Was GDPR v1.0 the data protection solution everyone hoped for? Let’s explore how General Data Protection Regulation (GDPR) didn’t live up to our expectations. And let’s also ask the important question; will GDPR v2.0 be able to solve the issues?

After a near decade of pulling back and forth, the balance in the tug-of-war between monetising personal information and safeguarding it took a major step towards the latter. The General Data Protection Regulation (GDPR), and its enforcement from 2018 was a watershed moment in global technology regulation. It forced even multinational organisations to take personal information seriously or risk possible penalties reaching up to 4% of annual global turnover. Overnight, the GDPR became Brussels officials’ poster child of powerful legislation. One that could show that all organisations need to abide by the law just as much as one-person start-ups. However, in the five years since the GDPR entered into force, it has become clear that the GDPR wasn’t the solution we thought it was. Serious concerns and numerous loopholes have been discovered by privacy activists, technology experts and even national privacy watchdogs alike.

Current issues with GDPR

The core problem is that under the GDPR, all companies, including the tech giants, are overseen by the national regulator in the EU country in which they are headquartered. In practical terms, this so-called “one-stop shop rule” directs most of the major compliance investigations run through the Irish and Luxembourgian systems, because the largest technology companies, such as Meta, Alphabet, Amazon, and Apple, have all set up their European headquarters in one of these two countries (due to favourable taxation and other legislation). This in return results in EU-wide precedents that reflect the political climate of only two countries, not 27.

Both Ireland and Luxembourg have faced mounting criticism in the recent years for slow, and even lax, enforcement which they officially deny. However, claims of lax enforcement does not equal no enforcement, the Irish data authority has recently imposed a >$200M fine against Meta. Meta however earns a million dollars every 15 minutes, and therefore we are back at the same problems we had before the GDPR. That ignoring the law can be very profitable, and private individuals still have little leverage to safeguard their privacy online.

To my mind this brings us to a very unpleasant question – is the GDPR really a tool for safeguarding EU residents’ privacy, or a tool for punishing US-based multinationals?

It is 2023, and year after year there is talk about EU-wide class actions and seemingly widespread support for them. Yet the actual legislation fails to materialise again and again. Retaliating against the big US-based multinationals for disregarding the European Commission is one thing. But making me, as a private individual, decipher corporate structures and hunt for the correct competent authorities is another problem.

Evolution of the GDPR

The European Union is finally taking concrete steps in fixing the dysfunctionalities of its poster child. The solution? More legislation.

The now 7-year-old law will get a facelift before summer 2023. The solution seeks to correct its glaring problem: the extremely lop-sided way that Irish, and to a lesser extent Luxembourgian, data protection commission and courts can steer the entire 27-country bloc.

The details are unfortunately scantly available. The official take is that the new legislation will “harmonize some aspects of the administrative procedure” in cross-border cases and “support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms”, as the Commission explains. Simply put, it seeks to end the jurisdiction shopping inside the 27-country bloc.

However, fixing failed regulation with more regulation can often end up doing the opposite. So why not take the chance to simply state that; EU Data Subjects may choose to use their home jurisdiction. While proceeding to combine the GDPR, the ePrivacy directive (aka the “EU cookie law”), and even the 3Q2023 Data Governance Act, to ensure that there are no conflicting requirements. One could possibly dare to wish for a plethora of improvements from the perspective of private EU residents, but so far, the silence is deafening.

How the improvements will help individuals/businesses

It is clear that the precedents cannot rest solely on two countries’ shoulders in a union of 27 countries. For us private individuals, the proposed changes are a step in the right direction. Any organisation that is clearly GDPR compliant will not face any issues, and ending jurisdiction ­shopping will level the playing field between local organisations and big multinationals. It will be interesting to see what, if any, effect the new legislation will have on the EU-US relations regarding privacy protections as well. But we might have to wait until the, seemingly inevitable, Schrems III case goes through the court system to find out whether the EU-US data protection tug-of-war will finally end.

Meanwhile, one should keep hybrid (cloud + on-premises) solutions in mind when deciding where and how to process any personal data. Hybrid solutions can bring the best of the two worlds, geographically determined identity data residency with cloud-based IAM capabilities, as explained in more detail in Understanding hybrid cloud.

Get in touch to discover how Ubisecure’s hybrid cloud solutions could support your data protection requirements as we enter the next (hopefully more impactful) phase of GDPR.