On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).
Article 97 of the GDPR requires the European Commission to submit, by May 25, 2020, and every four years thereafter, a report on the evaluation and review of the GDPR to the European Parliament and to the Council of the EU. In its report, the European Commission shall examine, in particular, the application and functioning of (1) the international data transfer tools and (2) the cooperation and consistency mechanisms under the GDPR. In order to prepare its report, the European Commission may request information from DPAs.
Against that background, the European Commission sent a Questionnaire on the Evaluation of the GDPR to national DPAs. The Contribution summarizes the responses of the DPAs within the EDPB to the Commission’s questions and conveys general policy messages from the EDPB on the application of the GDPR. It also provides key statistics relating to the cooperation and consistency mechanisms, the human and financial resources of DPAs, enforcement of the GDPR and data breach notifications at the national level.
Key takeaways and statistics from the Contribution include:
International Data Transfer Tools
- Adequacy decisions. The EDPB welcomes the interest of third countries in engaging with the EU in the context of an adequacy decision. In this respect, the EDPB emphasizes that the adequacy decision on Japan adopted under the GDPR is an important precedent that should be taken into account to adjust the practice for future adequacy decisions and the review of existing ones. In the context of that adequacy decision, the assessment of the legislation of the third country was combined with specifically negotiated additional rules only applicable for transfers between the EU and this third country. The EDPB encourages the European Commission to ensure that an architecture of adequacy, relying on such additional rules, will be “a sustainable and reliable system that will not raise practical issues regarding the concrete and efficient compliance by foreign entities and enforcement by the third country data protection authority.” The EDPB further invites the European Commission to regularly monitor the binding nature and effective application of those rules in the third country.
- Standard Contractual Clauses (“SCCs”). The EDPB stresses the urgent need for the European Commission to update the existing SCCs in light of the GDPR, and to draft additional SCCs to cover new data transfer scenarios such as those occurring in a processor-to-processor relationship or transfers of personal data from a data processor in the European Economic Area (“EEA”) to a data controller outside the EEA.
Cooperation Mechanism
Between May 25, 2018, and December 31, 2019:
- 1,346 procedures were initiated to identify the lead DPA and the concerned DPAs in a preliminary phase to enable DPAs to cooperate even before the formal One-Stop-Shop procedure is triggered. All DPAs have been identified at least once as a lead DPA or a concerned DPA.
- 807 cross-border cases have been registered in a central database called Internal Market Information (“IMI”) Case register, from which all cooperation and consistency procedures can be initiated, including one-stop-shop procedures.
- Lead DPAs issued 141 draft decisions to the concerned DPAs for their opinion, which triggered the formal One-Stop-Shop procedure. In most cases, none of the other DPAs concerned objected to the draft decision submitted by the lead DPA and the draft decision resulted in a final decision.
However, the DPAs have identified the following challenges when implementing the one-stop-shop procedures:
- differences in the national administrative procedures (differences in complaint-handling procedures, positions of the parties in the proceedings, admissibility criteria, duration of the proceedings, deadlines, possibility of sharing confidential information with other DPAs, concrete consultation of the concerned DPAs on draft measures, etc.);
- differences in the interpretation of several concepts relating to the cooperation mechanism (e.g., “relevant information,” “without delay,” “draft decision,” “amicable settlements”); and
- different approaches of the lead DPAs regarding the start of the cooperation procedure, the timing of involvement of concerned DPAs and the communication of relevant information to them.
The EDPB is examining possible solutions to overcome these challenges and to improve existing cooperation procedures. It also calls upon the European Commission to check if national procedures impact the effectiveness of the cooperation procedures and considers that, eventually, national legislators may also have a role to play in ensuring further harmonization.
In addition, DPAs have triggered 115 Mutual Assistance procedures under Article 61 of the GDPR and launched 2,427 procedures to assist each other on a voluntary basis.
No joint operation procedure has been yet triggered by DPAs. However, several DPAs are considering starting this type of cooperation in 2020.
Consistency Mechanism
Between May 25, 2018, and December 31, 2019, the EDPB adopted consistency opinions, including:
- 31 opinions regarding the national lists of processing subject to a data protection impact assessment (DPIA);
- Two positive opinions on Binding Corporate Rules (“BCRs”), while more than 40 BCRs are in the pipeline for approval, half of which could be expected to be approved by the end of 2020;
- Two opinions on the draft accreditation requirements for a code of conduct monitoring body pursuant to Article 41 of the GDPR; and
- One opinion on draft SCCs between data controllers and data processors according to Article 28(8) of the GDPR.
Budget and Human Resources of DPAs
- The EDPB notes that the effective application of the GDPR and the success of the one-stop-shop mechanism is largely dependent on the time and resources that DPAs have at their disposal. However, most of the DPAs explicitly stated that they do not have enough resources, with only nine stating that they do not see the need for further resources at this stage.
- Most DPAs also stated that they are not properly equipped to contribute to the cooperation and consistency mechanisms.
Enforcement of the GDPR at the National Level
- Between May 25, 2018, and December 31, 2019, 30 EU/EEA DPAs received approximately 275,557 complaints in total.
- DPAs made use of a wide range of corrective measures, i.e., administrative fines, but also warnings and reprimands. Regarding administrative fines, 22 EU/EEA DPAs made use of this corrective power, issuing approximately 785 fines altogether. Only eight DPAs have not imposed any administrative fines yet, although most of them have ongoing proceedings that might lead to an administrative fine in the near future.
- The circumstances that are most frequently taken into account when imposing administrative fines are: (1) the degree of cooperation with the DPAs; (2) whether the infringement had a systematic / repetitive nature; (3) whether the action was intentional, (4) the measures taken by the data controller to remedy the problem or to avoid future infringements; (5) the nature and duration of the infringement; (6) whether relevant previous infringements were made by the same data controller; (7) the nature of the data controller (e.g., a professional in the industry, an entity under great public attention); (8) the categories of personal data affected, and (9) the number of affected individuals.
Data Breach Notifications
- 160,040 personal data breaches were notified to 29 EU/EEA DPAs.
The Contribution concludes that the application of the GDPR in this first year and a half has been successful and it is premature to revise it at this point in time. Instead, the EDPB calls on the EU legislator to intensify efforts to adopt the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as the “Draft ePrivacy Regulation.”
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code