On 21 January, the Council of the EU adopted its report (PDF) on the application of the general data protection regulation (GDPR). This document feeds into the Commission’s review of the GDPR, due by 25 May 2020.

While emphasising that the GDPR 'has been a success', the Council outlines the issues of application and interpretation of the GDPR that have raised most concerns in the member states so far, including:

  • the challenges of determining or applying appropriate safeguards in the absence of an adequacy decision;
  • the additional work (and resource implications) for data protection authorities (DPAs) resulting from the co-operation and consistency mechanisms;
  • the unforeseen fragmentation of legislation;
  • the new obligations for controllers and processors in the private sector introduced by certain provisions of the GDPR; and
  • the steps to be taken by DPAs to tackle situations where controllers established in third countries fail to designate an EU representative.

The report argues that the Commission should take a similarly broad view in its review of the GDPR and tackle many of these issues raised by member states. The Council also emphasises the need to address the 'extensive influence of [big tech companies] and their business models' as well as to clarify 'how the GDPR is applied to and is able to respond to challenges posed by new technologies as soon as possible'.

While the Council does not suggest any legislative amendments should result from the Commission’s review, member states’ individual comments, which were published (PDF) prior to the adoption of the report, indicate that some may be open to the idea.

In summary:

  • three member states – the Netherlands, Germany and Czech Republic – were interested in re-opening the GDPR, particularly to address the uptake of new technologies;
  • eight member states, most prominently France, argued that, at this point in time, the GDPR should not be re-opened; and
  • nine member states, including Poland, gave feedback but did not express a clear position either way as to the fitness of the GDPR.

One of the comments made by the Netherlands has raised particular concerns. It suggested 'it could be very useful to evaluate whether the tools of the Data Protection Authorities are effective enough to oversee and efficiently address the processing activities of companies that process very large amounts of data' and that DPAs could 'station someone within the company – or even in the board of directors – for a given period of time, to internally oversee the processing activities of the company'.

Based on the above, as well as a series of meetings we had with EU officials on this issue towards the end of last year, re-opening or amending the GDPR is not a decision that would be taken lightly.

Perhaps the strongest argument in favour of amending the GDPR is that it would allow the proposed e-privacy regulation (currently stuck in the Council) to be withdrawn and reincorporated within the GDPR framework.

The Council also emphasises the need to address the 'extensive influence of [big tech companies] and their business models' as well as to clarify 'how the GDPR is applied to and is able to respond to challenges posed by new technologies as soon as possible'.