DATA PROTECTION
EU: Multistakeholder Expert Group to Commission publishes evaluation of the GDPR.
The Multistakeholder Expert Group on the General Data Protection Regulation (GDPR) to the European Commission published its report on the application of the GDPR.
In particular, the report highlights positive developments including an increase in data protection compliance and awareness of data protection rules, alongside greater controls for individuals over their data. The report outlined increased use of the right to access and right to erasure but conceded that there is still a lack of awareness among data subjects about their rights and how to exercise them in practice. Notably, with regard to the right not to be subject to automated decision-making under Article 22 of the GDPR, the report asked for greater clarity on the interplay between the GDPR and the EU Artificial Intelligence Act (AI Act).
The report also considered concerns that the exercise of the right not to be subject to automated decision-making raised competition issues and worries amongst businesses that explaining automation could reveal sensitive information and jeopardize business secrets. On data portability, the report suggested that the lack of awareness of data portability owes to the potential absence of standardization of data formats and the potential risk that in porting data to another organization, organizations may affect the rights and freedoms of others.
The report also notes concerns about the application of data protection principles under the GDPR, including data minimization and storage limitation. Likewise, the report detailed that many organizations are concerned about compliance with transparency obligations under the GDPR, particularly in the use of vague or overcomplicated terms considered not to be in line with the GDPR.
In addition, the report noted concerns surrounding the application of the GDPR in line with other regulations, such as the EU's anti-money laundering (AML) obligations and the Payment Services Directive (PSD2). Likewise, concerns were made apparent surrounding the adoption of Standard Contractual Clauses (SCCs) for data transfers to controllers and processors outside the EU whose processing is subject to the GDPR because of legal ambiguity surrounding applicable requirements which have not yet been addressed by the European Data Protection Board (EDPB). The issue is further complicated by potentially conflicting advice issued by national data protection authorities on cross-border data transfers. The report noted similar concerns on the enforcement of the GDPR in cross-border cases, and that lack of coordination between data protection authorities and differences in national procedures resulted in slow and inconsistent decisions.
In particular, the report highlights positive developments including an increase in data protection compliance and awareness of data protection rules, alongside greater controls for individuals over their data. The report outlined increased use of the right to access and right to erasure but conceded that there is still a lack of awareness among data subjects about their rights and how to exercise them in practice. Notably, with regard to the right not to be subject to automated decision-making under Article 22 of the GDPR, the report asked for greater clarity on the interplay between the GDPR and the EU Artificial Intelligence Act (AI Act).
The report also considered concerns that the exercise of the right not to be subject to automated decision-making raised competition issues and worries amongst businesses that explaining automation could reveal sensitive information and jeopardize business secrets. On data portability, the report suggested that the lack of awareness of data portability owes to the potential absence of standardization of data formats and the potential risk that in porting data to another organization, organizations may affect the rights and freedoms of others.
The report also notes concerns about the application of data protection principles under the GDPR, including data minimization and storage limitation. Likewise, the report detailed that many organizations are concerned about compliance with transparency obligations under the GDPR, particularly in the use of vague or overcomplicated terms considered not to be in line with the GDPR.
In addition, the report noted concerns surrounding the application of the GDPR in line with other regulations, such as the EU's anti-money laundering (AML) obligations and the Payment Services Directive (PSD2). Likewise, concerns were made apparent surrounding the adoption of Standard Contractual Clauses (SCCs) for data transfers to controllers and processors outside the EU whose processing is subject to the GDPR because of legal ambiguity surrounding applicable requirements which have not yet been addressed by the European Data Protection Board (EDPB). The issue is further complicated by potentially conflicting advice issued by national data protection authorities on cross-border data transfers. The report noted similar concerns on the enforcement of the GDPR in cross-border cases, and that lack of coordination between data protection authorities and differences in national procedures resulted in slow and inconsistent decisions.
