Five years after the EU General Data Protection Regulation entered into force, European Commissioner for Justice Didier Reynders considers it the "world's flagship privacy law," but is "one part" of a "package of landmark proposals aimed at shaping Europe's digital future."

Reynders was one of many at the IAPP Europe Data Protection Congress 2023 in Brussels to weigh on in on the GDPR's efficacy and status.

"In 2018, we faced many questions on what the impact of the GDPR would be. Now, just five years on, we have seen the development of a rich body of case law, guidance and decisional practice. This brings greater legal certainty for businesses on their obligations and clarity for individuals on their rights," Reynders added in his keynote remarks. "Data protection awareness among industry and society in general is greater than ever before."

The pros and cons

European lawmakers, regulators, academics and others used dedicated DPC breakout sessions to reflect on the state of the EU's landmark data protection law, steps surrounding enforcement, and its interplay with the EU's broader digital regulatory framework – including the EU Artificial Intelligence Act, the Data Act, the Digital Services Act and the Digital Markets Act.

"Nothing is perfect," said University of Namur Professor emeritus Yves Poullet, who called the GDPR "a success," with resulting enforcement by proactive data protection authorities along with some subsequent legal challenges, increasing public awareness and attention around data protection risks.

Member of European Parliament Axel Voss, meanwhile, described a host of "problems with the GDPR" that include a lack of harmony among member states caused by the regulation's uniform application and splintered interpretations among courts and regulators. He also mentioned a lack of guidelines, standards and legal clarity within the regulation's text, and a need to adapt to new technologies and today's "digital age."

Voss said the GDPR's established legal bases for lawful processing of personal data may not be the best approach for the data-driven world.

"I say we should come to a situation where we are saying, 'You can do what you want, but do not touch the privacy of our citizens.' I know it might be hard to define, but this might be a better way forward," he said, noting regulations under the EU's digital legislative package are "trying to circumvent" the GDPR.  

For European Commission Head of Unit Data Protection, Directorate General for Justice and Consumers Olivier Micol, those regulations are the "biggest achievement" of the GDPR.

"It has provided the foundation for a host of other pieces of legislation. These other pieces of legislation have not come because there was a problem with the GDPR. The GDPR laid the foundation of other pieces of legislation," he said.  "We have to judge the GDPR in relation to the objective of the GDPR. The GDPR is not the regulation for everything."

Reynders echoed similar statements on the DPC keynote stage, noting the GDPR "remains the cornerstone of the EU's digital regulatory framework." No other digital regulation that has passed or that is under consideration in the EU have personal data protection as their main objective, he said.

"Each of these new EU initiatives pursues a particular aim and they might help or build upon the GDPR in a certain way, but the GDPR is still the base of the entire EU legal framework," he said. "Whenever these new initiatives do touch upon the processing of personal data, they rely upon the rules of the GDPR and so we continue to work with a masterpiece of regulation at the center of the data protection regulations that we are organizing at the EU level."

Harmonized cross-border enforcement

Reynders also touched upon proposed regulation to streamline cooperation between data protection authorities in enforcement of cross-border cases, saying it is "further enhancing the efficiency of cross-border enforcement of the GDPR" and "supplements the GDPR in a targeted way" to improve enforcement and deliver quicker remedies.  

"It does not affect any substantial element of the GDPR," he said, reiterating the goal is to improve enforcement, not to reopen the "so-called Pandora's Box" of possible amendments to the regulation.

"Data protection authorities interpret the GDPR on a daily basis when adopting guidelines, investigating complaints and approving codes of conduct, to name just a few examples. In all of these activities, a common approach to application of the GDPR is necessary," Reynders said. "Authorities must work together to achieve this level of consistency. Consistency means legal certainty for businesses and clarity for individuals in all cases."

During a separate DPC session on cross-border enforcement, European Data Protection Board Head of Secretariat Isabelle Vereecken said the proposal came about from the need for more detailed rules and cooperation under the GDPR.

"You would expect it is sufficiently detailed, but in practice, things are much more complex," she said, adding the EDPB is hoping to address several issues, including deadlines for cross-border cooperation and dispute resolution.

Romain Robert, a member of the Litigation Chamber of the Belgian Data Protection Authority who previously served as program director at advocacy organization NOYB, said deadlines are desperately needed, citing one of the advocate's complaints against a large tech company that remains unresolved after more than five years over a dispute regarding who should serve as the lead supervisory authority.

Reform required?

Proposed harmonization regulation and a suite of other digital legislation with potential overlaps raise lingering and fresh questions surrounding the GDPR. But do those factors mean amendments or a "GDPR 2.0" are necessary just five years in?  

The European Commission's Micol said, "Maybe one day." For now, the commission is planning a report to be released next year with a complete review on application of the GDPR. Micol indicated the report is likely to "look at the different elements" and ultimately help "decide on follow-up action."

Voss is more inclined to proactively address gaps in the regulation. He said waiting for issues to arise or mount with the GDPR before ultimately moving to legislative consideration is not a desired path.

"What we are experiencing in the legislative process is we are coming up with new ideas, but saying 'Do not touch the GDPR," Voss said. "We have to be more revolutionary on this issue in saying, 'No, it's not perfect. We have to improve this all the time.' We need a flexible legislature to act on these problems."