FREE-Group Remarks on the implementation of the General Data Protection Regulation (GDPR)

We are writing in response to the European Commission call for “feedback” on the implementation of the General Data Protection Regulation (GDPR) (see https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12322-Report-on-the-application-of-the-General-Data-Protection-Regulation)

Fundamental Rights European Experts (FREE) is a group of experts on European human rights and data protection law.[1] Although focussed on issues relating to the EU Area of  Freedom Security and Justice, we also take an interest in broader issues of fundamental rights protection in the EU, in particular in relation to data protection law under the EU General Data Protection Regulation (GDPR), the Law Enforcement Data Protection Directive (LEDPD), the rules relating to EU FSJ-related databases, and the links between these areas.

Presumably, the above call relates to the mandatory European Commission’s review of the operation of the GDPR under Article 97 of that regulation which stipulates that:

  1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
  2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:
  3. Chapter V on the transfer of personal data to third countries or international organisations with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;
  4. Chapter VII on cooperation and consistency.

However, the review required under Article 97(1) is manifestly broader than the report mentioned in the call – which oddly does not mention Article 97 but which, it says on the website, will cover (only) international transfers of personal data to non-EU countries and the cooperation mechanism between national data protection authorities, i.e., the two topics mentioned in Article 97(2)(a) and (b). There are in fact a range of other, and wider, issues relating to the practical implementation and effect of the GDPR.

The Commission’s reference to “feedback” is also strange, given that there is as yet nothing to provide feedback on – such as a draft or provisional Commission report under Article 97(1) (see below).

We also note in this context that, in carrying out the above-mentioned evaluations and reviews, the Commission “may request information from Member States and supervisory authorities” (Article 97(3)); is required to “take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources” (Article 97(4)); may, if it deems this necessary, “submit appropriate proposals to amend this Regulation, in particular taking into account of developments in information technology and in the light of the state of progress in the information society” (Article 97(5)). The Commission may also more generally, if it deems this appropriate, “submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing” including in particular – but not limited to – “the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data” (Article 98).

Under Article 97(1), the Commission is supposed to submit its report on the evaluation and review of all of the GDPR to the European Parliament and to the Council, and make it public, by 25 May this year, i.e., in a few weeks’ time and less than a month after the deadline for “feedback”. This should not be limited to the two topics selected.

We are deeply concerned that the Commission’s call for “feedback” seriously fails to meet the requirements of Article 97(1), (3), (4) and (5), and Article 98 – and even in relation to the two selected issues (Article 97(2)) is inadequate:

  1. the call for “feedback” on two issues is not broad enough to meet the requirements of Article 97(1);
  2. the deadline is much too short; there is as yet nothing to provide feedback on; and there are unacceptable limits on wordcount – in no way can this short, limited call be said to allow the Commission to “take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources” even on the two selected topics, let alone on the whole of the GDPR and its practical implementation (Article 97(4));
  3. while we do not believe the text of the GDPR should be reopened, there is no indication of the Commission’s thinking on this matter, or on the approach it will take to that under Article 97(5)); and
  4. there is also no indication of the Commission’s thinking on the need for amendments – or new rules – of other Union legal acts in this area (Article 98) – which we believe should include its considerations in relation to the (stalled) E-Privacy Regulation. Although the review of various legal acts under Article 98 need not coincide with the review of the GDPR under Article 97(1), it would in our view make sense to link the two, at least in relation to (a) the proposed e-Privacy Regulation and (b) the complex relationships between the different EU data protection regimes (GDPR, Law Enforcement Data Protection Directive, Regulation 2018/1725 – and various other instruments, e.g., in relation to the CSFP – in particular as concerns transfers of personal data from one regime to another (e.g., making available of PNR data by private sector entities to law enforcement- or border agencies; compulsory retention of or access to e-communications data held by private sector entities by law enforcement agencies – and the elephant in the room: access to private sector and law enforcement data by the Member States national security agencies).

In the circumstances, we strongly suggest that the Commission’s report, based on the unduly limited “call for feedback”, planned for submission to Parliament and the Council in the near future, should take the form of a draft (or interim or provisional) report with special attention to the two selected issues, but with the Commission making explicitly clear that this is only the start of the work, i.e., confirming that it will still seriously examine still-to-be-provided input from Parliament, the Council, and others such as ourselves and other civil society organisations, both on the two issues mentioned in Article 97(2) and on all other issues that arise in relation to the GDPR, with a view to a wider, comprehensive report in the not-too-distant future (although perhaps after the summer) that will properly take those views into account and address all issues under the GDPR.[2]

In the meantime, thanks to the contribution of Professor Douwe KORFF, we have limited ourselves to merely listing, in the attachment, a wide range of important issues that we strongly believe the Commission’s full review under Article 97(1) should cover, with very brief comments. We would be happy to expand on each of those issues, or indeed on why we selected them, if asked to do so (and given enough time).

We wish the Commission and its members good health in these difficult times.

Yours sincerely –

Emilio De Capitani

(FREE-Group Executive Director)

Attachment:   List of main issues to be addressed in the full Article 97(1) review

Attachment  List of main issues to be addressed in the full Article 97(1) review (Author Professor DOUWE Korff)

  1. Preliminary issues:The need for full involvement of the bodies mentioned in Article 97(4), in particular of European Parliament and civil society:

This should allow for full and substantial input from European Parliament and from genuine civil society organisations (as distinct from lobbyists for corporate interests and soi-disant “independent” think-tanks that are a mere front for such interests) , with sufficient time for preparation and proper consultations and discussions.

  1. The question of whether, in general and in respect of the two main issues for review (Chapters V and VII), there is a need to amend the text of the GDPR itself (Article 97(5))

The GDPR (for all its defects) is a great achievement. We strongly oppose re-opening (amending) the text of the GDPR for the time being, as this will merely allow for a repeat of the extensive negative lobbying aimed at reducing protection we saw in the extended adoption process, create prolonged uncertainty and undermine the “golden standard” status of the GDPR.

  1. The question of whether there is a need to submit legislative proposals for amendments to other data protection legal acts (Article 98)

It is crucial that a strong ePR is adopted as a matter of urgency which does not anywhere or in any way undercut or undermine the principles, rules and high level of protection of the GDPR.

  1. Mapping the operation of the GDPR in its wider contexts

On the basis also of requests for information from the MSs and the SAs (Article 97(3)), the Commission should map out in detail the operation of the GDPR in its own terms and in relation to the other EU data protection regimes – and in relation to national security, covering at least the following:

  1. Lack of harmonisation, partly due to the “further specification” clauses.[3]

The Commission should map and assess:

  1. the extent to which the divergencies caused by the “further specification” clauses pose obstacles to the free flow of personal data within the Union, especially also in relation to the digital environment (and thus potentially to the Digital Single Market), but also:
  2. whether the divergent legal rules adopted by the MSs under the “further specification” clauses (including but not limited to Articles 8, 9, 10, 23, 85, 86, 87, 88 and 89) really offer the “appropriate”/“suitable” safeguards and comply with the fundamental rule-of-law requirements (“law”, legitimate aim, necessity and proportionality) required of them by the GDPR.The relationship between the GDPR and other data protection regimes in the EU and in the EU Member States.[4]

The Commission should map and assess:

  1. Links and transfers of personal data processed subject to the GDPR (in particular, by private-sector entities) to entities in the MSs that process the data after transfer outside of any EU data protection rules, i.e., the MSs’ national security agencies (the elephant in the room)The application of the GDPR to non-EU/EEA controllers and processors under Article 3(2)(a) and (b) GDPR (as also expressly called for by the LIBE Committee of the EP)

The Commission should map and assess the extent to which:

  1. non-EU/EEA companies that offer goods or services to individuals in the EU (in a targeted way), or that monitor the behaviour of such individuals (in particular, through online tracking tools):

(aa)      are aware of the fact that they must comply with the GDPR; and

(ab)      have actually taken any steps to ensure that they do comply (especially beyond merely creating a separate Privacy and Consent page for EU citizens);

and

  1. the extent to which the MSs’ SAs and/or the EDPB  have taken any information and enforcement actions in this respect and the outcomes of such actions.
    • The specific issues mentioned in Article 97(2)
      • International transfers of personal data to non-EU countries, including the question of adequacy (Chapter V)

The current arrangements are not fit for purpose:

  1. Re adequacy decisions:

(aa)      Adequacy decisions should not be political, executive decisions but legal ones. Ideally, the provisions in the GDPR relating to such decisions should be amended to ensure the decisions are subject to proper expert and democratic scrutiny by the EDPB and the European Parliament (rather than just taken with the EDPB being consulted). However, since we feel the text should not be re-opened (section 1.ii, above), we cannot recommend that. But it is still entirely possible to develop a practice under which the opinion of the EDPB is given full weight and in practice always followed, and under which draft adequacy decisions are presented to and discussed in Parliament before being formally adopted. If there is going to be a review of the text (now or in four years’ time), this is an issue that deserves more formal attention.

(ab)      adequacy decisions are largely reached in secrecy, with very limited, essentially ex post facto and non-binding input from the EDPB, and none from civil society including civil society groups in the third countries concerned;

(ac)       there is pressure to grant adequacy decisions to trading partners to facilitate trade, even if there is no really “essentially equivalent” protection and insufficient enforcement in the third country;

(ad)      access to personal data by third countries’ national security agencies remains an almost totally obscure(d) issue;

(ae)      there is no open, ongoing, regularly published monitoring of the situation in third countries that have been declared adequate; such monitoring should be continuous and include input from civil society groups in the third countries concerned, with regular, public reviews;

(af)       contrary to the CJEU’s requirement, there is no serious continuous supervision and assessing of the situation in third countries by the MSs’ SAs.

  1. Re other grounds for transfer:

On the basis also of requests for information from the MSs and the SAs (Article 97(3)), the Commission should map out in detail and assess:

(ba)      the “legally binding and enforceable instrument between public authorities or bodies” in the EU and corresponding public authorities and bodies in third countries mentioned in Article 46(2)(a). At the moment, no-one has any idea of the nature, scope and detail of such arrangements – let alone whether they really contain the required “appropriate safeguards”; and

(bb)      all the BCRs that have been approved by the MSs’ SAs and the groups of companies to which they relate (Article 46(2)(b) jo Article 47) and the extent to which they (i) actually provide on paper the required “appropriate safeguards” including “enforceable rights [granted to] data subjects with regard to the processing of their personal data” (Article 47(1)(b) and (ii) have actually ever been invoked by data subjects and (iii) the outcome of such actions and whether that has led to any reviews of the BCRs.

Moreover:

(bc)       the standard data protection clauses for transfers between controllers in the EU and controllers and processors in third countries were drawn up under the 1995 Data Protection Directive and are not fit for purpose under the GDPR; among many other issues, they do not properly address transfers made to controllers who are subject to the GDPR under Article 3(2).[5]

(bd)      there are no standard clauses for processor to processor transfers;

(be)      no codes of conduct have as yet been approved under the GDPR; the process is unacceptably slow;

(bf)       no certification mechanisms have as yet been approved either at MS level or at EU level;

(bg)      to the best of our knowledge, no ad hoc transfer clauses have ever been approved by any MS SA – and they are not to be encouraged either.

  1. Weaknesses in the GDPR enforcement mechanisms including in the cooperation mechanism between national data protection authorities (Chapter VII)

The MSs’ SAs remain weak and fatally under-funded and under-resourced, especially when it comes to supervision over the digital environment and the “Internet Giants”. We note in this respect the findings by the search engine Brave which showed that:[6]

  1. only five of the EU’s 28 SAs have more than 10 tech specialists.
  2. The EU’s SAs do not have the capacity to investigate Big Tech.
  3. Half of the EU SAs have small budgets (under €5 million).
  4. EU governments have not given their SAs the capacity to defend their decisions against ‘big tech’ companies in court on appeal.
  5. The UK Government’s privacy watchdog is Europe’s largest and most expensive to run. But only 3% of its 680 staff is focussed on tech privacy problems.
  6. The Irish Data Protection Commission is Google and Facebook’s ‘lead authority’ GDPR regulator in Europe. But while the number of complaints it deals with is accelerating, increases to its budget and headcount are decelerating.
  7. European governments have failed to equip their national SAs with sufficient powers and resources to enforce the GDPR.
  8. Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs. All other EU countries are far behind Germany.

We support Brave’s call on the European Commission to launch an infringement procedure against EU Member State Governments for failing to implement Article 52(4) of the GDPR.

In addition, we note that the cooperation and consistency mechanisms in the GDPR do not function appropriately or adequately. The SAs and the EDPB do not at present effectively supervise compliance with the GDPR by entities with establishments in the EU, let alone by entities not established in the EU but who are subject to the GDPR by virtue of Article 3(2) GDPR, and they do not effectively enforce the GDPR.

In our view, it would have been much more sensible  to follow the EU Competition legal framework model where cases having cross border impact can be resolved by a truly central EU authority with decisional and sanctioning powers.

However, we would not want to open up the text of the GDPR on this issue – that would inevitably lead to other parts of the regulation also being opened for change – which would likely lead to a lessening of protection (see issue 1.ii, above). If there is going to be a review of the text (now or in four years’ time), this is another – perhaps even the most important – issue that deserves more formal attention.

We are asking the Commission and the EDPB to find ways of making the consultation, cooperation- and consistency mechanisms in the GDPR efficient and truly effective, so as to create credible means to face giant global corporations such as Google or Facebook. We urge the EU and the MSs to provide extensive further resources in terms of money, staff (especially technical experts) and other support to the EDPB and to any joint operations of supervisory authorities under Article 62 GDPR, so that they can seriously, speedily and effectively supervise and investigate major, especially international, corporations; and the SAs to make much greater use of the new powers they have been granted under the GDPR, and to impose real, serious dissuasive and punitive sanctions on wrongdoers. Until now, weak and utterly ineffective supervision and enforcement has been the sad hallmark of the system.

We also urge the Commission to encourage MSs to provide for actions by not-for–profit bodies representing data subjects under Article 80(2) GDPR. We believe such class (or quasi-class) actions can contribute significantly to compliance with the GDPR by major corporations whose actions affect millions of individuals. If NGOs representing those many individuals can effectively secure proper (and where appropriate, exemplary) payments to compensate for violations of the Regulation to each of the individuals affected, that would act as a proper deterrent. We note that in some MSs courts have awarded individuals several thousand Euros each for data breaches, without the need to show further specific damages. If tens or hundreds of thousands of data subjects could secure such payments through such actions, this could, we believe, affect a sea-change in the GDPR compliance environment.

(We note the recent US$5billion fine imposed by the US FTC on Facebook – which dwarfs the fines imposed under the GDPR to anyone to date.)[7]

  1. Other important issues:Codes of Conduct & Certification mechanisms

Codes of conduct and certification mechanisms can in principle be useful means to assist controllers and processors in demonstrating their compliance with the GDPR. However, they have to be strong and properly managed.

The Commission and the EU MSs have signally failed to make progress towards the creation of proper frameworks for codes of conduct and for the accreditation of strong certification schemes – in spite of having had four years to work on these. We call on the Commission to urgently make progress on these issues.

  1. Artificial Intelligence

Automated decision-making, profiling, machine learning, self-learning algorithms – and now “Artificial Intelligence” (AI) pose grave threats to data protection and other fundamental rights (including the right to an effective remedy and to a fair trial, equality, freedom from discrimination, etc.).[8] The GDPR contains the kernels of part of the solutions – they should be explored and nurtured. The Commission and the EDPB should urgently clarify how the GDPR can and should be used to protect our rights.

  1. Brexit

The United Kingdom’s trade and security arrangements, and the data flows that accompany those, were closely integrated with the other EU Member States and the relevant EU institutions before “Brexit”. There will be significant pressure on the Commission to declare the UK an “adequate” country for the purposes of the GDPR (and in relation to security). However, the UK has also made clear that it wants to be free to diverge from the EU rules including the EU data protection rules (GDPR and LEDPD). It is reported that “The British government is making impossible demands over access to Europol databases in the negotiations over the future relationship with the EU”. Similar issues arise in relation to personal data that are processed by EU controllers and processors under the GDPR – not least in relation to possible access to such data once transferred to the UK (after the post-Brexit transition period) by the UK national security agencies – an issue that has wrongly excluded from discussion while the UK was still an EU MS (see above, at 2.ii(b), above) – and in relation to onward transfers to US national security agencies.

We are urging the Commission to address all these elephants in the room: access to data by MSs’ national security agencies, access to data by UK national security agencies after the post-Brexit transition period, and transfers of personal data by the MSs and by the UK to US (and other “5EYES”) national security agencies.

– o – O – o –


[1]             See: FREE – Group “About” and FREE- Group “Members” on the internet homepage

[2]             While preparing our submission we heard from usually well-informed sources that the Commission has in fact already written the report on the above-mentioned two issues in near-final form. If that is true, it would make a mockery of the call for “feedback”. We assume that the Commission will actually still be looking for real and serious submissions, and take those properly into account.

[3]             See The DPO Handbook, produced in the EU-funded “T4DATA” project in 2019 by FREE experts Douwe Korff and Marie Georges, Part II, The General Data Protection Regulation, section 2.2, Status and approach of the GDPRE: direct applicability with “specification clauses”, pp. 102 – 109, available at:

[4]             For a list of those different regimes and the issues arising, see Douwe Korff and Marie Georges, The DPO Handbook, (previous footnote), Part I, section 1.4.6, Transmissions of personal data between different EU data protection regimes, pp. 89 – 91.

[5]             See the letter sent by FREE Group member Professor Douwe Korff to the EDPB on this latter issue on 19 February 2020.

[6]             See: https://brave.com/dpa-report-2020/ (Summary, quoted above with edits)

https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf (full report)

[7]             https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions

[8]             Yves Poulet, L’intelligence artificielle et le RGPD, 2020, For an earlier discussion, see Douwe Korff and Marie Georges, Passenger Name Records, data mining & data protection: the need for strong safeguards, report prepared for the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD) of the Council of Europe, 2015, section I.iii The dangers inherent in data mining and profiling, available at:

https://rm.coe.int/16806a601b

Leave a Reply