The GDPR: How it changed the data protection landscape and how it can be improved

By Cecilia Dahl

On the 24th June 2020, the European Commission published its hotly anticipated two-year General Data Protection Regulation (GDPR) implementation report. This report looked at all of the key topics and areas that the GDPR has impacted and the areas in which it will require some improvement and clarification. The report also hails the undoubted success of the GDPR and its achievements, most notably creating the foundation of a truly European data protection culture.

For businesses, the GDPR has been immensely successful in shining a spotlight on digital privacy, data protection rules and privacy policies. With the principles of transparency, lawfulness and fairness at its core, the regulation has provided much-needed clarity as to what organisations can and cannot do with personal data, and has placed data protection at the forefront of companies’ and citizens’ minds.

However, although the GDPR was a significant success and milestone for data protection rules, there is still some room for improvement. There is a need for further harmonisation amongst the European Member States, alongside up-to-date guidelines and interpretation of certain provisions that affect the uptake of emerging technologies.

Fragmentation

For businesses in particular, harmonisation of Member States' rules is paramount to consistency of operation and to reducing barriers for organisations looking to utilise personal data. However, the flexibility of the Member State derogations granted under the GDPR has allowed for wide variances in some rules.

For example, the GDPR allows Member States to decide upon the age of consent for children, ranging from 13 to 16 years old. This has resulted in a situation where nine Member States set the age of consent for children at 16, eight at 13, six at 14 and three at 15 years old.

Therefore, a business looking to operate across Europe will need to ensure that its policies are aligned with each Member State's rules, ultimately going against the grain of the GDPR's harmonisation purpose. This is a clear example of the obstacles still standing in the way of Europe operating under one harmonised set of data protection rules.

Legal uncertainty for emerging technologies

Although the GDPR is technologically neutral, meaning that it is designed to be future-proof, there still remain some hurdles the GDPR must overcome to prove the accuracy of this principle.

As Europe embraces digitisation, more and more businesses are reliant on emerging technologies such as artificial intelligence (AI), blockchain and the Internet of Things (IoT). The future of European businesses lies in these technologies. The GDPR has to be robust enough for businesses to comfortably harness this new technological horizon.

However, national Data Protection Authorities (DPAs) are each producing their own guidance, which has an impact on European businesses looking to adopt emerging technologies. For example, some DPAs are producing restrictive guidance on the role of ‘consent as a legal basis’ for processing personal data. This restrictive approach could be harmful for the development of AI algorithms, as consent must be clear, concise and withdrawable at any point.

In addition, guidance on the role of data subjects’ rights in relation to emerging technology is also much needed. One of the key user rights is the right to erasure: a citizen can ask for their personal data to be erased at any given point. However, this might prove problematic for blockchain algorithms, as they rely on the collection and input of data that cannot be tampered with or removed.

Therefore, European businesses require much-needed clarity on the rules in order to embrace digital transformation, alongside consistent alignment of guidance amongst national DPAs.

International data transfers

Another key component for the growth and prosperity of European businesses is the ability for organisations to transfer personal data across borders to third countries. The GDPR has multiple mechanisms to enable this, such as adequacy decisions, Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

With regard to adequacy decisions, these provide the most cost-effective and straightforward solution for data transfers, as such transfers are treated like intra-EU transmissions. However, at present the EU has adopted adequacy decisions for only 13 countries, and the process of finalising these decisions is time-consuming and prone to many delaying obstacles.

The most relied-upon mechanism for data transfers to third countries is SCCs, which are a legal agreement reached by the data exporter and data importer and subsequently signed off by the competent Supervisory Authority (SA). However, in light of the ‘Schrems II’ ruling of 16th July 2020, the SCCs are currently being revised by the European Commission, and it is vitally important that the transition between the old and the soon-to-be updated SCCs is seamless, as any disruption could be immensely impactful for businesses.

In its ruling in the ‘Schrems II’ case, the Court of Justice of the EU (CJEU) validated SCCs but invalidated the EU-US Privacy Shield agreement, which is a data transfer agreement between the US and the EU. In addition, embedded within the Court's ruling was a further stipulation on companies’ obligations when utilising SCCs: companies must now assess the laws of the third country in order to determine whether they meet standards equivalent to those of the GDPR.

It is now essential that the EU and US authorities negotiate a replacement for the EU-US Privacy Shield agreement, and that the European Commission swiftly adopts updated SCCs, providing clear and concise guidance in conjunction with the European Data Protection Board (EDPB).

Conclusion

For businesses to grow and expand, one of the most important factors is the continuity and consistency of the legal frameworks that regulate their operations. One of the main goals of the GDPR was updating and harmonising the data protection framework in Europe across Member States. In many respects, the GDPR did achieve this goal. However, there is still room for improvement.

The GDPR is a robust and versatile legal framework, allowing some of its interpretation to be broad and less restrictive. However, the derogations granted to Member States have allowed for variances in defining key terms, which opens the door to narrow, restrictive definitions.

This fragmentation can be very harmful for businesses looking to grow in Europe, as rules may vary from one Member State to another. It will be impossible for innovative European SMEs to grow and scale in the EU if each Member State has its own interpretation of all regulations in Europe. It is evident from the European Commission’s two-year GDPR report that rectifying this situation will be a priority in the coming years, and that we may even see amendments to the Regulation looking to bring Member States’ rules into closer alignment.