Disharmonization with the Implementation of GDPR: Still the EU’s utopian moves

GDPR is regulated based on the EU's human rights approaches to the privacy and rights of its citizens.

The European Union (EU) enacted a set of standards in 2016 to regulate data flow to the blue continent. This configuration, which took effect in May 2018 and is known as the General Data Protection Regulation (GDPR), is already a standard or benchmark for countries worldwide. GDPR applies in the European Union countries and in the European Economic Area, which consists of the EU countries plus Iceland, Liechtenstein and Norway.

GDPR is regulated based on the EU’s human rights approaches to the privacy and rights of its citizens. Despite its transnational nature, owing to its cross-border and inter-country implementation, the EU has still not resolved the issues that revolve around the nascent nature of digital interaction, one of which is convergence.

GDPR, on paper, is known as the toughest data protection law on the planet. Countries worldwide have tried to implement regulations similar to the GDPR after its enactment. China, South Africa, Brazil and Australia are countries that revised, implemented and responded to the new Regulation (Coos, 2021). This is due to the Brussels effect, which makes countries respond to the EU’s new law.

GDPR explicitly states that if a country’s national legislation does not provide personal data protection equal to or higher than GDPR, the EU, through its European Data Protection Board, could decide to hinder any data flow from the EU to that country. Such a move could have a major business impact on the country or countries cut off from EU data flows (ICO, n.d.).

What if a country does not have a data protection law as adequate as GDPR? The EU, through its Commission, offers alternatives that provide additional, contractual protection: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and additional safeguards that operate as a bilateral agreement between the EU and the country or countries involved. The provisions require a legally binding pledge to be complied with, but they can also be used voluntarily to demonstrate compliance with data protection regulations.

Adoption of SCCs by the European Commission covers two areas: (1) controller-processor relationships and (2) personal data transfers to non-EEA nations. Regarding future intra-group transfers, the benefit of BCRs over Standard Contractual Clauses is that, once approved by the Data Protection Authorities, such transfers can occur anywhere in the world without further documentation (Deloitte, n.d.).

The EU GDPR has been called the gold standard of data protection regulation because it contains key points that serve as a reference for similar regulations. Three key points are that it gives legitimacy to class actions, imposes hefty fines, and has broad international reach. GDPR allows consumers across the EU to request assistance from a competent NGO in their personal data litigation. In this way, GDPR accommodates class actions by people with the same interests.

Hefty fines and other legitimated rulings are available, with fines of as much as EUR 20 million or 4% of annual global income, whichever is higher (Consumer International, n.d.). The international reach, as explained above, forces nations to deal with the new GDPR either by concluding their own new data protection regulation or by making a binding agreement through SCCs or BCRs with the EU.

Apart from that, GDPR could be a benchmark for any nation before it implements similar data governance measures. This is ultimately because GDPR covers, and distinguishes in a rigid definition between, the data controller and the data processor. The methods and purposes for which personal data is processed are decided by the data controller, while the data processor processes data on the controller’s behalf. Any action (or combination of actions) taken concerning personal data is referred to as processing (including but not limited to collection, structuring, storage, use, or disclosure).

Typically, the data processor is an outside party that works with the business. Nonetheless, within a group of undertakings, one undertaking can serve as the processor for another. This reflects the value-chain concept in the digital ecosystem, where most companies use agencies or business-process outsourcing to operate. Furthermore, every action in the data life cycle is also defined as data processing under GDPR.

Despite its promising scope and granularity, the enforcement of GDPR is still far from ideal, as is the question of how the EU as one single community should respond, especially in transnational cases. GDPR has defined the enforcement mechanism for transnational settings through the One Stop Shop (OSS) mechanism. This means that if your company processes data across national borders, in order to comply with the GDPR you will mainly need to cooperate with the supervisory body situated in the same Member State as your primary establishment, which is often your EU headquarters. For all issues pertaining to privacy, this enforcement body will serve as your “lead supervisory authority” (Deloitte, n.d.).

These processes seem, on paper, to adequately depict the complexity of the EU legal order, which is dependent upon a multitude of actors at various levels of governance. However, this is where the problem begins. Procedural uncertainties and divergences in the cooperation method and the preponderance of national, rather than European, interests and regulatory approaches in the transnational GDPR enforcement are the two main areas for improvement in the GDPR implementation. These limitations impede the efficiency of the fundamental rights safeguarded by the EU data protection law.

Under the dispute settlement procedures designed by GDPR, complainants have the discretion to lodge their case with a DPA (Data Protection Agency), named in legal terms a Supervisory Authority (SA). That SA is given a mandate to coordinate, supervise and manage the case with the other SAs, which makes it the Lead Supervisory Authority (LSA). The LSA has a responsibility to issue collective decisions resulting from shared points of view with the other SAs. If it fails, GDPR mandates this role to the EDPB (European Data Protection Board), which consists of DPAs and the heads of each state in the EU. The EDPB is responsible for interpreting decisions under GDPR and making binding decisions, including corrective measures such as financial fines, processing prohibitions, and warnings.

The procedural gap begins with determining which LSA should act on a complaint (lodged, in this case, by individuals or companies). Businesses may declare their principal location as long as they meet specific requirements. Therefore, how the DPAs evaluate the validity of companies’ designations against these standards needs to be clarified. As such, questions have been raised about whether businesses will be able to forum shop and select flagship locations in nations that best suit their business and legal needs.

Although the creation of the EDPB and the one-stop shop has addressed the problem of identifying the LSA, it highlights a more serious problem of poor communication and misunderstanding amongst DPAs over the proper application of the law. Several DPAs have voiced concerns about how adequate the existing communication infrastructure is. Furthermore, local authorities use no standard method to interpret and implement the GDPR. Member states take distinct tacks, implementing varying degrees of specification and protection.

Further obstacles to guaranteeing the GDPR’s uniform implementation are the absence of clear rules and inadequate intraregional communication. Local regulations combined with GDPR have resulted in “a degree of fragmentation and diverging approaches,” both in terms of substance and procedure. The European Commission reported in February 2020 that no joint operation procedure had been initiated (Lin, 2024). Two years later, the EDPB noted that the underuse of cooperative tools remained a problem. In this sense, we perceive that the EU is approaching ASEAN-like decision-making, where there is no uniformity despite strong regionalism, especially within these digital realms.

Additionally, in the ever-changing landscape of the digital sphere, the author considers that all nations should agree on one protocol regarding the digital configuration, especially cross-border data flow. This could be treated like the establishment of the Westphalia agreements as the founding agreements of what nations look like nowadays. With all the subsequent protocols that came after Westphalia, such as the Vienna Convention, nations could agree on procedures for treating the exchange of information in the digital world. This could, in turn, minimize the siloed procedures seen among DPAs in the EU, where the EU and its human-rights approaches are single-handedly trying to give a sense of extraterritoriality. It raises the question: is a new UN agency needed to harmonize and derive the convention and treatment of cross-border data flow?

Muwalliha Syahdani
Master Student at International Relations Department, Universitas Gadjah Mada. His study concentrates on: Science, Technology and Art in International Relations (STAIR) and Southeast Asia dynamics.