The European Commission published a report about the GDPR to assess two years of implementation of the famous data protection regulation. This assessment was well awaited, also in light of the pending negotiation of the e-privacy regulation which is currently stuck between Parliament and Council. The report analyses various areas of implementation and suggests some recommendations for the future.
A national enforcement system for a global market
One of the main question with GDPR is whether the current enforcement system, distributed over national authorities and the European Board, is working well. Fact is, data protection enforcement over big techs such GAFAs (the acronym for Google, Facebook, Apple and Amazon) is granted to the European countries where such companies are established, that is to say mainly Ireland and Luxembourg so far. Such small countries have been chosen by big techs merely for fiscal reasons, however they may become a problem with GDPR enforcement because local DPA authorities there do not have sufficient size and resources to tackle giant platforms. This is the question, in jargon, of the so-called “little authorities”. In addition, there might be political convenience in refraining from attacking such operators whose headquarters and presence is beneficial for the hosting countries. Fact is, after 2 years of GDPR implementation there are no signs of significant interventions against the GAFAs.
GDPR does not provides also for a centralized enforcement system pivoting the European Data Protection Board (EDPB), the agency-to-be of the national data protection authorities. EDPB mostly ensures consistency amongst DPA authorities and may intervene to settle disputes amongst them, however it is not authorized to replace “a little authority” which is not able or willing to do its job against a global platform.
Need for reform?
In other words, there should be room to discuss a reform of the GDPR enforcement system, although the European Commission is very cautious about that. The creation of a new European agency is always a matter of discussion between members States, because such a move would entail the delegation of national powers to a sovra-national entity. The first opponents to that are the national DPA authorities themselves, which would be the first victims of the loss of national powers. This is why European DPA authorities have preferred the creation of the EDPB as a form of umbrella organization rather than a true, new European agency. On the other side, national DPA authorities risk to be blamed in front of public opinion if they are not able to carry on their main tasks for what they are created and paid, i.e. tackling data abuse by big techs. This is why the move towards the creation of a European data protection agency may become a valid option to discuss.
Small countries hosting big tech could even agree with the above, because it could be an elegant way to solve the conflict of interests they have with big techs headquartered within their borders.
The precedents in the telecom sector
It is not the first time that the creation of an European agency, with delegated enforcement powers, is a matter of hard political discussion. In 2009 the European Union created BEREC, the agency for telecoms, after a long and exhausting discussion whether it should be a real agency or not. At the end, the soft option succeeded, and Berec was created and replaced the previous organization coordinating national authorities (called ERG) with a new organization which, however, does not have enforcement powers (although with a seat, in Riga, and ad hoc employees). Also in that case, national authorities and Members States won and preserved national sovereign competences.
In the case of telecoms, one could say that the national-geographic nature of this market may still justify the resistance of Member States and some national egoism. By contrast, as far as data protection and fights against big techs is concern, the case is more serious and the lack of a supra-national European enforcement agency is destined to become a problem.
Here the other takeaways from the Commission’s report:
- Enforcement of the GDPR and functioning of the cooperation and consistency mechanisms: The Commission notes that, while it is too early to assess the functioning of new cooperation mechanisms (such as one-stop-shops), more progress is needed for a harmonised handling of cross-border cases. In addition, the report underlines that several Data Protection Authorities (DPAs) suffer from a lack of resources.
- Recommendations: The EDPB (European Data Protection Board) and the DPAs are invited to support harmonisation in applying and enforcing the GDPR (including by further clarifying certain key concepts) and conducting joint investigations. The Commission will monitor the process and encourage cooperation. Member States are invited to allocate adequate resources to DPAs.
- Implementation of the GDPR by the Member States: The document notes that there is fragmentation, notably due to the extensive use of facultative specification clauses (e.g. the age of consent for children).
- Recommendations: Member States should consider limiting the use of specification clauses which might create fragmentation. The Commission will support the harmonisation of the legislative frameworks.
- Empowering individuals to control their data: The Commission notes that the GDPR’s potential for data portability has not been fully used yet, though it could foster competition and innovation. In that context, it mentions the importance of the European Data Strategy. Recommendations: The EDPB is invited to adopt further practical guidelines. The Commission, on its side, will focus on providing standard contractual clauses both for international transfers and the controller/processor-relationship. Furthermore, in line with the Data Strategy, it will explore practical means to facilitate the increased use of the right to portability by individuals.
- Opportunities and challenges for organisations, especially SMEs: While it would not be appropriate to provide derogations based on the size of the operators, the report notes that the application of the GDPR is challenging for SMEs.
- Recommendations: The European Commission will fully use the GDPR toolbox, particularly when it comes to SMEs.
- Application of the GDPR to new technologies: The European Commission warns that DPAs should be prepared to clarify how specific technologies (AI, blockchain, IoT, facial recognition) will work while respecting the GDPR.
- Recommendations: The Commission will monitor the application of the GDPR to new technologies, also taking into account the AI and Data Strategies.
- International transfers and global cooperation: The Commission is currently carrying out an adequacy assessment (under both the GDPR and the Data Protection Law Enforcement Directive) for the future EU-UK relationship. Furthermore, it is developing a comprehensive modernisation and update of standard contractual clauses to better reflect the realities of processing operations in the modern digital economy. Finally, the EDPB has updated the guidance on existing transfer mechanisms (binding corporate rules, ‘derogations’) and has developed the legal infrastructure for new tools (codes of conduct, certification).
- Recommendations: The European Commission will finish the ongoing evaluation of the existing adequacy decisions and the work on the modernisation of the standard contractual clauses. The EDPB is invited to streamline the assessment and eventual approval of binding corporate rules with a view to speed up the process.
- International cooperation in the area of data protection: The Commission recognised that EU companies should be able to share data without facing conflicts of law and compromising EU fundamental rights when they cooperate with foreign law enforcement authorities. Therefore, the Commission wants to develop appropriate legal frameworks with its international partners to support these forms of cooperation (by providing for the necessary data protection safeguards to contribute to a more effective fight against crime).
- Recommendations: The Commission will engage with third countries in a number of ways to foster international cooperation.