A GDPR progress report: how is the law being implemented in the EU?

A little over a year after entry into application, and after 95.000 complaints filed, 59.000 breaches reported, and nearly 60 million euros imposed in fines, we’re taking a closer look at the way the EU General Data Protection Regulation is being implemented.

Today Access Now is releasing an implementation progress report that examines in detail the status of the GDPR across the 28 EU Member States, focusing our “wellness check” on key measures for users’ rights. We have found that a large number of Member States have interpreted the derogations, exceptions, and restrictions available under the GDPR differently, which may lead to fragmentation in the level of protection for data subjects across the EU. In the worst cases, a small number of Member States have adopted national measures that contradict the spirit, objectives, and text of the GDPR.

Based on our findings, we then lay out recommendations to ensure that the rights and protections encompassed under the GDPR are effectively delivered to data subjects across the EU. For example, we make specific recommendations to Member States to help them ensure that their national adaptation law is in line with the GDPR; to the EU Commission to use its institutional powers in cases where users’ rights are being restricted as the result of poor implementation of the GDPR; to Data Protection Authorities to prioritise the processing of users’ complaints; and to the European Data Protection Board to ensure cooperation between authorities and transparency in discussions and proceedings.

It would be easy to see the mixed results and issues we describe in the report as indicative of failure but that would ignore the complexities of both the digital economy and the way the legal system works in the EU. The long-term changes that the GDPR should bring about will take time to achieve. We cannot expect radical change in just 12 months, in some of the most complex markets of our time.

It is also too soon to say that the GDPR has succeeded, or failed, to achieve its objectives. What we can say is that we are encouraged by the growth in awareness of data protection, by the choices that some companies are making for a business model that is more respectful of our data protection and privacy rights, and by the first couple of enforcement cases. We are also excited to see that the global conversation about the importance of data protection is advancing, in part thanks to the GDPR.

The bottom line at this stage: for the full potential of the GDPR to be realised, we must move from the implementation to the enforcement stage. With long-term investment and commitment from the EU Commission, the Member States, DPAs, the EDPB, and the help of civil society, the GDPR has the potential to be one of the EU’s greatest successes in the protection of fundamental rights.

You can read our full report here.