EU Digital Policy Official Sees Potential Changes for GDPR Data Processing
The GDPR’s Article 5 data-processing principles will likely remain intact, but there’s potential for compromise on revisions to other data-processing requirements in forthcoming negotiations, a center-right digital policy advisor for the European Parliament said Friday at the Privacy + Security Forum spring academy.
Sign up for a free preview to unlock the rest of this article
The European Commission is expected to issue a potential plan for GDPR revisions by May 21, according to a tentative agenda. Kai Zenner, head of office and digital policy adviser for Axel Voss, expressed optimism Friday about finding common ground with Austrian privacy activist Max Schrems and his camp on revising the GDPR to better reflect the regulation’s original “risk-based” intent. Voss is a German Member of the European Parliament from the European People's Party Group.
Stephen Almond, U.K. Information Commissioner’s Office executive director-regulatory risk, told us last month that the ICO is exploring a more relaxed approach to behavioral advertisement-related privacy enforcement, in part by using the GDPR's "legitimate interest" principles (see 2504280042).
Zenner said GDPR Article 5, “principles relating to processing of personal data,” is “rather safe” because agreement on them was so difficult to strike and there’s an “unwillingness to touch them.”
Changes “could be possible” for Article 6, “lawfulness of processing” and Article 9, “processing of special categories of personal data,” said Zenner. There’s also a desire to remove some notification requirements for industry, given “duplicative” reporting requirements with enforcers of the GDPR, the Digital Services Act and European cyber laws, he added.
Some think tanks and companies have been pushing for GDPR reform, he said: While industry is focused on “deleting” provisions that are creating unnecessary regulatory costs, civil society would like to see certain aspects of the GDPR strengthened, he said: “Different camps have very different opinions,” said Zenner, who helped negotiate and write language in the EU AI Act.
European lawmakers had learned from the mistakes of the GDPR when they wrote the EU AI Act, he said. The EU’s comprehensive AI regulation is more flexible than the GDPR in that it’s less “restrictive or fixed” with a regulatory “baseline” that can be updated regularly.
“Everyone” in Germany is still “traumatized” by GDPR enforcement, given the 18 different enforcers from member states, he said. There was a desire for a much more centralized enforcement body in the EU AI Act, he said. Ultimately, the AI regulation established the European AI Office, but national market surveillance authorities also have enforcement authority. The EU AI Act is somewhat of a “hybrid,” he said.