The EU Commission today issued a “Communication to the European Parliament and the Council” entitled “Data protection rules as a trust enabler in the EU and beyond - taking stock”, which outlines the current state of EU data protection, with particular focus on the impact of GDPR.
- The implementation of GDPR in the EU
The Commission notes that all EU Member States have updated their national data protection laws except for three (Greece, Portugal and Slovenia).
In some instances, Member States have introduced national requirements on top of the GDPR, in particular through many sectoral laws; this leads to fragmentation and creates unnecessary burdens. One example of an additional requirement introduced by Member States on top of the Regulation is the obligation under the German legislation to designate a Data Protection Officer in companies with 20 employees or more permanently involved in automated processing of personal data.
The work of national courts and the Court of Justice of the European Union is also helping to create consistent interpretation of data protection rules. National courts in Germany and Spain have recently issued judgements invalidating provisions in national laws which depart from the GDPR.
As regards enforcement, the Commission finds that national Data Protection Authorities (DPAs) have adopted a balanced approach to enforcement powers. “They have focused on dialogue rather than sanctions”, says the Commission. It gives the following examples of fines imposed by DPAs:
- EUR 5 000 on a sport betting café in Austria, for unlawful video surveillance;
- EUR 220 000 on a data broker company in Poland for failure to inform individuals that their data was being processed;
- EUR 250 000 imposed on the Spanish football league LaLiga, for lack of transparency in the design of its smartphone application;
- EUR 50 million on Google in France, because of the conditions for obtaining consent from users (we commented on that decision on our blog here).
As regards individuals’ rights, the Commission notes a stronger awareness of data protection rights. Individuals increasingly exercise their rights. Requests for access to personal data have increased in several sectors, such as banking and telecommunications. Individuals have also more often withdrawn their consent and exercised their right to object to commercial communications.
However, some operators reported misunderstandings by individuals about data protection rules, such as the belief that individuals should consent to all processing, or that the right to erasure is absolute (while for instance personal data sometimes have to be kept by the operators due to legal obligations, see our blog post on this topic here). On their side, civil society organizations complain about long delays in replies from some businesses and DPAs.
Finally, the Commission comments on how the protection of personal data is integrated in several other areas tackled by European Union policies such as telecommunications, artificial intelligence, transport, energy, etc. In those areas, compliance with the GDPR is key but the interplay between data protection issues and sectoral policies can be challenging, for example in the area of health and research. On this topic, the Commission mentions that it prepared specific Questions and Answers on the interplay between the Clinical Trials Regulation and the GDPR (see our blog post on this topic here). The Commission also notes that there are interplays with competition rules. Although this is not expressly mentioned in the Communication, one can assume that they have in mind the new rules about data portability.
- International aspects
The Commission notes that a number of countries outside the EU have adopted new data protection rules or have modernized existing ones, with legislation that is general rather than sectoral. This trend is truly global, running from South Korea to Brazil, from Chile to Thailand, from India to Indonesia. The Commission does not refer to the recent California Consumer Privacy Act, maybe because it is focused on consumers and not as far-reaching as the GDPR.
As regards the transfer of data outside of the EU, the Commission points out that this past year, it intensified its work on the convergence between privacy systems, notably by exploring the possibility of adopting adequacy decisions with selected third countries. In February 2019, the EU-Japan mutual adequacy arrangement entered into force and created the world’s largest area of free and safe data flows. Adequacy negotiations with South Korea are at an advanced stage and exploratory work is ongoing with a view to launching adequacy talks with several Latin American countries, such as Chile or Brazil, depending on the completion of ongoing legislative processes.
As regards the transfer of data to the US, the Commission states that the EU-US Privacy Shield has proven to be a useful tool to ensure transatlantic data flows based on a high level of protection, with more than 4,700 participating companies. Its annual review ensures that the correct functioning of the framework is regularly checked and that new issues can be addressed in time.
Not surprisingly, the Commission’s conclusion is that the first year of application of the GDPR “has been overall positive” but that further progress is necessary in a number of areas.