The Council of the EU is ready to adopt its position on the review of the General Data Protection Regulation (GDPR). The text was approved following a silence procedure launched on 6 December 2019 and is expected to be formally adopted, without discussion, in the coming days, possibly at the Ecofin Council on 21 January, according to a European source.
The Commission must submit a report to the European Parliament and the EU Council on the evaluation and review of the Regulation by 25 May 2020, taking into account the positions of the co-legislators. The GDPR Regulation provides that this evaluation should, in particular, cover the application and functioning of Chapter V on the transfer of personal data to non-Member States, as well as Chapter VII on cooperation and coherence.
Nevertheless, as already suggested by the first written comments submitted by Member States in October (see EUROPE 12349/16), the EU Council asks the Commission to adopt an “overview” in its review and to go beyond these two chapters.
While the final text, dated 15 January, acknowledges that the GDPR Regulation has been a “success”, it identifies a number of implementation and interpretation issues of particular concern to Member States, including enhanced cooperation between supervisory authorities.
The question of the adequacy of the resources of national supervisory authorities and the European Data Protection Board (EDPB) should definitely be addressed in the review by the Commission, the EU Council points out.
It also highlights the risk of fragmentation of legislation due to the margin of manoeuvre left to national legislators to maintain or introduce more specific provisions in order to adapt the application of certain rules. While the EU Council considers that this room for manoeuvre remains justified, it nevertheless considers that its evolution should be closely monitored.
Indeed, in their written comments, several countries, notably France and Ireland, considered that the discretionary power left to Member States regarding the age of consent of minors (Article 8), to be set between 13 and 16 years of age, has led to legal uncertainty and fragmentation of the EU digital market.
The text furthermore mentions new obligations and increased workload for SMEs, difficulties in determining or applying appropriate safeguards in the absence of an adequacy decision and measures to be taken by supervisory authorities to deal with situations where data controllers established in non-Member States do not appoint a representative in the EU.
Another area of concern is new technologies. The EU Council asks the Commission to clarify as soon as possible how the GDPR Regulation applies to new technologies, such as artificial intelligence, facial recognition, blockchain technology or new types of profiling. While noting that some emerging technologies can also be assets to enhance the privacy of European citizens, it recommends that their development be closely monitored.
Finally, the EU Council underlines that the GDPR Regulation has only been applied since May 2018. Thus, it believes that most of the issues identified by Member States will benefit from more experience in applying the Regulation over the next few years. Additional guidance from the European Data Protection Board (EDPB) could also help to resolve some issues, according to the institution.
See text: https://bit.ly/2NxsjW4 (Original version in French by Marion Fontana)