Flaws of the GDPR: Perspective of the GDPR’s lead architect

Europe’s flagship data privacy law, the General Data Protection Regulation (GDPR)

Axel Voss, one of the lead architects of the GDPR, a member of the European Parliament, and author of the 2011 initiative report titled “Comprehensive Approach to Personal Data Protection in the EU”, wrote a position paper highlighting the law's weaknesses after observing the GDPR's unfulfilled promises. The following are the nine flaws that Voss described.

First, the GDPR is an overly bureaucratic law created largely using a top-down approach by EU bureaucrats.

Second, the law is based on the premise that data protection should be a fundamental right of EU persons. Its absolute and one-sided stipulations are rigid on data controllers and processors.

Third, the GDPR aims to empower data subjects by writing their rights into law; however, the protected data subject rights are not exhaustive.

Fourth, the GDPR is grounded on a prohibition and limitation approach to data protection. These old data protection mindsets, such as data minimization and storage limitation, are not workable anymore.

Fifth, the GDPR deems any processing of personal data a potential risk and forbids its processing in principle, and hence allows processing only if a legal ground is met. Such an anti-processing and anti-sharing approach may not make sense in the current data-driven economy.

Sixth, the GDPR does not distinguish between low-risk and high-risk applications, imposing the same obligations on every type of data processing application.

Seventh, the GDPR also excludes exemptions for low-risk processing scenarios or when SMEs, startups, non-commercial entities, or private citizens are the data controllers.

Eighth, the GDPR lacks a mechanism that allows SMEs and startups to shift the compliance burden onto third parties, which then store and process data.

Ninth, the GDPR relies heavily on government-based monitoring and administration of GDPR privacy compliance.