Stunned by the reluctance of certain policy-makers in Brussels to acknowledge that the GDPR has it downsides, we decided to execute our own public consultation in February. Today, on 25 May 2021 (which is also the 3rd birthday of the law), we are presenting your feedback that speaks for itself and which motivates us to continue our work for a more balanced and innovation-friendly data protection regime.
Readers of this blog as well as members of Brussel's Digital-Policy-bubble noticed last year that one of the numerous LIBE-resolutions (2020/2717(RSP)) generated quite some noise. The draft text, written by the S&D-LIBE-Chair López Aguilar, presented a very positive assessment of the General Data Protection Regulation (GDPR) and its implementation two years after its application. Together with 12 colleagues, we - as EPP-Shadow Rapporteur - tabled 68 amendments, rejecting most of his conclusions.
However, our situation in the subsequent compromise negotiations could be described as hopeless as we had a strong left-wing majority (Communists, Socialists, Greens, Liberals) against us in the LIBE-committee. We were therefore not surprised that our findings and ideas were largely ignored. Under those circumstances, we saw it already as a significant win to get a united EPP-group behind us that supported our position and rejected the Resolution content-wise. Almost all EPP members also voted against it or at least abstained together with many MEPs from ECR and some from RE. Our plenary amendments found even broader support and were only narrowly rejected. In numbers, the final vote on Thursday, 25 March 2021 was however devastating. The GDPR-resolution passed plenary by 483 votes to 96 and 108 abstentions.
How to deal with that defeat?
Since Axel and I follow the political discussion on data protection very closely for years, we were expecting this outcome. What nevertheless shocked us were the arguments that Shadows of certain other political groups did use during the political negotiations. While one individual was comparing the GDPR with the "bible" (which one "is not allowed to change"), others were systematically downplaying the public outcry after its application in 2018. Strong opposition would be "normal" for new laws. The "fault" would lie in fact with the "citizens that would not understand the law" and would distribute "wrong readings" on GDPR. When we tried to counter those arguments, we were told that we are against the fundamental right of privacy and would want to "kill" the law. We don't ... as you can read in more detail in our recent articles in the Financial Times, Politico and Frankfurter Allgemeine Zeitung.
To enhance our arguments and to get more feedback from those people that are actually dealing with the GDPR on a daily basis, we decided already one month before the plenary vote to announce our own public consultation on 16 February 2021. Your feedback was overwhelming and it took us more than 10 weeks to categorize and summarize every response. Striking was that only 1/3 of the more than 180 transmissions was coming from companies and business associations, while the large majority was from non-commercial actors such as citizens, researchers, scientists, nurses, data protection officers, lawyers, non-profit associations or sport clubs.
The feedback led to a 31-page-long document that you can find below. Divided into 10 chapters, it lays down the most important deficiencies of the GDPR and its implementation process in the 27 Member States of the European Union:
Conceptual Flaws of the GDPR
SMEs & Start-Ups vs Digital Gatekeepers
Private citizens and voluntary entities
The Guardians: EDPB & DPAs
Flaws and gaps in the legal text
Data protection in the health sector
International Data flows
Based on Art 97 GDPR, the European Commission will perform its second evaluation and review only in May 2024. An immediate legislative response to our document is therefore unrealistic. The goal is instead to build up political momentum by promoting a different mind-set and new ideas on data protection. In our view, the COVID-19 pandemic has clearly underlined how imbalanced data protection has become. More and more public authorities understand the right to privacy in an absolute way that suppresses the fundamental rights of other persons (i.e. right to life and to physical and moral integrity) or even the public interest. Moreover, the GDPR imposes disproportionate burdens on SMEs, start-ups, organizations as well as civil society. If the European Union truly wants to become a global leader in the data economy, significant changes are needed. Even before 2024, easy wins that would boost the competitiveness of Europe's digital economy are feasible. Examples are (a) clear exemptions for anonymization & pseudonymisation, (b) relaxing restrictions on secondary use of data, or (c) easier repurposing for scientific research, health and the training of Artificial Intelligence. Those improvements could happen, for instance, by new EDPB guidelines or new sectorial laws. The first ideas towards European health data spaces developed by the European Commission sound in this regard very promising.