Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Will the European Commission hold its end of the bargain and effectively simplify the digital rule book? The task is commensurate with its potential impact. If done right, simplification could have tremendous effect on organizations' ability to limit the paperwork and box-ticking and build digital responsibility with mission-driven governance rather than mere compliance or fear of enforcement.
It is well established that the digital risk domains have multiplied, that their intersectionality triggers new and challenging questions every week — the Commission admits so itself. It is also apparent that the Commission is increasingly held accountable to Mario Draghi's recommendations for EU competitiveness issued last year.
Draghi himself is sharpening his message, including on implementation of the Artificial Intelligence Act. "The next stage — covering high-risk AI systems in areas like critical infrastructure and health — must be proportionate and support innovation and development. In my view, implementation of this stage should be paused until we better understand the drawbacks," he said.
We largely stand at the beginning of the simplification journey. The Commission is now looking for stakeholder input, opening a public consultation detailed by my colleague Joe Duball. For background, the Commission already proposed different packages. The fourth Simplification Omnibus package, proposed in May, aims to streamline rules, including GDPR record-keeping obligations, and reduce administrative burdens by 25% for businesses and 35% for small and medium-sized enterprises by 2029. According to the Commission, nearly 38,000 companies in the EU fall into this category.
Brussels will have to compose a mix of dynamics to achieve its yet-to-be-determined level of ambition for change.
First, calls for simplification are clear at the level of political leadership, but can only translate into practice if Commission services have the ability to deliver in practice. This means aligning internally across services or directorate-generals on the situation assessment, objectives and means to get there.
There is a certain degree of ownership by DGs for the laws they birthed and negotiated over time. Streamlining instruments will, by necessity, look at laws "owned" by the Directorate-Generals for Justice and Consumers, CONNECT, Internal Market, and Competition. All have different mandates and cultures that will need to be reconciled under a common objective. That would be a challenge in any given organization.
Second, the proposed simplification changes will go through the regular legislative process in the European Parliament, inviting stakeholders lobbying from all corners of industry and civil society. Similarly, it will require adaptation from member states to ensure proposed changes can be translated in their national legal and administrative systems, too.
The Commission will be heavily confronted with a balancing act of simplifying rules and delivering meaningful results for European companies and consumers. At the same time, it must avoid walking back on its value-based system that has made its mark on the global stage in a face-off with other models.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.