Our amendments against the GDPR-draft resolution of the LIBE-committee strongly disagree with its overoptimistic and self-applauding tone and instead underline that there is much room for improvement.
On Monday the 14th December 2020, we - as EPP-Shadow Rapporteur - tabled overall 68 amendments against the draft resolution of LIBE-Chair Juan Fernando López Aguilar (S&D). We are in particular proud and grateful for the cross-committee support by 12 EPP colleagues (First Vice-President Roberta Metsola, EPP-LIBE coordinator Jeroen Lenaers, Head of the German CDU/CSU-Delegation Daniel Caspary, Pascal Arimont, Anna-Michelle Asimakopoulou, Eva Maydell, Kris Peeters, Ralf Seekatz, Henna Virkkunen, Jörgen Warborn, Isabel Wiseler-Lima, Javier Zarzalejos), who co-signed some or even all of our amendments.
The draft resolution
After reading the draft response to the Commission's evaluation report on the implementation of the General Data Protection Regulation two years after its application (2020/2717(RSP)), we were stunned by some of its conclusions. While it rightly points out that the GDPR has established global standards for privacy laws (para 1), the statements that it "has been an overall success" (para 2) and that only "some stakeholders reported that the application of the GDPR is challenging especially for SMEs" (para 7) completely ignores the numerous practical problems as well as the public outcry that followed its application in 2018. If European politics do not want to be confronted with the accusation of being disconnected from reality, such conclusions should not be published.
This is particularly unfortunate as other findings are completely correct. The uneven level of enforcement by national DPAs (para 9), too lengthy investigations by DPAs (para 11) or the insufficient resources of DPAs (Para 12) are indeed a concern. The findings that the consistency mechanism should be applied more often (para 14), that there are often inconsistencies between DPAs and the EDPB (para 15) and that derogations led to fragmentation in the GDPR implementation (para 17) are absolutely correct, too. BUT all things considered, the draft resolution takes a way too positive point of view and thereby denies any responsibilities of the legislator for existing GDPR flaws. For the S&D rapporteur, only the Member States and big tech companies should take the blame.
Well, the reality is not so simple ...
It should be clear at this point that our view on the GDPR is not so one-sided. We do not see the law as a success story of the European Union. Yes, it heavily improved the data protection frameworks in Europe and strengthened our citizen's right to privacy (Art 8 ECHR). This is good and no one wants to take this achievement away. However, like with every complex legislation there are also many things that did not work like the legislator envisioned. The GDPR created - for example - a new business model for law firms, which are now writing expensive privacy policies for ordinary citizens. While the GDPR wanted to target in particular big tech companies, in reality it is SMEs as well as start-ups that suffer under new complex obligations. They just cannot afford their own legal departments to guarantee GDPR-compliance when processing the private data of their customers.
Although we are heavily criticizing certain aspects of the GDPR, we do not demand that it should be withdrawn. Instead, we are arguing in favor of a few surgical legislative adjustments combined with a better and more harmonized application across the European Union. Our AMs can be summarized with 7 key demands:
The Commission should perform a comprehensive evaluation in 2022 but already start with a targeted revision now in order to rectify a small number of specific legislative shortcomings.
It needs to be crystal clear to everyone that all six legal grounds for processing data in Art 6 GDPR are equally sufficient. Furthermore, almost each of those grounds require clarifications on how they should be interpreted and applied.
Micro enterprises and especially clubs, societies and citizens that are processing data in voluntary or private capacities should benefit from exemption clauses. SMEs and start-ups should at least receive better guidance and more support (e.g. toolbox).
The enforcement by DPAs should be harmonized, the one-stop-shop mechanism strictly guaranteed and colliding guidelines among EDPB and DPAs avoided.
The large number of national derogations need to be reduced as it leads to a fragmented Digital Single Market.
Privacy adequacy decisions remain one crucial tool for enabling international data flows but other approaches such as code of conducts should be promoted, too. The EDPB should thereby reconsider its draft guidelines as they are making SSCs useless for international data transfers.
We need to make sure that emerging technologies can perform under the technical neutral GDPR and should avoid any overlapping with new horizontal laws. Based on this important point, we also argue for withdrawing the proposals for a new ePrivacy regulation. Instead we are proposing to update certain provisions of the old ePrivacy directive and put them into a new GDPR-chapter for the processing of communication data.
Have a look at our AMs
Feel free to download the file below if you want to check in detail what we have tabled against the GDPR-Resolution in the LIBE-committee. We are following the GDPR file from the beginning and will continue to observe its application across Europe. Any feedback is therefore highly welcomed - especially if you are willing to contribute some points that are so far missing in our list.