09 Feb 2024

The GDPR six years in: from harmonisation to alignment

Executive summary

Six years into the implementation of the General Data Protection Regulation (GDPR), Europe’s digital legal landscape has undergone significant transformations. From evolving case law from the EU’s Court of Justice (CJEU) to the completely new pieces of legislation stemming from the AI Act and the European data strategy, Europe’s regulatory environment has become much more complex.

Our vision for Europe in 2030 underscores the emergence of potential internal market barriers and a fresh challenge to the unified European data market due to recent data regulations. It urges the European Commission to prioritise the implementation of the existing data strategy rather than introducing additional regulations.

In 2020 we identified opportunities for harmonisation. As the GDPR now undergoes a second review, new challenges have arisen, particularly with the introduction of additional digital rules. The AI Act, the Data Act and other parts of the data strategy will all significantly impact organisations’ data processing operations, often conflating personal and non-personal data. The impact of these new laws is yet to be determined, but the potential for overlaps and erratic enforcement is real. We have already sounded the alarm regarding the potential negative impact on data flows, but these issues permeate other aspects of data processing.

Before the impact of these new regulations is clear, a reopening of the GDPR is premature. The current GDPR review should focus on addressing interpretation issues and fostering companies’ compliance:

  • The review should highlight the need to prevent diverging interpretations and enforcement across legislation and Member States. It should aim to forecast and reconcile the responsibilities of data protection authorities (DPAs) and other competent authorities under new regulations like the AI and Data Acts. It should address areas of friction between the GDPR and new regulations, promoting collaboration between the Commission, competent authorities and industry stakeholders.
  • The European Data Protection Board (EDPB) should prioritise practical guidance to strengthen harmonisation, and to reduce compliance burden whenever the GDPR text allows. These include guidance on anonymisation and pseudonymisation, distinguishing personal from non-personal data, research and innovation in health and AI, tools to support SMEs, joint controllership, compensation thresholds for non-material damage, and tools for data subject rights compliance.
  • Work should be pursued to enhance adequacy decisions and other data transfer tools. This includes advancing work at a global level on mutual recognition of standard contractual clauses (SCCs), fostering more consistent recommendations from DPAs, facilitating binding corporate rules (BCRs), and the development of pan-European codes of conduct and certification.

Industry needs a focused GDPR review that addresses interpretation challenges and promotes compliance for companies, strengthening Europe’s single market. It must prepare alignment with new regulations, promote practical guidance from the EDPB, secure international data transfers, and the full use of GDPR mechanisms. The next review in 2028 will be better able to assess the impact of recently adopted data strategy legislation, ensuring a more comprehensive evaluation of the evolving digital landscape.

Download the full position paper
For further information, please contact
Alberto Di Felice
Policy and Legal Counsel
alberto.difelice@digitaleurope.org +32 471 99 34 25
Béatrice Ericson
Manager for Data Economy & Privacy
beatrice.ericson@digitaleurope.org +32 4 90 44 35 66
Back to Data privacy
View the complete
PDF
Our resources on Data privacy
15 Jan 2024 resource
DIGITALEUROPE’s response to the public consultation on a reporting scheme for data centres in the EU
Read more
PDF
16 Nov 2023 Position Paper
One Data Act to rule them all? Avoiding competing data sharing rules: DIGITALEUROPE’s views on the European statistics regulation revision
Read more
PDF
18 Oct 2023 Position Paper
AI Act trilogues: A vision for future-proofing, governance and innovation in Europe
Read more
PDF
View all resources
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept