.png)
.png)
The European Commission recently concluded a comprehensive four-week consultation period, running from January 11 to February 8, inviting stakeholders from various sectors to share their views on the General Data Protection Regulation (GDPR), marking its sixth year since enactment. This consultation aimed to gather feedback on the efficacy of the GDPR and identify areas for potential improvement.
During the consultation, companies, privacy professionals, lawyers, and other stakeholders were encouraged to provide their opinions on the GDPR, including its strengths, weaknesses, and areas where it might be lacking. The feedback obtained from this consultation holds significant weight and could lead to adjustments in the rules and potential changes to enforcement mechanisms employed by data protection authorities (DPAs), particularly concerning cross-border cases under the "one-stop shop" mechanism.
"One of the key concerns raised during the consultation is the evolving technological landscape and its impact on data usage, particularly with the proliferation of artificial intelligence (AI)," said Serena Tierney, a senior consultant at Ignition Law. "Some stakeholders argue that the GDPR may not fully address the challenges posed by AI-driven data processing activities, leading to legal uncertainties and compliance challenges."
Tierney emphasized the need for legislative clarity regarding the use of personal data in relation to AI. "At present, it is not clear whether using information scraped from the internet, such as social media posts, constitutes 'processing of personal data,'" she explained. "The use of AI tools trained on datasets created in this way, as well as their creation in the first place, is currently subject to legal uncertainty which should be resolved."
Another issue raised during the consultation is the varying interpretations of the GDPR by different DPAs and the perceived disparities in enforcement attitudes across member states. "The GDPR provides for effective enforcement, but responsibility still rests on the coordination of the members of the EDPB and the individual DPAs to use their powers effectively," said Robert Grosvenor, managing director at Alvarez & Marsal. "Cooperation has typically been based more on the art of diplomacy and mutual interests than effective pan-European enforcement practice."
Grosvenor suggested the possibility of establishing a central EU body responsible for enforcing cases with significant pan-European impact. "More could be done by the EDPB to focus on real outcomes rather than perceived data privacy concerns," he added.
Despite these concerns, experts generally agree that the GDPR provides a solid foundation for data protection and privacy rights in the digital age. However, there are concerns about compliance practices. "Much of the irritation to both individuals and business about GDPR is caused by clumsy compliance practices," said Tierney. "Far better to drive understanding and implementation of best practice, which is essentially a job for the regulator."
Sophie Stalla-Bourdillon, senior privacy counsel at Immuta, underscored the importance of moving beyond superficial compliance efforts and prioritizing robust data security measures. "Many organizations choose to comply with GDPR in a cosmetic way," she remarked. "Simply ticking a compliance box often doesn’t reflect the reality on the ground, where basic data security could still be lacking."
Overall, the conclusion of the GDPR consultation reflects ongoing efforts to evaluate and refine the regulatory framework to address emerging privacy challenges effectively. By soliciting stakeholder feedback and considering expert insights, policymakers aim to ensure the continued effectiveness of the GDPR in safeguarding individuals' privacy rights in the digital era.
By fLEXI tEAM