Individuals’ privacy and data protection have never been taken more seriously in Europe and beyond its borders since the entry into force of GDPR in May 2018. The GDPR has made personal privacy a widely-recognized issue that is becoming even more important with the development of AI and other profiling technologies.

As part of their public service remit and specific relationship with their audiences, Public Service Broadcasters have a particular duty to ensure that personal data is processed in a responsible way and in compliance with the GDPR and other applicable data protection laws.

However, in general there are still some important challenges ahead for GDPR. The EBU Data Protection Officers group, representing DPOs from EBU’s membership, calls for increased action so that stakeholders truly benefit from a level playing field when complying with GDPR. 

“We’ve spent the past two years investing significant resources to ensure that our organizations are compliant with GDPR. What’s become clear is that the interpretation and the enforcement of GDPR needs to be both more consistent and more effective across the EU. This is crucial to maintain our audiences’ trust in the digital world” says Joost Negenman, EBU DPO group chairman and NPO’s Privacy Officer.

This is particularly relevant when negotiating controller-processor agreements with global third parties, such as big players in the IT sector and major online platforms, who can dictate their terms to customers. In practice, business customers are confronted with a "take it or leave it choice" due to the significant imbalance in bargaining power in data-driven markets. 

This imbalance can be solved by having strong EDPB guidelines and recommendations on the notions of “processor”, on the processor- controller relationship, on "joint-controllers" and more generally on how to determine the status of a service provider. Also most useful would be the adoption of EU model contracts that enable organizations to jointly push back against terms they deem unfair.

There are several other crucial areas where divergent views and approaches from supervisory authorities could have important consequences not only for individuals’ rights, but also for businesses’ activities. These include: cookies’ consent management; the interplay between GDPR and ePrivacy rules; DPIA and high-risk processing activities; and the scope of individuals’ rights and profiling. Unless GDPR enforcement rapidly becomes more consistent and more effective, data processes cannot be implemented uniformly across Europe.