Almost 10 years later, the GDPR requires notification of data breaches within just 72 hours

The transparency and the security of personal data improved

April 16, 2026, 08:27

The General Data Protection Regulation is almost a decade old: it was approved by the European Parliament on April 14, 2016. Its record is marked by greater citizen control over personal information, a tougher sanctioning framework, and new challenges arising from its coexistence with other digital rules of the European Union.

The European rule reinforced the transparency and security of personal data and consolidated tools that are now part of the daily life of companies, administrations and users. Among them are the right to be forgotten, which allows a person to request the deletion of their personal information from the Internet, and the right not to be subject to decisions based solely on automated processing of their data.

"The transparency and security of personal data improved and granted greater control to citizens over their own data" - Andrea López Francos, director of Corporate Legal Counsel of ARAG

More obligations for companies and more control capacity for citizens

The GDPR introduced specific obligations for companies and entities that handle personal information. Companies must keep an internal record of processing activities and, when an incident occurs, security breaches must be notified within 72 hours. The regulation also established the role of the Data Protection Officer, which has become a central element in supervising compliance.

Along with this, the regulation tightened the sanctioning regime by raising the amounts of the fines for non-compliance. That reinforcement has been one of the most significant elements of the regulatory change driven by Brussels.

A model with influence outside the European Union

The impact of the regulation has not been confined to the European Union. The European rule has served as a reference for laws approved in Brazil, Chile, Peru and some states of the United States, which consolidates its standing as an international benchmark for privacy and data protection.

Differences in application persist between countries

Despite that harmonizing objective, the practical application of the GDPR continues to generate friction within the European Union itself. Andrea López Francos warns of uneven interpretation and application by the national supervisory authorities, a situation that undermines the uniformity the European text sought.

"The distinct interpretation and application of the provisions of the GDPR by the national supervisory agencies of the Member States despite one of the main objectives of the GDPR being to harmonize the European legal framework on personal data protection" - Andrea López Francos, Corporate Legal Advisory Director of ARAG

Added to that disparity is the lack of alignment with other recent regulations, such as the Digital Operational Resilience Act, the Digital Services Act, the AI Act and the Data Act. That incomplete fit is creating legal uncertainty in an increasingly broad regulatory environment.

The EU is studying simplifying the framework without lowering guarantees

In that context, the European Commission presented the Digital Omnibus proposal last November, intended to simplify the rules and make them more coherent. The debate, however, revolves around how to tidy up that regulatory framework without weakening the protection of the fundamental rights linked to privacy.

"For that reason, the EU cannot risk that a regulatory simplification, although very necessary, could compromise the legal framework of the guarantees that constitute the basis of the European model of personal data protection" - Andrea A. López Francos

The discussion about the evolution of the GDPR remains open at a time when digitalization is accelerating new uses of data and multiplying legal frameworks. The key, states Andrea A. López Francos, will lie in preserving the balance between regulatory updates and citizens' rights.

"Therefore, any regulatory modification must be accompanied by an adequate balance with the fundamental rights and freedoms of citizens" - Andrea A. López Francos

That balance is, today, the main challenge for a regulation that changed how citizens, companies and institutions relate to personal data and that remains one of the pillars of the European model of digital protection.

About the author
Editorial staff (Redacción)