1 year GDPR – taking stock
The past 12 months have been remarkably busy for data protection authorities and data protection professionals across the EEA and beyond. Almost one year ago today, the General Data Protection Regulation entered into application. 25 May 2018 marked the beginning of an exciting new phase for data protection with an unprecedented growth of the global community of data protection professionals, new legislative initiatives being taken in many places across the globe and public awareness at an all-time high. 67% of EU citizens polled indicated that they have heard of the GDPR, 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% of EU citizens polled indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. This last result shows an increase of 20 percentage points compared to 2015 Eurobarometer results.*
More and more countries are introducing data protection and privacy legislation of their own. While there is no such thing as ‘one size fits all’ for data protection, the GDPR could still serve as a source of core principles. Every nation has to conceive its own data protection laws, but some measure of compatibility will greatly facilitate economic exchange and help build trust among consumers.
Closer to home, we have seen some more immediate results. From the very first day, the first cross-border cases were logged in the EDPB’s IMI case register and queries started pouring in at the national supervisory authorities (SAs). During the first year, a total of 446 cross-border cases were logged in our cross-border case register. 205 of these have led to One-Stop-Shop (OSS) procedures. So far, there have been 19 final OSS outcomes.
At a national level, most Supervisory Authorities (SAs) report a substantial increase in queries and complaints received compared to the pre-GDPR era. The EEA SAs have been working around the clock since May 2018 to bring these cases to a good end. Over 144.000 queries and complaints, and over 89.000 data breaches have been logged by the EEA national supervisory authorities**. 63 % of these have been closed and 37% are ongoing.
The resolution of cross-border cases, especially, is time and resource intensive: SAs need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities. The GDPR does not offer a quick fix solution in case of a complaint, but the procedures in place are robust and efficient. Together, as European SAs, we have worked and will continue to work tirelessly to make this new level of cooperation a reality.
Compliance can only be achieved through an effective combination of guidance, stakeholder engagement, and, where necessary, enforcement by the national SAs.
With this in mind, since its creation, the EDPB has endorsed the 16 GDPR related WP29 guidelines and adopted 6 guidelines of its own. This guidance is intended to help businesses understand the exact implications of the GDPR for their data processing activities. In addition, the EDPB completed its first major consistency exercise, which resulted in the adoption of 30 opinions on national DPIA lists.
We do not do this work in a vacuum. To make sure that all upcoming guidance achieves the double goal of enabling compliant data processing and stronger rights for individuals, the EDPB regularly engages in stakeholder consultations. So far, the EDPB has organised 2 stakeholder events and 6 public consultations.
We plan to keep up the good work in the next years. Earlier this year, the EDPB adopted its work program for 2019 and 2020, which includes a list of further guidance. We will also see several cross-border cases, carried out by SAs, leading to a final outcome in the coming months. And, last but not least, we want to continue to listen to and to work together with the people who can give us the best insights into the day-to-day practice of data processing. An ambitious programme, but I strongly believe that we, as European data protection authorities will find more and more synergies, which will increase our effectiveness.
Chair of the European Data Protection Board