Today the European Commission published its first review of the application of the General Data Protection Regulation ("GDPR").
Just over two years on from the GDPR's application in May 2018 (a time which might feel simultaneously distant and recent for many privacy professionals…!), the review takes into account input from the Council of the European Union, the European Parliament, the European Data Protection Board ("EDPB"), individual Data Protection Authorities ("DPAs"), an independent expert group and various other stakeholders.
In a nutshell, the Commission's message regarding the law's application reads much like many school report cards (including those of this post's author) – some notable achievements, shows good potential, but needs to pull up its socks in various areas.
As per the European Commission's remit under Article 97(2), the review covers international transfer issues and the cooperation / consistency mechanisms between the EDPB and DPAs. However, it also addresses various other topics including DPA resourcing, extra-territoriality and even provides a brief insight on the revisions to the Standard Contractual Clauses.
There's a lot to unpack in the review and many issues merit deeper consideration (e.g. how do national DPAs navigate local procedures and processes in respect of cross-border cases? To what extent is it actually feasible to apply principles-based legislation to a plethora of rapidly-evolving technologies? What needs to be included in a "comprehensive modernisation" of the SCCs?).
However, for now, this blog post seeks just to summarise the ten key takeaways for privacy professionals:
- A law in its infancy – the document makes clear that it would be premature to draw definitive conclusions regarding the law's application. Not wholly unexpected but it serves as a reasonable reminder that the GDPR is still in its infancy.
- A balanced use of enforcement powers – the Commission's view is that DPAs have made "balanced use" of their enforcement powers highlighting the range of fines issued but also noting that bans on processing may be an equal or higher deterrent than fines. The document doesn't comment on concerns from some privacy stakeholders that the fines have been limited in scale and number.
- Cross-border cases and cooperation – the report highlights a need to improve the handling of cross-border cases, citing national divergences in complaint handling processes, timeframes and procedures. The Commission is participating in a "reflection process" with the EDPB on these issues. In addition, the report explains that DPAs' attempts to find a common approach to issues (the national DPIA lists are given as an example) have sometimes meant "moving to a lowest common denominator".
- DPA resourcing – unsurprisingly, the Commission flags the need for EU Member States to allocate sufficient human, financial and technical resources to DPAs. The document makes clear that, given the establishment of large tech multinationals in Ireland and Luxembourg, their DPAs require more resources than their respective populations might suggest.
- Fragmentation of national laws – according to the Commission, there is a degree of inconsistency in local law application (e.g. age of children's consent for information society services) which stymies cross-border business and innovation. The Commission also calls for Member States to complete any revisions of their sectoral laws to take into account the GDPR.
- Greater awareness of data protection rights – the Commission praises the fact that post-GDPR data subjects have a greater awareness of their rights but flags the need for wider exploitation of certain rights (e.g. data portability). Interestingly, the review highlights the proposed Directive on representative actions for the protection of the collective interests of consumers, as potentially paving the way for group actions on data protection rights.
- Revisions to Standard Contractual Clauses – the document sets out that the Commission is working on a "comprehensive modernisation" of the Standard Contractual Clauses. This seems to relate just to the Controller to Processor clauses but it's not crystal clear whether work on Controller to Controller clauses or any Processor to Subprocessor clauses is also taking place. The Commission flags the forthcoming Court of Justice of the European Union judgment in the "Schrems II" case which will impact this work. No timeframes are provided for when the new clauses may see the light of day.
- Application to new technologies – the Commission notes that the GDPR is a principles-based law but highlights the challenges in applying this approach to specific / rapidly-evolving technologies like facial recognition.
- Adequacy developments – the review refers to the EU-Japan mutual adequacy decision and describes the Republic of Korea adequacy assessment as being at an advanced stage. Exploratory talks are also apparently happening with countries in Asia and Latin America. Brief reference is made to the adequacy assessment in respect of the UK which is taking place, but no detail on this process is provided. Finally, as Article 97 requires this review to cover, the Commission will, following the Schrems II judgment, work on assessing the existing adequacy decisions that were made pre-GDPR. No comment is made as to whether the Commission would propose changes to those existing decisions. The document also praises the fact that the GDPR has acted as a reference point for many new data protection laws around the world.
- Extra-territoriality – the Commission reminds DPAs that the territorial scope of the GDPR should be reflected in enforcement actions and suggests involving a controller or processor's EU representative where necessary.