European Commission publishes first evaluation report under the GDPR

The report published by the European Commission covers international transfers and ‘cooperation and consistency mechanisms’.

07 July 2020

Publication

Background

The GDPR required that the EC produce a public report by 25 May 2020 (and every four years thereafter) evaluating and reviewing the GDPR, including a review of international transfers and cooperation and consistency mechanisms. The EC has released this initial report (the Report) which, in summary, sets out that the EC considers that the GDPR has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.

Some key findings of the Report

  • Greater empowerment - the EC found that:

    • the GDPR empowers data subjects to control the use of their personal data
      with rights of rectification, erasure, access and objection; and

    • filing complaints with supervisory authorities and recovery of
      compensation for damage arising from breaches of the rights help
      enforce these rights.

    However, the EC flagged that more needs to be done to promote the
    right to data portability in the context of switching between service
    providers.

  • Balanced use of corrective powers - the EC considers that the general
    view is that data protection authorities have made balanced use of
    their strengthened corrective powers including warnings and fines.

  • One stop shop a work in progress – the EC’s findings were that
    supervisory authorities are cooperating well in the context of the
    European Data Protection Board (EDPB) and the one stop shop
    governance system. However, the EC comments that developing a truly
    harmonised data protection culture is an on-going process as data
    protection authorities have not yet “made full use of the tools the
    GDPR provides such as joint operations”. The EC noted that, at times,
    finding a common approach meant moving to the lowest common
    denominator, meaning opportunities to harmonise were missed.

  • Technology neutral means greater flexibility – the EC comments that
    as the GDPR is conceived in a technology neutral way, and is based on
    principles, it is designed to cover new technologies as they develop.
    The EC’s view is that this was demonstrated during the COVID-19
    crisis “notably in relation to the design of the tracing apps and
    other technological solutions to fight the pandemic” without the need
    for modification of its provisions. The EC forecast challenges ahead
    in applying GDPR principles in fields such as artificial
    intelligence, blockchain, Internet of Things and facial recognition.

  • Modernising international data transfers - the EC is working with the
    EDPB to modernise mechanisms for international data transfers,
    including the Standard Contractual Clauses and developing specific
    guidance on the use of certification and codes of conduct for
    transferring data outside of the EU. The EC will report separately on
    the existing adequacy decisions, after the ECJ has delivered its
    judgment in the Schrems II case.

Future actions for the EC

Based on its findings in the Report, the EC sets out actions that it deems necessary to support the GDPR, and it will monitor these in view of its next evaluation report, due in 2024. These actions include the EC:

  • encouraging cooperation between regulators;

  • finalising the work on the modernisation of the Standard Contractual
    Clauses, with a view to updating them in light of the GDPR, “covering
    all relevant transfer scenarios and better reflecting modern business
    practices”; and

  • encouraging, including through financial support, the drafting of EU
    codes of conduct in the area of health and research.

Next Steps

Organisations should keep track of the EC’s action in this area, in particular in relation to the Standard Contractual Clauses. If the Standard Contractual Clauses are updated then many organisations may need to take further action to ensure that international data transfers are covered by an adequate mechanism of transfer.

Please let us know if you have any questions or would like to discuss the above.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.