With a major review scheduled for 2024, the EU will use the months ahead to reflect on where the GDPR stands moving forward. Is an overhaul needed to improve enforcement, and how will the bloc react to alternative approaches?
The 2024 GDPR review will enable EU institutions to take stock of its successes and failures
GDPR 2.0?
Nearly eight years after its adoption, the GDPR’s impact on society is unquestioned. But like any law, as our society develops, the GDPR must also evolve to reflect changing circumstances or risk becoming a drag on innovation. EU policymakers are acutely aware of this issue and have continuously undertaken various initiatives to provide guidance and resolve the deficiencies of the GDPR, especially when it comes to the regulation’s effective enforcement. Nevertheless, fundamental challenges persist, requiring serious evaluation and action.
By May 2024, the European Commission will undertake a comprehensive review and
report on the application of the GDPR, sparking rumours of a “GDPR 2.0”. However, questions remain over whether the GDPR really needs a complete overhaul, and concerns persist over whether there is the political will to make the amendments identified by the comprehensive review. One area recognised as needing attention is the facilitation of international data transfers. In particular, the need to establish a more reliable and futureproof legal framework and adequacy decision with the US.
While the review is unlikely to result in a total upheaval of the GDPR, legal guidance and further examinations of possible alternative solutions will emerge in 2024, paving the way for possible legal amendments in the coming years.
The EU will not seek to join the Global CBPR Framework
Watching on closely
While the EU is unlikely to propose solutions within the next year, we can already consider alternative approaches. The Global Cross-Border Privacy Rules (CBPR) Forum, established in 2022,[1] provides an alternative model for international data flows by facilitating the free flow of data for certified entities between signatories by enabling interoperability between data protection frameworks of the signatory jurisdictions. The UK, US, Australia, Canada, Japan, Korea, Mexico, the Philippines, Singapore, and Chinese Taipei are already part of the forum.
While the EU is unlikely to join this voluntary certification scheme anytime soon – it doesn’t want anything to dilute the sanctity of the GDPR – a move towards a more flexible, multinational system of mutual recognition and reciprocity is certainly noteworthy.
There is emerging international recognition regarding the potential benefits of an international agreement that establishes baseline and commonly agreed standards and protections on certain crucial aspects of data transfers. This includes public sector bodies and fair access to data. Establishing such standards will enable the recognition and reciprocity of national legal frameworks and the development of fairer, clearer, more efficient data transfer agreements or frameworks between jurisdictions. The EU will learn from the CBPR in 2024, taking note of its successes for future discussions on alternative international regimes.
Global discussions on the need for internationally recognised data protection standards will grow
The importance of adequacy decisions
To ensure the EU remains competitive, open, and influential in the global arena, the GDPR provides several mechanisms to enable businesses and organisations to transfer data between the EU and third countries. The most cost-effective and least burdensome method, however, is an adequacy decision by the EU with a third country. This enables the continued seamless flow of data while upholding the protection of citizens and their data without further obstacles or actions on behalf of businesses.
During the first review of the GDPR in 2022,[2] the European Commission explicitly recognised that adequacy decisions are “the most comprehensive, straightforward and cost-effective solution for data transfers” and are “an essential tool for EU operators to safely transfer personal data to third countries”. The Commission thus committed to intensifying dialogue with selected third countries in view of possible new adequacy findings. Despite this, the reality and practical application of adequacy decisions do not align with the value and priority placed on facilitating international data flows.
EU-US relations
In 2023, the third EU-US Data Privacy Framework was once again challenged in court. It is a decade since Max Schrems filed his first complaint – 10 years of EU businesses, citizens, and regulators operating without legal certainty and with increased costs regarding their closest and most important partner.
The need to address this issue ultimately facilitates the development of international data transfer mechanisms through a system of mutual recognition and reciprocity of standards. These may include international agreements on fair access to data by government and national security services.
Workable solutions
Aside from the agreements with 11 countries adopted under the 1995 General Data Protection Directive, which were carried over under the GDPR and the agreement with the UK upon its departure from the EU, the bloc has only concluded two other adequacy decisions since it entered into force. The first was with Japan in July 2018, followed by a second with South Korea in December 2021. This, along with the failure of two – perhaps three – data-sharing frameworks with the US, is a clear illustration of a systemic flaw with the EU’s General Data Protection Regulation when it comes to adequacy decisions.
This flaw in the GDPR has resulted in a situation where the EU sets and evaluates an artificial and unachievable standard of equivalence. While an adequacy decision does not require identical provisions and protections as guaranteed by the GDPR, a level of protection that is comparable or essentially equivalent must be provided by the third country. Differences are bridged through the negotiation of additional safeguards. In practice, however, we can see from the example of the EU-US data-sharing framework that this “bridge of additional safeguards” merely acts as a bandaid, covering but not resolving the underlying legal differences between the two jurisdictions. To provide a workable solution, a fundamental change is needed that enables more flexibility to recognise and work with the reality of third countries’ legal regimes.
