Calls for GDPR Changes Increase as EU Seeks Input

It’s been about four years, so expect some tweaks to GDPR interpretation of fines and enforcement, said Daryl Crockett, CEO of ValidDatum, a data security and privacy consultancy with offices in the U.S. and U.K. The GDPR is sometimes used as a weapon against individuals and companies, said Crockett. Disgruntled and former employees can launch data subject requests for information as harassment against companies, she noted: The companies have to devote resources to providing documentation for frivolous requests. “If you have enough people doing that at the same time,” it’s akin to a DNS cyberattack, she said: “That can really suck the resources from a company doing business.”

The World Privacy Forum and the Center for Global Development are collaborating on a four-year project with recommendations for the Organisation for Economic Co-operation and Development. One argument in their examination is that the GDPR isn’t “fit for purpose in all jurisdictions,” said WPF Executive Director Pam Dixon. Some countries lack the resources and infrastructure to enforce GDPR-like regulations in order to trade with more developed European nations. “If you care about privacy, you’re going to care about the potential update to the GDPR because” some countries need a pathway to comply with the GDPR, so it’s not an “all-or-nothing” proposition. Certain countries don’t have proper running water and electricity so it’s unlikely they would be able to fully comply with the GDPR, she said.

"I doubt there is any appetite to reopen, at least significantly, the GDPR," emailed Linklaters data protection attorney Tanguy Van Overstraeten, who advises multinationals on privacy. It was the outcome of a nearly five-year, difficult negotiation among the EU institutions, and any attempt to reopen it could upset the delicate balance reached.

Instead, there may be other avenues, such as the growing number of legislative proposals that "are surrounding the GDPR without touching it as such" but that offer an increasing number of situations for data reuse, Van Overstraeten said: These include the proposed data governance, AI and data acts. Another possibility could be for data protection authorities at the EU and national level to take a more risk-based approach to enforcement in line with the accountability principle. The GDPR goal is to ensure the protection of personal data where it is or might be in danger, "not to create a form of protectionism that applies in all situations even when there is no harm or the risk of adverse impact is clearly absent or very remote."

The GDPR's shortcomings have "allowed large tech companies to collect and process personal data in a way that puts news publishers at a major competitive disadvantage, inhibiting their ability to commercialise content and communicate with their subscribers," the European Publishers Council warned on last month's Data Protection Day. A 2020 EPC report on GDPR's impact on publishers said the regulation increased concentration in markets where collection and processing of personal data is important, including online advertising markets on which news publishers heavily depend. "The effects identified in the report are still very much applicable in 2022," a spokesperson emailed.

The European Digital Rights' top priority is better and more harmonized enforcement of the existing rules across the EU, emailed Policy Adviser Chloe Berthelemy. The legislation is still relatively new, and some national enforcers are trying to find their footing. They need more resources, and "there is a dire need to guarantee their political independence and improve their functioning in order to speed up the processing of data subjects' complaints."

"Few will pop open the champagne" for GDPR's anniversary, blogged Center for Data Innovation Senior Policy Analyst Benjamin Mueller. For the many businesses trying to make sense of the measure, "it will be a somber affair" because the regulation "remains mired in confusion and contradiction" that weigh down Europe's digital economy. Mueller noted two cases: A Belgian Data Protection Authority ruling finding the Interactive Advertising Bureau Europe's transparency and consent framework noncompliant, and Austria's Data Protection Authority decision that a website using Google Analytics violates GDPR. The regulation creates de facto data localization rules amounting to digital protectionism, Mueller wrote. French privacy watchdog CNIL also ruled illegal the transfer of Google Analytics website traffic data statistics to the U.S. on the ground that additional measures it adopted to regulate transfers under its analytics function "are not sufficient to exclude the accessibility of this data for US intelligence services," CNIL said Feb. 10.

Freed from the EU, the U.K. government can consider a new direction on data protection, speakers said at a virtual Feb. 9 techUK event. The government sees data as one area where it has flexibility after Brexit to make changes to help the economy, said Member of Parliament and former government minister John Whittingdale, who led the consultation on a new regime. This isn't about "torching GDPR," he said: The government wants high standards of data protection. But there's a strong view that the regulation was vague in some places and that clarity and simplification are needed. The government also wants data to be more easily used for purposes like AI, machine learning and other uses of benefit to society that need massive amounts of data.