The GDPR review to be discussed by Justice Ministers

The Danish Presidency of the Council of the EU is hosting an Informal Meeting of Justice and Home Affairs Ministers in Copenhagen on Tuesday and Wednesday this week. Among many other things, Justice Ministers will also discuss the upcoming review of the General Data Protection Regulation (GDPR). 

According to the Presidency’s website, this initiative is part of the Danish Presidency’s priorities, aimed at supporting Europe’s competitiveness ambitions:

“On 23 July, the Danish Minister for Justice will host a discussion on the European agenda to simplify and modernize the EU’s regulatory landscape, especially in regards to GDPR. The topic has been put on the agenda as part of the Danish Presidency’s priority of supporting the efforts to strengthen European competitiveness and growth in light of recent geopolitical development”.

That’s a very welcome initiative, however, it’s important that the competitiveness edge does not stop at cosmetic (and very welcome) changes to reporting requirements and obligations. 

Three Danish proposals that matter 

We are yet to see what Ministers of Justice come up with tomorrow, but Covington writes, that a Danish non-paper for the GDPR review, published in early July, includes (among other things), three welcome changes that could potentially ease access to data for European SMEs without reopening the GDPR itself: 

1. Define a minimum threshold for when data subject rights apply (Articles 12-20 GDPR). Ideally, this would give SMEs more flexibility in low-risk or minimal data processing contexts. As we’ve noted previously, many European startups see data subject rights as “too absolute”, which hinders their operations and limits their ability to scale. 
2. Clarify when DPIAs are required and consider exemptions or simplifications for SMEs (Article 35 GDPR). Data Protection Impact Assessments (DPIAs) are required when data processing poses high risk to Europeans’ privacy and rights, but the definition of “high risk” is vague. A more streamlined approach could help by either exempting SMEs in certain cases or at least simplifying the DPIA process for them. 
3. Make the data subject’s right to lodge a complaint with the supervisory authority conditional upon certain criteria (e.g., prior engagement with the data controller) (Article 77 GDPR).  Currently, any individual or company can file a complaint directly with a national data protection authority (DPA) without first contacting the company responsible.The suggested changes could potentially help solve the issues with the companies peacefully, reduce the workload for DPAs and prevent from malicious, ill-intended complaints aimed at harming companies. 

These changes are very welcome, but they don’t address the challenges faced by European hyperscalers with annual revenues exceeding €43–50 million (the threshold above which companies no longer qualify as SMEs in Europe). To build a truly competitive advantage, and fuel the European data economy, more ambitious targets will be needed, but this is a solid starting point.