More work needs to be done to improve regulatory harmonization and enforcement if Europe’s “gold standard” privacy regulation is going to achieve its goals, according to an expert panel speaking last week at Compliance Week’s virtual Europe event.
David Stevens, president and chairman of the Belgian Data Protection Authority (DPA), said the General Data Protection Regulation (GDPR) is “the start of a culture of data protection” that offers significant improvement on the EU’s previous legislative efforts. However, challenges remain.
“The GDPR needs to be made more future-proof than it is today,” said Stevens, though he added the regulation “is more flexible than we think.”
Stevens conceded there is a lack of common understanding among data regulators over how even basic concepts should be implemented nationally, interpreted, and enforced.
To improve the current situation, he said there needs to be more focus on enforcement of the rules, as well as better coordination among the EU’s 27 members when tackling cross-border inquiries.
Stevens said it makes sense for DPAs to adopt decisions other DPAs have made against companies they might have the same concerns about, rather than see each DPA pursue its own investigation or hand it over to the lead supervisory authority to investigate.
For example, Stevens applauded the action Italy’s DPA took to block access to social media app TikTok for users under 13 years of age. However, such regulatory intervention is confined to Italy and cannot be transplanted into the national laws of other EU countries, even though data regulators in other countries share the same concerns.
“It would be better for us to rely on each other’s efforts to help with harmonization,” said Stevens. “Also, for companies like TikTok, it is more complex to change their technology for Italy alone than to do it worldwide or for Europe as a whole.”
Like Stevens, Axel Voss, a German member of the European Parliament who was involved in drafting the GDPR, believes decisions taken in one country should apply everywhere in the European Union.
“We need much more harmonization in terms of alignment with all the interpretations of the regulation,” he said. “What was intended to be one data protection law for the whole of the EU is not yet in effect.”
Voss said while the intention behind the regulation is not failing, it is stifling data-driven innovation in areas like artificial intelligence and hampering Europe’s competitiveness by “lagging behind new technologies.” He added the caveats around the circumstances in which data can be processed “simply leads to confusion.”
“The GDPR already lags behind developments in new technology such as data mining, cloud computing, blockchain, and biometric data,” he said. “The processing of data is getting more complex, and the idea within the GDPR of data minimization only works in a world where industries are not data-driven.”
As a result, he said, many of the concepts that form the basis of the GDPR are “not up to date in a digital world,” so the legislation needs to be revised and modernized.
Voss was also critical of some regulators’ approaches to enforcing the rules as “not focusing on the real issues.”
In particular, he questioned those DPAs whose “risk-based” approach means they focus on widespread (but low-level) GDPR compliance problems that are much less harmful than the data abuses Big Tech firms commit.
“If regulators are looking at how small- and medium-sized enterprises might not be GDPR compliant, then they are not focusing on the largest companies that can cause more harm, more widely,” he said.
Neither Voss nor Stevens believes there is much chance in the short term of the regulation being modified to address such problems. Instead, both hope the European Data Protection Board, the EU’s overarching regulator in charge of overseeing the GDPR, will take a more active role in improving coordination and information sharing between DPAs.
During a separate session at CW’s event, Wojciech Wiewiorowski, the European Data Protection Supervisor, whose role is to oversee GDPR compliance among the EU’s institutions, told attendees he also could not think of a “silver bullet” solution for the challenges of the GDPR. The law’s biggest problem “is the differences within the administrative procedures among each of the countries” in how they prioritize and investigate complaints, he said.
Wiewiorowski also dismissed any notion that the GDPR would be reformed within the next three years.
“There is no possibility of any changes being made to the GDPR until 2025, when the terms of the current European Commission and European Parliament will have ended. There is no political will to act before then to change any part of it,” he said.