In May 2024, European Commission is expected to issue its Second Report on the evaluation of the General Data Protection Regulation (GDPR). This is a mandate of the GDPR itself that requires, in particular, to take into account of “developments in information technology” (Article 97 GDPR).
Since the First Evaluation Report in June 2020, European Commission has led a great deal of policy initiatives in the digital area proposing smart regulation based on the principles of accountability and responsibility to address undesirable behaviors of the big platforms.
All these initiatives have resulted in new rules like Digital Markets Act (DMA), Digital Services Act (DSA), Data Governance Act (DGA), Data Act (DA), Artificial Intelligence Act (AI Act), building on GDPR as a testimony of the EU gold standard in protecting, using and accessing personal data.
Accountability and responsibility in the GDPR
The principles of accountability and responsibility embedded in GDPR are key elements for any future-proof regulation. While some voices call for “review” of GDPR, the technologically neutral, principles-based approach of GPDR constitutes its undeniable strength in order to remain future proof and adaptable to emerging technologies and new uses of data.
Adding sectoral regulations in a kind of “regulatory lasagna” is not the optimal way to address specific challenges. When analyzing some legislative instruments, one may deduct that the legislator has thought: “double regulation protects better” as if legislators would like to translate the German proverb “Doppel genäht hält es besser” (better safe than sorry).
As an example of future-proof rules, the civil liability regimen of Roman Law, which has passed the test of time.
Outdated ePrivacy regulations
As a counter example, European electronic communications service providers are subject to outdated sector-specific ePrivacy rules, dating back in 2002 and lastly reviewed in 2009. European Commission put forward a proposal to update these rules in January 2017 and 7 years later, co-legislators have not been able to agree on a final text. This is a clear example of how legislative instruments should not be built.
Years of unsuccessful negotiations between European Parliament and Council/Member States reflect that a future proof legal instrument cannot be built upon a list of close cases or exceptions.
Overreliance on outdated exceptions makes a poor text, not fit for purpose and that can have a very negative impact on European companies and European economy, at large, without delivering better privacy protection for citizens, which ultimately is the reason for being of the regulation.
Redesigning legislative approaches for the Digital Era
Ahead to the new legislative term, European Commission will need to take stock of the lack of progress and to draw conclusions for next steps.
European Commission should not insist further in maintaining a specific rule for a sector that has turned to be horizontal, as we cannot talk anymore of “e-communications” but to “digital” at large, covering all kind of digital services and players of today and tomorrow (eg.: Metaverses are only at inception stages, but will grow exponentially in the coming years).
Instead, European Commission should re-focus on what is most important in the current ePrivacy Directive: the principle of confidentiality, enshrined in the Charter of Fundamental Rights of the EU, the Treaty of the Functioning of the EU and the national Constitutions. If additional rules are necessary to develop the constitutional principle of confidentiality of the communications, these should be included in a horizontal instrument like GDPR or the forthcoming DNA (Digital Networks Act).
Digital Networks Act: Redefining digital regulation
According to Commissioner Thierry Breton, responsible for Internal Market, European Commission will work a bold, future-proof and game-changing DNA to redefine a shift in digital regulation. Probably, this is where the principle of confidentiality of communications fits best, without reviewing GDPR with the inherent risk of opening such a comprehensive and complex legislation. Careful consideration must be given to the fact that those who call for reviewing GDPR are maybe those more interested in weakening it.
Including the principle of confidentiality of communications within the future DNA would make unnecessary sector specific rules, as all entities providing digital communications would be subject to this fundamental principle.
The DNA would then provide the right answer to foster EU digital innovation in a privacy friendly way, enabling the responsible processing of personal data.
