25 May 2020
Today is the second anniversary of the date in 2018 when the General Data Protection Regulation (GDPR) became enforceable. It is also the date on which the first official evaluation of the GDPR should be made. Even if the formal evaluation is delayed, some trends can already be identified.
Requirement for an evaluation
The formal requirement for the EU Commission to submit a review and evaluation to the European Parliament and to the Council is set out in Article 97 GDPR. The first such evaluation was scheduled for today, 25 May 2020. Subsequent reviews are to be made every four years.
European Data Protection Board (EDPB) pre-evaluation
The EDPB issued its contribution to the EU Commission’s formal evaluation in February this year. It made a generally positive assessment of the GDPR but acknowledged that implementation has been especially challenging for small or medium-sized enterprises (SMEs). It pointed out that the ability of the member states’ Data Protection Authorities (DPAs) to support the ‘one-stop-shop’ mechanism (intended, together with co-operation, to improve cross-border legal certainty for data controllers and data processors) depends on them being provided with sufficient resources. As regards international transfers to third countries outside the EU, the EDPB called on the EU Commission to update the existing Standard Contract Clauses (SCCs) in line with the GDPR and emphasised the need to adopt a set of processor-to-processor SCCs. (The Court of Justice of the European Union is due to deliver its judgment, regarding legality of the existing SCCs, on 16 July in the Schrems II case, Case C‑311/18.)
What else do we know Europe-wide?
Before the impact of Covid-19 in April/May 2020, the number of fines per month was increasing significantly. An insufficient legal basis for data processing was the reason for the greatest number of fines. The heaviest fines were issued for a lack of technical and organisational measures to ensure data security. (Supporting statistics are available here.)
What else do we know that specifically concerns Belgium?
Although legislation creating the Belgian DPA (APD/GBA) was adopted in December 2017, the transition period towards full GDPR implementation has been relatively long. The new Executive Committee, of five directors, did not take office until 24 April 2019, just over one year ago. Priority areas for the APD/GBA’s Strategic Plan 2020-2025 include: Telecommunications and Media, Direct Marketing, Education, support for SMEs and certain societal issues, notably: use of surveillance cameras and photography, online data protection and protection of sensitive data (see the summary here).
The APD/GBA now has significant inspection and sanctioning powers. Accordingly, it has two new departments: a litigation chamber, which is supported by an inspection service. Complaints to the APD/GBA are the source of the majority of ongoing case referrals, but current own-initiative investigations of the cookie policies of online media websites are likely to be followed by reviews of several of the other ‘most consulted’ websites in Belgium.
The level and intensity of GDPR enforcement in Belgium and across the EU is set to increase.
Disclaimer: This general memorandum may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions.