The European Parliament adopted by 483 votes to 96, with 108 abstentions, a resolution on the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application.

General observations

Parliament welcomed the fact that the GDPR has become a global standard for the protection of personal data and is a factor for convergence in the development of norms. The GDPR has placed the EU at the forefront of international discussions about data protection, and a number of third countries have aligned their data protection laws with the GDPR.

The resolution concluded that, two years after its entry into application, the GDPR has been an overall success. Therefore, it is not necessary at this stage to update or review the legislation.

Legal basis for processing

Parliament underlined that all six legal bases laid down in the GDPR are equally valid for the processing of personal data, and that the same processing activity may fall under more than one basis. It is concerned that

controllers often mention all the legal grounds of the GDPR in their privacy policy without further explanation and without referring to the specific processing operation concerned. This practice hinders the ability of the data subjects and the supervisory authorities to assess whether these legal grounds are appropriate.

Concerning valid consent, the resolution noted that the implementation of valid consent continues to be compromised using dark patterns, pervasive tracking and other unethical practices. Individuals are often put under financial pressure to give consent in return for discounts or other commercial offers.

Data subject rights

Parliament stressed that there is a need to facilitate the exercise of individual rights provided for by the GDPR, such as data portability or rights in the context of automated processing, including profiling. It noted that the right to data portability has not been fully implemented in several sectors.

GDPR challenges

The resolution observed challenges to the GDPR such as:

- insufficient means given to SMEs, start-ups, organisations and associations, including schools to manage the application of the GDPR;

- uneven or non-existing enforcement of the GDPR

- lack of cooperation and consistency within national data protection authorities due to different interpretations of the GDPR.

Guidelines

The resolution noted that the COVID-19 pandemic has highlighted the need for clear guidance from data protection authorities on the adequate implementation and enforcement of the GDPR in public health policies, in particular in the context of the use of location data and contact tracing tools.

International personal data flows

Parliament stressed the importance of allowing free personal data flows at international level without lowering the level of protection guaranteed under the GPDR. According to Parliament, international cooperation in the field of data protection and the convergence of relevant rules towards the GDPR will improve mutual trust, foster understanding of technological and legal challenges, and eventually facilitate cross-border data flows, which are of key importance for international trade.

Future Union legislation

Further efforts are needed to address broader issues of digitisation, such as monopoly situations and power imbalances through specific regulation, and to carefully consider the correlation of the GDPR with each new legislative initiative in order to ensure consistency and address legal gaps. The Commission is reminded of its obligation to ensure legislative proposals, such as the data governance, data act, digital services act or on artificial intelligence, must always fully comply with the GDPR and the Law Enforcement Directive.