If it ain’t broke, don’t fix it? Ten improvements for the upcoming tenth anniversary of the General Data Protection Regulation

Abstract

As the General Data Protection Regulation (GDPR) approaches its tenth anniversary, the European legislator is considering reforms thereto. This article offers a set of research-based suggestions for how such reforms could look like, based on two assumptions. First, that the GDPR is overall a solid piece of legislation that upholds the enduring objectives and principles of data protection law. Second, that any improvement cannot compromise the level of protection of fundamental rights currently offered. To this end, ten scholars from across Europe were invited to choose a provision of the GDPR and write about what works well, what does not, and why, as well as to suggest a solution for a concrete amendment of the text. The resulting wish-list discussing ten provisions (i.e., those concerning conditions for consent, children’s consent, automated decision-making, data protection by design, data security, data protection impact assessment, prior consultation, derogations for data transfers, dispute resolution by the European Data Protection Board, representation of data subjects and processing for scientific purposes) is necessarily random and far from exhaustive. However, it lays the groundwork for a constructive debate, and we invite others to build on the list with their own proposals