IAF submission to the European Commission’s GDPR review report – more to be done to unlock responsible and accountable innovation

Article 97 of the GDPR requires the European Commission to undertake a review of the legislation every four years. The last report was in 2020, so the process was kicked off with an open consultation, running from January 11 to February 8, 2024.

The IAF recently submitted evidence to the review focused on our mission related to accountability, responsible innovation, risk-based governance, and the importance of knowledge creation to the economy and society. In this blog we discuss the key points from the IAF submission. (These comments were prepared by IAF staff and do not necessarily reflect the views of the IAF Board of Directors, funders, or members of the IAF extended community).

The IAF also submitted evidence to the UK Government’s consultation about GDPR back in 2021.

The GDPR has now been in full force for six years. The IAF recognises the benefits that it has provided for data subjects in terms of greater awareness and engagement with their rights, and the improvements that many organisations have made to data governance. While there is still distance to be travelled in raising the strategic positioning of data governance, there is now better awareness at board level of the importance of governing risks related to personal data.

In some organisations GDPR has played a role in driving investment into privacy management programmes and organisation-wide data governance strategies. These strategies enable long-term benefits in developing a culture of data stewardship and accountability, and greater trust in data use.

The key challenge is to effectively realise the potential of the GDPR as a risk-based system of regulation. This will require an effective balance between data protection and the other fundamental rights in the EU Charter.

How the GDPR can enable responsible innovation in knowledge discovery and creation

The IAF’s submission sets out the challenge the GDPR poses for knowledge creation and discovery. A longstanding policy approach from the IAF has been to highlight the importance of understanding the difference between ‘thinking with data’ and ‘acting with data.’ The knowledge creation and discovery process lies at the heart of the former, and the context of risk for data subjects is fundamentally different at that stage compared to the application stage. A risk-based approach to GDPR application should enable organisations to distinguish between the two concepts and apply safeguards at each stage proportionate to the risk. The IAF undertook the project Making Data Driven Innovation Work (2023) to understand how organisations discover and create new knowledge.

The broad approach to defining personal data under GDPR, combined with a lack of clarity and harmonisation over the definition of scientific research, the approach to compatibility, lawful bases and exceptions, creates an overall effect of caution in using personal data in knowledge creation and discovery.

Although the GDPR adopts a “broad” definition of scientific research in recital 159, encompassing the activities of public and private entities, this intent has not been applied in practice in member state laws and Data Protection Authority (DPA) guidelines. The focus has generally been on public sector research in tightly drawn scenarios.

The IAF therefore believes that more could be done to clarify the position of scientific research on the face of GDPR, including more explicit recognition of the activity in the commercial sector. Additional statutory language should be included alongside further references that translate knowledge creation and discovery into practical business activities, drawing on provisions already in use in other jurisdictions, such as US State laws (e.g. the Colorado Privacy Act) and Canada (Consumer Privacy Protection Act). We also note that the EU AI Act does not apply to scientific research and product-oriented research, possibly creating inconsistency in the approach to scientific research between the Act and the GDPR (see recital 12c and Articles 5a and 5b of the current text).

We have made some specific recommendations: scientific research and the business activities that make up knowledge creation and discovery should be recognised as specific lawful bases in Article 6, subject to necessity and proportionality considerations. A new condition for using special categories of data should also be created in Article 9.

Our submission also highlights the inconsistencies in approach to the question of anonymised data. The situation is challenging when DPAs often promote an approach to anonymisation that insists on elimination of all risks of identification, rather than applying the test of ‘reasonably likely’. Further clarity would also create greater incentives for the use of privacy enhancing technologies (PETs).

The IAF also proposes that the GDPR be amended so that the business activities that are part of knowledge creation and discovery join scientific research as a compatible purpose under Article 5. This is relevant given that such activities can often use pseudonymised and anonymised data.

Legitimate interests, accountability and responsible innovation

The IAF submission also notes the importance of legitimate interests as a lawful basis in Article 6 GDPR and the need for further guidance to ensure that organisations have confidence about how and when to apply the provision. Again, the context of knowledge discovery and creation has uncertainty. We also highlight the value of legitimate interests and how they can be linked to wider accountability programmes to ensure that the provision operates as an effective lawful basis. A multi-dimensional approach to proportionality can also ensure that data protection rights are assessed in balance with other rights in the EU Charter, ensuring there is a fairer reflection of the role of data across the economy and society.

We have therefore proposed that the DPAs and the European Data Protection Board invest more resources into guidance and tools to support effective use of legitimate interests. They should do this in the context of wider guidance on accountability and data protection assessments. It is also important that EDPB guidance is issued on the question of how legitimate interests intersect with commercial interests once the Court of Justice has ruled in the case of Koninklijke Nederlandse Lawn Tennisbond.

The intersection between Artificial Intelligence (AI) and GDPR

The IAF previously submitted comments on the Commission’s proposed AI Act. We noted the value in the two-step approach used by the legislation, between AI developers and AI users. Such an approach fits with the two-step risk-based approach for GDPR advocated by the IAF: thinking with data (knowledge creation) and acting with data (knowledge application).

Our GDPR submission highlighted the following key issues related to GDPR and AI:

  • The need for greater clarity about the use of personal data in AI training, to guard against bias and ensure diversity, noting the recognition that is granted in the AI Act.
  • The need for clarification on the application of legitimate interests to AI data training.
  • The importance of enabling organisations to effectively conduct joined-up risk assessments related to AI, including new guidance on adverse processing impact and on how legitimate interests assessments, DPIAs and fundamental rights impact assessments should work together.
  • In light of the Schufa CJEU judgment, the IAF proposes that Article 22 should be revised to describe more clearly profiling and automated decision-making, and the difference in impact between the two.
  • The European Commission should take steps to enable joined-up regulation between the data protection authorities, the AI Office and other EU regulators. We encourage the EU to look at the approaches to joined-up digital regulation in the UK, Australia and Canada.

International Data Transfers

Since the Schrems II CJEU judgment in 2020, international data transfers have become an area of significant uncertainty for organisations. For many, the costs of compliance, particularly undertaking transfer impact assessments, have often become disproportionate to the risks posed. This has also had the effect of diverting resources away from data governance programmes in other areas of risk, such as AI.

The IAF therefore highlights the importance of applying the risk-based approach of the GDPR to international data transfers, which is in keeping with the intention of the legislation.

As part of the risk-based approach, we also highlight the importance of accountability to international data transfers and how this should become part of the toolbox. The submission stresses the importance of accountability to questions of government access and how the EU should build on the foundation established by the OECD Declaration on Government Access to Data.

The approach of Data Protection Authorities to GDPR implementation

Finally, the IAF flags the key role that DPAs play in GDPR implementation and in addressing a number of the issues raised in the response. We advocate for DPAs to take greater steps toward collaboration and consultation with stakeholders. Key challenges related to consistency are also highlighted, including guidance on legitimate interests. The IAF calls for DPAs to place a greater emphasis on risk, harm and outcomes in developing their regulatory strategies. The development of public-facing strategies, drawing on consultation, is also an important step that some DPAs need to take. These strategic steps become ever more important in the context of AI regulation.

We have therefore proposed that Article 59 of the GDPR be amended to require DPAs to produce strategies that cover a three-year period, alongside a more detailed annual workplan to deliver the strategies. The strategies should also contain key performance indicators that are then reported on in their annual reports.

Next steps

We now await the report of the European Commission later in 2024. It is unclear whether the GDPR text will be reopened. Some of the IAF recommendations would require amendment of the GDPR but many could also be addressed in new or updated guidance from DPAs or the European Data Protection Board. The IAF looks forward to engaging with stakeholders about these issues over the coming years.