.png)
1 month ago
22
The European Commission found serious enforcement issues with the General Data Protection Regulation (GDPR) and called for clearer guidelines to strengthen data protection across member states in a report published on Thursday (25 July).
This is the Commission’s second report on the application of the EU’s GDPR, a landmark data protection regulation that governs how personal data is handled in the European Union.
The regulation, in force since 2018, required that every four years, starting from 2020, the Commission should publish reviews of the GDPR to identify any issues, possibly leading to amendments to the regulation. The first one was published two years ago.
The new study revealed enforcement issues and the need for improved compliance and data protection across the EU.
This year’s study could lead to some tangible changes to the regulation but it is unclear how substantial these will be.
“There is no appetite for a complete legislative overhaul, so options range from developing new regulators’ guidance to targeted or ancillary legislative changes,” said Isabelle Roccia, managing director for Europe at the International Association of Privacy Professionals.
“The Civil Liberties Committee will now have an EPP chair and industry may see an opportunity for an industry-friendly refresh of parts of the GDPR without poking the bear,” she said.
Maryant Fernández Pérez, head of digital policy at the European Consumer Organisation (BEUC), an umbrella organisation representing the interests of national consumer organisations across Europe, warned that “the GDPR is constrained by often slow and ineffective enforcement, particularly in the major cross-border cases”.
Already in April, members of the European Parliament voted on amendments to the GDPR Enforcement Procedures Regulation to strengthen enforcement. Stakeholders urged further improvements, particularly regarding complainants’ rights and cross-border matters.
EU Parliament votes to strengthen GDPR enforcement
Members of the European Parliament voted on Wednesday (10 April) on amendments to strengthen the enforcement of the EU’s General Data Protection Regulation (GDPR), however, stakeholders urged for further improvements, particularly regarding complainants’ rights and cross-border matters.
Enforcement troubles
The report further said that ata Protection Authorities (DPAs), responsible for enforcing data protection laws across member states, have varying interpretations of the GDPR around certain issues, such as the legal basis for processing personal data in clinical trials.
The legal basis refers to the necessary justification for processing personal data under the GDPR.
These inconsistencies among DPAs result in differing compliance requirements for organisations operating across member states, the Commission wrote.
According to the document, stakeholders would like to see more guidelines on anonymisation, pseudonymisation, legitimate interest, and scientific research.
Anonymisation removes personal identifiers from data to prevent identification, while pseudonymisation replaces personal identifiers with pseudonyms, allowing data to be linked to individuals with additional information kept separately.
The Commission did ask the European Data Protection Board, an EU body tasked with ensuring consistent application of guidelines on the GDPR, for scientific research but they have not yet been adopted, the document said.
A significant portion of resources is consumed by handling a large number of complaints, the document reads. This limits the ability of DPAs to engage in other activities such as investigations, public awareness campaigns, and engagement with data controllers.
DPAs also struggle with insufficient human resources and face challenges in competing with the private sector for skilled staff, particularly in technical and legal fields.
Data subject rights
Data controllers, the companies or organisations that manage personal data, face challenges in interpreting and responding to access requests. Delays and incomplete responses to access requests are reported, and there are difficulties in reconciling this right with public access to documents.
Stakeholders are also concerned about children’s understanding of their data protection rights, their digital literacy, and potential undue influence affecting their exercise of these rights.
SMEs and cooperation
Small and medium-sized enterprises (SMEs) often find compliance challenging due to varying levels of support and guidance from DPAs. To help them comply with the GDPR, there should be practical tools, templates, and easy-to-understand guidance, the document said.
Difficulties also include appointing Data Protection Officers (DPOs) with the required expertise.
The development of digital regulations requires better cooperation across various regulatory fields such as competition law, consumer law, digital market rules, electronic communications, and cybersecurity, the document stated.
[Edited by Eliza Gkritsi/Zoran Radosavljevic]
Read more with Euractiv
Von der Leyen gives nod to €100 billion 'CERN for AI' proposal
Re-elected European Commission President Ursula von der Leyen’s political guidelines addressed calls for huge artificial intelligence (AI) research investments under the “CERN for AI” banner, but proponents and critics say the plan is lacking crucial details.
English (US)