The EU Commission publishes its first evaluation of the GDPR

In June, the EU Commission published its first evaluation report of the General Data Protection Regulation (GDPR) after two years of application. We provide a brief overview of the main findings of this report.


The Commission must issue a public report on the evaluation and review of the GDPR (Article 97). The first report was due on 25 May 2020 and then every four years thereafter.

The Commission is required to focus the report on the application and functioning of:

  • transfers of personal data to third countries or international organisations under Chapter V, and
  • co-operation and consistency under Chapter VII.

However, the Commission has taken a broader approach in order to address issues raised by various actors during the last two years. These include input from the Council, the European Parliament, the European Data Protection Board, national data protection authorities and other public and private stakeholders.

In a nutshell

While the Commission is of the view that it is too early to draw definite conclusions regarding the application of the GDPR, the last two years have generally been positive. The GDPR has strengthened the protection of individuals’ right to data protection and ensured the free flow of personal data within the EU. The report also states that businesses are developing a data protection compliance culture and increasingly use such compliance as a competitive advantage. Moreover, the GDPR’s “technologically-neutral” and principles-based approach was put to the test during the COVID-19 pandemic and has proven to be successful.

However, the Commission has also identified a number of challenges and proposes a range of actions to address them. It also considers that most of these challenges will benefit from more experience to be gained in applying the GDPR in the coming years.

In particular, while harmonisation across the Member States is increasing, there is some fragmentation between national laws and this should be closely monitored to ensure a uniform application of the GDPR across Member States. The Commission also recommends data protection authorities provide assistance to those companies that are struggling the most with the implementation of GDPR, such as SMEs, and assist citizens to effectively apply their rights.

Main findings

1. Enforcement of the GDPR and the functioning of the co-operation and consistency mechanisms

The Commission has found that European data protection authorities have made balanced use of their strengthened sanctioning powers, including warnings and reprimands, fines and temporary or definitive limitations and bans on infringing processing activities. For the period up to the end of 2019, 22 European data protection authorities issued approximately 785 administrative fines ranging from a few thousand euros to several million, depending on the nature and gravity of the infringements.

Data protection authorities have also developed their cooperation through the one-stop-shop and mutual assistance mechanisms. The Commission confirms that these have been largely used in cross-border cases and important decisions subject to the one-stop-shop mechanism are in the pipeline.

2. Harmonised rules but still a degree of fragmentation and diverging approaches

While the GDPR is intended to create a consistent and harmonised approach across the EU, it also allows Member States to legislate in some areas and further develop the GDPR. As a consequence, there is a degree of fragmentation, partly due to the extensive use of national derogations.

For example, the difference between Member States on the age of children’s consent in relation to information society services creates uncertainty as to the application of children’s data protection rights across the EU. Similarly, Member States have different approaches to implementing derogations from the general prohibition for processing special categories of personal data, and the level of specification and safeguards, including for health and research purposes.

The Commission emphasises the importance of not legislating beyond the margins set by the GDPR or introducing additional requirements, to avoid impairing the effective functioning of the internal market and creating unnecessary burdens on companies.

3. Empowering individuals to control their data

The report shows that individuals are increasingly aware of their data subject rights.

While the new right to data portability is rarely used, it has the potential to empower individuals in the data economy by allowing them to switch between different service providers and to choose the most data protection-friendly services in the market. Unlocking this potential is one of the Commission’s priorities, particularly considering the increasing use of Internet of Things devices, in order to foster competition and support innovation.

The Commission also found that the GDPR strengthened procedural rights, such as the right to lodge a complaint with a data protection authority through representative actions and the right to judicial redress. Although individuals are increasingly using these rights, the Commission recognises the need to further facilitate their exercise and enforcement.

4. Opportunities and challenges for organisations, such as SMEs

The GDPR generally offers opportunities to companies by fostering competition and innovation, ensuring the free flow of data within the EU and creating a “level playing field” with companies established outside the EU.

However, the Commission’s report shows that the application of the GDPR is challenging especially for small and medium sized enterprises (SMEs). To address this issue, the Commission recommends using the “compliance toolbox” in the GDPR to help demonstrate compliance, including use of codes of conduct and certification mechanisms.

5. The application of the GDPR to new technologies

The Commission believes that the GDPR demonstrated its flexibility during the COVID-19 crisis, particularly in relation to the design of the tracing apps and other technological solutions to fight the pandemic. Indeed, the Commission states that the GDPR has been conceived in a technology neutral way and is principle-based. It is therefore designed to cover new technologies as they develop.

The Commission asks data protection authorities to be ready to deal with future challenges by clarifying how to apply the general GDPR principles to specific technologies such as artificial intelligence, blockchain, Internet of Things or facial recognition, which require monitoring on a continuous basis.

6. Developing a modern international data transfer toolbox

The Commission is actively engaged in adequacy decisions for third countries. The EU-Japan mutual adequacy decisions, which entered into force in February 2019, created the world’s largest area of free and safe data flows and the adequacy process with the Republic of Korea is at an advanced stage. Further exploratory talks are ongoing with other important partners in Asia and Latin America. The adequacy mechanism may also have an important role in relation to the future relationship with the United Kingdom.

In addition to these new jurisdictions, as part of the first evaluation of the GDPR, the Commission is also required to review the adequacy decisions that were adopted under the former rules, including the 11 concerned third countries and territories.

Finally, the Commission confirms that it is working on a comprehensive modernisation of standard contractual clauses, to update them in light of new requirements introduced by the GDPR.

In the report, the Commission stresses the need for data protection authorities to take appropriate enforcement action and ensure effective compliance with the GDPR and a true level playing field in relation to the processing activities of non-EU companies that are active in the EU market. This approach should be “pursued more vigorously in order to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR”.

7. Promoting convergence and international co-operation in the area of data protection

Finally, the GDPR has emerged as a key reference point at international level and acted as a catalyst for many countries around the world to introduce modern privacy rules. This trend towards global convergence is a positive development to better protect individuals in the EU when their data is transferred abroad.

What next?

The Commission has identified a number of actions to be taken by several actors, including the Commission itself, Member States, the European Data Protection Board and national data protection authorities. The Commission will monitor the implementation of these actions in light of the next evaluation report in 2024.

By Tanguy Van Overstraeten and Ceyhun Pehlivan