Early on, the General Data Protection Regulation – or GDPR – faced a lot of naysayers, who warned that the law would fall short of expectations.
Now, as we mark the six-year anniversary of GDPR’s application in May 2018, it seems clear that predictions about the framework’s impending failure missed the mark. To date, GDPR supervisory authorities have brought enforcement actions against hundreds of businesses, with individual fines running into the hundreds of millions of euros. The law has forced businesses across the globe to take data privacy more seriously than many did before GDPR took effect.
Although it’s clear that the GDPR did not turn out to be a failure, there are key areas where the law could stand to be improved. Here’s a look at some of the gaps in GDPR and how regulators might take steps to address them.
Subjective interpretation of GDPR’s requirements
One of the most common criticisms of the GDPR is that many of its mandates are principles rather than explicit instructions. Instead of defining which technical controls businesses must implement to protect data, the framework requires “appropriate technical and organisational measures” (Article 32) and leaves what counts as appropriate to interpretation.
For instance, the GDPR states that businesses can process personal data when they have a “legitimate interest” in doing so (Article 6(1)(f)). But beyond a handful of examples in the recitals, such as fraud prevention, direct marketing and network and information security, it does not spell out which interests qualify, nor does it say how the required balancing test against the data subject’s rights should come out for specific industries or business models.
This ambiguity places the onus on businesses to interpret GDPR requirements for themselves, which can be a time-consuming and costly process. It’s especially burdensome for smaller businesses, which typically don’t have legal and compliance experts on staff to assess whether the ways they use personal data conflict with GDPR requirements.
That said, the vagueness of many of the GDPR requirements is, to a large extent, a feature more than a bug. If the GDPR were more prescriptive and rigid, it would likely become even more difficult for many organizations to meet the law’s requirements. For instance, if regulators attempted to define privacy controls for specific industries, businesses that operate across multiple verticals, or that aren’t among the industries for which regulators specify requirements, might find themselves facing even more ambiguity surrounding the law’s requirements than they already do.
For that reason, it would be difficult for the GDPR to depart from its current strategy of defining privacy on a principles basis rather than laying out specific, prescriptive rules. But regulators can still take smaller steps to provide more clarity about how to interpret the law, for example by pointing to organisations that they believe have implemented adequate controls, or by continuing to issue guidelines of the kind the European Data Protection Board already publishes. At the same time, the ever-growing set of enforcement cases is creating an expansive body of precedent that businesses can draw upon when interpreting the framework’s mandates.
The issue of cross-border data transfers
The GDPR places stringent restrictions on organisations’ ability to transfer personal data collected within the EU to countries outside the EU/EEA. The purpose of these restrictions is to reduce the risk that businesses operating outside the EU will process personal data in ways that undermine the protection of individuals in the EU, thereby undercutting the purpose of implementing GDPR protections in the first place.
The challenge with this very reasonable goal is that it’s much easier in today’s world for businesses to operate globally, so data infrastructure and supply chains often pay little heed to international borders. Complex requirements for transferring data outside of the EU substantially increase the burden that businesses face when complying with the GDPR.
In the past, regulators worked to address this issue through initiatives like Privacy Shield, which made it easier to transfer data between the EU and the United States. However, the Court of Justice of the EU invalidated Privacy Shield in its Schrems II ruling in July 2020, and although a new arrangement, the EU-US Data Privacy Framework adopted in 2023, has emerged to replace it, it remains unclear to what extent this will resolve the complexity of cross-border data transfers over the long term. Plus, because the Data Privacy Framework only applies to the United States, there’s little it can do to simplify data transfers from the EU to other regions of the world, where businesses still rely on mechanisms such as standard contractual clauses.
Redefining cross-border data transfers with more permanent guidelines can address a gap in the regulation while providing clearer instructions for global businesses.
Tackling AI and other emerging technology
The designers of the GDPR couldn’t predict the future any better than anyone else. Understandably, they drafted the law during the 2010s with an eye toward the technologies that existed at the time and the ways those technologies could process personal data.
Fast forward to 2024, however, and the technology landscape has shifted massively. The most obvious change, perhaps, has been the emergence of new forms of artificial intelligence technology – particularly generative AI services powered by Large Language Models.
From the perspective of the GDPR, generative AI and LLMs raise a whole host of thorny questions: what lawful basis covers training on personal data scraped from the web, how data minimisation and retention limits apply to training corpora, and how a data subject’s right to erasure can be honoured once their data has been absorbed into model weights that cannot simply be edited. Because these systems are adopted so broadly, it’s imperative that a globally recognised regulation like the GDPR not leave such gaps unaddressed.
And given the rate of AI adoption, regulators will need to provide that clarity sooner rather than later if they want to ensure that the law keeps pace with technology changes, and that businesses are able to take advantage of the most innovative technology without worrying about running afoul of the GDPR.
GDPR: A great privacy protection law with room for improvement
The GDPR is a landmark law that has significantly advanced personal privacy in a world where personal data has become all too easy to misuse. As data processing evolves, and new technologies are rapidly adopted across the workforce, it’s imperative that regulators continuously review the law’s requirements against the current and future landscape. Addressing the gaps described above swiftly will only make the law more valuable and easier to comply with.