EU: Commission publishes second report on application of GDPR
On July 25, 2024, the European Commission published the Second Report on the application of the General Data Protection Regulation (GDPR).
In particular, the report highlighted a significant uptick in enforcement activity by data protection authorities in recent years, including landmark fines for:
- the infringement of the lawfulness and security of processing;
- the infringement of processing of special categories of personal data; and
- the failure to comply with individuals' rights.
Regarding data protection authorities, the report noted their increased resources in terms of budget and staff. However, data protection authorities were noted to struggle with handling high numbers of consumer complaints and to adopt divergent interpretations of the GDPR. The report detailed the fragmented application of the GDPR in areas such as the minimum age for a child's consent, the introduction of further conditions for processing genetic data, biometric data, and health data, and the processing of personal data relating to criminal convictions and offenses.
On data subject rights, the report provided that the right of access is the right most frequently exercised by data subjects, though challenges remain in interpreting when requests are unfounded or excessive. The report also noted the increased use of the right to data portability, which was facilitated by the requirement under the Digital Markets Act (DMA) for 'gatekeepers' to provide effective portability of users' data. On the exercise of data subjects' rights by children, the report considered that children did not fully understand their rights.
The report further addressed the data protection challenges faced by small and medium-sized enterprises (SMEs). These include the role of a Data Protection Officer (DPO), where SMEs have faced challenges including:
- appointment of DPOs with requisite experience;
- lack of EU-wide standards for education and training;
- failing to adequately integrate DPOs;
- lack of resources;
- other tasks outside data protection; and
- insufficient seniority.
Notably, the report considers the data transfer landscape, providing that adequacy decisions in particular have facilitated data flows. The report noted that adequacy decisions adopted by the Commission are increasingly relevant since jurisdictions with adequate status are recognized by other jurisdictions as safe destinations under their own data protection rules. Although the report acknowledges that data exporters are struggling with transfer impact assessments, the EU standard contractual clauses (SCC) and binding corporate rules (BCR) are still widely used. The adoption of model clauses by other jurisdictions has also increased the scale of cross-border data flows.
Concluding recommendations
The report considers that to ensure strong protection for individuals and ensure the free flow of personal data within and outside the EU, there is a need to focus on, among other things:
- proactive support by data protection authorities in compliance efforts;
- consistent application of the GDPR across the EU;
- effective cooperation between data protection authorities;
- establishing cooperation with sectoral regulators on issues with an impact on data protection; and
- implementing efficient and targeted working arrangements for guidelines, opinions, and decisions, and prioritizing key issues to reduce the burden on data protection authorities.
You can read the report here.