Commission publishes first GDPR evaluation report: no need for a change but some areas of improvement


On 24 June, the European Commission published its first evaluation report of the General Data Protection Regulation, two years after its implementation in 2018. The report states that the GDPR has proven to be successful in offering citizens a strong set of enforceable rights and in creating a new European system of governance and enforcement. The Commission also stresses that the GDPR has proven to be flexible in supporting unexpected situations such as the COVID-19 pandemic and has empowered citizens while giving businesses a significant comparative advantage in terms of compliance culture and strong data protection.

Without any doubts, the GDPR is an important piece of legislation that set a solid standard for the protection of personal data even beyond the borders of the European Union. However, some shortcomings still apply, and the Commission’s report identifies several areas for improvement, namely emphasizing the resources provided to data protection authorities (DPAs) and the need to address the fragmentation in the way Member States apply the law, crucial areas that were also flagged by Ecommerce Europe to the European institution on several occasions.

The report contains a list of actions to facilitate further the application of the GDPR for all stakeholders, especially for SMEs, to promote and develop a European data protection culture.

Main findings

The Commission finds that DPAs have been making increasingly use of their stronger corrective powers, ranging from warnings to administrative fines. However, they need to be adequately funded by their respective governments to acquire the needed human and technical resources. While many Member States have increased their staff and budgetary allocations, there is still a large difference between Member States that needs to be addressed. The Commission commits to using all tools at its disposal, including infringement procedures, to ensure Member States’ compliance with the GDPR. The use of infringement proceedings in the context of data protection would be a precedent in the EU.

A further reason for the fragmentation across the Union in terms of the application of GDPR is the difference in standards between Member States. The GDPR provides for a consistent approach for data protection rules across the Union. However, it also requires Member States to legislate in some areas and allows them to further specify the GDPR in others. This leads to a degree of fragmentation across the Single Market, which is fuelled by the extensive use of facultative specification clauses.

Additionally, vis-à-vis large digital platforms and integrated companies, the Commission stresses that strong and effective enforcement of the GDPR, especially in online advertising and micro-targeting, is essential to protect individuals’ rights.

Possible future steps

The Commission reveals it will set up a so-called “Data Protection Academy” designed to facilitate exchanges and cooperation between EU and foreign data protection authorities, as well as engage more with African partners to promote regulatory convergence and support capacity-building as part of the digital chapter of the new EU-Africa partnership.

Furthermore, it will explore whether possible future targeted amendments to certain provisions of the GDPR might be appropriate, in particular regarding records of processing by SMEs that do not have the processing of personal data as their core business (low risk), and the possible harmonization of the age of children consent in relation to information society services.

Ecommerce Europe, also as an active member of the European Commission’s Multistakeholder Expert Group on the application of the GDPR, will continue feeding the work of the EU institutions with its contributions to ensure that the interests of e-commerce players and consumers are well balanced.