EU admits it has been hard to implement GDPR

Official report on data protection regulation notes burden on smaller companies

Europe’s flagship data rules are proving difficult to implement two years after coming into effect, placing a particular burden on small and medium-sized companies and those developing new technologies, an official report has revealed.

A confidential draft seen by the Financial Times found that smaller businesses were particularly affected by the costs of compliance with the General Data Protection Regulation (GDPR).

Meanwhile, a lack of clarity over how the rules relate to emerging technologies has meant regulators have struggled to apply them in fields such as artificial intelligence, blockchain and the internet of things.

“Further challenges lie ahead in clarifying how to apply the principles to specific technologies,” the draft said. “Some stakeholders report that the application of the GDPR is challenging especially for small and medium-sized enterprises (SMEs).”


When the bloc's rules were introduced in 2018 to give online users more control over their data, concerns were raised that they would be overly burdensome for large technology companies such as Google. Since then, however, some privacy groups have argued that the rules do not go far enough in protecting individuals' information.

The official report, set to be published on Wednesday as part of a legal obligation for Brussels to give an update on the progress of the data rules' implementation, also pointed to other areas of difficulty including confusion over how the rules were applied at individual country level.

It highlighted the “lack of a consistent approach” between how data protection authorities in different member states interpreted parts of the GDPR that allowed for some flexibility, for instance the minimum age that children were allowed to consent for social media companies to handle their data.

Some countries have set the minimum age at 16, others at 13, 14 or 15. Officials said that, though this did not constitute an infringement of the privacy rules, such discrepancies need to be “harmonised”.


Despite the challenges, the report also highlighted the benefits of implementing the GDPR during the pandemic, arguing that the framework facilitated communication between data privacy authorities over the implementation of tracing apps to help curb the spread of the disease.

Separately, EU regulators also pointed to rapid and tough action taken by some data protection authorities in enforcing the rules since their introduction. There were 785 administrative fines between May 2018 and November 2019, including a €50 million fine against Google in France because of the way the company obtained consent from users.

In the past Vera Jourova, the EU's vice-president in charge of values and transparency, has said GDPR leads to more "harmonised rules across the single market".

She said: “We have to actively monitor how member states implement the GDPR in their national legislation to ensure that the ‘one continent, one law’ principle is there. We need to help SMEs and we need to see a truly European and vigorous enforcement.” – Copyright The Financial Times Limited 2020