Press Release: Forum Privacy: Development of the GDPR must keep pace with technological development

26 February 2020

Eliminating deficits and strengthening data protection – the EU Commission should use the opportunity to initiate improvements in the forthcoming evaluation of the General Data Protection Regulation (GDPR) which is due on 25 May 2020. Since the review of the GDPR must also take into account the comments of third parties, legal experts of the German research consortium “Forum Privacy” have developed concrete proposals for improvement in their latest policy paper “Evaluation of the GDPR”.

The GDPR has restructured data protection law – even if much of it has remained the same in the end. 25 May 2020 will be the fourth anniversary of the adoption of the Regulation by the European legislator and the second anniversary of its application. By then, the EU Commission must submit a report to the European Parliament to review the regulation and publish it. A further review of the GDPR is not scheduled until 2024. In its most recent policy paper, the interdisciplinary German research consortium "Forum Privacy" describes concrete possibilities for improving the GDPR, which are mainly based on a detailed report prepared by "Forum Privacy" scientists Prof Alexander Roßnagel and Dr Christian Geminn for the Federation of German Consumer Organizations.

Lack of risk-adequate rules on profiling
"The GDPR has brought about improvements in the level of data protection in many areas. Nevertheless, deficits remain which may have an adverse effect on the data subjects. Our policy paper identifies a number of problem areas that we believe need to be addressed with particular urgency. These include clarification of the relationship between consent and legal permissions, such as processing for the fulfilment of a contract or legal obligation, the lack of risk-adequate rules on profiling or the concretization of information obligations", says Roßnagel, spokesperson of "Forum Privacy" and Professor of Environmental and Technology Law at the University of Kassel.

In addition, certain data protection-friendly positions were not able to prevail during the negotiations in the process of drafting the GDPR. The data scandals of the last few years since the conclusion of the GDPR negotiations should give cause to re-examine some of the proposals rejected at that time. It would be particularly desirable for the effective protection of fundamental rights if the principle of data avoidance were to be enshrined in law. In contrast to data minimization, this would have an influence on the (data-avoiding) choice of purpose of the person responsible in favour of the data subjects.

Clarification of the right to data portability necessary
A further problem lies in the abstractness of the GDPR. In many places it is not concrete and therefore leaves room for interpretation. "This must not lead to an interpretation to the detriment of the data subject", says Roßnagel. This applies, for example, to the right to data portability, whose open and sometimes misleading choice of terms invites misinterpretation.

The GDPR must keep pace with technological development
The examination of the GDPR shows that even small changes to the wording of the GDPR can bring about a significantly higher legal certainty of data protection. In the view of the researchers, these should be addressed in the course of the upcoming evaluation of the GDPR. However, structural problems resulting from the fact that the basic principles of data protection law have remained unchanged since the 1970s cannot generally be eliminated in this way. Both current and foreseeable future technical innovations put data protection law under pressure and sometimes pose a real challenge. "Forum Privacy" therefore calls for a discussion on a comprehensive and continuous development of data protection law in Europe: The task of further developing data protection does not conclude with the upcoming evaluation of the GDPR. The discourse on data protection law must not be allowed to stand still in view of the high pace of transformation and innovation in the field of data processing. Among others, "Forum Privacy" makes the following suggestions for improvement:

- In its current form, the right to data portability under Art. 20 GDPR refers only to personal data that the data subject has "provided" to the controller. No other data is included. When switching from one bank to another or from one e-mail provider to another, this could be understood to mean that, although the transfers and e-mails sent by the data subject himself/herself (outgoing mailbox) may also move, transfers and e-mails from third parties may not (incoming mailbox). This can hardly be meant – such an absurd consequence of the wording of Art. 20 GDPR, which regulates the right to data portability, could be avoided by replacing the term "provided" with "prompted" or "caused".

- The old Federal Data Protection Act knew the imperative of data avoidance. The GDPR does not contain such a rule, but only the requirement to process personal data only to the extent necessary to achieve the purpose of the processing. However, the purpose may already be such that the processing of a large amount of data becomes necessary. A data avoidance requirement would oblige data processors to choose their purposes so as to process as few personal data as possible. The principle of data avoidance should therefore be included in the GDPR.

- In practice, decisions that algorithms make are often taken over by people without being checked – for example, when a bank grants a loan. A score value is obtained from a credit agency before a loan is granted. If the score is too bad, the loan is refused. The decision of the algorithm on the basis of which the score value was calculated is therefore adopted. The bank relies on the correctness of the score value. However, the GDPR regulations on automated individual decisions do not apply in this scenario, because in the end, it is one person – the bank employee – who makes the decision about granting credit. The fact that the bank employee does not actually make the decision himself, but merely takes over the decision of the algorithm, is irrelevant. In the end, therefore, certain rights of the data subject under the GDPR, such as the right to express one's own point of view, do not apply because they are only to apply in the case of a decision based solely on automated processing. This leads to inconsistencies in evaluation and to the possibility of circumventing these rights. The validity of the corresponding provisions of the DPA should therefore be extended in Article 22 to include cases in which an automated decision is adopted by humans without being checked.

Further proposals and a detailed statement by "Forum Privacy" can be found in "Evaluation of the GDPR".

Prof Dr Alexander Roßnagel
Spokesperson of Forum Privacy ITeG,
University of Kassel

Dr Christian Geminn
Member of Forum Privacy ITeG,
University of Kassel

Dr Michael Friedewald
Project Coordinator of Forum Privacy
Fraunhofer-Institute for Systems and Innovation Research (ISI), Karlsruhe

Barbara Ferrarese, M.A.
Press Officer of Forum Privacy
+49 721 6809-678
Twitter: @ForumPrivatheit
