The Old EU Data Protection Act survived without much legislative revision from 1995 until 2018, when GDPR was implemented. If the EU Commission intends to live up to its digital ambitions as a ‘world-class data hub’ and reinforce its position as a global leader in data privacy and protection legislation, it must balance the legislation on data privacy against digitization and trade on several GDPR components, such as global data transfers and data sharing.
The EU Commission must not give up the traditional lead on global data privacy rights and powers to consumers and citizens. However, the GDPR can be positioned in the broader global regulatory landscape by revising the data adequacy arrangements, removing human review from automated decisions, and increasing the number of lawful bases for processing sensitive data to fit the digitization and data transformation options in the fast world of 5G.
Resolve the 20-year conflict over how to transmit transatlantic data flows
If the EU Commission acts in a timely manner, updating some of the data protection rules and replacing them with improvements that reflect the new Data Transformation and Digitization upgrades currently taking place in the corporate world would remove the need to scrap several GDPR components.
The GDPR data protection framework is often labelled as both prescriptive and inflexible, which suppresses growth and innovation. Therefore, the European Union must first address and resolve the 20-year conflict over how to transmit transatlantic data flows. This is crucial for both economies, and the EU cannot become a data island as data knows no borders.
The above revisions will address the level of compliance obligations businesses must adhere to. For example, consent mechanisms are impractical and criticized, as the inflexible rules limit how companies can develop artificial intelligence (AI), blockchain, big data and data transformation systems.
Some burdensome, costly, and impractical examples
The revisions will further structure data protection to reflect highly active cybercriminals and to engage in the digital economy by reducing the overwhelming documentation on consent requests, as well as the complexity and restrictions on the use of data for worthwhile digitization purposes. One option is to replace the conditions with a legalistic version of consent by introducing data processing legitimacy that benefits society, often bypassing user input.
Article 5 and Article 22 of GDPR pose constraints that limit the execution of new AI systems, with barriers on organizations collecting new data and reusing existing personal data for other purposes that could enhance innovation, as data is the new black.
Article 5 also requires data to be collected for specified, explicit, and legitimate purposes. In contrast, Article 22 stipulates that data subjects must not be exposed to decisions made solely based on automated processing, including profiling, which restricts the use of big data in AI and automation.
Data as the new black can boost productivity, innovation and growth and encourage competition
GDPR revisions could allow automated decision-making by removing the human review from algorithmic decisions. Businesses can instead document how decisions are made, rather than detailing complex information about their systems and the logic involved;
- Renewing the data adequacy conditions
- Disrupting data flows between borders without the need for specialized transfer mechanisms.
Revising the option to share data with many more countries could boost productivity, encourage competition, and stimulate much-needed innovation and growth in the EU and the global economy. At the 14th annual GRC/GDPR Summit, on the 14th of November 2021, we will address the above issues: https://www.copenhagencompliance.com/2021-annual-european-grc-gdpr-summit/