The European Commission plans to assess the effectiveness of its General Data Protection Regulation, which came into force in May 2018, by asking for input to inform a report set to be released next month.
The GDPR is designed to ease intra-EU data flows and third-party compliance with the bloc’s rules. The framework contains principles required for the European Commission to determine that an adequate level of data protection exists for companies based in third countries; it also harmonizes personal data protection regulations across all 28 EU member states.
The U.S. has called the bloc’s approach to data protection overly restrictive and innovation-stifling. The two sides are addressing this divergence in approaches to privacy and cross-border data flows in the World Trade Organization’s plurilateral talks on e-commerce, which began last year.
“The Commission will report on the application of the General Data Protection Regulation, two years after its entry into application,” the Commission said in an April 1 press release. “It will include the issue of international transfer of personal data to third countries and the cooperation and consistency mechanism between national data protection authorities.”
Comments are due by April 29, the release states.
While many U.S. stakeholders have acknowledged that the GDPR was a necessary first step in advancing privacy laws, they have also cautioned that the policy may be costly and onerous.
A June 2019 study from the Center for Data Innovation said the GDPR “has not produced its intended outcomes; moreover, the unintended consequences are severe and widespread.” Specifically, the global technology think tank contended that the policy was not consistently implemented across member states and said it negatively affected the EU’s economy and businesses.
Isabelle Roccia, senior policy manager for Europe, the Middle East and Africa at BSA | The Software Alliance, said the EU must assess whether the GDPR has worked as intended.
“The GDPR is one of the most advanced and widely accepted versions of privacy law globally,” she said in a statement to Inside U.S. Trade this week. “As the Commission conducts its GDPR review, it will be important to assess if GDPR worked as intended to successfully harmonize data protection laws throughout the EU and beyond for two reasons: First, so that consumers know and trust what privacy controls they have, regardless of where they are in the EU; and second, so that businesses know what their obligations are, which improves the EU single market.”
Additionally, as the GDPR review progresses, it will be imperative to “strengthen data flows mechanisms that are currently under threat in European Courts,” Roccia continued. “It is critical to ensure the continuity of GDPR transfer tools so that businesses can continue to protect personal data, innovate, and responsibly service customers globally.”
BSA | The Software Alliance, which bills itself as the leading advocate for the global software industry, is calling on countries around the world to use all “mechanisms and fora at their disposal to reach convergence on privacy,” she added, pointing to the G7, G20 and the Asia-Pacific Economic Cooperation forum.
“[W]hether that’s through the G7, the G20, APEC, bespoke agreements such as the EU-U.S. Privacy Shield, or through free trade agreements. Privacy laws don’t have to be identical, but they do need to be interoperable. This makes it easier for privacy systems to work together, which is essential in today’s global economy,” Roccia concluded.
