The author dissects feedback on the European Data Union Strategy.
This article was first published on EU Tech Loop and has been shared on Euronews as part of an agreement with EU Tech Loop.
In response to a European Union call for feedback on data policies, Western Europe led participation and 25 per cent of respondents want the GDPR reviewed.
The European Commission’s DG Connect recently published a summary of the consultation on the European Data Union Strategy, which sought feedback on the interplay between the Open Data Directive (ODD), the Data Act, and the Free Flow of Non-Personal Data.
The summary provides no surprises: although the General Data Protection Regulation (GDPR) was not a main focus, 25 per cent of respondents called for its review.
Also, more Europeans responded to the Call for Evidence than to the Commission’s questionnaire. Lastly, Western European countries have traditionally been more active in consultations than their Eastern or Northern counterparts.
Europeans are more active in providing unique feedback
The European Commission generally consults stakeholders in two ways (aside from ad-hoc Implementation Dialogues, Reality Checks, and more): first, through a Call for Evidence (where stakeholders can submit free-form feedback), and second, through a controlled Public Consultation questionnaire, which is increasingly criticised as one-sided, since opponents of the proposed direction have limited space to explain their views.
We are ready to correct ourselves if we're wrong, but this critique helps explain why participation differed between the two in this particular case: 247 organisations and individuals responded to the Call for Evidence, while only 171 completed the Commission’s questionnaire.
The Commission traditionally doesn’t publish a thorough summary for Europeans' unique feedback, raising doubts about whether that input is considered at all.
Central and Eastern Europe is traditionally passive
Of the 171 respondents to the Commission’s questionnaire, 49.12 per cent came from Western Europe (Germany at 19.88 per cent, Belgium at 19.88 per cent – note that many associations have headquarters in Brussels – and France at 9.36 per cent).
Southern European responses accounted for 12.23 per cent (Italy at 4.09 per cent, Spain at 4.09 per cent, Greece at 2.34 per cent, and Portugal 1.71 per cent).
Nordic countries contributed 9.93 per cent (Sweden at 5.26 per cent, Finland at 2.92 per cent, and Denmark at 1.75 per cent).
Central and Eastern Europe remained passive: organisations from 11 Central and Eastern Europe member states made up just 8.16 per cent of responses (Romania at 1.75 per cent, Hungary at 1.75 per cent, Estonia at 1.75 per cent, Czechia at 1.17 per cent, Slovenia at 0.58 per cent, Poland at 0.58 per cent, and Lithuania at 0.58 per cent).
No responses were received from Bulgaria, Slovakia, Latvia, Croatia, Malta, Cyprus, or Luxembourg.
What about the GDPR?
Although the GDPR was not the focus of the consultation or Call for Evidence (and we believe that if it had been, far more respondents would have called for a review), stakeholders still cited the GDPR as a stumbling block for the EU’s data economy.
Put simply: if European companies cannot access non-vulnerable data because it is classified as “personal” and member states are not proactive in granting legal exemptions for certain data types, then changes to the Open Data Directive or the Data Act will not help.
Despite no focus on the GDPR in the consultation’s supporting documents, the European Commission’s report states that 27 per cent of respondents still believe the GDPR should be included in data-legislation consolidation efforts.
Additionally, many stakeholders believe the ePrivacy framework is outdated and call for alignment with the GDPR.
The report read: “Moreover, 27 per cent want to include the GDPR in the consolidation efforts. ... Many stakeholders believe the ePrivacy framework is outdated or call for an alignment with the GDPR”.
Respondents also highlighted persistent data issues: fragmented enforcement, one-sided interpretations by local data protection authorities, and the GDPR’s “kiss of death” effect through an overly broad reading of what constitutes “personal data”.
It said: "Among respondents who give more detail to their answers, the majority reports that the inconsistent enforcement and one-sided interpretation of regulations by data protection authorities is a significant issue. Key areas for clarification include the interplay of the GDPR with the Data Act and the AI Act, and the interpretation of ‘personal data,’ especially in the context of IoT” or internet of things.
Of the 136 stakeholders who believe the EU should review current legal regimes, 25 per cent identified the GDPR as needing the most urgent action, while other regimes drew far less support.
It said: “Most of the 136 responding stakeholders think the EU should re-examine legal regimes to facilitate data usage for AI training (yes: 70 per cent; no: 30 per cent). Of those saying ‘yes,’ 34 respondents identify the GDPR, 15 the Copyright Directive, 12 the AI Act, 9 the Data Act and 4 the ePrivacy Directive as the main legal regimes to be re-examined. The majority reports the need to strike a balance between protecting personal data and enabling the use of data for AI”.
Lastly, respondents (using the Commission’s own language) “repeatedly” highlighted the need to simplify GDPR compliance.
While that’s important, we believe that the broader tasks shouldn’t be forgotten: reviewing the GDPR itself, clarifying what counts as “personal data,” and assessing how member states apply the rules (and how active they are in creating exemptions).