Although GDPR took effect two years ago, the European Commission issued a report card today that found its sweeping set of privacy protections remains a work in progress. The General Data Protection Regulation policy represented a big step in efforts to limit the power of major digital platforms such as Google, Facebook, and Twitter.
In the report, the EC patted itself on the back for raising awareness about privacy across Europe, as well as for a growing number of enforcement actions taken against tech companies. But the report also found GDPR’s impact continues to be limited, due to fragmentation across its member states and insufficient resources at some of the leading data privacy authorities.
While it’s hardly a final judgment, the two-year evaluation will be closely scrutinized by countries considering their own data privacy regulations. The perceived success or failure of GDPR could have a big impact on whether tech companies, in particular, will face an array of tougher regulation and enforcement.
“The general view is that two years after it started to apply, the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data,” the report says. “However, a number of areas for future improvement have also been identified.”
On the positive side, the report cites a survey that found 69% of the EU population ages 16 or older were aware of GDPR, and 71% of people had heard about their national data protection authority. The adoption of GDPR had also encouraged other countries — such as Australia and New Zealand — to consider similar measures.
But the report identifies a host of weaknesses that need to be addressed. One of the most fundamental is that the set of rules remains highly fractured. While the EU adopted the overall GDPR, member states still had to pass laws that harmonized local rules with the new regulations. And while GDPR was fairly detailed, it was also general enough that the rules enacted by member states vary quite a bit. “Developing a truly common European data protection culture between data protection authorities is still an on-going process,” the report says.
The enforcement of GDPR rules falls to the authorities in individual member states. The differences in rules across countries make it difficult for those authorities to cooperate on cases and take joint enforcement actions. In one example, the EC noted that countries still have different ages of consent for children.
In rare cases when cooperation happens, authorities have to choose the weaker of two sets of rules to remain consistent. And the different applications confuse multinational companies.
“This fragmentation also creates challenges to conducting cross-border business, innovation, in particular, as regards new technological developments and cybersecurity solutions,” the report says.
Budgets for data protection increased by 49% between 2016 and 2019, and enforcement staffing for data authorities has grown 42%. Still, governments in Ireland and Luxembourg, where many tech companies have their international headquarters, lack the resources needed to handle their immense caseloads, the report says.
Going forward, the EC plans to study national legislation adopted in the wake of GDPR to find ways to reconcile the rules across the continent. And it’s urging member states to invest enough in data enforcement to make the rules more effective.