A major digital rights NGO found serious differences between the EU Commission’s proposed changes to the bloc’s landmark General Data Protection Regulation and what data professionals in the field really want altered.
A new survey from experts at a leading digital rights NGO has found big gaps between the EU Commission’s proposed changes to its flagship data protection law and what professionals in the field want to see fixed.
The report from digital rights NGO noyb, published Thursday (5 March), asked 500 data protection officers and professionals working on the bloc’s General Data Protection Regulation (GDPR) about compliance: which parts of the law affect their workload the most, what aspects of the law they see as most important for data protection, and what could be updated.
Max Schrems, chairperson of noyb and privacy activist, pointed out there was “an enormous gap between the needs of real people working on compliance every day, and the problems pushed by the ‘Brussels lobby bubble’.”
The commission has already proposed changes to multiple aspects of the GDPR in its so-called “digital omnibus” — a bundle of laws intended to reduce the regulatory burden and workload for European businesses.
The proposal has been scrutinised by civil society and the EU’s data protection board for potentially reducing protections.
One example of the schism between data professionals and the Brussels executive is the suggested change to people’s ability to ask a company or a “data controller” how their data is being processed (the Right to Access).
The commission is making it easier for controllers to reject requests.
The executive argues for the change because some requests are abusive or excessive, which has caused controllers to “dedicate significant resources to responding to abusive access requests.”
According to the survey, data professionals said these requests rank low in their workload, with over 70 percent reporting they cause “some,” “little,” or “no work,” the lowest survey options.
Additionally, data workers view these requests as a very useful and important tool for data protection.
The report suggests that most controllers actually get few data requests. And those that do, such as large online platforms, typically use automated response mechanisms.
The survey found similar workload discrepancies for proposed changes to the rules for data-breach notification and automated decision-making.
Those working in the field would like to see clear “whitelisted” and “blacklisted” data-processing activities from the commission, similar to the list of illegal uses of AI designated in the AI Act; 79 percent said such lists would save them “a lot of work.”
And the data protectors themselves also call for a tiered regulation system, with reduced burden for smaller businesses, while 70 percent want stricter rules for larger companies.
To establish such tiers, they want clear thresholds based on metrics like “affected people” rather than the number of employees at a company — which is one of the commission’s main business-size metrics.
“By redefining key terms and creating overlapping rules, the proposal makes enforcement harder across authorities and allows companies to switch arguments between legal regimes,” complained the European Digital Rights group (EDRi) back in November, when the changes were proposed by the commission.



