In today’s digital landscape, safeguarding user personal data and fostering innovation are paramount. While the General Data Protection Regulation (GDPR) is often presented as the EU’s golden rule, its interpretation is, at times, too rigid, departing from the intention and the spirit of the law. Europe needs robust data protection that coexists with a strong innovation landscape. To achieve this, we believe it is important to allow a risk-based interpretation of the GDPR, applied consistently across Europe. The GDPR is still fit for purpose – it is rather the interpretation of the text and provisions that needs to be reconsidered in enforcement. By doing so, we can protect users’ privacy rights while encouraging the development of cutting-edge solutions.
GDPR: Still fit for purpose
Since its inception, the GDPR has played a crucial role in safeguarding personal data and ensuring privacy rights across the European Union (EU). Its comprehensive framework has set a global standard, demonstrating that robust data protection is not only necessary but achievable. It has also helped raise citizens’ awareness on the importance of safeguarding their data. The core principles of GDPR remain as pertinent today as they were at its implementation.
The current challenge: Strict interpretations
The main challenge lies in the interpretation of the GDPR by data protection authorities (DPAs). DPAs interpretation should take into account the nature, context and impact on individuals of the personal data processing activities and avoid a one-size-fits-all-approach. As required by Recital 4, “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”. Accordingly, DPA should balance data protection with other fundamental rights such as the freedom of expression or the right to conduct a business.
The need for consistent interpretation
There is a notable lack of consensus among DPAs on how to apply the regulation across the EU, leading to fragmented enforcement and uncertainty for businesses. This inconsistency undermines the GDPR’s goal of creating a single digital market and legal uncertainty. It also poses significant hurdles for tech companies striving to navigate the regulatory landscape. This has even caused competitive effects within the internal market between countries, which is regrettable.
To address this, DPAs must strive for a consistent interpretation of the GDPR. A single law demands a single, coherent interpretation to ensure that all stakeholders, from small startups to large organisations, can operate with clarity, legal certainty and trust. This consistency is essential for the integrity of the single market and enhancing the ability of tech companies to seamlessly innovate across member states and deploy their innovative services at scale.
Enhancing collaboration: The way forward
The solution lies in improved collaboration at multiple levels:
Within Member States
Collaboration within member states and between enforcing authorities is crucial for maintaining privacy and fostering innovation. This requires a concerted effort to understand the practical implications of data protection rules. Such an approach has been adopted in France and the Netherlands and must be adopted across the EU.
Considering the vast amount of new laws recently adapted in the EU that deal with data (DSA, DMA, DA, DGA, AIA…), a more risk-based approach to GDPR interpretation, along with essential cooperation, will be crucial to ensure these laws work well together, creating a seamless interplay between the GDPR and the new EU ‘digital book’ and preventing new compliance hurdles for European companies. By establishing a dedicated network at the member state level, authorities can work together to interpret the GDPR comprehensively, considering all facets.
Between Member States and at the EU Level
Stronger collaboration between different national regulators and at the EU level is equally important. The European Data Protection Board (EDPB) should lead this effort, and must work increasingly with other EU bodies such as the European Competition Network (ECN) and the Digital Services Coordinators Board (DSC Board). Such partnerships are essential to develop a competitive approach that respects both privacy, consumer rights, competition and innovation.
Accompanying and fostering compliance
Operationalising the numerous requirements of the GDPR can be quite complex for organisations, especially for tech companies. DPAs should work further to accompany businesses on their compliance journey. Providing GDPR compliance tools like codes of conduct and certifications will help businesses implement the rules effectively, reducing the likelihood of breaches and fostering a culture of compliance. Such an approach will also foster more constructive discussions and collaboration between tech companies and DPAs, contributing to DPAs’ understanding of business dynamics and the impact of data on business models and strategies. DPAs should not be seen solely as enforcers but as collaborative entities working alongside companies to ensure the GDPR’s principles are upheld.
Conclusion
As we move forward, embracing a risk-based approach to the GDPR and enhancing collaboration at all levels will be key to maintaining a future-proof and effective GDPR, capable of addressing Europe’s upcoming challenges and opportunities. By striving for consistent interpretation and supporting businesses in their compliance efforts, we can ensure that the GDPR continues to protect fundamental rights while fostering innovation and growth across the European Union.
The European Tech Alliance (EUTA) does not support the re-opening, nor amending the GDPR. Instead, we advocate for refining its implementation through improved cooperation and a risk-based approach. We are committed to working with all stakeholders to achieve these goals and look forward to a future where privacy and innovation go hand in hand.
