It has now been two years since the EU’s General Data Protection Regulation (GDPR) became applicable. That makes this a timely moment to look back at how the regulation has functioned so far, and to consider its future.
The upcoming evaluation by the European Commission, which should have been published by the end of May, is therefore highly anticipated.
Generally, however, we can look back positively on the GDPR’s ‘toddler years’. The regulation is quite possibly the best-known piece of European legislation, known by many different abbreviations in many languages, both within and outside the EU.
It has cemented the EU’s role as the world leader on data protection, strengthened the data protection and privacy of our citizens as a fundamental right, and harmonised the interpretation of data protection principles across the Union.
At the same time, applying the GDPR is not without its challenges, particularly in the area of enforcement.
Many national supervisory authorities have indicated that they are struggling, and that they lack the staff and resources needed to properly enforce the regulation in their respective territories.
Ironically, one unintended consequence of the GDPR is that it has significantly increased the demand for data protection experts, including in the private sector, which has made staffing the supervisory authorities all the more complicated.
Furthermore, there is an imbalance between the way personal data is stored, which is often in a cross-border context, and the way data protection provisions are enforced, which is left mainly to the various national supervisory authorities.
In a digital world where the personal data of millions of Europeans is stored by large tech companies headquartered in a single Member State such as Ireland, the responsibility of the supervisory authority in that Member State is immense.
It is not only Irish citizens who must rely on its strength and efficiency; citizens throughout the EU need to be able to count on that one authority to guarantee the protection of their personal data and to ensure that it is used carefully and through secure channels.
This is a big ask for the supervisory authority of a single Member State, particularly given the substantial means of the companies it is supposed to supervise.
Given that our digital services market is growing ever more complex, with developments in areas such as artificial intelligence, it is important to ask ourselves whether the decentralised enforcement regime is still fit for purpose, or whether it would be better to join forces at a European level.
In addition to the enforcement challenges, it is also clear that certain GDPR provisions are underused.
Codes of conduct, for instance, are important tools that a specific sector can use to create legal certainty.
Yet, four years after the regulation entered into force and two years after it became applicable, the number of approved codes of conduct remains limited. Why? Because a code of conduct cannot be approved by a national supervisory authority on its own; the European Data Protection Board (EDPB) must first be involved.
Every code of conduct must provide for a monitoring body, but before the national supervisory authority can accredit that body, it needs to have its draft accreditation requirements approved by the EDPB.
To date, only eight Member States have had their accreditation requirements approved, while 19 Member States are apparently not yet ready.
Many crucial sectors are thus deprived of a tool that could give them legal certainty. This matters a great deal, given the potential for significant fines for failure to comply with the GDPR.
In the healthcare sector, for example, the lack of legal certainty leads to the imposition of standards that are stricter than necessary, which can negatively affect the quality and level of care provided to patients.
It is absolutely crucial that measures to encourage the drafting of such codes of conduct are strengthened and further developed.
The much-awaited evaluation of the GDPR by the European Commission is now expected by the end of June, and I expect the Commission to provide some answers to these pertinent questions.