European Commission brands GDPR a success two years on

Two years after its entry into law, the General Data Protection Regulation (GDPR) has been an overall success, even if there are a number of areas for future improvement.

This is the conclusion of a report from the European Commission, which argued that increasing global convergence around principles that are shared by the GDPR offers new opportunities to facilitate safe data flows.

The report pointed out that 69 per cent of the population above the age of 16 in the EU have heard about the GDPR and 71 per cent of people have heard about their national data protection authority, according to a survey from the EU Fundamental Rights Agency.

“The GDPR has empowered individuals to play a more active role on what is happening with their data in the digital transition - it is also contributing to fostering trust-worthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.”

The EC suggested that privacy has become a competitive quality that customers are increasingly taking into consideration when choosing their services. For small businesses, the implementation of the right to data portability has the potential to lower the barriers to entry to data protection friendly services.

It also noted that the GDPR is an essential and flexible tool to ensure the development of new technologies in accordance with fundamental rights. “The implementation of the core principles of the GDPR is particularly crucial for data intensive processing – the risk based and technology neutral approach of the regulation provides a level of data protection, which is adequate to the risk of the processing also by emerging technologies.”

The future-proof and risk-based approach of the GDPR will also be applied in the future EU framework for Artificial Intelligence and in the implementation of the European Data Strategy. This strategy aims at fostering data availability and at the creation of Common European Data Spaces.

As for the downsides, the report showed that the handling of cross-border cases needs a more efficient and cohesive approach when using the cooperation tools provided in the GDPR.

A broad consensus among the European Parliament, European Council, stakeholders and the data protection authorities listed the main issues in this context as: differences in national administrative procedures; varying interpretations of concepts relating to the cooperation mechanism; and varying approaches regarding the start of the cooperation procedure.

“The key objective at this stage is to support a harmonised and consistent implementation and enforcement of the GDPR across the EU,” the report stated in terms of work on improvements.

It added that this requires a strong engagement from all actors:

• making sure that national legislation, including sectoral legislation, is fully in line with the GDPR;
• Member States providing data protection authorities with the necessary human, financial and technical resources to properly enforce the data protection rules but also reaching out to stakeholders, both citizens and businesses;
• data protection authorities developing efficient working arrangements regarding the functioning of the cooperation and consistency mechanisms, including on procedural aspects;
• making full use of the toolbox under the GDPR to facilitate the application of the rules, for instance through codes of conduct;
• closely monitoring the application of the GDPR to new technologies such as artificial intelligence, the Internet of Things and blockchain.

In terms of the international dimension, the European Commission will continue to focus its efforts on promoting convergence of data protection rules as a way to ensure safe international data flows. This includes ongoing reforms for new or updated data protection laws, or the push for the ‘Data Free Flow with Trust’ (DFFT) concept.

This work will also cover various adequacy dialogues and the modernisation and expansion of our transfer toolbox through updating the SCCs and laying the groundwork for certification mechanisms.

The GDPR has emerged as a reference point and acted as a catalyst for many countries and states around the world considering how to modernise their privacy rules – Chile, South Korea, Brazil, Japan, Kenya, India, Tunisia, Indonesia, Taiwan and the state of California, to name but a few.

The report proposed further active engagement with international partners to reach data regulation adequacy, citing the creation of an area between the EU and Japan of free and safe data flows.

Since the regulation came into force in 2018, data protection authorities have levied administrative fines and issued warnings and reprimands, orders to comply with data subjects' requests, and orders to bring processing operations into compliance or to rectify, erase or restrict processing.

Commenting on the report, Thales technical director Chris Harris said that since the GDPR's inception there have been murmurs about its effectiveness due to lack of clarity on compliance and fears around the resources and power each data protection authority has to track and investigate the number of breaches that occur in their country.

“Whilst we’ve seen some justifiably big fines dished out, unfortunately, as organisations continue to digitally transform, the lack of clarity around new technologies like blockchain and AI is actually mostly hitting law-abiding companies that are just trying to be compliant.

“We need to ensure GDPR operates as the protective bubble around personal information that we all want, without restricting the innovation and development that the world needs from these disruptive technologies.”

Harris suggested that smaller companies may have found compliance harder, not only due to the complexity and potentially onerous nature of the requirements, but because many vendors with GDPR-focussed solutions were understandably scaling their offerings for the larger organisations.

“In order to be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across each country, while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers’ data at risk.”
