European Commission: General Data Protection Regulation shows results, but work needs to continue
Just over one year after the entry into application of the General Data Protection Regulation, the European Commission has publishedon July 24th a report looking at the impact of the EU data protection rules, and how implementation can be improved further. The report concludes that most Member States have set up the necessary legal framework, and that the new system strengthening the enforcement of the data protection rules is falling into place. Businesses are developing a compliance culture, while citizens are becoming more aware of their rights. At the same time, convergence towards high data protection standards is progressing at international level.
While the new data protection rules have achieved many of their objectives, the Commission's communication also sets out concrete steps to further strengthen these rules and their application:
One continent, one law: Today, all but three Member States – Greece, Portugal and Slovenia – have updated their national data protection laws in line with EU rules. The Commission will continue to monitor Member State laws to ensure that when they specify the GDPR in national laws, it remains in line with the Regulation and that their national laws are not a gold-plating exercise. If needed, the Commission will not hesitate to use the tools at its disposal, including infringements, to make sure Member States correctly transpose and apply the rules.
Businesses are adapting their practices: Compliance with the Regulation has helped companies increase the security of their data and develop privacy as a competitive advantage. The Commission will support the GDPR toolbox for businesses to facilitate compliance, such as standard contractual clauses, codes of conduct and new certification mechanism. In addition, the Commission will continue supporting SMEs in applying the rules.
Stronger role of data protection authorities: The Regulation has given national data protection authorities more powers to enforce the rules. During the first year, national data protection authorities have made use of these new powers effectively when necessary. Data protection authorities are also cooperating more closely within the European Data Protection Board. By the end of June 2019, the cooperation mechanism had managed 516 cross-border cases. The Board should step up its leadership and continue building an EU-wide data protection culture. The Commission also encourages national data protection authorities to pool their efforts for instance by conducting joint investigations. The European Commission will continue to fund national data protection authorities in their efforts to reach out to stakeholders.
EU rules as reference for stronger data protection standards across the globe: As more and more countries across the world equip themselves with modern data protection rules, they use the EU data protection standard as a reference point. This upwards convergence is opening up new opportunities for safe data flows between the EU and third countries. The Commission will further intensify its dialogues on adequacy, including in the area of law enforcement. In particular, it aims at concluding the ongoing negotiations with the Republic of Korea in the coming months. Beyond adequacy, the Commission aims to explore the possibility to build multilateral frameworks to exchange data with trust.