Market Intelligence
Information and Communication Technology EU Laws and Regulations

EU General Data Protection Regulation (GDPR) Recently Re-Evaluated

Since the EU General Data Protection Regulation (GDPR) entered into force in 2018, the European Commission has published two reports on its application*. The second report, published in July 2024, provides an extensive overview of the regulation’s performance and challenges since its implementation, from the Commission’s perspective.  Overall, the report finds that the GDPR has delivered positive outcomes for individuals, businesses, and society, despite facing challenges related to procedural efficiency, resource constraints, and varying interpretations.  However, the report finds that continued efforts are needed to harmonize enforcement, support small- and medium-size enterprises (SMEs), and further adapt regulatory frameworks at the member state level to ensure compliance with GDPR.  Below is an overview of the second report’s key findings on the international dimension of data transfers and suggestions for future steps.

GDPR Transfer Toolbox:  The GDPR transfer toolbox offers mechanisms such as standard contractual clauses (SCCs), adequacy decisions, binding corporate rules (BCRs), and other tools to ensure data protection when transferring outside the EU.  These instruments require transferred data to maintain protection equivalent to EU standards.

Adequacy Decisions:  The European Commission now uses adequacy decisions as strategic tools for broader international cooperation.  Adequacy decisions simplify personal data transfers without additional safeguards, ensuring adequate protection and enhancing trade and regulatory cooperation.  The EU-U.S. Data Privacy Framework (DPF) is supported by an adequacy decision.  The EU also has adequacy decisions for data transfers with the United Kingdom and Republic of Korea.

Instruments Providing Appropriate Safeguards:  The EU modernized SCCs in 2021, consistent with the implementation of GDPR in 2018, providing flexible templates for various transfer scenarios, and ensuring compliance with GDPR and Schrems II requirements.  BCRs remain popular for intra-group transfers, though approval processes are lengthy.  Efforts are ongoing to streamline adoption of BCRs and other mechanisms like certifications and codes of conduct. The Commission is developing new SCCs for scenarios where non-EU data importers fall under GDPR, addressing risks like local laws and EU Member States' government access to data.

Complementarity with Other Policies:  Data protection increasingly complements other domains, such as trade, law enforcement, and digital security. The Commission integrates data protection into broader international policies to facilitate secure global data exchanges.

International Cooperation on Data Protection:  The Commission supports non-EU countries in developing and implementing data protection frameworks through direct involvement in privacy regulations, expertise sharing, and training via the Enhanced Data Protection and Data Flows project.  The Commission has established the Data Protection Academy, which trains non-EU data protection authorities, fostering exchanges between EU and third-country data protection authorities in order to build capacity, improve cooperation, and promote best practices.  The Commission also seeks to establish enforcement cooperation agreements to align regulatory actions for cross-border privacy violations.  The European Commission also advocates for shared data protection principles via its contributions to multilateral fora like Convention 108, the G20, and the G7. The EU also contributes subject matter expertise to the OECD’s Data Free Flow with Trust (DFFT) initiative, which promotes continued data security for international data exchanges.

Legal Instruments and Mutual Assistance:  There is a recognized need for appropriate legal instruments to facilitate closer cooperation and mutual assistance between EU and third-country regulators, especially to address cross-border privacy violations effectively. The Commission aims to open negotiations for enforcement cooperation agreements with relevant third countries, particularly G7 countries and/or countries with adequacy decisions.

Challenges and Next Steps:  The report concludes by noting the EU is committed to expanding international cooperation on data protection, aligning privacy regulations globally, and tackling challenges associated with cross-border data flows and enforcement.  To reach that end, the Commission noted its intention to continue work on:

  • Cross-Border Privacy Violations - As privacy violations often have effects across borders, the Commission has highlighted the importance of cooperation between EU and non-EU regulators to address these challenges, including emphasizing the need for mutual assistance agreements to ensure effective investigation and enforcement.**
  • Negotiations and New Cooperation Agreements - The Commission intends to seek authorization to negotiate enforcement cooperation agreements with third countries, including exploring ways to support the exchange of information in investigations, ensuring a level playing field for entities operating in both EU and non-EU jurisdictions.

*Note: The first report on the evaluation and review of the General Data Protection Regulation was issued on June 6, 2020, two years after the Regulation entered into force. To read the full report: Communication from The Commission to The European Parliament and The Council

**Note: Enforcement of the GDPR:

  • Takes place on a national level in EU Member States.
  • Fines for severe non-compliance can reach up to 4 percent of a company’s annual worldwide turnover or 20 million euros.
  • Each Member State appoints a Data Protection Authority (DPA) responsible for monitoring and enforcing the law.
  • Each Member State applies its own procedural and administrative rules to any GDPR enforcement procedure.

More information: GDPR Enforcement Tracker.

For additional information, please contact Tea Jardas, Commercial Specialist, U.S. Mission to the European Union.