GDPR: Reflections from the EU
The GDPR has been in force since the 25th May 2018, built around a two-fold aim to enhance the data protections rights of individuals whilst also improving business opportunities by facilitating the free flow of personal data in the digital single market.
However, despite the comprehensive nature of the GDPR, the emergence of new technologies and the ever-changing field of data protection creates a need for regular assessment of the regulation to ensure that it is adapting to modern developments.
This was recognised upon its instigation, as Article 97 of the GDPR states that the European Commission will submit a review and evaluation of the GDPR by the 25th May 2020, taking into account the findings of the European Parliament and the European Council.
In light of this, the Council Working Party on Information Exchange and Data Protection met several times between the 3rd September and the 5th December 2019 so as to discuss the Council position on the GDPR.
It is important to note that whilst Article 97 of the GDPR requires the Commission give particular focus to areas such as international transfers and co-operation and consistency between supervisory authorities and the application of the GDPR across Europe, the Council felt that its positions and findings should not be limited to these topics to ensure their evaluation is as comprehensive as possible.
Is the GDPR a success?
At this point in time, the Council regard the GDPR as a success.
Their reflections detail that the GDPR is an important milestone, as it has so far succeeded in strengthening the protection of personal data and fostering innovation in the EU whilst also improving awareness of the significance of data protection in the EU and abroad.
The Council also detailed their support for the Commission motion that competition, consumer and data protection authorities should cooperate in certain circumstances.
The example given was the supervision of large-scale technology companies, with the suggestion that such authorities could monitor the extent to which data subjects can sufficiently exercise their rights against large-scale corporations. This horizontal focus emphasises that the Council recognise the significance of the GDPR for all levels of data protection, as the rights of the individual are being prioritised on the same level as all other rightsholders.
With regard to improvements, the Council findings detail how controllers and processors need more clarification and guidance from the relevant supervisory authorities and the EDPB (European Data Protection Board).
This push for further clarification within the GDPR is likely to be reflected in the Commission’s upcoming evaluation report, which is sure to highlight the broad need for practical guidelines alongside other suitable means to further simplify data protection in the EU.
The Council found that drafting sector-specific codes of conduct in accordance with Article 40 of the GDPR could be a suitable method to bolster and further the application of the GDPR.
Particular focus was given to sensitive areas such as the processing of health data and the protection of children’s personal data. Whilst such codes of conduct are currently being considered among the supervisory authorities, the Council encouraged the development of such measures and recommended the Commission further increase support for the instigation of these codes of conduct.
New technological developments - specific challenges faced?
Particular attention was given to the emergence of new technologies, as the Council acknowledged the challenge such developments pose for the protection of personal data as well as the protection of other fundamental rights such as the prohibition of discrimination.
These challenges were related to artificial intelligence, mass-collation of data, algorithms and block-chain technology among other significant areas such as facial recognition and the ‘deep fake’ technology.
We recently discussed the application of the GDPR to the processing of personal data in blockchain technologies, and reviewed guidance on how privacy rights and new technologies can be reconciled.
Indeed, although the findings detailed the risk that these new areas present for the future of data protection, the Council did note that certain applications of the aforementioned technologies can prove to be a great advantage and potentially enhance the privacy of EU citizens.
Therefore, the Council deemed it necessary to monitor and assess the relationship between technological developments and the GDPR on a continual basis.
Furthermore, the Council highlighted that the GDPR was drafted to be technologically neutral and thus deemed it essential that the GDPR, and more generally the EU’s legal framework for the protection of personal data are prerequisites for the development of future policy initiatives.
However, in light of the significance of emerging technologies, the Council found it necessary to clarify as soon as possible how the GDPR applies to such areas to ensure its continual application.
What next?
In their final remarks, the Council reiterated their call for the Commission to take a broad view beyond International transfers and cooperation issues (not least in the wake of Brexit), given that there are strong arguments supporting a broader review and discussion on the topic.
Furthermore, upon reflection of the aforementioned issues raised, The Council suggested that further discussions and sharing of experiences between Member States and the Commission should be explored, whilst ensuring that there is no overlap with the work of the EDPB.
Finally, The Council upheld that “it is important to promote the European model established by the GDPR and to ensure legal certainty for all stakeholders in the forthcoming years”, asking that the Commission should continue monitoring and analysing experiences of application of the GDPR whilst also responding to challenges posed by new technologies as soon as possible.
You can read the full report here.
If you would like to discuss any of the issues raised in this article, or if you have any questions about your business’ data protection practices, then please don’t hesitate to get in touch!
Article by Sam Holmes @ Gerrish Legal, February 2020 / Cover photo by Ricardo Gomez Angel on Unsplash