Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
"The strength of the (EU General Data Protection Regulation) lies in its risk-based approach," said Karolina Mojzesowicz, deputy head of unit for data protection at the European Commission's Directorate-General for Justice and Consumers, during a recent event organized by the Federation of European Data and Marketing in Brussels.
The big question, she asked, is whether enforcement lives up to it. While the GDPR provides a relevant framework for posing that question, Mojzesowicz asserts the question is even more meaningful in the context of the EU Artificial Intelligence Act. She argued that the AI Act, a product safety regulation applying a more regulated philosophy to a risk-based framework, may not quite be fit for articulating the GDPR and fundamental rights in the context of AI.
The European Commission conducted a series of implementation dialogues during the summer, assessing ways to streamline and simplify the EU rulebook and looking at the GDPR and data/digital policies among others. When it comes to the GDPR, the message from a majority of stakeholders, as has been conveyed for years, was very clearly to not reopen the regulation in an effort to preserve legal certainty.
However, the Commission recognizes there is a need for "targeted changes and surgical changes" to the GDPR. Artificial intelligence model training, a challenging area of GDPR compliance, is one area under consideration.
Another area concerns e-privacy, which remains a polarized debate. During the European Digital Rights' Privacy Camp 25, Anja Wyrobek, legal policy advisor to Member of European Parliament Birgit Sippel, noted e-privacy is "the last fort when it comes to protecting the privacy of communications." In Wyrobek's view, the issue lies with institutions not having the appetite to live up to expectations.
"Cookie fatigue is not the main issue here; it is an industry invention. The biggest problem is enforcement — only Italy and France are enforcing," she said.
Yet, many industry stakeholders report that the rigorous consent rules in the e-Privacy Directive present challenging obligations in practice.
Following the February announcement that the proposal for a Regulation on ePrivacy would be withdrawn after years of deadlock, the debate has moved to consider protections that could be retained from the defunct proposal and possibly included in upcoming legislative initiatives: the Digital Fairness Act, Digital Networks Act or perhaps targeted changes to the GDPR. "The masters are reflecting on that now," indicated Mojzesowicz.
The upcoming Commission proposal on digital simplification may shed some light on possible paths forward.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.