As Europe marks the General Data Protection Regulation’s (GDPR) two-year review, ITI and our members continue to assess what is working well and what can be improved to create legal certainty for businesses, promote innovation and protect privacy. Below are five key areas to address with respect to GDPR’s implementation, as identified by ITI and our members:
Funding and enforcement. National data protection authorities (DPAs) together with the European Data Protection Board (EDPB) are at the heart of enforcing the GDPR. However, our members have increasingly noticed a lack of adequate funding for DPAs. These authorities must be equipped with financial resources and well-trained staff, so they can enforce the EU’s data protection rules to the best of their abilities.
Maintaining the OSS enforcement system. The one-stop-shop (OSS) enforcement mechanism is an example of a framework working well where a lack of funding has led to perceived issues. The OSS mechanism provides that the national DPA of the country in which a company is headquartered leads on any EU-wide investigation of GDPR violations involving the given company. Reports of a lack of transparency and communication between DPAs create uncertainty and hinder cross-border investigations. Criticising the OSS mechanism equates to throwing the baby out with the bathwater. Instead, we advocate for maintaining the OSS mechanism and enhancing cooperation between national DPAs.
Certification tools. There is a need for more industry-driven certification tools to enable international data flows. These tools should include Codes of Conduct, Binding Corporate Rules and certification mechanisms, as they can support national regulators’ efforts in efficiently enforcing the GDPR. Timely review and approval of such industry-led initiatives by EU and national level authorities is a prerequisite to creating more certainty around data transfers and reducing administrative burdens.
Clarity. More clarity around data processing in areas such as human resources and scientific research is needed to ensure our members can properly implement GDPR’s provisions. In addition, clarification from the EDPB is needed as some of the current provisions under the GDPR are insufficient to provide companies with the legal certainty they need to innovate.
Enable innovation. We ask for data protection laws to enable promising new technologies like artificial intelligence (AI) to thrive and not stifle their deployment. Europeans should benefit from new AI-backed services, and allowing companies to use training data to develop AI is critical to bringing such new products to the market. At the same time, we are mindful that the rise of AI should not come at the expense of privacy rights. Our members are committed to protecting fundamental rights and upholding ethics and European values.
Overall, we applaud efforts undertaken by EU and national regulators to enforce the GDPR thus far. Addressing the challenges outlined above and in our detailed submission will be crucial to advance European data protection.