Does the GDPR Need Fixing? The European Commission Weighs In

The European Commission published its second Report on the General Data Protection Regulation (GDPR) on July 25, 2024, assessing the progress of its impact and effectiveness of application since the Commission’s first Report published in June 2020. The second Report acknowledges relative success of the GDPR in protecting individuals and supporting businesses, while also highlighting areas for improvement, with further progress being called for in supporting stakeholders’ compliance efforts, clearer and more actionable guidance from data protection authorities (DPAs), and achieving more consistent interpretation and enforcement of the GDPR across EU Member States.

This blog surfaces key takeaways from the Commission’s second Report on the GDPR, with an overview and analysis of the findings from various stakeholders, including DPAs. The Report draws conclusions following the past years of GDPR enforcement and applicability, exploring enforcement and the use of cooperation and consistency mechanisms; implementation of the GDPR by Member States and an overview of the exercise of the data subject rights; the GDPR as a cornerstone of the EU’s new legislative rulebook; and international transfers and global cooperation. 

1. Enforcement and the use of cooperation and consistency mechanisms are on a growth trend, bringing total fines of 4.2 billion EUR and increased use of corrective measures

In 2020, the Commission’s first Report highlighted the need for a more efficient and harmonized handling of cross-border cases across the EU, resulting in the 2023 Commission proposal for a Regulation on additional procedural rules currently being negotiated by EU legislators. 

In its second Report, the Commission assessed recent enforcement activity under the GDPR, highlighting a trend of increased cooperation between DPAs, increased use of the GDPR consistency mechanism and the growing intervention of the European Data Protection Board (EDPB) via its Opinions, with the following highlights:

• Almost 2400 case entries were registered in the EDPB’s information exchange system as of 3 November 2023;
• Lead DPAs issued approximately 1500 draft decisions with over 990 resulting in final decisions finding GDPR infringements (as of 3 November 2023); and
• DPAs from 7 Member States participated in 5 joint operations;
• DPAs from 18 Member States raised 289 relevant and reasoned objections, 101 of which were raised by German authorities, with a success rate in reaching consensus varying from 15% (German authorities) to 100% (Polish DPA).

The cases submitted to dispute resolution addressed the legal bases for processing data for behavioral advertising on social media and processing children’s data online.

Regarding the consistency mechanism, the report notes that:

• The EDPB has adopted 190 consistency opinions;
• 9 binding decisions were adopted in dispute resolution, with all instructing the lead DPA to amend its draft decision and others resulting in significant fines;
• 5 DPAs adopted provisional measures under the urgency procedure (Germany, Finland, Italy, Norway and Spain); and
• 2 DPAs requested an urgent binding decision by the EDPB under Article 66(2) GDPR, and the EDPB ordered urgent final measures in one case.

The Commission pointed to more robust enforcement activity by DPAs in recent years. DPAs use corrective measures and adopt infringement decisions in complaint-based and own initiative cases. The Report stated that DPAs have imposed “substantial fines in landmark cases against ‘big tech’”. For instance, DPAs have imposed over 6680 fines amounting to approximately EUR 4.2 billion, with Ireland accounting for the highest total fines (EUR 2.8 billion) followed by Luxembourg (EUR 746 million) and France (EUR 131 million). Liechtenstein, Estonia, and Lithuania were reported to have imposed the lowest fines, 9600 EUR, 201000 EUR, and 435000 EUR, respectively. The highest number of fines were imposed in Germany (2106) and Spain (1596). The fewest fines were imposed in Liechtenstein (3), Iceland (15) and Finland (20). Most fines were imposed for (i) infringement of the principles of lawfulness and security of processing, (ii) infringement of the provisions related to processing of special categories of personal data, and (iii)  failure to comply with individuals’ rights (Chapter III of the GDPR).

The Report showed that DPAs effectively used “amicable settlement” procedures, with over 20,000 complaints resolved, even though such procedures are unavailable in all Member States. This procedure was commonly used in Austria, Hungary, Luxembourg, and Ireland.  

Furthermore, DPAs launched over 20,000 own-initiative investigations and collectively received over 100,000 complaints yearly. In 2022, nine DPAs received over 2000 complaints. Germany (32300), Italy (30880), Spain (15128), the Netherlands (13133), and France (12193) registered the highest number of complaints, while Liechtenstein (40), Iceland (140), and Croatia (271) registered the lowest number. The median time to handle complaints from receipt to closure ranges from 1 to 12 months. 

The Report notes that German DPAs launched the highest number of own-initiative investigations, 7647 investigations, followed by Hungary with 3332, Austria with 1681 and France with 1571 investigations.

Besides fines, DPAs used corrective measures such as warnings, reprimands, and orders to comply with the GDPR. In 2022, German DPAs adopted the highest number of decisions imposing corrective measures (3261), followed by Spain (774), Lithuania (308) and Estonia (332). The lowest number of corrective measures was imposed in Liechtenstein (8), Czechia (8), Iceland (10), the Netherlands (17) and Luxembourg (22). Controllers and processors frequently challenge decisions in national courts, most commonly on procedural grounds. For instance, in Romania, all 26 decisions finding an infringement were challenged before the national court, while in the Netherlands, the rate of challenge was reported to be 23%.

2. Implementation of the GDPR by Member States continues to be fragmented

Similar to the 2020 Report, stakeholders still reported fragmentation in the national application of the GDPR, from national legislation to diverging interpretations of the GDPR by DPAs. The concerns regard in particular:

• The minimum age for a child’s consent in relation to the offer of information society services to the child;
• Introduction by Member States of further conditions concerning the processing of genetic data, biometric data or data concerning health; and
• Processing of personal data relating to criminal convictions and offenses.

However, the Report mentions that Member States consider that a limited degree of fragmentation may be acceptable. The specification clauses provided by the GDPR remain beneficial, particularly for processing by public authorities (the Council position states that “the margins left for national legislation to define specific framework for certain type of processing activities, for example when it comes to article 85 and 86 of the GDPR regarding the freedom of expression and information and the right of public access to official documents, remain beneficial and relevant notably for public authorities given the specificity of their processing activities”). 

Notably, the Report points out that the interpretation of the GDPR by national DPAs remains fragmented as DPAs continue to adopt diverging interpretations of key data protection concepts, creating legal uncertainty and disrupting the free movement of personal data. Some of the specific issues raised by stakeholders include different views on the appropriate legal basis for processing personal data, diverging opinions on whether an entity is a controller or processor, and, in some cases, DPAs not following the EDPB guidelines or publishing conflicting national guidelines. Some stakeholders also consider that certain DPAs and the EDPB adopt interpretations that deviate from the risk-based approach of the GDPR, mentioning areas such as the interpretation of anonymization, the legal bases of legitimate interest and consent, and the exceptions to the prohibition of automated individual decision-making.

The Commission highlights that it monitors the implementation of the GDPR on an ongoing basis, having launched infringement procedures against Member States on issues concerning the independence of DPAs (e.g., Belgium) or the right to an effective judicial remedy where the DPA does not handle a complaint (e.g., Finland and Sweden). The Commission also regularly requests confidential updates from DPAs on significant cross-border cases, particularly those involving large tech companies.

3. Two-thirds of Europeans have heard of the GDPR, and they are increasingly exercising their Data Subject Rights

A noteworthy mention is that individuals are increasingly familiar with and actively exercise their rights under the GDPR: 72% have heard of the GDPR, with 40% knowing what it is. Awareness is highest in Sweden (92%) and lowest in Bulgaria (59%). Additionally, 68% are aware of a DPA responsible for data protection, with 24% knowing which authority it is. Awareness of DPAs is highest in the Netherlands (82%) and lowest in Austria (56%) and Spain (58%) (2024 Eurobarometer survey as referenced by the Commission’s report). While these statistics show an increased awareness of the existence of data protection rights, understanding of the GDPR still needs to be improved, as evidenced by many trivial or unfounded complaints received by DPAs.

Nonetheless, several user-friendly digital tools have been developed to make it easier for data subjects to exercise their rights. Additionally, by adopting the Data Governance Act the Commission hopes to increase the number of such tools. Industry stakeholders have stated that the right to erasure is increasingly used, while the right to rectification and the right to object are rarely used.

Right of access: The most frequently invoked is the right to access (Art. 15 GDPR). Controllers report that they are challenged with “unfounded or excessive requests”, managing high volumes of requests, and dealing with requests unrelated to data protection. Civil society organizations note that responses to access requests are often delayed or incomplete, while the data received is not always in a readable format. Public authorities claim to have difficulties with resolving the interaction between the right of access and rules on public access to documents.

Right to portability: The Commission has adopted initiatives that facilitate easier switching between services, supporting competition, innovation, and user choice on the right to data portability. The Report makes reference to the role of the Data Act in enhancing data portability for users of smart devices, requiring products or servers to support this technically, and to the Digital Markets Act, which mandates effective data portability for users of core platform services, particularly those provided by “gatekeepers”. Other initiatives, such as the Platform Work Directive, the European Health Data Space Regulation, and the Framework for Financial Data Access Regulation, aim to bolster portability rights in specific sectors. Interestingly, the Report does not include any data on portability-related requests under the GDPR or complaints related to portability. 

Right to lodge a complaint: The large number of complaints received shows that there is broad awareness of the right to lodge complaints with DPAs. However, civil society organizations continue to point out inconsistencies in how complaints are handled across Member States. The Commission maintains that its legislative proposal on procedural rules should address these issues. Regarding collective redress, although few Member States have allowed non-profit bodies to take independent action under GDPR Article 80(2), the Representative Actions Directive, effective from June 2023, is expected to harmonize this process by facilitating collective actions for GDPR breaches.

Protection of children’s data: The EU and national authorities have increasingly implemented measures to safeguard children online, notably with the introduction of the Digital Services Act and its provisions to enhance children’s privacy and safety on online platforms. This policy priority has equally reflected in the data protection field, with DPAs working together to promote child protection in advertising and recently fining social media companies for GDPR violations when processing children’s data. Other key developments include the upcoming  EDPB guidelines on children’s data processing, and the creation of a task force on age verification to support the development of an EU-wide approach to age verification, under the auspices of the Digital Services Act Board. Age verification will be included in the European Digital Identity Wallet, which should be available to all EU citizens and residents in 2026. 

4. The position of DPOs and the availability of soft law tools need improvement  

The Commission’s Report focuses on the GDPR’s role in establishing a level playing field, noting how companies have embraced an internal data protection culture, recognizing it as a key competitive factor, thanks to its flexible compliance framework through soft law tools such as Codes of Conduct, certification mechanisms, and standard contractual clauses (SCCs). However, several shortcomings are identified, both from the perspective of stakeholders and regulators. From companies, it is noted that the use of soft law tools needs improvement, arguing that the development of Codes of Conduct has been limited due to bureaucracy and lack of engagement from DPAs. In particular, SMEs report that, despite the benefits of tailored support by DPAs, they still perceive compliance as complex and fear enforcement, as inconsistent approaches remain across Member States. The report calls on DPAs to proactively engage more and provide practical tools and guidance. 

EU data protection officers (DPOs) are also addressed by the Commission’s Report: despite being well-regarded as independent experts, several challenges are mentioned, such as difficulties in their appointment, lack of resources, additional non-data protection tasks, and insufficient seniority, with the EDPB calling for enhanced awareness-raising and support from DPAs to ensure that DPOs can effectively perform their duties under the GDPR. 

5. The GDPR is described as a cornerstone for the EU’s new legislative rulebook in the digital sphere

Since the 2020 Report, several EU legislative initiatives have complemented or specified GDPR rules to address emerging areas, some of them being proposed specifically to enhance data sharing. The Commission highlights several files, some completed, some still under legislative action: the Digital Services Act, the Digital Markets Act, the AI Act, the Directive on Platform Work, the Political Advertising Regulation, the Interoperable Europe Act, the anti-money laundering package, the Data Governance Act, the Data Act, and the European Health Data Space. Notably, the Commission includes the proposed e-Privacy regulation among the digital policy initiatives building on the GDPR. The report highlights that all new legislation must align with the GDPR and the Court of Justice case law interpreting it.

With multiple digital rules on the horizon, cooperation across various regulatory areas, such as data protection, competition law, consumer law, and cybersecurity, is needed. In its Report, the Commission notes that close cooperation is crucial when addressing issues such as the compatibility of “pay or OK” models with EU law. 

New digital regulations often establish specialized structures, such as the Digital Markets Act high-level group and the European Data Innovation Board, to coordinate enforcement. DPAs actively engage with other regulatory bodies through groups and task forces to ensure coherent and complementary actions. However, there is a need for more structured and efficient cooperation, especially for cross-border issues affecting many individuals, while ensuring that each authority remains responsible for compliance within their jurisdiction. The Report highlights that Member States should enhance national-level collaboration to support this.

6. Global ambitions continue with new adequacy decisions, trade agreements featuring data protection provisions, and enforcement cooperation agreements with third countries 

The Commission assesses that, since 2020, the concept of “international transfers” under the GDPR has been updated to reflect the CJEU  Schrems II ruling, which further clarified the level of protection provided by different transfer instruments to ensure that the GDPR is not undermined, as well as the assessment of the level of protection, with data exporters having to consider both the safeguards set out in the transfer instrument, as well as the relevant aspects of the legal system where the data importer is located. The Report also notes that the Schrems II ruling has also been reflected in the guidance of the EDPB, which updated its “adequacy referential”.

The Commission, therefore, provides a comprehensive update of the next steps in its global cooperation efforts since the Schrems II ruling. Following the invalidation of the adequacy decision for the EU-US Privacy Shield, the EU and the US developed the EU-US Data Privacy Framework: introduced by an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, the Commission followed suit, adopting an adequacy decision, with a first review set to take place in 2024.

New adequacy decisions in conformity with the latest interpretation have also been adopted, while others are expected soon: The Commission has adopted adequacy decisions for South Korea and the UK (with a “sunset clause” expiring in 2025). Adequacy talks are ongoing with Brazil, Kenya, and international organizations such as the European Patent Organisation. The Commission is also engaging with various countries globally to expand the network of adequacy decisions. Periodic reviews of existing decisions are also taking place, the most recent being Japan in 2024. The Commission also highlights the role played by these decisions as a strategic tool for improving EU relations and promoting regulatory convergence with third countries.

The Report calls for streamlining of the BCR approval process

The Report also praises the development of additional instruments beyond adequacy decisions, such as new SCCs, which introduce updated safeguards aligning with GDPR requirements, a modular approach offering a single entry-point covering various transfer scenarios, increased flexibility for the use by multiple parties, and a practical toolbox to comply with the Schrems II decision. The SCCs were welcomed by stakeholders, with feedback indicating that the SCCs remain the most used tool for transfers by EU data exporters.

The stakeholder feedback points out that model clauses are increasingly central to global data flows, with several jurisdictions having endorsed the EU SCCs as a transfer mechanism under their own data protection laws, with limited formal adaptations to their domestic legal order (for instance, the UK and Switzerland). Other countries have also adopted model clauses that share important common features with the EU SCCs (for example, New Zealand and Argentina). Moreover, the report exemplifies the creation of model clauses by other international and regional organizations or networks, such as the Council of Europe Consultative Committee of Convention 108, the Ibero-American Data Protection Network and the Association of Southeast Asian Nations (ASEAN), noting that this opens up new opportunities to facilitate data flows between different regions based on model clauses and providing the EU-ASEAN Guide on the EU SCCs and ASEAN model clauses as a concrete example.

In addition to SCCs, binding corporate rules (BCRs) remain prominent for data transfers between members of corporate groups or among enterprises engaged in a joint economic activity: since the adoption of the GDPR, the EDPB adopted 80 positive opinions on national decisions approving BCRs. However, the report calls on DPAs to streamline the BCR approval process, which stakeholders describe as long, complex, and detrimental to their broader adoption.

Privacy and Data Protection will Continue to be Featured in Trade Agreements

Highlighting the successful inclusion of data protection safeguards in recent EU agreements with, for example, the UK and Canada, the Report argues that integrating data protection safeguards within international agreements for ensuring effective and secure data flows will continue to be featured in further agreements, highlighting the Second Additional Protocol to the Cybercrime Convention, and the EU-U.S. bilateral negotiations on an agreement on cross-border access to electronic evidence for criminal matters.

The position of the Commission as a proponent of strong provisions to protect privacy and boost digital trade at the World Trade Organization in the ongoing negotiations on the Joint Statement Initiative on electronic commerce is also highlighted, noting that since the GDPR came into force, privacy and data flow provisions have been consistently included in EU free trade agreements, notably in the EU-UK Trade and Cooperation Agreement, in the agreements with Chile, Japan and New Zealand. At the same time, discussions are ongoing with Singapore and South Korea.

The Commission plans to negotiate enforcement cooperation agreements with third countries, such as the G7 members 

The Report also details that the Commission has maintained an active role in global privacy discussions on a bilateral (i.e. national governments, regulators, international organizations and especially with EU candidate countries) and multilateral level (i.e., contributing to the Consultative Committee on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)), engaging in discussions at G20 and G7, and with regional organizations like ASEAN and the African Union). Over the following years, it remains to be seen how the Commission takes such engagement further, particularly with regard to negotiating enforcement cooperation agreements. 

7. Concluding Reflections: next steps for the GDPR? 

The report concludes that to achieve the twin goals of GDPR – strong protection for individuals while ensuring the free flow of personal data within the EU and safe data flows outside the EU – there needs to be a focus on: 

• Robust enforcement: accelerate the adoption of GDPR procedural rules;
• Support: proactive support from DPAs to assist SMEs and stakeholders in GDPR compliance; 
• Consistency: ensure uniform GDPR interpretation and application across the EU;
• Effective cooperation: enhance collaboration among regulators;
• Global action: advance the Commission’s international strategy on data protection.

The Report notes that EDPB and DPAs are invited to fully use cooperation tools under the GDPR so that dispute resolution is used only as a last resort, and Member States are called to ensure that DPAs maintain full independence and receive adequate resources, including technical expertise, to address emerging technologies and new responsibilities in the context of a growing body of digital legislation. Within this ecosystem, the Commission will address the need for effective cross-regulatory cooperation to ensure consistent application of EU digital rules while respecting DPAs’ roles in the supervision of personal data processing.

Notably, after counting its successes and shortcomings in this second Report, the Commission is not calling for the reopening and updating of the GDPR. 

Editors: Dr. Gabriela Zanfir-Fortuna, Bianca-Ioana Marcu