While the EU General Data Protection Regulation has proven to be a valuable framework in the two years since it came into force, it still requires some work regarding proper implementation by EU member states and a potential modernization of cross-border data transfers. That was some of the message put forth by the European Commission in its highly anticipated, two-year GDPR review released Wednesday.
In a press conference on the review, European Commission Vice President for Values and Transparency Věra Jourová and Commissioner for Justice Didier Reynders were complimentary of the GDPR, saying the regulation is “a success” and "showing the way forward."
However, Jourová was quick to point out there’s a “very serious to-do list” facing the Commission and member states going forward.
“The European Data Protection Board and data protection authorities need to step up their work to provide a truly common European culture, provide more coherent and practical guidance, and work on vigorous but uniform enforcement,” Jourová said. “We have to work together, as the board and member states, to address concerns, particularly those of small and medium-size enterprises.”
Jourová’s call for more collaboration and harmonization fall in line with sentiments set out in the Commission’s review. More specifically, the review alluded to a "lack of a consistent approach" between data protection authorities on GDPR enforcement. Member states have shown varying interpretations of provisions, resulting in strict enforcement, flexibility or something in between. The variance in the approaches for the minimum age for a minor to consent to the use of their data was one example put forth in the review.
"We have to ensure that it is applied harmoniously, or at least with the same vigor, across the European territory," said Reynders, who mentioned there can be some nuanced differences. "In order for that to happen, data protection authorities need to be sufficiently equipped. They need the relevant number of staff and budgets, and there is a clear will to move on that direction."
Responding to the review, European Data Protection Supervisor Wojciech Wiewiórowski also emphasized the need for unification among DPAs' approaches to implementation and enforcement.
"We now need a stronger expression of genuine European solidarity, burden sharing and a common approach to ensure the enforcement of our data protection rules," Wiewiórowski said in a statement. "The outstanding success of the GDPR is the combination of many factors but the European data protection authorities’ ability to enforce EU rules is key, in particular if we want to address some harmful data practices by powerful global players. The EDPS stands ready to share its resources and expertise."
On the topic of adequate resources for DPAs, the review noted 42% and 49% increases in regulators' staffing and budgets, respectively, from 2016-2019. The numbers reflect progress, but the Commission is seeking more with a particular eye on boosting resources for DPAs in Ireland and Luxembourg.
The Commission in its review, "Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest."
The EDPB, which provided its own submission to the Commission's review process, supports the concept of continuing to increase resources. The board said Wednesday via Twitter, "It is of utmost importance that national governments fund their data protection regulators appropriately. The supervisory authorities can only be as good in implementing the GDPR as the resources available to them."
The review also covered the GDPR's work as it relates to cross-border transfers and other international data activities.
IAPP Research Director Caitlin Fennessy, CIPP/US, who formerly served as the Privacy Shield director at the U.S. International Trade Administration, noted the review discusses the 11 adequacy assessments underway and a modernization of standard contractual clauses, which are expected to move forward after July's "Schrems II" decision from the Court of Justice of the European Union.
Other big takeaways, according to Fennessy, are a planned push for data protection provisions in trade agreements and discussions on a "Data Protection Academy" where DPAs, from the bloc and abroad, can share experiences and best practices.
The future of data protection in the U.K. was also addressed in the review. As the EU and U.K. continue to work through an adequacy agreement, the Commission deemed a deal to be "essential" for cooperation on matters involving law enforcement and security.
"A high degree of convergence in data protection is an important element for ensuring a level playing field between two so closely integrated economies," the Commission wrote.
While there's work to be done, Jourová made clear that the GDPR and Europe's data protection regime have been "a compass to guide us through the digital transition," adding that the GDPR was essential to examining the privacy aspects of emerging technologies.
"Even though just two years have passed, we have come a long way," said Jourová. "There was panic about the GDPR and how it would be the end of the world. ... I have good news today: No doomsday was here. It never happened."