The 25th May 2020 marked two years since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK.  The change in law saw the biggest change in data protection law in 20 years and gave the regulator, the Information Commissioner’s Office (ICO), the ability to impose much tougher sanctions and levy higher fines on organisations that fail to comply with data protection law.

The introduction of the GDPR saw organisations of all sizes overhaul their data protection compliance, conduct audits and map out a plan to bring them in line with the requirements of the new legislation. 

The 2-year anniversary is also likely to mark the point at which many organisation’s policies and procedures, introduced at the time the GDPR was implemented, will need to be revised and reviewed. 

You are not alone in this feat.  The European Commission must also conduct a review of the GDPR and report the findings of this review to the European Parliament by 25 May 2020.  However, we understand that the findings of this review will not be published until June.

What do we expect the review to cover?

Under Article 97 of the GDPR, the European Commission is obliged to report to the European Parliament and European Council on the evaluation and review of the GDPR. 

This review must be conducted 2 years after the date the GDPR was implemented (i.e. 25 May 2020) and every 4 years thereafter.  As required by the terms of the GDPR, the review must concentrate on international transfers of personal data and the cooperation mechanism between national data protection authorities. 

The European Commission announced a public consultation in April 2020 calling for views on both of these issues.

International Transfers of Personal Data

A common theme in consultation responses are the lack of clarity and certainty in respect of international data flows.  In particular, there are concerns that standard contractual clauses as a transfer mechanism can be insufficient due to the fact that there is no processor to sub-processor standard contractual clauses. 

In global contractual chains, this poses uncertainty as it has led to individual interpretations of how to implement transfer mechanisms for international data transfers. 

In addition, consultation responses call for clarity on the territorial scope of the GDPR.  In the UK, ICO guidance indicates that if the GDPR applies to an organisation then a transfer mechanism (e.g. standard contractual clauses) does not apply. 

However, this indication is not replicated in guidance produced by the European Data Protection Board where the guidance states that the interplay between territorial scope and international transfers needs to be further assessed.  

Therefore, given the number of organisations calling for clarity in this regard, we expect the review to address the concerns raised in relation to international transfers of personal data and hope that further guidance is produced and additional standard contractual clauses are drafted.

Co-operation between national Data Protection Authorities 

Under the terms of the GDPR, national data protection authorities are required to provide each other with mutual assistance, conduct joint operations and adopt a consistent approach to the regulating the GDPR. 

The GDPR contains a formal consistency and dispute resolution mechanism. However, in guidelines produced by the Article 29 Working Party, there is an emphasis on co-operation between lead and concerned national data protection authorities to reach a mutually acceptable course of action, and indicates that the formal consistency mechanism should only be invoked where co-operation cannot be achieved.

A common theme from the consultation responses is the call for harmonisation of the way in which the GDPR is applied and enforced across all member states as there is currently disparity in the various approaches. 

Linked to the call for harmonisation is the need for national data protection authorities to be provided with sufficient resources to effectively carry out duties they are legally required to undertake in accordance with the GDPR. 

Under the GDPR, the obligations and role of national data protection authorities have expanded greatly and many of the consultation responses indicate that they feel authorities are not properly funded to carry out these duties. A greater level of funding would allow national data protection authorities to be more proactive in establishing mutual co-operation and harmonising the application of the GDPR across member states.

Conclusion

The report prepared by the European Commission is not due to be published until June.  However, we envisage that it will recommend a greater level of harmonisation between member states to ensure the GDPR is applied and enforced consistently across the EU.  In addition, we expect that the report will recommend further guidance to be published to assist organisations to interpret the requirements of the GDPR in a consistent manner.

 

By Bethany Paliga,Data Protection Practitioner and solicitor, Forbes Solicitors

Accredited Data Protection Practitioner and solicitor, Bethany Paliga, Forbes Solicitors, regularly assists and advises a variety of organisations with data protection compliance.