If you were asked which of the 99 Articles of the EU General Data Protection Regulation is having the greatest impact on privacy and data protection, which one might you choose? Certainly, Article 3 on territorial scope would be a good choice. Article 6 on lawfulness of processing would also be a strong pick. A case could also be made for any of the articles in Chapter 3 on rights of the data subject.

I might actually consider one of the GDPR’s final provisions, Article 97, as perhaps the most consequential for the future of privacy and data protection in Europe and around the world. This article has already prompted member states, supervisory authorities and other European institutions to deeply reflect upon the problems, obstacles and hindrances to the GDPR’s implementation and share and discuss their observations and experiences with its application since it came into force last year.

So, where do things stand in the Article 97 process to date? Let's focus on comments recently submitted by member state delegations regarding their ongoing review and evaluation of the GDPR.

Preparing for the GDPR’s Article 97 review

Article 97 instructs the European Commission, by May 25, 2020, and once again every four years thereafter, to “submit a report on the evaluation and review of this Regulation to the European Parliament and the Council.” At a minimum, these reports should examine “the application and functioning” of Chapter 4 on transfers of personal data to third countries or international organizations and Chapter 7 on cooperation and consistency mechanisms. What makes this review process so critical is that it may serve as an impetus for the commission to “submit appropriate proposals to amend” the GDPR.

European authorities have already begun preparing for their first review of the application of the GDPR. Back in July, the Finnish Presidency issued a note to the delegations that contained a plan for its preparation of the European Council’s position on the GDPR evaluation. In particular, the presidency “welcome[d] all observations from the delegations with respect to the review and evaluation of the GDPR.” Following the Sept. 3 DAPIX Working Party meeting, which brought together experts from each member state, delegations were asked to submit in writing their observations on the experiences obtained from the application of the GDPR, along with their initial positions on and recommendations for items to be included in the council’s report. Most recently, on Oct. 9, the council released a note to the delegations containing such comments from 19 member states.

The following sections highlight some of the key issues raised in the comments made by member state delegations about the GDPR. It focuses on areas where they have seen conflict arise, questions around which they would like greater clarity, and recommendations for what they believe should be done to address these issues.

It is also worth noting that some member states insisted that the review not be limited to the two topics mentioned in Article 97(2) (personal data transfers and cooperation/consistency), while others maintained that it is still too early to draw conclusions for a review of the GDPR.

Areas of confusion, inconsistency and fragmentation

For most, implementing the GDPR has been anything but simple, easy or straightforward. Along these lines, multiple member states submitted comments pointing to the uncertainty, confusion and fragmentation that persists around the GDPR’s application. For its part, Germany admitted that “some businesses and government agencies have said they feel overwhelmed following the GDPR’s entry into application,” while “[s]ome users have felt considerable uncertainty [and] been very confused” by seemingly new instruments created by the GDPR, such as records of processing activities and data protection officers.

To alleviate some of these ambiguities, the Czech Republic suggested that real cases of best practice, as well as cases of bad practice, could be published online for the benefit of other member states. It pointed to several issues in which best practices are needed, including conflict of interests of DPOs, professional qualifications of DPOs, the roles of controller and processor, transparency obligations to data subjects where data has been obtained from public sources, and additional identification pursuant to Article 11.

One of the biggest areas in which fragmentation has affected GDPR implementation has been in the protection of children’s data. Namely, Ireland described the GDPR’s approach to the protection of children as “fragmented and disjointed.” While references to protections for children can be found in various recitals (38, 58, 65, 71, and 75) and articles (6.1(f), 8, 12, 40, and 57), they are like “a jigsaw puzzle” and “do not provide a coherent picture.” France also pointed out that children’s consent in Article 8, which leaves discretion to member states regarding the age of consent of minors, “is likely to cause implementation difficulties” and that assessing whether this needs to be revised should be a priority. In a similar vein, the Netherlands pushed for “only one uniform age of consent” to apply throughout the entire EU, as the current situation “leads to a problematic lack of legal certainty for all parties concerned; parents, children and controllers alike.”

Furthermore, the Czech Republic noted that, if the European Data Protection Board were to issue its own, even non-exhaustive, list of processing operations subject to or exempted from impact assessments, it would “contribute to much more uniform and consistent application of the GDPR.” Germany also urged DPAs to harmonize their practice of interpretation more closely regarding risky processing operations and data protection impact assessments.

Supervisory authorities

Member states made numerous comments about the effectiveness of and expectations placed upon supervisory authorities. On the bright side, member states drew attention to the effectiveness of the cooperation efforts between SAs. Latvia, for example, noted that several complaints by data subjects have been resolved successfully through the cooperation of the Latvian and Lithuanian SAs.

Others, meanwhile, focused on the shortcomings in the work done by SAs. For example, Germany noted that businesses would like “faster and more concrete assistance from the data protection authorities,” while “[d]ata subjects would like more advice and faster processing of their requests.” Germany also asked for transparent criteria for SAs regarding the issuance of fines “in order to ensure comparability and uniform enforcement.” France called for “national disparities which hinder cooperation for supervisory authorities” to be “examined and removed.” Lithuania raised a question as to whether an appeal judgment in a national court in one jurisdiction would be legally binding on the lead SA in another jurisdiction.

Finding that a large number of data subjects make complaints to SAs after they are notified of a data breach via Article 33, Bulgaria stated that “difficulties arise in handling complaints on the same issue.” Bulgaria noted that “the obligation to handle complaints [vis-à-vis Article 77] itself obstructs the work of the data protection authority.” Bulgaria also noted that while Article 57, Paragraph 4 considered the excessiveness of a request to the SA is hinged on the repetitiveness of requests arising from a single data subject, it does not consider excessiveness in the sense of “multiple identical requests made by a large number of data subjects … regarding the same case.” Germany also pointed out that “data protection authorities are most likely overwhelmed by the massive volume of reports” in accordance with Article 33, of which there were 89,000 in the EU by April 2019.

Transfers of personal data

Most member states that commented on adequacy decisions offered positive reflections. Yet, a common criticism was that they “remain underused.”

To address this problem, Germany urged the commission to “keep up its efforts to bring about additional adequacy decisions and to expand the existing ones to additional areas and sectors.” The Netherlands submitted a list of countries, suggested by Dutch trade organizations, as potential future candidates for an adequacy finding. These included Singapore, Colombia, Mexico, South Africa, Serbia and Dubai International Financial Centre, as well as all countries that have ratified and implemented the modernized Convention 108+.

Regarding codes of conduct, Belgium explained that “there is a clear interest from various stakeholders to make use” of them, but there is a reluctance to do so “due to a lack of clear guidelines.” Bulgaria referred to codes of conduct as “an extremely useful and practically oriented voluntary accountability tool” but one that is “widely regarded as a form of indulgence that impedes the powers of the supervisory authority.” The Netherlands cast doubt on the validity of the interpretation of codes of conduct provided in the EDPB’s recently adopted guidelines, arguing that the text of the GDPR should be clarified on this topic. In addition, the Netherlands stated that the institution of a monitoring body for codes of conduct should be optional, as it would likely act as a disincentive by introducing additional costs into the process.

Lithuania remarked that Recital 81 states standard contractual clauses may be adopted by SAs only after approval by the commission, a situation that “creates legal uncertainty as to the mandatory nature of such procedure.” To remedy this, Lithuania recommended to consider whether this power of the commission be explicitly included in Article 28(8).

Finally, on binding corporate rules, “while a useful and necessary subsidiary mechanism,” Belgium argued that their use “also runs counter to the harmonization objectives of the GDPR.”

What’s next?

To recap, Article 97(4) of the GDPR requires the commission to “take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources” while conducting its evaluation and review of the GDPR. In particular, the Council expects the Commission to request information from the Member States on three issues:

• the use of adequacy decisions;
• the independence and resources of DPAs, including about “their capacity to exercise their powers provided by the GDPR and to comply with their obligations in the context [of] the cooperation and consistency mechanisms”; and
• verification of the effectiveness of the “coherent interpretation and application of the GDPR throughout the EU by the cooperation and consistency mechanism provided by the GDPR.”

So, what are the next steps for the first Article 97 evaluation and review of the GDPR?

For starters, the DAPIX meeting scheduled for Oct. 21 will allow the delegations to discuss a draft report that lays out the observations on the GDPR made by the member states. The Finnish Presidency aims to adopt the final version of the report, in the form of an outcome of the proceedings, by the end of the year.

Whether substantive amendments to the GDPR will result from this review process remains to be seen, but it should not be ruled out. Indeed, several developments in information technology and information society — including growth in the data power of large tech companies, big data analytics and profiling, the potential for price discrimination, and blockchain applications — could pose a future challenge to the law. As the Netherlands put it direly, if the EU waits for these developments to materialize before amending the GDPR, “there is a risk that the proverbial genie will be out of the bottle and these amendment[s] will turn out to be too little, too late.”

Above all, what these comments illustrate is that the GDPR is anything but settled law. For privacy professionals, it will be important to follow the Article 97 process until May 25, 2020, as the commission prepares its first report on the evaluation and review of the GDPR.

Photo by Christian Wiediger on Unsplash