“Europe’s Big Opportunity” – The European Data Protection Supervisor on the General Data Protection Regulation
The EDPS’ detailed proposal for the GDPR is prefaced by his “vision”, which is divided into three sections: a better deal for data subjects, rules which will work in practice, and rules which will last a generation. It emphasises the need to maintain and strengthen standards for the individual, and to take as a starting point “the dignity of the individual”. In this respect the proposal re-iterates the Article 29 Working Party’s concerns about the weakening of the principle of purpose limitation, and also re-states the need for bodies and associations to be able to bring complaints and claims, not just individuals.
The EDPS’ recommendations go on to express concern about the confusion of safeguards with formalities, and to call for a clearer, simpler text which enables controllers to easily understand their technical obligations. They hold up as an example the EU competition manual “where a relatively limited body of secondary legislation is rigorously enforced and encourages a culture of accountability and awareness among undertakings” and recommend a significantly shorter, simpler Regulation. Apparently the EDPS’ own recommended version, which has been produced within the boundaries set by the existing drafts, is on average 30% shorter than the existing drafts. The recommendations suggest the gaps should be filled “by accountability and guidance from data protection authorities”. Whilst this raises the possibility of a lack of certainty as to what is required in certain areas pending the publication of such guidance, such an approach would allow for the flexibility the law will need if it is to last a generation. In this regard the recommendations make the point that if the GDPR has the same lifespan as the current Data Protection Directive, it may not be replaced until the late 2030s, by which time “data-driven technologies can be expected to have converged with artificial intelligence, natural language processing and biometric systems, empowering applications with machine learning ability for advanced intelligence”. It is a useful reminder of why the GDPR is not just another piece of legislation, but is critical for shaping all our futures.