On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework.  In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes several ongoing and planned initiatives.  The report is a follow-up to a prior report issued in January 2018, and was informed to a great extent by the ongoing work of the Multi-stakeholder Group, which is comprised of civil society and business representatives, academics and practitioners, to support the application of the GDPR.  The report will contribute to the Commission’s formal 2-year review of the GDPR to take place in May 2020.

Member States

The Commission emphasizes the success of the GDPR in harmonizing data protection rules across Europe to provide greater legal certainty for individuals and businesses.  This has required the active participation of EU Member States to enact national data protection laws that allocate the necessary powers and resources to their supervisory authorities, specify rules in certain areas, and amend or repeal other national legislation impacted by the GDPR.  While the Commission generally praises the work of the Member States in this regard, it notes that three countries (Greece, Portugal and Slovenia) have yet to pass a post-GDPR national data protection law, and the harmonization of national legislation remains a work in progress across most Member States.  The Commission also acknowledges some developments detrimental to achieving a uniform approach across the EU (e.g., Germany’s stricter requirements for data protection officers) and encourages Member States to take steps to ensure greater harmonization.  Although the GDPR has led to a more consistent set of EU data protection rules, frustratingly for industry, some significant Member State divergences over the interpretation and application of these rules persists.

Supervisory Authorities

In a similar vein, the Commission praises the work of the Member State supervisory authorities, who in its view have exercised their new enforcement powers in a balanced manner that values dialogue over sanctions.  However, the Commission would like to see further cooperation among the supervisory authorities, including alignment with the work of the European Data Protection Board (“EDPB”), enhancing the means for stakeholders to inform the work of the EDPB, and greater efforts to support parties who may lack data protection knowledge or resources (e.g., small and medium-sized businesses).  In this vein, it has been reported that certain Member State supervisory authorities have been critical of the UK Information Commissioner’s failure to consult prior to announcing its statement of intent to impose significant fines upon British Airways and Marriott International, Inc.

Individual rights and businesses’ compliance efforts

The Commission further notes that individuals are showing a greater awareness of their privacy rights under the GDPR and a willingness to exercise those rights.  Nevertheless, efforts in this area should continue to enhance individual participation and prevent any misunderstandings or misinformation about privacy rights.

The Commission also applauds the efforts of businesses to comply with the GDPR, which has undeniably resulted in challenges for some, but has also created a timely opportunity for organizations to enhance internal privacy and data security practices, as well as develop privacy-friendly services.  The Commission also mentions the various tools in the GDPR enabling businesses to demonstrate compliance, including standard contractual clauses, codes of conduct, and GDPR certification.  The Commission indicates it will work with stakeholders to maximize the value of these tools by updating the existing clauses and supporting certification schemes in line with the recently adopted EDPB guidelines.  The Commission also voices its support for related tools available under the GDPR (e.g., other types of standard clauses, such as those recently submitted by the Danish supervisory authority and reviewed by the EDPB).

International cooperation

The Commission highlights what it refers to as the “upward convergence” of the GDPR at the international level, as many countries are now adopting or drafting privacy laws that echo the substance and principles of the GDPR, such as in Brazil and India, resulting in a global shift in the area of data privacy.  The Commission also notes the recent EU-Japan mutual adequacy arrangement (creating “the world’s largest area of free and safe data flows”), alludes to other forthcoming adequacy findings, indicates its desire to engage new countries and regions in adequacy discussions, and underscores its current work to update existing adequacy findings for various countries.

The Commission also states its aim to “harness the full potential” of the GDPR to enable international transfers of personal data, reiterating its intention to take action on standard contractual clauses and support the development of other transfer mechanisms.  This initiative will be important, given pending challenges before the EU courts with respect to two key transfer mechanisms, standard contractual clauses and the U.S.-EU Privacy Shield, reported here.  The Commission also mentions ongoing efforts for international cooperation to combat crime and terrorism, as well as coordination with data protection enforcement powers in other countries to facilitate cooperation and mutual assistance.

Data protection legislation across EU legal policy

Finally, the Commission notes other areas of EU policy wherein data protection rules form an integral component of the legal framework, particularly:

  • telecommunications and electronic communication services;
  • health and research;
  • artificial intelligence;
  • transport;
  • energy;
  • competition;
  • elections; and
  • law enforcement.

The Commissions concludes its report by stating that the first year of the application of the GDPR has been overall positive, but there is still work to be done in a number of areas.  This is an understatement.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.