On 24 June, the European Commission published the Communication reviewing of the two years of application of the General Data Protection Regulation (GDPR) The Communication received input from the multistakeholder expert group on the application of the GDPR, of which EDRi members Access Now and Privacy International belong to. EDRi welcomes the publication of the review at a time where data protection needs to be reinforced and not only celebrated.
The GDPR is considered one of the “crown jewels” of the European legislation. However, 2 years after the Regulation entered into force, the GDPR has been increasingly receiving criticism from data protection activists (citing the lack of “teeth” of the Regulation) or, from the Big Tech side, because of accusations that GDPR stifles innovation.
What’s the GDPR Impact Assessment?
The Commission review report highlights many of the similar analysis that civil society groups have raised during the last two years, namely:
- There are not enough joint operations or investigations for cross-border cases which could have led to a more harmonised enforcement.
- Member states need to allocate “sufficient human, financial and technical resources to national data protection authorities”.
- Despite the “harmonised” legislation, different implementations still exist in areas such as the age of children consent for processing data, balancing freedom of expression and information with data protection rights, as well as derogations from the general prohibition to process certain categories of personal data.
- Individuals are not fully empowered yet, for example in the case of the right to data portability.
- It is unclear how to adapt the GDPR to “new” technologies, such as contact tracing apps and facial recognition.
Alexa, tell me where to go from here
EDRi welcomes the request from the Commission’s Communication to ask for stronger enforcement by asking DPAs and member states to ensure harmonised enforcement, the need for adequate funding for DPAs , as well as the creation of specific guidelines when needed. If there is no adequate progress, we agree with the Commission that infringement procedures to ensure that Member States comply with GDPR are an adequate tool at their disposal.
GDPR was the best possible outcome we could achieve during its contemporary political scenario. Now it is the time to ensure that all the work from activists, policy makers and academics were worth their efforts. We must ensure that GDPR’s complementary legislation, the ePrivacy Regulation, is strengthened and adopted during the German Presidency of the Council of the EU.
Communication from the European Commission on the review of the GDPR (24.06.2020)
Access Now welcomes European Commission’s call for stronger enforcement of the GDPR (24.06.2020)
Privacy International: GDPR – 2 years on (22.05.2020)