Second GDPR Report Highlights Progress and Challenges

 

On 25 July 2024, the European Commission published its second report on the application of the GDPR, in accordance with Article 97. The report highlights several achievements but also points out what is not going so well. Here is a condensed version.

Successes

  1. Increased Awareness and Rights Exercise: The GDPR has significantly raised public awareness about data protection, with many individuals now familiar with their rights and actively exercising them. This has been facilitated by effective public awareness campaigns, educational initiatives, and user-friendly digital tools developed by data protection authorities (DPAs).
  2. Strong Enforcement Actions: There has been a notable uptick in enforcement activities by DPAs, including substantial fines against large tech companies (around EUR 4.2 billion). This has led private companies to ‘take data protection seriously’ and helped to embed a culture of compliance.
  3. Enhanced Cooperation Between DPAs: The cooperation and consistency mechanisms under the GDPR have been increasingly utilized, with a rise in cross-border cases handled through mutual assistance and informal cooperation. The European Data Protection Board (EDPB) has played an important role in resolving disputes and ensuring consistent application of the GDPR.
  4. Use of GDPR Compliance Tools: Businesses have benefited from practical compliance tools such as standard contractual clauses (SCCs), codes of conduct, and certification mechanisms. These tools are particularly useful for SMEs and organizations lacking extensive resources.
  5. Development of Guidelines and Best Practices: The EDPB and DPAs have developed numerous guidelines to clarify various GDPR aspects, helping organizations understand and comply with their obligations. These guidelines have generally been well-received by stakeholders.
  6. Improved Resources for DPAs: Most DPAs have seen increases in staff and budget, enhancing their capacity to enforce the GDPR and carry out their tasks effectively.
  7. Positive Role of the EDPB: The EDPB has strengthened cooperation between DPAs and has been instrumental in ensuring the consistent application of the GDPR across member states.

 

Challenges and Recommendations

    1. Inconsistent Interpretation by DPAs: Divergent interpretations of key GDPR concepts by national DPAs lead to legal uncertainty and increased compliance costs. The Commission emphasizes the need for clearer, more actionable, and practical guidance from DPAs and the EDPB.
    2. Fragmented National Legislation: Fragmentation arises from national laws where member states have discretion, such as the age of consent and processing of sensitive data. The Commission advocates for better alignment and harmonization to minimize these inconsistencies. Member States must consult DPAs in a timely manner before adopting legislation on personal data processing, as such consultation is sometimes lacking or insufficient.
    3. Resource Limitations of DPAs: Many DPAs report inadequate human and financial resources, impacting their enforcement capabilities. The Commission calls for continued investment to ensure DPAs are adequately funded and staffed.
    4. Challenges for SMEs: SMEs face significant hurdles in achieving GDPR compliance due to limited expertise and perceived regulatory complexity. The Commission suggests intensifying support efforts, providing practical tools, templates, and tailored guidance for SMEs.
    5. Inefficient Handling of Cross-Border Cases: Procedural differences across member states lead to inefficiencies in handling cross-border cases. The Commission has proposed a Regulation on procedural rules to harmonize these aspects and support timely investigations and remedies.
    6. Streamlining Approval Processes for Compliance Tools: The approval processes for codes of conduct, certifications, and SCCs are often slow and complex. The Commission highlights the need for clearer timelines and more active engagement by DPAs to encourage the development and adoption of these tools.
    7. Data Protection Officers (DPOs): DPOs play a critical role in ensuring GDPR compliance within organizations. While many DPOs possess the necessary knowledge and skills, challenges remain, such as (i) difficulty appointing qualified DPOs, (ii) lack of EU-wide training standards, (iii) poor integration of DPOs, (iv) insufficient resources, (v) non-data-protection tasks, and (vi) low seniority. The Commission recommends enhanced enforcement and clearer guidelines for DPOs, emphasizing the need for their adequate integration into organizational processes and ensuring they have sufficient resources and authority to fulfill their duties effectively.
    8. Coordination with Other EU Policies: The GDPR is increasingly integrated with other EU digital policies, such as the Digital Services Act, Digital Markets Act, and the AI Act, to ensure a cohesive regulatory environment for data protection and digital services. These policies build on the GDPR framework to address specific issues like online advertising, AI applications, and platform work, ensuring a comprehensive approach to digital regulation. This requires that regulators cooperate to ensure efficient enforcement, with ‘pay or OK’ models cited as an example.
    9. Engagement with Stakeholders: Constructive engagement between DPAs and stakeholders, including businesses and civil society, is critical. The report notes varying levels of responsiveness from DPAs and recommends improved communication and clarity. Enhanced stakeholder engagement will ensure that compliance measures are practical and well-understood, fostering a cooperative regulatory environment.
    10. More Guidelines Needed: The report calls for more guidance on processing data for scientific research, balancing data protection with fostering innovation and public health research. The Commission encourages the adoption of clear guidelines to clarify roles and responsibilities, facilitating research while ensuring robust data protection.
    11. Enhanced Transparency and Participation: The Commission recommends increased transparency in the development of guidelines and policies, with early-stage consultations to better understand market dynamics and practical applications. This approach aims to create more practical and understandable guidelines, especially for non-legal professionals in SMEs and voluntary organizations.

Find it here.
