Attorney: GDPR Needs Stronger EC Enforcement, Not Risk-Based Approach
The General Data Protection Regulation shouldn't become a tiered, risk-based regime, though the European Commission should have more centralized power to enforce it, Charly Helleputte, Squire Patton Boggs EU data privacy attorney, said in an email. His comments responded to Axel Voss' recent tiered GDPR proposal. Voss is a German Member of the European Parliament from the European People's Party Group. He discussed his proposal during a March 3-4 Centre for European Policy Studies Ideas Lab panel.
Voss argued that the GDPR's one-size-fits-all approach is "strangling" EU small and mid-size start-ups with high compliance costs while at the same time effectively failing to rein in Big Tech. He pitched the idea of a three-layer, risk-based approach similar to that of the Digital Services Act and the EU AI Act that would allow "proportionate, effective and enforceable compliance with EU privacy rules based on the size of the company, the type of data processing, and the impact on privacy."
The "mini" layer would apply to some 90% of all businesses: those that process data on fewer than 100,000 data subjects and don't handle special categories of personal data such as health records, Voss wrote on LinkedIn. These companies would no longer need data protection officers, and would be subject to simpler transparency and documentation rules. Fines for violations would be capped at 500,000 euros ($543,000) rather than 20 million euros.
The "normal" layer of obligations would apply to all companies that process sensitive personal data or operate at a larger scale, but which still don't reach the level of large tech corporations, Voss said.
The "plus" level would apply to very large online platforms, online advertisers and data brokers, those which process data from at least 10 million individuals or provide services to 50% or more of a country's population, Voss said. These companies would have mandatory external audits, tougher transparency rules, and the obligation to prove they're complying with the GDPR (as opposed to regulators doing so).
"My proposal is not about weakening the high EU standards," Voss wrote. "It is about making the GDPR smarter, more enforceable, and more proportionate," cutting red tape and immediately boosting Europe's competitiveness in the digital world.
Helleputte disagrees with the approach. He told us that the GDPR, as a principles-based regulation, "tries to capture all possible processing activities through the lens of fundamental core principles" such as accountability, fairness, transparency and lawfulness. Those principles apply to all data controllers and processors, big and small, he added.
The principles are the "foundation of the regime," Helleputte said. They're core to how the rules were built and why they should last over time, be technology neutral and promote accountability. Helleputte said he doesn't "want a mini version of the GDPR to live alongside a GDPR+."
If there's anything that's not working well with the GDPR it's probably enforcement, Helleputte argued. It took national data protection authorities (DPAs) a long time to level up and begin enforcement action, and none of them, in the absence of a one-stop-shop, are really working, he said. Patches made by the European Data Protection Board (EDPB) aren't effective because the board is being weaponized over what are likely ill-drafted provisions, he added.
Privacy policy is often compared to antitrust, Helleputte noted. He said that while he usually disagrees with that stance, he believes antitrust enforcement mechanisms could also work for data protection. The European Commission could run centralized enforcement for "significant" cases, with criteria to be defined; and local DPAs could handle matters of domestic importance, leaving them some discretion as to priorities, with the EDPB ensuring consistent approaches.
Given the long, complex negotiations on the GDPR, will reopening it now spark problems?
The previous EC didn't show much appetite for reopening the regulation, Helleputte said, and shifting most enforcement powers to the EC is unlikely to appeal to many.
"But if the EU wants to keep its 'leadership' in privacy (and it is fair to say that the leadership is challenged by many other blocs, for example the initiatives in relation to international transfers), and get over a form of GDPR fatigue for those who need to comply, it needs to get enforcement right," Helleputte added.
While there have been "noises" about revising the GDPR, Hogan Lovells data protection lawyer Eduardo Ustaran, in an email, wrote, "I don't think that there is critical mass at the moment to trigger legislative reform." However, he said, some changes would not be misguided, and "the U.K. may show some possible areas of reform that could well be followed by the EU."
Talks between the European Parliament and Council on EC proposals for tougher GDPR cross-border data protection enforcement (See 2411040001) are ongoing, an EC spokesperson said Friday.