Has the GDPR entered the age of adolescence?

This question arose during the IAPP France KnowledgeNet panel 25 May to mark the third anniversary of the GDPR. After three challenging years, all the panelists — whatever their role in the privacy ecosystem, be they regulators, like Emile Gabrie, special advisor to the President of the CNIL and to the Secretary General, or group DPOs for international companies, like Europcar Mobility Group DPO Aurelie Banck, Sodexo Group DPO Anne-Cécile Colas or Match Group CPO Idriss Kechida — agreed on three findings.

The GDPR has become an international standard and gained huge traction around the world. This influence is also observed inside companies, where global compliance programs based on the GDPR principles and provisions are now the accepted and shared norm. Some even consider the GDPR slowly and progressively succeeded in breaking silos between organizational departments that did not work together before, such as legal and IT.

The empowerment of citizens and consumers alike to their data protection rights is pervasive. The GDPR can take credit for this success, which is manifested in the increase of access requests, portability requests and opposition to processing. The panel testified that, in certain instances, they now have to deal with several thousand requests per month. The number of complaints lodged before the CNIL, though increasing every year, remains far from these figures and serves as indirect evidence of the actual level of efficiency of the processes implemented within companies.

Privacy and data protection policies and procedures are now firmly in place within companies. On the regulator’s side, the cooperation among DPAs is up and running with more than 1,000 cases discussed at the EDPB level.

If we accept the GDPR is no longer in its infancy, we know what comes after is the phase of adolescence with its defining qualities: turmoil, uncertainty and conflict. The GDPR seems to be moving in this direction. 

Complex implementation issues are in focus, such as the operationalization of the privacy-by-design principle or the allocation of responsibilities and liabilities in joint controllership situations between companies, whether or not these companies are part of the same undertaking. 

Challenging instrumentalization of data protection rights looms ahead for companies, such as the industrialization of portability rights with a view to acquire personal data for undisclosed business purposes, or the leveraging of data protection rights in commercial and civil litigations with clients, customers, or NGOs. These challenges are the unexpected side effect of the GDPR's success. 

As a result, the need for pragmatic guidance from DPAs will become even more critical in the years to come and expected by companies. The undeniable productivity of the EDPB over the last three years with more than 90 recommendations has, perhaps, not always been clear or concise enough, nor has it been immune to over-doctrinal approaches. Moreover, at a national level, the diverging approaches of DPAs regarding the collection of health data for the fight against COVID-19 highlighted the persistence of a fragmented legal landscape the EDPB is not in a position to address. Therefore, the governance mechanism introduced by the GDPR could be called into question.

In light of these evolutions, the GDPR definitely seems to be far from the norms of regulatory maturity and still very much in its adolescence. Every actor has a lot on its plate: companies, DPOs and DPAs. The GDPR is, and will remain, a long and challenging journey sometimes in uncharted and stormy waters.