How EU Authorities See GDPR Effectiveness Two Years In

eWEEK DATA PROTECTION PERSPECTIVE: “The issue we’re facing now is that the full scope of GDPR is not being used,” one expert told eWEEK. “There are still mechanisms that need to be tested. Europe really led the way on how to protect personal data—on paper. Now we need to make sure this is delivered in practice.”


BERLIN—The European Union’s flagship data protection law, the General Data Protection Regulation (GDPR), has been in effect for two years as of May 25 and has led to an improved awareness of privacy rights—and not just within the continent, but globally.

However, there are concerns that, while the framework of the regulation is solid, the EU and the European Commission are not doing enough to ensure that budgets and resources for Data Protection Authorities (DPAs) are sufficient to handle an increasing number of complaints and data privacy violations.

Furthermore, the introduction of the GDPR has created a major degree of uncertainty, because data processing activities taking place in the course of daily business were all of a sudden being called into question in terms of their legality.

This has led, in part, to “abstruse constellations,” according to Johanna Soetbeer, a lawyer and data protection consultant with German data protection and IT security specialist Intersoft Consulting.

GDPR: Better Privacy Management Overall, but Enforcement Lacking

“Aside from the initial confusion, however, after two years of GDPR, the improved awareness regarding privacy, whether out of conviction or for fear of the significantly increased fines, has led to a better privacy management in many companies,” Soetbeer explained.

She noted that since the introduction of the GDPR, companies are often more willing to put effort and resources into developing comprehensive data-protection strategies in order to ensure compliance with the GDPR.

Intersoft’s Shobha Fitzke explained that in Germany, for example, companies have sought compliance with the requirements of the GDPR by implementing data-protection management systems and the recording of processing activities, called data mapping. 

“On the other hand, the new documentation requirements require a lot of internal—and sometimes external—effort, and some companies complain that the GDPR merely generates more paper documents with no real purpose,” Fitzke pointed out. “Smaller companies in particular struggle with implementing all of the requirements.”

For Brussels-based Estelle Massé, senior policy analyst and global data protection lead for international non-profit organization Access Now, the two-year anniversary of GDPR brings up “bittersweet” feelings. 

“We remain convinced the framework can bring a lot of benefits to people, and there are clear mechanisms, and there is clear potential, because it is changing the way entities view data protection,” Massé said.

Some EU States Lack Enforcement Resources

However, the organization’s recently published GDPR implementation progress report raises concerns that while the language of the regulation is robust, state-based DPAs still lack sufficient resources to enforce it.

“We put a lot of energy into adopting sound legislation, but then the same amount of resources are not put into enforcement, and it is frustrating both for people who have worked to push the legislation through and for those who have been promised those rights,” Massé said.

She pointed to numerous flaws, which include a growing backlog of complaint cases that need to be resolved, political pressure within certain EU member states to relax enforcement to protect jobs created by large tech companies, and the outright misuse of the law to curtail press freedoms.

Massé highlighted cases in Romania, Poland, Slovakia and Hungary, where courts and authorities have been abusing the GDPR to curtail investigative journalism or target civic tech NGOs by trying to force outlets to reveal their sources. 

“There is very specific language in the GDPR that mentions the regulation always needs to take human rights and freedom of expression rights into account,” Massé said. “There might need to be clarification, but if you look at the language, it clearly does not authorize the issues that have happened. We feel people are testing the boundaries of the law.” 

Call for More Human and Financial Help

Massé called for governments across the EU to increase the financial and human resources allocated to DPAs, including technical staff, so that they can function properly and be able to address the large number of complaints. 

Massé said the report found that out of 30 DPAs from all 27 EU countries, the United Kingdom, Norway and Iceland, only nine said they were happy with their level of resourcing.

She said in order to send a unified message to global corporations, as well as to ensure the full independence of individual member DPAs, funding should come down from the EU. 

“It’s EU legislation, and we cannot create holes in states where these tech companies can go shopping for a country that will be less strict with the way the law is applied,” Massé said. “Part of the EC should be dedicated to ensure these DPAs can act independently to enforce GDPR laws.” 

Fitzke also pointed out that while the European Data Protection Board (EDPB) provides helpful guidelines and opinions on the consistent interpretation of GDPR provisions, there still seem to be some discrepancies among the member states on how to fulfill provisions of the GDPR accordingly.

“It still seems difficult to bring about real changes with regard to data processing activities by the big tech companies, due to their monopoly of the market and the various ramifications,” Fitzke said. “There is still considerable room for further improvement and harmonization.”

How the ePrivacy Directive Fits In

Soetbeer explained that it is also necessary to link the GDPR to the ePrivacy Directive, which is focused on protecting privacy and security of personal data in electronic communications.

She said in the future, data transfers outside EU/EEA would definitely be an issue of growing importance, because standard contractual clauses and privacy shield certification have been challenged “quite a lot” in the past.

“We also see that privacy by design and privacy by default settings are an issue for a lot of companies, especially for software developers, and authorities might come up with guidelines here,” she said.

The same applies for social media, online marketing (for example, cookies) as well as big data.

“Authorities have a focus on companies like Facebook and how they handle personal data, and we believe that there will be stricter requirements and sanctions in the future,” Soetbeer said. “As online marketing, targeting, online behavioral advertising and cookies become more and more relevant in daily online life, the laws and regulations in this regard need to evolve as well.”

Not Nearly Enough Citations?

Access Now’s report records that from May 2018 to March 2020, authorities levied a mere 231 fines and sanctions, while as many as 144,376 complaints were filed between May 2018 and May 2019.

These figures indicate the EU needs to start bolstering DPA resources apace, particularly when taking into account the huge disparity of resources between data-protection authorities and companies they oversee.

The lack of cooperation between DPAs also has threatened to undermine the GDPR’s long-term capacity to change private-sector norms and practices with regard to data protection, the report warned. 

Despite the persistent challenges to implementation, Massé noted one of the most exemplary successes of the regulation has been the global conversation around data privacy that it has sparked.

The GDPR has put data protection at the heart of many debates, including at the center of coronavirus tracing app development, and has brought attention to how much people are concerned about data privacy and protection.

Brexit Has Impacted GDPR

In addition to the COVID-19 pandemic, which has raised a series of data privacy concerns as governments try to contain the outbreak, Massé noted the United Kingdom’s decision to leave the EU also has consequences for the application of the GDPR and implications for the protection of personal data in Europe.

“The issue we’re facing now is that the full scope of GDPR is not being used,” she said. “There are still mechanisms that need to be tested. Europe really led the way on how to protect personal data—on paper. Now we need to make sure this is delivered in practice.”  

Nathan Eddy is a longtime eWEEK contributor based in Berlin.