
06/15/2021 | Campus news

Taking stock after three years of the General Data Protection Regulation

The General Data Protection Regulation (GDPR) played a pioneering role in the protection of fundamental rights, and many countries have now followed its example. Its principles are conditions for a livable, digital society. But existing legal loopholes raise many questions - and are being exploited above all by powerful data processors, such as global corporations.

Image: luis gomes

For the growing volume of personal data processing, the GDPR provides, for the first time, uniform and directly binding data protection rules throughout the European Union. It has thus promoted discussion of the need for and content of data protection and strengthened respect for the fundamental rights of data subjects. It has drawn a great deal of attention to data protection, in particular through its threat of sanctions modeled on competition law, but also through its establishment of strong, independent supervisory authorities.

Despite this strengthening of data protection, fears of excessive data protection bureaucracy were exaggerated. Practice showed that the changeover to the new data protection regulation was not nearly as burdensome as opponents had predicted. The GDPR largely continues the rules of the previous data protection directive in force in Germany. Those who had already adhered to these had to make only a few changes in their practical work. Innovations in the regulation, such as the enactment of codes of conduct or the certification of processing operations, have hardly been adopted in practice yet. They could make compliance easier still.

The intention was good - but so far, some things have fallen short of expectations.

Three years of data protection practice, however, have also made the weaknesses of the GDPR increasingly clear. On the one hand, it has not led to uniform data protection practice in the European Union: the abstract nature of many provisions leaves room for different interpretations, and the many opening clauses allow for divergent laws in the member states. For coordination among the independent supervisory authorities, it provides complicated procedures that presuppose a uniform objective and a cultural change that is (still) lacking. On the other hand, it failed to deliver the necessary modernization of data protection in view of the challenges posed by cutting-edge information technologies such as Big Data, the Internet of Things or artificial intelligence: it contains predominantly abstract, technology- and risk-neutral provisions that are difficult and highly controversial to flesh out in practice. One example is the balancing required for data-driven business models between the legitimate interests of the controller and the interests of the data subject that are worthy of protection, for which the regulation specifies no suitable criteria. The lack of clarity in many of the regulation's provisions ties up millions of working hours every day and hinders innovation and investment.

Legal loopholes are exploited primarily by powerful data processors

Social power always intrudes into gaps left by the law. Such gaps are exploited primarily by global corporations and other powerful data processors to advance their interests, often at the expense of data subjects. Making up for shortcomings in legislation after the fact causes a great deal of work for supervisory authorities. Progress in data protection practice is most evident where the European Data Protection Board, the Conference of Independent Supervisors of the Federation and the Länder, or individual supervisory authorities have provided legal clarity - but always at the risk that those who disagree will appeal to the courts. This could often have been avoided by a few risk-oriented stipulations by the Union legislator.

"European and German legislators should learn from the experience with the GDPR for future digitization projects," says Forum Privatheit spokesman Alexander Roßnagel.

This wish seems to have reached the European Commission, at least. In its draft regulation on artificial intelligence, it has abandoned strict technology and risk neutrality and regulates, by area and by application, how risks to fundamental rights posed by artificial intelligence can be averted.

In Forum Privatheit, experts from seven scientific institutions deal with issues of privacy protection in an interdisciplinary, critical and independent manner. The project is coordinated by Fraunhofer ISI. Other partners include Fraunhofer SIT, the University of Duisburg-Essen, the Scientific Center for Information Technology Design (ITeG) at the University of Kassel, Eberhard Karls University Tübingen, Ludwig Maximilian University Munich, and the Independent State Center for Data Protection Schleswig-Holstein. The German Federal Ministry of Education and Research supports Forum Privatheit in order to stimulate public discourse on the topics of privacy and data protection.

Spokesperson "Forum Privatheit":
Prof. Dr. Alexander Roßnagel
Department of Public Law
University of Kassel
a.roßnagel[at]uni-kassel[dot]de

Project coordination "Forum Privatheit":
Dr. Michael Friedewald
Fraunhofer Institute for Systems and Innovation Research ISI
Competence Center New Technologies
michael.friedewald[at]isi-fraunhofer[dot]de

Press and Communication "Forum Privatheit":
Barbara Ferrarese, M.A.
Fraunhofer Institute for Systems and Innovation Research ISI
Competence Center New Technologies
+49 (0) 721 / 6809-678
barbara.ferrarese[at]isi.fraunhofer[dot]de

"Forum Privacy and Self-Determined Living in the Digital World"
https://www.forum-privatheit.de/
Twitter: @ForumPrivacy