In an interim evaluation, the European Commission concluded on Wednesday 24 July that the General Data Protection Regulation (GDPR) is generally being properly applied in the European Union, just over a year after its entry into force.
Better still, European rules could even serve as a basis for the development of a "modern and high level digital standard" internationally, said the European Commissioner for Justice, Vĕra Jourová, who presented the Commission's assessment to the European Parliament's Civil Liberties Committee (LIBE).
A basis for multilateralism
At the international level, the GDPR could establish "the EU as a regulator and prescriber of standards [...] through the conclusion of multilateral agreements", in order to promote the safe flow of data with non-Member State that share European values, the Commissioner said. "All over the world, the GDPR is recognized as a local standard", she said.
‘Adequacy clauses’ are being assessed and/or negotiated with eleven non-Member States in order to guarantee an equivalent standard, an element required by the Court of Justice of the European Union (CJEU) in the event of data transfer outside the EU.
According to the Commission's report, this "convergence of standards", which aims to facilitate secure data flows, must also take place in parallel with trade negotiations. Thus, the EU-Japan Mutual Adequacy Agreement concluded at the beginning of 2019 is described as "the best example of such synergies" for the benefit of the bilateral Free Trade Agreement (see EUROPE 12178/3).
An adequacy clause is also being finalized with the Republic of Korea and similar discussions are under way with Latin American countries renewing their legislation in this area, including Chile and Brazil.
In addition, the Commission "intends to explore the possibility of setting up multilateral frameworks", in support of a Japanese proposal, in order to encourage EU partners to adopt an equivalent level of personal data protection.
Regarding the 'Privacy Shield' between the United States and Europe, according to the Commissioner, it is "a very useful tool to ensure the protection of privacy [of European citizens' data] in the United States" in a commercial context, with more than 4,700 participating companies.
With regard to judicial cooperation, Mrs Jourová pointed out to the European Parliament's Committee on Civil Liberties (LIBE) that the "European approach (was) different" from the American "CLOUD ACT", with Europe giving greater recognition to the importance of fundamental rights (see EUROPE 12296/16). It therefore urged the LIBE Committee to take a position on the 'electronic evidence' Directive which will govern the exchange of digital data between countries in criminal proceedings, as this type of evidence is necessary for 85% of investigations (see EUROPE 12227/8).
Finally, the Commission will join in the development of an additional protocol to the Budapest Convention on Cybercrime.
"One continent, one rule"
"The GDPR can only be fully successful if we apply the legislation uniformly and ensure its rigorous application throughout the EU", stressed Vĕra Jourová, urging Greece, Portugal and Slovenia to "hurry up" in aligning their national legislation into line with EU rules.
The Commission also calls on the Member States to avoid any 'gold plating'. "It is a burden when some countries introduce inappropriate measures in certain sectors", the Commissioner said, warning that "all our tools, including infringement procedures", will be activated if necessary.
Germany requires companies with more than 20 employees processing personal data on a daily basis to designate a 'data policy officer', excluding any specific obligation clauses of the GDPR. In Hungary, the GDPR's interpretation would be hampered by media freedom.
The Commission's assessment also highlights the role of the national data protection authorities, which have dealt with 516 cases with the European Data Protection Board. The latter is invited to work towards a "European data protection culture".
An advantage for companies
According to the Commission, the application of the GDPR Regulation would provide a "competitive advantage" for businesses in terms of consumer confidence and increased safety.
The report also assesses the transparency risks associated with artificial intelligence. "People should always know what is happening" to their algorithmically processed data, the Commissioner said.
A full evaluation of the GDPR is expected in spring 2020.
To consult the preliminary report: http://bit.ly/2Y75Zde (Original version in French by Martin Molko, intern)