Time to Review and Revise the GDPR?
Of the 99 Articles that make up the EU General Data Protection Regulation (GDPR), Article 97 is surely the most far-reaching for the safeguarding of privacy and data protection in Europe.
Since the law came into force in May of last year, Article 97 has motivated a growing number of EU member states and supervisory authorities to consider the many challenges faced by organizations striving to achieve GDPR compliance, and they have been discussing their observations and experiences with its application. Their comments clearly illustrate that the GDPR is far from being “settled law”.
But first, for those unfamiliar with the article, here is the full text:
1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:
   a) Chapter V on the transfer of personal data to third countries or international organisations with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;
   b) Chapter VII on cooperation and consistency.
3. For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.
4. In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.
5. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account of developments in information technology and in the light of the state of progress in the information society.
So, let's take a look at the comments submitted by member states, pertaining to their ongoing evaluation of the GDPR.
Preparation for the Review of GDPR Article 97
As reported by IAPP, Article 97 instructs the European Commission, by May 25, 2020, and once again every four years thereafter, to “submit a report on the evaluation and review of this Regulation to the European Parliament and the Council.” At a minimum, these reports should examine “the application and functioning” of Chapter 4 on transfers of personal data to third countries or international organizations and Chapter 7 on cooperation and consistency mechanisms. What makes this review process so critical is that it may serve as an impetus for the commission to “submit appropriate proposals to amend” the GDPR.
European authorities have already begun preparing for their first review of the application of the GDPR. Back in July, the Finnish Presidency issued a note to the delegations that contained a plan for its preparation of the European Council’s position on the GDPR evaluation. In particular, the presidency “welcome[d] all observations from the delegations with respect to the review and evaluation of the GDPR.” Following the Sept. 3 DAPIX Working Party meeting, which brought together experts from each member state, delegations were asked to submit in writing their observations on the experiences obtained from the application of the GDPR, along with their initial positions on and recommendations for items to be included in the council’s report. Most recently, on Oct. 9, the council released a note to the delegations containing such comments from 19 member states.
The following sections highlight some of the key issues raised in the comments made by member state delegations about the GDPR. They focus on areas where the delegations have seen conflict arise, questions on which they would like greater clarity, and recommendations for what they believe should be done to address these issues.
It is also worth noting that some member states insisted that the review not be limited to the two topics mentioned in Article 97(2) (personal data transfers and cooperation/consistency), while others maintained that it is still too early to draw conclusions for a review of the GDPR.
Confusion, Inconsistency and Fragmentation
For most, implementing the GDPR has been anything but simple, easy or straightforward. Along these lines, multiple member states submitted comments pointing to the uncertainty, confusion and fragmentation that persists around the GDPR’s application. For its part, Germany admitted that “some businesses and government agencies have said they feel overwhelmed following the GDPR’s entry into application,” while “[s]ome users have felt considerable uncertainty [and] been very confused” by seemingly new instruments created by the GDPR, such as records of processing activities and data protection officers.
To alleviate some of these ambiguities, the Czech Republic suggested that real cases of best practice, as well as cases of bad practice, could be published online for the benefit of other member states. It pointed to several issues in which best practices are needed, including conflict of interests of DPOs, professional qualifications of DPOs, the roles of controller and processor, transparency obligations to data subjects where data has been obtained from public sources, and additional identification pursuant to Article 11.
One of the biggest areas in which fragmentation has affected GDPR implementation has been in the protection of children’s data. Namely, Ireland described the GDPR’s approach to the protection of children as “fragmented and disjointed.” While references to protections for children can be found in various recitals (38, 58, 65, 71, and 75) and articles (6.1(f), 8, 12, 40, and 57), they are like “a jigsaw puzzle” and “do not provide a coherent picture.” France also pointed out that children’s consent in Article 8, which leaves discretion to member states regarding the age of consent of minors, “is likely to cause implementation difficulties” and that assessing whether this needs to be revised should be a priority. In a similar vein, the Netherlands pushed for “only one uniform age of consent” to apply throughout the entire EU, as the current situation “leads to a problematic lack of legal certainty for all parties concerned; parents, children and controllers alike.”
Furthermore, the Czech Republic noted that, if the European Data Protection Board were to issue its own, even non-exhaustive, list of processing operations subject to or exempted from impact assessments, it would “contribute to much more uniform and consistent application of the GDPR.” Germany also urged DPAs to harmonize their practice of interpretation more closely regarding risky processing operations and data protection impact assessments.
Member states made numerous comments about the effectiveness of and expectations placed upon supervisory authorities. On the bright side, member states drew attention to the effectiveness of the cooperation efforts between SAs. Latvia, for example, noted that several complaints by data subjects have been resolved successfully through the cooperation of the Latvian and Lithuanian SAs.
Others, meanwhile, focused on the shortcomings in the work done by SAs. For example, Germany noted that businesses would like “faster and more concrete assistance from the data protection authorities,” while “[d]ata subjects would like more advice and faster processing of their requests.” Germany also asked for transparent criteria for SAs regarding the issuance of fines “in order to ensure comparability and uniform enforcement.” France called for “national disparities which hinder cooperation for supervisory authorities” to be “examined and removed.” Lithuania raised a question as to whether an appeal judgment in a national court in one jurisdiction would be legally binding on the lead SA in another jurisdiction.
Finding that a large number of data subjects make complaints to SAs after they are notified of a data breach via Article 33, Bulgaria stated that “difficulties arise in handling complaints on the same issue.” Bulgaria noted that “the obligation to handle complaints [vis-à-vis Article 77] itself obstructs the work of the data protection authority.” Bulgaria also noted that while Article 57(4) treats the excessiveness of a request to the SA as hinging on the repetitiveness of requests from a single data subject, it does not consider excessiveness in the sense of “multiple identical requests made by a large number of data subjects … regarding the same case.” Germany also pointed out that “data protection authorities are most likely overwhelmed by the massive volume of reports” submitted in accordance with Article 33, of which there were 89,000 in the EU by April 2019.
Transfers of personal data
Most member states that commented on adequacy decisions offered positive reflections. Yet, a common criticism was that they “remain underused.”
To address this problem, Germany urged the commission to “keep up its efforts to bring about additional adequacy decisions and to expand the existing ones to additional areas and sectors.” The Netherlands submitted a list of countries, suggested by Dutch trade organizations, as potential future candidates for an adequacy finding. These included Singapore, Colombia, Mexico, South Africa, Serbia and Dubai International Financial Centre, as well as all countries that have ratified and implemented the modernized Convention 108+.
Regarding codes of conduct, Belgium explained that “there is a clear interest from various stakeholders to make use” of them, but there is a reluctance to do so “due to a lack of clear guidelines.” Bulgaria referred to codes of conduct as “an extremely useful and practically oriented voluntary accountability tool” but one that is “widely regarded as a form of indulgence that impedes the powers of the supervisory authority.” The Netherlands cast doubt on the validity of the interpretation of codes of conduct provided in the EDPB’s recently adopted guidelines, arguing that the text of the GDPR should be clarified on this topic. In addition, the Netherlands stated that the institution of a monitoring body for codes of conduct should be optional, as it would likely act as a disincentive by introducing additional costs into the process.
Lithuania remarked that Recital 81 states standard contractual clauses may be adopted by SAs only after approval by the commission, a situation that “creates legal uncertainty as to the mandatory nature of such procedure.” To remedy this, Lithuania recommended considering whether this power of the commission should be explicitly included in Article 28(8).
Finally, on binding corporate rules, “while a useful and necessary subsidiary mechanism,” Belgium argued that their use “also runs counter to the harmonization objectives of the GDPR.”
To recap, Article 97(4) of the GDPR requires the commission to “take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources” while conducting its evaluation and review of the GDPR. In particular, the Council expects the Commission to request information from the Member States on three issues:
the use of adequacy decisions;
the independence and resources of DPAs, including about “their capacity to exercise their powers provided by the GDPR and to comply with their obligations in the context [of] the cooperation and consistency mechanisms”; and
verification of the effectiveness of the “coherent interpretation and application of the GDPR throughout the EU by the cooperation and consistency mechanism provided by the GDPR.”
So, what are the next steps for the first Article 97 evaluation and review of the GDPR?
Today's DAPIX meeting gives delegations an opportunity to discuss a draft report containing the observations on the GDPR made by various member states. The Finnish Presidency has already declared its intentions to adopt the final version of the report, in the form of an outcome of the proceedings, by the end of 2019.
Whether substantive amendments to the GDPR will result from this review process remains to be seen, but it should not be ruled out. Indeed, several developments in information technology and information society — including growth in the data power of large tech companies, big data analytics and profiling, the potential for price discrimination, and blockchain applications — could pose a future challenge to the law. As the Netherlands put it direly, if the EU waits for these developments to materialize before amending the GDPR, “there is a risk that the proverbial genie will be out of the bottle and these amendment[s] will turn out to be too little, too late.”
Most of all, the above comments clearly illustrate that the GDPR is far from being settled law. Privacy practitioners would do well to follow the Article 97 process until May of next year, as the commission prepares its first report on the evaluation and review of the GDPR.