The EU Council of Ministers considers the data protection framework a ‘success’ and does not call for reopening the legislation, but for a comprehensive evaluation next year.
Marking five years since the EU General Data Protection Regulation (GDPR) entered into application, the Council’s position on the status of the data protection law, seen by Euractiv, was adopted by the Committee of Permanent Representatives on Thursday (23 November).
“The GDPR continues to be a success. The Regulation has led to positive outcomes for the harmonisation of EU law and the strengthening of a data protection culture at EU and global level,” the Council’s position states.
While recognising the GDPR’s successes in enhancing trust and legal certainty, the Council points out several ‘practical implementation challenges’ for private and public entities and calls for further clarifications and a strategy for future data adequacy decisions.
However, the European governments have invited the Commission to conduct “an overarching and comprehensive evaluation” of the application and functioning of the data protection law in the review report that the EU executive is due to publish next year.
In its review, the Commission is set to consider the findings of the EU Council, Parliament and any other relevant body.
The member states’ position underlines how data protection is a ‘vital component’ of responsible innovation and that the technology-neutral approach of the GDPR allowed it to adapt to the challenges posed by the evolution of technologies.
According to the Council, the number of complaints that have been filed in the past five years indicates that the GDPR effectively resulted in people exercising their data protection rights, stressing that the national authorities’ capacity to follow up on these requests remains a critical aspect to ensure the consistent application of the law.
The Council remarks that private organisations processing personal data have progressively increased their compliance efforts. At the same time, the GDPR’s one-stop-shop mechanism has led to greater legal certainty for companies and a level playing field across the EU.
However, the findings point out that the GDPR has led to a significant additional burden on SMEs, particularly regarding data processing that entails a low level of risk.
In this context, member states call for practical tools like templates and model information clauses to facilitate compliance by small organisations. At the same time, the document notes that other compliance tools like certification and codes of conduct would be further explored.
The Council said that the GDPR has led to complex processes and difficulties of interpretation, notably when public bodies exchange data among themselves.
Member states point out that the compliance process is particularly burdensome for local authorities, which also have a hard time appointing data protection officers, and urge data protection authorities to develop practical tools and guidance in this sense.
For the European governments, the right of access under the GDPR and the legal basis for data processing activities made necessary for complying with legal obligations under EU law have led to legal uncertainty for public bodies.
Specific data processing
For the Council, the past five years have allowed the identification of specific processing activities or related GDPR provisions that may benefit from further clarification and guidance to ensure coherent implementation, such as the processing of minors’ personal data.
The EU countries also want more clarity around the conditions under which personal data can be processed for research and archiving purposes and to further elaborate the concepts of anonymisation and pseudonymisation.
The Council further highlights the risks of using personal data for the profiling and scoring of individuals, hence calling for an assessment of whether the current legal framework and its application are effective or whether further guidance is needed “to clearly limit profiling and scoring activities”.
The member states dub the establishment of the Board and its related procedures to ensure a consistent application of the GDPR as a ‘positive achievement’ but note that effective enforcement, including on large-scale data controllers, is essential to ensure the protection of personal data.
The Council points to the need for enforcement improvements but remains generic, merely mentioning the Commission’s proposal to harmonise administrative procedures.
At the international level, the EU countries noted that data adequacy decisions have been instrumental in positioning the GDPR as the global benchmark for data protection.
“In this regard, the Council invites the European Commission to increase the transparency of its assessment process and present a comprehensive and coherent strategy for future adequacy decisions, which should also explore opportunities for and benefits of sectorial or sub-national adequacy decisions,” the text continues.
While recognising the usefulness of transfer tools like standard contractual clauses, the member states encourage exploring other options like codes of conduct, certifications and binding corporate rules.
Concerning the margins left for national legislation to define frameworks for specific data processing activities, such as the right of public access to official documents, the Council’s position is that they have proved to be an effective approach.
Since the GDPR came into force, the EU has passed several important new digital laws like the Digital Markets Act, Digital Services Act, Data Governance Act, Data Act and the upcoming AI Act. The Council is calling on the Board to clarify the interlinks with the GDPR.
[Edited by Nathalie Weatherald]