EU member states must respect the “spirit of the GDPR,” Justice Commissioner Vera Jourová said on Wednesday (22 May), after it transpired that some countries on the bloc are yet to bring their national legislation in line with EU rules.
Of the 28 EU member states, Jourová revealed that Greece, Slovenia and Portugal are still lagging behind in compliance with General Data Protection Regulation, which aims to give EU citizens greater control over the use of their personal data.
“Compliance is a dynamic process and does not happen overnight,” Jourová said. “Our key priority for months to come is to ensure proper and equal implementation in the member states.”
“We urge the member states to respect to the letter and the spirit of the GDPR.”
Pressed by EURACTIV as to how quickly the Commission would want to see Greece, Slovenia and Portugal step in line, Jourová said, “as soon as possible.”
She avoided giving a specific date, but also said that one of her objectives was to ensure that the Commission commitment to have “one continent and one law” for privacy legislation was complete by the end of the current mandate, which concludes at the end of October.
Jourová was speaking ahead of the first anniversary of the EU’s landmark data protection on Saturday (25 May). Recent research shows that the regulation has had a substantial impact on privacy awareness in Europe and beyond, with around 145,000 privacy complaints being filed, and up to 90,000 data breaches being brought to the attention of national authorities, according to Commission data.
One of the central challenges, Jourová said on Wednesday, was ensuring that data protection authorities across the EU are sufficiently staffed, in light of the sheer quantity of complaints issued.
She added that the Irish data protection authority had “the most difficult task”, as they are charged with dealing with complaints issued against some of the world’s tech giants, including Facebook.
In addition, research conducted by the International Association of Privacy Professionals (IAPP) shows that around 500,000 organisations are estimated to have registered Data Protection Officers in their organisations, and GDPR enforcement actions have resulted in more than €56 million in fines.
However, Omer Tene, vice president and chief knowledge officer of the IAPP, struck a sober tone in response to the figures, saying that while the numbers look convincing, there is much to be done in terms of updating the practical culture of data protection in EU business.
“In the first year, we’ve seen tens of thousands of complaints and data breaches, but we’ve yet to see much evidence that the GDPR has led to an improvement in organisations’ data practices,” he said.
Moreover, concerns have also been highlighted as to the impact that GDPR could have on emergent technologies, such as Artificial Intelligence.
The Center for Data Innovation has produced a report that demonstrates how GDPR “inhibits the development and use of AI in Europe, putting firms in the EU at a competitive disadvantage in the global marketplace.”
The study states that the GDPR is in need of reform by “not penalizing automated decision-making, permitting basic explanations of automated decisions, and making fines proportional to harm.”
A review of the application of GDPR will take place as part of a Commission event on 13 June. The Commission will make a further report on the success of the measures in 2020.
[Edited by Zoran Radosavljevic]