The GDPR journey has not been wonderful.

NOYB has 800 cases out and the enforcement process is difficult because procedural law is different in different countries.

This wasn’t what we expected when GDPR came out, NOYB’s Max Schrems said during IAPP’s International Association of Privacy Professionals Global Privacy Summit.

Andrea Jelinek of the European Data Protection Board said new regulations are expected to come out in the summer streamlining and harmonizing the process.

What’s going well with GDPR:

  • Schrems: GDPR is the least stupid privacy law around, but there is still a long way to go. The law is too vague, and that hurts most small- and medium-sized enterprises that are actually trying to comply.
  • Jelinek: GDPR is working and will continue to work.
  • Former UK Information Commissioner Elizabeth Denham: On day one, 500 million people got new rights and created a new standard. Other countries have used GDPR as an inspiration, but didn’t copy it. Rather, they adapted it to their own culture and preferences.

On international data transfers:

  • Jelinek: The EU-US DPF is an improvement, but the EDPB raised concerns and the European Commission takes our advice seriously.
  • Schrems: The DPF is an improvement, but it isn’t enough. There is an agreement on the level of protection you expect from your own country, but there needs to be agreement on protection of the data of other democratic countries. The U.S. definition of proportionality is not good enough, and neither is the redress.
  • Denham: In the short term I’m pessimistic. In the longer term, G7 countries should agree on government access to data. There should be a common standard, and we will get there eventually. The EU adequacy system is not sustainable.
  • Jelinek: That global standard for transfers should be the GDPR.
  • Schrems: We need a global standard. The fact that GDPR is based on data localization and exceptions. That’s why it the next 10 yers there will be a lot of Roman numerals after my name.

GDPR grades:

  • Schrems: For the law, C. For enforcement, F. Therefore, a school grade of D.
  • Denham: 8/10 because the law raised the benchmarks and changed the conversation
  • Jelinek: 7/10

GDPR at 10 years of age:

  • Denham: The GDPR will be reformed. It’s time.
  • Schrems: With class actions and emotional damages and a harmonized enforcement, GDPR could be a 10. It will be a different ball game.