The General Data Protection Regulation (GDPR) provided that the Commission should present a first report on the evaluation and review of the GDPR after two years of application and every four years thereafter. This report has been published by the European Commission and shows that the DPMR has achieved most of its objectives.
This week, just over two years after its entry into force, the EPMR is the subject of an evaluation report published by the European Commission. The report shows that the PPMR has achieved most of its objectives, including giving citizens a strong set of enforceable rights and creating a new European system of governance and enforcement.
According to the European Commission, the RGPD has proven to be a flexible tool to support the development of digital solutions in unforeseen circumstances, such as the VIDOC crisis.19 The European Commission has also stated that the RGPD has been a useful tool to support the development of digital solutions in unforeseen circumstances, such as the VIDOC crisis.20 The report also concludes that harmonisation across Member States is progressing, despite some fragmentation that needs to be continuously monitored. It also finds that businesses are developing a culture of compliance and are increasingly promoting the high level of data protection they provide as a competitive advantage.
The report sets out actions for all stakeholders, in particular small and medium-sized enterprises, to further facilitate the application of the DPSR, in order to promote and further develop a genuine European data protection culture and rigorous enforcement.
Věra Jourová, Vice-President for Values and Transparency, said on this occasion :
“The European data protection regime now sets the benchmark, guiding us in the human-centred digital transition and is an important pillar on which we build for other policies, such as the data strategy or our approach to artificial intelligence.
The PPMR is a good example of how the European Union, by adopting a fundamental rights-based approach, empowers its citizens and offers opportunities for businesses to make the most of the digital revolution. But we must all continue to work to ensure that the PPMR achieves its full potential³d.
Didier Reynders, Commissioner for Justice, said:
“The DPMR has achieved its objectives and has become a reference throughout the world for countries wishing to grant their citizens a high level of protection. But we can do better, as today’s report shows. For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We also need to ensure that citizens can make full use of their rights. The Commission will monitor progress, in close cooperation with the European Data Protection Committee and in its regular exchanges with Member States, so that the DPMR can unleash its full potential³d.
Main conclusions of the review of the DPMR
Citizens are better armed and more aware of their rights
The DPMR enhances transparency and gives individuals enforceable rights, such as the rights of access, rectification and deletion, the right to object and the right to data portability.
Today, 69% of the EU population over the age of 16 are aware of the existence of the DPMR, while 71% have heard of their national data protection authority, according to the results of a survey published last week by the European Union Agency for Fundamental Rights. However, more can be done to help citizens exercise their rights, including the right to data portability.
Data protection rules are adapted to the digital age: the DPMR has enabled individuals to play a more active role in the use of their data in the digital transition. It also helps to encourage trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.
Data protection authorities make use of their enhanced powers to adopt corrective measures: from warnings and reminders to administrative fines, the DPMR provides national data protection authorities with adequate tools to enforce compliance. However, these authorities need to be sufficiently supported with the necessary human, technical and financial resources. Many Member States are currently working in this direction, significantly increasing budgetary and staff allocations.
Overall, national data protection authorities in the EU, taken together, have seen their staff increase by 42% and their budget by 49% between 2016 and 2019. However, there are still considerable differences between Member States.
Data protection authorities work together in the framework of the European Data Protection Committee, but there is room for improvement: the DPMR has established an innovative governance system designed to ensure a consistent and effective application of the DPMR through the so-called ‘one-stop-shop’, a mechanism whereby a company processing data in a cross-border context has only one data protection authority as its interlocutor, namely the authority of the Member State where its principal place of business is located.
Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the “one-stop shop”, 79 of which resulted in a final decision. However, more can be done to develop a genuine common data protection culture. In particular, the handling of cross-border cases requires a more efficient and harmonised approach and an effective use of all the tools provided for in the DPMR to ensure cooperation between data protection authorities.
Opinions and guidelines issued by data protection authorities: the European Data Protection Committee publishes guidelines on key aspects of the Regulation and on new topics. Several data protection authorities have created new tools, including helplines for individuals and businesses, and toolkits for small and micro-enterprises.
It is essential to ensure that the guidance given at national level is strictly in line with the guidelines adopted by the European Data Protection Committee.
Exploiting the full potential of international data transfers: Over the last two years, the Commission’s international commitment to unhindered and secure data transfers has produced important results. This applies in particular to data transfers between the EU and Japan, which now share the largest area of secure free movement of data in the world.
The Commission will continue its work on the adequacy of the level of data protection together with its partners around the world. In addition, and in cooperation with the European Data Protection Committee, the Commission is considering modernising other data transfer mechanisms, including the standard contractual clauses which are the most commonly used data transfer tool.
The European Data Protection Committee is currently developing specific guidance on the use of certification and on codes of conduct for data transfers outside the EU, to be completed as soon as possible.
Given that the European Court of Justice is likely to provide further clarification in a ruling on 16 July which may be relevant to some elements of the adequacy principle, the Commission will prepare a separate report on existing adequacy decisions after the Court’s ruling.
Promoting international cooperation: Over the last two years, the Commission has intensified bilateral, regional and multilateral dialogues, encouraging the development of a global culture of privacy and the convergence of different privacy protection systems for the benefit of both citizens and businesses.
The Commission is committed to pursuing this work as part of the EU’s wider external action, for example, in the context of the Africa-EU Partnership and through its support for international initiatives such as the “Data Free Flow with Trust” initiative.
At a time when violations of privacy rules can affect a large number of people simultaneously in several parts of the world, it is time to intensify international cooperation between data protection authorities. This is why the Commission will seek authorisation from the Council to open negotiations for the conclusion of agreements on mutual assistance and cooperation in prevention and law enforcement with the third countries concerned.
Bringing EU law in line with the Data Protection Directive in the field of law enforcement
In addition, the Commission also issued today a Communication identifying ten legal acts regulating the processing of personal data by competent authorities for the purpose of the prevention, investigation, detection and prosecution of criminal offences, which should be brought in line with the Data Protection Directive in the field of law enforcement.
This will provide legal certainty and clarify issues such as the purposes of processing of personal data by competent authorities and the types of data that may be processed.
Find the full report HERE.
Translated from RGPD : La Commission Européenne publie son rapport d’évaluation sur les outils de protection des données