GDPR
Since 2018, the European Union has been regulating data protection at EU level by means of the General Data Protection Regulation (GDPR). For consumers, this means above all more options for deciding to what extent personal data may be further processed. The EU is thus also reacting to the increasing challenges of digitalisation. All relevant news on the General Data Protection Regulation is available from the Europe.Table editorial team.
GDPR: What is the current status in 2021?
Until 2018, data protection was regulated very differently in the individual EU states. The GDPR, which consists of a total of 99 articles, replaced the Data Protection Directive (95/46/EC), which had been in force since 1995. The adoption of the GDPR not only ensured uniform rules across the member states and the companies operating in them, but also adapted data protection law to the digital economy. The GDPR is also binding for the non-EU members of the European Economic Area (Iceland, Liechtenstein and Norway).
Like the Data Protection Directive before it, the General Data Protection Regulation is based on the principles of "purpose limitation" and "data minimisation" (Article 5). Purpose limitation means that personal data may only be collected for specified, explicit purposes and may not be further processed in a way that is incompatible with them, for example for advertising that is unrelated to the service the data was collected for. Data minimisation means that the content and extent of the data collected must be limited to what is necessary for that defined purpose: additional information that is not needed for it may not be collected.
What does the GDPR change for consumers?
The GDPR brings fundamental changes, especially with regard to the privacy of consumers. The principles of "data protection by design" and "data protection by default" (Article 25) require that the most protective settings apply unless the user chooses otherwise. For this purpose, consumers must be informed in advance which data processing is not necessary for the performance of the contract. Any such further processing requires consent, which can be withdrawn at any time.
At the same time, consumers must be informed about the purpose of the data collection and can demand rectification and erasure in the event of unlawful or incorrect data processing. Consumers can also object to processing of their data. The data protection authorities of the member states and consumer advice centres help with the implementation and enforcement of these rights. Data subjects can exercise their right of access, lodge a complaint with a supervisory authority and claim compensation for damage caused by infringements of the Regulation.
GDPR: Current status in the EU
The GDPR applies to all providers of goods and services that target the European market, and to those that monitor the behaviour of people in the EU. This includes companies without an establishment in the EU. Where the data is processed in non-EU countries, the rights to information, access, rectification, erasure where applicable, objection and complaint continue to apply.
In 2020, the European Court of Justice (ECJ) ruled in the "Schrems II" case that personal data of EU citizens may no longer be transferred to the US on the basis of the Privacy Shield. An Austrian data protection activist had brought a complaint against the transfer of Facebook user data from Facebook's Irish subsidiary to the parent company in the US and was proven right. With this ruling, the so-called "Privacy Shield" agreement was declared invalid, after the predecessor agreement "Safe Harbor" had already been overturned by the ECJ in 2015. US companies can continue to rely on the standard contractual clauses issued by the EU, but only if the data is in practice protected to a level essentially equivalent to that in the EU, which the exporter must assess for each transfer.
A core element of the GDPR is enforcement by the data protection authorities of the individual member states. The authorities in Ireland and Luxembourg, however, are a recurring focus of criticism. Due to the favourable tax situation, many (digital) companies are based there, and the authorities are often stretched to the limit in terms of staff. Data protection activists accuse them of too often accepting large corporations' reliance on standard contractual clauses instead of examining whether the transfers in question actually comply with the GDPR.
Data processing outside the EU: US Privacy Shield
Under the Privacy Shield, US companies self-certified their compliance with a set of privacy principles, on the basis of which the EU Commission had deemed the level of protection in the US adequate for transfers of personal data from the EU. Following the ECJ ruling, transfers to the US are no longer possible on that basis. The ruling therefore has consequences under data protection law for multinational corporations such as Facebook or Google, which have their headquarters in the US. According to data protection experts, this increases the pressure on data protection standards worldwide. Transfers that violate the Regulation's rules on third countries are subject to fines: under Article 83(5) of the GDPR, these can be up to 20 million euros or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
As a result of Brexit, the United Kingdom (Great Britain and Northern Ireland) is also treated as a third country under data protection law in the long term. However, a transitional period is currently still in effect, which will end with the EU Commission's adequacy decision. Data transfers remain possible on a transitional basis. Both the ECJ and national courts are dealing with questions of interpretation.
GDPR (German: DSGVO): Implementation in Germany
The Regulation has applied directly in Germany since 25 May 2018. Previously, the Federal Data Protection Act (BDSG) regulated data protection in this country on the basis of the fundamental right to informational self-determination; the BDSG was revised to supplement the GDPR where the Regulation leaves room for national rules. In addition, each federal state had its own state data protection law, and these were likewise adapted to the Regulation.
A significant and immediate change brought by the EU-wide General Data Protection Regulation is, for example, the significantly higher fines. Another concrete change concerns data protection officers: under Article 37 of the GDPR, a data protection officer must be appointed by public authorities and by companies whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. In Germany, section 38 BDSG goes further and requires one in every company in which at least 20 persons are regularly engaged in the automated processing of personal data, so only smaller companies below that threshold are exempt. In Germany, the authorities responsible for data protection violations and the corresponding fines include the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the individual state commissioners for data protection.
Seeing the GDPR as an opportunity
In its report on the implementation of the GDPR, the EU Commission concludes that the rules are difficult to implement, especially for small and medium-sized enterprises. Above all, additional costs arise from employee training. In addition, the EU member states would have to strengthen the national data protection authorities in their work and support particularly burdened countries such as Ireland and Luxembourg. Overall, however, the EU Commission regards the GDPR as a success and as an opportunity to set global standards for data protection. By strengthening the rights of data subjects, it points the way for the regulation of the digital economy.
Will the GDPR be reformed further?
Even though the EU Commission's assessment is positive, there are still calls for an amendment of the GDPR. Data protection activists are demanding that declarations of consent be made more transparent and that the so-called cookie banners in particular be simplified. Business lobby groups, for their part, criticise the burden the Regulation places on small businesses.
The EU Commission counters that the GDPR proved its worth in a time of crisis during the COVID-19 pandemic. However, recurring lawsuits and legal disputes with corporate giants such as Facebook and Google show, in the view of activists, that the standards need to be improved. The ECJ rulings against the Privacy Shield and its predecessor Safe Harbor also suggest this. All relevant news on the development of the GDPR is available from the Europe.Table editorial team.