Review of the General Data Protection Regulation (GDPR)

KEY MESSAGES

1. Revising the GDPR after only 2 years of application is premature as its impact is still being fully understood.
2. National Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB) should cooperate to ensure consistent decision-making truly enable a single set of European data protection rules.
3. Member States should reduce or refrain from utilising opening clauses that diverge from achieving harmonisation.
4. As innovation should be permitted to thrive under the GDPR, a closer Commission review on the extent of its impact on use of certain technologies and tech-neutrality should take place.
5. The Commission should carry out public consultations to introduce various standard contractual clauses on a number of issues businesses, particularly SMEs find difficult to apply.
6. DPAs should ensure flexible application of all legal data processing methods in any situation and not edge towards prioritising one method in practice.
7. The Commission, Parliament and Council should achieve its intentions of fully aligning ePrivacy with the GDPR otherwise creation of an overlapping and contradicting track of privacy law will throw the GDPR application into contention along with its global influence.
8. The EDPB should offer guidance on the use of grace periods in the event of termination of existing international data flow tools (eg. adequacy or standard contractual clauses).