GDPR reform: what should it achieve
It looks like GDPR reform, touching both its enforcement and its substantive rules, may be happening. I only hope that it will not be a wasted effort. In March, the EU Justice Commissioner announced that the EU Commission’s “simplification” agenda will involve reducing GDPR compliance burdens for smaller organisations. Moreover, Axel Voss, a prominent Member of the European Parliament from the dominant EPP faction, called for a reform in a similar direction. Apparently, the privacy activist Max Schrems joined Voss’ call, though I assume with reservations and for different reasons. My regular readers won’t be surprised that I welcome the idea of GDPR reform, as I’ve been writing about GDPR’s problems and the need for change, most recently in A serious target for improving EU regulation: GDPR enforcement. However, even though we don’t know much about the various March proposals, what has been released causes me to worry that they are missing the biggest issue with the GDPR: its imbalanced, privacy-absolutist enforcement framework. In this text, I will briefly summarise what we know about the new proposals and what I think is missing in them.
What do we know about the proposals?
We know the least about the EU Commission’s plans. All that Commissioner Michael McGrath said was:
So, it is a real focus of the European Commission to improve the competitiveness of the European economy and to bring forward a whole range of simplification measures, and we have started that process with a number of omnibus packages already focused on sustainability reporting, sustainability due diligence. And yes, GDPR will feature in a future omnibus package, particularly around the recordkeeping for SMEs and other small and medium-sized organizations with less than 500 people. So we will be examining what ways in which we can ease the burden on smaller organizations in relation to the retention of records while at the same time preserving the underlying core objective of our GDPR regime.
Hopefully, relaxing recordkeeping rules is not the full extent of the Commission’s ambition, because that would really be a performative exercise and a wasted chance to improve the EU’s competitiveness.
As to the Voss (Voss-Schrems?) proposal, we know a bit more, based on Axel Voss’ LinkedIn post and on press reports from an event where he presented the idea. The big-picture changes (which Schrems did not agree with) would involve the following, according to Euractiv:
Voss wants to remove the enforcement role of the European Data Protection Board and "adjust" fundamental principles like 'the right to be forgotten' or 'data minimisation' to modern technologies.
He also wants to flip the logic of the legislation, currently prohibiting personal data processing by default with certain exceptions, to a regime that only prohibits certain privacy-violating practices.
This is somewhat vague, but I welcome the idea that adjusting the key GDPR principles is necessary, due to the imbalanced GDPR interpretations that are currently being enforced. I also like the idea—if I understand it correctly—of removing GDPR Article 6, which requires a “lawful basis” for the processing of personal data.
As to removing the enforcement role of the European Data Protection Board, I think that a more important issue is making sure that any decisions or guidance can only be made when approved by a body that is truly institutionally and intellectually independent from privacy enforcers. If that can be achieved, then it may be a good idea for the EDPB or some other body to even centralise on an EU level case-handling functions (but not issuing fines or directions!), at least for cross-border cases. (For more details, see my text A serious target for improving EU regulation: GDPR enforcement.)
Voss also proposed “a new three-layer risk-based approach.”
The first (“GDPR mini”) layer would apply
to 90% of all businesses (i.e. small retailers, manufacturers) that process personal data from fewer than 100.000 data subjects and are not handling special categories of personal data (Art 9 GDPR, i.e. health records).
This seems not to appreciate how broadly the special categories of personal data (Article 9 GDPR) are being interpreted by data protection authorities—which I’d say is one of the prime examples of the privacy-absolutist enforcement framework. So if such disproportionate interpretative approaches to key definitional GDPR elements are not tackled, then a tier meant for “90%” could end up applying to a small minority.
As to the benefits of being in a “mini” tier:
No Data Protection Officer (DPO) required anymore. Simplified transparency rules & no excessive documentation. Lower administrative fines (i.e. capped at €500.000 instead of €20M). Only core obligations (i.e. Art 5) apply.
Interesting, but this may not mean much in practice if the general approach of privacy enforcement doesn’t change.
As to the other tiers, the one that may cause the most controversy is “GDPR plus”:
for large VLOPs, online advertisers, and data brokers, meaning all those companies whose business model is built fundamentally on the processing of personal data. A threshold of 'processing data from 10M+ individuals' or 'handling 50%+ of a country’s population' seems to make sense.
If this is combined with the kind of enforcement reform I outlined, the largest companies operating digital services across the EU would probably welcome being placed in a separate category. It would also make sense to have fully centralised EU-level GDPR enforcement for this tier. Perhaps Voss casts the net a bit too broadly (all online advertisers, really?). But on the other hand, many non-“big tech” cross-border digital service providers would probably prefer to have centralised GDPR enforcement, so some flexibility may be needed.
The proposed rules for the “plus” tier would involve:
Mandatory annual external audits (similar to financial audits). Stronger transparency obligations (i.e. publicly disclose processing records). Reversed burden of proof: companies must prove compliance, not the regulators. Real consequences for structural violations.
All those things may be sensible, but only if the rules (or rather the legal interpretations) against which those organizations are meant to be measured are applied proportionately. This is clearly not the case now, as I’ve been arguing repeatedly.
What is missing?
The main missing element in the proposals is a serious enforcement reform to balance the currently dominant privacy absolutism. Beyond that, the Voss plan suggests the right direction of rethinking some of the key GDPR principles. I’d add that we should also rethink the key definitional notions, including “personal data” and “special categories” of personal data. Also, GDPR reform should simplify digital data protection by addressing problems with a separate “cookie law,” i.e. with the ePrivacy Directive (see e.g. my Consent for everything? EDPB guidelines on URL, pixel, IP tracking).
Frankly, with a better, more balanced approach to enforcement—based on a realistic political economy perspective on bureaucracy and ideologies—I don’t think there would have been a need for much substantive reform. But we are now in a situation where the GDPR “in action,” as interpreted by the authorities and the courts, has been shaped by privacy absolutism. To address that, we likely need both changes in enforcement and in substantive rules.
Sensible GDPR reform needs to be based on a realistic understanding of what is wrong with the current system. Yes, there are some “red tape” concerns, but these pale in comparison with the more serious, structural problem of an enforcement framework which is institutionally biased in the direction of privacy absolutism. To focus on “record keeping” without tackling the latter problem would be to waste this opportunity. Europe needs a proportionate data protection framework, which protects individuals while avoiding absolutist zealotry and placing privacy above everything else.
Not too long ago, the idea that there may be an opening for a substantive GDPR reform seemed fanciful. Now, it is the official policy of the European Commission. I hope that the reform process will be open to voices from outside the privacy bubble, and will result in restoring the balance between privacy and data protection, and other vital interests of Europeans, like economic security and freedom of expression and information.