GDPR review calls for more efficient handling of cross-border cases

The European Commission says that the handling of cross-border cases needs a more efficient and cohesive approach when using the cooperation tools provided in the GDPR. In its GDPR review, published today, the Commission says that the GDPR has met most of its objectives, in particular by offering citizens a strong set of enforceable rights. However, while harmonisation across the Member States is increasing, there is a certain level of fragmentation.

The Commission says that the Data Protection Authorities have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations. This is due to differences in national administrative procedures and varying interpretations of concepts relating to the cooperation mechanism. Also, there are different approaches regarding the start of the cooperation procedure, and the timing and communication of information. The European Data Protection Board (EDPB) has indicated that it will clarify procedural steps to enhance cooperation between the lead data protection authority and other data protection authorities involved in a particular case.

Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the ‘One-Stop-Shop', 79 of which resulted in final decisions. However, more can be done to develop a truly common data protection culture, the Commission says.

There are no radical proposals for opening up the GDPR. Going forward, the Commission ‘will explore whether, in the light of further experience and relevant case-law, proposing possible future targeted amendments to certain provisions of the GDPR might be appropriate’.

SMEs may see some changes, as well as organisations processing children's data. The Commission recognises that the harmonisation of the age for children’s consent would be helpful. Also, it promises to review the standard contractual clauses for international transfers, and support standardisation/certification, in particular on cybersecurity aspects. The Commission also intends to finalise the ongoing evaluation of the existing adequacy decisions and report to the European Parliament and the Council.

‘Like most stakeholders and data protection authorities, the Commission is also of the view that it would be premature to draw definite conclusions as to the application of the GDPR and to provide for proposals for its revision.’


Subscribe to PL&B International Report for more news and analysis on this topic.