Schrems II Re-Examined
The Court of Justice of the EU’s judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”; case C-311/18) of 16 July has already received significant attention. Now that the dust has somewhat settled, however, it deserves re-examination in light of its significant implications for the regulation of international data transfers under the EU General Data Protection Regulation (“GDPR”). In this contribution I will explore four important issues that Schrems II raises under the GDPR, namely (1) that the judgment makes significant changes to some long-held assumptions about how data transfers are regulated under the GDPR; (2) that the Court’s approach to the use of the Commission-approved standard contractual clauses (SCCs) for the transfer of personal data is somewhat tautological; (3) that the Court may not have put data transfers to the US in as much immediate danger as many commentators seem to assume; and (4) that the judgment may weaken the attractiveness of the GDPR as a model for other countries to adopt.
The GDPR’s framework for data transfers
In Schrems II the Court seemed to ignore the hierarchical structure of data transfer mechanisms on which Chapter V GDPR is based, and thus to throw in question long-established assumptions about the relationship between them.
The data protection authorities (DPAs) have traditionally required that the data exporter first consider whether the third country provides an adequate level of protection under Article 45 GDPR (i.e., whether an adequacy decision has been issued for the country of transfer), and then provide adequate safeguards under Article 46 if an adequacy decision is not available (see Guidelines 2/2018 of the European Data Protection Board (EDPB), pp. 3-4). This puts adequacy decisions at the top of the hierarchy, with appropriate safeguards being available if one cannot be used. The hierarchical relationship between the two follows both from the language of Article 46(1) GDPR, and from the fact that an adequacy decision is based on a deeper and broader investigation of a third country’s entire legal system than is possible for parties using adequate safeguards for individual data transfers.
However, in Schrems II the Court held not only that the standard of “essential equivalence” with EU law applies to adequate safeguards such as the SCCs (para. 96), but that the criteria for assessing adequacy contained in Article 45(2) do as well (para. 104). The Court thus abandoned the hierarchy between these two data transfer mechanisms, despite the express language of the GDPR and the long-standing practice of the DPAs. One could even ask what point there is of the Commission assessing third countries for adequacy if appropriate safeguards based on the same standards are available, in light of the fact that they can be implemented much more quickly than an adequacy decision can be approved.
In the hierarchy of data protection mechanisms, the derogations under Article 49 GDPR rank at the bottom, since they are not designed to provide protection and are to be used only when an adequacy decision or appropriate safeguards are not available (Article 49(1)). The Court makes a cryptic reference to the derogations in para. 202, stating that “in view of Article 49”, invalidation of the Commission’s decision approving the Privacy Shield as adequate does not create a legal vacuum. This seems to imply that use of the derogations can help compensate for invalidation of the Privacy Shield. However, both the wording of Article 49 and the position of the EDPB (EDPB Guidelines 2/2018, p. 4) make it clear that the derogations are to be strictly interpreted, as follows from the Court’s own holdings that derogations from fundamental rights are to be used only when strictly necessary (see Case C-362/14 Schrems, para. 92). Thus, the derogations cannot fill the gap created by invalidation of the Privacy Shield, except in a few limited cases.
The Court and the standard contractual clauses
Prior to Schrems II there was much anxiety about whether the Court would invalidate the SCCs on the basis that they are concluded between parties transferring personal data and cannot bind third country authorities. The Court upheld use of the SCCs approved in Commission Decision 2010/87/EU and amended in Commission Implementing Decision 2016/2297, finding that the protections they provide rest not on the legal system of the third country of transfer (as with an adequacy decision), but on protections that the parties transferring the data provide to ensure an adequate level of protection (para. 131), which may include supplementary measures such as “other clauses or additional safeguards” (para. 132). However, the Court’s reasoning here seems tautological, i.e., it held that while contractual clauses cannot bind third country authorities, this can be remedied through safeguards including additional clauses (para. 132).
A more convincing argument for upholding the SCCs is the Court’s positive evaluation of the various provisions in them that allow transfers to be suspended or prohibited when the clauses are breached or it becomes impossible to honour them (paras. 137-148), and the emphasis it puts on them providing “effective mechanisms” (para. 147). Having helped negotiate the 2010 SCCs with the Commission on behalf of the International Chamber of Commerce (see FN 4 to Recital 7 of Commission Decision 2010/87/EU), I am pleased that the Court upheld the protections they contain; indeed, to my knowledge this is the only time the Court has given a positive endorsement to any data transfer mechanism.
The Court did not specify the content of other clauses or additional safeguards that parties may use with the SCCs, but, as discussed above, they will have to take into account the conditions for adequacy contained in Article 45(2)(a). Placing evaluation of criteria for adequacy in the hands of parties that carry out data transfers may lead to legal uncertainty, as the Court recognized (para. 147). The EDPB has stated that it will provide further guidance in this regard (EDPB FAQs of 23 July 2020, p. 5), but settling disputes under Article 65 GDPR between the DPAs on the types of safeguards to be used could require the EDPB to opine on issues that could be politically explosive, such as whether particular third countries abide by the rule of law or respect fundamental rights.
It is important to note that the Court does not require that additional safeguards provide a 100% guarantee that access to data by third parties can never occur, but rather that they constitute “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law…” (para. 137). Thus, they should be evaluated under a standard of proportionality, not of perfection. A few examples of clauses and safeguards could include the following:
- Legal measures: The parties to the transfer could agree on enhanced legal guarantees that build on those in the SCCs but provide stricter conditions for suspending data flows and deleting data in cases of unauthorized government access, as well as stricter penalties for breaches of their obligations.
- Technical measures: Strong encryption could be used to make it nearly impossible for unauthorized actors to read the data.
- Organisational measures: Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.
Data transfers to the US
Since the judgment was announced, there have been apocalyptic predictions about how it may mean the end of data transfers to the US. However, the reality will probably be less dramatic. While numerous complaints have already been filed (including by noyb, the NGO headed by Schrems), the wheels of data protection enforcement turn slowly, in particular since pan-European complaints (i.e., those that involve data transfers from multiple Member States) have to go through the EDPB, which has become infamous for delays. The DPAs also tend to be careful not to issue high-profile penalties before being completely sure that they have a strong legal case. This means that data will likely continue to flow over the Atlantic for some time before the GDPR enforcement machinery really starts to bite.
Two of the main issues the Court focused on in invalidating the Privacy Shield were the Ombudsman mechanism and data access by US authorities. The issues surrounding the Ombudsman may be the easier of the two to deal with in a legal sense (assuming the political will to do so in the US), and a thoughtful proposal in this regard has been made by Ken Propp and Peter Swire.
The issue of government data access is more difficult, as it will require strict adherence to the proportionality criteria that the Court set out (see para. 176 et seq). In this regard, a close examination of the Court’s Opinion 1/15, where it invalidated a proposed international agreement with Canada because of data protection concerns, could provide a useful starting point. Further guidance from the Court may be forthcoming soon in joined cases C-623/17, C-511/18, C-512/18 and C-520/18, which involve a challenge to data collection for national security and counter-terrorism purposes in various Member States plus the UK. If, as can probably be expected, the judgments in these cases result in the Court restricting data processing for these purposes, it may help identify measures that could put EU-US data flows on a firmer legal footing.
With the Court taking such a strict position in Schrems II, any hope of a stable and viable accommodation for data transfers between the EU and the US can only be based on changes to US law. This will depend on political factors that are impossible to predict, and in particular on the results of the forthcoming US elections.
Implications for the global reach of the GDPR
The EU has positioned the GDPR as the global reference point for data protection and privacy (see, for example, the joint statement in May 2020 by Commissioners Jourová and Reynders). Numerous countries have sought EU adequacy decisions or adopted data protection legislation based on the EU model, and the GDPR has been a success story in this regard.
Promoting the GDPR in other regions with different legal and cultural traditions requires the EU to walk a fine line: the standard of protection should be high in order to make it a desirable model, but it must be set at a level that is possible for third countries to attain. Striking the right balance is made more difficult by the apparent tension between the Court, which has tightened the legal standards for data transfers in recent years, and the Commission, which almost seemed to welcome the invalidation of the Privacy Shield as an opportunity to negotiate yet another data transfer agreement with the US (see the statement of Commissioner Reynders following the judgment).
However, the judgment may cause some third countries to question whether it is worthwhile to strive to reach the EU’s data protection standards and to engage in protracted negotiations only to have the agreement, or the adequacy decision based on it, invalidated later on. Having now ensured that data transfers must meet a high standard, the EU should also take care not to set the bar too high, or it may make the GDPR a less attractive model for third countries.
As always a great in-depth and thoughtful commentary by Christoph. I am not sure about the final findings though. It is worth reading the Safe Harbour and the Privacy Shield discussions in full length. They are the most unusual types of decisions – essentially a collection of letters and assurances sometimes of questionable legal value. One of the documents contained in the lengthy Privacy Shield decision openly stated that the US government was undertaking mass surveillance of whole regions of the world. So, the question in my view is less of ‘unattainable levels’ but a question of quality of decision-making by the Commission. The Commission can and must do better. The Court fortunately held the Commission to account, after in Court it had an emperor without clothes moment when explaining its approach and the protections offered to EU data.
Excellent dissection and analysis of Schrems II. However, the dust has yet to settle. Believing that the ultimate solution to the present/coming impasse between the EU and the US lies with the US changing its law is mistaken. (And thinking this might have anything to do with an election in November 2020 is to have a TV and social media understanding of the US government.)
The GDPR is a beautiful conceptual creation of how data might be managed to protect individual privacy. It looks wonderful on paper, and as Kuner suggests, it sells/sold well. However, the GDPR is a failure:
1. It is a lie. As Commissioner Vera Jourava said on December 1st, 2016, at the Forum Europe Conference in Brussels: “I call this ‘Kissing the ring of the Digital God.’” Its intent was to placate EU citizens’ concerns, not to resolve them.
2. Its implementation has been horrible. The Commission, the Member States, the EDPB, and the national DPAs have all proven inept and incapable. They have failed to act and, where they have, it has been nearly wholly in the (national) interests of big business.
3. Most importantly, this beautiful invention (the GDPR) is not fit-for-purpose. It has made a mockery of ‘consent’, an otherwise critically important concept in our society. Worse, it simply does not fit the needs of a digital society.
Quoting Commissioner Jourava again from the same meeting: ‘This is business and technology first, and then the law, partly lagging behind.’ Better said, it is the law, however wonderful to behold, completely out of step with reality.
There can be no cosmetic changes to the GDPR that will fix it. Schrems II makes that clear.
Europe will need to re-imagine the legal framework for the increasingly pressing challenge of ‘the absolute state’ vs. ‘absolute individual freedoms’ (again, Commissioner Jourava, same meeting).
The EU will have to change its law, not the US. Not because one is wrong or one is right. Not because one is of a higher moral authority or the other of a lesser. Simply because the GDPR does not work.
Chris Kuner, Verfassungsblog, Schrems II Re-Examined, 25 August 2020:
Below are some comments by me on the above blog. In each case, I first quote Kuner and then provide my comments. The quotes are in the order in which they appear in the blog.
NB: the text below lost some editing and footnotes but may still be useful.
“[T]he Court’s reasoning here seems tautological, i.e., it held that while contractual clauses cannot bind third country authorities this can be remedied through safeguards including additional clauses (para. 132).”
I do not think this is quite correct. The Court does not say inadequacies in third countries’ laws can be remedied by contract – of course they cannot (as the Court makes clear in para. 125 and repeats in para. 131). Rather, the Court suggests that (as you yourself note) private parties can adopt legal, technical and organisational measures to guard against violations of data protection rights by third country agencies (in particular against undue, untargeted access to the data concerned by those countries’ law enforcement and national security agencies).
To me, the most important implication of the judgment is that it is indeed now a legal requirement under EU (Treaty and Charter) law that personal data that are transferred to a third country must be protected against such abuses – and that if they cannot be effectively protected against such abuses, the data should not be transferred. Or to be more precise: if the personal data on EU individuals that are to be transferred to a third country cannot be protected against undue access by the third country’ agencies, the transfer would be in violation of the GDPR, and the data exporter would be liable to administrative fines of up to 4% of the organisation’s gross annual turnover. (There may be doubts about the extent to which the EU supervisory authorities will actually enforce this, or at least about how quick they may start to do this – see below – but the principle seems to me to be clear.)
“[S]ettling disputes under Article 65 GDPR between the DPAs on the types of safeguards to be used could require the EDPB to opine on issues that could be politically explosive, such as whether particular third countries abide by the rule of law or respect fundamental rights.”
Yes, but so what? That is something courts and regulatory bodies do all the time. They should not be scared of “opining on issues that could be politically explosive”, especially not when it comes to protecting EU citizens (and others in the EU) against abuses by third countries that do not “abide by the rule of law or respect fundamental rights”. If they are too weak-spined to do that, they should not be in their official roles as guardians of a fundamental right enshrined in the Treaties and the Charter!
“It is important to note that the Court does not require that additional safeguards provide a 100% guarantee that access to data by third parties can never occur, but rather that they constitute “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law…” (para. 137). Thus, they should be evaluated under a standard of proportionality, not of perfection.”
I cannot see any explicit reference in the quote from the judgment to proportionality, unless you read “effective” as “reasonably effective in the circumstances”. But surely that is a stretch. The judgment says, in the very same paragraph, that the “mechanisms” (i.e., the clauses without or with “supplementary measures”) must:
make it possible, in practice, to ensure compliance with the level of protection required by EU law and that transfers of personal data pursuant to the clauses of such a decision are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them. (para. 137, emphasis added)
I can accept that it may not always be possible for any measures to always, 100%, ensure that the risk in question will never materialise. But surely, given the “high risk to the rights and freedoms of natural persons” that can arise from undue access to personal data by agencies of a state that does not “abide by the rule of law or respect fundamental rights”, the bar should be set high.
In my opinion, if in the third country concerned (the one to which personal data are to be exported from the EU) the law allows for access to the imported data (either while in transit, through access to Internet nodes in the third country, or after transit, e.g., through secret back doors to databases or under secret orders) in ways and subject to processes that seriously fail to meet European rule of law (and data protection) standards, then that should be regarded ipso facto as a “high risk to the rights and freedoms” of the data subjects. That in turn means that the proposed transfer – being a form of processing – must be subjected to a data protection impact assessment (Article 35 GDPR). Moreover, if this shows that any measures that may be adopted (such as SCCs by themselves, or SCCs with “supplementary measures”) cannot remove the “high risk”, then the relevant supervisory authority or authorities must be consulted (Article 36). And if those authorities find that a “high risk” does indeed remain and cannot be removed, they should use their powers under Article 58 to suspend or prohibit the transfer (see in particular Article 58(2)(f) and (j)).
“A few examples of clauses and safeguards [that could provide ‘supplementary measures’ to guard against abuse] could include the following:
• Legal measures: The parties to the transfer could agree on enhanced legal guarantees that build on those in the SCCs but provide stricter conditions for suspending data flows and deleting data in cases of unauthorized government access, as well as stricter penalties for breaches of their obligations.
• Technical measures: Strong encryption could be used to make it nearly impossible for unauthorized actors to read the data.
• Organisational measures: Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.”
These are useful, even if for now still limited suggestions – but they still raise issues. Just a few brief comments on each, if I may:
• Legal measures: The Commission SCCs already contain clauses on the following lines:
Obligations of the data importer
The data importer warrants and undertakes that:
It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
A footnote to the clause in the controller-to-processor SCCs (but which presumably can also be read into the other clauses) adds the following clarification:
Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
But of course, in the context of Schrems II, we are talking about “mandatory requirements [in third countries to which data are to be transferred]” which do go “beyond what is necessary in a democratic society”.
In many third countries, there are domestic laws that require a controller or processor in that country to do or not do certain things when the GDPR requires that a controller or processor who is subject to the GDPR does the opposite, e.g., when the law of the third country requires the controller or processor (in the context of data transfers: the data importer) to disclose personal data to a national agency of that country in circumstances that go “beyond what is necessary in a democratic society”, and that prohibit the controller or processor/importer in question from informing the EU-based data exporter – when the GDPR in fact prohibits the disclosure and demands the informing of the EU-based exporter (and through it, the EU Member State’s data protection authority).
In such circumstances, clauses requiring the suspension of data flows and the deletion of data in cases of unauthorized government access are ineffective: the data importer is legally barred from informing the EU data exporter and may also be prohibited from deleting the data (and the data may in any case already – wrongly – be in the hands of the not-rule-of-law-compliant state agencies).
In relation to countries with such rules-of-law-incompatible laws (and there are many), clauses about ex post facto informing the EU data exporter of abuses are useless: the data importer is legally barred from complying with them – or the authorities can gain access to data through back doors without the importer even being able to note this (let alone challenge it). The only solution in such cases is to not transfer the data in the first place.
• Technical measures: “Strong encryption” that would “make it nearly impossible for unauthorized actors to read the data” is indeed a possibly useful “supplementary measure” in relation to data transfers.
However, strong encryption only has limited use, i.e., only in cases in which the data are not decrypted in the third country (or they would again be accessible to the not-rule-of-law-compliant agencies there: see above). So they could work in relation to servers in those countries hosting data that remain under the control of the EU data exporter (e.g., fully highly-encrypted back-up data). But as Max Schrems has pointed out, the encryption would have to go further than is currently usual, to include e-communications metadata such as IP addresses, etc. Moreover, there would always remain a risk, in particular in countries with highly developed surveillance/decryption technologies. In that case, surely the simpler, lesser-risk option would be to move the data to an EU-based server/host?
• Organisational measures: You suggest that “Groups of data exporters and importers (such as in a trade association) could commit to suspend data transfers to countries that do not respect the rule of law, based on internationally-recognized standards (for example, those published by the World Justice Project). This approach is already used in other areas, such as fair labour standards.” Well, yes – in principle that sounds good.
But in practice, the vast majority of countries in the WJP’s “Rule of Law Around the World Index 2020” score abysmally. In the charts, only Australia and New Zealand, Western Europe and North America (USA and Canada) are marked in green, meaning a score over 0.7/1. The Index is also based on much broader issues of good governance and rule of law than those specifically important for data protection and state surveillance/access to personal data. In that respect, the Privacy International State of Surveillance Briefing Guidelines and questions are more directly relevant. PI has produced a series of reports specifically on this issue, based on these guidelines, covering Argentina, Brazil, Chile, Colombia, Egypt, India, Indonesia, Jordan, Kenya, Lebanon, Mexico, Morocco, Pakistan, Paraguay, the Philippines, South Africa, Thailand, and Uganda. We can certainly add the People’s Republic of China and Russia (and quite a few further countries including also the USA) to the list.
The main point to make in this respect is that few countries outside the EU – and indeed many EU Member States – fail to meet the standards set by the Court when it comes to their national security agencies’ powers of access to data (especially data on non-nationals) and lack of effective remedies.
In sum: The suggested measures really have only very limited value.
“Apocalyptic predictions about how [Schrems II] may mean the end of data transfers to the US” are unlikely to come true in practice – because “the [EU] wheels of data protection enforcement turn slowly” and “[t]he DPAs also tend to be careful not to issue high-profile penalties before being completely sure that they have a strong legal case.”
Well, the authorities may be slow and scandalously weak in their enforcement, but (a) they cannot duck their responsibilities under the law (as clarified by the Court) forever – and some may have a firmer spine (and more resources) than others, and (b) as the indomitable Max Schrems has shown, if it comes to it they can be forced (kicking and screaming) to do their job (even if it takes an excessively long time and unacceptably hard work on the part of individuals and NGOs).
“If, as can probably be expected, the judgments in [joined cases C-623/17, C-511/18, C-512/18 and C-520/18] result in the Court restricting data processing for these purposes, it may help identify measures that could put EU-US data flows on a firmer legal footing.”
“With the Court taking such a strict position in Schrems II, any hope of a stable and viable accommodation for data transfers between the EU and the US can only be based on changes to US law.”
I agree that, in the light of Schrems II and earlier judgments, it is likely that the Court will continue to interpret EU law in such a way as to protect the (data protection) rights of individuals in the EU as much as possible against undue, indiscriminate, insufficiently regulated access to their data by national security agencies (be that in the EU – although there the Court is hampered by the indefensible exclusion from EU law including the Treaties and – outrageously – the Charter of Member States’ activities relating to their national security, or outside the Union). And I agree that this situation can only be properly addressed by the transgressors (again, in the EU and beyond) changing their laws and practices to meet globally-recognised rule of law and privacy/data protection standards. But as noted below, that will not be easy to achieve.
“Numerous countries have sought EU adequacy decisions or adopted data protection legislation based on the EU model, and the GDPR has been a success story in this regard.”
“[T]he judgment may cause some third countries to question whether it is worthwhile to strive to reach the EU’s data protection standards and to engage in protracted negotiations only to have the agreement, or the adequacy decision based on it, invalidated later on. Having now ensured that data transfers must meet a high standard, the EU should also take care not to set the bar too high, or it may make the GDPR a less attractive model for third countries.”
There has always been a tension between the EU’s (and in particular the EU Commission’s) desire for “opening up trade” with third countries and to that end facilitating data flows including flows of personal data to third country trading partners, on the one hand, and ensuring full protection of personal data on individuals in the EU in accordance with the Charter on the other hand. The Commission has in the past too often been too ready to declare that third countries provide “adequate” protection, while glossing over manifest inadequacies in the laws and practices of such countries, not least in relation to access to EU data by the law enforcement and national security agencies of the third countries in question.
But if that is what made the EU data protection rules “attractive”, it was a scam: the EU sets high standards on paper, also on paper allows free transfers only to countries that ensure similarly high (“adequate”, now “essentially equivalent”) levels of protection – but then in practice a political body (or at least a not exactly non-political body), the European Commission, can undermine this principled approach by, essentially, pretending that certain third countries provide such levels of protection when in reality they do not – especially when it comes to national security agencies’ access.
If the Court has exposed the inappropriateness of this Commission policy, it should be welcomed!
– o – O – o –
Cambridge, UK, 26 August 2020
An excellent analysis, as always from Chris Kuner – a particularly perceptive commentary about the CJEU blurring the distinction between adequacy and appropriate safeguards and where, conceptually, that leaves the Commission’s powers under Art. 45. Looking at it from the other side, the decision marks a clear shift of responsibility from the Commission to data exporters and importers. Granted that this is an extension of what is already enshrined in model clauses, but it remains a significant and problematic extension. How can small and medium-sized private entities possibly be expected to conduct an analysis akin to the complex adequacy analyses carried out by the Commission over a period of years?
On a different point, I would respectfully take issue with a couple of the learned comments above. Yes, GDPR is an imperfect instrument, like any other piece of legislation of similar dimension and complexity, but it is a huge step forward. There is evidence of it actually having enhanced data protection in practice and of it being enforced by regulators (we have to remember that the larger breaches and penalties can take time to work their way through, especially when tightly-resourced DPAs are face-to-face with multi-billion dollar corporations). But I would agree wholeheartedly that the Irish DPC’s responsiveness and approach has been lamentable, particularly towards Facebook, which has had negative consequences far beyond data protection, and is in sharp contrast to the approach taken in other Member States. Perhaps it is not therefore surprising that the Irish DPC has, for the first time, just triggered the GDPR dispute resolution mechanism. Finally, I would also disagree with the comment above that GDPR makes a mockery of consent. In the world in which we live, informed consent is no longer realistic in most cases, as we have been saying in data privacy circles for nearly two decades. Very few of us read or understand privacy notices or what we are consenting to, especially in the age of AI and algorithms. GDPR recognises that and establishes flexible alternatives that provide a much better guarantee of data protection. The GDPR is a remarkable instrument and has been replicated and lauded around the globe. It can be improved, surely, but claiming that it does not work and should be replaced is not, I believe, a view that would have much support at the current time.
I have a policy not to get into debates online, so I would like just to thank all of you who responded in such detail to my post! I always appreciate and learn a lot from the comments and criticisms of colleagues, and this is no exception. I certainly recognise that some of my points are subject to argument, and may suffer from being set out in the truncated format of a blog post, but my main purpose was to provoke discussion, and I am happy that I seem to have succeeded in that!