Experts take stock of the GDPR
The EU Commission must evaluate the GDPR by 25 May 2020. It came into force on the same day two years earlier. The obligation to carry out this evaluation is set out in Article 97 DSGVO standardized. The European Academy for Freedom of Information and Data Protection (EAID) in Berlin took the upcoming review as an opportunity to have several experts take stock of this fundamental body of legislation for data protection at a panel discussion on 27 January 2020.
A number of organisations have already commented on the GDPR in advance of the review. "In December 2019, the Council expressed itself surprisingly tame", said Peter Schaar, EAID Chairman and former Federal Data Protection Commissioner. At the beginning he gave an overview of the main demands of the statements, most of which came from Germany.
It calls for more harmonisation and fewer opening clauses, better cooperation between supervisory authorities, and easier documentation and reporting requirements for small companies and associations. The organisations criticised that the DSGVO does not sufficiently address the issue of rampant profiling and that there are no rules on the liability or at least responsibility of hardware and software manufacturers.
"Club treasurers must comply with GDPR, Facebook does not"
Most of the panelists confirmed these demands. Moritz Körner, member of the Liberal Group in the European Parliament, explained the Brussels perspective in his statement. There the evaluation is not yet a topic of discussion. Although the GDPR has a direct effect in contrast to the previous EU Data Protection Directive of 1995, it has not yet been implemented nationally by Greece, Portugal and Slovenia.
France has imposed the highest fines, with Germany in second place. The problem is that the EU Commission has no overview of the fines. The citizens' perspective, on the other hand, is characterised by the "feeling that as club treasurer you have to comply with the GDPR, but not Facebook", said Körner. The FDP politician therefore called for the regulation to become more efficient and less bureaucratic.
GDPR as world law and criticism of the Irish data protection supervisory authority
The Federal Data Protection Commissioner, Professor Ulrich Kelber, stressed that more than 100 countries have already adopted data protection rules, many of them in Africa. The fact that California has oriented itself to the GDPR has attracted particular attention in the IT world. "The GDPR has become world law," concluded Kelber. This is in contrast to the deliberate misinformation in the run-up to May 2018 and the panic at the time, which is fuelling a wave of warnings from law firms. "A more welcoming culture would also be desirable for data protection," he said. Neither Kelber nor the other panelists expected major changes to the legal text after the evaluation. He saw a need for action on profiling and scoring: "Both are legally up to the level of the 1990s and technically up to the level of the 1980s. By the way, they are also given if a person participates in them, for example by signing the law.
Kelber criticised the Irish data protection supervisory authority for its inaction in dealing with IT companies. There was still no draft decision on major cases such as WhatsApp, Facebook and Microsoft. "The pressure on the Irish authority is like that on the Federal Motor Transport Authority in the Dieselgate affair," he said. We must therefore consider whether the one-stop shop principle can remain as it is. According to the GDPR, the lead supervisory authority is the sole point of contact for responsible parties in cross-border data processing. Kelber would like to see more room for manoeuvre for German supervisory authorities.
Germany wants to promote data protection in the EU
The Parliamentary State Secretary in the Federal Ministry of the Interior, Stephan Mayer, predicted that the EU Commission would be interested in a positive evaluation report. There would be changes especially in the application instructions for opening clauses and facilitations for associations. He would like to see a harmonisation of the levels of fines. With regard to Brexit, he spoke in favour of a decision to assess the British level of data protection as adequate. "Otherwise, the bureaucratic standard contract clauses will come." For the German Council Presidency in the second half of 2020, he demanded: "It would be good for us to make data protection an issue there. The GDPR was not pushed forward with the same enthusiasm everywhere as in Germany. But as a role model it strengthens the EU's market power.
"GDPR [...] strengthens the EU's market power as a role model"
Parliamentary State Secretary in the Federal Ministry of the Interior, Stephan Mayer
According to Klaus Müller, Chairman of the Federation of German Consumer Organisations (vzbv), the high number of complaints from users already shows that the GDPR was "an important and correct step" towards better data protection. But its enforcement must become more efficient. "In some states, the supervisory authorities only take action after years. The reason is often poor staffing," said Müller. Kelber also took the same line, pointing out that the low number of staff in the state authorities also meant that they were unable to advise companies on how to comply with the regulations and avoid sanctions.
Rebekka Weiß, Head of the Trust and Security Department at Bitkom, appealed: "We have to think about evaluation and all the upcoming data rules together, for example the ePrivacy Regulation. Everything must be coherent with each other." One must also ask when it is unethical not to use data. That is the case with health data. As a major problem of the GDPR, she mentioned the legal uncertainty of companies who did not know how the abstract rules would be interpreted by the authorities and courts. "Every sixth data-driven project of companies is therefore left behind," she criticised.