General Data Protection Regulation: Current Challenges and Future Directions
The paper provides a comprehensive analysis of the General Data Protection Regulation (GDPR), with a focus on transparency, fairness, and security in the processing of personal data. The authors examine the provisions of the GDPR, emphasizing the importance of lawful and transparent processing, purpose limitation, data accuracy, and security measures. They also explore the rights of data subjects, including access, rectification, erasure, and data portability, which enhance individual control over personal data. Cross-border data transfers require compliance with GDPR, necessitating adequate safeguards or reliance on specified exceptions. The authors highlight the pivotal role of supervisory authorities in enforcing GDPR, conducting inspections, initiating proceedings, and imposing fines for non-compliance. Private enforcement mechanisms also empower non-profit organizations. Looking ahead, the authors discuss how GDPR can be adapted to emerging technologies such as artificial intelligence and IoT. They also propose amendments to harmonize enforcement practices across EU member states, which will strengthen data protection mechanisms in the face of technological advancements.
The paper was prepared within the implementation of the project no. 20-27227S “The Advent, Pitfalls and Limits of Digital Sovereignty of the European Union” funded by the Czech Science Foundation (GAČR).
Notes
Article 8 of the Charter of Fundamental Rights of the European Union (CFR) reads:
- 1. Everyone has the right to the protection of personal data concerning him or her.
- 2. Such data must be processed fairly for specified purposes and based on the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data that has been collected concerning him or her, and the right to have it rectified.
- 3. Compliance with these rules shall be subject to control by an independent authority.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016, p. 1–88 (hereinafter—GDPR).
EUROPEAN DATA PROTECTION BOARD (2020). Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Version 1.0. Adopted on 02 September 2020.
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition—2 years of application of the General Data Protection Regulation. Brussels, 24.6.2020. COM(2020) 264 final.
Article 29 Data Protection Working Party, “Opinion 3/2010 on the principle of accountability”, adopted on 13 July 2010. 00062/10/EN WP 173. See also Alhadeff, J. et al. (2012). The accountability principle in data protection regulation: origin, development, and future directions. In D. Guagnin, L. Hempel, C. Ilten a.o. (eds.), Managing Privacy through Accountability, 2012, Palgrave Macmillan, 49–82.
Article 29 Data Protection Working Party, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether the processing is “likely to result in a high risk” for the purposes of Regulation 2016/679” Adopted on 4 April 2017. As last Revised and Adopted on 4 October 2017, WP 248 rev.01.
CNIL. Artificial intelligence: the CNIL opens a consultation on the creation of datasets for AI. https://www.cnil.fr/en/artificial-intelligence-cnil-opens-consultation-creation-datasets-ai.
Proposal for a regulation of the European parliament and of the council laying down harmonized rules on artificial intelligence (artificial intelligence act) and amending certain union legislative acts. COM/2021/206 final (hereinafter—AIA).
The Regulation (EU) 2022/868 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (DGA).
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on harmonized rules on fair access to and use of data (Data Act). COM/2022/68 final.
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679. COM/2023/348 final.
References
- Alhadeff, J., Van Alsenoy, B., & Dumortier, J. (2012). The accountability principle in data protection regulation: Origin, development, and future directions. In D. Guagnin, L. Hempel, & C. Ilten (Eds.), Managing privacy through accountability (pp. 49–82). Palgrave Macmillan.
- Article 29 Data Protection Working Party, “Opinion 3/2010 on the principle of accountability,” adopted on 13 July 2010. 00062/10/EN WP 173.
- Article 29 Data Protection Working Party, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether the processing is “likely to result in a high risk” for the purposes of Regulation 2016/679” Adopted on 4 April 2017. As last Revised and Adopted on 4 October 2017, WP 248 rev.01.
- Bradford, L. R., Aboy, M., & Liddell, K. (2020). International transfers of health data between the EU and USA: A sector-specific approach for the USA to ensure an ‘adequate’ level of protection. Journal of Law and the Biosciences, 7, 1–33. https://doi.org/10.1093/jlb/lsaa055
- Carrière-Swallow, Y., & Haksar, V. (2019). The economics and implications of data: An integrated perspective. In IMF departmental papers/policy papers 2019/013. International Monetary Fund.
- Chen, J., Edwards, L., Urquhart, L., & McAuley, D. (2020). Who is responsible for data processing in smart homes? Reconsidering joint controllership and the household exemption. International Data Privacy Law, 10(4), 279–293. https://doi.org/10.1093/idpl/ipaa011
- COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation. Brussels, 24.6.2020. COM(2020) 264 final.
- Eskens, S. (2020). The personal information sphere: An integral approach to privacy and related information and communication rights. Journal of the Association for Information Science & Technology, Association for Information Science & Technology, 71(9), 1116–1128. https://doi.org/10.1002/asi.24354
- European Commission. (2023). Data protection: Commission adopts new rules to ensure stronger enforcement of the GDPR in cross-border cases. From: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3609
- EUROPEAN DATA PROTECTION BOARD. (2020). Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Version 1.0. Adopted on 02 September 2020.
- Gstrein, O. J., & Zwitter, A. J. (2021). Extraterritorial application of the GDPR: Promoting European values or power? Internet Policy Review, 10(3). https://doi.org/10.14763/2021.3.1576
- Hallinan, D., Bernier, A., Cambon-Thomsen, A., et al. (2021). International transfers of personal data for health research following Schrems II: A problem in need of a solution. European Journal of Human Genetics, 29, 1502–1509. https://doi.org/10.1038/s41431-021-00893-y
- Hamulák, O. (2018). La carta de los derechos fundamentales de la union europea y los derechos sociales. Estudios constitucionales, 16(1), 167–186.
- Hamulak, O., Kocharyan, H., & Kerikmäe, T. (2020). The contemporary issues of post-mortem personal data protection in the EU after GDPR entering into force. Czech Yearbook of Public and Private International Law, 11, 225–238. https://rozkotova.cld.bz/CYIL-vol-11-2020/224/
- Judgment of the Court, 6 November 2003, C-101/01 – Lindqvist.
- Judgment of the Court (Grand Chamber), 7 December 2010, C-585/08 – Pammer a Hotel Alpenhof.
- Judgment of the Court (Fourth Chamber), 11 December 2014, C-212/13 – Ryneš.
- Judgment of the Court (Second Chamber), 19 October 2016, C-582/14 – Patrick Breyer v Bundesrepublik Deutschland.
- Juliussen, B. A., Kozyri, E., Johansen, D., & Rui, J. P. (2023). The third country problem under the GDPR: Enhancing protection of data transfers with technology. International Data Privacy Law, 13(3), 225–243. https://doi.org/10.1093/idpl/ipad013
- Kokott, J., & Sobotta, C. (2013). The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR. International Data Privacy Law, 3(4), 222–228. https://doi.org/10.1093/idpl/ipt017
- Lynskey, O. (2016). The foundations of EU data protection law. Oxford University Press.
- Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on harmonized rules on fair access to and use of data (Data Act). COM/2022/68 final.
- Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679. COM/2023/348 final.
- Proposal for a regulation of the European parliament and of the council laying down harmonized rules on artificial intelligence (artificial intelligence act) and amending certain union legislative acts. COM/2021/206 final (AIA).
- Ramiro Troitiño, D. (2023). EU elections and internet voting (i-voting). In Digital development of the European Union: An interdisciplinary perspective (pp. 319–333). Springer International Publishing.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016, p. 1–88 (GDPR).
- Rosen, J. (2012). The right to be forgotten. Stanford Law Review Online, 64, 88–92. https://review.law.stanford.edu/wp-content/uploads/sites/3/2012/02/64-SLRO-88.pdf
- Sloot, B. V. (2017). Privacy as virtue: Moving beyond the individual in the age of big data (p. 230). Intersentia. https://www.larcier-intersentia.com/en/privacy-virtue-9781780685052.html
- Stehlík, V., & Vardanyan, L. (2020). Schrems II: Will it really increase the level of privacy protection against mass surveillance? Bratislava Law Review, 4(2), 111–128. https://doi.org/10.46282/blr.2020.4.2.215
- Techcrunch. (2020). https://techcrunch.com/2020/09/09/facebook-told-it-may-have-to-suspend-eu-data-transfers-after-schrems-ii-ruling/
- The Regulation (EU) 2022/868 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (DGA).
- Troitiño, D. R. (2022). El futuro digital de la política europea.
- Troitiño, D. R., Kerikmae, T., Barbosa, P. A. R., & Shumilo, O. S. (2020). El libro blanco sobre inteligencia artificial: análisis y comentarios sobre mercado, valores y cooperación europea. In Inteligencia artificial: de la discrepancia regional a las reglas universales: integración de percepciones políticas, económicas y legales (pp. 303–318). Thomson Reuters Aranzadi.
- Van Alsenoy, B. (2012). Allocating responsibility among controllers, processors, and “everything in between”: The definition of actors and roles in directive 95/46/EC. Computer Law and Security Review, 28, 25.
- Vardanyan, L., & Kocharyan, H. (2022). The GDPR and the DGA proposal: Are they in controversial relationship? European Studies, 9(1), 91–109. https://doi.org/10.2478/eustu-2022-0004
- Veale, M., Binns, R., & Ausloos, J. (2018). When data protection by design and data subject rights clash. International Data Privacy Law, 8(2), 105–123. https://doi.org/10.1093/idpl/ipy002
- Wagner, J. (2018). The transfer of personal data to third countries under the GDPR: When does a recipient country provide an adequate level of protection? International Data Privacy Law, 8(4), 318–337. https://doi.org/10.1093/idpl/ipy008
Author information
Authors and Affiliations
- Faculty of Law, Comenius University, Bratislava, Slovakia Matúš Mesarčík
- Faculty of Law, Palacký University, Olomouc, Czech Republic Ondrej Hamuľák
- Matúš Mesarčík