Swedish Enterprise welcomes the launch of the long-awaited consultation by the European Commission to review how the GDPR has been applied. While the objective of ensuring personal data protection is vital, some of the provisions introduced six years ago pose significant challenges. Having had time to analyse the GDPR’s impacts in practice, we now know much better what needs to be tweaked and improved. The Confederation of Swedish Enterprise wants to be an active partner to the Commission in improving the GDPR and therefore provides concrete recommendations as the revision kicks off.
Regulations need to be applicable, proportionate and ensure a level playing field in order to enable fair competition and promote competitiveness. When regulations are supplemented by extensive secondary legislation and guidelines, compliance becomes more difficult. Many companies simply lack the financial means and expertise to map out the regulatory landscape, and the complexity gives many the feeling of a “mission impossible”. When companies are asked if they comply with GDPR, only about 40% of smaller companies say they do, while 87% of larger companies claim to do so. When surveyed, data protection officers said compliance is around 46% among employers. After six years with the GDPR, EU policy makers should ask themselves why these numbers are not higher and what needs to be done to make the data economy and the digital transition secure and successful.
The GDPR has increased awareness about the importance of data protection and strengthened the information security culture in many organisations, as internal procedures for data discovery and audit trails have improved – especially in sectors with a high uptake of digital technologies. This is very good.
At the same time, the heavy and costly administrative burden caused by GDPR leads to frustration among businesses. It is challenging to ensure that employees are adequately informed about the company’s privacy practices and that new or changed processing activities are reflected in records of processing activities and privacy notices (Article 30).
There is a widespread feeling of GDPR fatigue among businesses, including a sense that their compliance efforts will never be enough. One measure that would serve data protection is clarity about the rights of data subjects, especially with regard to their limitations.
There are still several misunderstandings about the legislation. For example, the use of consent is problematic: it should be a last resort, not the preferred option. It also remains debated when the appointment of a data protection officer becomes mandatory and what tasks the data protection officer should perform.
The GDPR was meant to lead to a uniform application of data protection rules throughout the EU/EEA, which would allow for a level playing field. However, this did not prove to be the case, as Member States have the right to derogate at national level in relation to, for example, the processing of special categories of personal data (Article 9), the processing of personal data related to criminal convictions and offences (Article 10) and the obligation to appoint a Data Protection Officer (Article 37). This has a negative impact on cross-border activity and is an obstacle to the creation of a truly seamless single market. In addition, there are national practices fragmenting the Regulation’s application, with the biggest problem being the different perceptions of the use of legitimate interest. The use of this legal basis is central to innovation, marketing, and competitiveness.
We would like to point out the need to revise certain articles, e.g., Article 22. Meaningful explanation and human intervention in automated decision-making is a right that has rarely been exercised. However, as the use of AI solutions increases and becomes a competitive space, it should be considered that an explanation of automation can reveal sensitive business information. Therefore, we would like the Commission to consider clarifying in the GDPR that the meaningful declaration is balanced with the rights and freedoms of others, such as the right to the protection of property and trade secrets, and that it covers situations with actual legal effects, including what qualifies as such effects.
The Confederation of Swedish Enterprise will provide detailed comments to the Commission on additional articles of the GDPR to be improved during the upcoming consultation.