GDPR two years on: where has it succeeded and how can we make it work better?

The General Data Protection Regulation (GDPR) has transformed attitudes towards digital privacy in Europe and is increasingly used as a model for other countries and regions. Since coming into force in May 2018 these four letters have gained recognition far beyond Brussels’ policy circles. In terms of EU initiatives, perhaps only the Erasmus programme has penetrated European citizens’ daily lives to such an extent.

With its second anniversary fast approaching, now is the perfect time to assess its ongoing impact and to consider how the digital privacy landscape is likely to change in the future. It is also worth reflecting on what the coronavirus has taught us about its implementation, and what needs to change.

For both consumers and businesses, the GDPR has been immensely successful in placing a spotlight on digital privacy, data protection rules and privacy policies. With the principles of transparency, lawfulness and fairness at its core, the regulation has provided much-needed clarity as to what organisations can and cannot do with personal data, and has placed data protection at the forefront of companies’ and citizens’ minds.

This is evident in the current debate surrounding mobile phone tracking apps that could help slow the spread of COVID-19, such as the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) initiative. Developers know that their products must respect strict data protection guidelines, which allows them to be built in from the start. This is one of the GDPR’s greatest achievements.

Arguably the most sweeping changes that came about from the GDPR were data subjects’ rights. The GDPR ensured that European citizens were granted updated data rights that gave users more control, including the ‘right to be forgotten,’ the ‘right of portability,’ the ‘right to correction’ and the ‘right to access.’

It is still unclear to what extent European citizens are using these rights, however this will likely change as the scope and technicalities of these rights are being validated and clarified through various guidelines, such as the guidance from the European Data Protection Board (EDPB) or rulings of the Court of Justice of the European Union (CJEU). Looking ahead, the more guidance and clarity there is, the more these rights are likely to be used.

From a business perspective, the GDPR also struck a good balance between strong data protection for citizens and the needs of businesses. The technological neutrality and flexibility granted under the GDPR means that it is not hindering innovation. In fact, it creates an ecosystem that allows for the digital transformation of society and industry, which is essential for the future economic well-being of our continent. Most notably this transformation will be harnessed through the use of artificial intelligence (AI) and machine learning algorithms.

Although the GDPR is designed to be futureproof, the interpretation of the rules will be critical when it comes to technological advancement. With the publication of its White Paper and data strategy in February, the European Commission clearly sees AI as an important driver of the European economy going forward. Harmonisation in GDPR interpretation will be a critical component of the European approach to AI. It is essential that we prevent fragmentation amongst member states in order to reap the full benefits of what this technology can offer.

Indeed, the GDPR granted EU member states a level of flexibility when it comes to interpretation and it will be with the member states’ derogations and interpretations that we will witness the evolution of the GDPR. We are already seeing some issues in the fragmented responses of national Data Protection Authorities (DPA) guidance to the processing of personal data during the COVID-19 crisis. To take one example, companies’ understanding of whether they can take their workers’ temperature at the entrance of factories varies across different countries. These inconsistencies make it difficult for companies to adjust and imposes extra costs.

Finally, the GDPR was a global milestone as many nations and regions began to discuss and adopt GDPR-inspired national legislation. For example, Brazil’s ‘Lei Geral de Proteção de Dados’ and the ‘California Consumer Privacy Act (CCPA)’ all have similarities to the GDPR such as improving data subjects’ rights and upgrading redress mechanisms for violations. This global trend will likely continue as the regulation matures and evolves. This is also a positive development for business which thrives on harmonised rules.

All in all, the impact the GDPR has had on society and industry cannot be understated. It has changed Europe’s mindset with regard to data protection and has influenced the wider world. Now more than ever, citizens and organisations are placing privacy policies at the heart of their actions. In the future, a more unified interpretation of rules across European member states would ensure that businesses and citizens can fully reap the rewards.