2 Years Under the EU GDPR

It has been two years since the EU General Data Protection Regulation (GDPR) entered into application. We have witnessed the first positive impacts of the law but also the challenges authorities, courts, and people have faced in its enforcement. The past 12 months have proven particularly demanding for the protection of personal data and the application of the law as the European Union - and the world - has faced significant political and health crises. 

In our first GDPR progress report, published in May 2019, we wrote: "for most, 2018 was the year of data protection awakening in Europe. Still, for the GDPR to reach its full potential, 2019 must be the year of enforcement." As it turned out, however, the last 1 year has been a time of crisis. From public health to political crises, human rights abuses to administrative backlog, a series of challenges have put the robustness of the GDPR to test. 

In this report, we look at how the multiple crises of the last year have impacted the application of the GDPR. We will start by addressing some of the internal challenges, wherein the mechanisms established for enforcement of the GDPR have begun to show their limitations, with a particular focus on the lack of cooperation among data protection authorities (DPAs) and the lack of resources to do their work. We will then analyse how external crises, such as the United Kingdom's decision to leave the European Union and the COVID-19 outbreak, are further challenging the application of the law. We close this report by putting forward a list of recommendations to enable the European Commission, EU states, and DPAs to address the hurdles here identified with the application of the GDPR.

Download the Report