The report of the EU Commission on the GDPR unveils a situation where Member States and data protection authorities still need to have a more consistent approach and exploit all the potentials of the EU privacy regulation.
The key findings of the EU Commission report on the GDPR
The report from the European Commission is quite extensive, but its main findings can be summarized as follows:
- The one-stop-shop mechanism will be used for several relevant cross-border decisions, often impacting big tech companies, and will have a substantial impact on individuals’ rights in several EU Member States;
- Data protection authorities have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations;
- Progress is needed to make the handling of cross-border cases more efficient and harmonized across the EU, in terms of procedures, admissibility criteria, duration of proceedings;
- Inconsistencies between the national guidance and the guidelines from the European Data Protection Board are a significant issue, and companies need more practical advice on how to handle data protection matters;
- There is still a degree of fragmentation in national laws of EU Member States integrating the GDPR which is notably due to the extensive use of facultative specification clauses;
- The reconciliation of the right to the protection of personal data with freedom of expression and information and the proper balancing of these rights is a challenge for national legislation;
- The right to data portability has clear potentials, still not fully used, to put individuals at the center of the data economy by enabling them to switch between different service providers, to combine various services, and increase competition; and
- The Commission is working on a comprehensive modernization of standard contractual clauses, to update them in light of new requirements introduced by the GDPR. The matter is quite urgent, also in the light of the EU Court of Justice’s upcoming decision on the so-called Schrems II case expected to be issued on the 16th of July.
My view on the main criticalities faced during the two years of GDPR
There is no doubt that the main weakness of the GDPR during its first two years of life was the lack of a consistent approach among data protection authorities. Multinational companies were looking forward to achieving unique turn-key solutions across the European Union but ended up with a considerable fragmentation that requires a country-specific approach.
At the same time, both individuals and companies did not fully understand the potentials of the new data portability right, which might undermine anti-competitive behaviors that were consolidated over the years.
The most crucial test for the GDPR is the upcoming decision of the EU Court of Justice on Schrems II, which might invalidate the Standard Contractual Clauses, creating the same situation of panic that occurred five years ago with the invalidation of the Safe Harbor. Companies shall be able to deal with the potential impact of this decision, adopting both legal and technical measures to put their operations on the line.
On the topic mentioned above, you may find interesting the article #HappyBirthdayGDPR – It CANNOT be the year of the “whatever it takes”.
Image Credit Trending Topics 2019