The GDPR has successfully met its main objectives but work still needs to be done to improve cross-border investigations, increase regulator resources and address fragmented approaches across the EU, according to the European Commission.
The review of the data protection legislation two years on highlights several areas for improvement.
One of the most pressing is the need for harmonization across the region. This is because, although the regulation must be applied across the board, it allows for member states to legislate in some areas and provide specificity in others.
This has led to the “extensive use of facultative specification clauses,” which has made for differences in areas such as the age of children’s consent across different countries, the report claimed.
This could create problems for cross-border business and innovation, especially in tech and cybersecurity innovation, the Commission said.
“A specific challenge for national legislation is the reconciliation of the right to the protection of personal data with freedom of expression and information, and the proper balancing of these rights,” it argued.
“Some national legislations lay down the principle of precedence of freedom of expression, whilst others lay down the precedence of the protection of personal data and exempt the application of data protection rules only in specific situations, such as where a person with public status is concerned.”
Other areas that need continued work include the more efficient handling of cross-border cases and the disparity in “human, financial and technical” resources between many regulators.
This echoes a report issued in April by web browser firm Brave, which claimed that regulators are unable to match the financial might of technology giants like Google and Facebook, which puts them at a distinct disadvantage in investigations.
Only five of Europe’s 28 GDPR regulators have over 10 tech specialists, while half have budgets of under €5m. The UK’s ICO, which is the largest and most expensive watchdog to run, has only 3% of its 680 staff focused on tech issues, the report claimed.
Stewart Room, global head of data protection and cybersecurity at DWF, took issue with the Commission’s claim that GDPR has “successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU.”
“A key problem to note is that there is an absence of such evidence on data protection performance levels under the previous legal regime (the 1995 Directive), so, therefore, there isn't a benchmark available to substantiate progress made under the GDPR,” he argued.
“In contrast, reports of personal data security breaches have not run dry, there are still structural problems in the AdTech environment and with the ceaseless progression of developments in technology, such as facial recognition and AI, there have to be doubts about the ability of the law and the regulatory system to keep up speed.”