Europe’s ongoing competitiveness will increasingly depend on the ability of companies to analyse and leverage data. Over the coming years, several new laws - such as the Digital Services Act, the Digital Markets Act, the Data Act and the AI Act - will enter into force, designed to regulate how data may be used. However, it is principally the GDPR that determines how personal data may be used. For this reason, it is important to discuss and analyse the impact consequences of GDPR. Further proposals for the upcoming evaluation were presented in the publication ‘What’s still wrong with GDPR’ and provided the topic for a seminar at the Brussels office of Swedish Enterprise’s during May.
From a market perspective, any relevant regulations should be clear, applicable and proportionate, and encourage a level playing field for competition. However, when businesses are asked whether they are compliant with the GDPR, only around 40% of smaller companies say they are compliant, while among larger companies, 87% claim to be, according to a survey from Swedish Statistics on behalf of the Swedish Entrepreneurship Forum. Fewer say they have sufficient knowledge; between 37-84%. When the Swedish Authority for Privacy Protection asked data protection officers, they said compliance is about 46% amongst employees. After five years of the GDPR, it’s reasonable to ask why these numbers aren’t higher and what needs to be done to get the data economy and the digital transition secure and successful.
According to Helena Silling, Head of Global Legal Data & Privacy at Securitas, the GDPR is based on two pillars. The first of these is to provide stronger protection and control for individuals in an increasingly digitised world; the second is to enable and facilitate the flow of data within the EU/EEA, in order to strengthen innovation and competition. However, the data world is a complex place, she explained, and striking the correct balance between these two pillars is not always easy. Individuals seek products and services that help in their daily life and many services and products only seek to process identification data or contact details. Yet the GDPR requirements remain the same, irrespective of the nature of the personal data.
However, there are potential solutions for realising the foundations and core pillars of the Regulation in a better-balanced fashion. A business must always prioritise the handling of personal data, the purpose of the processing within services and products, the identification of risks to the individuals’ rights and freedoms. In order to achieve transparency, and to give the individual the desired control, the privacy aspect must be built in from the outset, and treated as part of procurement, development and change. This is achieved through ‘privacy by design’.
More alarming still is the heavy administrative burden. The level of detail is identical for all processing activities, even when the activity in question is harmless by nature. The lack of room for a risk-based approach is neither proportionate nor acceptable. Not least, third country transfers are consuming resources. Is there typically any actual harm likely to arise from business contact details being transferred to, or accessed from, for example, the US, wonders Helena? She suggested that there should perhaps be a whitelist created for certain categories, purposes or types of data.
Another question she posed was “What had happened to the free flow of personal data to enable innovation within the EU?”. She suggested that applying requirements based on the outcome of data processing, rather than on each individual act of processing, would enable the analysis of large datasets with limited risk of harm to individuals.
Svetlana Stoilova, Internal Market Department Advisor in BusinessEurope, stressed that the GDPR is necessary, and that none of the constructive criticisms being expressed by BusinessEurope should be seen as in any way questioning the need for the GDPR. Our data economy must be able to provide protection for our citizens while still permitting businesses to realise the full potential for making great technological forward leaps. The European Commission should review the extent to which the application of the GDPR is indirectly hampering the use of certain technologies and - in the interests of technological neutrality - deliver solutions for how innovation can truly thrive.
Five years down the line, companies are still trying to figure out the opportunities and the limits afforded by the GDPR. This is a Regulation that balances the right to data protection against other rights and freedoms in the charter; however, we must also remember that the freedom to conduct business is also enshrined within the Charter.
This is why the GDPR discussion is twofold; one side is concerned with making sense of the GDPR, particularly given the challenges faced by businesses over the past years in compliance. The other is what to include for suggestion to the European Commission for its 2024 evaluation of the GDPR.
Maintaining data protection and conduct business are not, and should not, be mutually exclusive. The latest Edelman Trust Barometer has again shown that businesses are most trusted entities, followed by NGOs and governments. This highlights that fact that businesses bear quite a heavy responsibility to their customers. Successful businesses are successful because their customers buy their products or services. Businesses will compete on the basis of having better a product or a service, and on the basis that they provide value for customers within the framework of the law. For this reason, Regulations such as the GDPR must be enforced in such a way that it supports the business environment, enabling companies to grow; it should not be an obstacle.
Overly strict interpretations of the GDPR within companies and during enforcement - combined with heavy fines for non-compliance - could lead to a “better safe than sorry” attitude when dealing with GDPR-related issues. This is essentially disproportionate, and risks leading to missed opportunities, a drag on growth and a reduction in competitiveness. For example, SMEs ask individuals for permission to use their data, even where it is not necessary. Such overzealous efforts by SMEs are created not only by a concern to be compliant for fear of DPA retribution - or through a lack of guidance - but also because finding an answer to their questions often takes considerably longer than actually carrying out the consent request itself.
As part of its GDPR evaluation, the European Commission needs to factor in an assessment of the true cost of compliance. This needs to take account of both the initial upfront cost of setting up a consumer-facing service or product as well as the continued compliance cost when rights are being exercised.
BusinessEurope aims to uphold the GDPR as an important standard for privacy protection. At the same time, it recognises that this could limit the potential for Europe to be leaders in the global competition for future strategic technologies, such as Artificial Intelligence (AI) and blockchain. This is a particular risk where the GDPR is applied in a formalistic, rather than strategic, manner.
Another element that the European Commission needs to evaluate is the extent to which the free movement of personal data - and the associated restrictions - are actually happening? Article 1 of the GDPR states that “The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”
In general, SMEs should not be obliged to hold records of processing activities, unless the processing is more than occasional or involves special category of data or poses a risk to the rights and freedoms of individuals. Nevertheless, the vagueness of the statement “the processing is not occasional” leads to the de facto inclusion of SMEs within the provision of the GDPR. This example is one reason, Svetlana Stoilova concluded, why greater clarity is needed and should be addressed during the evaluation.
GDPR must be seen through the prism of the regulatory landscape that currently exists, and there is a high awareness of GDPR. It is also a data protection model that has been exported to other countries, explained Olivier Micol, Head of Unit Data Protection, Directorate-General for Justice and Consumers at the European Commission.
On the topic of whether privacy protection is a guaranteed right or not, Micol pointed out that this remains debatable, and is a topic where there is an ongoing discussion about which rights carry the greatest weight. The European Union Court of Justice, the EUCJ, provides preliminary rulings that are important in being able to seek clarifications. The latest regulations, such as the Digital Services Act, the Digital Markets Act and the Data Act use the GDPR as a tool. In some cases, other regulations may limit one or more legal bases, but they do not change the GDPR.
On the need for guides, Micol says that there is no other framework with more guidelines than GDPR. Nevertheless, the EDPB and the European Commission have been working on developing interpretation and enforcement guides for the implementing authorities. In addition, a new guide - on anonymisation techniques and the processing of personal data with the support of legitimate interest - is underway.
GDPR