Press Release: General Data Protection Regulation: Innovative rules, but no new era of data protection

23. May 2018

The scientific expert committee "Forum Privatheit" has been analysing the origin, the contents and the implementation of the EU General Data Protection Regulation for years. The researchers will summarise their findings when it comes into force on 25 May 2018.

"The most important effect of the Data Protection Basic Regulation (DSGVO) is the enormous attention that data protection currently enjoys. Every data processor, especially if he has so far ignored data protection, suddenly takes note of him and asks him in horror what concerns him and what he has to do", says "Forum Privatheit" spokesman Prof. Dr. Alexander Roßnagel, lawyer at the University of Kassel. "This DSGVO hype is an ideal field of activity for all competent and incompetent advisors. On their advice, many large and small data processors demand consent from their customers, members and business partners - even where this is completely superfluous and counterproductive.
This excitement is related to what is really new in the DSGVO. "For the first time, the supervisory authorities are given effective supervisory and sanction powers," explains Marit Hansen, data protection officer for Schleswig-Holstein and a member of the "Forum Privatheit". "They can give instructions to the data processors on how to proceed in accordance with data protection law. This can go as far as banning data processing. In the event of a breach of data protection regulations, they can impose sanctions, which, depending on the severity of the breach, can amount to up to 20 million euros or up to 4% of the group-wide previous year's sales."
The DSGVO contains a number of innovative regulations for data protection. This is welcomed by the business information scientist Prof. Dr. Thomas Hess, Ludwig Maximilian University Munich and member of the "Forum Privatheit": "This includes the expansion of the geographical scope of application. In addition to EU companies, this also applies from now on to all data processors worldwide if - to put it simply - they process personal data of persons staying in the Union. This will create a level playing field, in particular between the digital groups offering their services on the European market." Also new are a number of obligations for data processors, such as the design of data protection-compliant systems and data protection-friendly default settings, data protection impact assessments and additional documentation. However, these obligations only apply subject to a few reservations.
The DSGVO also strengthens the rights of the data subject. "Although it remains predominantly with the known rights, these are now more clearly defined. What is new is the right to be able to transfer data entered in platforms themselves to other platforms. Also new is the right to complain to the supervisory authorities and the possibility of having the rights concerned represented by an association," says Prof. Dr. Jörn Lamla, sociologist at the University of Kassel and member of the "Forum Privatheit". "On the other hand, only the title of the much-vaunted right to oblivion is essentially new.
Otherwise, the DSGVO does not contain much that is new. It continues many provisions of the previous European Data Protection Directive of 1995. Since German data protection law essentially complied with the Directive, many provisions of the DSGVO are comparable with the previous data protection provisions. "Those who have so far complied with data protection regulations and maintained this practice are well positioned," said a key message from data protection commissioner Marit Hansen. "However, built-in data protection will not automatically become reality, as the past has shown - we must now all urge manufacturers and service providers to make their products and services privacy friendly.
The DSGVO is directly applicable as an ordinance. Its effect is that everyone throughout the Union and the European Economic Area must adhere to the same legal text. However, many regulations are so abstract that they are often interpreted according to the respective data protection culture. As a result, the text will be interpreted differently in the individual Member States and possibly even in different jurisdictions. Until this has been clarified in every detail by highly complex processes for standardising data protection supervision and by rulings of the European Court of Justice, the abstract provisions will continue to create legal uncertainty for years and decades to come.
The DSGVO takes precedence over German law insofar as it contradicts the regulation. However, the DSGVO contains 70 opening clauses according to which the member states may set or retain their own and thus different laws. "Because of these opening clauses, there are clear deficits in the standardisation of data protection law in the Union," explains Roßnagel. "At any rate, Germany has so far used the opening clauses to maintain German data protection law in its entirety. It has only made amendments in order to facilitate data processing and to restrict the rights of the data subject vis-à-vis the DSGVO. This co-regulation of data protection law by the European Union and the Member States makes data protection law unclear and complicated. As a result, the DSGVO actually only regulates the private sector, while the public sector continues to be shaped by German data protection law".
"The DSGVO is underdeveloped when it comes to the protection of fundamental rights against the new and future challenges of technical development - such as big data, artificial intelligence, self-learning systems, cloud computing, search engines, network platforms, context recording, the Internet of Things. It has not regulated any of the foreseeable challenges in a risk-adequate manner. This shortcoming must be eliminated as soon as possible," says Dr. Michael Friedewald, scientist at the Fraunhofer Institute for Systems and Innovation Research ISI and "Forum Privatheit" coordinator.
In the Privacy Forum, experts from seven scientific institutions deal with issues relating to the protection of privacy in an interdisciplinary, critical and independent manner. The project is coordinated by Fraunhofer ISI. Further partners are Fraunhofer SIT, the University of Duisburg-Essen, the Scientific Center for Information Technology Design (ITeG) of the University of Kassel, Eberhard Karls University Tübingen, Ludwig Maximilian University Munich and the Independent State Center for Data Protection Schleswig-Holstein. The BMBF supports the Forum Privatheit in order to stimulate public discourse on the topics of privacy and data protection.


Press Release available for download
Press Release

Speaker„Forum Privatheit“:
Prof. Dr. Alexander Roßnagel
University of Kassel
Project group constitutional technology design (provet)
Scientific Center for Information Technology Design (ITeG)
Tel: 0561/804-3130 oder 2874

Project Coordination„Forum Privatheit“:
Dr. Michael Friedewald
Project Coordinator „Forum Privatheit“
Fraunhofer-Institue for Systems and Innovation Research
Competence Center New Technologies
Tel.: 0721 6809-146

Press and Communication „Forum Privatheit“:
Barbara Ferrarese, M.A.
Press and Communication „Forum Privatheit“
Fraunhofer-Institue for Systems and Innovation Research
Tel.: +49 721 6809-678