Her name translates as "all-gifted," or "she who sends up gifts." In the Greek myth, Pandora was created by the gods and bestowed with blessings and charms; in many ways she was made, and seen, as perfect. Told never to open a jar (later mistranslated as a box), Pandora let curiosity get the better of her and, in opening the jar, released all manner of evil.
The EU General Data Protection Regulation, and EU data protection law more broadly, have been heralded as the "gold standard." The GDPR has been an archetypal regulatory product and a progenitor of the "Brussels effect." Urged on by the reports of two former Italian Prime Ministers, Enrico Letta and Mario Draghi, and with the GDPR approaching its ninth anniversary since adoption and its seventh since becoming applicable, EU policymakers and lawmakers are considering whether and how to reform it in ways that support the competitiveness of European enterprises by not "imposing unnecessary burden."
The proposal concerns limited and targeted changes to the GDPR in view of simplifying it or extending certain measures currently applicable to small and medium-sized enterprises to include small mid-cap enterprises that have "outgrown the SME definition."
Article 30 GDPR requires data controllers and processors to maintain a record of their processing activities and sets out what information this record should contain, such as the purposes of the processing, a description of the categories of data, the categories of third-party recipients of the data and, where possible, a general description of the technical and organizational security measures, among other matters.
The GDPR provides an exemption to that requirement where the data controller or processor has fewer than 250 employees unless the data processing in question is likely to result in "a risk" to the rights and freedoms of data subjects, the processing is not occasional or the processing includes special categories of data or criminal conviction and offense data.
The European Commission proposal purports to "simplify and clarify" this exemption in two ways.
First, by extending the exemption to small mid-cap enterprises, that is, organizations with fewer than 750 employees. Second, by making the record-keeping obligation mandatory for those organizations only when the processing activities are likely to result in a "high risk" to data subjects' rights and freedoms, or where special category data is processed. The proposal clarifies that processing of special categories of personal data that is necessary for carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social security and social protection law should not "as such" trigger the requirement to maintain records of processing.
The proposals, codified in a draft regulation, were the subject of a joint letter, published earlier in May, by the European Data Protection Board and the European Data Protection Supervisor setting out their preliminary feedback. The EDPB and EDPS welcomed that the obligation to keep records of processing activity would still be required for likely high-risk processing, recalling how "even very small companies can still engage in high-risk processing." Notably, in that letter, the EDPB and EDPS understood the European Commission to be considering a proposal to extend the exemption to organizations with fewer than 500 employees and with a certain annual turnover, not 750.
Separately, the European Commission proposes reforms to the GDPR provisions on data protection codes of conduct and certification mechanisms. Under current Article 40 GDPR, the EU member states, respective national data protection authorities, the EDPB, and the European Commission are required to encourage the drawing up of codes of conduct by relevant associations and other organizations representing data controllers and processors.
Similarly, Article 42 GDPR requires the same stakeholders to encourage the establishment of data protection certification mechanisms, seals and marks by relevant certification bodies or DPAs. The reforms seek to extend the existing requirement to take account of the needs of micro, small and medium-sized enterprises to the newly proposed category of SMCs, so that the "specific needs" of SMCs are also taken into account.
Thus far, initiatives regarding GDPR codes of conduct and certification mechanisms have been few and far between. Though substantively modest, the winds of change and emphasis on innovation, competitiveness and "simplification" might engender renewed efforts.
Though not as profound as the consequences of opening Pandora's jar, the reopening of the GDPR will now animate heightened consultation, discussion and debate on whether and where to redraw the lines set in 2016, if not earlier under the GDPR's predecessor, the Data Protection Directive, which was finalized 30 years ago.
For all the reported hardships associated with the purported burdens of the GDPR, many organizations have nonetheless invested considerable capital and resources in GDPR compliance, much of which has carried over to other compliance requirements in the panoply of EU digital regulation and to broader business objectives.
Whether and how organizations adapt to the proposed requirements, and the impact on the EU's stated objectives, will be in the spotlight over the coming months, and perhaps years, as these proposals move through the legislative machinery.
Joe Jones is the Research and Insights director for the IAPP.