The European Union’s independent data protection authority has released its 2018 annual report, which indicates that companies are still struggling to adapt to the General Data Protection Regulation, which took effect last May.
“So far, rather than adapting their way of working to better protect the interests of those who use their services, companies seem to be treating the GDPR more as a legal puzzle, in order to preserve their own way of doing things,” European Data Protection Supervisor Giovanni Buttarelli wrote in the report.
“We should expect this to change over the coming year, however,” added Buttarelli. He presented his report Tuesday to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs.
The supervisor office, which hears and investigates privacy-related complaints, received 298 complaints in 2018, a 111 percent increase over 2017.
While 240 of the complaints were inadmissible as they related to data processing at a national level rather than by an EU institution or group, the remaining 58 complaints spurred in-depth inquiries, a 132 percent increase compared with the number of complaints that led to investigations in 2017.
One admissible complaint highlighted in the report centered on an unnamed EU institution that organized an international conference and required attendees to submit scanned copies of their passports or identity cards to register for the event.
The supervisor office found that the “institution could have used a less intrusive means of verifying the identity of participants, such as checking passports or ID cards at the entrance to the conference and comparing them with the information submitted online.”
“We also noted that in certain [EU] Member States it is illegal to photocopy passports unless justified by the law,” the report added.
The institution in question also asserted that the registrants consented to have their personal data transferred to the authorities of the EU member state where the conference was being held. But the supervisor office disagreed, concluding that consent had not been given freely because it was a requirement for attending the conference.
The report also details the supervisor office’s efforts to prepare for the GDPR, which took effect on May 25, 2018. Wojciech Wiewiórowski, assistant supervisor, said in the report that the office updated its guidance documents, provided training sessions, and held visits and meetings with EU institutions ahead of the GDPR.
The GDPR’s enactment spurred the simultaneous creation of the European Data Protection Board, which is composed of 28 EU member state data protection authorities and the supervisor office and oversees the consistent implementation of the GDPR throughout the EU.
Last year, the board adopted 26 opinions, including a new opinion on the European Commission’s proposed rule to protect personal data and privacy during the collection of electronic evidence in criminal matters.
While the EU saw major data privacy regulatory changes last year, Buttarelli stated in his report that he “deeply regret[ed]” that the European Commission’s draft ePrivacy Regulation had not taken effect alongside the GDPR. The former protects electronic communications while the latter concerns data privacy.
“Only by concluding a new ePrivacy Regulation, which accurately reflects and supports the principles outlined in the GDPR, can we ensure that the fundamental rights of data protection and privacy are fully respected,” Buttarelli wrote.