Written by members of the DLA Piper European cyber and data protection team
On 24 June 2020, the European Commission published its evaluation report of the GDPR, just over two years after the GDPR became applicable. The Commission’s report indicates that the GDPR has met most of its objectives, in particular in relation to individual enforceable rights and by creating a new European system of governance and enforcement. During the press conference organised to present the report, Vice-President Jourová emphasised that the GDPR is a “success story” that has enabled people to get more control over their personal data while providing a competitive advantage to companies. Commissioner Reynders further commented that the past two years have demonstrated the positive effects of the GDPR and that it is a flexible tool, as the COVID-19 crisis has shown. Some might argue, however, that the multiple different approaches taken by Member States when applying the GDPR to COVID-19 added unhelpful legal complexity to an already uniquely challenging crisis. The report recognises that more work needs to be done to harmonise GDPR requirements across Member States and to “promote and further develop a truly European data protection culture and vigorous enforcement”. According to Vice-President Jourová, a long to-do list still needs to be completed.
The report sets out a number of key findings summarised below:
- Citizens are more empowered and aware of their rights: The review found that general awareness of the GDPR and the rights contained within it was high, assisted by the enhanced transparency requirements of the GDPR. According to Vice-President Jourová, the human-centric approach laid down by the GDPR differentiates the EU from other countries, such as the US or China. However, the report recognises that more can be done to assist in the exercise of rights, particularly in relation to the right to data portability. Comment: we agree with this overall conclusion, though challenges remain both for individuals wishing to exercise their rights and for organisations on the receiving end of requests. For example, the approach taken by different Member States to data subject access requests varies significantly, with some (like Germany) interpreting the requirement extremely narrowly whereas others (like the UK) require a very wide disclosure of information. This inconsistency serves neither data subjects nor controllers well.
- Data protection rules are fit for the digital age: The review found that the GDPR is “contributing to fostering trustworthy innovation”, by empowering individuals to be more aware of what is happening with their data and through measures such as data protection by design and by default. Vice-President Jourová noted that further EU policies are being built on the basis of the GDPR, such as the Data Strategy and the Artificial Intelligence strategy. Comment: the GDPR has certainly helped to improve transparency and raise awareness of rights. When building new products or designing new procedures, the GDPR has encouraged organisations to build in privacy by design. Yet significant challenges remain for legacy systems and processing which were established, in some cases, decades before the GDPR was introduced, and many of these systems are still required to deliver digital solutions. As with house building, it is much easier and cheaper to build new than it is to refurbish.
- Data protection authorities are making use of their stronger corrective powers: The review found that the GDPR provides national data protection authorities with adequate corrective tools to allow them to enforce GDPR obligations. However, the review also recognised that data protection authorities need adequate human, technical and financial resources in order to be effective, and noted that although the Commission has seen an increase in resources for data protection authorities in many Member States, there are still significant differences between jurisdictions. Comment: lack of resources is one factor restraining effective enforcement. Others include fundamental differences in the interpretation of the GDPR and in enforcement appetite. Some Member States have a reputation for being a softer touch when it comes to enforcement than others. These differences are also a factor in the muted adoption of the one stop shop. Another “drag” on enforcement is legal uncertainty. The GDPR is a vague, principles-based law and there is virtually no guidance or precedent yet on how GDPR fines should be calculated. Supervisory authorities do not like losing appeals, as it undermines their credibility, so they are likely to tread carefully and impose more limited sanctions until there is a sufficient body of precedent to sustain a larger fine that would survive an appeal. There have been some notable exceptions to this approach, including the two huge fines that the UK’s ICO reported it was planning to impose last July. Almost a year later, the ICO has yet to issue either of these fines, demonstrating the challenges supervisory authorities face in making large fines stick.
- One Stop Shop – more can be done: The review noted that the handling of cross-border cases needs a more efficient and harmonised approach by data protection authorities. In particular, data protection authorities have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations. The European Data Protection Board (EDPB) has indicated that it will clarify procedural steps to enhance cooperation between the data protection authorities. Commissioner Reynders commented that cooperation between data protection authorities still needs to be reinforced. Comment: there has been slow adoption of the one stop shop tools to date. The recently upheld Google fine in France demonstrates that the bar for establishing a main establishment is set very high. It also demonstrates that national supervisory authorities have a strong will to regulate within their own borders notwithstanding the one stop shop regime. Conceding jurisdiction to a supervisory authority in a different Member State will not come easily to many, particularly while the interpretation of the GDPR and the approach to enforcement continue to vary significantly among Member States.
- Advice and guidelines by data protection authorities: The review recognised that the EDPB and data protection authorities have issued guidelines and tools covering key aspects of the GDPR. However, it noted that it is essential to ensure that guidance provided at national level by data protection authorities is fully consistent with the guidelines adopted by the EDPB. More specifically, Commissioner Reynders stressed that more assistance must be provided to companies that are struggling with the application of the GDPR, such as SMEs. In this respect, the report specified that the Commission is currently working on standard contractual clauses between controllers and processors under Article 28 of the GDPR. Comment: more support for SMEs and a standard set of Article 28 terms would certainly be welcome, particularly for organisations that do not have the resources or budget to engage specialist legal advice.
- Harnessing the full potential of international data transfers: The Commission noted that the EDPB is working on specific guidance on the use of certification and codes of conduct for transferring data outside of the EU, and recognised that these need to be finalised as soon as possible. The Commission further stated that it is looking at modernising mechanisms for data transfers, including the Standard Contractual Clauses. The Commission also reported that it has engaged in an intensive dialogue with the countries that have been granted an adequacy decision in order to assess whether those adequacy decisions are still relevant. In this respect, Vice-President Jourová and Commissioner Reynders stressed that no decision has yet been taken with regard to the adequacy of the UK and that further information is still needed. They also commented that the situation of Switzerland will be reviewed once that country has adopted its reform. Both the Standard Contractual Clauses and the adequacy standards will be reviewed after the Court of Justice judgment in the Schrems II case is handed down on 16 July. Given that this judgment is likely to have an important impact, Commissioner Reynders stated that a reaction from the Commission should be expected shortly after the publication of the judgment. Comment: this will be a busy year for data transfer law. First, we have the Schrems II decision of the CJEU to look forward to on 16 July. Secondly, the UK is trying to rush through an adequacy ruling in record time ahead of the Brexit transition period coming to an end on 1 January 2021. Data transfers remain a complicated and cumbersome area of law, adding a very significant cost for organisations carrying out data transfers. Regrettably, Schrems II and Brexit have added to that legal uncertainty.
- Promoting international cooperation: The Commission stated that it will seek authorisation from the Council to open negotiations for the conclusion of mutual assistance and enforcement cooperation agreements with relevant third countries. Vice-President Jourová and Commissioner Reynders welcomed the fact that the GDPR has become a reference point across the world and that more and more countries are moving towards stronger data protection standards.
In general, the Commission’s review of the application of the GDPR over the last two years is positive. However, the Commission recognises that there is still some way to go, in particular in ensuring that the GDPR is applied uniformly across Member States, which requires data protection authorities to be provided with adequate resources. In addition, the Commission recognised that data protection authorities should provide assistance to those companies that are struggling the most with the implementation of the GDPR, such as SMEs, as well as providing assistance and tools to allow citizens to understand and effectively exercise their rights.
If you have any further questions, please contact the author or your usual DLA Piper contact person.