Out-Law Analysis
25 May 2023, 7:28 am
Five years on from its introduction into law, there is evidence that the General Data Protection Regulation (GDPR) has caused a shift in boardroom attitudes to data protection compliance – meeting a core objective of the legislators and regulators that drove reform.
Even before it took effect, businesses spent the months after the legislation was finalised updating their policies and practices and remediating contracts to prepare. The tougher penalties introduced for non-compliance provided a strong incentive for change, but we have also seen businesses seize the opportunity to use data protection as a differentiator in their market.
We expect the profound impact of the GDPR on business operations to continue between now and its 10th anniversary. This is a view shared by lawyers from across Europe who see potential for continuing technological development and its intersection with GDPR requirements to shape business strategies.
London-based Jonathan Kirsop of Pinsent Masons said: “I expect the continued and increasing prominence of data protection compliance, caused by the GDPR and the greater use and integration of data, for example in IoT devices, to drive businesses to put data protection at the heart of new projects.”
Paloma Bru and Lidia Vidal of Pinsent Masons in Madrid said that some companies in Spain are still not completely comfortable with their current situation in terms of GDPR compliance due to the costs, the technical complexity of some aspects, and because some view compliance as an obstacle to the business rather than as an element of added value. This, they said, occasionally leads to the lack of investment in the necessary resources to adapt to the GDPR regulatory reality. Despite this, they see scope for things to change.
Bru said: “As a result of the active role of the Spanish data protection authority (AEPD) in the increase of the number and the value of fines, the resources allocated to data protection compliance have grown exponentially over the last five years. There was proof of this early this year when the AEPD stated that more than 100,000 entities have appointed a data protection officer. Hopefully, the number of fines will stabilise or decrease in the coming year, demonstrating the awareness that companies are gradually acquiring in being more compliant.”
Niklas Follin and Fredrik Roos of Setterwalls, based in Stockholm, said they expect the GDPR to become a more integrated part of existing business processes instead of being treated as a layer of compliance requiring issues to be solved retroactively. “This will increase efficiency and allow businesses to make more informed decisions early on,” they said.
Monika Maćkowska-Morytz of Kochański & Partners based in Warsaw said businesses should expect more granular, sector-specific data protection guidelines, recommendations, good practices, and opinions to emerge at both the European and the national level in the coming years. This, she said, “will have a direct impact on the need for entities to proactively respond and adapt their business practices and procedures” and predicted that some of these changes would affect business strategies.
David Schwaninger of Blum&Grob in Zurich said that while the GDPR only applies to Swiss companies to the extent that they are offering goods or services to, or monitoring the behaviour of, EU-based data subjects, businesses operating in Switzerland will, from 1 September 2023, need to comply with legislation that is similar to the GDPR - the new Swiss Data Protection Act. The forthcoming reform has led more Swiss companies to "put data protection compliance on their agenda", said Schwaninger.
Stephan Appt and Daniel Widmann of Pinsent Masons in Munich said the GDPR has been at the heart of data-related issues arising in the automotive industry amidst their drive to develop new connected and autonomous vehicles.
“Car manufacturers have recognised that they are not only making cars now, but also making data and becoming data-centric organisations,” Appt said. “In the connected car context, this leads to very complex legal questions, such as which type of data generated by a connected car is in scope of the GDPR, and what data protection role – controller, processor, or joint controller – is performed by multiple stakeholders, such as car manufacturers and third party service providers, when they process personal data.”
According to Widmann, other issues to have arisen in the automotive sector include the question of data ownership and the rights to access, control and use that data. He said the GDPR’s ‘purpose limitation’ principle also raises potential challenges for car manufacturers wishing to make secondary use of the data they collect.
“Car manufacturers who record data generated for providing a specific service may also want to use such data to train their AI systems,” Widmann said. “For example, if the optical sensors of a car capture images of pedestrians walking down the street for a driver assistance system and a car manufacturer wants to use that data for purposes beyond providing the actual functionality, the authorities may expect it to blur and anonymise the data, which is technically tricky and often reduces value, such as where the training of a system requires a clear set of validation data.”
The way in which businesses develop and use new technologies is expected to be a major focus of data protection authorities’ work in the years ahead. The establishment of a new taskforce within the European Data Protection Board (EDPB) to coordinate the response of national data protection authorities to ChatGPT is an example of this, and follows the imposition of a temporary ban, and the subsequent lifting of that ban, on ChatGPT in Italy earlier this year.
Massimiliano Patrini and Miriam Cugusi of Milan-based law firm Gatti Pavesi Bianchi Ludovici said: “We can suppose that, in the next five years, businesses will face new challenges in complying with GDPR, mainly deriving from the development and massive use of AI and IoT devices.”
“Some provisions of GDPR do not readily apply to the AI and IoT context and, in general, to the massive processing of personal data to train algorithms. For instance, principles such as data minimisation, purpose limitation, the special treatment of ‘sensitive data,’ and the limitation on automated decisions are not easy to implement in AI. Therefore, stakeholders, supervisory authorities and EU authorities, need to collaborate to develop a GDPR interpretation that simultaneously protects data subjects and enables new AI applications development,” Patrini and Cugusi added.
Aurélie Caillard of Pinsent Masons in Luxembourg said AI has many potential benefits, to businesses, consumers and society more generally, but that safeguards are needed to protect against potential harm.
Caillard highlighted the controversial plans for AI-powered surveillance systems to be used at the Olympic Games in Paris next year as an example of how the technology can be used in pursuit of benefits – in this case, public security – but also how organisations can come in for significant scrutiny because of the intrusive nature of such technology.
She said AI raises many different data protection questions.
“We have already seen the regulatory attention given to ChatGPT in which issues such as transparency, the accessibility of the privacy policy, the exercise of user rights, the lawful basis for processing, and the protection of children's privacy all arose,” said Caillard, who said it is possible to imagine particular data protection risks around AI arising in specific sectors such as healthcare.
“If AI tools are used for diagnosing rare diseases it may be that the disease is so rare that supposedly anonymised data used to train such systems may in fact be identifiable,” Caillard said.
The pace of change in relation to AI has led some prominent technologists and entrepreneurs, including Elon Musk and Steve Wozniak, to call for a moratorium to be placed on the development of more powerful AI systems to enable safety protocols and governance frameworks to catch up with the rate of innovation.
Others do not want to see a ban on new technology. In a recent interview on the topic of AI, Luxembourg minister of digitalisation Marc Hansen said: “We are a country open to innovation, science and research. If the first reaction to every new technology was to ban it, we would be in the Stone Age.”
Dr. Axel Anderl and Nino Tlapak of Vienna-based law firm Dorda said the requirements of the GDPR have spurred some technological innovation to be initiated in jurisdictions outside of Europe, such as the US, China, India or the Philippines, with services developed to other standards then made available to European consumers online.
“A more balanced approach is required to ensure European-wide development of AI, blockchain,” they said. “This shall, of course, go hand-in-hand with ensuring data subjects' rights, but also more reflecting business interests as equally relevant as long as no sensitive data is involved.”
Pinsent Masons’ Jonathan Kirsop said that one area where a more pragmatic approach is needed is in relation to the GDPR’s requirements around international data transfers. Commenting in the aftermath of the recent enforcement action taken against Meta Ireland in respect of data transfer arrangements relating to Facebook, Kirsop said there are good reasons to avoid rigid interpretation and rules-based enforcement of international data transfers rules.
“There is clearly a risk – albeit it can be overstated – that US and other international companies simply cease to engage with European markets,” Kirsop said. “Similarly, this creates burdens on European SMEs, and larger companies, if they seek to comply with the requirements and – given the difficulty in doing so – encourages large-scale non- or partial compliance given the global nature of cloud and other IT-based services which companies rely on. It seems to me that if requirements are so hard to comply with then there is a risk that companies will just start to ignore them and ‘accept the risk’. This does not seem a positive position to be in.”
For businesses, the GDPR is just one of a growing number of pieces of legislation relevant to their use of data.
Massimiliano Patrini and Miriam Cugusi of Gatti Pavesi Bianchi Ludovici said the EU’s Digital Content Directive already enables consumers, subject to certain conditions, to pay for products or services using their personal data and that this strengthens companies' interest in exploiting personal and non-personal data. Niklas Follin and Fredrik Roos of Setterwalls highlighted how new regulations like the EU AI Act and a new e-Privacy Regulation are on the horizon and the importance of businesses integrating GDPR processes with the new requirements the new legislation will introduce.
Stephan Appt and Daniel Widmann of Pinsent Masons in Munich said the proposed new EU Data Act will also have to be taken into account by businesses in relation to their data practices, particularly automotive companies. Among other things, the proposals envisage enhanced rights of access to and portability of data.
Widmann said: “Automotive companies have to have viable legal solutions to protect their intellectual property and trade secrets. They also need to update internal practices and procedures to be able to deal with an increase of data access requests and data sharing obligations.”
Appt said that the increased data transparency envisaged under the Data Act could lead to a reduction in the market share OEMs have in relation to after-sales. He added that implementing data access for third parties continuously and in real time would also be a technical challenge and that the prospect of more open ecosystems significantly increases cyber risk.
Aurélie Caillard of Pinsent Masons in Luxembourg said some businesses may also have to consider data protection risks as part of their obligations under the EU Digital Services Act.
“With the growing prominence of open-source models of developing AI, there are real questions over how appropriate control can be exercised and safeguards applied to data input to those models,” she said. “Very large online platforms that support the development of open source AI models are likely to face a duty to manage those data-related risks under the EU Digital Services Act and, potentially, disclose them to regulators.”
There are split views among the legal community on the extent to which the GDPR enables technological innovation.
Dr. Axel Anderl and Nino Tlapak of Dorda said that their experience is that it does not, though Monika Maćkowska-Morytz of Kochański & Partners, and Niklas Follin and Fredrik Roos of Setterwalls, highlighted how the cybersecurity market in particular has boomed since the GDPR took effect. David Schwaninger of Blum&Grob said the GDPR has also spurred some businesses to digitise internal processes.
Jonathan Kirsop of Pinsent Masons said he believes the GDPR “is and has been a net inhibitor – not enabler – of technological innovation”. He said that while this has served to put a check and balance on potential harmful developments, including in the field of AI and profiling tools, the GDPR has stifled potentially positive innovation.
“A good example is in respect of the so-called ‘purpose limitation’ principle and its effect on organisations’ ability to use personal data collected for other purposes to train AI and other tools to create accurate, and unbiased, outcomes,” Kirsop said. “Similarly, the restrictive nature of the research exemption – which allows for the use of personal data for research purposes but only in limited and essentially academic environments – has had a limiting effect on commercial organisations’ ability to use and manipulate data to research and test technological tools and carry out related analytical activities.”
“It is notable that these are two areas which the UK government is looking to address in the Data Protection and Digital Information (No.2) Bill, with the intention of facilitating greater innovation within the overarching framework implemented by the GDPR,” he said.