Close panel

Close panel

Close panel

Close panel

Big Data 18 Sep 2020

GDPR: Positive outcomes after two years of application

On May 25, 2020, the General Data Protection Regulation celebrated its second year of entry into application. As envisaged in the standard itself, the European Commission performed an assessment on its application and functioning over this period of time, taking into account the feedback provided by associations, companies, consumers and EU institutions. The commission has finally released the corresponding findings, which concludes that, on top of having a very positive impact, the COVID-19 crisis has demonstrated that the Regulation is prepared for the new digital age

Ana Segovia (BBVA)

First of all, the Commission expresses its satisfaction about the increased protection that the Regulation has proven to offer citizens. In an economy that is becoming increasingly based on data processing, the regulation has established itself as an essential tool to ensure that personal data are treated in a legitimate, fair and transparent manner. Transparency enables people to play a more active role in controlling their data in the digital world.

In addition, over this period of time, users have become more knowledgeable and aware of their rights. According to the Commission, 69 percent of the population over 16 in the EU have heard of GDPR and 71 percent know about their national data protection authority.

For companies, GDPR guarantees a level playing field across the European territory and equal opportunities for them all, regardless of where the data is processed. GDPR contributes to fostering trustworthy innovation by imposing an approach based on risk analysis and the application of principles such as data protection by design and by default. Respect for privacy has turned into a competitive element, playing an increasingly relevant role when users choose internet service providers.


The Commission also assesses the new regulatory challenges. Even though it does not propose any profound changes, it does put forth some measures. The report recognizes future challenges in clarifying how to apply the proven principles to specific technologies such as artificial intelligence, blockchain, Internet of Things or facial recognition. Moreover, the Commission underscores the need to guarantee strong and effective enforcement of the GDPR vis-à-vis large digital platforms and integrated companies, in areas such as online advertising and micro-targeting.

The Commission recognizes that some new rights, such as the right to data portability – which has a clear potential by enabling users to switch between different service providers – have not been fully used yet. It discusses several reasons, such as the lack of interoperability or the fact that data is not ported in real time, and states its determination to address this issue as part of the European Data Strategy.

Regarding Regulation monitoring, the Commission expresses its concerns about some national authorities not allocating sufficient human, technical and financial resources urging Governments to allocate more. The report also states that, despite the total number and volume of the fines imposed, the ultimate goal of GDPR is to change the culture and behavior of all actors involved, not to tap into new sources of public revenue.

The Commission identifies the challenge of designing better instruments to guarantee international data transfers outside the EU

The report also emphasizes the need for the European Data Protection Board to fulfill its role coordinating national authorities, setting GDPR interpretation criteria, and suggests an improvement of the one-stop-shop system, conceived to allow companies operating across different countries to engage with a single data protection authority.

Finally, the Commission also identifies the challenge of designing better instruments to guarantee international data transfers outside the EU, an issue of special relevance after the recent ruling of the Court of Justice of the EU invalidating the Privacy Shield, the agreement that enabled data transfers between the EU and the United States.

In conclusion, despite the challenges, the Regulation is considered to have delivered on its goals so far and has become a global standard.