In the next few months, the European Commission will publish its second report on the application of the EU General Data Protection Regulation. To inform its evaluation, the Commission consulted its multistakeholder expert group and the European Data Protection Board, and ran a call for evidence in January that produced at least 260 submissions. The available statistics may not fully reflect the nature of responses but show that approximately 28% were submitted by trade associations, 27% by individuals and 12% by companies. The bulk of responses originated from Germany with 25%, followed by Belgium with 17% — likely due to the concentration of industry and civil society representation offices in Brussels — and France with 11%.
My colleague Laura Pliauskaite looked at a sample of submissions representative of these categories, and across industry and civil society. Every submission analyzed concluded that the GDPR contributes to improving personal data protection, but all acknowledged various drawbacks regarding its implementation and enforcement.
Industry expressed the need for:
- A risk-based and practical approach to application.
- Coherence with other new data-related legislation and the ePrivacy Directive.
- Consistent interpretation by member states.
- More consistent guidance from the EDPB and data protection authorities.
- Attention to sector-specific compliance.
- A simpler and reinforced approach to the one-stop shop.
- Clarification of data subjects' rights and of their limitations, taking into account other interests and objectives.
- A consistent approach across member states on the use of representative actions under the GDPR's Article 80.
- Improvement of international data transfer tools.
- More clarity on the role of data protection officers.
- More training from DPAs on sector-specific issues/special categories of personal data.
- More dialogue with industry, overall.
Civil society highlighted:
- DPAs' lack of resources.
- A lack of effective enforcement due to delays and procedural complexity.
- The importance of upholding data subjects' rights.
- The use of a risk-based approach to pick and choose compliance options.
- The need for additional EDPB guidelines, which should be binding.
- The need to ensure coherent implementation between the GDPR and new laws in the digital field.
None of the submissions analyzed recommended re-opening the legislation. Stakeholders' criticisms and wish lists are largely unsurprising. Rather, they once again crystallize the continuous feedback on a landmark piece of legislation that is still in the making eight years after its entry into force.
Elsewhere:
- EU negotiators reached a provisional agreement on the proposed European Health Data Space. The EHDS is one of a dozen data spaces to be created with the goal of facilitating access to and exchange of health data at the EU level. At a first level, it would ease cross-border access to medical data for patients, health professionals and caregivers. At a second level, it would make such data available for research, innovation and development. The EHDS's application will raise a set of complex data protection compliance issues, including regarding the concepts of anonymization, the legal basis for processing and international data transfers. The text should receive final approval from the European Parliament in late April.
- The deadline after which U.K. businesses can no longer rely on the old EU standard contractual clauses for restricted transfers under the U.K. regime is 21 March. U.K. businesses will have to rely either on the international data transfer agreement or the addendum, or leverage another means of compliance. The U.K. Information Commissioner's Office published this guide.
- The ICO published new guidance on fines. As previewed by the regulator's General Counsel Claudia Berg at the IAPP Data Protection Intensive: UK in London last February, "the guidance is not just about going after non-compliance, it is also about sending a deterrent message to others." Transparency and predictability on the cost of noncompliance are very important, as is the ICO's ability to preserve its flexibility. The guidance establishes that the regulator "will consider whether to impose a fine as well as, or instead of, other corrective measures."