European Commission publishes second report on application of GDPR

Since the first report, the EU has introduced further initiatives, including in response to new technologies, to empower individuals. The focus going forward is on supporting stakeholders’ compliance efforts, including by providing clearer and more actionable guidance from data protection authorities, and a more consistent interpretation and enforcement of the GDPR across the EU.

The Second Report identifies a number of actions necessary to support the effective application of the GDPR, including those listed below.

• Consistent interpretation and application of GDPR: data protection authorities (‘DPAs’) are currently taking different views on the application of key concepts in the GDPR, for example in relation to the legal basis for processing personal data as part of a clinical trial and the situations in which an entity is a controller or processor. Stakeholders have identified this difference in interpretation as one of the main obstacles in a consistent application of the GDPR.

• Increased resources for DPAs: although statistics suggest that DPAs have grown in size, the DPAs themselves consider that they still lack sufficient staff with the specialised technical skills and knowledge to deal with the privacy issues arising out of new technologies. DPAs have noted that their staff spend too much of their time dealing with trivial consumer complaints and not enough time on public awareness campaigns, investigations or collaborations with controllers, for example.

• Investigatory tools for DPAs: the Second Report notes that since 2020, DPAs have made extensive use of their corrective powers under the GDPR, in particular to impose fines. Warnings, reprimands and orders to comply with the GDPR were the most commonly used corrective measures by DPAs after fines. The Second Report suggests that DPAs should continue to be given investigatory tools by Member States to effectively exercise the enforcement powers provided to them by the GDPR.

• Adoption of practical guidelines: stakeholders have found the EDPB’s guidelines helpful but note that they do not always reflect the GDPR’s risk-based approach. The Second Report states that DPAs should work with the EDPB to develop concise and practical guidelines which are also accessible to individuals with no legal training.

• Innovative ways for data subjects to exercise their rights: the Second Report has found that data subjects are increasingly aware of, and able to exercise, their rights (in particular, the right of erasure). Legislation, such as the Data Governance Act, is intended to drive innovative ways for data subjects to exercise their rights. The Second Report also stresses the importance of continuing to raise awareness of data protection rights and obligations among data subjects, especially children, given their increased presence online in recent years.

• International data transfers: with regard to transfer impact assessments, the Second Report notes that it is important that the EDPB - building on its experience in applying the Schrems II requirements - considers exploring ways/tools to further assist data exporters in their compliance efforts in this context. To complement the existing SCCs, the Commission is developing additional sets of clauses to provide EU data exporters with a comprehensive and coherent package, including for transfers to third country data importers whose processing operations are directly subject to the GDPR.

You can view the second report on the application of GDPR here. 

Read the 2020 report on the application of GDPR here.