EU GDPR 2 year review published – What could this mean?

Today the European Commission has published the report of its review of the General Data Protection Regulation (GDPR). The aim of this review, scheduled two years after GDPR became law in 2018, is to consider its functionality in practice. The GDPR review is an opportunity for the European Commission to assess areas where GDPR is working well, and understand where the operational application may have raised issues that need to be addressed.

The report out today does not introduce any new legal changes to GDPR but its findings provide an indication of where the European Commission believe further action may be needed. This, in turn, will help ensure the values, principles and requirements of GDPR are being fully implemented.

Key findings of the review include:

• Data protection authorities (DPAs) have not yet used the “full array” of GDPR tools to support cooperation between authorities
• A more harmonised and efficient working arrangement between DPAs is needed on cross border cases.  The lack of staff and resources of some national data protection authorities is seen as a reason why closer cooperation between authorities has failed to fully emerge
• There is a lack of “consistent approach and guidance” from various data protection authorities on issues such as cookies and the application of legitimate interest
• Individuals are increasingly aware and using the increased data protection rights. 69% of Europeans having heard about GDPR and 60% aware of the law that allows them to access data help about them by public administration.
• The right to data portability is “not used to its full potential”. However, the development of new technological tools to facilitate portability has been seen
• The administrative burdens faced by SMEs for recording of processing activities is highlighted with the exemption in Article 30 seen as “very narrow”. The report highlights how the use of templates to support SMEs to meet their requirement should be used
• GDPR has helped to address privacy issues raised by emerging technologies. This includes awareness around the important role guidance and sandboxes can play
• Creation of a “Data Protection Academy” to increase international cooperation
• The important role of the adequacy process and the ongoing talks with South Korea and the UK in line with the political declaration of the future relationship.
• The importance of the European Data Protection Board developing criteria to approve certification mechanisms and codes of conduct.

In response to the publication of the GDPR report, Sue Daley, Associate Director of Tech and Innovation at techUK welcomed the report’s findings;

“In the two years since its introduction GDPR has provided businesses with clear, consistent and harmonised data protection rules which have helped the levels of data protection and security increase across industries and sectors. It also put in the hands of individuals tools to make real decisions about how their data is being used.   

techUK agrees with the Commission’s position that the GDPR’s risk-based, principle-driven, technology neutral approach provides a clear legal framework to explore data protection issues being raised by emerging technologies. However, what remains vital is that there continues to be consistency, clarity and certainty on how the rules and requirements of the GDPR are interpreted and applied by member states. The call for data protection authorities to be adequately resourced is also supported as this is key to ensuring regulators can support individuals and companies particularly given the data protection issues and questions being faced today"