General Data Protection Regulation shows results, but work needs to continue
Just over one year after the entry into application of the General Data Protection Regulation, the European Commission has published a report looking at the impact of the EU data protection rules, and how implementation can be improved further.
The report concludes that most Member States have set up the necessary legal framework, and that the new system strengthening the enforcement of the data protection rules is falling into place. Businesses are developing a compliance culture, while citizens are becoming more aware of their rights. At the same time, convergence towards high data protection standards is progressing at international level.
Frans Timmermans, First Vice-President of the European Commission, said: “The European Union strives to stay at the forefront of the protection of personal rights in the digital transformation while seizing the many opportunities it offers for jobs and innovation. Data is becoming an invaluable element for a booming digital economy and is playing an increasingly vital role in developing innovative systems and machine learning. It is essential for us to shape the global field for the development of the technological revolution and for its proper use in full respect of individual rights.”
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality added: “The General Data Protection Regulation is bearing fruit. It equips Europeans with strong tools to address the challenges of digitalisation and puts them in control of their personal data. It gives businesses opportunities to make the most of the digital revolution, while ensuring people’s trust in it. Beyond Europe, it opens up possibilities for digital diplomacy to promote data flows based on high standards between countries that share EU values. But work needs to continue for the new data protection regime to become fully operational and effective.”
The GDPR has made EU citizens increasingly aware of data protection rules and of their rights, as indicated by a Eurobarometer survey published in May 2019. However, only 20% of Europeans know which public authority is responsible for protecting their data. This is why the European Commission has launched this summer a new campaign to encourage Europeans to read privacy statements and to optimise their privacy settings.
While the new data protection rules have achieved many of their objectives, the Commission’s communication also sets out concrete steps to further strengthen these rules and their application:
- One continent, one law: Today, all but three Member States – Greece, Portugal and Slovenia – have updated their national data protection laws in line with EU rules. The Commission will continue to monitor Member State laws to ensure that when they specify the GDPR in national laws, it remains in line with the Regulation and that their national laws are not a gold-plating exercise. If needed, the Commission will not hesitate to use the tools at its disposal, including infringements, to make sure Member States correctly transpose and apply the rules.
- Businesses are adapting their practices: Compliance with the Regulation has helped companies increase the security of their data and develop privacy as a competitive advantage. The Commission will support the GDPR toolbox for businesses to facilitate compliance, such as standard contractual clauses, codes of conduct and new certification mechanism. In addition, the Commission will continue supporting SMEs in applying the rules.
- Stronger role of data protection authorities: The Regulation has given national data protection authorities more powers to enforce the rules. During the first year, national data protection authorities have made use of these new powers effectively when necessary. Data protection authorities are also cooperating more closely within the European Data Protection Board. By the end of June 2019, the cooperation mechanism had managed 516 cross-border cases. The Board should step up its leadership and continue building an EU-wide data protection culture. The Commission also encourages national data protection authorities to pool their efforts for instance by conducting joint investigations. The European Commission will continue to fund national data protection authorities in their efforts to reach out to stakeholders.
- EU rules as reference for stronger data protection standards across the globe: As more and more countries across the world equip themselves with modern data protection rules, they use the EU data protection standard as a reference point. This upwards convergence is opening up new opportunities for safe data flows between the EU and third countries. The Commission will further intensify its dialogues on adequacy, including in the area of law enforcement. In particular, it aims at concluding the ongoing negotiations with the Republic of Korea in the coming months. Beyond adequacy, the Commission aims to explore the possibility to build multilateral frameworks to exchange data with trust.
In line with the General Data Protection Regulation, the Commission will report on its implementation in 2020 to assess the progress made after two years of application including on the review of the 11 adequacy decisions adopted under the 1995 Directive.
The General Data Protection Regulation is a single set of rules with a common EU approach to the protection of personal data, directly applicable in the member States. It reinforces trust by putting individuals back in control of their personal data and at the same time guarantees the free flow of personal data between EU Member States. The protection of personal data is a fundamental right in the European Union.
The GDPR has been applicable since 25 May 2018. Since then, nearly all Member States have adapted their national laws in the light of GDPR. The national Data Protection Authorities are in charge of enforcing the new rules and are better coordinating their actions through new cooperation mechanisms and the European Data Protection Board. They are issuing guidelines on key aspects of the GDPR to support the implementation of the new rules.
Source: European Commission