The GDPR empowers citizens and is adapted to the needs of the digital age
Two years after the application of the General Data Protection Regulation (GDPR), the European Commission published an evaluation report on its implementation. According to the authors of the report, the GDPR strengthens the position of the citizen by providing a number of rights related to the protection of personal data and creates a new European system for managing and enforcing these provisions.
The report states that the GDPR has proved flexible in supporting digital solutions in unforeseen circumstances, such as the coronavirus crisis. In addition, more and more Member States are adapting internal rules to the General Data Protection Regulation. The analysis of the European Commission also shows that enterprises are increasingly perceiving the organization's adaptation to the provisions on personal data protection as a strong competitive advantage.
The main conclusions of the review of the application of the GDPR
Thanks to the implementation of the GDPR, EU citizens are more aware of their rights. The GDPR gives natural persons enforceable rights, such as the right of access to data, rectification and erasure, right to object and the right to data portability. According to the results of a survey published in June this year by the European Union Agency for Fundamental Rights, 69% of the population aged 16+ in the EU have heard about the GDPR and 71% of the respondents in the EU have heard about their national data protection authority. Despite the increasing level of awareness about the GDPR, citizens should continue to be helped to exercise their rights.
Data protection regulations are tailored to the needs of the digital age
The GDPR has empowered individuals to play a more active role in relation to what is happening with their data in the digital transition. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.
Support for supervisory authorities
Data protection authorities have greater corrective powers. The GDPR gives national data protection authorities appropriate enforcement tools - from warnings and reprimends to administrative fines. However, their use depends on the necessary human, technical and financial resources needed. Many Member States therefore see a significant increase in budget and staff expenditure. Overall, in 2016-2019, all national data protection authorities in the EU together recorded an increase of 42% in staffing and 49% in budget outlays. However, the situation in individual Member States is still very diverse.
Data protection authorities cooperate within the framework of the European Data Protection Board (EDPB)
As part of the cooperation of data protection authorities, an innovative management system has been established, which aims to ensure the consistent and effective application of this Regulation through the so-called one-stop-shop mechanism. Thanks to it, an enterprise processing data in various countries has, as an interlocutor, only one data protection authority, namely the authority of the Member State in which its head office is located.
Advice and guidelines by data protection authorities
EDPB issues guidelines covering key aspects of the Regulation as well as new, emerging issues. It is on their basis that several data protection authorities have created new tools, including helplines for individuals.
Full use of the potential of international data transfers
Over the past two years, the Commission's international commitment to providing free and secure data transfers has produced significant results. This applies to, among others Japan, with which the EU currently shares the world's largest area of free and secure data flows. Together with partners from around the world, the Commission will continue work on an adequate level of data protection. In addition, the Commission, in cooperation with EDPB is considering modernizing other data transfer mechanisms, including standard contractual clauses - the most-used data transfer tool. EDPB is working on specific certification guidelines and codes of conduct for data transfers outside the EU - they should be finalized as soon as possible.
Supporting international cooperation
Since May 2018, the Commission has intensified bilateral, regional and multilateral dialogue, supporting a global culture of respect for privacy and convergence between different privacy systems for the benefit of both citizens and businesses. At a time when violations of privacy can affect a large number of people at once in several parts of the world, international cooperation between enforcement authorities should be strengthened. Therefore, the Commission will ask the Council to agree to start negotiations to conclude mutual assistance and cooperation agreements with relevant third countries.
The Commission report also includes a list of actions aimed at facilitating the application of the GDPR to all interested parties, in particular small and medium-sized enterprises, which will promote the provisions on the protection of personal data and their enforcement.
It is worth recalling that, according to the GDPR, the European Commission reports on the evaluation and review of this regulation - the first of them after two years of application, and the next every four years, starting from the first report. The report shall cover, in particular, issues of international data transfers and the "cooperation and consistency mechanism". In its review, the Commission has adopted a broader approach to address issues raised by various actors in the last two years. This applies to information provided by the Council, the European Parliament, the European Data Protection Board, national data protection authorities and stakeholders.