The GDPR, which came into force in 2018, was the biggest shake-up of data privacy in 20 years.
Its introduction also followed claims that the political consultancy Cambridge Analytica used data harvested from millions of Facebook users without their consent.
On Wednesday, the Commission published a keenly awaited report to mark the second anniversary, saying that GDPR “has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.”
The executive says GDPR has “proved to be flexible to support digital solutions in unforeseen circumstances such as the COVID-19 crisis.”
The Commission warns, however, that the GDPR “should not be abused to curtail press freedom.”
“GDPR has proved to be flexible to support digital solutions in unforeseen circumstances such as the COVID-19 crisis” European Commission
The two-year review is mostly favourable, saying that citizens are “more empowered” and aware of their rights. It claims that 69 percent of the population above the age of 16 in the EU have heard about the GDPR and 71 percent have heard about their national data protection authority.
The report says that data protection authorities are making use of their stronger corrective powers, adding that there has been a 42 percent increase in staff and 49 percent increase in budget for all national data protection authorities in the EU between 2016 and 2019.
Data protection authorities, adds the report, are working more closely together now but also concedes that “there is room for improvement.”
Reacting to the report, Greens MEP Alexandra Geese told this website, “The rules for the protection of our personal data have proven to be a global gold standard and are an indispensable basis for a fundamental rights-based development of future technologies such as artificial intelligence or a strategy for pooling health data.”
The German member added, “We welcome that the Commission is acknowledging that there is room for improvement in the enforcement of GDPR. We must now finally ensure that the Member State authorities are adequately funded. GDPR must be applied consistently, especially vis-a-vis major internet platforms.”
Geese, a member of Parliament’s Committee on the Internal Market and Consumer Protection continued, “ When it comes to the ad-tech industry, and in particular targeted advertising that makes use of large amounts of data on private users, data protection rules are systematically violated.”
“The rules for the protection of our personal data have proven to be a global gold standard and are an indispensable basis for a fundamental rights-based development of future technologies such as artificial intelligence or a strategy for pooling health data” Alexandra Geese MEP
“We call for strong and consistent action here. It is unacceptable that the local football club has to follow the rules meticulously, while the giants of the net are often off the hook.”
Further reaction to the Commission’s report came from Estelle Massé, a senior policy analyst at Access Now, a non-profit group set up to defend the “digital rights” of people and which is also a member of the Commission’s multi-stakeholder expert group on the implementation of GDPR.
Access Now says many of the findings and proposals highlighted by the Commission are in line with its own recommendations.
“First, the Commission’s report finds that while the GDPR strengthens people’s rights, the enforcement of the law could be improved,” said Masse.
Massé recalls that GDPR faced “one of the most aggressive lobbying efforts against a piece of legislation in the EU,” noting that the debate and negotiations lasted for nearly five years. After more than 3,000 amendments “it emerged as a flagship law for protecting data in the digital era.”
“Even after its 2016 adoption, industry lobbying against it never really ceased, which is a contributing factor as to why today’s report by the Commission has been so highly anticipated. Many business operatives evidently hoped the review process would lead to a re-opening of the law. Thankfully, the GDPR and its vital and necessary protections live on.”
Access Now says GDPR has played a “crucial role in raising awareness around why data protection matters, how often our personal data are misused, and how people can now exercise their rights and seek remedy for these violations.”
It goes on to suggest that enforcement of the GDPR has “severely lagged” and data protection authorities have been “crippled by a lack of resources, tight budgets, and administrative hurdles, and have been unable - or sometimes, unwilling - to enforce the GDPR adequately.”
“The Commission reached a similar conclusion in its report. Importantly, it notes that it is ready to use infringement procedures to ensure that national governments comply with the GDPR.”
“Even after its 2016 adoption, industry lobbying against it [GDPR] never really ceased, which is a contributing factor as to why today’s report by the Commission has been so highly anticipated. Many business operatives evidently hoped the review process would lead to a re-opening of the law” Estelle Massé, Access Now
A similar call was also made by Parliament.
Massé said, “The EU and its states have invested a lot of time and energy in adopting the GDPR. The EU must put its money where its mouth is and invest the resources necessary to realise the promise of the GDPR.”
She said that in a report Access Now detailed how in Poland, Romania, Hungary and Slovakia, courts and authorities have been abusing the GDPR to curtail investigative journalism or target civic tech NGOs by pressuring outlets to reveal their sources.
“We called on the Commission to launch infringement procedures in countries where these abuses would occur.”
Věra Jourová, Commission Vice-President for Values and Transparency, said, “Europe’s data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we are building other polices, such as data strategy or our approach to AI.”
“The GDPR is the perfect example of how the EU, based on a fundamental rights approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution. But we all must continue the work to make GDPR live up to its full potential.”
Her colleague, Didier Reynders, EU Commissioner for Justice, said, “The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection.”
“We can do better though, as today's report shows. For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights.”
Markus Beyrer, Director General of BusinessEurope, said, “Europe's digital capacity has proved vital throughout the COVID-19 crisis. The processing and movement of data has meant that Europe can continue to work, shop, study and carry out its personal life at distance.”
“This is only possible because businesses in Europe have taken many steps to comply with the GDPR and were in good shape to uphold citizens’ privacy as they continued to carry out their daily lives online.”
“We agree with the Commission that a revision seems premature as its impact is still being fully assessed, but we are concerned that the full possibilities of the GDPR are being diminished in practice.”
He added, “Application of all legal data processing possibilities should be permitted instead of forcing one method. The Commission should also understand the impact of the GDPR in relation to its ambitions to boost European excellence in Artificial Intelligence.”