The European Commission had previously indicated that it will review the provisions of the General Data Protection Regulation (GDPR) this year to see if any changes are needed in light of the experience of the past six years.
However, the Commission later stated that the review would not happen until 2028, although the GDPR obliges the Commission to submit its report on the review to the Parliament and to the Council every four years. The Commission claims that 10 years are needed to gain sufficient experience and it will also be necessary to see how the EU's artificial intelligence (AI) legislation develops and what problems it will raise. These can be reviewed at a later stage so that all stakeholders can be involved.
It was expected that the Commission’s review would modify the GDPR in such a way that focuses a little more on practical problems, for example, the relaxation of extensive documentation requirements for small businesses. Others say that the dynamic development of AI demands a shift in the spirit of the GDPR. Its rather strict rules have already forced the EU legislator to grant exemptions from certain GDPR requirements for AI applications, this is how the so-called ‘regulatory sandbox’ rules were introduced into the EU Artificial Intelligence Regulation. However, according to stakeholders, these exemptions are still not enough to ensure the competitiveness of the European AI development.
In the Commission’s view it was already known that if the GDPR is indeed amended, the amendment will not be comprehensive, since it is extremely time-consuming to negotiate with Member States and stakeholders and it would be doubtful to find a compromise. In April 2023, the European Parliament voted that it was essential to amend the GDPR implementing rules. In this context, several other actors had called for changes to certain provisions. For example, there is a lack of consistency in the practice of supervisory authorities about the legal bases for data processing, especially for clinical or scientific trials. In the Member States, the authorities’ practices on compliance requirements differ significantly. The EU Commission has therefore asked the European Data Protection Board to guide in these areas, but this has not yet been done. In addition, data protection authorities are so overwhelmed by complaints that they do not have the resources to deal with other issues (e.g. awareness campaigns, guidelines) and supervisory bodies are understaffed in many cases. The enforceability of children's rights also raises practical problems, which also would require certain amendments to the GDPR enforcement rules.
By Rita Parkanyi, Partner, KCG Partner
