How to bring GDPR into the digital age

Axel Voss is a German member of the European Parliament focused on data protection legislation and other digital files. He is a member of the Parliament’s Legal Affairs Committee and legal policy spokesperson for the European People’s Party (EPP).

Europe has a love-hate relationship with its landmark data protection legislation, the General Data Protection Regulation (GDPR).

On the one hand, the legislation has been a clear win for Brussels: By setting data protection rules and levelling the global playing field, the European Union can claim to be a rulemaker rather than a ruletaker when it comes to protecting private information online.

On the other, its implementation has been a huge headache for the average business, organization and citizen. But most importantly, the GDPR is seriously hampering the EU’s capacity to develop new technology and desperately needed digital solutions, for instance in the realm of e-governance and health.

While the creation of our golden standard of data protection is a great achievement, it has come to be seen as something untouchable that ranks above all other legal interests and fundamental rights, with no exception.

Many of the important technologies of the future — such as artificial intelligence, blockchain or single sign-on solutions — were already widely known in 2016, when the GDPR was finalized. And yet, provisions in the legislation — which many argue was supposed to be “technology neutral” — make it impossible to properly use or even develop them.

In order to train AI systems, for example, you need to be able to process large amounts of data, particularly if you want to avoid discrimination in their algorithms. As several heads of state, including German Chancellor Angela Merkel, recently wrote in a letter to European Commission President Ursula von der Leyen, data is our new “global currency.” And yet, the vast majority of data is being stored outside the EU, which risks making it impossible for us to be competitive in any form of digital innovation, undermining our future economic prosperity.

The legislation poses similar problems to the use of blockchain or facial recognition. The GDPR even prevents the proper use of the home office solutions that became especially urgent during the pandemic. When dealing with personal data while working from home, users are left alone with numerous legal obligations that are difficult to understand and may find themselves unknowingly in breach of the law.

The coronavirus pandemic also highlighted how the GDPR has prevented better health management, as its provisions hampered the use of tracing apps or even the exchange of data between local authorities for contacting potential vaccine recipients.

These examples indicate the areas that should be of greatest concern. For many political players, data protection has evolved into an absolute right that outweighs all other interests. They argue that even small and proportionate privacy interferences for the good of all — like distributing the coronavirus vaccine — are unjustified.

If we rethink data protection in a more balanced way, the solutions to these problems are not that complicated.

First, we need to increase the processing of depersonalized, mixed and nonpersonal data. That can be achieved by simply promoting the use of techniques allowing anonymity or the use of pseudonyms, and by giving businesses the legal certainty to share more data voluntarily. This would already largely enable the development of digital solutions from AI to tracing apps.

We also need to offer more guidance and exemptions for smaller businesses, startups and organizations. If only large digital companies have the expertise and capabilities to easily implement the GDPR, this consolidates their monopolies even further. With more guidance, we could at least reduce the headache for small business owners and enhance the global competitiveness of European pioneers.

Finally, we need a clear, common approach to implementing GDPR rules, rather than letting each member country and national data protection authority go their own way. All this can be fixed if we revise the GDPR, remove most derogations and streamline the interpretations.

Many of my colleagues in the European Parliament claim now is not the time to make changes. They say they prefer to wait to see how things play out. But this “wait and see” approach does not work in the digital age, where technology moves so much faster than our ability to legislate.

There is no time left to waste. We must find a more balanced approach to data protection that protects our rights without creating unnecessary barriers to the digital innovation that is essential to our future.