FEDMA Takes Part in GDPR Implementation Dialogue hosted by Commissioner McGrath

Yesterday, FEDMA took part in an Implementation Dialogue in Brussels on the application of the General Data Protection Regulation (GDPR), hosted by Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath. The dialogue brought together representatives of business and civil society organisations to share their insights from their experience with applying the GDPR.

The consensus from all stakeholders was an urge to the European Commission not to reopen GDPR but to focus on greater legal clarity and a more consistent enforcement.

The discussion was structured around four themes:

1. Further simplifying and reducing administrative burden

FEDMA called for a coherent legal environment that enables both data protection and innovation. The emphasis must be made on the need for balanced, risk-based interpretations of the GDPR that align with broader EU goals, including the Data Union Strategy.

Other industry organizations present detailed the need for targeted amendments or clarifications meant for SMEs and midcap companies, including on record keeping, use of pseudonymization, special categories of data, and Data Protection Impact Assessments (DPIA) for third party countries for low-risk data.

Representatives from consumer organizations pushed back against the claim that the current interpretation of data protection legislation hurts innovation, stating most abusers remain unaccountable for their actions.

Most agreed that the use of standardized icons, guidelines and templates would greatly improve the overall harmonization across members states.

2. Increasing legal certainty, reducing fragmentation and further harmonising enforcement

There is high uncertainty on the definition of personal data and the material scope of the GDPR, while other data laws only define non-personal data “negatively” as data that is not personal data according to the GDPR which makes the scope of non-personal data very narrow and unclear.  To address ongoing legal uncertainty around the limits of the notion of personal data under the GDPR, FEDMA underlined a pressing need for the EDPB to develop clear, practical, and workable guidelines on what constitutes anonymous data. Such guidance is not only essential to clarify the scope of the GDPR and help organisations more effectively allocate compliance resources, but it is also strategically important to support the European Commission’s efforts to build a strong and innovation-friendly Data Union.

As one industry organization explained, this fragmentation also leads to unfair disadvantages for a company dealing with a Data Protection Authority (DPA) with stricter views of GDPR (such as the CNIL) against companies in countries with more a lenient DPA.

Civil Society stressed the need to include consumers when it comes to any simplification measures, such as Article 8 of the GDPR (on child consent), which is failing across Europe.

The overall agreement however is that the EDPB must be responsible for ensuring the consistent application of the GDPR.

3. Facilitating compliance with the GDPR

FEDMA stressed the importance of Codes of Conduct and Certifications and how underutilised they are due to procedural gridlocks; we detailed how governance reform is essential to unlock their full potential.

Other representatives shared their (agonizing) experience in passing codes of conduct at European level. With only 2 codes with European validity in 7 years of GDPR, many agreed they are a missed opportunity of the GDPR. One industry association called for an amendment allowing the European Commission to approve codes of conduct on advice by the EDPB.

FEDMA also strongly reiterated the equal footing of legitimate interest (LI) compared to other legal basis to process personal data. When it comes to electronic marketing communications, the GDPR acknowledges that direct marketing can, under certain conditions, be based on legitimate interest, which was confirmed by the European Court of Justice last year. The various interpretations of the GDPR, such as the use of LI, will only lead to further fragmented implementation of consent exemptions.

Others mentioned the importance of LI for anonymised and pseudonymised data when it comes to AI training models. Clarification by regulators on this aspect is crucial to ensure European AI models can compete with American and Chinese ones.

4. Clarifying the articulation with other digital legislation

FEDMA drew attention to the ongoing challenging coexistence between the GDPR and the ePrivacy Directive. One example explained is Article 5(3) of the ePrivacy Directive, which mandates consent for any access to or storage of information on end-user devices, regardless of the actual risk posed to individuals. This black-and-white approach makes no distinction between different types of technologies or processing purposes. As a result, even Privacy Enhancing Technologies like pseudonymization, which are promoted as safeguards under the GDPR, are now being treated as intrusive under ePrivacy, especially following recent EDPB guidance.

Industry associations generally argued that the ePrivacy Directive must be fully repealed and broken down into existing or planned legislations to avoid yet another layer of legislation, while consumer organizations argued against breaking it up, stating its content needed its own law.

When it comes to the interplay between GDPR and the AI Act, the consensus was that further clarification is needed on impact assessments, training models and the different timelines across legislations to report a breach.

In our final remarks to the Commissioner, FEDMA laid out how simplification for SMEs and a coherent legislation and enforcement are beneficial for regulators, industry stakeholders and consumers alike.