There is no recital in the Regulation related to article 97.
There is no recital in the Directive related to article 97.
Article 97 of the Regulation renews the task of evaluation and revision by the Commission that must submit assessment reports to the Parliament and the Council at regular intervals.
The second paragraph specifies that the Commission report should examine in particular the application and operation:
- of Chapter V on the transfer of personal data and in particular the decisions finding an adequate level of protection in the non -EU third countries.
- of Chapter VII on cooperation and consistency (cooperation between the supervisory authorities, role and tasks of the European Data Protection Board...).
For this purpose, the Commission may request information from Member States and supervisory authorities (paragraph 3).
Therefore, every four years the Commission must present every reports on the assessment and the revision of the Regulation to the European Parliament and the Council. In carrying out the evaluations and reviews, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources (paragraph 4).
A first report must be submitted no later than four years after the entry into force of the Regulation, i.e., the twentieth day following its publication in the Official Journal of the European Union and be published.
Like the Directive, the Commission must remain aware of the development in information technology and in the light of the state of progress in the information society and propose, where appropriate, amend to the Regulation (paragraph 5).
The Directive was already requiring the Commission to provide a report to the European Parliament and the Council on the application of the Directive, accompanied, as appropriate, by proposals for amendment (see Article 33).
We do not see a priori any specific implementation difficulties.
European data protection board (EDPB)
Contribution of the EDPB to the evaluation of the GDPR under Article 97 (18 February 2020)
The application of the GDPR in this first year and a half has been successful. The GDPR has strengthened data protection as a fundamental right and harmonized the interpretation of data protection principles. Data subject rights have been reinforced and data subjects are increasingly aware of the modalities to exercise their data protection rights. Moreover, data controllers and processors within the EU now benefit from one single set of rules bringing more legal certainty and a single interlocutor through the one-stop-shop mechanism. The framework provides for increased investigative and corrective powers for supervisory authorities (SAs), including significant fines. The GDPR also contributes to an increased global visibility of the EU legal framework and is being considered a model outside of the EU.
Since the entry into application of the GDPR, the EDPB as a new decision-making EU body - building on the work of the Working Party 29 (“WP 29”) - has adopted various opinions and guidelines2 to clarify fundamental provisions of the GDPR and to ensure consistency in the application of the GDPR by SAs.
More specifically, the EDPB has done so with the objective of developing guidance on new and emerging technologies. In this respect, the EDPB emphasizes that the GDPR is a technologically neutral framework designed to be comprehensive and to foster innovation by being able to adapt to different situations without being complemented by sector-specific legislation. The EDPB underlines that the GDPR is fully applicable to emerging technologies and it will continue to elaborate on the impact of emerging technologies on the protection of personal data.
The EDPB acknowledges that the implementation of the GDPR has been challenging, especially for small actors, most notably SMEs. SAs have been developing several tools to support SMEs in complying with the GDPR . The EDPB is committed to facilitating the development of these tools in order to further alleviate the administrative burden.
The EDPB is convinced that the cooperation between data protection authorities will result in a common data protection culture and consistent monitoring practices. However, the EDPB notes that SAs have identified challenges while implementing the cooperation and consistency mechanism. In particular, the patchwork of national procedures and practices has an impact on the cooperation mechanism. This is mainly due to differences in complaint handling procedures, position of the parties in the proceedings, admissibility criteria, duration of proceedings, deadlines, etc. The EDPB is examining possible solutions to overcome these challenges and to ensure a common application of the key concepts relating to the cooperation procedure. The European Commission should monitor whether national procedures hinder the full effectiveness of the cooperation mechanism and eventually legislators may also have a role to play in ensuring further harmonization.
The EDPB stresses that the effective application of the powers and tasks attributed by the GDPR to SAs is largely dependent on the resources available to them. In this regard, the EDPB notes that most of the SAs state that resources made available to them are insufficient. Therefore, it is of the utmost importance that all SAs are provided with sufficient resources by the Member States to carry out their tasks. The EDPB notes that this applies, in particular, to the one-stop-shop mechanism, as its success depends on the time and effort that SAs can dedicate to individual cases and cooperation.
Next, the EDPB underlines that transfers of personal data to third countries or international organisations form an integral part of the digital environment. The EDPB welcomes the interest of third countries to engage with the EU in the context of an adequacy decision. Adequacy decisions are an important tool to ensure the continuous protection of personal data transferred from the European Economic Area to third countries and International organisations. The EDPB remains committed to providing independent assessments of the tools developed by the European Commission with regard to the strengthened requirements of the GDPR, especially enforceable rights, effective redress and safeguards concerning onward transfers. The EDPB considers these assessments to be of the utmost importance. The EDPB will participate in the evaluation of current adequacy decisions and the adoption of future ones, while emphasising that it needs to receive all relevant documents in time to allow for a thorough assessment.
With respect to other tools for international transfers, the EDPB recalls its ongoing work on binding corporate rules, codes of conduct, certification mechanisms and administrative arrangements for transfers between public authorities. The EDPB is of the view that there is a pressing need for the European Commission to bring the existing set of SCCs in line with the GDPR and to draft additional SCCs that cover new transfer scenarios. In particular, the adoption of a set of processor-to-processor SCCs would allow the appropriate framing of such transfers in accordance with Article 46 GDPR.
In conclusion, after only 20 months of GDPR application, the EDPB takes a positive view of the implementation of the GDPR and is of the opinion that it is premature to revise the legislative text at this point in time. Rather than revising the GDPR itself, the EDPB calls upon the EU legislators, in particular the European Commission, to intensify efforts towards the adoption of an ePrivacy Regulation to complete the EU framework for data protection and confidentiality of communications.
1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:
(a) Chapter V on the transfer of personal data to third countries or international organisations with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;
(b) Chapter VII on cooperation and consistency.
3. For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.
4. In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.
5. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account of developments in information technology and in the light of the state of progress in the information society.
1st proposal close
The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in information technology and in the light of the state of progress in the information society. The reports shall be made public.
2nd proposal close
1. The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals..
2. In the context of these evaluations the Commission shall examine, in particular, the application and functioning of the provisions of Chapter VII on Co-operation and Consistency.
3. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The reports shall be made public.
4. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in information technology and in the light of the state of progress in the information society.
No specific provision