The world has not yet figured out many aspects of the data era, despite progress on better protection of personal data, Data Protection Commissioner Helen Dixon has said.
A tug-of-war between regulatory action on privacy and competition rules is playing out in the implementation of the GDPR, the DPC adds.
Interlocking laws
In its annual report, the Data Protection Commission points out that a new suite of interlocking laws – such as the NIS2 Directive, the Digital Markets Act, the Digital Services Act, the E-Privacy Regulation, the Artificial Intelligence Act, and the Data Sharing and Governance Act 2019 – demonstrate that the GDPR was never going to resolve all data issues in one single legislative instrument.
But different views have emerged on how to co-ordinate at both EU and cross-regulatory levels, and under which structures, the report adds.
“What is clear, if hardly surprising, is that not everyone is seeing things in the same way,” DPC Helen Dixon points out in her executive foreword.
The report adds that political debate rages on:
- Whether targeted advertising could or should be banned,
- Whether anonymity should be preserved in the online sphere,
- Whether derogations should be allowed in cases of child-sexual-abuse material,
- How to secure global data flows, while still protecting personal data,
- How to allow proportionate access, consistent with national security requirements.
Not all multinational activity falls within the scope of the GDPR’s one-stop-shop arrangements, however, leading to difficulty reconciling cross-border decisions on processing operations, the report points out.
Intended co-ordination efforts, across a level playing field, have been undermined, the report says, but fragmentation could be eliminated with the implementation of a single legal framework.
The Data Protection Commission (DPC) has been asked for more and more guidance and direction about how to comply with GDPR, and how to demonstrate accountability, according to its annual report.
Guidance
In response, the DPC intends to publish additional guidance – including more regular case studies of issues it has decided – and supporting the work of data-protection officers in their on-the-ground roles within organisations.
The DPC’s position, based on the terms of the GDPR and the EU Charter of Fundamental Rights, is that the processing of personal data:
- Must be grounded on an appropriate legal basis,
- Must satisfy proportionality requirements, and
- Must allow foreseeability by the public of the purposes and uses for which their data will be processed.
Insufficient consideration is given to the requirement to demonstrate that a given processing operation is grounded on one or more of the legal bases expressly provided for by the GDPR and the LED, the report adds.
“Such gaps are especially likely to be found in those cases where special category data is being processed or where data is being processed for law enforcement purposes,” the report says.