Whenever it comes to data protection in an intra-European context, there is no getting around the General Data Protection Regulation (GDPR). This regulation, adopted at EU level, has been in force since 2018 and replaced, in Germany for example, the “Protection of individuals with regard to the processing of personal data and on the free movement of such data”, which had been the general privacy law here since 1995. [1, 2]
Data protection activists celebrated the GDPR as a milestone in modern privacy legislation when it was adopted. It is based in particular on Title 8 of the Charter of Fundamental Rights of the European Union “Protection of Personal Data”, in which the European Union establishes the right to self-determination and control of one’s own information. [3]
On the corporate side, especially among the global internet corporations that had just taken off a decade ago, the GDPR was strongly opposed as early as the debate phase and described as a potentially economically damaging factor. Small and medium-sized enterprises (SMEs), associations and other institutions also initially raised considerable concerns about the introduction of the GDPR. [1, 2, 4]
In view of current technical developments, such as artificial intelligence and international digitisation efforts, the question arises as to whether fundamental principles of the GDPR are already out of date, as the Hamburg State Data Protection Commissioner suggests, or whether, on the contrary, it is becoming more important than ever. [5, 6]
Almost five years after its entry into force, it is a good time to draw a short interim conclusion: is the GDPR a bureaucratic monster that weakens the economy, or does it strengthen data protection for EU citizens in a sustainable and innovative way in an increasingly digital world?
Goals
First of all, it is necessary to clarify which goals the GDPR was intended to pursue and what has been achieved since its introduction. An important aspect here is that it standardised data protection in general and especially in the digital world within all EU member states. On the one hand, this should strengthen the fundamental rights of all EU citizens across the board, and on the other hand, it considerably simplifies legal certainty for companies that operate in several EU states. [1, 2, 4]
For example, it defined for the first time for the entire EU what exactly “personal data” comprises. In the GDPR, this includes, for example, name, age, address, occupation, health information and much more. [1, 2, 4]
One of the central points of the GDPR is that it upgrades data protection to an active, rather than passive, right. It therefore turns the applicable standard around (“Privacy by Design” or “Privacy by Default”). Personal data cannot simply be processed without further ado, because the persons concerned must first give their active consent. The GDPR goes one step further, however: in order to be able to make an informed decision, citizens must be informed about what data is being collected and for what reason. They must also be informed about how and where it will be stored and with whom it will be shared. [1, 2, 4]
This strong right to information is further strengthened in that EU citizens can ask companies, associations, etc. at any time what information is stored about them (right to information). An objection to consent already given can also be made at any time. This goes hand in hand with the “right to be forgotten”, according to which stored data must be deleted at any time at the request of the persons concerned (unless other legal provisions prevent this). [1, 2, 4]
Similarly, organisations such as companies must not only provide information about what they have stored about a person, but also make it available in a form that technically enables data portability, for example to competitors. This can soften the lock-in effects of digital platforms, which on the one hand strengthens digital self-determination and on the other is an important building block in the fight against digital monopolies. [1, 2, 5]
Achievements and the future
The introduction of the GDPR was a lengthy and in parts also cumbersome process. Even though it has officially been in force since 2018, actual legal enforcement has only recently begun to take off. [6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17]
The myth of data protection hindering technological progress and economic innovation is not a new phenomenon, but it remains a recurring theme in public discourse even after the introduction of the GDPR and despite the still high level of social approval for it. Stakeholders from the business world (especially advertising companies), but also some politicians, often use this argument as an excuse for failed digitisation plans. [5, 6]
And of course, in a permanently changing world, there are always new challenges to which our legal situation must be adapted. The GDPR is often still not fully enforced and so data protection unfortunately still too often falls by the wayside. [18]
To illustrate one obvious problem with the current GDPR: an area in which we have all noticed a painful need for improvement is the now omnipresent cookie banners, which advertising companies and website operators have spread throughout the web as an (over)reaction to the GDPR. But here, too, there are finally efforts and concrete legislative proposals for a citizen-friendly solution. [19, 20, 21]
The fact that technical innovation is possible despite (or even because of) strong data protection laws has been demonstrated for many years by a number of Open Source projects that are used by millions of people worldwide every day. One path that, unfortunately, too few platform providers have taken so far is that of data minimisation, intelligent data collection and dissemination, and information management, as clearly prescribed by the GDPR. A digital society can only flourish if it is digitally empowered and self-determined.
Data protection and its interpretation is an essentially contested and constantly changing concept, at the end of which, however, stands the self-determination and freedom of entire societies. For this reason, it is worth putting up with seemingly arduous circumstances at first – and perhaps it will turn out in the end that they were not as difficult to implement as expected.
Sources
- Bundesministerium der Justiz (2023): Datenschutz-Grundverordnung. URL: https://www.bmj.de/DE/Themen/FokusThemen/DSGVO/DSVGO_node.html
- European Commission (2016): Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. URL: https://eur-lex.europa.eu/eli/dir/2016/680/oj
- European Commission (2012): Charter of Fundamental Rights of the European Union. URL: https://eur-lex.europa.eu/eli/treaty/char_2012/oj
- Baetz, A. (2020): Was ist die DSGVO? URL: https://www.privacytutor.de/blog/dsgvo/
- Krempl, S. (2023): Hamburger Datenschützer: Prinzip der Datenminimierung “nicht mehr zu halten”. URL: https://www.heise.de/news/Hamburger-Datenschuetzer-Prinzip-der-Datenminimierung-nicht-mehr-zu-halten-8146938.html
- Noyb (2022): Statement on 4 Years of GDPR. URL: https://noyb.eu/en/statement-4-years-gdpr
- Noyb (2023): Austrian DSB: Meta Tracking Tools Illegal. URL: https://noyb.eu/en/austrian-dsb-meta-tracking-tools-illegal
- Noyb (2023): Just € 5,5 Million on WhatsApp. DPC finally gives the finger to EDPB. URL: https://noyb.eu/en/just-eu-55-million-whatsapp-dpc-finally-gives-finger-edpb
- Noyb (2022): Personalized Ads on Facebook, Instagram and WhatsApp declared illegal. URL: https://noyb.eu/en/noyb-win-personalized-ads-facebook-instagram-and-whatsapp-declared-illegal
- Noyb (2022): GDPR Rights in Sweden: Court confirms that authority must investigate complaints. URL: https://noyb.eu/en/gdpr-rights-sweden
- Noyb (2022): Second € 20 Mio Fine for Clearview AI. URL: https://noyb.eu/en/second-eu-20-mio-fine-clearview-ai
- Noyb (2022): Further EU DPA orders stop of Google Analytics. URL: https://noyb.eu/en/update-further-eu-dpa-orders-stop-google-analytics
- Noyb (2022): Data breach in Malta: 65.000 € fine for C-Planet. URL: https://noyb.eu/en/data-breach-malta-65000-eu-fine-c-planet
- Noyb (2021): “Grindr” fined € 6.3 Mio over illegal data sharing. URL: https://noyb.eu/en/ncc-noyb-gdpr-complaint-grindr-fined-eu-63-mio-over-illegal-data-sharing
- Noyb (2021): DPC issues € 225 million fine on WhatsApp. URL: https://noyb.eu/en/statement-dpc-issues-eu-225-million-fine-whatsapp
- Noyb (2021): Austrian DPA has option to fine Google up to €6 billion. URL: https://noyb.eu/en/austrian-dpa-has-option-fine-google-eu6-billion
- Noyb (2020): Wizz Air: €1 for a flight, €35 for your GDPR right. URL: https://noyb.eu/en/wizz-air-eu1-flight-eu35-your-gdpr-right
- Noyb (2023): Data Protection Day: Are Europeans really protected? URL: https://noyb.eu/en/data-protection-day-are-europeans-really-protected
- Noyb (2022): Where did all the “reject” buttons come from?! URL: https://noyb.eu/en/where-did-all-reject-buttons-come
- Noyb (2023): Data Protection Authorities support noyb’s call for fair yes/no cookie banners. URL: https://noyb.eu/en/data-protection-authorities-support-noybs-call-fair-yesno-cookie-banners
- European Commission (2022): European Data Act. URL: https://digital-strategy.ec.europa.eu/en/policies/data-act
Jan is co-founder of ViOffice. He is responsible for the technical implementation and maintenance of the software. His interests lie in particular in the areas of security, data protection and encryption.
In addition to his studies in economics, later in applied statistics and his subsequent doctorate, he has years of experience in software development, open source and server administration.