GDPR in Germany: What the data protection regulation has brought

A few weeks ago, the General Data Protection Regulation – GDPR for short – celebrated its fifth birthday. A reason to celebrate? Some say yes, others no. The GDPR has definitely achieved one thing: the issue of data protection has reached all of us more than ever before. But has the GDPR fulfilled its big promises, for example to put data giants like Facebook or Google in their place? We take a closer look at what is going well so far and what still needs to change.

“The GDPR protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data,” says lawyer and data protection expert Christof Kolyvas from Bochum, summarizing the approach of the regulation. What sounds dry in legal terms means, translated into everyday language: the GDPR wants to protect people and their rights, not data. Does it?

To a large extent, yes. Some things have improved in terms of the protection of personal data and in terms of IT security generally, even if the GDPR has given us an endless click orgy in the form of cookie banners as a “by-product”. The cookie banners have nothing directly to do with the introduction of the GDPR. They are the result of an oversight: in parallel with the GDPR, the so-called ePrivacy Directive or “cookie directive” was also supposed to be reformed. This reform is the responsibility of each individual EU Member State. Germany has not yet managed to come up with a uniform solution. Why? We will come back to that later.

What distinguishes the ePrivacy Directive from the GDPR? The directive is essentially the digital promise by companies to keep personal data confidential. The GDPR, on the other hand, deals with data processing itself. For example, disclosure to countries outside the EU is not permitted.

And why are the annoying cookie banners also “problematic” from a GDPR point of view? Internet users often consent to something they would never consent to on closer inspection. Some companies have deliberately designed the consent process in their own favor.

Rejecting is often confusing, complicated or not provided for at all. That is why the cookie banners are not only a nuisance: by their very design they also lead to a complete loss of control over the processing of personal data. This is not in the spirit of the GDPR.


Fines are effective

The Austrian lawyer and data protection activist Max Schrems has been fighting Facebook for years. A few years ago, he asked for information about what personal data Facebook had stored about him on its platform. The GDPR has also been shaped by his years-long battle against Mark Zuckerberg’s company. Facebook, Twitter and Co. now offer a straightforward function for querying the personal data stored by the company. If desired, companies must even delete “all” data.

“The imposition of fines, the case law of the European Court of Justice on the GDPR and the national courts make the effectiveness of the uniform EU regulation visible,” emphasizes data protection expert Christof Kolyvas. Indeed, just recently the data protection authority responsible for Facebook in Ireland imposed a record fine of 1.2 billion euros. Facebook thus replaces Amazon as the “record holder”. The previous record holder had been fined 746 million euros.

GDPR is also a problem for the authorities

The authorities in Ireland seem to be doing a good job. However, this is only true to a limited extent. The big corporations like Facebook, Microsoft, Google or TikTok did not choose Ireland as their European headquarters because of the lush green meadows. In addition to low tax rates, the island attracts them with an extremely lax interpretation of the GDPR. On top of that, the Irish data protection regulator is chronically understaffed, so the authority could be working far more effectively than it does. The headline-grabbing fines thus serve as a smokescreen.

A similar problem with the authorities applies to Germany, but in the opposite direction. Germany has a federal data protection commissioner in the person of Ulrich Kelber. However, he has enough to do just keeping communication with 17 state authorities reasonably tolerable and expedient, because data protection in Germany is regulated at the state level. Accordingly, each individual federal state has its own data protection authority; Bavaria even allows itself two. That makes a uniform German line on the GDPR difficult, to say the least.

Nevertheless, data protection expert Christof Kolyvas sees Germany on the right track when it comes to data protection. “For small and medium-sized companies, the implementation of the GDPR initially means an increased effort. However, companies that take data protection into account at an early stage save later costs due to wrong decisions or legal disputes.”

The Bochum lawyer would like to see simplifications for the future, especially for smaller and solo self-employed people. Even after five years, there is still a great deal of ignorance and uncertainty about the GDPR.


Positive and negative consequences of the GDPR

The GDPR has not brought people only positive things, such as the possibility of viewing, changing or deleting stored data or objecting to its dissemination. The fact that companies have to safeguard their use of the data has also increased the administrative burden. Whenever a company wants to process personal data, it needs a legal basis, since processing is prohibited unless explicitly permitted. Companies obtain this in the form of special consent forms, online as well as on paper. Many may know these from medical practices: since the introduction of the GDPR in May 2018, new patients have had to fill out a slip with which they consent to the processing of their data. This is necessary in order to be able to exchange diagnoses between doctors and clinics. With these forms, however, users should pay attention to the type and scope of data use and processing they are agreeing to. One should be careful with wording such as “legitimate interest” and would rather consult an expert.

Incidentally, the “legitimate interest” is also often found in cookie prompts. The question always remains what can be understood as a legitimate interest. Users should make sure that the legitimate interest of the controller really does prevail.

GDPR on the way to a global standard?

Even if the implementation initially caused a stir, the GDPR now also serves as a model in other regions of the world. One of the biggest fears of critics has not come true: US companies have not turned their backs on Europe because of the GDPR.

Accordingly, the regulation could become a model for other countries outside the EU. Incidentally, that would also be in the interests of globally active companies, since they have no interest in countless “standards”: different regulations mean higher compliance costs.

Launched as a mammoth European data protection project, the GDPR has moved many things in the right direction over the past five years. Of course, such a law cannot immediately cover every small yet important detail. In addition, five years is a very long time in the rapidly changing field of IT. Certain developments were not even foreseeable at the time.

Understand GDPR as a constantly changing strategy

“The GDPR must be seen as part of the EU’s data strategy. In order to include them in a future EU data strategy, regular adjustments will be necessary,” data protection expert Christof Kolyvas makes clear. Since the actual implementation of the GDPR in 2018, the Bochum lawyer has recorded an increased number of inquiries from companies. Previous practice has shown that the GDPR has improved European data protection and made it more uniform.

However, there are still a lot of gray areas. Some companies take advantage of this to interpret and adapt the provisions of the GDPR according to their own needs. Keyword: “Privacy Washing”. The term goes in a similar direction to “greenwashing”, which is well-known in business.

With “privacy washing”, companies act in accordance with the provisions of the GDPR. But thanks to the gray areas and legal sophistry, they still use personal data primarily for their own economic purposes. Protecting people comes second.

AI requires GDPR adjustments

In this context, the topic of artificial intelligence (AI) is now playing a dominant role. The GDPR was also introduced to curb so-called profiling and the power of algorithms in social media. Data protection experts see an urgent need to catch up here, because AI has made the whole situation even worse: it makes it even easier for Facebook or Google to create certain “movement profiles” of people based on nothing more than tiny data traces.

That is why there are increasing calls to sharpen the GDPR, especially when it comes to the use of AI. The previous guidelines for creating data profiles date from 2018 and therefore no longer reflect current developments in the field of AI. The problem has been a thorn in the side of the EU for a long time. Since May 2022, therefore, efforts have been under way as part of the so-called Artificial Intelligence Act to clearly limit the excesses of AI. The new AI rules would then apply in parallel with the GDPR. Perhaps this will actually succeed in establishing the GDPR as the “gold standard” of data protection.
