GDPR Reform Package Expected to Spark Strong Tensions, IAPP Says
Expect vibrant, passionate debate among stakeholders over the European Commission's digital simplification package, similar to what transpired during development of the GDPR, IAPP officials said at a briefing Thursday, which was prompted by an apparently leaked draft (see Ref:2511100006]).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Anyone around when the GDPR was hammered out -- the proposal was made in 2012 and adopted four years later -- saw a variety of debates, IAPP Managing Director, Europe, Isabelle Roccia said in response to our question about potential tensions between the European Parliament and Council in eventual negotiations. Some GDPR debates were factual, others were more emotional because of the nature of the topic, which was fundamental rights. Similarly, recent commentaries on the simplification proposal show "that we may have a little bit of that dynamic as well at play."
Several government agencies and EU governments and regulators contributed to an EC call for evidence on the package, Roccia noted. While there were many commonalities in their positions, particularly among government agencies, several pointed to national interests, especially around cybersecurity, that some EU members will want to protect, she said.
French privacy watchdog CNIL's submission made clear that its approach to consent under the GDPR is based on its unique interpretations and regulatory practice, as is the case with other regulators, Roccia said. Some of these philosophies are deeply rooted in stakeholders' practices, and these differences of opinion will be where reconciliation will be needed during negotiations, she added.
The issues transcend the "technical, dry and boring," said Joe Jones, IAPP director of research & insights. Whether people like it or not, such issues are on the desks of presidents and CEOs, and with that comes some volatility, he said.
Some of the geopolitics that will arise will focus on the proposal's trade-offs, Jones said. There will be questions about what the EU is giving up, for what benefits and how benefits will be measured.
One key framing for the geopolitical debate is the EU's place in the world, Jones said. He noted that the bloc has had great success in exporting EU standards and regulations around the world, a phenomenon known as the Brussels effect. Accordingly, just more than 10 years ago, less than 10% of the world's population was covered by a comprehensive national privacy law. Today, that number is nearly 80%, and some of the most populous nations have copied the GDPR, Jones added.
"The question is, if that was phase 1 of the Brussels effect, what does phase 2 look like?" Jones asked. He questioned whether all the countries that adopted EU laws will now tackle simplification as Brussels has. Doing it differently would create global fragmentation, raising questions about what that would mean for the global digital economy, he added.
Proof of the intensity of the debate -- even before the proposal becomes official -- came Thursday in a letter from 127 civil society groups to the EC. The groups, which include Noyb, Amnesty International, the Center for Democracy and Technology and Privacy International, urged the EC to "rethink its plans."
What's being presented as a "technical streamlining" of EU digital laws is, in reality, "an attempt to covertly dismantle Europe's strongest protections against digital threats," the organizations wrote.
Among other things, they pressed the EC to "immediately halt any attempts to reopen the GDPR, ePrivacy Framework, AI Act or other core digital rights protections."