News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Five years in: Impressions on GDPR's maturity Related reading: IAPP infographic highlights GDPR's influence, impact 5 years later

rss_feed

""

Five years after the EU General Data Protection Regulation entered into force, European Commissioner for Justice Didier Reynders considers it the "world's flagship privacy law," but is "one part" of a "package of landmark proposals aimed at shaping Europe's digital future."

Reynders was one of many at the IAPP Europe Data Protection Congress 2023 in Brussels to weigh on in on the GDPR's efficacy and status.

"In 2018, we faced many questions on what the impact of the GDPR would be. Now, just five years on, we have seen the development of a rich body of case law, guidance and decisional practice. This brings greater legal certainty for businesses on their obligations and clarity for individuals on their rights," Reynders added in his keynote remarks. "Data protection awareness among industry and society in general is greater than ever before."

The pros and cons

European lawmakers, regulators, academics and others used dedicated DPC breakout sessions to reflect on the state of the EU's landmark data protection law, steps surrounding enforcement, and its interplay with the EU's broader digital regulatory framework – including the EU Artificial Intelligence Act, the Data Act, the Digital Services Act and the Digital Markets Act.

"Nothing is perfect," said University of Namur Professor emeritus Yves Poullet, who called the GDPR "a success," with resulting enforcement by proactive data protection authorities along with some subsequent legal challenges, increasing public awareness and attention around data protection risks.

Member of European Parliament Axel Voss, meanwhile, described a host of "problems with the GDPR" that include a lack of harmony among member states caused by the regulation's uniform application and splintered interpretations among courts and regulators. He also mentioned a lack of guidelines, standards and legal clarity within the regulation's text, and a need to adapt to new technologies and today's "digital age."

Voss said the GDPR's established legal bases for lawful processing of personal data may not be the best approach for the data-driven world.

"I say we should come to a situation where we are saying, 'You can do what you want, but do not touch the privacy of our citizens.' I know it might be hard to define, but this might be a better way forward," he said, noting regulations under the EU's digital legislative package are "trying to circumvent" the GDPR.  

For European Commission Head of Unit Data Protection, Directorate General for Justice and Consumers Olivier Micol, those regulations are the "biggest achievement" of the GDPR.

"It has provided the foundation for a host of other pieces of legislation. These other pieces of legislation have not come because there was a problem with the GDPR. The GDPR laid the foundation of other pieces of legislation," he said.  "We have to judge the GDPR in relation to the objective of the GDPR. The GDPR is not the regulation for everything."

Reynders echoed similar statements on the DPC keynote stage, noting the GDPR "remains the cornerstone of the EU's digital regulatory framework." No other digital regulation that has passed or that is under consideration in the EU have personal data protection as their main objective, he said.

"Each of these new EU initiatives pursues a particular aim and they might help or build upon the GDPR in a certain way, but the GDPR is still the base of the entire EU legal framework," he said. "Whenever these new initiatives do touch upon the processing of personal data, they rely upon the rules of the GDPR and so we continue to work with a masterpiece of regulation at the center of the data protection regulations that we are organizing at the EU level."

Harmonized cross-border enforcement

Reynders also touched upon proposed regulation to streamline cooperation between data protection authorities in enforcement of cross-border cases, saying it is "further enhancing the efficiency of cross-border enforcement of the GDPR" and "supplements the GDPR in a targeted way" to improve enforcement and deliver quicker remedies.  

"It does not affect any substantial element of the GDPR," he said, reiterating the goal is to improve enforcement, not to reopen the "so-called Pandora's Box" of possible amendments to the regulation.

"Data protection authorities interpret the GDPR on a daily basis when adopting guidelines, investigating complaints and approving codes of conduct, to name just a few examples. In all of these activities, a common approach to application of the GDPR is necessary," Reynders said. "Authorities must work together to achieve this level of consistency. Consistency means legal certainty for businesses and clarity for individuals in all cases."

During a separate DPC session on cross-border enforcement, European Data Protection Board Head of Secretariat Isabelle Vereecken said the proposal came about from the need for more detailed rules and cooperation under the GDPR.

"You would expect it is sufficiently detailed, but in practice, things are much more complex," she said, adding the EDPB is hoping to address several issues, including deadlines for cross-border cooperation and dispute resolution.

Romain Robert, a member of the Litigation Chamber of the Belgian Data Protection Authority who previously served as program director at advocacy organization NOYB, said deadlines are desperately needed, citing one of the advocate's complaints against a large tech company that remains unresolved after more than five years over a dispute regarding who should serve as the lead supervisory authority.

Reform required?

Proposed harmonization regulation and a suite of other digital legislation with potential overlaps raise lingering and fresh questions surrounding the GDPR. But do those factors mean amendments or a "GDPR 2.0" are necessary just five years in?  

The European Commission's Micol said, "Maybe one day." For now, the commission is planning a report to be released next year with a complete review on application of the GDPR. Micol indicated the report is likely to "look at the different elements" and ultimately help "decide on follow-up action."

Voss is more inclined to proactively address gaps in the regulation. He said waiting for issues to arise or mount with the GDPR before ultimately moving to legislative consideration is not a desired path.

"What we are experiencing in the legislative process is we are coming up with new ideas, but saying 'Do not touch the GDPR," Voss said. "We have to be more revolutionary on this issue in saying, 'No, it's not perfect. We have to improve this all the time.' We need a flexible legislature to act on these problems."


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Jennifer Bryant IAPP Staff Contributor
Tags
Europe
Enforcement
Privacy Community
Privacy Law
Privacy Operations Management
1 Comment

If you want to comment on this post, you need to login.

  • comment SAYYAPARAJU PANDURANGA RAJU • Nov 19, 2023 
    Agree with Jennifer and the EU officials about the evolving GDPR.  There is no doubt that GDPR set a benchmark in privacy laws and paved way for many countries to take cues from it.  The rise of new technologies like AI is bound to test the efficacy of GDPR in various dimensions/situations, notwithstanding its robustness.  GDPR, as such, may not require fundamental changes, but can keep fine-tuning/improving with emergence of new challenges and scenarios.  The harmony among EU nations in speaking same language and tone in interpretations, resolving complaints and disciplining errant firms is needed to avoid undesired delays and firms taking shelter in one lenient jurisdiction.
Related Stories
A view from Brussels: The EU GDPR and 'Pandora's box'
1
Pandora may not have been a privacy pro but, all things being equal, re-opening the EU General Data Protection Regulation box would be right down her alley. According to Greek mythology, Pandora was a woman created in 700 B.C. The legend says that her curiosity got her to open a jar containing miser...
Read More queue Save This
Related Stories
Tags
Europe
Enforcement
Privacy Community
Privacy Law
Privacy Operations Management
Recent Comments