Multistakeholder Expert Group’s Report on GDPR Application

The Multistakeholder Expert Group to the European Commission, established in 2017, published a detailed report on 10 June 2024, evaluating the application of the General Data Protection Regulation (GDPR). This group assists the Commission by identifying challenges and providing advice on GDPR implementation from various stakeholders’ perspectives, including businesses, civil society, and individual experts.

Key Findings:

  1. Positive Developments:
    • Increased data protection compliance and awareness.
    • Enhanced control over personal data for individuals.
    • Global adoption of GDPR principles, benefiting European companies.

  2. Ongoing Challenges:
    • Legal Fragmentation: Despite attempts at harmonization, inconsistencies in GDPR interpretation by Data Protection Authorities (DPAs) lead to legal uncertainties. This affects sectors like healthcare and pharmaceuticals.
    • Specific Provisions: Issues with data minimization, storage limitation, and the use of compliance tools such as codes of conduct and certifications. Protection of minors’ data remains inadequate.
    • SME Challenges: High compliance costs, fear of sanctions, and a need for simplified rules and practical guidance tailored for SMEs.

  3. Data Subjects’ Rights:
    • Rights such as access and erasure are the most exercised. However, there are difficulties in quantifying the exercise of these rights and ensuring transparency from controllers.
    • Business sectors report burdens in responding to data subject requests, highlighting the need for pragmatic approaches and increased awareness of rights limitations.

  4. Automation and Competition: Concerns were raised that exercising the right not to be subject to automated decision-making may reveal sensitive information, potentially jeopardizing business secrets and raising competition issues.

  5. Data Portability: The lack of awareness of data portability rights is attributed to the absence of standardized data formats and concerns over potentially affecting the rights and freedoms of others when porting data.

  6. Transparency Obligations: Many organizations struggle with compliance, often using vague or overcomplicated terms not aligned with GDPR requirements, impacting overall transparency.

  7. Interplay with Other Regulations:
    • AML and PSD2: There are significant concerns about the GDPR’s application alongside other regulations like anti-money laundering obligations and the Payment Services Directive.
    • Standard Contractual Clauses (SCCs): Adoption issues for data transfers outside the EU persist due to legal ambiguities and conflicting national DPA advice, complicating cross-border data transfers.

  8. Enforcement Issues: In cross-border cases, lack of coordination between DPAs and differences in national procedures result in slow, inconsistent decisions, hampering effective GDPR enforcement.

Recommendations:

  • Harmonization: Improve consistency in GDPR application across member states to reduce fragmentation.
  • Support for SMEs: Develop practical tools, templates, and tailored guidance to assist SMEs in compliance.
  • Enhanced DPA Interaction: Foster better engagement between DPAs and stakeholders to ensure guidelines are practical and timely.
  • Global Engagement: Continue working with international partners to adopt GDPR principles and facilitate cross-border data flows.

The report underscores the importance of maintaining GDPR’s core principles while addressing practical challenges to ensure its effective application across diverse sectors and regions.

👉 Read the full report here.
