According to the evaluation report published by the European Commission on 24 June 2020, the EU General Data Protection Regulation (hereinafter “the Regulation” or “GDPR”) has achieved most of its objectives during its two years of application. In particular, the Regulation has succeeded in giving EU citizens enforceable rights and has created a new European system of administrative and enforcement control. According to a survey published by the European Union Agency for Fundamental Rights in June 2020, as many as 69% of EU citizens over the age of 16 have heard of the GDPR, which means that awareness of the Regulation has also spread effectively among citizens.
The legal situation has been clarified and supervision has become more effective
The Regulation has introduced transparency and clarity into data protection rules and made it easier for individuals to exercise their rights, such as the right of access to personal data, the right to have collected data deleted and the right to object to the collection and transfer of data. The Regulation has also given national data protection authorities better tools to monitor compliance. In addition to warnings and remarks, the authorities may impose administrative fines, which the office of the Finnish Data Protection Ombudsman also did during the past spring. By its decisions of 18 and 26 May, the Sanctions Board of the Data Protection Ombudsman imposed a total of EUR 200,500 in administrative fines on four different companies. As the maximum amount of the fine may be 4% of the company’s turnover or EUR 20 million, the fines imposed were quite moderate, which is justified given the short lifespan of the GDPR.
A new administrative system
Much work has been done to ensure the uniform and effective application of the Regulation, which is reflected at a concrete level in, among other things, the so-called “one-stop shop” mechanism. The mechanism is an innovative governance architecture for European data protection authorities, which has made it possible for companies carrying out cross-border data transfers to have only one liaison authority, namely the data protection authority of the Member State in which the company has its headquarters. The system has thus succeeded in cutting out both unnecessary middlemen and bureaucracy. The European Data Protection Board is also currently developing specific guidelines on the use of certification and a code of conduct for the transfer of data outside the EU.
The supervisory authorities have become stronger
Between 2016 and 2019, the staff of the national data protection authorities of the EU Member States increased by a total of 42% and their budgetary resources by 49%. Although there are still significant differences between Member States, the resources of the internal market data protection authorities have almost doubled in the last few years. The data protection authorities of many Member States have also expanded their range of services, for example in the form of helplines. Most authorities have also sought to tailor data protection advice to the needs of both individuals and companies.
Although the GDPR can be said to have reached the awareness of the majority of EU citizens and achieved most of its objectives, there is still a lot of work to be done. Data protection awareness is a relatively recent phenomenon, and an even clearer range of means is needed so that citizens can make effective use of the rights offered by the Regulation. The current data protection culture has only just seen the light of day, and cross-border data transfers in particular require further development of cooperation between Member States within the framework of the European Data Protection Board. It is still worth emphasizing that many good things have already been achieved, such as the world’s largest area of free and secure data transfer.
As a law firm specialized in data protection, we at Nordic Law are happy to help if your company needs advice regarding data protection!
Our Trainee Jere Lehtimäki took part in writing this article.