The Commission maintains the Regulation is generally working, but has found room for improvement in cooperation between countries.
The Regulation has been generally successful: On 24 June 2020, the EC published its first review of the GDPR. The EC has taken the view that the GDPR has met most of its intended objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage.
Coordination across countries remains a pain point: The report recognises that there is room for improvement in the way the consistency mechanism works. National authorities are still in the process of developing a truly common European data protection culture, and have not yet made full use of the tools the GDPR provides, such as joint investigations. The report notes that finding a common approach meant at times moving to the lowest common denominator, which resulted in missed opportunities to foster more harmonisation.
More staff needed? Member States are required to give authorities adequate staff and resources, however the report concludes the situation here is still too fragmented and unsatisfactory. Between 2016 and 2019, there has been a 42% increase in staff and 49% in budget for DPAs across the EEA; nonetheless, the EC found the situation to be too uneven, especially for those acting as lead authorities in important cases involving large companies.
The EC will carry out reviews every four years: Article 97 of the General Data Protection Regulation (GDPR) which came into effect in May 2018, included a provision requiring the EC to review the regulation after two years, and then every four years thereafter. The reviews will focus mainly on the transfer of personal data to third countries or international organisations, and on the mechanism for cooperation and consistency across EU member states.