Opinions differ on the General Data Protection Regulation. Many companies see the rules as an expensive, bulky EU bureaucracy monster. Data protectionists, on the other hand, are celebrating noticeable improvements.
Four years ago, the European Union wanted to send an unmistakable signal with the new General Data Protection Regulation (GDPR).
With the market power of almost 450 million consumers in Europe, comprehensive rights of citizens to information, deletion and correction of data should now be effectively enforced – and this also applies to large Internet companies from the USA.
For many people in Germany, however, the advantages of the GDPR have not yet fully arrived in everyday life. In a representative survey by the opinion research institute YouGov on behalf of the online services GMX and Web.de, which was published in Berlin on Tuesday, only nine percent of those surveyed saw significantly better protection through the GDPR, while 38 percent saw no improvement. Almost a third (31 percent) at least felt a partially better protection than before.
Core issues hardly shape the discussion
To the regret of the EU Commission and data protection officials, it is not core issues such as the “right to be forgotten” or the improved rules for moving personal data from one service provider to another that characterize the discussion about the GDPR. The number one excitement topic is the ubiquity of cookie queries, which have been popping up constantly on the web since the GDPR came into force. According to the survey, 53 percent of people in Germany feel annoyed by the consent banners. 14 percent say: “I don’t care about the consent banners, I just click on something.” Only twelve percent believe that the cookie banners give them a “feeling of self-determination over their data”.
Cookies are small pieces of data stored on the consumer’s online device that help web servers and browsers to communicate with each other. A browser can thus remember a login, for example – or the contents of a virtual shopping cart. Above all, cookies make personalized advertising possible. So-called third-party cookies, which track users across multiple offers and create profiles for advertising purposes, are particularly controversial. After the GDPR severely restricted the use of cookies, the industry is now gradually saying goodbye to this tracking method, not only in Europe.
Supervision and prudence are required
For the Federal Data Protection Officer Ulrich Kelber, GDPR is not only against this background “after four years still the global benchmark in terms of data protection”. However, citizens are not automatically better protected just because there is a law: “This requires data protection authorities, court decisions and responsible handling of data by states and companies. A lot has happened in recent years.”
Even large US corporations can no longer avoid the GDPR, also because the data protection authorities can impose fines of up to four percent of global annual sales in the event of serious violations. The online giant Amazon has been hit the hardest so far. In July 2021, the Grand Duchy of Luxembourg sentenced the US group to a record fine of 746 million euros after a European civil rights organization had previously complained about the processing of personal data.
WhatsApp is in second place on the GDPR list of fines: the messenger operator from California was fined 225 million euros by Irish data protection officials because it had not sufficiently fulfilled its information obligations in Europe. The French data protection authority had previously fined Google €90 million for not having a sufficient legal basis for its data processing.
Too much restraint?
According to an overview of the “GDPR Enforcement Tracker” portal, the data protection officers in Germany are comparatively cautious. Fines totaling 52.1 million euros were imposed for 63 public notices. The energy company Vattenfall was hit the hardest, which, according to the Hamburg data protection officer, had not sufficiently informed its customers about the data comparison. A total of around 500,000 people were affected, so that a fine of exactly 901,388.84 euros was due last September.
The Federal Data Protection Commissioner Kelber does not see the GDPR as just a means of exerting pressure. More and more companies are discovering data protection as a sales argument. This also applies to other countries outside the EU, which have their own laws based on the GDPR. “It is particularly important to me that citizens are aware that their data is worth protecting.”
Digital economy demands «update»
The representatives of the digital economy are consistently critical of the GDPR: “The German version of the General Data Protection Regulation needs an update four years after the regulation came into force,” demanded the President of the Bitom industry association, Achim Berg. So far, the regulation has only partly achieved the aim of standardizing European data protection legislation and data protection practice.
Berg referred to a Bitkom study. 37 percent of the companies state that the GDPR is an international competitive advantage: “But 40 percent see no advantage in it – and 18 percent even see it as a disadvantage. Two thirds (64 percent) report that data protection is a very specific obstacle to the implementation of data-driven business models in their company.» Products or business models that would have gained an international competitive advantage from the particularly strict German interpretation of the regulation are still not known.
Berg emphasized that data protection must be based on real dangers, not on theoretical risks. “If, for example, teachers are banned from using functioning and proven video conferencing systems in schools simply because the providers are based in the USA, then we are chasing a phantom. No US agency will be interested in mathematics classes in a Berlin elementary school.”
