The EU Member States' assessments of the GDPR, contributing to the Commission's review of the regulation

The Working Party on Information Exchange and Data Protection (DAPIX) is meeting on October 21st. On the agenda: the preparation of the Council position on the evaluation and review of the GDPR.

According to Article 97 of the GDPR, the Commission shall submit a report on the evaluation and review of the Regulation to the European Parliament and the Council. The first report is due by 25 May 2020.

Following the DAPIX discussion on 3 September, the delegations were asked to send in their positions in writing.

19 Member States did so. The resulting document is now available in the Council's public register, and it is a genuinely interesting read.

The following are some of the most interesting remarks from these MSs' positions (in my opinion). However, there is a significant number of remarks and suggestions submitted by the MSs that I leave out. Hopefully I will find the time to write a part two of this article.

  • Sector-specific EU law must also be checked and brought into line with the GDPR, to prevent the risk of conflicts and legal uncertainties
  • The MSs’ DPAs should harmonize their practice of interpretation more closely (e.g. they have different lists of risky processing operations and privacy impact assessments), and uniform standards for weighing up must be found
  • Legal authorization to process personal data must be sufficiently defined with regard to the conditions to be met. If such authorization, particularly in the private sector, is based on balancing legitimate interests, it is the responsibility of the processor to weigh up the different interests. This fundamental problem is already inherent in Article 6(1) (f). “Legitimate interests” may be interpreted very differently across Europe
  • The effectiveness and operability of Article 25 should be further improved, for example by providing practical guides for interpreting the technical safeguards for data security and for privacy by default
  • Drafting sector specific codes of conduct in accordance with Article 40 could be a suitable way to ensure the consistent application of the GDPR throughout the EU, in particular in areas of Member State competence such as the processing of health data
  • New accountability tools must be put in place by the GDPR (e.g. certification, Data Protection Officer)
  • Given the much higher limits for administrative fines, it would be desirable to define transparent criteria for the supervisory authorities to issue fines in order to ensure comparability and uniform enforcement
  • While the GDPR states that “children merit specific protection with regard to their personal data”, its approach to the protection of children is both fragmented and disjointed. References in various recitals (i.e. recitals 38, 58, 65, 71, 75) and Articles (i.e. 6.1(f), 8, 12, 40, 57) resemble a jigsaw puzzle but, unlike a completed jigsaw, they do not provide a coherent picture of protection for children.
  • On a procedural level, national disparities which hinder cooperation between supervisory authorities should be examined and removed. In particular, national procedural rules which seek to avoid decisions of supervisory authorities being subject to the cooperation mechanism and the one-stop-shop mechanism should be removed (for example, amicable resolution procedures which result in no formal decision being taken by the authorities, so that the plaintiff's authority is never consulted within the framework of one-stop-shop procedures).
  • Notwithstanding any potential efforts in the area of competition law, the GDPR should also be evaluated in light of the data power of large tech companies. Just like the Commission intends to look at the cooperation between data protection, consumer and competition authorities, we should evaluate all these areas of law in light of the data power of big tech. Solely focusing on one area of law will not be sufficient to tackle the problems that come with the enormous data power of big tech. This dual approach is preferable because these areas of the law all take a different perspective. Where competition law mostly focuses on market power from a top-down perspective, data protection law takes a bottom-up approach that aims to give individuals control over their personal data. Where competition law aims to prohibit abuse of a dominant market position (potentially based on the possession of data), data protection law should facilitate that individuals have or take control over their personal data and are in the position to determine where they want to store their data and under which conditions, thereby limiting the data power of big tech.
  • Competition law and consumer law contain norms that can be interpreted based on data protection law.
  • We need to evaluate whether it is necessary to introduce specific sanctions for when companies breach the GDPR multiple times. A possible option could be to introduce the possibility for DPAs to station someone within the company, or even on the board of directors, for a given period of time, to internally oversee the processing activities of the company.
  • As Article 42(1) points out, all actors involved (Member States, supervisory authorities, the Board as well as the Commission) are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, in particular at Union level. The GDPR makes an approach at Union level possible in various ways. Article 42(5) GDPR renders the option for the EDPB to approve the certification criteria using the consistency mechanism, resulting in a common certification, the European Data Protection Seals. In addition Article 43(8) empowers the Commission to adopt a delegated act specifying the requirements to be taken into account for the certification mechanisms. However under Article 42(5) the different national supervisory authorities may also approve those certification criteria at the different national levels. The use of certification mechanisms that are only valid at national levels seems to be counterproductive, because they thwart further harmonization. The Netherlands would like these certification processes to be part of the evaluation. Depending on the outcome of the evaluation, we may have to reconsider the possibility of applying a certification mechanism that is only valid in a national context, or restrict that possibility to only those situations where they do serve a legitimate purpose.
  • In addition to the important task of the EDPB to issue guidelines, recommendations and best practices on various topics, and by doing so to clarify the meaning of the terms used in the GDPR for the sake of day-to-day practice, it would also be very helpful on a practical level if the EDPB could ensure that only one harmonized form is issued to notify personal data breaches, because controllers are now confronted with forms that vary from Member State to Member State.


Neelam Singh

Information Security and Cybersecurity Leader - DGM- HCLTech_R&C_Cyber Security PMP | CISA | CCSP | CCSK | CIPP/E

5y

Thanks for the article. The information is crisp. For practical application, I have a point where there is further clarity required on processor obligations. As accountability has been of controller for most of the points, including to ascertain legitimate interest, is the processor completely free of responsibility to know/ensure/check if the controller has taken care of its obligations and continue to process, as the processing is needed for a legal contract between controller and processor? Would truly appreciate comments on this.

Sandhya Khamesra

Founding Partner and Chief Executive Officer at Pricoris LLP

5y

Some obvious, but the ones which are particularly heartwarming to a consultant like me are the following: 1. Appropriate definition of legitimate interest to avoid different interpretations 2. practical guides for interpreting the technical safeguards for data security and for privacy by default 3. defining transparent criteria for the DPAs to issue fines 4. providing a coherent picture for privacy protection for children 5. alignment of the data protection laws with Competition law and consumer law 6. Introduction of DPA representative in a company or even in the board of directors for a given period of time for oversight 7. National (by DPA of a particular MS) certification mechanisms to be restricted to a specific purpose and be restricted to the nation. Thank you Constantinos

Dr. RICKY JHA - FIP, AIGP

A COMPLIANCE & TRUST WRANGLER

5y

A good read for all fellow privacy and data protection fraternity members. Thanks Constantinos for this non-contentious story.
