GDPR: How to move forward
The General Data Protection Regulation (GDPR)'s enforcement, and redress mechanisms, according to data privacy experts, require an urgent review.
At the European Data Protection Supervisor conference on the future of data protection protection and enforcement, Estelle Massé, Europe legislative manager and global data protection lead at digital rights group Access Now, said that "changing the GDPR for a new set of data rules is not a solution, because we would be left with different legislation and the same model to operate with." Instead, she insisted that enforcement must alter.
According to Anna Fielder, president of the consumer advocacy group European Digital Rights, the GDPR needs to have more comprehensive enforcement. She thinks nongovernmental organizations that are willing to look into complaints and pursue collective redress, like consumer rights organizations and privacy campaigners, should collaborate with data protection authorities (DPAs). She claimed that this would lead to increased transparency, quicker resolutions, and better resource use.
Professor of European and Transnational Public Law at the University of Luxembourg Herwig Hofmann thinks the procedures for reaching verdicts in cross-border GDPR cases need to be improved. He listed clear deadlines for lead supervisory authorities to make a decision as one of his most important recommendations.
DPAs will need to have adequate budgets and resources, according to Vice-President of the European Commission Vra Jourová, in order to live up to the expectations of effective regulation. She added that in order to enforce the GDPR and other data-related laws, such as the upcoming Digital Services Act, Digital Markets Act, and Artificial Intelligence (AI) Act, regulators will need "an army" of knowledgeable individuals. DPAs will have to lobby national governments for better funding in order to accomplish this, she said.
According to some experts, the GDPR and other laws intended to control Big Tech and data-driven businesses are already outdated and unable to effectively monitor new technologies and how they use data.
The issue with trying to regulate new technology, according to Michael Veale, an associate professor at University College London, is that developers (and the businesses using the technology) frequently act as "rule setters" even when the services they provide violate the GDPR.
Consent issues are a common issue. For instance, if someone wants to use a service, they have to accept a broad set of conditions. "Look at cookie banners: It is impossible for an individual to meaningfully consent to a situation where a click means you have given 315 vendors the right to your personal data. We have a situation where companies are setting out what compliance should look like rather than what it should actually be," according to Veale.
Axel Voss, a member of the European Parliament, stated, "when we drafted the GDPR, we never discussed concepts like AI or the Metaverse, so the GDPR is never going to cover these emerging technologies and their impact on personal data."
Voss also questioned the focus of many DPA investigations, especially in light of the relatively small number of fines imposed on Big Tech companies in comparison to the hundreds levied against other kinds of businesses, government agencies, and people.
"It is best to focus on the companies and players that can do the most harm, rather than focus on those companies that may cause harm but not mean it or where the level of harm caused is relatively low," according to Voss. Treating every organization equally, he continued, "does not make sense."
By fLEXI tEAM