Luxembourg: Assessment By The European Commission Of Two Years Of The GDPR's Application

What happened?

On 24 June 2020, the European Commission ("Commission") published its first evaluation¹ of the General Data Protection Regulation ("GDPR")² since its entry into application on 25 May 2018 (the "Report").

The Report focuses on international transfers and the manner in which the cooperation and consistency mechanisms provided for under the GDPR are applied. It also refers to several issues surrounding the GDPR's implementation amongst which are the challenges faced by small and medium-sized enterprises ("SMEs") as to their compliance with the GDPR or the way specific technologies such as artificial intelligence, blockchain or the Internet of Things implement GDPR principles.

The Report also highlights that the GDPR provides a strong and flexible framework with respect to the processing of personal data (including health data) as part of the monitoring of epidemics such as the current COVID-19 pandemic. In this respect, the Commission expresses its intention to follow closely the development and the use of apps in the context of the COVID-19 pandemic and refers to its previous guidance in that area.

What is the overall assessment?

While the Commission admits that it is still early to draw definitive conclusions, the Commission considers the GDPR did successfully reach most of its objectives.

The GDPR notably conferred more awareness on data subjects in the exercise of their rights and Member States have progressed in effectively supporting their respective data protection authorities, which have used their corrective powers in a reasonable manner since 25 May 2018. Regarding this last point, however, the Report highlights that national data protection authorities have also imposed administrative fines, certain of which amounted to hundreds of thousands of euros and even to several million euros (against entities of the Google group).

The Commission points out that the Luxembourg data protection authority (Commission Nationale pour la Protection des Données), which acts as a lead authority in several cross-border cases due to the presence of a certain number of big tech companies on its territory, has benefited from one of the greatest increases in human and financial resources (as a percentage)³. Between 2016 and 2020, it is expected, within the European Economic Area ("EEA"), to have (i) the fourth most significant growth in staff (153%) (following Ireland, Finland and the Netherlands), and (ii) the second most significant growth in budget (226%) after Ireland.

What are the remaining challenges?

Notwithstanding the GDPR's achievements after two years of application, the Commission has also identified several areas where the enforcement of the GDPR may be improved or where future actions would be necessary, such as:

• simplifying data subjects' rights enforcement, in particular for the right of portability which has not reached its full potential yet and is exercised in few sectors only (such as the banking and telecommunications sectors);
• providing standard contractual clauses ("SCCs") between controllers and processors (under Article 28 of the GDPR) and continuing the ongoing work on the modernisation of the SCCs for international transfers (under Article 46 of the GDPR)⁴;
• improving handling of cross-border cases by national authorities and the implementation of joint investigations;
• limiting the use of specification clauses (i.e. where the GDPR gives Member States the possibility to put in place specific rules for certain specified processing situations), which create fragmentation between Member States' legislation (for instance, regarding the age for child consent in relation to information society services);
• developing more practical tools and resources to help SMEs comply with the GDPR; and
• reflecting on potential amendments that could be made to specific provisions of the GDPR.

What's next?

The Commission will release a new evaluation in 2024. In the meantime, it will continue its work aiming at promoting convergence of data protection rules and developing international cooperation in the field of data protection. To that end, the Commission invites data protection authorities to ensure their national guidance is fully in line with guidelines adopted by the European Data Protection Board (the "EDPB")⁵ and encourages both the EDPB and national data protection authorities to adopt further practical guidelines to provide concrete answers on issues faced by the various stakeholders when they apply the GDPR.

Finally the Commission has stated that it will report at a later stage on the evaluation of the existing adequacy decisions, such decisions constituting a legal basis for the transfer of personal data from the EEA to a third country⁶.

Footnotes

1 Communication from the Commission to the European Parliament and the Council: Data Protection as a pillar of citizen's empowerment and the EU's approach to the digital transition – two years of application of the General Data Protection Regulation {SWD(2020) 115 final}. Available here

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC - OJ L 119, 4.5.2016.

3 Please see The Commission Staff Working Document accompanying the Communication from the Commission to the European Parliament and the Council, Annex II: Overview of the resources of data protection authorities.

4 The report was released before the CJEU ruling of 16 July 2020 in the "Schrems II" case (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) invalidating Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. Therefore, it remains to be seen how such a ruling might influence the Commission's work on the SCCs.

5 The EDPB, established by the GDPR, is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor. It is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU's data protection authorities.

6 The countries/territories benefiting from adequacy decisions are: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Japan, Jersey, Isle of Man, Israel, New Zealand, Switzerland and Uruguay.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.