Tomorrow, the General Data Protection Regulation (GDPR) will celebrate five years since its entry into application. To mark the occasion, Věra Jourová, Vice-President for Values and Transparency, and Didier Reynders, Commissioner for Justice, issued the following statement:
"Five years ago, in 2018, a pioneering act entered into application: the General Data Protection Regulation (GDPR). This landmark legislation has empowered citizens to truly gain control over their data and has created a level playing field for businesses. The GDPR has been a decisive step in shaping the digital transition in the EU. Not only have we set global standards for the safe regulation of data flows, but we have also created the foundation for a human-centric approach to the use of technology.
The GDPR has strengthened and harmonised a fundamental right to data protection for all citizens in the European Union. Individuals are now entitled to know which of their data is being used and for which purpose. They can exercise their rights to access, correct and erase their data.
At the heart of the GDPR lies trust. Trust for citizens that their personal data are safe. Trust for businesses in the competitive advantage that our regulatory framework provides. Looking back, we have successfully created a modern data protection culture in Europe, which has been a source of inspiration also in other parts of the world. There is more and more appetite from our international partners, from the Americas to Asia or Africa, to raise privacy standards across the world and, in this way, also facilitate the free and safe flow of data. This is a win-win for citizens, international trade and cooperation.
Enforcing the GDPR is a task entrusted to the independent national data protection authorities, and its thorough application remains a top priority for us. This is why we will soon propose new legislation to harmonise certain procedures of cooperation between data protection authorities on cross-border cases — of which there have been more than two thousand since 2018. It is also crucial that Member States provide their national data protection authorities with adequate resources for their important work. Since the entry into application of the GDPR, over €2.5 billion in fines have been imposed by the national data protection authorities for breaches of the GDPR.
The GDPR is future-proof. It is the foundation of the EU's arsenal of digital laws that shape the EU data economy, such as the Data Act and Data Governance Act. We saw it during the COVID-19 pandemic: the Regulation has allowed us, and will continue to allow us to guide the safe development of new technologies. The GDPR is, and will continue to be, a major tool for the EU to rise to contemporary challenges, and set a gold standard of data protection, both at home and abroad."
Background
The General Data Protection Regulation has been in force since 25 May 2018. The GDPR is a single set of rules aimed at protecting individuals with regard to the processing and free movement of personal data. It strengthens data protection safeguards, provides additional and stronger rights to individuals, increases transparency, and ensures that those that handle personal data are accountable. Under the GDPR, national data protection authorities have stronger and harmonised enforcement powers. It also creates a level playing field for all companies operating in the EU market, regardless of where they are established; ensures the free flow of data within the EU; facilitates safe international data transfers and has become a reference point at global level.
National data protection authorities are in charge of enforcing the application of these rules and are coordinating their actions thanks to the new cooperation and consistency mechanisms within the European Data Protection Board (EDPB). The Board issues guidelines on key aspects of the GDPR to support its consistent application. Since the entry into application of the GDPR, more than 700 final one-stop-shop decisions have been taken by the data protection authorities. Furthermore, the EDPB has issued nearly 50 guidelines and recommendations, which build a solid interpretative framework of the GDPR.
On 24 June 2020, the Commission published a first report on the application of the GDPR. The report found that the regulation offered citizens a strong set of enforceable rights and proved to be flexible to support digital solutions in unforeseen circumstances. The next report on the application of the GDPR is due in 2024.
Anticipating this report and in response to the EDPB call to the Commission of October last year, the Commission announced in its 2023 Work Programme that it would propose a legislative initiative to improve cooperation between data protection authorities when enforcing the GDPR. The proposal, which will be presented still this year, will establish a more targeted harmonisation of key aspects of the administrative procedures that are applied in cross-border cases.
On 27 April 2023, the EDPB launched the EDPB Data Protection Guide for small businesses. The Guide aims to raise awareness about the GDPR and to provide practical information to SMEs about GDPR compliance in an accessible and easily understandable format. The Guide contains an overview of handy materials developed by the national data protection authorities for SMEs, including through actions co-funded by the Commission.
