With all of the attention that's been paid to the start of enforcement of the California Consumer Privacy Act (CCPA), it might be easy to have missed that it has been two years since the European General Data Protection Regulation (GDPR) came into effect on May 25, 2018.

Luckily, the European Commission (Commission) was there to remind us. On June 24, 2020, the Commission published a report titled “Data protection as a pillar of citizens' empowerment and the EU's approach to the digital transition — two years of application of the General Data Protection Regulation”.

While the Commission focused primarily on the transfer of personal data to third countries or international organizations and on cooperation and consistency in applying the GDPR, the report provides insight into other areas as well.

For the report, the Commission sought input from the European Council, the European Parliament, the European Data Protection Board (the Board), individual data protection authorities of member countries, a formal “multi-stakeholder expert group” (including representatives from business and academia) and others.

Key Findings in the Report

The report yielded several notable findings:

Fragmentation in General

While the GDPR aims to provide a consistent framework for data privacy for all member states, this has not completely occurred in practice. This is due, in large part, to certain clauses in GDPR which allow member states to:

  • Provide more specific requirements for processing personal data; or
  • Deviate from the GDPR's default rules in certain areas.

This is a particular challenge for cross-border businesses since different requirements may be mandated by the laws of the country where the business is established versus the laws of the countries in which the data subjects reside.

Consent for Processing Children's Personal Data

Where data is processed on the basis of data subject consent, GDPR mandates that consent for the collection of personal data from children below the age of 16 in the context of “information society services” (services normally provided for remuneration at a distance by electronic means at the individual request of the recipient of the services) must be provided by the child's parent or guardian.

However, GDPR allows member states to lower the threshold to as low as 13 years of age. While nine countries have maintained the threshold at 16, a greater number of countries have implemented a lower threshold. This requires businesses providing such services to ascertain a child's country of residence in order to establish what consent will be required (or apply the strictest standard to all individuals).

Appointment of a Data Protection Officer

Since GDPR takes a “risk-based” approach (i.e., requirements are stricter for processing involving a higher degree of risk than they are for low-risk processing), GDPR mandates that only certain controllers and processors of personal data (for example, those that process special categories of data on a large scale) must designate a data protection officer.

Germany has deviated from this approach in at least one respect, requiring that a company with 20 or more employees permanently engaged in automated processing of personal data appoint a data protection officer.

Burdens on Small and Medium Enterprises (SMEs)

Compliance has posed a particular challenge for smaller-sized businesses. The report maintains that, due to the risk-based approach, it would be inappropriate to relax requirements for SMEs since the size of the business is not necessarily indicative of the level of risk involved in the processing carried out by the business.

The report recommends that SMEs take advantage of resources offered by local data protection authorities (specialized publications, hotlines and templates for contracts and recordkeeping), as well as tools provided at the EU level (such as standard contractual clauses).

The Commission recommends that the Board and member countries develop additional tools and resources.

Creation of New Standard Contractual Clauses (SCCs) and Updates to Existing SCCs

The Commission is drafting SCCs between controllers and processors. Using SCCs instead of negotiating a data protection agreement may prove particularly beneficial to SMEs since they are particularly sensitive to legal costs. The Commission is also working on updating the SCCs for international data transfers. This is a welcome development since those SCCs were introduced in 1995 and preceded GDPR.

Overrepresentation of Ireland and Luxembourg as “Lead Authority” for Cross-Border Cases

Under the GDPR's “one-stop-shop” mechanism for cross-border enforcement cases, the data protection authority of the country that hosts the main establishment of the processor (as opposed to the country of the processor or data subject) acts as the lead authority. The data protection authorities of other countries with an interest in the enforcement action may participate as concerned authority.

As a result, Ireland and Luxembourg (each of which host major international tech companies) are overrepresented as lead authority in cross-border enforcement actions. In fact, Ireland acted as lead authority in a greater number of cases than Germany did.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.