GDPR worked but has a few kinks

The European Union (EU) General Data Protection Regulation (GDPR) has been assessed as an overall success in terms of meeting expectations and objectives, but a two year progress report suggests that there are still a few kinks which need to be ironed out.

The European Commission (EC) said it would be premature to draw definite conclusions as to the application of the GDPR, and to provide for proposals for any revisions, but said it had identified a number of areas where improvements could eventually be made.

It said that the GDPR had made EU citizens feel more empowered and aware of their enforceable rights and protections – according to the EU Fundamental Rights Agency, 69 percent of those aged over 16 have heard of the GDPR, and 71 percent have heard about their national data protection agency. In general, it said, people feel they can play an active role in controlling their data.

Organisations felt that having one consistent set of rules to adhere to across the EU had been a benefit, as well as levelling the playing field when competing with organisations not based in the EU but operating there. Small to medium-sized enterprises (SMEs) tended to feel that many of the provisions of the GDPR had lowered the barriers to entry to data protection friendly services.

GDPR is helping  fostering more trustworthy innovation through risk-based approaches and principles such as privacy by design – the EC noted its approach had been tested during the Covid-19 pandemic and shown to be successful, with principles-based rules supporting the development of tools to effectively combat and monitor the spread of the virus.

The EC also said that the EU’s disparate data protection authorities (DPAs) had shown they could actively work together since the introduction of the GDPR, however it noted that that neither a dispute resolution nor an urgency procedure have yet been triggered under the regulations.

The EC made a number of suggestions for improvements around differences in national administrative procedures and how different EU member states interpret various concepts under the rules – the European Data Protection Board has already indicated that it will clarify procedural steps to help in this regard.

DWF  Global Head of Data Protection & Cyber Security Stewart Room said the Commission’s report on the operation of the GDPR, two years since it came into effect, provides high praise for its achievements, claiming that it has ‘successfully, met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU’. While it is certainly the case that the GDPR triggered a huge amount of compliance activity between 2016 and 2018 and lots of news coverage, which helped to raise awareness levels of data protection rights, the lack of empirical evidence to support the Commission’s claims stand out.

“A key problem to note is that there is an absence of such evidence on data protection performance levels under the previous legal regime (the 1995 Directive), so, therefore, there isn’t a benchmark available to substantiate progress made under the GDPR. In contrast, reports of personal data security breaches have not run dry, there are still structural problems in the AdTech environment and with the ceaseless progression of developments in technology, such as facial recognition and AI, there have to be doubts about the ability of the law and the regulatory system to keep up speed.

“The GDPR is certainly a good and welcomed innovation, but perhaps we should divorce legislative intent from the realities on the ground, within which there remain serious problems with the resourcing levels of the regulatory offices compared to the work that needs to be done and low levels of enforcement activity.”