So they wanna reform the GDPR?
Not since Martin Luther has Europe come up with such an intriguing yet polarizing set of ideas
I’m Alan Chapell. I’ve been working at the intersection of privacy, competition, advertising and music for decades and I’m now writing for The Monopoly Report. If you have a tip to share in confidence, find me on Twitter or Bluesky.
Our latest Monopoly Report podcast is out with Jessica Lee - Partner and Chair of the Privacy, Security & Data Innovations practice at Loeb & Loeb. We talk about the state of Health Targeting. Seems everyone reading this wants that big pharma money - Jessica and I go deep into the story behind the ruleset.

This pic may require some explanation for those under 40…. The Warner / Bugs Bunny people had a cartoon about a sheepdog and a coyote where the dog protects a flock of sheep from the coyote. Anyway, my point is that the coyote and sheepdog were on opposite sides of the political spectrum when it came to protecting sheep. But after work, they were quite cordial - and even collaborative. All this to make the point that Axel Voss and Max Schrems might be a comparable archetype. Why is Elon in the picture? I’m not sure, but I don’t think you can talk about EU regulatory issues today without Elon’s name coming up. The AI that helped create this pic seems to think that Elon invented a portal into the cartoon world. Which reminds me of our new sponsor:
Space Jam 7: Elon dunks on privacy.
Some EU Policymakers are hankering for a GDPR change
A number of press reports have recently noted that prominent EU politician and MEP Axel Voss and privacy activist Max Schrems have come together (sort of) to propose a targeted revision of the GDPR so as to differentiate between big and small firms.
(Note: the two are not exactly aligned philosophically as Voss’ primary goal for this new GDPR framework is to reduce paperwork and increase innovation; while Schrems is seeking increased enforcement. #StrangeBedfellows).
Under the Voss / Schrems plan, the legal burden would be largely determined by the size of the company:
Small companies - A large percentage of businesses currently subject to the GDPR would have fewer documentation requirements and no DPO requirement (kind of like how the UK is approaching GDPR reform),
Regular – keeping most of the existing rules for companies that process sensitive personal data or operate at a larger scale (including ads companies?), and
Large - would cover EU DMA designated very large online platforms (VLOPs) and companies whose business model is built fundamentally on the processing of personal data, such as ads companies(?) These large companies would be subject to mandatory external audits.
Does this GDPR proposal have legs?
The fact that Voss and Schrems are both engaged in this idea makes it worth some discussion. (Imagine Bernie Sanders and Ted Cruz co-sponsoring legislation…. or Liam and Noel Gallagher agreeing to record another Oasis album).
But keep in mind, it’s VERY early and the proposal isn’t fully baked. Remember when the ADPPA was being discussed last year in the U.S. Congress? Some reporters may have felt that it had momentum – but that was mostly because it was high level and none of the thornier points of contention (e.g., state pre-emption) were fleshed out. When those issues WERE discussed eventually, the ADPPA quickly lost that momentum and ultimately died on the vine.
In that light, I’d pump the brakes when thinking about the viability of the plan – it’s way too early and there’s tons of gravity working against it.
What are the particulars of this proposal?
Scale – I’m a huge fan of tying a privacy ruleset around scale (although I think it’s better to tie it to the scale of the data set rather than company size). If we’re treating DeepSeek or pre-acquisition Instagram differently than Microsoft simply because they have fewer employees, then we’re in for a litany of bad outcomes.
Where does adtech fit in? - I understand that big tech fits in the “large” bucket. But I’m not sure where your run-of-the-mill DSP fits. You can make the case that the DSP falls into either the medium or the large bucket. But if it’s the latter (as the proposal implies), I’m not really sure what the point is here. Magnite and TikTok should not be treated as the same.
DSARs and privacy-by-design – there’s talk about making adjustments to 'the right to be forgotten' or 'data minimisation'. DSARs would NOT be my personal starting point for change. And in my view, data minimization should be folded into rules around the scale of data processed. My guess is that Voss is pushing for data minimization rules in order to address concerns around the use of data for model training in connection with generative AI. As of now, EU data protection law doesn’t have a great answer when it comes to regulating AI. (In fairness, nobody does).
Changes to the EDPB – Voss wants to remove the enforcement role of the European Data Protection Board. There’s certainly a debate to be had re: whether the EDPB has become too powerful. Part of the problem is cultural in that individual EU data protection regulators insist on treating EDPB advisory opinions as if they’re the law of the land. I’m not sure how you fix something when a large constituency doesn’t see it as broken.
Whitelist to Blacklist – Voss wants to move away from the current regime where data processing is prohibited EXCEPT via certain approved legal bases. (For those of us in ad land, the choices are consent and legitimate interest – although the latter is at best frowned upon). Voss wants more focus on prohibiting specific “bad” practices and allowing most other types of processing activities. Companies like Meta (i.e., who have pretty much run out of legal bases to declare) would likely be in favor of this.
Next I’ll sketch out some areas that I think are ripe for reform. If you want all the details on how I’m thinking about GDPR reform, you should subscribe to the Chapell Report. Just click the ad below or DM me if you want more info.
What would I do if I ran GDPR reform?
Here’s a list of the GDPR areas that I’d consider reforming. I’d write more, but Ari makes me fold his laundry whenever I go over 1,500 words.
Size / Scale – I like the concept, but would tailor the rules not to company size, but size and sensitivity of the data set being processed. Companies would be required to outline in their privacy policy which bucket they fall into and a short description of why.
Move the EDPB into an advisory role – What’s that you say? The EDPB is ALREADY (mostly) in an advisory role? Yes, but the EU DPAs treat EDPB opinions as gospel at this point.
Disband (or at least alter) the One stop shop (OSS) – This might be one of the few areas that Max Schrems and I agree on (as NOYB seems to be gunning for the end of the one stop shop process.) Don’t get me wrong. Conceptually, I like the simplicity of having to deal with a single EU data protection regulator. I wish we could make that approach work in the U.S. But it’s odd that Ireland has become the EU’s GDPR enforcement capital and there’s an open question re: where processing decisions are really being made by non-EU companies. And that casts doubt on the entire OSS process.
Definition of Personal Data – Let’s codify the definition of personal data and provide distinct examples and avoid the game of cat and mouse between the EDPB, EU DPAs, the digital media industry and the CJEU that’s taken place over the last decade. Let’s also have clear guidance around pseudonymization and/or de-identification of a data set. I’ve made this point repeatedly over the years.
Incorporate an update of the ePrivacy (cookie) Directive – We need to move away from the “consent for anything ads related” approach - and the cookie rules are the fulcrum. This might be the most contentious issue of all. It’s hard to see how those reforms will be addressed as part of a larger GDPR package when there was zero political will to address them as a standalone. But equally, there’s not much point to reforming GDPR if you don’t also tackle ePrivacy. (Btw, I had Peter Craddock on TMR pod to discuss some of these issues).
What’s the bottom line on GDPR reform (from the pov of ad land)?
I realize that the ads world is not the only consideration, but I’ll say this. If this revamped GDPR doesn’t address the political issues undermining ePrivacy, if it continues to facilitate the crusade against all targeted ads, and if it fails to clarify the definition of personal data, then, at least when it comes to regulating the ads world, they’ve built the ship to wreck.