Pandora may not have been a privacy pro but, all things being equal, re-opening the EU General Data Protection Regulation box would be right down her alley. According to Greek mythology, Pandora was a woman created in 700 B.C. The legend says that her curiosity got her to open a jar containing misery and evil, releasing them upon mankind. In today's language, "opening Pandora's box" is akin to unleashing a whole host of issues, with the premise that it will be difficult to put them back in the box as if nothing happened.

Over the past five years, it is fair to say that GDPR implementation has not been a leisurely journey for anyone taking it seriously. When comments are made that it is not working perfectly, many concur. When a few voices chime in to question whether it should be "reopened" to try to fix some of its shortcomings — too much red tape for companies, not enough harmonization among regulators' approaches, etc. — one can imagine Pandora's smirk.

Fast forward from 700 B.C. to July 2023: the European Commission proposes new legislation to harmonize procedural elements of GDPR enforcement. And this week, the European Data Protection Supervisor and European Data Protection Board issue a joint opinion welcoming the European Commission’s "attempt to address some of the challenges identified by experts and practitioners related to the governance of the One-Stop-Shop mechanism." In their press statement, EDPS and EDPB highlight the following recommendations:

  • Further improve consensus-finding proposals among data protection authorities to avoid possible disputes at a later stage (earlier sharing of "preliminary findings" and "preliminary view"; better defined time limits for certain procedural steps).
  • Avoid unduly restricting concerned supervisory authorities' ability to raise relevant and reasoned objections on a draft decision, including on the scope of the investigation.
  • Preserve the current approach to the parties' right to be heard in the dispute resolution procedure, as the proposed changes appear to not be in line with the architecture of the one-stop-shop system.
  • Specify that the final measures are to be adopted by the competent DPAs during an Article 66 procedure "and, as appropriate, with a broader scope than the territory of the requesting DPA."
  • Address the existing practical obstacles to efficient cooperation between the national DPAs and the EDPS (for example, when an EU institution or agency provides and manages an information system that supports cooperation of public authorities in EU member states).

The legislative process has kicked in on the file, with Member of the European Parliament Sergey Lagodinsky, a German member of the Greens group, as rapporteur in the Committee on Civil Liberties, Justice and Home Affairs. Lagodinsky was closely involved in the negotiations of the European Parliament's position on the AI Act, as well. MEP Axel Voss, a German member of the Conservatives group, will be one of five shadow rapporteurs.

Notably, Voss is a GDPR veteran, having been at the heart of the negotiations back in 2012-16. He is also a strong advocate for re-opening the GDPR. Voss will be speaking on this very issue at our upcoming Europe Data Protection Congress in Brussels, alongside the European Commission. That is a panel I will be sure to catch.

Elsewhere:

  • Interesting opinion this week from Advocate General Tamara Ćapeta at the Court of Justice of the European Union in a case involving an Austrian athlete found guilty of doping practices. The question at hand is whether publishing online the personal data of a doped professional athlete is compatible with the GDPR.

Ćapeta first considers that the GDPR does not apply to the factual circumstances of the case. According to her, "anti-doping rules primarily regulate sport as sport." Without even an indirect link between the anti-doping policies and EU law, the GDPR cannot regulate such processing activities.

She explains that "in modern societies, the only way to satisfy a generalised disclosure obligation such as that imposed by the Austrian legislature in the case at hand is through publication on the internet," adding that this is "adequate and necessary for achieving the preventive function of deterrence and informing stakeholders."

The opinion is not binding on the court.

  • With AI legislation and guidelines ballooning all over the world, the IAPP feels it is imperative to draw attention to the need for qualified professionals to do the work. AI governance is landing on privacy pros' desks across industries, across sectors, in private and public sectors. IAPP President and CEO J. Trevor Hughes, CIPP, and colleagues, including myself, spoke to policymakers in Brussels, London, Munich, Ottawa and Washington, D.C., about the role that privacy pros are playing and will continue to play in operationalizing AI. Read more about our outreach on LinkedIn. (Disclaimer: the IAPP is policy-neutral.)