Digital Law Up(to)date: A first evaluation of the GDPR two years after implementation

On 24 June 2020, the European Commission adopted a communication to the European Parliament and the Council on “Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation” (COM(2020)0264). Then months later, on 25 March 2021, the European Parliament, in turn, adopts a resolution on the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application (2020/2717(RSP)). Recently published in the Official Journal (on 8 December 2021), here are some interesting points in this resolution.

General observations. The European Parliament notes that the GDPR has made the European Union a key global player in terms of personal data protection and that this text is a real success. Like the Commission, it considers that there is no need at this stage to update or review this regulation.

Legal basis for processing. Practice shows that data controllers often mention several (or even all) legal basis for a processing: the Parliament recalls that a clear choice must be made. However, a combination of legal basis is necessary in the case of processing of special categories of data: there must be a basis under Article 9 and another basis under Article 6. In addition, the Parliament is concerned that ‘legitimate interest’ is very often abusively mentioned, without conducting the required test of the balance of interests.

Small businesses and organisations. Yes, the implementation of GDPR has been difficult for smaller businesses and organisations. However, the European Parliament points out that there is no derogation in the GDPR for such SMEs. It calls on the European Data Protection Board (“EDPB”) to provide clear guidelines to help SMEs in this implementation. 

Enforcement. The Parliament points to several problems: the uneven and sometimes non-existent enforcement of the GDPR by national DPAs, the different interpretation of the GDPR by the Members States and the EDPB, a follow up of a very small share of submitted complaints, the significant variation of the he amount of the fines across Member States, the too low amounts of the fines issued to large companies. It calls on the Commission and the EDPB to harmonise penalties by means of guidelines. Another concern directly related to the enforcement of the GDPR is the absence of necessary human, technical, financial and structural resources of the national Data Protection Authorities. 

Fragmentation of GDPR implementation. The Parliament deplores the fact that the Member States’ use of the facultative specification clauses has been detrimental to the achievement of full data protection harmonisation. 

International personal data flows and cooperation. The parliamentarians stress that adequacy decisions should not be political but legal decisions. They call on the Commission to be totally transparent by publishing the set of criteria used in determining whether a third country is deemed to provide an ‘essentially equivalent’ level of protection to that afforded in the EU. They also take note of the recent developments proposed by the Court of Justice of the European Union (case law Schrems I, Schrems II, Privacy International) and of the recent adequacy decisions of the Commission. 

Future Union legislation. The European Commission recently launched several legislative initiatives (data governance, artificial intelligence, digital services act, data act, etc.). It is crucial to check whether these texts must always fully comply with the GDPR. In this respect, it considers that the adoption of the new ePrivacy Regulation has become urgent as this new text complements and particularises the GDPR.

This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.