If you were asked which of the 99 Articles of the EU General Data Protection Regulation is having the greatest impact on privacy and data protection, which one might you choose? Certainly, Article 3 on territorial scope would be a good choice. Article 6 on lawfulness of processing would also be a strong pick. A case could also be made for any of the articles in Chapter 3 on rights of the data subject.
I might actually consider one of the GDPRâ€™s final provisions, Article 97, as perhaps the most consequential for the future of privacy and data protection in Europe and around the world. This article has already prompted member states, supervisory authorities and other European institutions to deeply reflect upon the problems, obstacles and hindrances to the GDPRâ€™s implementation and share and discuss their observations and experiences with its application since it came into force last year.
So, where do things stand in the Article 97 process to date? Let’s focus on comments recently submitted by member state delegations regarding their ongoing review and evaluation of the GDPR.
Preparing for the GDPRâ€™s Article 97 review
Article 97 instructs the European Commission, by May 25, 2020, and once again every four years thereafter, to â€œsubmit a report on the evaluation and review of this Regulation to the European Parliament and the Council.â€� At a minimum, these reports should examine â€œthe application and functioningâ€� of Chapter 4 on transfers of personal data to third countries or international organizations and Chapter 7 on cooperation and consistency mechanisms. What makes this review process so critical is that it may serve as an impetus for the commission to â€œsubmit appropriate proposals to amendâ€� the GDPR.
European authorities have already begun preparing for their first review of the application of the GDPR. Back in July, the Finnish Presidency issued a note to the delegations that contained a plan for its preparation of the European Councilâ€™s position on the GDPR evaluation. In particular, the presidency â€œwelcome[d] all observations from the delegations with respect to the review and evaluation of the GDPR.â€� Following the Sept. 3 DAPIX Working Party meeting, which brought together experts from each member state, delegations were asked to submit in writing their observations on the experiences obtained from the application of the GDPR, along with their initial positions on and recommendations for items to be included in the councilâ€™s report. Most recently, on Oct. 9, the council released a note to the delegations containing such comments from 19 member states.
The following sections highlight some of the key issues raised in the comments made by member state delegations about the GDPR. It focuses on areas where they have seen conflict arise, questions around which they would like greater clarity, and recommendations for what they believe should be done to address these issues.
It is also worth noting that some member states insisted that the review not be limited to the two topics mentioned in Article 97(2) (personal data transfers and cooperation/consistency), while others maintained that it is still too early to draw conclusions for a review of the GDPR.
Areas of confusion, inconsistency and fragmentation
For most, implementing the GDPR has been anything but simple, easy or straightforward. Along these lines, multiple member states submitted comments pointing to the uncertainty, confusion and fragmentation that persists around the GDPRâ€™s application. For its part, Germany admitted that â€œsome businesses and government agencies have said they feel overwhelmed following the GDPRâ€™s entry into application,â€� while â€œ[s]ome users have felt considerable uncertainty [and] been very confusedâ€� by seemingly new instruments created by the GDPR, such as records of processing activities and data protection officers.
To alleviate some of these ambiguities, the Czech Republic suggested that real cases of best practice, as well as cases of bad practice, could be published online for the benefit of other member states. It pointed to several issues in which best practices are needed, including conflict of interests of DPOs, professional qualifications of DPOs, the roles of controller and processor, transparency obligations to data subjects where data has been obtained from public sources, and additional identification pursuant to Article 11.
One of the biggest areas in which fragmentation has affected GDPR implementation has been in the protection of childrenâ€™s data. Namely, Ireland described the GDPRâ€™s approach to the protection of children as â€œfragmented and disjointed.â€� While references to protections for children can be found in various recitals (38, 58, 65, 71, and 75) and articles (6.1(f), 8, 12, 40, and 57), they are like â€œa jigsaw puzzleâ€� and â€œdo not provide a coherent picture.â€� France also pointed out that childrenâ€™s consent in Article 8, which leaves discretion to member states regarding the age of consent of minors, â€œis likely to cause implementation difficultiesâ€� and that assessing whether this needs to be revised should be a priority. In a similar vein, the Netherlands pushed for â€œonly one uniform age of consentâ€� to apply throughout the entire EU, as the current situation â€œleads to a problematic lack of legal certainty for all parties concerned; parents, children and controllers alike.â€�
Furthermore, the Czech Republic noted that, if the European Data Protection Board were to issue its own, even non-exhaustive, list of processing operations subject to or exempted from impact assessments, it would â€œcontribute to much more uniform and consistent application of the GDPR.â€� Germany also urged DPAs to harmonize their practice of interpretation more closely regarding risky processing operations and data protection impact assessments.
Member states made numerous comments about the effectiveness of and expectations placed upon supervisory authorities. On the bright side, member states drew attention to the effectiveness of the cooperation efforts between SAs. Latvia, for example, noted that several complaints by data subjects have been resolved successfully through the cooperation of the Latvian and Lithuanian SAs.
Others, meanwhile, focused on the shortcomings in the work done by SAs. For example, Germany noted that businesses would like â€œfaster and more concrete assistance from the data protection authorities,â€� while â€œ[d]ata subjects would like more advice and faster processing of their requests.â€� Germany also asked for transparent criteria for SAs regarding the issuance of fines â€œin order to ensure comparability and uniform enforcement.â€� France called for â€œnational disparities which hinder cooperation for supervisory authoritiesâ€� to be â€œexamined and removed.â€� Lithuania raised a question as to whether an appeal judgment in a national court in one jurisdiction would be legally binding on the lead SA in another jurisdiction.
Finding that a large number of data subjects make complaints to SAs after they are notified of a data breach via Article 33, Bulgaria stated that â€œdifficulties arise in handling complaints on the same issue.â€� Bulgaria noted that â€œthe obligation to handle complaints [vis-Ã -vis Article 77] itself obstructs the work of the data protection authority.â€� Bulgaria also noted that while Article 57, Paragraph 4 considered the excessiveness of a request to the SA is hinged on the repetitiveness of requests arising from a single data subject, it does not consider excessiveness in the sense of â€œmultiple identical requests made by a large number of data subjects â€¦ regarding the same case.â€� Germany also pointed out that â€œdata protection authorities are most likely overwhelmed by the massive volume of reportsâ€� in accordance with Article 33, of which there were 89,000 in the EU by April 2019.
Transfers of personal data
Most member states that commented on adequacy decisions offered positive reflections. Yet, a common criticism was that they â€œremain underused.â€�
To address this problem, Germany urged the commission to â€œkeep up its efforts to bring about additional adequacy decisions and to expand the existing ones to additional areas and sectors.â€� The Netherlands submitted a list of countries, suggested by Dutch trade organizations, as potential future candidates for an adequacy finding. These included Singapore, Colombia, Mexico, South Africa, Serbia and Dubai International Financial Centre, as well as all countries that have ratified and implemented the modernized Convention 108+.
Regarding codes of conduct, Belgium explained that â€œthere is a clear interest from various stakeholders to make useâ€� of them, but there is a reluctance to do so â€œdue to a lack of clear guidelines.â€� Bulgaria referred to codes of conduct as â€œan extremely useful and practically oriented voluntary accountability toolâ€� but one that is â€œwidely regarded as a form of indulgence that impedes the powers of the supervisory authority.â€� The Netherlands cast doubt on the validity of the interpretation of codes of conduct provided in the EDPBâ€™s recently adopted guidelines, arguing that the text of the GDPR should be clarified on this topic. In addition, the Netherlands stated that the institution of a monitoring body for codes of conduct should be optional, as it would likely act as a disincentive by introducing additional costs into the process.
Lithuania remarked that Recital 81 states standard contractual clauses may be adopted by SAs only after approval by the commission, a situation that â€œcreates legal uncertainty as to the mandatory nature of such procedure.â€� To remedy this, Lithuania recommended to consider whether this power of the commission be explicitly included in Article 28(8).
Finally, on binding corporate rules, â€œwhile a useful and necessary subsidiary mechanism,â€� Belgium argued that their use â€œalso runs counter to the harmonization objectives of the GDPR.â€�
To recap, Article 97(4) of the GDPR requires the commission to â€œtake into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sourcesâ€� while conducting its evaluation and review of the GDPR. In particular, the Council expects the Commission to request information from the Member States on three issues:
- the use of adequacy decisions;
- the independence and resources of DPAs, including about â€œtheir capacity to exercise their powers provided by the GDPR and to comply with their obligations in the context [of] the cooperation and consistency mechanismsâ€�; and
- verification of the effectiveness of the â€œcoherent interpretation and application of the GDPR throughout the EU by the cooperation and consistency mechanism provided by the GDPR.â€�
So, what are the next steps for the first Article 97 evaluation and review of the GDPR?
For starters, the DAPIX meeting scheduled for Oct. 21 will allow the delegations to discuss a draft report that lays out the observations on the GDPR made by the member states. The Finnish Presidency aims to adopt the final version of the report, in the form of an outcome of the proceedings, by the end of the year.
Whether substantive amendments to the GDPR will result from this review process remains to be seen, but it should not be ruled out. Indeed, several developments in information technology and information society â€” including growth in the data power of large tech companies, big data analytics and profiling, the potential for price discrimination, and blockchain applications â€” could pose a future challenge to the law. As the Netherlands put it direly, if the EU waits for these developments to materialize before amending the GDPR, â€œthere is a risk that the proverbial genie will be out of the bottle and these amendment[s] will turn out to be too little, too late.â€�
Above all, what these comments illustrate is that the GDPR is anything but settled law. For privacy professionals, it will be important to follow the Article 97 process until May 25, 2020, as the commission prepares its first report on the evaluation and review of the GDPR.