Every four years, the European Commission evaluates the Data Protection Regulation (GDPR). The first report has now been presented. In this, the Commission states that Europe needs the acquis to be applied uniformly. This will help smaller companies and facilitate international data exchange. "It is welcome that the coming measures reflect what the business community has demanded and proposed," commented Carolina Brånby, policy manager.
In spite of all the criticism the GDPR has attracted, the Commission believes that the overall reform has been positive for Europe. The legislation has given citizens greater control over how their personal data is used, and the initial evaluation report does not propose any changes to the GDPR. Despite difficulties in interpreting and applying GDPR, both the Confederation of Swedish Enterprise and BusinessEurope agree that any revision after only two years into its application would be premature. However, there are many other measures that do need to be taken. Among other things, a great deal of work remains to be done in order to harmonise its application in the EU, facilitate corporate compliance and secure international data transfer. Most of the business proposals put forward have been taken into account in the 42 measures to be implemented by Member States, data protection authorities, the European Data Protection Agency (EDPB) and the Commission.
Companies operating in a number of Member States have experienced considerable frustration over differences in interpretation and implementation of the GDPR and in complementary national laws and regulations. Member States and data protection authorities are now urged to improve their coordination and ensure correct and harmonised application of data protection rules. The European Data Protection Board (EDPB) has been invited to produce simple and easy-to-understand guidelines, something that companies have long sought.
The application of the GDPR is a challenge, particularly for SMEs. The handling of personal data uses a risk-based assessment and therefore the Commission considers that it cannot provide exemptions for SMEs; company size is not in itself an indication of the risks that processing personal data can create for individuals. However, several data protection authorities have provided practical tools for SMEs. The assistance consisted of templates for processing contracts, records for processing activities, seminars and hotlines for consultation. In future, all data protection authorities in the internal market will be offered further assistance.
Brexit means that data transfers to the UK should be treated as transfers to third countries. The Commission is in the process of making its own assessment, in order to hopefully make an adequacy decision that will allow legal transfer, like Privacy Shield with the US and Japan. The Commission has also begun working on modernising its Standard Contract Clauses (SCC) and the possible effects of the forthcoming judgment, on 16 July, in the Schrems II case. The process for approving Binding Corporate Rules (BCR) will be streamlined, and the work on conduct codes and certification mechanisms as tools for data transfers will be finalised by the EDPB.
Many of the Commission's evaluation proposals are in line with the measures and needs outlined in the report "What's wrong with the GDPR?" However, in the opinion of the Confederation of Swedish Enterprise, these lack two very important measures. The first is an initiative on a supplementary EU regulatory framework regarding the processing of personal data relating to criminal convictions and offences. Today, in Sweden, this kind of processing needs to be authorised case by case by the data protection authority Datainspektionen. Instead, such processing should be authorised by Union law, so that entities can process relevant personal data in order to follow international rules for combating serious crime and corruption within Europe, and so that European companies exporting to third countries can do the same. In addition, the business community is demanding a harmonised regulatory framework for regulatory sandboxes, in order to enable personal data use in a closed environment for research and development. In its evaluation, the Commission stated that it will request the EDPB to develop guidelines and opinions to encourage research, AI and data use. The question is whether it will be enough to meet the challenges of the future and to strengthen Europe's competitiveness. A clearly harmonised regulatory framework that enables innovation offers major benefits for research and development, start-ups and investors.