Privacy issues in 2020
Interview with the BfDI office
Last year, in addition to the notorious data leaks, the high fines imposed by the data protection supervisory authorities made the headlines. For the first time, the authorities made use of the stricter sanction options provided by the GDPR. What are the most important issues facing data protection in 2020? We talked about this with Sven Hermerschmidt, Head of Unit for Policy Issues and National Implementation of the GDPR at the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
Robin Data: Even in 2020, the GDPR will remain at the centre of data protection in Europe and Germany. Which activities of the Federal Data Protection Commissioner are affected by the GDPR this year, as far as can be foreseen at the moment?
Hermerschmidt: At the EU level, the meetings of the European Data Protection Board, which brings together the supervisory authorities of the EU member states, are coming up. The committee decides on further guidelines for the implementation of the GDPR. At the national level, the laws implementing the GDPR have been adopted in recent years, so no changes are to be expected here. By the way, this also applies to data protection legislation in general in 2020, at least as far as it concerns companies.
An important date is the publication of the evaluation results of the GDPR on 25.5.2020, two years after its entry into force. This review is provided for in the GDPR. The supervisory authorities of the EU states will jointly publish something on this. The German Data Protection Conference, the conference of independent federal and state supervisory authorities, has already published a Report on the experience with the application of the GDPR adopted.
Robin Data: After the data protection conference has already commented on the evaluation of the GDPR, what other priorities does it set for 2020?
Hermerschmidt: Last year it was artificial intelligence, but this year no focal point is clear yet. But the data protection conference will deal with Windows 10, for example: How can the operating system be used in a data protection-compliant manner, what does the operating system report back to Microsoft? Also on the agenda is the modernization of the register landscape of public authorities, which the Federal Ministry of the Interior is striving for. In future, the exchange of information across registers is to be facilitated, with the data protection authorities pressing for implementation in line with data protection requirements.
Robin Data: What judgements of the European Court of Justice are pending?
Hermerschmidt: The so-called Schrems II judgement is particularly noteworthy here. The Austrian Max Schrems has filed a lawsuit against the Privacy Shield, which concerns the exchange of data between the EU and the USA. Formally, the lawsuit was directed against the Irish supervisory authority responsible for Facebook. The Irish High Court then referred the issues to the CJEU. The ruling is expected in the second quarter of 2020. As the CJEU's first Schrems ruling was far-reaching, Schrems II is eagerly awaited.
External Data Protection Officer
You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.
Robin Data: The comprehensive use of data by IT groups is repeatedly criticised. What do you want to do about it in 2020?
Hermerschmidt: We have to take action here in the European Data Protection Committee. There is no focal point here, because the range is very wide. It ranges from smart speakers (e.g. Amazon Alexa) to authentication procedures and profile building. We hope that the committee will finally reach decisions on IT companies. The Irish data protection authority is usually in charge, as Google, Apple, Facebook and Microsoft have their European headquarters in Ireland. The problem is that the Irish data protection authority has not yet taken a single decision for a variety of reasons, not least because the government there does not provide its authority with the necessary resources.
Robin Data: What is the impact of Brexit on data protection in Europe?
Hermerschmidt: Until the end of the year, the brexite will initially change little due to the transition periods. If there is no agreement between the EU and Great Britain on further cooperation in 2020 or no decision is taken that the EU considers the level of data protection in Great Britain to be adequate, Great Britain will be a third country from 2021, with the corresponding consequences for data exchange.
Robin Data: High fines imposed by the German regulatory authorities, for example against 1&1 and Deutsche Wohnen, have been stirring up a lot of dust recently. What is to be expected here?
Hermerschmidt: If the companies concerned take legal action, it will still take some time before there are higher court rulings. The supervisory authorities have drawn up a concept for fines. The fines against 1&1 and Deutsche Wohnen were assessed on this basis. For the rest, the federal states set their own priorities. The federal and state data protection authorities have to deal with a five-digit number of complaints. Since the entry into force of the GDPR increased sharply.