Commission Evaluation Report on GDPR
On 24 June 2020, the European Commission published its first report on the evaluation and review of the General Data Protection Regulation (GDPR). The report comes two years after the Regulation became applicable on 25 May 2018. As stipulated by Art. 97 of the GDPR, it particularly assesses the following:
- The application and functioning of the rules on the transfer of personal data to third countries and international organisations;
- The application and functioning of the rules on cooperation and consistency;
- Issues that have been raised by various actors over the last two years.
The Commission generally draws positive conclusions. The GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU. Nonetheless, several issues for future improvement were identified. The main findings of the report are:
- The GDPR has empowered citizens and made them aware of their rights: Today, 69% of the population above the age of 16 in the EU have heard about the GDPR, and 71% have heard about their national data protection authority, according to results of a recent survey by the EU Fundamental Rights Agency. There is, however, room for improvement to help citizens exercise their rights, notably the right to data portability;
- The GDPR has made the EU fit for the digital age: Citizens play an active role in the world of digital transition. Innovation became more trustworthy, notably through a risk-based approach, and principles such as data protection by design and by default;
- Data protection authorities are making use of their stronger corrective powers: They are making use of administrative fines ranging from a few thousand euros to several million, depending on the gravity of the data protection infringements. Stark differences still exist in the various EU Member States, however, as regards adequately equipping the authorities with personnel, financial, and technical resources. Cooperation between the national data protection authorities, among them the EDPB, especially in cross-border cases, could be improved, including a more efficient and harmonized handling of the cases. The potential of the GDPR, e.g., joint investigations, has not been fully used;
- The Commission’s work to harness the full potential of the tools available under the GDPR to enable international data transfers has been stepped up. The EU now shares the world's largest area of free and safe data flows with Japan. The Commission wishes to increase the number of adequacy decisions with third countries and modernize the standard contractual clause. As cases are pending before the CJEU (in particular the Schrems II case), the Commission will report on the adequacy decisions at a later stage;
- The Commission has stepped up (and will continue to do so) bilateral, regional, and multilateral dialogue in order to foster a global culture of respect for privacy and convergence between different privacy systems for the benefit of citizens and businesses alike. International cooperation between data protection enforcers will be enhanced, e.g., by means of mutual assistance and enforcement cooperation agreements with third countries.
Lastly, the Commission lists a number of actions that are to be taken in order to remedy difficulties in the application of the GDPR as identified in the evaluation report. The evaluation report is accompanied by a staff working document (available only in English) that describes the findings in detail.
When presenting the report, Věra Jourová, Vice-President for Values and Transparency, said: “Europe's data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we are building other polices, such as data strategy or our approach to AI.”
Didier Reynders, Commissioner for Justice, added: “The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection. … We need also to ensure that citizens can make full use of their rights. The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with Member States, so that the GDPR can deliver its full potential.”