On 1 April 2020, almost two years after the General Data Protection Regulation (GDPR) entered into force, the European Commission published a roadmap for evaluating its application.
The roadmap specifically asks for feedback on the Commission’s strategy in dealing with the issue of international transfer of personal data to third countries, focussing on existing adequacy decisions, and the cooperation and consistency mechanism between national data protection authorities.
Why has the roadmap been published?
Article 97 of the GDPR requires the Commission to submit a report on the evaluation and review of the Regulation to the European Parliament and the Council by 25 May 2020.
The GDPR specifies that the Commission must examine the application and functioning of the mechanism for (i) transfers of personal data to third countries or international organisations under Chapter V and (ii) ensuring consistency and cooperation under Chapter VII.
Further, under Article 97 the Commission is required to take into account the positions and findings of the European Parliament and the Council, and if necessary to submit appropriate proposals to amend the GDPR in light of any technological developments.
What does the roadmap say?
The Commission has announced its intention to publish a report identifying issues in the application of the GDPR as requested by Article 97. The report will build on input from the Council, the European Parliament and the European Data Protection Board, as well as two earlier reports published by the Commission in 2017 and 2019, which both considered the protection of personal data since the GDPR had entered into force.
Publication of the roadmap launches a consultation process to gather input from citizens and stakeholders. As part of that process, the Commission will be sending detailed questionnaires to data protection authorities and the European Data Protection Board, as well as to the GDPR Multi-Stakeholder Group, a group made up of business and civil society representatives. The Commission will also conduct bilateral dialogues with the authorities of the relevant third countries.
Individuals, businesses or interested parties can register with the Commission here to provide feedback by 29 April 2020. Feedback will be published to the Commission’s website alongside a synopsis report explaining how any input will be taken on board or why some suggestions cannot be actioned.
What happens next?
The Commission has already received feedback from the Council on the application of the GDPR in a report setting out its position on 19 December 2019. In its report the Council raised a number of concerns, including the challenges of determining or applying appropriate safeguards in the absence of an adequacy decision and the strain of the additional work for supervisory authorities resulting from the GDPR cooperation and consistency mechanisms.
The Council’s report also flagged issues raised by individual Member States, such as the importance of considering the application of the GDPR in the field of new technologies and big tech companies, and the development of efficient working arrangements for supervisory authorities in cross-border cases.
The deadline for providing feedback on the roadmap from citizens and stakeholders is 29 April 2020. Following consultation with the relevant parties and receipt of any online feedback, the Commission will publish its report by 25 May 2020. There is no obligation on the Commission to take any steps following publication of the report. However, Article 97(5) states that the Commission shall ‘if necessary’ submit appropriate proposals to amend the GDPR.