Yesterday, in a report from the European Commission to the European Parliament and Council, the EU marked its own homework and gave itself a pass with flying colours for the first two years of application of the General Data Protection Regulation (GDPR). In particular, it looked at the application and functioning of the rules on the transfer of personal data to third countries and international organisations, and of the rules on cooperation and consistency.
It concluded that the GDPR empowers citizens as it: “Strengthened data protection safeguards, provides individuals with additional and stronger rights, increased transparency, and ensures that all those that handle personal data under its scope of application are more accountable and responsible.” In addition it says that GDPR “Equips the independent data protection authorities with stronger and harmonised enforcement powers and sets up a new governance system. It also creates a level playing field for all companies operating in the EU market, regardless of where they are established, and it ensures the free flow of data within the EU, thereby strengthening the internal market.”
Following its incorporation in the European Economic Area (EEA) Agreement, the Regulation also applies to Norway, Iceland and Liechtenstein, but the impact is far wider. The report notes how adoption of the GDPR has spurred on other countries to make it a truly global trend running from Chile to South Korea, from Brazil to Japan, from Kenya to India, and from California to Indonesia. “The EU’s leadership on data protection shows it can act as a global standard-setter for the regulation of the digital economy,” says the report.
In addition, many companies have responded to the increased consumer demand for privacy by voluntarily extending some of the rights and safeguards provided for in the GDPR to their non-EU based customers.
It also suggests that in the EU, “the data protection and privacy legislative framework has proven to be a sufficiently flexible tool to allow practical solutions (e.g. tracing apps) to be developed while ensuring a high level of protection of personal data.” It credits this to the GDPR having been conceived in a technology-neutral way, based on principles, “and is therefore designed to cover new technologies as they develop.”
The report suggests that the general view is that two years after it started to apply, “the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU.”
Among the praise, there is an acknowledgement that “a number of areas for future improvement have also been identified. Like most stakeholders and data protection authorities, the Commission is of the view that it would be premature at this stage to draw definite conclusions regarding the application of the GDPR.” Concerns include international transfers and the cooperation and consistency mechanisms.
However, it concludes: “The general view is that data protection authorities have made balanced use of their strengthened corrective powers, including warnings and reprimands, fines and temporary or definitive processing limitations.”
In most respects, these are uncontentious claims: the GDPR, and the need for organisations to comply with it to avoid swingeing fines, has put data security on the boardroom agenda globally and driven increased security spending to achieve compliance, making people safer even where the underlying principle of data being owned by its subject has gone unnoticed. Nonetheless, the GDPR has probably been THE biggest driver of cybersecurity in the last couple of years - more even than the onslaught of news about new attacks and breaches.
However, some find the report a little too self-congratulatory and lacking the evidence to substantiate the claims made.
Stewart Room, global head of data protection & cyber security at DWF, commented in an email to SC Media UK: "The European Commission's report on the operation of the GDPR, two years since it came into effect, provides high praise for its achievements, claiming that it has 'successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU'. While it is certainly the case that the GDPR triggered a huge amount of compliance activity between 2016 and 2018 and lots of news coverage, which helped to raise awareness levels of data protection rights, the lack of empirical evidence to support the Commission's claims stands out.
"A key problem to note is that there is an absence of such evidence on data protection performance levels under the previous legal regime (the 1995 Directive); therefore, there isn't a benchmark available to substantiate progress made under the GDPR. In contrast, reports of personal data security breaches have not run dry; there are still structural problems in the AdTech environment; and with the ceaseless progression of developments in technology, such as facial recognition and AI, there have to be doubts about the ability of the law and the regulatory system to keep up speed.
"The GDPR is certainly a good and welcomed innovation, but perhaps we should divorce legislative intent from the realities on the ground, within which there remain serious problems with the resourcing levels of the regulatory offices compared to the work that needs to be done and low levels of enforcement activity."
Future plans for the GDPR include increased data portability. The report suggests tools may include consent management tools and personal information management apps, plus mandating technical interfaces and machine-readable formats allowing portability of data in real time.
There is also recognition that application of the GDPR is challenging, especially for small and medium-sized enterprises (SMEs). However, it suggests that it would not be appropriate to provide derogations based on the size of the operators, “as their size is not in itself an indication of the risks the processing of personal data that it undertakes can create for individuals.”
Instead, the report notes how several data protection authorities have provided practical tools to facilitate the implementation of the GDPR by SMEs with low-risk processing activities. It suggests that these efforts “should be intensified and widespread, preferably within a common European approach in order not to create barriers to the Single Market. Data protection authorities have developed a number of activities to help SMEs comply with the GDPR, for instance through the provision of templates for processing contracts and records for processing activities, seminars and hotlines for consultation.”