Since 25 May, 2018, the General Data Protection Regulation (GDPR) has been providing unified rules for data processing, requiring wider protection for the rights and interests of data subjects, and establishing important guidelines around the flow of information in the European Union. One year later, the first “anniversary” of the GDPR offered an exceptional opportunity to assess past achievement and to set goals for the future that were summarized in the communication from the European Commission to the European Parliament titled “Data protection rules as a trust-enabler in the EU and beyond – taking stock.” The report shows that, despite being described as a giant leap to the unknown, measures taken by the relevant stakeholders ensure the success of the new regulation.
The document focuses on legal framework, data protection governance systems, data subjects, controllers and international flow of personal data. Generally, the Commission concludes that the application of the GDPR should be considered successful in many areas, because many objectives set by the European legislators have been achieved. This success extends beyond the borders of Europe since the regulation has a global impact. On the other hand, as pointed out by the Commission, there are still aspects of the GDPR that need further action from the stakeholders.
Besides being a legal act, the GDPR is an instrument fostering a European “data protection culture.” Application of and compliance with the GDPR requires actions from all actors involved, such as legislators, supervisory authorities, data subjects and controllers. Adoption of the relevant measures were intended to change their cultures and behaviors. So those stakeholders were invited to contribute to the process of establishing the practices surrounding GDPR through public commenting or working with various authorities such as the European Data Protection Board.
For instance, parliaments and other regulatory bodies carried out the revision of the current legal framework, and, as a result, several laws have been adopted, amended or repealed. Most supervisory authorities have successfully adopted the necessary measures to effectively exercise their competences provided by the GDPR. Furthermore, the European Data Protection Board, as a platform of cooperation for these authorities, and the European Court of Justice, traditionally interpreting European law, provide guidance in order to achieve a more harmonized practice.
Meanwhile, data subjects and controllers have become more aware of the rules regarding data processing. Individuals are more mindful of controlling their personal data; thus, they exercise the rights provided by the GDPR more effectively than ever. On the other hand, controllers had to revise their activities, and to make the necessary modifications in order to comply with the new provisions.
The regulation provides unified rules for the proper flow of information within, from and into the European Economic Area. Instruments such as adequacy decisions or standard contractual clauses have been successfully applied in the past as well as under the GDPR. On the other hand, new institutions – e.g. certifications or codes of conduct – have been regulated to further ease trans-border transfer of personal data and to provide wide protection to data subjects. Furthermore, from the US through the Middle East to the Far East, many countries have adopted measures in order to harmonize their data privacy legislations with the GDPR, sometimes adapting to the new regime of data protection, sometimes even copying certain solutions or institutions. Thus, the impact of the regulation may be felt beyond the borders of the EU.
On the other hand, there are certain areas where the objectives of the GDPR have yet to be achieved. For instance, supervisory authorities should exploit all opportunities provided by the new regulation, especially in the field of cooperation. In a unified European area of data protection, the interactions and cooperation between these institutions, such as joint investigations or mutual assistance procedures, are inevitable but have not yet taken hold. The sanctioning system introduced by the GDPR, especially the system of fines, needs to be further harmonized. Since last fall, there is a growing number of cases in which supervisory authorities imposed so-called “GDPR fines.” Contrary to the intent of the GDPR, the amounts of these fines significantly vary among the member states. Therefore, efforts should be taken to ensure that violations of the GDPR will result in the same sanctions everywhere across the member states, otherwise so-called “forum shopping” might occur. Furthermore, international flow of personal data should be further considered. Certification schemes or codes of conduct may serve as useful instrument for facilitating trans-border data flows. Yet, the application of these tools on a national as well as European level lags other provisions of the GDPR. Finally, legal harmonization of GDPR and the adoption of new laws needs to be continued, such with the ePrivacy Regulation, which requires further revision of the legislative framework.
One might ask whether the GDPR is a success? Although it has only been applied a little more than a year, the GDPR has already made a great impact on almost all aspects of our lives, activating different stakeholders and providing wider protection to data subjects. Thus, as an instrument fostering a European “data protection culture,” the regulation is highly successful. On the other hand, deficiencies defined by the Commission in the communication may and – hopefully will be – resolved in the near future. And since the document is only the first one in the line of reports on the implementation of the GDPR, count on the progress of further harmonization being continuously monitored.