Article 5: GDPR - what's working and what's not?
June 26th, 2020
A couple of days ago the European Commission published a report, gathered with contributions from consumer-groups and industry experts around Europe (snappily called the ‘Multistakeholder Expert Group’) about their thoughts, and their members’ thoughts on GDPR. The feedback was gathered between June 2019 and February 2020.
It runs to just under 20,000 closely written words, so in the 30 Celsius heat I’ve read and summarised it, so you don’t have to. Inevitably, in reducing something by a factor of fifteen, I’ll be simplifying greatly, but I think the observations so far raise some interesting points.
Main issues experienced by organisations in complying with the GDPR
SMEs would welcome the development of concrete, simple and user-friendly tools to help them apply the guidelines in practice. Civil society organisations see a need to move from the implementation to the enforcement stage. Whilst many businesses have implemented greater privacy protections, Civil society organisations observe that a large number of businesses and public entities are continuing with data practices that raise serious compliance concerns (e.g., lack of sufficient information in terms of use and data protection notices, consent that does not fulfil GDPR requirements, lack of facilitation of the exercise of rights, etc.). Civil society organisations therefore call for a stronger and more coordinated enforcement of the data protection rules by DPAs. They call on the Commission, the Parliament and the Council to fully align ePrivacy with the GDPR.
Impact of the GDPR on the exercise of data subjects’ rights
Consumer organisations observe that it is still possible to find websites targeting the European market that completely lack a data protection notice, do not make it visible, or have not updated it to reflect recent legal developments. Consumer organisations also note that the existing fragmentation of legislation on the age for children’s consent, inappropriate practices and the lack of enforcement all affect the data protection rights of children, with negative effects also for their other fundamental rights and freedoms.
Requests for ‘meaningful explanation’ or human intervention in automated decision-making have not increased noticeably under GDPR, and neither have requests for data portability.
Member organisations report that it can be very difficult and time-consuming when data subjects exercise their rights – particular examples cited were when individuals want to obtain all emails where they are mentioned, or copies of CCTV footage. Several members mention the issue of how to verify, in a proportionate manner, the identity of an individual exercising their data rights. Therefore member organisations would generally welcome guidance from the EDPB to clarify the application of the data subjects’ rights. There should be a possibility, at all steps, for enquiring data subjects to ‘talk for free with a competent human’.
Impact of Article 7(4) GDPR regarding the conditions for valid consent
Civil society and consumer organisations note that cookie banners found on websites often give ambiguous information and force users to consent to the processing of their data and the sharing of such data with unspecified third parties for targeted advertising purposes if they want to access the website, or indicate that consent is “given” by simply browsing on the site. They warn that a number of digital players are relying on specific designs to discourage users from choosing the more privacy-friendly settings or to force consent. There are concerns about forced consent or contractual bundling of consent, which is the basis for the complaints against Facebook, Google, WhatsApp and Instagram filed by NOYB.eu in May 2018. Data Protection Authorities have been slow to process important cross-border investigations.
Experience with Data Protection Authorities (DPAs) and the one-stop-shop mechanism
Most members report broadly positive interactions with DPAs, but some note that some DPAs struggle or refuse to provide timely advice to companies due to resource constraints, misunderstanding of their responsibility, and, in some sector-specific cases, a lack of expertise. For example, in the coordinated complaints filed by BEUC members against Google’s location data policies, it took over 8 months to obtain confirmation of the appointment of the lead authority. Some consumer organisations have also called for more concrete guidance, such as templates, to help smaller businesses. Overall, members call on the EDPB to support a shift towards more harmonised positions by DPAs. There is a perceived lack of harmony about procedural laws, and there needs to be a clearer, more consistent approach to data protection impact assessments (DPIAs).
Experience with accountability and the risk-based approach
Most member organisations report that GDPR compliance efforts ultimately contribute to improved data management. SMEs use standard solutions (easy compliance instruments and templates) because they have limited staff and money. Both business associations and consumer associations have witnessed an increased awareness from individuals on their right to data protection.
Data Protection Officers
It’s felt that guidance about the need for DPOs varies by DPA – more harmonisation is needed across the EU. It’s also felt that the “market for experienced DPOs is still immature” and there are still too few experts in the field taking into account the actual needs of organisations. Many DPO training courses are thought to be sub-standard.
The controller/processor relationship
Several members argue that the characterisation of controller and processor is still not clear. One of many difficulties mentioned is that of controllers trying to add clauses about financial indemnification, on which Article 28 is silent. The interplay between main contracts and data processing agreements is also a source of uncertainty. There is much debate about the benefit of standard contractual clauses for processors, particularly for SMEs without the resources to negotiate individual contracts with all their counterparties. However, other members feel that a single set of generic clauses may be an impossible ask.
Adaptation/further development of Standard Contractual Clauses (SCCs) for international transfers
Most members agree that the current SCCs serve their purpose and are widely used for the transfer of personal data outside the EU. In general, the need for legal certainty and predictability is mentioned as vital for international data transfers and therefore any possible modification/update of the SCCs should take into consideration the large amount of already signed contracts.
Experience with the national legislation implementing the GDPR in the Member States
There is general concern about EU member states making specific national rules, for special categories of data under Article 9 and exemptions under Article 23 of GDPR, causing fragmentation, confusion and extra work. DPAs are thought to be under-resourced.
GDPR and new technologies
GDPR has undoubtedly made organisations more aware of essential principles such as data protection by design and by default, data minimisation, fairness and the ability to demonstrate compliance with these concepts. In principle GDPR is a good basis for innovation, by fostering privacy-friendly techniques such as pseudonymisation. However, this room for innovation will also depend on the interpretation of how GDPR principles and obligations apply to new technologies such as AI or blockchain. Ad-tech companies are a particular concern, since behavioural advertising relies on pervasive tracking and profiling of consumers, which can ultimately lead to exclusion, discrimination, fraud and manipulation. A pragmatic interpretation of the GDPR, using a risk-based approach, will be essential for the rapid development of artificial intelligence and self-learning systems, blockchain and the Internet of Things.
Regarding blockchain, members mention that its decentralised implementation and its immutability raise specific challenges for the application of the GDPR, such as identifying the roles and responsibilities of the parties, the storage of data, dealing with data subjects’ rights (in particular the rights of access, rectification or erasure), as well as enforcement. With the Internet of Things, several consumer organisations have found security flaws in various consumer connected products.
With AI, members see the GDPR as playing an essential role, since it has the potential to create the trust and acceptance necessary to drive AI growth in the EU. Policing purpose limitation, data minimisation, storage limitation and transparency will be difficult, as processing activities may become more opaque and unpredictable when very complex algorithms are involved. Explaining clearly the logic and consequences of automated decision-making may become more and more difficult.
Codes of Conduct (under Article 40 GDPR)
The different interpretations of GDPR emerging at national level make an EU-wide code of conduct more and more difficult.
Data breach notifications (under Article 33 GDPR)
Organisations struggle to identify the moment when controllers can be considered to have become “aware” of a breach. More guidance is sought from the EDPB.
Adequacy decisions and other transfer tools
Business operators recognise the usefulness of tools like Standard Contractual Clauses and Binding Corporate Rules, although the latter can be difficult to implement due to the time required for approval; this needs streamlining.
HMC’s summary of the summary
It’s clear that GDPR has been and is a force for good, focussing minds on the good stewardship of personal data. The problems look likely to come from under-resourcing of Data Protection Authorities, any further fragmentation of the customisable elements and a possible messy separation of the UK from the European Union. Small businesses need simple help – more on this aspect in future articles!