
05/23/2018 | Campus News

General Data Protection Regulation: "The most important effect is attention"

The scientific expert panel "Forum Privatheit" has been analyzing the origins, content and implementation of the EU General Data Protection Regulation for years. The researchers summarize their findings on the occasion of its entry into force on May 25, 2018.

"The most important effect of the General Data Protection Regulation (GDPR) is the enormous attention that data protection is currently enjoying. Every data processor, especially if they have ignored data protection up to now, is suddenly taking note of it and asking in horror what concerns them and what they have to do," says "Forum Privatheit" spokesman Prof. Dr. Alexander Roßnagel, a legal scholar at the University of Kassel. "This GDPR hype is an ideal field of activity for all competent and incompetent consultants. On their advice, many large and small data processors are demanding consent forms from their customers, members and business partners - even where this is completely unnecessary and counterproductive."

This excitement is related to what is really new in the GDPR. "For the first time, supervisory authorities are given effective supervisory and sanctioning powers," explains Schleswig-Holstein's data protection commissioner Marit Hansen, a member of the "Forum Privatheit". "They can issue instructions to data processors on how to proceed in accordance with data protection. This can go as far as banning data processing. In the event of a breach of data protection requirements, they can impose sanctions that, depending on the severity of the breach, can range up to 20 million euros or up to 4% of the previous year's group-wide turnover."

For data protection, the GDPR brings some innovative regulations. This is welcomed by business informatics expert Prof. Dr. Thomas Hess of Ludwig Maximilian University of Munich, a member of the "Forum Privatheit": "These include the expansion of the geographical scope of application. In addition to EU companies, this will from now on also apply to all data processors worldwide, if - to put it simply - they process personal data of persons residing in the Union. This will create a level playing field, especially among digital groups offering their services on the European market." Also new are some obligations on data processors, such as data protection-compliant system design, data protection-friendly default settings, data protection impact assessments, and additional documentation. However, these obligations only apply with some reservations.

The GDPR also strengthens the rights of the data subject. "It remains predominantly with the known rights - but these are now more clearly structured. New is the right to be able to transfer data posted in platforms themselves to other platforms. Also new is the right to complain to the supervisory authorities and the possibility of having the rights of data subjects represented by an association," says Prof. Dr. Jörn Lamla, a sociologist at the University of Kassel and a member of the "Forum Privatheit." "In contrast, essentially only the heading is new in the much-vaunted right to be forgotten."

Otherwise, the GDPR does not contain much that is new. It continues many regulations of the previous European Data Protection Directive of 1995. Since German data protection law essentially corresponded to the directive, many of the provisions of the GDPR are comparable to the previous data protection regulations. "Those who have been data protection compliant up to now and maintain this practice are in a good position," is a key message from data protection officer Marit Hansen. "However, built-in data protection will not become a reality on its own, as the past has shown - we all now need to push manufacturers and service providers to design their offerings in a data protection-friendly way."

As a regulation, the GDPR applies directly. Its effect is that everyone throughout the Union and the European Economic Area must adhere equally to the same legal text. However, many regulations are so abstract that they are often interpreted according to the respective data protection culture. As a result, the text will be interpreted differently in each member state and possibly even in different jurisdictions. Until this is clarified in all details by highly complex processes for the standardization of data protection supervision and by rulings of the ECJ, the abstract regulations will continue to cause legal uncertainty for years and decades.

The GDPR takes precedence over German law to the extent that German law conflicts with the regulation. However, the GDPR contains 70 opening clauses, according to which the member states may set or maintain their own and thus different law. "Because of these opening clauses, there are clear deficits in the unification of data protection law in the Union," Roßnagel explains. "Germany, in any case, has so far used the opening clauses to retain German data protection law in its entirety. It has only made changes to facilitate data processing and to limit the rights of the data subject compared to the GDPR. This co-regulation of data protection law by the European Union and the member states makes data protection law confusing and complicated. As a result, the GDPR really only regulates the private sector, while the public sector continues to be shaped by German data protection law."

"The GDPR is underdeveloped as far as fundamental rights protection against the new and future challenges of technological development - such as Big Data, artificial intelligence, self-learning systems, cloud computing, search engines, network platforms, context sensing, Internet of Things - is concerned. It has not regulated any of the foreseeable challenges in a risk-adequate manner. This shortcoming must be remedied as soon as possible," says Dr. Michael Friedewald, a scientist at the Fraunhofer Institute for Systems and Innovation Research ISI and "Forum Privatheit" coordinator.

In the "Forum Privatheit", experts from seven scientific institutions deal with issues concerning the protection of privacy in an interdisciplinary, critical and independent manner. The project is coordinated by Fraunhofer ISI. Other partners include Fraunhofer SIT, the University of Duisburg-Essen, the Scientific Center for Information Technology Design (ITeG) at the University of Kassel, Eberhard Karls University of Tübingen, Ludwig Maximilian University of Munich, and the Independent Centre for Data Protection Schleswig-Holstein. The BMBF supports the "Forum Privatheit" in order to stimulate public discourse on the topics of privacy and data protection.

Spokesman of "Forum Privatheit":
Prof. Dr. Alexander Roßnagel
University of Kassel
Project Group for Constitutionally Compatible Technology Design (provet)
Scientific Center for Information Technology Design (ITeG)
Tel: 0561/804-3130 or 2874
E-Mail: a.rossnagel[at]uni-kassel[dot]de