EU judges GDPR an overall success, but changes still needed

Two years after its implementation, an EU report says that the GDPR is achieving what it set out to do, with a few reservations

The European Union (EU) General Data Protection Regulation (GDPR) has been assessed as an overall success in terms of meeting expectations and objectives, but more time is needed to smooth out some early issues identified by stakeholders, according to a two-year progress report issued by Brussels.

The European Commission (EC) said it would be premature to draw definite conclusions as to the application of the GDPR, and to provide for proposals for any revisions, but said it had identified a number of areas where improvements could eventually be made.

It said that the GDPR had made EU citizens feel more empowered and aware of their enforceable rights and protections – according to the EU Fundamental Rights Agency, 69% of those aged over 16 have heard of the GDPR, and 71% have heard about their national data protection agency. In general, it said, people feel they can play an active role in controlling their data.

On the business side, the EC said that organisations felt that having one consistent set of rules to adhere to across the EU had been a benefit, as well as levelling the playing field when competing with organisations not based in the EU but operating there. Small to medium-sized enterprises (SMEs) tended to feel that many of the provisions of the GDPR had lowered the barriers to entry to data protection friendly services.

The GDPR is also contributing to fostering more trustworthy innovation through risk-based approaches and principles such as privacy by design – the EC noted its approach had been tested during the Covid-19 pandemic and shown to be successful, with principles-based rules supporting the development of tools to effectively combat and monitor the spread of the virus.

The EC also said that the EU’s disparate data protection authorities (DPAs) had shown they could actively work together since the introduction of the GDPR. However, it noted that neither a dispute resolution nor an urgency procedure has yet been triggered under the regulations.

The EC made a number of suggestions for improvements around differences in national administrative procedures and how different EU member states interpret various concepts under the rules – the European Data Protection Board has already indicated that it will clarify procedural steps to help in this regard.

Going forward, it will act to make sure that national rules are better in line with the GDPR; that each member state can provide their DPAs with the needed resources; that DPAs are helped to develop more efficient working arrangements on the cooperation and consistency mechanisms; that the full toolbox available under the GDPR is used to better apply the rules; and that the application of the GDPR to emerging technologies such as artificial intelligence (AI), blockchain, and the internet of things (IoT) is closely monitored.

Chris Harris, Europe, the Middle East and Africa (EMEA) technical director at Thales, said the EC was right to zero in on the need for clarification and to look at how the 27 different DPAs work together.

“Since [GDPR’s] inception, there have been murmurs about its effectiveness due to lack of clarity on compliance and fears around the resources and power each DPA has to track and investigate the number of breaches that occur in their country. This is something that should have been sorted from the start, and not something that we are still talking about two years later – four if you include the transition period,” he said.

“To be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across each country, while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers’ data at risk.”

Tom De Cordier, a Brussels-based partner at law firm CMS, said that contrary to the EC’s view, the Covid-19 crisis had laid bare some of the problems inherent in the GDPR.

“Despite GDPR offering a high level of protection to citizens by default, the public trust in its effectiveness remains extraordinarily low – as demonstrated by the ongoing privacy debate surrounding contact-tracing apps and slow progress on introducing large scale initiatives that could help meaningfully curb the spread of the coronavirus,” he said.

“More than ever, we need governments and tech companies working together to build trustworthy technology to tackle the biggest health crisis of the century and clearly communicate the regulations that surround it.

“Moving beyond the crisis, supporting innovation and emerging technologies such as 5G and IoT will be key in bringing new economic opportunities. Currently, Europe is working under ePrivacy laws from 2002, which don’t easily interface with the GDPR and are in dire need of an update,” said De Cordier.
