European Commission opposes amending GDPR, focusing on enforcement instead
The European Commission does not plan to reopen the General Data Protection Regulation (GDPR), instead focusing on enforcement, as privacy in the age of artificial intelligence (AI) is becoming increasingly controversial.
The GDPR establishes standards for how to handle personal data in the EU.
A Commission spokesperson told Euractiv that the EU executive does not intend to reopen the data protection regulation before the next report, scheduled for 2028.
The latest report on the application of the GDPR, published in late July, pointed to enforcement issues.
It is a familiar story: The first report also found enforcement issues, contributing to the Commission’s 2023 proposal for a GDPR Enforcement Procedures Regulation, on which EU legislators have since been working.
Though the report led to no changes to GDPR, the Council and Parliament did adopt positions on the procedural rules, with inter-institutional negotiations expected to begin in the coming months.
The Commission’s decision to prioritise GDPR enforcement was welcomed by left-leaning members of the European Parliament (MEPs), who fear that not doing so could undermine privacy and security standards.
However, MEP Axel Voss (EPP, Germany), rapporteur for the Parliament’s legal affairs committee opinion (JURI) on the AI Act, argued that urgent action is needed, as the rise of artificial intelligence (AI) demands a shift in the spirit of the law.
The Commission and left-leaning MEPs are aligned with tech lobby Digital Europe’s previously stated views on a possible GDPR review.
“We need a discussion on the level of member states and (in Germany) between federal units (Länder) about better and more harmonised implementation of GDPR,” Sergey Lagodinsky (Greens/EFA, Germany), former rapporteur for the GDPR Enforcement Procedures report, told Euractiv.
The AI debate
Implementing the current version of GDPR is particularly important if the EU wishes to ensure its companies have access to high-quality data to train AI models, MEP Birgit Sippel (S&D, Germany), rapporteur for the ePrivacy directive, told Euractiv.
Sippel highlighted as an example racial bias in datasets, which can reduce the effectiveness of an AI model looking for cancerous skin conditions.
On the other side, accessing and processing massive quantities of quality data is key to “non-discriminatory or gender-balanced AI models,” Voss told Euractiv.
In his view, there is a need to review GDPR in order to foster innovation in the current fast-changing digital landscape.
“I would change the whole structure of GDPR […] from ‘everything is forbidden’ to ‘everything is allowed,’ providing that citizens’ privacy is not hindered,” said Voss.
The courts
The lawfulness of using personal data for training AI is currently being challenged in courts, along with complaints to data protection authorities.
There are several legal bases for processing personal data under GDPR. On a practical level, these often come down to legitimate interest, contract performance, or user consent.
Facebook and Instagram’s parent company Meta has lost legal cases over the lawfulness of its processing of EU personal data. The decisions by the Court of Justice of the EU made Meta switch its processing legal basis in November 2023 from a contract performance model to users’ consent.
In addition, the lawfulness of Meta invoking legitimate interest, a term open to varying legal interpretations, to use personal data for AI was contested by digital rights NGO Noyb in June. Meta eventually halted its AI plans in Europe.
The workarounds
Since GDPR was not permissive enough in terms of user data processing, EU legislators had to create “regulatory sandboxes” to allow AI companies to test new ideas on a small scale, under regulatory supervision, said Voss.
This overburdens AI companies and does not allow EU companies to thrive at the required speed to compete on the world stage, he said.
Lagodinsky, however, pointed to new regulations that allow for the use of personal data for AI training while ensuring data privacy, such as the Data Act, which provides a method to anonymise personal data.
According to him, the Data Governance Act establishes a market structure that facilitates the pooling and trading of data. Together, these laws are consistent with GDPR and effective in addressing the challenges posed by the rise of AI, he said.
“In the upcoming years, we should keep the core of GDPR principles through the artificial intelligence wave,” added Lagodinsky, pointing towards privacy and security.
“There are too many forces in the European Parliament and within the Council of the EU, that want to attack privacy requirements, in the name of security, and too many market players that want to lower the level of protection inside the GDPR,” said Lagodinsky.
A person close to the Greens group, who did not wish to be named, stated that reopening GDPR would be used by “far right groups [to] try to misuse the revision to create a lawful legal basis for police services to break into EU citizens’ devices for alleged security reasons.”