GDPR successfully meets data privacy objectives, UK’s reopen plan lacks data protection guidance
Two years after it came into effect, 69 percent of Europe’s residents aged 16 and over are familiar with GDPR and 71 percent know about their national data protection authority, but there is still room for improvement in terms of data portability, reports the EU Fundamental Rights Agency.
The EU Commission has published a GDPR evaluation report, noting it has achieved its primary objectives of empowering citizens through data ownership, awareness of data privacy and their right of access, rectification, erasure, the right to object and the right to data portability, and the objective of establishing a new administration and regulation enforcement system across Member States.
“The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection. We can do better though, as today’s report shows,” Didier Reynders, Commissioner for Justice, said in a prepared statement. “For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights. The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with Member States, so that the GDPR can deliver its full potential.”
The report provides GDPR application guidelines for stakeholders, specifically SMBs, to make data protection part of European culture. This can be done through new tools, toolkits and even helplines at national level.
Amid COVID-19, GDPR has showed flexibility for digital solutions. A number of companies have used GDPR compliance and data protection as a competitive advantage, to set themselves apart in the market.
While harmonization is growing in the EU, some states still display a certain degree of fragmentation, which the Commission will keep an eye on. Data protection authorities across the Union have issued warning and administrative fines to those breaking the rules. The increasing need for support has driven an overall 42 percent increase in staff and 49 percent increase in budget, but not all Member States are taking the same data protection measures.
The EU wants to leverage the full potential of international data transfers, while in partnership with EDPB, it is looking at revamping other data transfer methods such as Standard Contractual Clauses, widely used in data transfers.
In the interest of stepping up international cooperation, the EU is committed to supporting international initiatives such as the Africa-EU Partnership and ‘Data Free Flow with Trust’, and entering agreements of mutual assistance and enforcement cooperation.
“Europe’s data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we are building other polices, such as data strategy or our approach to AI,” Věra Jourová, Vice-President for Values and Transparency, said in a prepared statement. “The GDPR is the perfect example of how the European Union, based on a fundamental rights’ approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution. But we all must continue the work to make GDPR live up to its full potential.”
Thousands of UK small businesses to become data controllers with no guidance
When the UK opens its bars, restaurants, hairdressers and churches on July 4, GDPR fines may spread like the novel coronavirus as businesses have to collect their customers’ contact details and keep them for 21 days for contact tracing.
The country is focusing on keeping a low death rate instead of eliminating the virus, writes Forbes. The UK has decided to keep a distance of one meter instead of the WHO recommended of two, and Prime Minister Boris Johnson says business operators will be responsible for being able to contact all customers for contact tracing in the event that a person with the virus is found to have been in the establishment.
As a result, business owners will have to comply to data protection rules under GDPR. To collect children’s information, parental consent will be required. With a high risk of people not providing accurate information, they might have to show ID.
“We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly,” reads the government memo.
When a similar system was used in New Zealand, a number of privacy and abuse concerns were raised.
Trust Stamp has recently introduced a tool that provides biometric privacy-protecting location-tracking with cryptographic anonymization and matching algorithms, and other digital identity providers, many of them based in Britain, offer similar tools for selectively sharing personal information.