The resolution welcomes the fact that the GDPR has become a global standard for the protection of personal data and is a factor for convergence in the development of norms. It also welcomes the fact that the GDPR has placed the EU at the forefront of international discussions about data protection, and a number of third countries have aligned their data protection laws with the GDPR.

It concludes that two years after its entry into application, the GDPR has been an overall success, and agrees with the Commission that it is not necessary at this stage to update or review the legislation.

The resolution also acknowledges that until the Commission’s next evaluation, the focus must continue to be on the improvement of implementation and on actions to strengthen the enforcement of the GDPR and that there is a need for strong and effective enforcement of the GDPR in large digital platforms, integrated companies and other digital services, especially in the areas of online advertising, micro-targeting, algorithmic profiling, and the ranking, dissemination and amplification of content.

However, it notes several areas of concern, including:

• in their privacy policy, data controllers often rely on all six lawful bases under Article 6(1) of the processing of personal data without further explanation and without referring to the specific processing operation concerned, which hinders the ability of data subjects and supervisory authorities to assess whether the grounds are appropriate;
• individuals are often put under financial pressure to give consent in return for discounts or other commercial offers, or are forced to give consent by conditioning access to a service through tying provisions, in breach of Article 7 of the GDPR;
• “legitimate interest” is very often abusively mentioned as a legal ground for processing and controllers continue to rely on legitimate interest without conducting the required test of the balance of interests, which includes a fundamental rights assessment;
• some companies continue to breach their obligations under Article 12(1) of the GDPR and fail to provide relevant information around data sharing, including listing the names of the entities with whom they share data, and do not provide information that is simple and accessible;
• enforcement of the GDPR by national data protection authorities is uneven and sometimes non-existent and has not substantially improved compared to the situation under the Data Protection Directive (95/46/EC); and
• supervisory authorities of 21 Member States out of 31 states applying the GDPR, i.e. all EU Member States, the EEA, and the UK, have explicitly stated that they do not have sufficient human, technical and financial resources, premises and infrastructure to effectively perform their tasks and exercise their powers.

To read the report in full, click here.