The EU’s General Data Protection Regulation is 18 months old, having come into force on 25 May 2018. In October 2019, the governments of 19 EU countries made submissions to the European Council in preparation for the first review (due after two and then four years). The submissions highlight some gaps in the legislation, with particular regard to cross-border cooperation and enforcement; in particular, getting non-EU companies to appoint a representative in the EU remains a challenge. Other points commonly raised relate to the monitoring of codes of conduct, and to the need for GDPR to retain a forward-looking view so that it does not stifle technological development. The EC’s review could result in the European Data Protection Board issuing new guidelines on the topics that need clarification, though it is unlikely the Commission will propose amendments of the Regulation itself for the time being. 18 months in, the GDPR has contributed to stronger awareness among citizens of issues related to data protection; however, the picture is more nuanced as to the actual impact it has had, with tech giants still largely carrying on as usual in their data collection practices, and small businesses not sufficiently shielded from the burden of the more prescriptive rules.
The scope of the review could end up being broader than envisaged
The document adopted by the European Council includes comments from 19 member states. These will feed into the review of the GDPR that the EC will have to prepare by 25 May 2020, which has to take into account the views of both Council and Parliament. The submissions vary in scope and detail across member states: some of them are very short and generic, others engage in specific detail on several aspects of the GDPR. It is also worth noting that the Council required member states to respond to three questions about: use of adequacy decisions by stakeholders in each country; independence and resources of the competent authorities; and effectiveness of the cooperation and consistency mechanism. However, a significant number of the 19 submissions do not address those questions: some responses are limited to generic comments on how a country sees the GDPR functioning until now; others (e.g. Germany, Netherlands) went at lengths in identifying aspects of the Regulation which require rethinking; in some cases (e.g. Denmark) comments are very limited, and not related to the questions asked by the Council. Nonetheless, it is possible to identify some common traits in the responses, which will likely inform the review process.
Firstly, it is likely that the review will end up having a broader scope than envisaged. While the law states that the EC has to focus its review on Chapters V and VII of the GDPR (related to transfers of personal data to third countries, and to the cooperation and consistency mechanism, respectively), member states’ submissions to the Council have shown their interest to go beyond those two chapters. In particular, Belgium, Germany, and the Netherlands have been explicit in demanding a broader review; and it is expected that a similar demand will come from the EU Parliament, whose view on the impact of the GDPR will also have to be taken into account.
Cross-border cooperation and enforcement have caused the biggest headaches so far
One common trait in the submissions of the 19 member states is that the application of the GDPR rules across borders, inside and outside the EU, still presents material challenges. The GDPR includes provisions for cooperation and consistency across member states, and applies to data controllers and processors even when they are not based in the EU, as long as they treat personal data of individuals based in the EU. Despite these provisions, member states have noted there are obstacles to the practical application of the rules. One example is the uncertainty arising when a data subject files an appeal in a country other than that of the ‘lead authority’ overseeing a case: as pointed out in Estonia’s submission, it is unclear whether the court decision would be binding on the lead authority. The Estonian submission also noted that supervisory authorities seemingly have no options against data controllers based outside the EU, if they fail to appoint a representative in the Union; other submissions echoed these remarks (Slovenia, Austria), and show that the application of the GDPR to companies outside the EU remains a practical challenge. For example, Austria proposed to empower DPAs or courts to designate a representative ex officio, at the controller’s cost.
Respondents also placed some emphasis on the need to clarify provisions around codes of conduct. For example, Bulgaria noted that it is unclear whether a company can sign up to more than one sectoral code of conduct, and whether a sector can have more than one code of conduct. To this end, the very definition of sector also needs clarification, as well as the relationship between controller and processor when they are signed up to different codes. Germany made a similar point; it called for the drafting of sector-specific codes to help consistency in the application throughout the EU, and for the publication of a central list of codes of conduct agreed with the supervisory authorities. The Netherlands also noted that a contradiction between the seemingly facultative monitoring of codes of conduct and the need to identify a ‘monitoring body’ for that purpose. Austria also made a similar remark, noting Art. 41 refers to ‘mandatory’ monitoring whereas Art. 40 says this ‘may’ be carried out by an accredited body. Finally, both the Netherlands and Poland stressed the importance of looking at future technologies, with particular focus on blockchain applications and the need to safeguard privacy without hindering technological development.
The review will likely result in more guidelines from the EDPB, rather than amendments to the Regulation
While many of the observations brought up by the 19 member states would suggest or require amendments to the GDPR, it is unlikely that the review will lead to amendments to the Regulation, for two reasons. Firstly, as some member states pointed out, the regulation has been in place for a little more than a year, and many countries have not yet adopted it fully enough to complete the implementation. As a result, views on the impact the GDPR has had so far are partial and incomplete, thereby not providing a full picture of the necessary changes. Secondly, any amendment to the Regulation would have to be subject to the same process through which the GDPR was adopted: the Commission would have to formulate a proposal; this would be discussed and amended by the EU Parliament and Council individually, and then be subject to the ‘trilogue negotiations’ between the three bodies before formal adoption. It is worth remembering that the EC’s first proposal of the GDPR dates back to 2012, and that it took four years to finalise the text resulting from the agreement of the institutions involved.
Instead, the review is more likely to inform the work of the EDPB, which could be required to clarify certain aspects of the Regulation, or to facilitate best practice, by issuing new guidelines and working documents. In their submissions, several states have already required the EDPB to issue new guidelines on a range of topics, and to publish practical cases of good and bad practice rather than solely relying on theoretical examples, as suggested in the response submitted by Czech Republic.