GDPR is still proving difficult to implement, placing a major financial burden on SMEs, providing a lack of clarity for developing new tech such as artificial intelligence, and little consistency among individual EU states over how to implement the regulation.
So says a new draft report, commissioned by Brussels as part of a legal obligation to provide an update on the GDPR, which marked its second anniversary in May.
According to the FT, the report states: “Challenges lie ahead in clarifying how to apply the principles to specific technologies. Some stakeholders report that the application of GDPR is challenging, especially for small and medium-sized enterprises.”
It comes two years after Austrian lawyer and privacy activist Max Schrems warned of the inbalance of the regulation. At the time, he said: “There’s huge uncertainty for small businesses because some areas aren’t clear on what companies must do. And potential fines, at €20m for smaller companies, are too high – €100,000 would have been more sensible.
“I think the general objective of the law makes a lot of sense, but there’s still an issue about how, in practice, the data protection authorities are going to deal with it.”
And this last point has also been raised in the report, which highlights the “lack of consistent approach” between how different data protection authorities in different states police GDPR, in particular the age at which children could consent to allow social media firms to handle their data. Some countries have set the minimum age at 16, others at 13, 14 or 15.
It points out that, while this is not against the letter of the law, member states should be more harmonised.
The report comes amid growing unrest over how well GDPR is being implemented, with critics pointing out that many EU countries have simply have not given their data protection authorities adequate funding.
Out of all the critics, the Germans have been the most vocal, insisting that the “one-stop shop” model – which makes the Irish Data Protection Commission the top regulator in the EU – is flawed because the Irish DPC does not have the necessary resources.
Meanwhile, tech start-up Brave – which has been a long term critic of the likes of Facebook and Google – has also waded into the debate by revealing that under-funding is an EU-wide problem.
In response, European Commission chiefs have urged member states to provide adequate resources to their data protection authorities to make effective use of their enforcement powers, admitting that regulators have yet to reach their “full capacities”.
In a joint statement, Věra Jourová, vice-president for values and transparency, and Didier Reynders, commissioner for justice, praised GDPR for “not only shaping the way we deal with our personal data in Europe”, but for becoming “a reference point at global level on privacy”.
However they added: “GDPR has changed the landscape in Europe and beyond. Nonetheless, compliance is a dynamic process and does not happen overnight.
“The national data protection authorities have often not yet reached their full capacities. We therefore call upon member states to equip their data protection authorities with the adequate human, financial and technical resource to make effective use of their enforcement powers.”
GDPR two years on: EU chiefs finally admit funding issue
Now Germans call for GDPR shake-up to avoid ‘collapse’
Brussels urged to act on GDPR failings or risk demise
Top EU data cop cutback threat triggers EU complaint
2019 Review of the Year: Why it’s crunch time for GDPR
GDPR is far too tough on SMEs claims Facebook nemesis