
EC's Second Report on the Application of the General Data Protection Regulation - SRIW's First Sight Analysis


On 25 July 2024, the European Commission (EC) published its second evaluation report on the application of the General Data Protection Regulation (GDPR). Following a first sight analysis, the report gives relevant impetus on pressing aspects of daily GDPR operations, from the perspective of authorities, businesses and data subjects. At the same time, opportunities remain open because no textual adaptations are foreseen. SRIW and its ecosystem will continue their assessment of the EC report, and publish more detailed analysis and statements as appropriate.

First Findings

Generally, SRIW appreciates the EC's efforts in drafting a thorough report. Future reports may benefit from a closer involvement of stakeholders, a finding that is aligned with the EC's suggestion towards supervisory authorities and the EDPB. A continuous and open exchange will benefit any party and should be good practice at any level of regulatory activity.

The report acknowledges unnecessary burdens in practice because of an inconsistent interpretation by supervisory authorities.

Additionally, the report encourages supervisory authorities to emphasize a balancing of different interests. The report stresses that data subjects' rights and interests are important, while in a diverse, innovative society those rights and interests are not absolute, but exist within a complex interplay of rights and interests of various stakeholders.

This culminates in repeated support for, and highlighting of, the positive potential GDPR offers once one of its key principles, the risk-based approach, is recognised more consistently and effectively.

In respect of codes of conduct, the report highlights that processes must be streamlined and harmonized across Europe. This finding is strongly supported by SRIW. Practical experience has proven that successful and operational Codes of Conduct often suffer from unnecessarily burdensome procedures, inconsistent interpretations and other non-material aspects. The recommendation towards the EDPB to increase stakeholder dialogue in this respect is highly appreciated, because joint forces between Code Owners, Monitoring Bodies and the EDPB can positively effectuate this tool, and improve GDPR's implementation more dynamically and effectively.

Conclusion

The findings of inconsistent interpretations, the emphasis on a stronger implementation of the risk-based approach, including the resulting privileges in respect of formal obligations, and the conclusion that Codes of Conduct may contribute positively to GDPR's implementation reflect a missed opportunity. Minimal adaptations would have been suitable to reflect the growing criticism of the one-size-fits-all approach, without effectively lowering the level of data protection. Especially for SMEs, academia and non-profits, formalities appear disproportionate to the associated risks and to their effective increase of protection. A practical clarification reducing the formal burdens and facilitating focus on material, effective measures by good practices would have been an easy win. Codes of conduct would have been a perfect solution to bring such an approach to life.

Unfortunately, the EC sees no conflicts arising from the multitude of recent European legislation. Practitioners' views are different, because in most cases the regulator missed its chance to actively ensure alignment. Instead, GDPR remains untouched, including its partially overly conservative interpretation, which eventually conflicts with principles and expectations expressed by recent European legislation, e.g. the AI Act.

SRIW and its ecosystem will analyse the report in more detail, including references to its previous statements and, where needed, including additional notions, each in the spirit of facilitating the needs of an innovative society which duly respects every individual stakeholder's rights and freedom.
