Beyond GDPR

Published on 2024-03-22 privacy

When the General Data Protection Regulation (GDPR) came into effect throughout the EU in 2018, it pushed the boundaries of privacy regulation world wide. It enshrined principles such as data minimisation or the right to data portability into law.

In my work I often deal with the GDPR. And while I honestly think it is a great step forward, I also have some grievance. So in this article I am trying to explore what I would like to see in the next iteration of privacy regulation.

Obvious disclaimer: I am not a lawyer and have no clue what I am talking about.

What is personal data?

Art. 4 and Recital 26 define that data is personal data if it can be linked to a natural person. Art. 9 defines what "special categories" of personal data are.

I have several issues with this definition:

I don't have the perfect definition for personal data either. But the GDPR has pushed to envelope once. I wish that it can do it again and introduce an even better model.

Easy to understand

I really like how the GDPR tries to be easy to understand. But I quickly found things I didn't understand or that seemed outright contradictory to me. Let me give you some examples:

For most of my usecases, Art. 6 boils down to: "If you have a contract with someone, you can safely process their data as long as it is required for the contract. For anything else, you need consent that was freely given and can be revoked at any time." Clear guidelines, easy to understand.

Art. 9 explains that actually, there are "special categories" that follow a slightly different set of rules. Basically, a contract is not enough and you always need consent.

It would have been nice if this exception had been mentioned in Art. 6. But there is also a contradiction here, right? How can I "freely give" consent that is required for a contract? Say you are caught in a kafkaesque legal battle and your sleazy lawyer wants to know all of your secrets. Do you really have a choice in that situation? It cannot be required and freely given at the same time, or am I missing something?

Art. 17 defines the right to be forgotten. "You are allowed to demand the deletion of all your data from anyone." That sounds nice, doesn't it? But it's not what that article actually says. It just repeats that data processing is only allowed under specific conditions, and that your data must be deleted if those conditions are no longer met. I honestly don't know why this article exists, it just seems so redundant.

Maybe this article is meant to clarify some gaps in the previous rules, e.g. that withdrawing your consent by default only affects future data processing, and that you can demand deletion of already existing data in addition to that. But even then I find it weird that these clarifications come several articles later instead of simply providing a complete definition of consent from the start.

Chapter 9 then goes on to list a whole lot of additional exceptions. Or rather, it lists cases in which national law might overwrite the GDPR. So in order to know whether any of this applies you have to check the entire national law.

I am sure there are explanations for everything I don't understand. I guess that regulation like this has some degree of inherent complexity. But there are also some obvious improvements that could be made, either by changing the structure of the text or by providing auxiliary material.

Restrictions on data propagation

GDPR contains plenty of restrictions for processing data. But once someone has your data, there are next to no restrictions on who can access it. If you give your data to a company with 10.000 employees, all of them can now legally access that data. Heck, the company can also pass the data to subcontractors.

One of the principles of the GDPR is "data minimisation", which is super important to limit the attack surface. But to my knowledge there are basically no concrete rules that actually enforces this.

As an example: A local film festival recently started to sell their tickets exclusively via a third party online platform. Before that, it was possible to buy tickets anonymously in cash. Now you have tell that platform what movie you want to see. It is reasonable to assume that they are hosting their databases on AWS, so the whole of Amazon can probably also see that. And the GDPR doesn't protect you from any of it.

Focus on principles instead of compliance

The GDPR is based on some truly great principles, for example:

Unfortunately, none of that really materialized. The GDPR should have smashed targeted advertising and centralized social media. Instead, companies were told that they can continue as before as long as they fill out some paperwork and add cookie banners to their websites.

Some time ago I saw a website that had been build by a young colleague of mine (I won't name names). It had no cookies. It had a cookie banner. They had come up in a world where every "respectable" website had a cookie banner, so they thought that having one was a legal and aesthetic requirement.2

I am not sure what exactly went wrong here. The power of advertising companies such as Google and Facebook certainly played a role. But I also blame the EU. With the benefit of hindsight, I hope that they can come up with a better communication strategy next time around.

Wild idea: make it a tax

Imagine if companies had to pay taxes on the size of their database.

I can easily come up with a justification that contains enough buzzwords to sway your average politician: In these trying times full of ransomware and cyber terrorism, storing any kind of data is a public security hazard. The companies that are most likely to leak data should also pay the biggest part of the cleanup-bill.

So far the GDPR concentrates on fines instead of taxes. I am not well versed in the discourse around these two options. But maybe it's not even that important whether this is a fine or a tax. The juice is in how it is calculated:

The fines in the GDPR can be high and they are also supposed to consider the "number of data subjects affected and the level of damage suffered by them". But I want something more specific. I want something like this:

= base value
* number of unique datasets
* sum of sensitivity for each field
* number of natural people with access

This would explicitly incentivize corporations to keep datasets small, throw away historic data, avoid highly sensitive fields, and restrict the pool of users. Also note that looking at unique datasets would encourage a high k-anonymity, something that the GDPR doesn't even consider.

There are clearly still a lot of details that need to be worked out. I also have no clue how much administrative work this would cause. But it is an idea.


GDPR is great, but it could be better. It especially suffers from a lack of enforcement of its principles. Maybe a tax could help with that.

  1. The GDPR does have a more nuance perspective on data sensitivity when it comes to fines (see Art. 83).↩︎

  2. I understand that cookie banners are often actually required by GDPR, but by the ePrivacy directive. But the point that the underlying principles got lost somewhere still holds.↩︎