The European Union admits small- and medium-sized companies have struggled to comply with the General Data Protection Regulation (GDPR), and that there is still a lack of harmonization across the bloc about how the privacy legislation is applied.
In its first evaluation report published Wednesday, the European Commission—the EU’s executive body—says the GDPR is an “overall success” that “has met most of its objectives” by “offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.” But it adds that while harmonization across member states is “increasing,” there is still “a certain level of fragmentation that must be continually monitored.”
Commissioner for Justice Didier Reynders said in a press release that “we can do better … we need more uniformity in the application of the rules across the Union.”
Věra Jourová, the Commission’s vice-president for values and transparency, added that “we all must continue … to make GDPR live up to its full potential.”
The Commission says it would be “premature to draw definite conclusions as to the application of the GDPR and to provide for proposals for its revision.” Instead, it will monitor progress in close cooperation with member states and the European Data Protection Board (EDPB), the EU body charged with ensuring the GDPR is applied consistently by national data protection authorities.
The next GDPR evaluation report is not due until 2024.
EU issues warning to U.K. over data transfers
The United Kingdom will be expected to retain the same levels of data protection as set out under the General Data Protection Regulation (GDPR) if it agrees to a Brexit deal with the European Union, European Commissioner for Justice Didier Reynders said Wednesday.
“When it comes to transfer with a member that is leaving us—the United Kingdom—we want to make sure that in any Brexit agreement there is the proper application of the rules of the GDPR,” said Reynders.
The EU’s warning is at odds with U.K. Prime Minister Boris Johnson’s statement to Parliament in February that the United Kingdom would “develop separate and independent policies” in the area of data protection, as well as on borders, competition, and subsidies.
The report outlines several areas where the GDPR, and its enforcement, might be falling short. One such concern is that data protection authorities’ budgets and levels of in-house expertise are insufficient.
While national data regulators have collectively increased staff numbers by 42 percent and their budgets by 49 percent between 2016 and 2019, the Commission acknowledges there are still “stark differences” between member states, with much of that spending and resource allocation taking place in larger EU countries (Germany, France, and the United Kingdom, for example) and those that are home to the world’s largest tech firms—Ireland (Twitter, Google, Microsoft, Apple, and Facebook) and Luxembourg (Amazon).
According to a report published last month by Brave, the company behind a privacy-focused web browser, half of the EU’s data protection authorities still have annual budgets of under €5 million (U.S. $5.6 million). Three—Estonia, Malta, and Cyprus—have budgets of less than €1 million (U.S. $1.1 million). Worse still, some EU countries have made cuts: Portugal, for example, reduced the budget of its data protection authority by €203,000 (U.S. $229,000) between 2018 and 2020.
Brave’s report also found a dire lack of in-house technical expertise for handling data protection cases. For example, only six of Europe’s 28 national data protection authorities have more than 10 technology specialists (Germany, Spain, France, the United Kingdom, Ireland, and Greece), while seven authorities have two or fewer.
Meanwhile, the Commission report says there is “room for improvement” in the way national data protection authorities work together—for example, through joint operations that could lead to joint investigations—and that a “more cohesive approach” is needed to foster greater harmonization, as efforts so far have fallen short.
It says it is “essential” to ensure guidance provided at national level is fully consistent with guidelines adopted by the EDPB. The Commission adds that while many final decisions have been agreed through the EDPB, neither the dispute resolution procedure nor the urgency procedure has yet been triggered, so there is little clarity about how these tools could be, or should be, used in practice.
The report puts these problems down to differences in national administrative procedures; varying interpretations of concepts relating to the cooperation mechanism; and varying approaches regarding the start of the cooperation procedure, as well as the timing and communication of information.
However, not everyone is a fan of the tools available under the GDPR. The so-called “one stop shop” arrangement, under which a company processing data across borders answers to a single lead supervisory authority (the data protection authority of the member state where the company has its main European establishment), has been roundly criticized by privacy groups, industry bodies, and even some EU data commissioners. Critics say it risks slowing down investigations as the lead authority struggles to keep up with complaints, and that it largely concentrates enforcement against Big Tech firms in the hands of one regulator (Ireland).
Indeed, slow progress in certain investigations has prompted some countries to take matters into their own hands. While Google has its European headquarters in Ireland (and is subject to two ongoing GDPR-related investigations there), both of its GDPR fines so far have been handed down by other countries: France’s CNIL fined Google €50 million (U.S. $57 million) in January 2019, while the Swedish Data Protection Authority fined the company 75 million Swedish kronor (U.S. $7.6 million) in March this year.