European data protection board (EDPB)
Contribution of the EDPB to the evaluation of the GDPR under Article 97 (18 February 2020)
The application of the GDPR in this first year and a half has been successful. The GDPR has strengthened data protection as a fundamental right and harmonized the interpretation of data protection principles. Data subject rights have been reinforced and data subjects are increasingly aware of the modalities to exercise their data protection rights. Moreover, data controllers and processors within the EU now benefit from one single set of rules bringing more legal certainty and a single interlocutor through the one-stop-shop mechanism. The framework provides for increased investigative and corrective powers for supervisory authorities (SAs), including significant fines. The GDPR also contributes to an increased global visibility of the EU legal framework and is being considered a model outside of the EU.
Since the entry into application of the GDPR, the EDPB as a new decision-making EU body - building on the work of the Working Party 29 (“WP 29”) - has adopted various opinions and guidelines2 to clarify fundamental provisions of the GDPR and to ensure consistency in the application of the GDPR by SAs.
More specifically, the EDPB has done so with the objective of developing guidance on new and emerging technologies. In this respect, the EDPB emphasizes that the GDPR is a technologically neutral framework designed to be comprehensive and to foster innovation by being able to adapt to different situations without being complemented by sector-specific legislation. The EDPB underlines that the GDPR is fully applicable to emerging technologies and it will continue to elaborate on the impact of emerging technologies on the protection of personal data.
The EDPB acknowledges that the implementation of the GDPR has been challenging, especially for small actors, most notably SMEs. SAs have been developing several tools to support SMEs in complying with the GDPR . The EDPB is committed to facilitating the development of these tools in order to further alleviate the administrative burden.
The EDPB is convinced that the cooperation between data protection authorities will result in a common data protection culture and consistent monitoring practices. However, the EDPB notes that SAs have identified challenges while implementing the cooperation and consistency mechanism. In particular, the patchwork of national procedures and practices has an impact on the cooperation mechanism. This is mainly due to differences in complaint handling procedures, position of the parties in the proceedings, admissibility criteria, duration of proceedings, deadlines, etc. The EDPB is examining possible solutions to overcome these challenges and to ensure a common application of the key concepts relating to the cooperation procedure. The European Commission should monitor whether national procedures hinder the full effectiveness of the cooperation mechanism and eventually legislators may also have a role to play in ensuring further harmonization.
The EDPB stresses that the effective application of the powers and tasks attributed by the GDPR to SAs is largely dependent on the resources available to them. In this regard, the EDPB notes that most of the SAs state that resources made available to them are insufficient. Therefore, it is of the utmost importance that all SAs are provided with sufficient resources by the Member States to carry out their tasks. The EDPB notes that this applies, in particular, to the one-stop-shop mechanism, as its success depends on the time and effort that SAs can dedicate to individual cases and cooperation.
Next, the EDPB underlines that transfers of personal data to third countries or international organisations form an integral part of the digital environment. The EDPB welcomes the interest of third countries to engage with the EU in the context of an adequacy decision. Adequacy decisions are an important tool to ensure the continuous protection of personal data transferred from the European Economic Area to third countries and International organisations. The EDPB remains committed to providing independent assessments of the tools developed by the European Commission with regard to the strengthened requirements of the GDPR, especially enforceable rights, effective redress and safeguards concerning onward transfers. The EDPB considers these assessments to be of the utmost importance. The EDPB will participate in the evaluation of current adequacy decisions and the adoption of future ones, while emphasising that it needs to receive all relevant documents in time to allow for a thorough assessment.
With respect to other tools for international transfers, the EDPB recalls its ongoing work on binding corporate rules, codes of conduct, certification mechanisms and administrative arrangements for transfers between public authorities. The EDPB is of the view that there is a pressing need for the European Commission to bring the existing set of SCCs in line with the GDPR and to draft additional SCCs that cover new transfer scenarios. In particular, the adoption of a set of processor-to-processor SCCs would allow the appropriate framing of such transfers in accordance with Article 46 GDPR.
In conclusion, after only 20 months of GDPR application, the EDPB takes a positive view of the implementation of the GDPR and is of the opinion that it is premature to revise the legislative text at this point in time. Rather than revising the GDPR itself, the EDPB calls upon the EU legislators, in particular the European Commission, to intensify efforts towards the adoption of an ePrivacy Regulation to complete the EU framework for data protection and confidentiality of communications.
Link