European Commission report on the GDPR: more work needed

July 24, 2019

The European Commission has published a report looking at the impact of the EU data protection rules after one year of being in force, and how implementation can be further improved. The report concludes that most member states have implemented the GDPR, and that the new system strengthening the enforcement of data protection rules is falling into place. Businesses are developing a compliance culture, while citizens are becoming more aware of their rights. At the same time, convergence towards high data protection standards is progressing at international level.

The GDPR has made EU citizens increasingly aware of data protection rules and of their rights, as indicated by the Eurobarometer survey published in May 2019. However, only 20% of Europeans know which public authority is responsible for protecting their data. As a result, the European Commission has launched a campaign to encourage Europeans to read privacy statements and to optimise their privacy settings.

While the GDPR has achieved many of its objectives, the Commission’s report also sets out concrete steps to further strengthen these rules and their application:

Most member states with the exception of Greece, Portugal and Slovenia, have updated their national data protection laws in line with EU rules. The Commission will continue to monitor national laws to ensure national laws implement, but not gold plate, it. If needed, the Commission will use the tools at its disposal, including infringements, to make sure member states correctly transpose and apply the rules.

The GDPR has given national data protection authorities more powers to enforce the rules. During the first year, national data protection authorities have made use of the new powers effectively when necessary. Data protection authorities are also cooperating more closely within the European Data Protection Board. By the end of June 2019, the cooperation mechanism had managed 516 cross-border cases. The report says that the EDPB should step up its leadership and continue building an EU-wide data protection culture. The Commission also encourages national data protection authorities to pool their efforts, for example by conducting joint investigations. The European Commission will continue to fund national data protection authorities in their efforts to make contact with stakeholders.

As more countries introduce modern data protection rules, they use the EU data protection standard as a reference point. This upwards convergence is opening up new opportunities for safe data flows between the EU and third countries. The Commission will further intensify its dialogues on adequacy, including in the area of law enforcement. In particular, it aims at concluding the ongoing negotiations with the Republic of Korea in the coming months. Beyond adequacy, the Commission aims to explore the possibility to build multilateral frameworks to exchange data with trust.

In line with the General Data Protection Regulation, the Commission will report on its implementation in 2020 to assess the progress made after two years of application including on the review of the 11 adequacy decisions adopted under the 1995 Directive.