GDPR protects fundamental civil rights
Reasons to look forward to the coming years with the General Data Protection Regulation!
May 25, 2019 marked the anniversary of the entry into force of the Basic Data Protection Regulation (DSGVO) for the first time. Across Europe, 200,000 breaches were reported to regulators and €56 million in fines were reported. The largest fines imposed went to Google and a hospital in Portugal. In Germany, a total of 485,000 euros in fines were imposed for 75 very different violations. The flood of notifications is almost unmanageable for the supervisory authorities.
Despite this large number of reported infringements, charges or fines: the motivation for implementing the GDPR should not be based on fear of punishment. The motivation for implementing the GDPR is as follows: It simply makes sense! Why this is the case and why you should start implementing it today rather than tomorrow is explained in the series of articles entitled "Unfortunately, the General Data Protection Regulation has only been available to you for one year - three reasons to look forward to the coming years with the GDPR!
Part 1: The GDPR protects our fundamental civil rights
The concept of data protection is relatively recent, but has not only existed since 25.05.2018.
The idea of comprehensive data protection began in the USA in the 1960s - contrary to the expectations of many. The starting point for the considerations was the rapidly advancing developments in the field of computer technologies and the resulting rapid and uncontrolled dissemination of personal data. The permanent and seemingly unlimited availability and analyzability of data posed a threat to privacy both then and now.
In 1970, a data protection law was written down in Hesse for the first time worldwide. The first Federal Data Protection Act was passed in 1977, the peak year of the RAF terror and the murder of Siegfried Buback.
However, due to the so-called census ruling of the Federal Constitutional Court in 1983, it became clear that the current regulations in the Data protectiondo not meet the requirements of the Basic Law. With the Right to informational self-determination data protection was given a fundamental right character. This right is based on the right of personality and human dignity and is described by the Federal Constitutional Court as follows:
"In this respect, the fundamental right guarantees the right of the individual to decide on the disclosure and use of his or her personal data.
Even then, the danger was recognised that personality profiles could be created on the basis of collected data without the person concerned having any influence on it. This danger is more topical than ever in the age of digital data octopuses.
From this the core of the Federal Data Protection Act was derived: the Prohibition in the case of subject to authorisation for the processing of personal data. Accordingly, the processing of personal data is generally prohibited, unless it is permitted by a legal basis. This is a very restrictive restriction on the processing of personal data for very specific purposes, for example in the context of an employment relationship.
1990 until today
The legal provisions have been amended over the years - for example, in 2009 and 2010 - and most recently culminated in the adoption of the General Data Protection Regulation in the European Parliament in May 2016, which replaced the European Directive on the Data protection replaced. The GDPR then came into force with a transition period of two years on 25.05.2018 binding for all member states.
The GDPR is much more powerful than it seems. Many provisions of the GDPR are similar to the Federal Data Protection Act in force to date. But in one part it clearly goes beyond the Federal Data Protection Act. Chapter three of the GDPR deals with the defined rights of data subjects and can be considered as the central mechanism for the future implementation of informational self-determination.
These rights enable data subjects to
- ...to understand who processes data, how and for what purpose and to whom the data is passed on (Art. 13 GDPR)
- ...if data is collected and processed by third parties without the knowledge of the data subjects (Art. 14 GDPR)
- ...to request information about which data are actually processed (Art. 15 GDPR)
- ...to demand that data be processed correctly (Art. 16 DSGVO), deleted upon request (Art. 17 DSGVO) or that processing be restricted upon request (Art. 18 GDPR)
- ... to take data with us when we want to switch between digital services, for example (Art. 20 GDPR)
- ...to require in individual cases that automated decisions (e.g. when granting a loan) be reviewed by a human being (Art. 22 GDPR).
Since the introduction of the General Data Protection Regulation, discussions on data protection have increased significantly. Some state actors, such as the police or secret services, see data protection as an obstacle to their activities. Large companies such as Google, Facebook and Microsoft are also reacting to data protection when implementing their services and are shifting server capacities from the USA to Europe.
This is a thoroughly positive development, which shows that the GDPR is having an impact. Informational self-determination is strengthened and fundamental civil rights are protected. Nevertheless, there is still a lot of potential for implementation, particularly in the area of the rights of those affected.