In a follow-up report to the general regulation on the protection of personal data two years after its implementation, the European Commission highlights a number of necessary improvements. Harmonization of treatments, fight against fragmentation, better support for SMEs and more effective international cooperation are on the table.
The date of May 25, 2018 still resonates a lot in the heads of CIOs, RSSIs, DPOs and directorates-general, the day of entry into force of the GDPR. However, the need for compliance to ensure the protection of personal data everywhere in Europe has not necessarily been taken into account among all the public and private organizations concerned. While since 2018, 114 million euros in fines have been imposed, implementation difficulties have been pointed out by decision-makers, which is not without facilitating the situation. However, the GDPR is not frozen; both on the side of the companies which must apply it – it is by no means a project with a definite deadline but which is more a matter of substantive long-term work – than of the institutions carrying the regulations.
In a context where 69% of the EU population over the age of 16 have heard of the GDPR and 71% of EU citizens know their national data protection authority, a latest report from the European Commission underlines the efforts to be made to change the regulation. “The general opinion is that two years after its entry into force, the GDPR has successfully achieved its objectives of strengthening the protection of the right to the protection of personal data and guaranteeing the free movement of personal data within the UE23. However, a number of future improvements have also been identified, “said the Commission.
Towards better support for SMEs
If major accounts have been able to deploy resources to jump into the GDPR compliance train – when this was not already done -, more modest structures such as SMEs have often found themselves at the bottom of the wall. The Commission considers that it is not possible to adopt derogations depending on the size of the companies, it recognizes that actions must be taken. “Several data protection authorities have provided practical tools to facilitate the implementation of the GDPR by SMEs with low processing risk. These efforts should be intensified and generalized, preferably in a common European approach so as not to create obstacles to the single market, “says the Commission. “Data protection authorities have developed a number of activities to help SMEs comply with the GDPR, for example by providing contract processing models and registers of processing activities, seminars and hotlines for consultation. A number of these initiatives have received funding from the EU50. Other activities should be envisaged to facilitate the application of the GDPR to SMEs ”.
However, the laws of the Member States follow different approaches when implementing derogations from the general prohibition to process particular categories of data, with regard to the level of specification and the guarantees, including for health and research purposes. To resolve this problem, the Commission will first establish the different approaches of the Member States and will support, in a next step, the establishment of codes of conduct which would contribute to an approach in this area and facilitate cross-border data processing. personal. In addition, future Council guidelines on the use of personal data in scientific research will contribute to a harmonized approach.
International coordination to be taken up a notch
Better coordination of resources at European level, in particular from the point of view of procedures relating to the processing of complaints relating to personal data, is also in sight. “Further progress is needed to make the processing of cross-border cases more efficient and harmonized across the EU, including from a procedural point of view, for example on issues such as complaint handling procedures, criteria for admissibility of complaints, the length of the proceedings due to different deadlines or the absence of deadlines in national administrative law, the time of the procedure where the right to be heard is granted, or the information and participation of the complainants during of the procedure ”, one can read in the report. On this point, the Commission urges its members to limit the use of specification clauses likely to create fragmentation and compromise the free movement of data.
Another important aspect of the international dimension of EU data protection rules relates to the extensive territorial scope of the GDPR, which also covers the processing activities of foreign operators active in the EU market. “To ensure effective compliance with the GDPR and a level playing field, it is essential that this extension is appropriately reflected in the coercive measures taken by data protection authorities,” says the Commission. “In particular, they should involve, where appropriate, the head of the representative within the EU, who can be contacted in addition or to companies based outside the EU. This approach should be pursued more vigorously in order to send a clear message that the absence of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR. “
Facilitate exchanges within the framework of the right to portability
Among the other avenues for improvement envisaged by the Commission is the creation of appropriate tools with standardized interfaces and formats whose reading can be automated to facilitate exchanges between suppliers in the context of the right to portability. “Increased use of the right to portability could, among other things, allow individuals to use their data for the public good if they wish,” the Commission said without further details. Or even set up conditions for members to agree on the age of consent of children to assert their data protection rights. “At a time when privacy concerns or data security incidents affect large numbers of people simultaneously in multiple jurisdictions, cooperation on the ground between European and international regulators should be further strengthened. In particular, this requires the establishment of appropriate legal instruments, closer forms of cooperation and mutual assistance, including allowing the exchange of information necessary for investigations. “