GDPR: a three-year-old who must still learn to walk before it runs

Wojciech Wiewiórowski

Three years ago today, the most fundamental piece of legislation for data protection in the European Union, the General Data Protection Regulation (GDPR), entered into application. Today, we take a moment to reflect on what the last three years have had to offer.

The GDPR has been a sensational achievement for Europe and its citizens, acting as a lighthouse for the entire global policy-making scene, and illuminating long-held privacy and data protection values enshrined across the horizon of the European legislative landscape. It has acted as a catalyst for many jurisdictions around the world to draft and implement their own privacy and data protection legislation. Even the most disillusioned ones would acknowledge that we now have more than 130 states with a data privacy law and several other jurisdictions with official Bills at various stages of development, compared to the roughly 80 data privacy laws when the legislator started to negotiate the GDPR.

On a more personal note, let me express how much it saddens me not to be able to reflect on this anniversary with my predecessor, Giovanni Buttarelli, who gave so much to make the GDPR a success.

Yet it is exactly because the GDPR was accompanied by the highest ambitions and hopes that the EU should not turn a blind eye to its current shortcomings. The GDPR granted data protection authorities the competence to curb unlawful data power, and to bring it within the ambit of the rule of law. Unfortunately, we have seen very little of either of these things for now.

I have three wishes for our three-year-old GDPR.

1. Courage! It is time to step up our enforcement actions. As data protection authorities, we should all pursue courageous applications of the law, making use of all the powers in our regulatory toolbox. It is high time for the GDPR to deliver, particularly with regard to the giant players causing the systemic harm in the digital ecosystem. Our citizens can no longer wait.

2. Growth! We must recognise that, currently, GDPR enforcement represents an uneven burden for a few authorities, which are de facto acting as a gateway to the protection of EU citizens’ privacy and data protection rights. Legitimate doubts are cast as to whether this is a sustainable model in the long term. In the meantime, it is time for authorities to team up and make full use of all mechanisms at their disposal to cooperate as effectively as possible.

3. Resilience! The EU legislator is currently discussing important proposals for the digital markets. It is essential that the role that the GDPR plays in the EU legal system is not diminished by the new proposals, particularly those impacting the governance of data in the EU. On the contrary, the GDPR can and should be applied in tandem with other regulatory systems.

In the longer term, I believe that we need to start reflecting on more efficient solutions to safeguard our rights and liberties. We need to be able to prioritise enforcement actions against the greatest harms in our digital ecosystems and to protect individuals in a meaningful way. The future approach should at the very least redistribute the costs of enforcing EU legislation more equitably, and enable systemic challenges to be effectively tackled at EU level.

Reflections have only just started, so please stay tuned with the EDPS.