Out-Law Analysis | 29 Jun 2020 | 11:50 am | 7 min. read
Actions planned in response to the findings from the European Commission's GDPR review underpin its broader aim for greater convergence of data protection standards internationally. These include renewed efforts to drive out differences in the way EU governments and national data protection authorities apply data protection law, a push to expand the network of jurisdictions deemed to offer 'equivalent' data protection to that available in the EU, and the revision of standard contract clauses (SCCs) to help companies transfer personal data around the world more easily.
The Commission's review of the GDPR stemmed from its obligation, under Article 97 of the GDPR, to submit a report on the evaluation and review of the Regulation to EU law makers within two years of the GDPR taking effect. Its next review is due in 2024. The wide-ranging review looked at a number of important aspects of the data protection regime and how it had operated since the GDPR began to apply on 25 May 2018.
The GDPR introduced new cooperation and consistency mechanisms into EU data protection law in a bid to ensure greater harmonisation of the approach data protection authorities throughout the EU take to applying that law.
Central to that effort is the European Data Protection Board (EDPB), a body that brings together representatives from all the national data protection authorities of EU countries. The EDPB has a special statutory role to ensure cross-border enforcement of data protection law is consistent, and leads on the publication of guidance to support businesses in complying with the provisions laid out in the Regulation.
By the end of 2019, the EDPB had adopted 10 sets of guidelines and 43 opinions in relation to the GDPR. However, views gathered from stakeholders during the Commission's review, including from Pinsent Masons, identified the need for additional guidance "on key concepts of the GDPR" and for "more practical advice, in particular more concrete examples". In response, the Commission has called on the EDPB and national data protection authorities to meet this challenge in the future guidance they issue.
In its report, the Commission noted that all EU member states except Slovenia have adopted new national data protection laws to implement and complement the GDPR. However, it also found that there is a "degree of fragmentation" in how the GDPR has been implemented across the different countries because of the freedom the Regulation provides member states in certain areas to specify their own national rules.
Particular differences in the age of consent and the reconciliation of data protection with freedom of expression and information were highlighted in this regard. This causes uncertainty for data subjects in terms of how their rights apply, and also causes challenges for cross-border business and innovation.
The Commission also pointed out the different approaches to derogations which permit the processing of 'special category data', including for health and research purposes. The Commission is mapping these different approaches and will support the establishment of codes of conduct to facilitate cross-border processing. It will also give feedback to the EDPB in relation to its future guidelines on the processing of personal data for scientific research.
The impact of the GDPR has not only been limited to the business sector. Different studies have concluded that a very high percentage of the general population of the EU is aware of the content of the Regulation and are being very active in exercising their data protection rights. In this sense, one of the objectives is to promote the exercise of the right to portability.
In essence, the right to portability of personal data lets individuals share information held by one organisation with another, to switch service providers for instance. However, despite the increasing prevalence of the 'internet of things', the Commission said this right is not being used to its full potential. The Commission aims to extend the exercise of data portability to a wider number of sectors beyond banking and telecommunications where it is used most often. To achieve this, the design of appropriate tools, standardised machine-readable formats and interfaces is envisaged.
The Commission's review identified concerns from the SME community about the administrative burdens GDPR compliance places on their businesses. The Commission has pledged to look in more detail at this issue and has identified the potential for more practical tools to be developed to help SMEs – this includes "harmonised forms for data breaches and simplified records of processing activities" which it said the EDPB could lead on developing.
A "common European approach" to address barriers to trade in the EU single market for SMEs is preferred by the Commission. In this respect, it plans to publish new SCCs between controllers and processors and is seeking to facilitate the development of new codes of conduct and certification schemes, including in the area of cybersecurity.
While the Commission is of the view that the GDPR has demonstrated its flexibility in relation to new technologies during the business and public health response to the coronavirus crisis, notably in relation to the design of new contact tracing apps, it has acknowledged that the application of the GDPR to technological advancements such as facial recognition and AI will be a challenge and require ongoing monitoring.
Businesses can expect the EDPB to publish new guidance on how the GDPR applies to the areas of scientific research, AI, blockchain, and potentially other technological developments too over the coming months.
The 'adequacy decision' mechanism provided for by the GDPR, through which the European Commission endorses other jurisdictions as having equivalent data protection standards to those in place in the EU, has enabled the creation of large areas of free and safe data flows. The adequacy regime is also expected to play an important role in the context of the future, post-Brexit, relationship between the EU and UK in respect of digital trade, law enforcement and security.
The need to ensure the continuity of adequacy decisions is an important tool for trade and international cooperation. SCCs are the most widely used data transfer mechanism, for transfers to countries that do not have an 'adequacy decision'. The Commission’s planned work on the comprehensive modernisation of these clauses in the light of the GDPR requirements and rulings of the Court of Justice of the EU (CJEU) is necessary for thousands of EU companies to provide services to their clients, suppliers and employees.
The Commission wants the EDPB to clarify the interplay between rules on international data transfers and the territorial scope of the GDPR. The GDPR’s territorial scope which covers processing activities of foreign operators that are active in the EU market must also be reflected in the enforcement action by the data protection authorities, it said. In this regard, the Commission said representatives within the EU should be appointed to liaise with data protection authorities of so-called 'third countries'.
Finally, the assessment and eventual approval of binding corporate rules and the completion of the work on the procedures and criteria for codes of conduct and certification mechanisms is seen as essential to further develop the toolkit for international data transfers.
According to the Commission, the GDPR acts as a major reference point at international level for countries developing their own data protection frameworks and has accelerated the introduction of modern privacy rules in many jurisdictions – most recently in the Dubai International Financial Centre (DIFC). While this should contribute to improved data protection when data is transferred outside the EU, it should also facilitate legitimate data flows.
In this respect, the Commission plans to ramp up its dialogue with policymakers around the world, for instance through the EU-Africa partnership and in discussions with the OECD, G20 and G7, with the objective of increasing respect for privacy and developing elements of convergence between different privacy systems.
The Commission also plans to establish a 'Data Protection Academy' to facilitate and support exchanges between European and international data regulators.
The Commission's report also highlighted its intention to continue fighting abuses of privacy and digital protectionism, including by challenging disproportionate access of foreign authorities to personal data and forced data localisation requirements. It wants to provide companies active in the EU need greater legal certainty in cases where they face a legitimate request to transfer data for law enforcement purposes by addressing conflicts of law across jurisdictions.
The report acknowledged that some opportunities to foster harmonisation were missed. One example the Commission specifically cited was the national lists of the kinds of processing operations which require data protection impact assessments to be conducted, under Article 35 of the GDPR.
Feedback from stakeholders that fed into the review, including from Pinsent Masons, pointed to inconsistencies between GDPR guidance developed in individual member states and by the EDPB. The EDPB and national data protection authorities have been asked to work towards greater alignment of the guidance they produce.
In addition to delivering greater alignment of guidance, the Commission has invited the EDPB and national data protection authorities to effectively implement the cooperation and consistency mechanism, and support harmonisation by clarifying "key GDPR concepts".
The Commission committed to closely monitor the independence of national data protection authorities and to encourage cooperation between regulators, particularly in the fields of communications, competition, and consumer policy. It also called on member states to ensure that data protection authorities are sufficiently resourced.
The Commission has identified a number of ways that organisations can be better supported to comply with the GDPR. Examples include:
In Pinsent Masons' submission to the European Commission's review, we highlighted that one area pervasive to how the EU looks at personal data is use of data as part of innovation. It is vital that innovative uses of data are not stifled or that innovative partners are not driven to other territories to undertake their work.
Additional reporting by Nicola Barden, Carrie McMeel, Kai Paterna, Betty Jeulin, Carmen Moreno and Lauro Fava of Pinsent Masons, the law firm behind Out-Law.
01 May 2020