Government, regulators and industry rethink data protection at RAID

“Is the way we interpret the GDPR’s inherent concepts adaptable to our digital reality?”, asked Natascha Gerlach, Director of Privacy Policy, Centre for Information Policy Leadership (CIPL) opening a panel on rethinking data protection at RAID Virtual.

“As we reflect on that here in Europe we have seen, internationally, a wave of data protection legislation introduced. Over 170 of the 195 countries in the world have a form of data protection law.”

“There are a number that have taken their cue from the GDPR but we have also seen next-generation bills that pick and choose a bit more. The common thread we see is that privacy and data protection rights are central to many of our visions of modern society.”

In 2018, the GDPR replaced the 1995 Data Protection Directive, legislation which was implemented when under 50 million people used the internet; the vast changes in this period called for a rethinking of data protection legislation in the EU. Rapid digital development since 2018 has raised similar questions about whether the GDPR can effectively regulate emerging technology that was yet to be developed when it was drafted.

With similar challenges presented to policymakers globally, RAID Virtual brought together a panel of experts from the EU, the US, and the UK to discuss the jurisdictions’ differing responses to this challenge. In the session, titled ‘Rethinking Data Protection’, Gerlach was joined by:

• Katherine Harman-Stokes, Acting Director, Office of Privacy and Civil Liberties, U.S. Department of Justice
• Tine A. Larsen, President, National Commission for Data Protection (CNPD) – Luxembourg
• Cecilia Alvarez, Director of Privacy Policy Engagement, EMEA, Meta
• Isabel Simpson, Solicitor, KPMG UK (EMA Head of Data, Digital and Technology for KPMG Law)

Recent years have seen the implementation of a wide range of new laws across the EU that concern data. These included the Digital Markets Act, which came into force at the end of 2022, and had provisions on the way large tech companies could combine user data between platforms. The Data Act came into effect at the start of this year and is intended to promote the EU’s data economy through clear, competition-friendly regulation, primarily impacting industrial data.

The Digital Services Act was also a key recent piece of EU legislation which came into force a month later and governs companies’ obligations regarding the removal of illegal data. Most recently the AI Act was approved by the EU Council in May and takes a risk-based approach to regulating AI.

Gerlach asked Álvarez to reflect on how the GDPR fits alongside this raft of related EU legislation

“It has been a while that we have been living with the GDPR data protection framework and I think that any good law has the ability to remain relevant and contribute to EU prosperity. We should avoid thinking that privacy is a ‘super right’ per sé. We need to have this balance between the fundamental rights and other interests that we have at stake.

“This is also a reminder that we have in recital four. This is the foundational principle that is so current and important which relays the importance of not going into absolutism and using the balance from the foundational principle that we have in the charter and which is embedded in the GDPR.

“We are facing many things that are new for all of us and the best thing that we can do is engage in dialogue to understand how we can work together instead of being engaged in antagonistic processes. The importance of having due process, legal certainty and accountability and not having the regulatory capture is essential for the health of our data protection framework.

“Another factor relates to evolution. There is not a single great law that survives if it does not evolve and adapt to the circumstances it needs to exist. There are two main considerations that are relevant to this. One is the impact of technologies that are data-driven and where data plays an important role.

“The European Data Strategy is something that is extremely important. To quote a section that is relevant, GDPR should contribute to a data strategy which ’aims at creating a single market for data that will ensure Europe’s global competitiveness and data sovereignty’. The strategy also reads ’data is an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general‘; so to serve humankind

“Overall, the GDPR has a long life as long as it is truthful to its foundational principles, it is enforced with legal certainty and it evolves with the ability to have a forward-thinking way to interpret the principles according to the new scenario and the way that the regulatory framework evolves.”

With data protection covered by a patchwork of state-level law in the US, a draft of the American Privacy Rights Act 2024 was released in April to bring increased clarity and harmonisation through federal legislation.

Although the proposed act, which has bipartisan support and includes data protection rules for AI, would have several stages to pass through before potentially passing into law, it has received widespread support both from policymakers and industry. Gerlach asked Harman-Stokes to compare the proposed US legislation with the EU’s GDPR which it has drawn comparisons with.

“The proposed federal bill does pick up on many of the same concepts that are captured in the GDPR. But I think if we go back in history, you’ll see that many of those concepts are part of the Fair Information Practice Principles and are really reflected in the different data protection legal regimes around the world”, Harman-Stokes said.

“The bill is comprehensive and it has a lot of the same concepts as the GDPR. This includes the controller concept, with the controller setting the means and purposes of collecting data, which translates into a ‘covered entity’ in the American bill.

“Data processor translates into service providers. Then you have privacy policies required in some instances. You also have privacy impact assessments for higher-risk data uses. The bill also picks up non-profits which is a twist I think.

“Right now non-profits don’t fit within the US-EU data privacy framework with the previous privacy shield. I think this is a good attempt to bring non-profits into the set of common principles that can be applied across the US.

“One thing that we really focus on in the United States is risk-based policy. Looking at the bill it talks specifically about data brokers. It also focuses more controls on high-impact social media companies.

“It does address enforcement of the privacy concepts and there are private rights of action under some circumstances. So I think it is a good solid comprehensive bill. In terms of its likelihood of success, there is a lot going on in Congress right now so it is hard to say.

“It seems to me that it does provide some compromises between the intractability we have had in previous bills. In my opinion, it is the most likely to succeed of any of the bills we have had to date.”

Since the UK withdrew from the EU in January 2020, it retained the GDPR framework implemented through the Data Protection Act 2018. It later began a process to reform this legislation through The Data Protection and Digital Information Bill which reached the Committee Stage in the House of Lords but was not finalised in the wash-up period after the General Election was called.

At RAID Virtual, held before the General Election was announced, Gerlach asked Simpson about some of the ways this bill could have amended the UK GDPR.

“The UK is certainly rethinking data protection in the sense that they have looked at not only GDPR but also other laws throughout the UK that impact how personal information is used. The idea is that the government went through a consultative process with industry bodies and they wanted to look at how they could best encourage innovation with safety.

“They looked at how they could best encourage innovation by way of simplification and clarity. The important thing is that they did not want to lower the standard of data protection but rather to simplify and help privacy professionals and organisations in the areas that they are struggling with.

“There are a number of areas where organisations and individuals struggle with the current laws. It really echoes what Kathy said about risk-based policy but also proportionality as well.

“One of the areas where organisations have been struggling is international transfers. What the bill attempts to do is remove some of the barriers to international transfers whilst also ensuring the standard remains high. The new approach should allow organisations to really simplify their process for low-risk transfers in particular.

“Another area of clarity within the bill is around the legal basis of legitimate interest. Currently under UK GDPR if an organisation would like to rely on legitimate interest they would have to carry out a legitimate interest assessment.

“The bill makes it easier for controllers by helping them to understand if a purpose will be accepted as legitimate. It does this by including examples such as direct marketing, ensuring security and transfers into group. It also recognises purposes that are legitimate and lists them out in an annexe.

“It also introduces some clarity around purpose limitation as well. It’s been quite interesting because it’s restated some of the GDPR provisions on purpose limitation. It clarifies for example in the area of consent that there is no scope for arguing that processing for a different purpose is compatible and that new consent should be obtained.

“In summary what we’ve seen is an attempt to simplify language, an attempt to reduce paperwork, for example in relation to records of processing activities. The overall theme of the bill is to continue safeguarding data but encourage innovation through that simplification and clarification.”

In the EU, Data Protection Authorities are tasked with ensuring compliance with the GDPR and other data protection laws within their respective member states. They work alongside the European Data Protection Board, which facilitates effective collaboration between DPAs and ensures that data protection laws are applied consistently throughout the bloc.

Gerlach invited Larsen to discuss the function of the GDPR in the context of the EU’s digital framework and whether the role of the data protection authorities could change.

“In our view, the GDPR continues to be a success in enhancing trust and legal certainty and has led to positive outcomes for the harmonisation of EU law and the strengthening of the data protection culture at the EU and global level.

“While data protection is a vital component of responsible innovation and the technology-neutral approach of the GDPR allows it to adapt to the evolution of technologies on its own, it cannot cover all the challenges presented by the digital transformation of our society and our digital economy.

“Since the GDPR came into force the EU has passed several new important digital laws. Even though these new laws are without prejudice to the GDPR, the data protection authorities on a national basis and within the European Data Protection Board must now clarify the interlinks between this new legislation and the GDPR.

“The DMA, DSA, DA and AIA are privacy by design, or at least data protection is built inside. In so far as personal data is involved, personal data protection principles and existing rules are considered as a baseline, a fundamental constant on which other aspects are built upon.

“All these texts make explicit reference to the GDPR. The DPA remains responsible for monitoring the GDPR in the digital decade, but the different new laws seem to reform the GDPR silently in many areas and introduce new regulatory bodies.

“So even though the GDPR is not touched upon it is the main central regulation and the new regulations are not considered as lex specialis either, the challenge is about how to articulate all the legislation and their impact on the obligations and tasks on all the actors concerned.”

RAID’s Director Ben Avison reflected: “Data protection in a rapidly evolving digital world requires a complex balance of factors. The panel reflected that although there are significant developments in the technology that the GDPR is relevant to, its fundamental principles remain central to the way that privacy rights are ensured.

“This same focus on balancing the protection of rights with a policy approach that facilitates the societal benefits that accompany innovation has been relevant to the UK in the Data Protection and Digital Information Bill, as discussed by Isabel, and in the potential data privacy bill progressing in the US, as mentioned by Katherine.

“RAID will pick up this discussion in September in what continues to be a hugely consequential area in the regulation of technology.”

Write-up by Nick Scott. Editing by Ben Avison.