The idea of reopening the EU General Data Protection Regulation has been going around for some time. There is relatively broad consensus the legislation drafted 12 years ago could use a facelift, but less consensus on which areas the scalpel should target and how to do that painlessly.
It is becoming increasingly clear the GDPR is under pressure to deliver in a legislative, regulatory and technological context that is quite complex. Recently adopted legislation such as the Digital Markets Act and Digital Services Act, and that in the making including the AI Act, can challenge core principles of the GDPR and implementation guidelines developed overtime.
During an event hosted by German digital association Bitkom, European Commissioner for Justice Didier Reynders delivered a clear message: the first evaluation of the GDPR led to proposed procedural harmonization on cross-border enforcement, and somewhat narrow amendments given the regulation's full scope. For the evaluation due in 2024, "the commission will be looking at the regulation more broadly," Reynders said.
And the commission is already laying the groundwork. It has put the item on the agenda of its multistakeholder expert group meeting 27 Oct. and is gathering feedback from members via a questionnaire it sent to help scope out the evaluation.
A panel discussion at the upcoming IAPP Europe Data Protection Congress, titled "The GDPR Is 5 Years Old: Is It the Age of Maturity?," will explore the topic. Spoiler alert: there is a high chance panelists from the European Commission and European Parliament may say no, and so the interesting conversation begins.
Elsewhere:
- The EU-U.S. Data Privacy Framework is safe, at least for now. A French MP introduced a request for a preliminary reference before the EU General Court on 6 Sept., seeking the annulment of Articles 1 and 2 of the European Commission's adequacy decision underpinning the DPF. The court rejected the request for interim suspension but has yet to examine the substance of the case. IAPP Director of Research and Insights Joe Jones wrote a very didactic explainer on the process.
- This week, France's data protection authority, the Commission nationale de l'informatique et des libertés, released its draft practical guidelines on trustworthy use of artificial intelligence, a series of seven topical guides. The guidelines are open for public consultation until 16 Nov.