As required by GDPR Article 97, the European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law. submitted its first evaluation and review of the EU General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). to the European Parliament and Council on June 24th 2020.
The Commission concludes that generally, the GDPR has met its objectives successfully, these being to strengthen personal dataInformation which relates to an identified or identifiable natural person. protection and guarantee the free movement of personal data within the EU. It did however, also identify a number of areas that require improvement, due mainly to fragmentation caused by the way the law has been enacted into individual member state laws and the inconsistencies between guidelines published by the European Data Protection Board (“EDPB”) and guidance issued nationally.
The review also addressed the future of data protection in the UK. As the EU and UK continue to pursue an adequacy agreement, the Commission described a deal to be “essential” for cooperation on matters involving law enforcement and security, but gave no firm indication of whether full adequacy would be awarded prior to the end of the Brexit transition period, now confirmed as 31st of December 2020.
Regarding extra-territorial reach, the Commission also comments that DPAs should ensure their enforcement actions include foreign organisations operating within the EU market to ensure that a true level playing field is maintained within the EU. The Commission put particular emphasis on actions that involve the controller or processor’s representative in the EU. The report states, “This approach should be pursued more vigorously in order to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR.”
This further confirms that only Representatives who are established, experienced and well resourced, who can therefore deal with these issues as they arise, should be appointed.