Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation
On the 24th of June 2020, the European Commission published the Communication on Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation (GDPR).
The European Commission’s Communication is accompanied by a press release on the Commission’s report and a summary of the main findings, in the form of questions and answers.
As noted in the content of the Communication, one of the conclusions is that, after two years of application, the GDPR has met its objectives of strengthening the protection of personal data and guaranteeing the flow of personal data.
With regard to the improvements made by the GDPR, it is noted that the Regulation has strengthened the transparency and has given individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability.
As far as the data protection authorities are concerned, they play a key role in ensuring the application of the GDPR at national level and the effective functioning of the cooperation and consistency mechanisms of the European Data Protection Board, in particular the one-stop shop mechanism used for cross-border cases. Thus, the Commission has consistently stressed the obligation for Member States to allocate sufficient human, financial and technical resources to national data protection authorities.
At the same time, the GDPR provides national data protection authorities with harmonized and enhanced powers. Since the entry into application of the Regulation, data protection authorities made use of a wide range of corrective powers provided by the GDPR, such as administrative fines, warnings and reprimands, orders to comply with the data subject’s requests, orders to bring processing operations into compliance with the Regulation, to rectify, erase or restrict processing. The GDPR also provides a broader range of corrective powers. For example, the effect of a ban on the processing or the suspension of data flows can be much stronger than a financial penalty.
At the same time, the data protection authorities have been very actively working together as members of the European Data Protection Board, also by using the cooperation tool of mutual assistance intensively. As regards the consistency mechanism, the EDPB adopted several opinions over the past two years. Regarding the handling of cross-border cases, it was noted the need for a more efficient and cohesive approach when using the cooperation instruments provided in the GDPR. The main issues to be tackled in this context include: differences in national administrative procedures, varying interpretations of concepts relating to the cooperation mechanism, and also varying approaches regarding the start of the cooperation procedure, the timing and communication of information.
The Commission also states that the GDPR has emerged as a reference point for many countries around the world when these countries have modernised their personal data protection rules (Chile, South Korea, Brazil, Japan, Kenya, India, Tunisia, Indonesia, Taiwan and the state of California, to name a few).
At the same time, it is mentioned that the GDPR offers a modernized toolbox to facilitate the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection.
The key objective at this stage is to support a harmonized and consistent implementation and enforcement of the GDPR across the EU. This requires a strong engagement from all the actors:
- making sure that national legislation, including sectoral ones, are fully in line with the GDPR;
- Member States providing data protection authorities with the necessary human, financial and technical resources to properly enforce the data protection rules;
- data protection authorities developing efficient working arrangements regarding the functioning of the cooperation and consistency mechanisms, including on procedural aspects;
- making full use of the toolbox under the GDPR to facilitate the application of the rules, for instance through codes of conduct;
- closely monitoring the application of the GDPR to new technologies such as AI, IoT, blockchain.
As regards the international dimension, the Commission will continue to focus its efforts on promoting convergence of data protection rules as a way to ensure safe international data flows.