Five years of GDPR: Experts forecast changes to come for landmark privacy law

Written by Neil Hodge on Monday 12 June, 2023

The fifth anniversary[1] of the European Union’s General Data Protection Regulation (GDPR) coming into force has highlighted the many successes of the legislation – such as companies’ willingness to comply – but also exposed areas where the law is still untested and unclear.

Currently, there is no political appetite to tinker with the GDPR – at least not until a new European Commission is appointed in 2025.[2] But privacy experts believe if the regulation is to stay relevant for another five years, it will need to provide clarity over a range of issues. 

Clare Walsh, director of education at the Institute of Analytics, a professional body for data experts, said harmonized approaches to enforcement among EU data protection authorities are a ‘must.’

In retrospect, she said, it was ‘probably not a great idea’ to expect the relatively tiny countries of Ireland and Luxembourg to handle all the EU’s privacy breach complaints regarding the world’s largest tech firms (e.g., Meta[3] in Ireland, Amazon[4] in Luxembourg). Such a premise means, ‘It was almost inevitable that it would result in delays handling complaints,’ she said. 

But Walsh added the ‘one-stop shop’ is beginning to work well. 

‘In the last year or so, we’ve seen some major wins for privacy enforcement,’ she said. ‘Once countries understand how to enforce, they will be better able to enforce, and cases are now coming through.’ 

Jim Allum, director, commercial and technical at software vendor Macro 4, said if the GDPR wants to continue to be recognized as the gold standard for data privacy regulation, it must adapt to the rate at which technology is likely to change,[5] which means fostering closer relationships with developers. 

‘That’s going to require closer dialogue with tech firms at an earlier stage to better understand the technology and the issues it raises,’ said Allum. ‘Surely, that’s better for tech companies, too, in the long run. They will encounter far fewer problems with the regulator if data protection is embedded in the process ‘by design and by default’[6] rather than as an afterthought.’ 

Per Hultman, head of IT operations at tech firm Walr, said the GDPR needs to look forward and tackle potential challenges associated with emerging technologies head-on. 

‘There’s a lot to be said for proactivity in this space,’ he said. ‘Integrating a forward-thinking approach toward improving transparency, simplifying compliance, and streamlining cross-border data transfers would all make for a better future for GDPR.’ 

As with any regulation, Hultman added, ‘It’s crucial the GDPR is adaptable to key aggregators of change. It must be able to navigate the evolution of technologies like AI (artificial intelligence), handle data transfers outside the EU, and preserve public trust. These will all be highly influential factors mediating data protection frameworks going forward.’ 

Rick Hanson, president at IT firm Delinea, said any future revision of the GDPR should make a clear distinction between personal information and personal identifiable information as, ‘They are not the same, nor should they be treated equally.’ 

‘The GDPR should make a clear separation between data such as my date of birth versus an IP address,’ he said. ‘In future revisions of the GDPR, it would be great to have risk categories of personal identifiable information, as not all data is of equal risk’ when compromised or exposed. 

Flavia Colombo, country manager, United Kingdom and Ireland at software firm HubSpot, believes the GDPR might no longer be fit for its initial purpose – protecting people’s data – as AI transforms how and why data is processed. 

‘The advancements in AI, particularly with large language models and generative AI, offer limitless possibilities for growth, from optimizing supply chain management to generating new product ideas,’ she said. ‘Yet, AI captures personalized data to create relevant content for its users and therein lies the potential problems.’ 

Colombo also believes the GDPR’s inability to keep pace with technological developments might create legal pitfalls or uncertainties regarding the degree to which tech firms – and companies using the tech – might be liable for breaches of the rules.

‘Although the U.K. government has taken matters into its own hands with the pending Data Protection and Digital Information Bill,[7] which will create regulation around AI, the matter still remains there is no clear set of rules around AI. There may also be a lack of understanding as to how advanced AI might trigger GDPR responsibility,’ she said. 

Other questions regarding legal accountability persist, said Will Richmond-Coggan, a partner in the data protection team at law firm Freeths. For instance, he said, it is still unclear what is required for companies or individuals to bring a successful legal claim for a data breach or abuse of data. 

‘People are getting better at exercising their rights to access and correct information that may be held about them,’ he said. ‘But there remains a lot of misunderstanding about what the law requires on many sides, resulting in frequently needless litigation around everything from the placement of cookies by a website through to claims for compensation where a company and its employees or customers have all been victims of a data breach. 

‘Even five years on, the parameters of precisely what will and will not be a valid claim are only just starting to be tackled by the courts, leaving a good deal of uncertainty for all those who are potentially embroiled in such litigation.’

_________________________________________________________________

References:

[1] Neil Hodge, ‘Five years in, GDPR still a lightning rod for criticism’, Compliance Week, 25 May 2023: https://www.complianceweek.com/data-privacy/five-years-in-gdpr-still-a-lightning-rod-for-criticism/33145.article – accessed June 2023

[2] Neil Hodge, ‘EDPS: U.K. GDPR reforms could create friction with the EU’, Compliance Week, 13 July 2023: https://www.complianceweek.com/data-privacy/edps-uk-gdpr-reforms-could-create-friction-with-eu/31851.article – accessed June 2023

[3] Kyle Brasseur, ‘Meta fined record $1.3B in GDPR data transfer ruling’, Compliance Week, 22 May 2023: https://www.complianceweek.com/regulatory-enforcement/meta-fined-record-13b-in-gdpr-data-transfer-ruling/33125.article – accessed June 2023

[4] Neil Hodge, ‘One year on, Amazon GDPR fine details remain clouded’, Compliance Week, 29 July 2022: https://www.complianceweek.com/regulatory-enforcement/one-year-later-amazon-gdpr-fine-details-remain-clouded/31913.article – accessed June 2023

[5] Neil Hodge, ‘Is ChatGPT the privacy problem? Or is GDPR?’, Compliance Week, 26 April 2023: https://www.complianceweek.com/data-privacy/is-chatgpt-the-privacy-problem-or-is-gdpr/33006.article – accessed June 2023

[6] Neil Hodge, ‘GDPR push for privacy by design ‘still a long way off’’, Compliance Week, 16 February 2023: https://www.complianceweek.com/regulatory-enforcement/gdpr-push-for-privacy-by-design-still-a-long-way-off/32692.article – accessed June 2023

[7] Kyle Brasseur, ‘U.K. moves forward with GDPR reform bill’, Compliance Week, 9 March 2023: https://www.complianceweek.com/regulatory-policy/uk-moves-forward-with-gdpr-reform-bill/32798.article – accessed June 2023


This article has been republished with permission from Compliance Week, a US-based information service on corporate governance, risk, and compliance. Compliance Week is a sister company to the International Compliance Association. Both organisations are under the umbrella of Wilmington plc. To read more visit www.complianceweek.com