Almost one year after the entry into force of the General Data Protection Regulation, the European Commission today published a report in which it examines the impact of the EU data protection rules and outlines how implementation can be further improved. The report shows that most Member States have put in place the necessary legal framework and that the new system for strengthening data protection rules is taking effect. Companies are developing a culture of law-abidingness, while citizens are becoming more aware of their stronger rights. At the same time, the trend at the international level continues toward higher data protection standards.

First Vice-President of the Commission, Frans Timmermans, commented: “The European Union is committed to remaining at the forefront of privacy protection in the age of digital transformation and to seizing the many employment and innovation opportunities that come with this change. Data is invaluable to a thriving digital economy and plays an increasingly important role in the development of innovative systems and machine learning. For us, it is extremely important to shape the global environment for the development of the technological revolution and to use it wisely while fully respecting the rights of individuals.”

Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, added: “The General Data Protection Regulation is bearing fruit. It gives Europeans strong tools to meet the challenges of digitization and take control of their personal data. The General Data Protection Regulation opens up opportunities for companies to make the most of the digital revolution, while at the same time building trust. It opens up opportunities for digital diplomacy beyond Europe, promoting data traffic based on high standards between those countries that share the EU’s values. But work must continue to ensure that the new data protection rules are fully in place and effective.”

The GDPR is making EU citizens increasingly aware of data protection rules and of their rights, according to the results of the Eurobarometer survey published in May 2019. However, only 20% of Europeans know which authority is responsible for protecting their data. This is why the European Commission launched a new campaign this summer to ensure that people in Europe also read the privacy statements and optimize their privacy settings.

The new data protection regulations have achieved many of the goals they were intended to achieve. In addition, the Commission’s Communication provides for concrete steps to improve these rules and their application:

• One continent, one law: Today, all Member States – apart from Greece, Portugal and Slovenia – have updated their national data protection legislation in line with EU rules. The Commission will keep Member States’ legislation under review. This ensures that the Member States act in accordance with the Regulation when concretizing the GDPR in national law and that there is no overregulation (“gold-plating”) in national legislation. If necessary, the Commission will not hesitate to use the instruments at its disposal (e.g. infringement procedures) to ensure that the rules are correctly transposed and applied by the Member States.

• Companies are adapting their practices: Compliance with the regulation has helped companies increase the security of their data and use data protection as a competitive advantage. To this end, the Commission will support the GDPR toolkit for businesses, including standard contractual clauses, codes of conduct and a new certification mechanism. In addition, the Commission will continue to assist SMEs in the application of the rules.

• Strengthening the role of data protection authorities: The GDPR has given national data protection authorities more powers to enforce the rules. In the first year, national data protection authorities have effectively used these new powers as needed. They also work more closely with the European Data Protection Board. As of the end of June 2019, 516 cross-border cases have been processed under the cooperation mechanism. The Board should strengthen its leadership role and continue to build an EU-wide data protection culture. In addition, the Commission encourages national data protection authorities to combine their efforts, for example by conducting joint investigations. The European Commission will continue to provide financial support to national data protection authorities in their public relations work.

• EU rules as a reference for stricter data protection standards worldwide: More and more countries around the world are adopting modern data protection regulations, using EU data protection standards as a reference. This so-called upward convergence opens up new possibilities for secure data traffic between the EU and third countries. The Commission will intensify its discussions on the adequacy of the level of protection, including in the area of law enforcement. Specifically, it intends to conclude the negotiations underway with the Republic of Korea in the coming months. Beyond the question of adequacy, the Commission would like to explore the possibilities of building a multilateral legal framework for trust-based data sharing.

Next steps

Under the General Data Protection Regulation, the Commission will present an implementation report in 2020 and, after two years of application, assess the progress made, including in the review of the eleven adequacy decisions adopted under the 1995 Directive.

Background

The General Data Protection Regulation is a single set of rules based on a common EU-wide approach to the protection of personal data and is directly applicable in the Member States. It strengthens trust by giving individuals back control over their personal data while guaranteeing the free flow of personal data between EU member states. The protection of personal data is a fundamental right in the European Union.

The General Data Protection Regulation has been in force since May 25, 2018. Since then, almost all member states have adapted their national legislation to the General Data Protection Regulation. National data protection authorities are responsible for enforcing the new rules and are better coordinating their actions through new cooperation mechanisms and the European Data Protection Board. They produce guidance on key aspects of the General Data Protection Regulation to support the implementation of the new rules.