Last month, the European Commission concluded that GDPR had been an “overall success” since its implementation two years ago, which I’m sure was a huge relief to a number of companies that have had to deal with the data privacy headaches over the last couples of years.
Given the huge investment of resource from Member States, it might prove sensible to put on the brakes slightly as realistically, it’s just too early to tell whether GDPR has been a success.
Measuring success
Yes, there have been a number of successes and the principles of GDPR are now being exported to a number of different countries around the world, which clearly demonstrates their merit or at least popularity with regulators. However, as the Commission does acknowledge, there are still a number of actions that need to be ironed out and improved.
As highlighted in the report, there is the need for the proper allocation of resources for data protection authorities in Member States, the need to take further action on the harmonized enforcement of GDPR, the need to implement more codes of conduct and there also needs to be a clearer understanding and close monitoring of the application of GDPR to new technologies – especially as we see the increasing use of both facial recognition and AI across Europe.
However, there are still some obvious issues missing here and, whilst the report has brought forward a number of sensible conclusions, and many will be particularly relieved with suggestions to update standard contractual clauses, more needs to be done and a number of questions still need to be asked.
Is GDPR really helping improve data privacy compliance?
The introduction of the GPDR brought with it a large burden of accountability and heavy documentation requirements, which often lead to heavy compliance plans for businesses. This huge surge in compliance and documentation in particular has driven businesses to employ large teams of people often engaged in drafting and updating documents.
Data Protection Impact Assessments seem sensible for high risk processes, but it is not clear that the need for legitimate interest impact assessments, records of processing, appropriate policy documents and exemption forms are really driving positive change rather than a focus on paper pushing.
Is the approach to enforcement working?
The Data Protection Authorities ‘risk-based’ approach to enforcement is pragmatic, but will often leave companies unsure as to what exactly they are supposed to do. The authorities (and some are clearly better at this than others) need to give far more pragmatic guidance and examples, and codes of conduct are just taking too long to materialize. There cannot be a blanket approach to guidance either; this needs to be done on a sector by sector basis.
Do people understand their data rights?
Whilst individuals have become far more aware of their privacy rights as well as the principles of GDPR, it’s still not clear that the new data subject rights brought in by GDPR have all been successful. In practice, data subjects are routinely annoyed since they think that rights like “the right to be forgotten” are absolute and there has been little take-up in reality of the right to data portability which was hailed, pre-GDPR as potentially transformative.
Do multi-jurisdictional companies have a clear set of guidelines?
There is a significant lack of harmonization between jurisdictions (on quite fundamental principles in GDPR) that has created a number of problems for companies acting across multiple jurisdictions. For example, last year there were a number of differing views issued by data protection authorities on cookie compliance, including contrasting views on whether emails need to be included in data subject access requests.
There have also been a number of different exemptions put forward (in areas such as media and employment) which clearly show that GDPR is far from the “one set of rules” as the report claims.
Room for improvement
GDPR is a work in progress and it is perhaps simply too early to tell whether it is a success or failure. What is clear is that there are a number of issues that still exist, some of which were highlighted in the report and others that were not.
The European Commission need an honest dialogue on GDPR’s strengths and weaknesses. To keep regulation fit for purpose, a number of changes still need to be made and clarity over guidance (particularly between jurisdictions) needs to be ironed out. GDPR could certainly be a success story, but we simply are not quite there just yet.