The EU’s landmark General Data Protection Regulation (GDPR) has fundamentally changed how personal privacy is respected and protected. However, cracks in the foundations of this framework have appeared, with the emergence of new technologies leaving the GDPR’s long-term viability in doubt.
While businesses have undertaken extensive measures to ensure GDPR compliance, European data privacy regulators and experts have sought to support businesses by providing implementation guidance. Nonetheless, a lack of clear and consistent interpretation and application of the regulation leaves businesses in a state of legal uncertainty.
Legal uncertainties in data processing and transfer for businesses
Two primary legal uncertainties faced by businesses include interpreting the correct lawful basis for data processing and adequate data transfer mechanisms. The former was illustrated by the Irish Data Protection Commission’s (DPC) recent Facebook and Instagram decision. Following an initial decision in 2018 that established reliance on ‘contract’ as an appropriate legal basis for data processing for the personalised service, businesses of all sizes relied on this interpretation. Earlier this year, this was overturned following consultation from the European Data Protection Board (EDPB), with the DPC determining ‘consent’ as the appropriate legal basis.
The European Commission has recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing an adequate level of data protection as per the GDPR to permit the free flow of data with the EU. However, the European Union’s largest trading partners, including the United States and India, are not recognised. An adequacy decision provides businesses with an effective, cost-efficient and legally reliable framework to enable their continued cross-border operations. Without this, companies become overburdened, creating barriers to international growth.
For EU-US data sharing, the invalidation of GDPR’s privacy shield has increased both compliance costs and legal uncertainty. The Biden Administration’s efforts to restore the EU-US Data Privacy Framework by raising data protection standards are encouraging, but this framework will face legal challenges, while wider global data transfer issues remain.
Challenges to GDPR: emerging technologies and new regulations
As the data economy grows, the EU relies on industry’s innovation to realise this opportunity for continued economic growth. To achieve this, businesses require clear regulations. Two issues are apparent: the applicability of the GDPR to new technologies, and its interplay with other regulations.
The decentralised nature of blockchain technologies poses a direct challenge to the GDPR, which relies on the identification of data controllers and processors. Furthermore, the question of how principles like the right to be forgotten can be applied to the immutable nature of public blockchains remains unclear. The French data protection authority, CNIL, attempted to define the roles and called for stakeholders to question the necessity of using blockchain technology for their processing operations, confirming the challenges regulators face when applying GDPR to emerging technology.
Cloud, machine learning, and artificial intelligence are among the areas that EU officials have attempted to regulate in recent years – each challenging the GDPR’s principle of data minimisation. However, the necessity of big data for the optimisation of essential services makes finding a balance difficult, as shown by the development of the Data Act and AI Act. The advent of the metaverse is also creating challenges based on its inherently data-driven nature, with users reportedly displaying 20 million unique readings of body language in 20 minutes.
What potential frameworks can the European Union look to strengthen its data ecosystem?
The underlying objectives of the GDPR are undoubtedly of paramount importance. However, a more effective mechanism to uphold the protection of European citizens’ privacy that balances the European economy’s ability to grow and compete in a globalised world is needed. A key element in strengthening Europe’s data ecosystem is global openness; that is, forming a data protection regime through multilateral consensus rather than unilateral decision-making.
The OECD has been a leading forum to drive discussions and build international alignment on data protection standards. Equally, the G20 and G7 are important forums to build consensus on global data frameworks – visible, for example, via the G7’s intention to create International Data Spaces and promote data free flow with trust (DDFT). In addition to participating in these fora, the EU can also learn from the APEC Cross-Border Privacy Rules System (CBPR) Global Forum, which was established in April 2022 to facilitate multinational cooperation in promoting the interoperability of approaches to data protection. The data privacy certifications help companies demonstrate compliance with internationally recognised data privacy standards.
Future proofing EU framework for data and data protection
There is a need to clarify the EU legal framework for data while upholding the level of data protection offered by the GDPR. For this, we need a framework that provides clarity and certainty over rights and obligations and allows for consistent judicial interpretation. With regulators globally looking to Europe for best practice on data protection regulation, it is imperative that the EU solves current challenges, both internally and externally. As industry, experts, and regulators wake up to GDPR’s flaws, a narrative is growing that alternative international agreements may be necessary. The EU is well placed to lead the development and implementation of a sustainable, privacy-driven data framework within global multilateral fora. We encourage the EU to capitalise on the opportunities presented above.
Access Partnership is constantly monitoring developments in data privacy and security regulation. We liaise with stakeholders from the public and private sectors, as well as international organisations and regulatory bodies, to deliver cutting-edge insight and beneficial outcomes. If you would like to know more, please contact Lydia Dettling at firstname.lastname@example.org or Rory Gilliland at email@example.com.