The European General Data Protection Regulation (GDPR) this week celebrates its second anniversary. For many organisations, it may seem that the GDPR has become business as usual; one of many elements of their global compliance strategy. For many others, it remains a continuous struggle.
The two year anniversary is an important milestone for the GDPR, since this is the moment the European Commission was supposed to present the first evaluation of the application of the Regulation. Unfortunately, the report has been delayed until the start of the summer. Some of the lessons learned are nevertheless crystal clear.
Overall, the GDPR has been a success
In preparatory analysis for the European Commission’s review, the EU Member States, the European Data Protection Board (EDPB – the assembly of all EU supervisory authorities) and even industry groups, like the Centre for Information Policy Leadership, all agree: overall, the GDPR has been a success. Especially in the private sector, the Regulation has seen a big increase of awareness for privacy and data protection issues. Many organisations have implemented far-reaching privacy programs, to ensure the personal data of their employees, business partners and customers is well protected. And if something goes wrong, they are much more forthcoming to report a breach than was the case in the past, if you look at the total number of data breaches reported thus far.
Also the ‘extraterritorial’ influence of the GDPR is noticeable. Countries around the world have adopted legislation to bring their own privacy laws more in line with GDPR, or are in the process of doing so. Think for example of Japan, where additional legal provisions and guidelines were adopted to ensure their privacy law could be declared adequate. A similar process is ongoing in South Korea. And in Brazil, the new omnibus privacy law LGPD is clearly inspired by the GDPR, as is the draft Indian privacy bill currently before Congress. That doesn’t mean these laws are exact copies of the GDPR: all countries have chosen to embed their laws in their own national legal traditions, but many of the newer concepts and compliance approaches introduced by GDPR have been copied.
The GDPR has not achieved one of its main goals: full harmonisation
One of the main points of criticism of the GDPR, is that it is a Regulation-in-name-only. That requires a bit of explanation. Under EU law, there are two main legal instruments: Regulations, which have direct legal effect in all EU Member States and in principle do not require national implementing laws, and Directives, which are only binding as to the goal they aim to achieve. Directives always require implementing laws in all EU Member States. The GDPR officially is a Regulation, and many of the provisions indeed have direct effect, and can be relied upon by organisations and individuals throughout Europe. However, on many details, like the use of special categories of personal data (including health data), additional national rules can be imposed, to either allow the processing of such data or to make it more difficult. The same goes for data used in an employment relationship and for research and statistical data. Also, the age at which minors can provide consent for online services varies from country to country, between 13 and 16 years. This means the original goal to have “one single privacy rule for the whole of the European Union” has not been completely achieved. The core of the Regulation has been harmonised, but many important details have not.
What also hasn’t been fully harmonised, is the approach supervisory authorities should take when enforcing the law. The GDPR provides the main elements of what an investigation should look like and how authorities should consult each other, but the process itself is run on the basis of national administrative law. These laws fall outside the scope of EU legislation, and thus are not harmonised.
Supervision and enforcement of the GDPR remains a struggle
Also more in general, the supervision and enforcement of the GDPR is not an unequivocal success. Many had expected – and sometimes hoped – that data protection authorities would start imposing multimillion euro fines from the moment the GDPR went into application. That seems not to have been the case. Especially some high profile complaints brought by civil society groups like NOYB (none of your business, led by the Austrian Max Schrems) and Privacy International, are still awaiting a decision by the competent authorities. But that doesn’t mean the GDPR has not been enforced at all.
At the start of 2020, well over €115 million had been imposed in fines by the various data protection authorities. In addition, many authorities have taken other types of enforcement decisions, as allowed by the GDPR, from (public) warnings of non-compliance, to the suspension of processing operations. Many data protection authorities also make clear it sometimes suffices to have a phone call with a non-compliant organisation, to explain the correct interpretation and/or application of the GDPR. This may not be the most visible way of enforcement, but it is a really effective one.
The main hurdle for data protection authorities is a lack of resourcing and funding. Two-thirds confirm they do not have sufficient resources to deal with all the complaints received from individuals, as well as with the requests from companies for guidance and approval of certifications and international transfer instruments. Also the Council and CIPL conclude in their GDPR evaluation reports that underfunding of data protection authorities is a risk for the effective implementation of GDPR.
With only two years experience in working with the GDPR in practice, almost everyone agrees that it is too soon to start discussing any possible changes to the text of the Regulation. For now, Member States, supervisory authorities and industry seem content with more (detailed) guidance from the EDPB. At the same time, they note the reform of the data protection legislation in Europe is still not completed. The ePrivacy Regulation, which shall provide the specific rules for online data protection in line with the standards and principles of the GDPR, is still in the legislative process, with no agreement on a final text of the Regulation in sight. The hope is the German presidency of the Council from July onwards will be able to make some progress in this file.