It is fair to say no recent piece of legislation has had quite the same impact or attracted the same level of interest as the General Data Protection Regulation (GDPR) has in the three years since it came into force.
With its bold claims that it would set the benchmark for how organizations need to ensure data protection and respect people’s privacy, and its bolder provisions about how it can punish wrongdoing with eye-watering fines worth up to 4 percent of a company’s global turnover, the GDPR has been at the forefront of compliance concerns since even before the regulation took effect.
Yet, despite its achievements in trying to harmonize enforcement and data protection practices throughout the European Union, problems have become evident. Different countries have different enforcement appetites and approaches, cross-border collaboration and decision-making are slow and time-consuming, and no data protection authority (DPA) appears to have the resources necessary to do its work as effectively as it would like—especially when faced with complaints against Big Tech firms.
Some are already questioning whether the regulation—and the way it is regulated—are fit for purpose and whether the GDPR needs to be changed (and to what extent).
European Data Protection Supervisor Wojciech Wiewiórowski, whose role is to oversee how the GDPR is implemented in EU institutions, believes the law “has created incredible harmonization, but that does not mean it is 100 percent satisfactory.”
While he believes “the benefits of the GDPR are generally positive compared to what was in place before,” Wiewiórowski says “differences in national law between the 27 EU member states will always mean that enforcement can be different from one country to the next, which can lead to problems understanding case law.”
One key area where differences have become apparent is in the GDPR’s one-stop shop mechanism, where one DPA acts as the “lead” in cross-border privacy complaints.
Wiewiórowski believes there is a “danger” that a lack of consensus in the decision-making process could lead to DPAs “disowning decisions they don’t like” while the lead supervisory authority is forced to uphold a decision with which it disagrees. He says the one-stop shop is “not practical.”
Ireland’s Data Protection Commission—the only DPA to go through the Article 60 and 65 processes—has said the mechanism is “unsustainable.”
“Only the European Commission can make changes to the one-stop mechanism, and there is currently no political will to do so,” says Wiewiórowski.
Several DPAs are supportive of what the one-stop shop is trying to do, though some have reservations about its effectiveness. Maria Wilhelm, head of the European Department for the Commissioner for Data Protection and Freedom of Information in Baden-Württemberg, Germany, believes the one-stop shop is “a great idea in theory,” but adds that “practical use must always be reflected upon and improved.”
“The advantage of the one-stop shop is that it enables DPAs to give feedback, which is no bad thing and leads to the improvement of the final decision itself,” says Wilhelm. “It helps regulators work toward a common understanding of GDPR enforcement, which is so much better than the piecemeal regime we had in place before the GDPR came into effect.”
While there has been criticism of the slowness of the one-stop shop’s cross-border dispute settlement procedure, Wilhelm points out Article 65 of the GDPR has only been used once so far—by the Irish Data Protection Commission in the Twitter case.
“The fact that so few cases have gone through the Article 60 and 65 processes illustrates how well the GDPR works in practice for the majority of cases,” she says.
David Stevens, chairman of the Belgian Data Protection Authority, believes DPAs “probably could—and should—have made a better one-stop shop mechanism before the GDPR came into effect.”
“The one-stop shop mechanism requires collaboration and resources, but the time and budget it takes for a DPA to draft a decision that then goes to 26 other EU DPAs to examine and consult over is substantial. We need to have a process that enables quicker and more effective decision-making,” he says.
Stevens also questions whether it is appropriate for one DPA to act as lead supervisory authority just because a company has nominated that authority to be its regulator.
“Why can’t we be allowed to defend the rights of our national citizens just because a company isn’t headquartered in Belgium or because we are not the lead supervisory authority?” he asks.
It is not just the one-stop shop that might need to be streamlined. According to Stevens, there is no mechanism within the GDPR for national DPAs to simply adopt decisions other EU DPAs have made against companies about which they share the same concerns. Instead, each DPA must make its own decision based on its own investigation—a process that will further drain resources, he says.
For example, Stevens applauds the action Italy’s DPA has taken to block access to social media app TikTok for users under 13 years of age and backs Germany’s recent move to ban Facebook from using data from WhatsApp users (even though Facebook owns the company). However, these regulatory interventions are confined to Italy and Germany, respectively, and cannot be simply transplanted into the national laws of other EU countries.
“Italy and Germany’s concerns around privacy with TikTok and Facebook are shared in Belgium and other countries, yet each DPA will have to go through the process of examining the same issues by themselves and at significant cost because there is no shortcut mechanism under the GDPR simply to incorporate the same decisions,” says Stevens. “We would have more harmonization if DPAs could simply replicate and incorporate into national law the decisions other DPAs have made that also impact their own citizens, but we can’t do it.”
Will to adapt in question
Some experts’ criticisms of the GDPR are much more fundamental and not limited to just certain aspects of it. Axel Voss, a member of the European Parliament who was closely involved in how the GDPR was drafted, believes the regulation has failed to achieve what it was supposed to; has led to massive bureaucracy and compliance costs; severely hampers Europe’s digital transformation; and needs an urgent overhaul.
He is also highly critical of the one-stop shop principle, which he says has “helped big companies to escape liability due to the disproportionate workload or reluctance of some DPAs to impose sanctions.” He proposes other “concerned” DPAs should be allowed to play an active role in scrutinizing organizations’ compliance with the GDPR, thereby supporting the leading DPA of the country where the company is based—a position that might have significant tacit support among some data regulators.
In a position paper released Tuesday, Voss outlines several “conceptual flaws” with the GDPR. The “one-size-fits-all” approach, for example, makes no distinction about the size of the organization that is processing data, what it is using that data for, or its ability to comply, he notes.
He adds that the regulation also fails to consider how different industry sectors use data and how reliant they are on it, the kinds of technology they use, or whether the data processing they are carrying out is low or high risk. Further, he says some of the concepts upon which the GDPR is based date back to the 1980s; cloud usage and Big Data are not even considered in it, while emerging technologies such as the Internet of Things and blockchain run counter to what the law is trying to achieve—minimizing data and enabling the right to be forgotten.
“Miscalculations are part of policy-making, and we are responsible for fixing them,” says Voss. “Yet, many of my colleagues disregard that major problems exist or do not see a reason to fix them immediately.
“The European Parliament had a chance to call for a revision of the GDPR in a resolution back in March and did not use it. Meanwhile, the Commission does not want to open the ‘Pandora’s box.’ Thus, the political will of revising the GDPR is still lacking.”