
The European Union’s General Data Protection Regulation (GDPR) has been a pillar of data protection since its implementation in May 2018, impacting data security and influencing other pieces of legislation worldwide. Although the regulation applies to the EU, the globally interconnected economy has required international organizations to align with its requirements, and the framework has become a standard that many look to for guidance in data protection.
Currently, the European Commission is planning to slash GDPR requirements. Commission President Ursula von der Leyen aims to focus on slashing regulations in order to aid in competition with international businesses, especially in light of recent global geopolitical and economic shifts. The intent of the changes soon to be proposed is to simplify the outlined requirements and enable businesses to comply with the regulation more easily while maintaining data privacy and protection rules.
What’s Driving the Push to Cut Back GDPR?
The plan to simplify GDPR is motivated by several interconnected factors. The EU wants to increase competitiveness against global tech powers like the United States and China, especially in light of recent isolationist and protectionist moves placing global business connections in jeopardy. Organizations and individuals alike have long believed that the regulation “creates more harm and hurdles than any palpable benefits,” according to Dr. Ilia Kolochenko, CEO at ImmuniWeb and an Adjunct Professor of Cybersecurity at Capitol Technology University in Maryland.
Businesses and startups in Europe, especially small- and medium-sized enterprises (SMEs), are concerned that GDPR requirements restrict their ability to carry out business, as international companies would often “rather go to the US or UK, where the regulatory landscape is more friendly for businesses,” says Kolochenko. The bureaucratic burden and costs of compliance with GDPR mean that many organizations prefer to avoid it entirely, making it difficult for EU businesses to thrive.
What Could Change in GDPR?
The possible revisions to GDPR that are currently under consideration focus in part on simplifications regarding documentation and reporting requirements as well as enforcement policies. This includes plans to streamline consent mechanisms to alleviate the burden on organizations and users, ease restrictions on data transfers, and narrow the scope of the requirements for SMEs and organizations of fewer than 500 people. Changes under the upcoming omnibus simplification package and Digital Fairness Act may conflict in some areas and lead to potential “targeted adjustments” to fulfill the goals of both.
One controversial proposal for GDPR changes is the suggestion of German Member of the European Parliament Axel Voss to replace the regulation’s “one-size-fits-all approach” with a tiered system based on risk. This idea is a response to the existing framework’s imbalanced model that significantly burdens SMEs but is not able to effectively regulate large tech firms.
The timelines for the introduction and consideration of these changes are tentative: the Commission had planned to agree on the simplification package on April 16th, a date now pushed back to May 21st, and the package is expected to be delivered “by June.” Political dynamics within and around the Commission may further complicate the picture, as opening up the possibility of changing GDPR could cause a lobbying war between tech firms and data privacy groups.
The Privacy vs. Innovation Dilemma
Advocates for data privacy and tech experts have had differing responses to the Commission’s plans for GDPR. Privacy activist Max Schrems notes that the core GDPR rules may be a target, but personal data protection is an inalienable liberty under the EU’s Charter of Fundamental Rights, making it difficult for privacy laws to be excessively slashed. Others fear that the potential lobbying pressure could weaken the regulation so completely that it crumbles.
The reaction from the business community and tech lobbyists to the proposed changes is more optimistic. Organizations have long been frustrated with the complicated documentation required under GDPR, inadequate protection against data breaches, inconsistent enforcement of policies across the EU, and the business burden of the regulation. Balancing innovation and economic agility with the fundamental rights of citizens to have their data protected is a delicate task, requiring significant consideration.
Implications for the Global Digital Economy
Slashing GDPR requirements and policies could have far-reaching implications and impacts, well beyond the bounds of the EU. Weakening the regulation could potentially diminish the EU’s leadership in digital ethics, undermining the reputation and influence of the Commission’s data privacy precedent. Other nations, especially tech giants like the U.S. and China, might react to the changes with regulatory shifts of their own, either to counter perceived or actual negative impacts of the changes or to follow the EU’s example in slashing regulations.
The EU has been a leader in data privacy and protection regulations, and the upcoming changes could spark significant shifts globally. It is possible that it will prompt a run of deregulation and gutted protections, especially with excessive pressure from tech lobbyists. On the other hand, it could set a pragmatic precedent, leading to simpler, more streamlined legislation that effectively regulates data privacy and protection without requiring overwhelming amounts of red tape.
A Defining Moment for Europe’s Digital Future
The trajectory of the upcoming GDPR changes could mean big things both across Europe and worldwide. Citizens, companies, and regulators have varying interests, goals, and desires on the issue. What is at stake is not simply the specific requirements of the regulation, but the global influence of the EU’s data protection policies. Calling GDPR into question could lead to a significant global shift in data privacy and protection as other nations follow suit or respond with their own policy changes. The legacy of GDPR is strong; as leaders worldwide look ahead to smart regulation, it is crucial that they address both the logistical challenges of inefficient regulation and the necessity for effective data protection.