33 Proposals for improving the General Data Protection Regulation

The GDPR itself provides for its own regular evaluation. Four years after it came into force and two years after it began to apply, the EU Commission presented its first evaluation report in June 2020. In this report, however, it does not address weaknesses and suggestions for improvement, but deals solely with the implementation of the GDPR in practice. In doing so, it ignores the many suggestions for improvement from member states, Union bodies and civil society. The book "Improving the General Data Protection Regulation" now makes 33 easy-to-implement suggestions (see link below).

Although the GDPR has only been applied for just over two years, ten years have already passed since it was drafted. Since then, much has changed in the processing of personal data due to digitalization. "The use of digital platforms on the Internet, as well as the penetration of data processing into all areas of life through smartphones and through the Internet of Things, have caused the scope of personal data processing to grow strongly. Technologies such as Big Data and Artificial Intelligence are leading to an increasing asymmetry of power between large data-processing companies and the people whose data is processed. Unfortunately, the General Data Protection Regulation has not yet provided an adequate response to this," says Alexander Roßnagel, professor of technology law at the University of Kassel and spokesman for the research network "Forum Privatheit", summarizing his own evaluation of the regulation. "This is because the GDPR is risk-neutral with respect to data protection principles, the permissibility of data processing and the rights of data subjects. Neutrality may make sense elsewhere. But here, it results in allotment gardeners or sports clubs being subject to the same data protection requirements as large global corporations, which have far greater data processing power and thus naturally pose a higher risk to individuals' fundamental rights."

Fundamental rights and freedoms could be strengthened by these improvements

But it is not only this conceptual shortcoming of the GDPR that stands out in its evaluation. There are also many small regulatory gaps, ambiguities, value contradictions, technical errors and overregulation that urgently need to be remedied. "The regulatory framework contains many compromises and is often too abstract. Both lead to legal uncertainty, acceptance problems, enforcement obstacles, barriers to action and investment obstacles," Roßnagel said. According to Christian Geminn, a legal scholar at the University of Kassel and co-author of the book, improvements "are possible in part with just a few changes to the wording of the law. This can both increase the efficiency and effectiveness of the protection of fundamental rights and increase the acceptance of data protection." The innovative elements of the GDPR such as data protection by design of technology, data protection-friendly default settings, certification or data protection impact assessment will also gain from the proposed concretizations. In other elements of the regulation, such as the right to data transfer, which was originally intended as a measure to limit the power of big data corporations, improvements also make sense.

The book analyzes the GDPR against the backdrop of more than two years of application in practice, evaluates it - especially from the perspective of citizens and consumers - and derives 33 concrete suggestions for improvement that will make it possible to better achieve the goals of the regulation and strengthen its acceptance. One example: in order to sufficiently inform the data subject about this additional risk of data processing whenever data are collected that are also to be used for profiling, Articles 13 and 14 should be supplemented accordingly. The analyses, evaluations and proposals presented in the book are intended to help provide arguments for the necessary discussion on the further development of data protection law in the EU. Furthermore, the book aims to show how fundamental rights and freedoms can be better promoted and protected in the digital world.

Roßnagel, Alexander and Christian Geminn, Improving the General Data Protection Regulation: Proposals for Change from a Consumer Perspective, Nomos, Baden-Baden 2020. ISBN print: 978-3-8487-7706-8, ISBN online: 978-3-7489-2099-1.

Open Access: https://www.nomos-elibrary.de/10.5771/9783748920991/datenschutzgrundverordnung-verbessern

Contact:

Prof. Dr. Alexander Roßnagel
University of Kassel
Department of Public Law
E-mail: a.rossnagel[at]uni-kassel[dot]de

Dr. Christian Geminn
University of Kassel
Project Group for Constitutionally Compatible Technology Design (provet) at
Scientific Center for Information Technology Design (ITeG)
E-Mail: c.geminn[at]uni-kassel[dot]de