Data privacy experts believe the mechanisms in place under the General Data Protection Regulation (GDPR) to ensure compliance, enforcement, and redress need revisiting—and quickly.
“Changing the GDPR for a new set of data rules is not a solution, because we would be left with different legislation and the same model to operate with,” said Estelle Massé, Europe legislative manager and global data protection lead at digital rights group Access Now, at the European Data Protection Supervisor conference on the future of data protection and enforcement. Instead, enforcement must change, she said.
Anna Fielder, president of consumer advocacy group European Digital Rights, said there needs to be more integrated enforcement under the GDPR. She believes data protection authorities (DPAs) should work together with nongovernmental organizations, such as consumer rights groups and privacy campaigners, who are prepared to carry out investigations into complaints and pursue collective redress. This would result in greater transparency, quicker resolutions, and better use of resources, she said.
Herwig Hofmann, professor of European and transnational public law at the University of Luxembourg, believes the processes around finalizing decisions in GDPR cross-border cases need to be revised. One crucial recommendation, he said, is for lead supervisory authorities to have clear deadlines in which to reach a decision.
European Commission Vice-President Věra Jourová said DPAs will need appropriate budgets and resources to fulfill the expectations of effective regulation. She added that regulators will need “an army” of skilled people to enforce the GDPR and other data-related legislation, including the upcoming Digital Services Act, Digital Markets Act, and Artificial Intelligence (AI) Act. This will require DPAs to push for better funding from national governments, she said.
Some experts believe the GDPR, as well as other legislation aimed at regulating Big Tech and data-driven business, is already out of date and cannot effectively oversee emerging technologies and the way they use data.
Michael Veale, associate professor at University College London, said the problem with trying to regulate new technology is that developers (and the companies using the technology) often act as “rule setters,” even when the services they offer infringe the GDPR.
A common problem is around consent. For example, if an individual wants to use a service, they must agree to a blanket set of terms. “Look at cookie banners: It is impossible for an individual to meaningfully consent to a situation where a click means you have given 315 vendors the right to your personal data. We have a situation where companies are setting out what compliance should look like rather than what it should actually be,” said Veale.
Axel Voss, member of European Parliament, said, “When we drafted the GDPR, we never discussed concepts like AI or the Metaverse, so the GDPR is never going to cover these emerging technologies and their impact on personal data.”
Voss also questioned the focus of many DPA investigations, especially the relatively small number of fines against Big Tech firms compared to the hundreds against typical companies, public-sector organizations, and individuals.
“It is best to focus on the companies and players that can do the most harm, rather than focus on those companies that may cause harm but not mean it or where the level of harm caused is relatively low,” said Voss. He added treating all organizations in the same way “does not make sense.”