GDPR and Its Implementation Challenges

The effective implementation of GDPR hinges on recognizing the underlying issues it presents.

Recently, Axel Voss, a German Member of the European Parliament with a focus on data protection, shared a position paper that calls for urgent revisions. This paper was published two weeks ago.

On February 16, 2021, Voss initiated a field study to gather insights from individuals and organizations regarding their experiences with GDPR. He sought to identify the specific challenges they were encountering.

The feedback came from a diverse group, including corporations, citizens, researchers, healthcare professionals, data protection officers, lawyers, nonprofit organizations, and sports clubs, resulting in over 180 responses that clearly illustrated the practical implications of GDPR. Key concerns highlighted by respondents included:

“Too complex, increasing compliance costs, shortening other fundamental rights and severely hampering Europe’s digital transformation.”

Voss documented these findings in a position paper released on May 25, 2021, providing a systematic and accessible analysis of the practical difficulties associated with GDPR.

This article will further explore the findings of this study and offer additional commentary.

The challenges identified in the study can be categorized into several primary areas:

1. A Uniform Approach is Ineffective

   The GDPR does not account for the varying scales of organizations, from multinational corporations to local startups. It fails to distinguish between sectors such as healthcare and finance, or between technologies like AI and blockchain, lacking clear definitions and tailored regulations.

   “Furthermore, it does not distinguish between the processing of personal data by private individuals and by state authorities.”

2. Absence of a Risk-Based Approach

   Many small and medium-sized enterprises (SMEs) face a daunting choice between high compliance costs and inaction, driven by legal uncertainties. They often feel insecure about the criteria they might face when confronted with potential penalties.

   “The GDPR does not differentiate enough between low-risk and high-risk applications, determining largely the same obligations for each type of data processing.”

   Risk assessments should not only occur post-data leakage; organizations require strategies for prevention and response. The stringent penalties may deter larger corporations but can create a chilling effect on SMEs and startups, particularly those innovating in fields like big data and AI.

3. Complexity Hinders Compliance

   Participants in the study expressed that the myriad of regulations makes compliance challenging, with only a few experts truly able to grasp the full legal implications.

   “The provisions are too numerous, complex and difficult, allowing only a few distinguished experts to really keep track and understand all of the legal consequences.”

   Perhaps the GDPR should categorize requirements by industry, providing clear guidelines to assist startups in navigating compliance without the need for constant legal consultation.

4. Outdated Concepts in a Modern Context

   The GDPR is rooted in traditional data processing notions that do not align with contemporary technologies like big data, cloud computing, and the Internet of Things.

   “To start with, the law is based on the processing of individual data (thus ignoring Big Data) as well as on the processing by a single controller.”

   The definitions of data controllers and processors become convoluted in environments such as blockchain.

5. Research Limitations for Data Institutions

   The GDPR does not facilitate the flexibility needed for trustworthy entities to handle data for agreed purposes, limiting the ability to share data for research and innovation.

   “The law does not provide the opportunity for trustworthy third-party agents such as data trusts... to benefit from more flexibility.”

6. Conflict with Fundamental Rights

   GDPR does not treat data protection as an absolute right, failing to clarify how it interacts with other fundamental rights, such as freedom of business or expression.

   “GDPR does not take into account that the processing of personal data by the controller is, in itself, also protected by fundamental rights.”

7. Excessive Scope of Protection

   The GDPR aims to protect a wide array of rights and freedoms, which can create an unmanageable burden for data controllers.

   “GDPR postulates that it protects ‘fundamental rights and freedoms’ of natural persons. However, if the law wants to protect all rights and freedoms, it leads to excessive demand on controllers.”

8. Justification Requirements for Personal Data

   The lack of a cohesive framework for when data protection rights can be lawfully limited creates challenges, especially highlighted during the COVID-19 pandemic.

   “The GDPR, however, does not contain a coherent concept of how and when the data protection right is lawfully limited.”

Emerging Technologies

1. Artificial Intelligence

   The GDPR’s stipulations regarding purpose limitation and data minimization present significant barriers for AI development.

   “The GDPR provisions on purpose limitation and data minimisation as well as the restrictions on secondary use can be seen as the major obstacles for AI.”

   The stringent requirements for consent hinder innovation in AI, as the need for explicit consent can complicate data usage.

2. Internet of Things

   The principles of data minimization and purpose limitation are challenging to apply within the IoT framework, which thrives on extensive data collection.

   “The GDPR principles of storage and purpose limitation... are also difficult to implement. The Internet of Things is based on ‘data maximalism.’”

3. Cloud Computing

   The GDPR’s approach to data processing does not adequately address the complexities introduced by cloud environments, where multiple parties interact.

   “The GDPR links the processing of data either to a single person in charge... Both approaches are not sufficient for cloud computing.”

4. Blockchain

   The immutable nature of blockchain data presents a significant conflict with the GDPR's right to be forgotten.

   “One key property of Blockchain technology is that old data can be secured against modification... thus, blockchain runs counter to the GDPR’s ‘right to be forgotten.’”

In my ongoing research, I am continually impressed by the potential of blockchain technology. Its capabilities raise essential questions about information integrity and the manipulation of data.

As we reflect on these issues, it becomes clear that the intersection of GDPR and emerging technologies will require careful navigation to ensure both compliance and innovation.

Join Us in Shaping the Future of Data Protection

For more insights and discussions, connect with us at DataBulls.

References:

Axel Voss on LinkedIn: #GDPR #digital #data | 18 comments The #GDPR is now 3 - and it urgently needs revision. A few weeks ago, I asked for your input on how the General Data…