The European Commission, the executive body of the European Union, has published its first GDPR evaluation report since the GDPR took effect on May 25, 2018. It has been more than two years since the GDPR took effect and the report provides an assessment of how effective the GDPR has been at achieving its aims.
The EU considers the GDPR an overall success, as the regulation has broadly achieved most of its objectives, but there have been some teething problems and there are some challenges that need to be overcome. The GDPR should be considered a work in progress and is not quite living up to its full potential.
Due to the sweeping changes that were introduced, the European Commission does not believe it is possible to draw definitive conclusions about the GDPR's effectiveness after just two years. The Commission says in the report that it will continue to monitor progress, will continue to work with individual member states and the European Data Protection Board (EDPB) on the application of the GDPR, and will ultimately put forward proposals for revisions.
The report highlights how the new rights introduced by the GDPR have empowered EU citizens, who now feel more in control of their personal data. The GDPR has raised awareness of privacy in Europe and is helping to prevent companies from violating the privacy of EU citizens.
Organizations covered by the GDPR have benefited from having one set of rules to follow, with the GDPR providing a degree of consistency across all EU member states. The GDPR has also helped to ensure that all businesses processing the personal data of EU residents work to the same set of rules, regardless of where they are located, which has helped to level the playing field.
There have been some issues, which were highlighted in the report. Small- and medium-sized enterprises have struggled with compliance and further work is required to help SMEs comply with the GDPR.
Although the GDPR has improved consistency across member states, harmonization is still incomplete and the rules remain fragmented in places. Individual countries were required to bring their national laws into line with the GDPR, and that is still an ongoing process.
Consistent enforcement of GDPR rules has also been a problem. It is the responsibility of the data protection authority (DPA) in each country to pursue financial penalties for violations, but some DPAs lack the necessary resources, and levels of in-house expertise vary across member states. The differences in national laws have also created challenges for joint enforcement actions; for example, member states have set different ages at which a child can give consent to the processing of their data. In such cases, joint enforcement actions have required data protection authorities to apply the least restrictive set of rules.
Enforcement against large tech companies remains largely the responsibility of the DPAs in Luxembourg and Ireland, where those firms have their EU bases, and those DPAs lack the resources to handle caseloads that are considerably larger than those of other countries.
“To be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across each country, while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers’ data at risk,” explained the European Commission in the report.
“To meet the full potential of the GDPR, it is important to create a harmonised approach and a European common culture of data protection, and to foster a more efficient and harmonised handling of cross-border cases. This is expected by people and businesses and constitutes an essential objective of the reform of EU data protection rules.”