GDPR has ‘achieved many of its aims & been the biggest driver of cybersecurity spend, online safety & privacy’, but it has had challenges in implementation, and these are not something the EU report focuses on.
In a report from the European Commission to the European Parliament and Council, published yesterday, the EU gave itself a pass for the first 2 years of application of the ‘General Data Protection Regulation.’ In particular, it looked at the application & functioning of the rules on the transfer of personal data to 3rd countries & international organisations, & of the rules on co-operation & consistency.
It concludes that the GDPR ‘empowers citizens’ because it has “strengthened data protection safeguards, provides individuals with additional & stronger rights, increased transparency, & ensures that all those that handle personal data under its scope of application are more accountable & responsible.”
Additionally, it says that GDPR “equips the independent data protection authorities with stronger & harmonised enforcement powers & sets up a new governance system. It also makes a ‘level playing field’ for all companies operating in the EU market, regardless of where they are established, & it ensures the free flow of data within the EU, thus strengthening the internal market.”
European Economic Area (EEA) Agreement
After its incorporation in the European Economic Area (EEA) Agreement, the Regulation also applies to Norway, Iceland & Liechtenstein, but the impact is far wider.
The report notes how adoption of the GDPR has prompted other countries to follow, making data protection a truly global trend running from Chile to South Korea, from Brazil to Japan, from Kenya to India, & from California to Indonesia.
“The EU’s leadership on data protection shows it can act as a global standard-setter for the regulation of the digital economy,” observes the report.
Also, many companies have responded to increased consumer demand for privacy by voluntarily extending some of the rights & safeguards provided for in the GDPR to their non-EU-based customers.
It also suggests that in the EU, “the data protection & privacy legislative framework has proven to be a sufficiently flexible tool to allow practical solutions (e.g. tracing apps) to be developed while ensuring a high level of protection of personal data.”
It credits this to the GDPR having been conceived in a technology-neutral way, based on principles, “& is therefore designed to cover new technologies as they develop.”
The report suggests that the general view is that, two years after it started to apply, “the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection & guaranteeing the free flow of personal data within the EU.”
There is an acceptance that “a number of areas for future improvement have also been identified. Like most stakeholders & data protection authorities, the Commission is of the view that it would be premature at this stage to draw definite conclusions regarding the application of the GDPR.”
Concerns include international transfers and the cooperation and consistency mechanisms.
However, it concludes, “The general view is that data protection authorities have made balanced use of their strengthened corrective powers, including warnings & reprimands, fines & temporary or definitive processing limitations.”
These are not contentious claims: the GDPR, & the need for organisations to comply to avoid swingeing fines, has put data security on the boardroom agenda globally & resulted in increased security spend to be compliant, making people safer, even where the underlying principle of data being owned by its subject has gone unnoticed. Indeed, GDPR has probably been THE biggest driver of cybersecurity in the last couple of years, more even than the news about new attacks & breaches.
However, some find the report too ‘self-congratulatory’ & say it lacks evidence to substantiate the claims made.
Met its Objectives
Stewart Room, Global Head of Data Protection & Cyber Security at DWF, commented, “The European Commission’s report on the operation of the GDPR, two years since it came into effect, provides high praise for its achievements, claiming that it has ‘successfully met its objectives of strengthening the protection of the individual’s right to personal data protection & guaranteeing the free flow of personal data within the EU’.
“While it is the case that the GDPR started a huge amount of compliance activity between 2016 & 2018, & lots of news coverage, which helped to raise awareness levels of data protection rights, the lack of numerical evidence to support the Commission’s claims stands out.
“A key problem to note is that there is an absence of such evidence on data protection performance levels under the previous legal regime (the 1995 Directive), so, therefore, there isn’t a benchmark available to substantiate progress made under the GDPR.
“Reports of personal data security breaches have not ended, there are still structural problems in the AdTech environment, & with the progression of developments in technology, e.g. facial recognition & AI, there have to be doubts about the ability of the law & the regulatory system to keep up.
“The GDPR is certainly a good & welcomed innovation, but perhaps we should divorce legislative intent from the realities on the ground, within which there remain serious problems with the resourcing levels of the regulatory offices compared to the work that needs to be done & low levels of enforcement activity.”
Plans for the GDPR include increased data portability. The report suggests tools may include consent management tools & personal information management apps, plus mandating technical interfaces & machine-readable formats allowing portability of data in real time.
Also, there is recognition that application of the GDPR is challenging, especially for small & medium-sized enterprises (SMEs). However, it suggests that it would not be appropriate to provide derogations based on the size of the operators, “as their size is not in itself an indication of the risks the processing of personal data that it undertakes can create for individuals.”
The report notes how a number of data protection authorities have provided practical tools to help the implementation of the GDPR by SMEs with low-risk processing activities.
It suggests that such efforts “should be intensified & widespread, preferably within a common European approach in order not to create barriers to the Single Market. Data protection authorities have developed a number of activities to help SMEs comply with the GDPR, for instance through the provision of templates for processing contracts & records for processing activities, seminars & hotlines for consultation.”