• The EDPB has reviewed implementation of the GDPR so far and has declared the first year and a half a success.
  • The EDPB did note areas for improvement, including the impact of implementation on SMEs and issues with cooperation across different jurisdictions.
  • However, notwithstanding these difficulties, the EDPB considers that it would be premature to revise the text of the GDPR.

The report

On 18th February 2020 the European Data Protection Board (“EDPB”) adopted its contribution to the evaluation of the GDPR under Article 97. The report is the EDPB’s reflection on the GDPR so far, noting areas of success and those where there is room for improvement.

Overall, the EDPB sees the first year and a half of the GDPR as a success, which has ‘strengthened data protection as a fundamental right and harmonized the interpretation of data protection principles’. In particular, the EDPB has emphasised that the GDPR is ‘a technologically neutral framework’ and is designed ‘to foster innovation by being able to adapt to different situation’.

Despite its generally positive outlook, the EDPB did acknowledge that it has not all been plain sailing, and the implementation of the GDPR has been challenging, in particular for SMEs. The EDPB has emphasised its commitment to developing tools to try and make compliance less burdensome for SMEs.

Similarly, the difficulty of implementing the cooperation and consistency mechanisms in the GDPR was also noted. The EDPB now publicly accepts that the ‘patchwork of national procedures and practices has an impact on the cooperation mechanism’ and notes that it is examining potential solutions to ensure the GDPR is applied consistently.

The report also touches on international data transfers and the resourcing challenges faced by supervisory authorities.

The EDPB concludes that it would be too soon to revise the text of the GDPR, and instead invites legislators to focus on adopting the ePrivacy Regulations to complete the data protection framework, a task that has thus far proven to be challenging.


The EDPB, unsurprisingly, has a taken a positive view of GDPR so far. It is certainly true that data protection has become a board level issue within most organisations, and data subjects are now more aware than ever of their rights. That being said, it is perhaps optimistic to suggest that the GDPR fosters innovation, given the difficulties that some emerging technologies such as blockchain have found in aligning themselves to the GDPR requirements, and the further issues that the market anticipates as innovation accelerates away from existing regulation.

SMEs will welcome the prospect of additional support for their compliance programmes. We will watch this space to see what solutions are proposed, and whether they actually help in practice.

The focus on cooperation and consistency will be no surprise to anyone that has struggled with the realities of implementing a single data protection policy across Europe. The commitment to finding a solution for consistent GDPR application will be a welcome statement for those companies who have grappled with local divergences, either by accepting certain jurisdictions as outliers from their overall data protection regime, or by having to take a risk based approach where they have chosen not to follow local derogations. However, it will be interesting to see whether any further harmonisation acts a race to the bottom to meet the lowest acceptable standard, or alternatively whether it requires more lax jurisdictions to take a more rigorous approach to enforcing the GDPR.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Hannah Brown

Hannah Brown
Associate, London
+44 20 7466 2677