GDPR at two – no need for change, but better enforcement and transparency vital

Commenting today on the publication of the Commission’s report on the functioning of the General Data Protection Regulation (GDPR) EuroCommerce Director-General Christian Verschueren said:

“The GDPR is a major EU achievement and a valuable contribution to assuring European citizens that their personal data is being protected and properly used. This is particularly important as we see the digital transformation accelerating.  We therefore see no need, only two years after the GDPR came into force, to change it. However, we want to see the Regulation better enforced, and support the Commission in calling for adequate resources for national authorities, and more consistent application of the rules. We also call for more transparency and better involvement of stakeholders in the work of the European Data Protection Board (EDPB) in preparing guidelines consistent with the regulation and important to its proper implementation.”

Our sector strongly supports the vital role of the GDPR in protecting personal data and building consumer trust.  We also welcome the significant influence it has had in setting a global benchmark for data protection. The COVID-19 crisis and the need to trace infectious contacts effectively has underlined the need for data protection to be applied consistently across Europe, based on common understanding of the rules. Since the GDPR entered into force two years ago, companies have devoted significant resources to ensuring their compliance with the regulation. We therefore have a real stake in it working properly and achieving its objectives.  In response to the Commission report and in line with suggestions we have shared with the Commission and the EPDB, therefore we are keen to see action to ensure:

• Better enforcement: We have seen a tendency to look at creating new rules rather than enforcing the existing ones. This is important in making best use of the GDPR, creating legal certainty and avoiding overlaps or conflicting legislation.
• Time to fulfil its potential: rather than rush to add to the GDPR, it is important to let the regulation bed in and national data protection authorities and the Commission have time to use it effectively.
• Harmonised interpretation of the GDPR’s provisions: The EBPB plays an important coordinating role, but we increasingly see divergence between member states’  interpretation of the GDPR in practice, and in some cases contradictory guidelines that make compliance a headache, leaving companies and consumers uncertain on how to act. This needs closer coordination between national authorities and more harmonised and consistent application of the rules.
• Guidelines consistent with the provisions of the GDPR: in a number of cases, guidelines have gone beyond what the GDPR provides for, leaving our members uncertain of whether they are acting legally in applying them. To avoid this uncertainty, the EDPB should take account of practical examples provided by business when writing their guidelines.
• More transparency and stakeholder involvement: In drawing up guidelines, the EPDB is creating a form of implementing legislation similar to rules elaborated by EU agencies under other legislative acts. Yet the consultation process is often unsatisfactory, the processes and decisions of the EDPB lacking transparency and providing too few opportunities for stakeholders to understand the processes and contribute to more effective guidelines. In line with better regulation principles we would ask for this to change, for their very restricted workshops to be advertised and open to more stakeholders, and for the minutes of EDPB’s plenary sessions to be published.