Is the EU throwing the GDPR out of the window?
On the misconceptions around the "red-tape bonfire" of the GDPR
We can all agree on one thing: the European General Data Protection Regulation (“GDPR”) is a hard read, it is technical, and you might even question what it has done for us apart from annoying cookie pop-ups and endless privacy notices.
This applies whether you’re a lawyer or a non-lawyer, whether you’re from IT, whether you work with privacy, or whether you’re just casually interested in the topic. As if this 100+ page regulation weren’t enough by itself, if you want to work with data protection in Europe, you should also be aware of the following:
54 guidelines and 7 recommendations to date from the European Data Protection Board on how to interpret the GDPR, often 50+ pages each,
129 cases in the field from the Court of Justice of the EU,
Even more guidelines, recommendations and fines in any of the 27 Member States that you are working in, which can be not only different from but even contradictory to each other,
National data protection and other related laws, such as in the fields of employment, healthcare, the financial sector, advertising, AI, etc., depending on the sector you work in.
And this is not all. No wonder that working with data protection has grown into a profession of its own, which has led to increased compliance costs: hiring expert staff, increased working hours throughout the organisation to implement the law, internal and external training, privacy enhancing technologies (“PETs”), and, well, even fines, if things are not going very well.
As working in privacy is still considered a niche field, not all companies have this knowledge in-house, and they often hire external companies or law firms at quite a high price for a one-time privacy washing. After all, an expensive privacy notice from a Big 4 firm is still better than nothing.
The sentiment against European digital laws: the Draghi report
Things changed in Europe on 9 September 2024, when the so-called Draghi report was issued. Mario Draghi, former president of the European Central Bank, painted quite a dark picture of the future of the European Union. His report argues that European competitiveness is falling far behind the US and China. According to the report, one of the reasons for this is the administrative burden created by excessive digital laws, which hinders innovation. To resolve this, the report proposes simplifying the GDPR and harmonising it with the new EU AI Act.
To back all this up, the report makes quite harsh statements about the GDPR, for example (page 79 of the detailed report [1]):
“while the ambitions of the EU’s GDPR and AI Act are commendable, their complexity and risk of overlaps and inconsistencies can undermine developments in the field of AI by EU industry actors.”
The report does not stop there; it points to further shortcomings of the GDPR, such as:
Different implementation and enforcement per Member State,
Hindering innovation, in particular the use and development of AI,
Producing “administrative and compliance burdens and legal uncertainties”,
Putting disproportionately more weight on the shoulders of SMEs compared to larger companies such as Big Tech,
“Gold-plating”, i.e. stricter national implementation than required on a European level,
Storing overall less data in Europe than in the US or China.
These statements were followed by intense lobbying, and the media started referring to red-tape bonfires (whatever that means), easing the burden, or statements such as “we don’t need to regulate in a stupid way” (as the Danish Digital Minister was quoted in Politico).
A critique of the Draghi report
Despite the strong statements, the report lacks even a reference to qualitative analysis, and it seems to echo the voice of lobbyists. One of the few quantitative analyses backing these statements lies in the footnotes: the GDPR can increase costs for data-intensive industries by up to 24%, and for manufacturing and services by up to 18% (as per a more detailed study referred to on p. 319, footnote 262).
Although there are points in the Draghi report and the supporting study I agree with - such as that the inconsistent application of the GDPR across Member States is an issue - most of the statements in the Draghi report are excessive or based on wrong assumptions:
Firstly, the study referred to above explicitly ignores the actual benefits (and therefore the goals) of the GDPR, as its authors are “completely agnostic to the benefits that consumers derive from privacy protections” (p. 40). Neither the Draghi report nor its supporting study refers to the value of privacy or the right to informational self-determination.
Accusing the GDPR of causing less data storage is a bit like blaming the sky for being blue. Data minimisation and storage limitation are stated principles of the GDPR: you mustn’t store data longer than necessary, i.e. longer than you need it. If it’s not necessary, then this is data that was not needed, as defined by the implementing company itself.
Calling European laws - by leading European officials - an administrative burden, something merely “commendable” and nice to have, a mere cost, is shooting Europe in the foot. These statements undermine the credibility not only of EU law, but of the EU in general.
The disproportionately higher costs for SMEs often come from the fact that smaller companies outsource data protection, something I’m very much aware of as a lawyer working in the field. Outsourcing - compared to in-house solutions - is usually more expensive and less efficient at the same time: lawyers and consultancies cost a lot, and they are less aware of the company’s internal processes.
Big Tech can afford GDPR fines and litigation, and hence breaching the law, as the illegal practice may still prove more beneficial than the fines themselves (see my article on Amazon’s fine, which they haven’t even paid yet).
Despite the well-detailed calculations in the supporting study, it often relies on self-reported costs from companies, which may or may not include often unnecessary costs such as outsourced implementation. It is also not clear what exactly these costs involve. The question is also this: if you spent more than 5 million euros (~5.7 million USD) on GDPR implementation and you still do not consider yourself fully compliant, then is the issue really the law, or rather how you managed to deal with the law?
So is the GDPR going on the red-tape bonfire, out of the window, and so on?
An introspective approach is always welcome. Thinking about the status quo and questioning whether the existing law truly achieves its purpose in practice is a valid debate. The GDPR did create inconsistencies, but that does not mean it needs to be cut down or presented as the blocker of European innovation.
In my view, the statements demanding deregulation are not well-founded enough. According to the European Commission, a simplification of the GDPR is in fact coming, but this will mostly concern the record of processing activities for SMEs, while the core principles of the GDPR will not change.
As for the inconsistencies with other laws - well, it seems we will receive more guidelines.
What is your opinion on this? Are you for or against the simplification? Feel free to share your thoughts in a comment.
[1] The future of European competitiveness, Part B | In-depth analysis and recommendations, September 2024, https://commission.europa.eu/document/download/ec1409c1-d4b4-4882-8bdd-3519f86bbb92_en?filename=The%20future%20of%20European%20competitiveness_%20In-depth%20analysis%20and%20recommendations_0.pdf
[2] Data, Privacy Laws and Firm Production: Evidence from the GDPR, Demirer et al., NBER Working Paper Series, Cambridge, as revised in December 2024, https://www.nber.org/system/files/working_papers/w32146/w32146.pdf