On 24 June, almost a month after the two-year anniversary of the entry into application of the General Data Protection Regulation (GDPR), the Commission published its report on the evaluation of the GDPR, together with detailed Staff Working Document outlining the evidence for the report and a report on the alignment of relevant EU law enforcement rules with regard to data protection.

The report concludes that “[t]he general view is that two years after it started to apply, the GDPR has successfully, met its objectives and many of the expectations […]. [T]he Commission is of the view that it would be premature at this stage to draw definite conclusions regarding the application of the GDPR.” As emphasised in its report, and by Commission Vice President Vĕra Jourová and Justice Commissioner Didier Reynders during today’s press conference, the GDPR “has already emerged as a key reference point at international level and acted as a catalyst for many countries around the world to consider introducing modern privacy rules.” In addition, the Commission is already thinking of how it can expand this global standard setting role to other areas, such as non-personal data sharing, AI and platform regulation, and, given that privacy legislation has been developing at speed in the U.S. following the adoption of the GDPR, the Commission does not want to give up its ground.

Based on significant input from the EDPB, national DPAs, the Council, individual Member States, and stakeholders (both through the Multistakeholder Expert Group and the responses to the mini-consultation on the report), the Commission does acknowledge, however, that “a number of areas for future improvement have also been identified.”

Regarding the implementation of the legal framework in the EU, the Commission found that there is “still a degree of fragmentation and diverging approaches”, especially when it comes to specification clauses (e.g. the age of consent for children). The report recommends that Member States consider greater alignment with the GDPR. In the long term, the Commission should explore whether “future targeted amendments to certain provisions might be appropriate.”

On enforcement of the GDPR and the cooperation between the national DPAs, the report notes that, while national DPAs “have made use of administrative fines” and “developed their cooperation”, “developing a truly common European data protection culture between data protection authorities is still an on-going process.” The report makes a number of recommendations, especially on cooperation and consistency, with the Commission seeking to ensure DPAs have sufficient funding and encourage cooperation with a wider range of regulators (including competition and consumer policy).

With the Schrems II judgment expected on 16 July, the UK leaving the EU acquis on 31 December 2020, and the Commission’s work on updating Standard Contractual Clauses (SCCs) ongoing, there has been a lot of interest in the Commission’s conclusions on international data transfers. The Commission will report on the evaluation of the existing adequacy decisions after the Schrems II judgment. Similarly, its work on “a comprehensive modernisation of [SCCs]” will “better reflect the realities of processing operations in the modern digital economy and consider the possible need, in light of the upcoming [Schrems II judgment], to further clarify certain safeguards.” On the adequacy decision for the UK, the report does not offer any indication of the timing of such a decision, but rather states that “the Commission is currently carrying out an adequacy assessment.”

The quick adoption of new technologies in the EU was one of the main arguments in favour of reopening the GDPR. However, the Commission explains that the GDPR had been “conceived in a technology neutral way” and argues, “[t]he data protection and privacy legislative framework proved its importance and flexibility during the COVID-19 crisis, notably in relation to the design of the tracing apps and other technological solutions to fight the pandemic.” Going forward, the Commission will monitor the situation and the EDPB is invited to issue new guidelines/revise existing ones in light of such technological developments.

The Commission will monitor the implementation of these recommendations in view of the next evaluation report in 2024. When that comes around, we can probably expect a more serious discussion as to whether or not the framework should be adjusted.