Evaluation of the General Data Protection Regulation

by EIAD – European Academy for Freedom of Information and Data Protection. Europaische Akademie fur Informationsfreiheit und Datenschutz Academie europeenne pour la liberie d’information et la protection des donnees

Berlin, 27 January 2020

A. General remarks

Article 8 of the EU Charter of Fundamental Rights (EUCFR) guarantees the protection of personal data and requires independent data protection oversight. With the General Data Protection Regulation (GDPR), there has been one EU data protection law directly applicable in all Member States since 25 May 2018. The extent to which the goals of the GDPR have been achieved cannot yet be seriously assessed after only 18 months. According to Art. 97 GDPR, the European Commission is required to continuously review the application and effectiveness of the Regulation and to report on this for the first time on 25 May 2020 and, if necessary, to submit proposals for amending and further developing the Regulation.

There is no denying that the GDPR has advanced the harmonisation of European data protection law and its application compared to the largely fragmented previous legal situation. The regulation has also strengthened the data protection rights of individuals subject to the processing of their data. The GDPR also provided data protection supervisory authorities with effective means of enforcement. However, it has become apparent that there are still shortcomings in the areas described above which need to be remedied.

The GDPR has had a significant impact on the global debate on data protection issues.

Several non-European countries and federal states have now passed laws based on the model of the GDPR. Examples include the Californian Consumer Privacy Act (CCPA), which came into force on January 1, 2020, and the new Thai Data Protection Act. The US Congress has received several drafts for a federal data protection act. It is currently discussing them on a bipartisan basis.

In addition, the data protection agreement concluded between the European Union and Japan in early 2019 has created the world’s largest zone with a uniformly high level of data protection. This has improved the opportunities for the European economy to remain competitive in the face of ongoing digitization.

The present opinion is based on the experience gained so far and is therefore provisional in nature. It is focused on key areas of action in which further development of the legal framework already appears appropriate.

B. Proposals

1.     Harmonisation

The large number of opening and concretisation clauses in the GDPR urgently needs to be reviewed with a view to reducing them. As a result of the fact that the Member States have made use of national options in very different ways, a regulatory patchwork of the most diverse provisions continues to exist in many areas. This severely compromises the goal of harmonising data protection law in the EU as far as possible and the associated free movement of data. Moreover, fragmentation causes considerable practical and legal problems for legal practitioners.

1.1.     The opening clauses of the GDPR for processing by public authorities allow not only for more precise regulations in the law of the Member States, but also for clarification by Union law.

The legal requirements for such regulations, such as those in Article 6 (3) GDPR and Article 9 (2) GDPR, should be specified with regard to the particular relevance of data processing by public authorities to fundamental rights in such a way that the guarantees specified in the GDPR may only be deviated from in favour of the persons concerned. In addition, so far there are Europe-wide references, the EU legislator should make greater use of its power to specify in order to further develop the principles of the GDPR in a harmonised manner for the public sector.

1.2. The diversity of regulations is particularly serious in the research field. The application of the provisions on scientific research has shown the need for more integrated rules on processing for scientific purposes, in particular for European cross-border research. Art. 89 GDPR should be revised accordingly in order to ensure a uniformly high level of data protection throughout the EU.

1.3. A higher degree of harmonisation is also needed for the processing of personal data in the employment context. The requirements for employee data protection of Art. 88 GDPR should be designed as binding guidelines for the processing of employee data and not merely as an option for national legislators. Nevertheless, it should still be possible to specify the requirements in national law and collective agreements.

1.4. In view of the increasing importance of interactive, cross-border media, more binding and concrete criteria are needed for weighing up the relationship between data protection, free speech and freedom of information. Art. 85 GDPR should be further developed accordingly.

1.5. The cooperation of DPAs is crucial for the uniform application of data protection law. The principles set out in Chapter VII (Art. 60-78) GDPR must be made more effective. There is a need for legal remedies if a supervisory authority fails to take a decision pursuant to Art. 58 in cases of cross-border importance, delays it, or intends to refrain from taking a formal measure pursuant to Art. 58 (2) GDPR with a view to amicably resolving a dispute with the company. It must be ensured by corresponding changes in Art. 64-66 GDPR that the provisions on the coherence procedure also apply to such cases.

2. Profiling / Automated decisions

Greater attention must be paid to automated systems which make or prepare decisions important for the individual or for society. Of particular relevance in terms of data protection law is the compilation and evaluation of data for the purpose of assessing individuals (profiling) and the use of algorithmic decision making systems, for example in connection with the use of “artificial intelligence” (AI).

2.1.    Art. 22 GDPR should be adapted to cover all cases where the rights and freedoms of natural persons are significantly affected. Profiling must be regulated as such (and not just decisions based on it). It should be clarified that the rules for automated decision-making also apply to decisions that are essentially based on algorithmic systems (algorithmic decisions). In this respect, absolute limits must be defined, admissibility requirements must be standardised and the principle of proportionality must be specified. In doing so, the specific requirements for the use of sensitive data and for the use of data relating to children shall be taken into account. The transparency requirements of Art. 12 et seqq. for profiling and automated decisions should be formulated more specific. Persons affected must always be informed when profiling is carried out and what the consequences are. In the case of algorithmic and algorithm-based decision-making systems, the underlying data and their weighting for the specific case must be disclosed in a comprehensible form.

2.2.    With regard to the functioning and effects of algorithmic and algorithm-based decision systems, in particular to avoid discrimination effects, mechanisms of algorithm control should be implemented. The requirements for data protection impact assessment formulated in Art. 35 (7) GDPR should be specified accordingly.

3.     Data protection technology

In addition to written law, ensuring effective data protection is largely determined by the design of technical systems. The statement “Code is Law” (Lessig) applies more than ever in view of increasingly powerful IT systems and global processing. It is therefore all the more important to ensure that technical systems are designed in a way compatible with data protection, especially with regard to limiting the scope of personal data processed (data avoidance, data minimisation).

Anonymisation and the use of pseudonyms are effective techniques for limiting risks to the fundamental rights and freedoms of natural persons, without unduly restricting the knowledge that can be gained from the data processing. In view of the high speed of innovation, it is necessary to examine to what extent the legal requirements guarantee adequate protection.

3.1. The provisions on technological data protection (Art. 25 GDPR) should take into account the particular risks arising from the use of new technologies and business models (in particular artificial intelligence, data mining, platforms). Corresponding specifications for the design of such systems should be specified by the European Data Protection Board.

3.2. In view of the rapid technological development, the requirements for anonymisation and pseudonymisation in Art. 25 GDPR and for the use of anonymised data should be made more specific. This should be supplemented by prohibitions of de-anonymisation and the unauthorised dissolution of pseudonyms, with the possibility of criminal prosecution.

3.3.     The responsibility of the manufacturers of hardware and software should be increased, for example by extending the definition of the responsible person to include the natural or legal person, public authority, agency or other body marketing file systems or personal data processing services.

At the very least, they should be included as addressees of the rules on data protection by means of technology design and by means of privacy by default, Article 25, and security of processing, Article 32 GDPR, in addition to the controller and processor, with the consequence that providers of personal data processing systems and services are responsible and liable for the implementation of the requirements at the time of placing on the market. In particular, they are to be legally obliged to provide all information required for a data protection impact assessment prior to the conclusion of a contract and all information and means necessary for the implementation of the rights of the persons concerned, irrespective of company and business secrets. This could also make the provisions on certification under Art. 42 effective. Consideration should also be given to extending the regulations on liability and compensation (Art. 82 GDPR) and on sanctions (Art. 83 f) to manufacturers.

4.     Rights of data subjects / self-determination

Self-determination and the rights of the persons concerned by the processing are at the centre of the fundamental right to data protection and the fundamental right to informational self-determination established by the Federal Constitutional Court. Although the GDPR standardises the central possibilities of influence of the individual on the processing of his or her data and his or her rights vis-à-vis the responsible parties, the actual possibilities of influence of the data subjects are often very limited. This applies in particular to the practice of various powerful companies offering services in which data subjects are trapped by lock-in effects. The rights of those affected should therefore be further strengthened.

4.1. The rules on consent (Art. 7 GDPR) and the right of objection (Art. 21 GDPR) must be supplemented in such a way that the persons concerned can make use of technical systems to determine their data protection preferences when exercising their decision-making powers. Those responsible must be obliged to respect these specifications and the decisions based on them.

4.2. In Art. 12 ff GDPR it must be ensured that the information provided for the data subject relates to data processing actually intended. It should also be clarified that the controller must inform the data subject of all known recipients to whom personal data of the data subject are or have been disclosed. In addition, the person responsible must be obliged to record the transmission of the data and the recipients, so that he cannot evade his obligation to provide information on the grounds of “lack of knowledge”.

4.3. The transparency obligations pursuant to Art. 12 et seq. are to be specified with regard to the use of profiling techniques and algorithmic decision-making procedures (cf. point 1, 2nd indent above).

4.4. The right to restriction of processing (blocking) in Art. 18 GDPR should be extended to those cases in which the necessary deletion is not carried out because the data must be kept only for the purpose of complying with retention periods.

4.5. The right to data portability (Art. 20 GDPR) should be specified in such a way that the data must be made available to the data subject in an interoperable format. It should also be ensured that the right covers all data processed by automated means that the data subject has generated (including metadata) and not only those that he has deliberately entered into a system. Furthermore, companies and platforms with a high market penetration should be obliged to make their offerings interoperable by providing interfaces with open standards.

C. Evaluation of the legal framework

Article 97(1) of the DS-GVO provides for an evaluation of the GDPR after 25 May 2020 at four-year intervals. In view of the rapid technical development in the field of data processing, it appears necessary to shorten this evaluation interval to two years. Even if the legal framework is designed to be technologically neutral, it must react to technical developments as quickly as possible otherwise it will fast become obsolete.


Written by Orla Lynskey


In its eagerly anticipated judgment in the Digital Rights Ireland case, the European Court of Justice held that the EU legislature had exceeded the limits of the principle of proportionality in relation to certain provisions of the EU Charter (Articles 7, 8 and 52(1)) by adopting the Data Retention Directive. In this regard, the reasoning of the Court resembled that of its Advocate General (the facts of these proceedings and an analysis of the Advocate General’s Opinion have been the subject of a previous blog post). However, unlike the Advocate General, the Court deemed the Directive to be invalid without limiting the temporal effects of its finding. This post will consider the Court’s main findings before commenting on the good, the bad and the ugly in the judgment.

 The Court’s Findings

 In reaching this conclusion, the Court reasoned as follows. It first narrowed the multiple questions referred by the Irish and Austrian courts down to one over-arching issue, whether the Data Retention Directive is valid in light of Articles 7, 8 and 11 of the Charter (setting out the rights to privacy, data protection and freedom of expression respectively). It then conducted its assessment in three parts.

 First, it examined the relevance of these Charter provisions with regard to the validity of the Data Retention Directive. Although the Court recognised the potential impact of data retention on freedom of expression, it chose not to examine the validity of the Directive in light of Article 11 of the Charter. It noted that the Directive must be examined in light of Article 7 as it ‘directly and specifically affects private life’ and in light of Article 8 as it ‘constitutes the processing of personal data within the meaning of that article and, therefore necessarily has to satisfy the data protection requirements arising from that article’[29].

 Second, it considered whether there was an interference with the rights laid down in Articles 7 and 8 of the Charter. It noted that the Data Retention Directive derogates from the system of protection set out in the Data Protection Directive and the E-Privacy Directive [32]. It cited Rundfunk  as authority for the proposition that an interference with the right to privacy can be established irrespective of whether the information concerned is sensitive or whether the persons concerned have been inconvenienced in any way [33]. The Court therefore held that the obligations imposed by the Directive to retain data constitutes an interference with the right to privacy [34] as does the access of competent authorities to that data [35]. The Court also held that the Directive interferes with the right to data protection on the mystifyingly simplistic grounds that ‘it provides for processing of personal data’ [36]. It observed that these interferences were both wide-ranging and particularly serious [37].    

 The Court then, thirdly, assessed whether these interferences with the Charter rights to privacy and data protection were justified. According to Article 52(1) of the Charter, in order to be justified limitations on rights must fulfil three conditions: they must be provided for by law, respect the essence of the rights and, subject to the principle of proportionality, limitations must be genuinely necessary to meet objectives of general interest.
The Court held that the essence of the right to privacy was respected as the Directive does not permit the acquisition of content data [39] and the essence of the right to data protection was respected as the Directive requires Member States to ensure that ‘appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of data’ [40].
With regard to whether the interference satisfies an objective of general interest, the Court distinguished between the Directive’s ‘aim’ and ‘material objective’: it noted that the aim of the Directive is to harmonise Member States’ provisions regarding data retention obligations while the ‘material objective’ of the Directive is to contribute to the fight against serious crime [41].
The Court observed that security is a right protected by the EU Charter and an objective promoted by EU jurisprudence [42]. It therefore held that the Data Retention Directive ‘genuinely satisfies an objective of general interest’ [44] and proceeded to analyse the proportionality of the Directive.

 The Court effectively adopted a two-pronged proportionality test, considering whether the measure was appropriate to achieve its objectives and did not go beyond what was necessary to achieve them [46].
Applying the ECtHR’s Marper judgment by analogy, it noted that factors such as the importance of personal data protection for privacy and the extent and seriousness of the interference meant the legislature’s discretion to interfere with fundamental rights was limited [47-48]. It held that the data retained pursuant to the Directive allow national authorities ‘to have additional opportunities to shed light on serious crime’ and are ‘a valuable tool for criminal investigations’ [49]. Therefore, it found that the Directive was suitable to achieve its purpose.

With regard to necessity, it noted that limitations to fundamental rights should only apply in so far as is strictly necessary [52] and that EU law must lay down clear and precise rules governing the scope of limitations and the safeguards for individuals [54]. It held that the Directive did not set out clear and precise rules regarding the extent of the interference [65]. It highlighted several elements of the Directive which fell short in this regard.
By applying to all traffic data of all users of all means of electronic communications the Directive entailed ‘an interference with the fundamental rights of practically the entire European population’ [56] and did not require a relationship between the data retained and serious crime or public security [58-59].
Moreover, no substantive conditions (such as objective criterion by which the number of persons authorised to access data can be limited) or procedural conditions (such as review by an administrative authority or a court prior to access) determined the limits of access and use to the data retained by competent national authorities [60-62]. Nor did the Directive determine the time period for which data are retained on the basis of objective criteria [64-65].

 The Court also held that the Directive did not set out clear safeguards for the protection of the retained data. This finding was supported by the Court’s observation that the rules in the Directive were not tailored to the vast quantity of sensitive data retained and to the risk of unlawful access to these data [66]. Rather, the Directive allowed providers to have regard to economic considerations when determining the technical and organisational means to secure these data [67]. Moreover, the Directive did not specify that the data must be retained within the EU and thus within the control of national Data Protection Authorities [68]. For these reasons, the Directive was declared invalid by the Court [69].

 The Good, the Bad and the Ugly

 The Good The judgment is to be welcomed for its end result – the invalidity of the Directive – as well as for many other reasons. It is a victory for grassroots civil liberties organisations and citizen movements: the preliminary references stemmed from actions taken by Digital Rights Ireland – an NGO – and just under 12,000 Austrian residents. More of these types of initiatives are needed in order to assure effective privacy and data protection. From a more substantive perspective, the judgment also recognises the dangers posed by aggregated meta-data – that it may ‘allow very precise conclusions to be drawn concerning the private lives’ of individuals [27] – and by data retention more generally – that it ‘is likely to generate in minds of the persons concerned the feeling that their private lives are the subject of constant surveillance’[37]. It also acknowledges that such data retention may have a chilling effect on individual freedom of expression [28].

 The Bad Nevertheless, some aspects of the judgment are less welcome. Most notably here, the Court glosses over the fact that it assesses the proportionality of the Directive in light of its ‘material objective’ – crime prevention – rather than its stated objective – market harmonisation. This sits uncomfortably with the Court’s finding in Ireland v Council that the Directive was enacted on the correct legal basis as its predominant purpose was to ensure the smooth functioning of the EU internal market. The Court also incorrectly applies Article 8 of the EU Charter. Not only does it consider that there is an interference with this right every time data are processed [36], it also fails to consider how the application of this right can be applied to a piece of legislation which pursues law enforcement objectives. The Data Protection Directive excludes data processing for law enforcement purposes from its scope (Article 3(2)) and the right to Data Protection should, pursuant to Articles 51(2) and 52(2) of the Charter, be interpreted in light of and reflect the scope of the Directive. This conundrum is conveniently overlooked by the Court.

 And the Ugly However, the most disappointing element of the judgment, like the Opinion of the Advocate General, is that it does not query the appropriateness of data retention as a tool to fight serious crime [49]. Given the prominence of this issue in both the EU and the US in the post-PRISM period, empirical evidence is needed to justify this claim.

Written by Orla Lynskey Posted in EU constitutional law, Fundamental rights, General, Internal Market, Proportionality and Subsidiarity Tagged with article 7 Charter, article 8 Charter, data retention directive, Directive 2002/58/EC, directive 2006/24/EC, Joined Cases C-293/12 and 594/12 Digital Rights Ireland ltd and Seitlinger and others, personal data, Privacy, proportionality, right to data protection
– See more at: http://europeanlawblog.eu/?p=2289#more-2289