GDPR compliance codes on the horizon

European Commussion Flag

The European Commission is to tackle the “degree of fragmentation and diverging approaches” that persist in the application of the General Data Protection Regulation (GDPR), to simplify the cross-border processing of personal data.

Outlined in its two-year evaluation review of GDPR, launched earlier this week, the European Commission outlined the strengths of the regulation, but noted that when implementing “derogations from the general prohibition for processing special categories of personal data”, member state legislation had often followed different approaches.

To address this issue, the commission said that as a first step, it would begin to map the different approaches of member states and will, as a following step, “support the establishment of code(s) of conducts that would contribute to a more consistent approach in this area and make the cross-border processing of personal data easier”.

Commissioner for justice Didier Reynders, said: “The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant their citizens a high level of protection. We can do better though, as today’s report shows.

“For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights. The commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with member states, so that the GDPR can deliver its full potential.”

The commission said the ongoing fragmentation was due to the extensive use of “facultative specification clauses”. For example, the age children can consent to information society services varies across member states. However, national legislation should not go beyond the margins set by the GDPR or introduce additional requirements when there is no margin.

Ann Bevitt, a partner in London at law firm Cooley, told Data Economy: “In the six-plus years during which the GDPR was negotiated and agreed by the various EU bodies, the need for harmonisation was a key driver for change and there was a general recognition that businesses required this to function on a pan-EU basis. 

“However, we are still seeing lots of divergence in approach (and not just in respect of the age at which children can consent) which is incredibly frustrating for businesses operating in more than one member state,” she added.

The commission further said fragmentation challenges cross-border business, as well as innovations in new technological developments and cybersecurity solutions.

Despite the disparities in application, GDPR has set examples for of number of other jurisdictions, and drew praise for the collaborative work it has facilitated, “from Chile to South Korea, from Brazil to Japan, from Kenya to India, and from California to Indonesia”.

On this point, the report read: “The EU’s leadership on data protection shows it can act as a global standard-setter for the regulation of the digital economy”. It further quoted UN secretary general António Guterres, who urged the EU to continue to take the lead, “to shape the digital age and to be at the forefront of technological innovation and regulation”.

The legislation has also seen companies in France, Germany, Austria, Italy and Bulgaria pay more than €100 million in fines for data breaches between May 2018 and January 2020.

Elsewhere the report was largely positive, with key findings noting that since May 2018: data protection authorities were making use of their stronger corrective powers; international cooperation was gaining strength; and GDPR had created new roles and jobs, including compliance support role for small businesses.

Věra Jourová, the European Commission’s vice-president for values and transparency, said: “Europe’s data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we are building other polices, such as data strategy or our approach to AI.

“The GDPR is the perfect example of how the European Union, based on a fundamental rights’ approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution. But we all must continue the work to make GDPR live up to its full potential.”