One year of the GDPR
Exactly one year ago, the EU General Data Protection Regulation (GDPR) superseded Directive 95/46/EC of 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Before the EU Commission evaluates the GDPR in May 2020, we would like to take the first anniversary as an opportunity to review the first year of the GDPR and offer an outlook on future developments. It can certainly be said that since the GDPR came into force, data protection has taken on a completely new meaning throughout Europe. However, the implementation of the new (and partly also old) requirements is still ongoing in most companies.
Effects across Europe
When the GDPR came into force on 25.05.2018, two reactions seemed to dominate: on the one hand, frantic activity driven by uncertainty; on the other, prudent or careless waiting. With the onset of the "GDPR hype", myths arose within the business world regarding the fines threatened for the partly new, partly old requirements. Websites were taken offline, doorbell nameplates were removed, tradesmen had to handle carpet and room measurements in accordance with the GDPR, and faces in photo albums were blacked out. Many of these points have since been put into perspective. In the area of photography of people, for example, the supervisory authorities offered reassurance. In its judgments of 18 June 2018 (15 W 27/18) and 8 October 2018 (15 U 110/18), the Higher Regional Court of Cologne affirmed that the KunstUrhG continues to apply in the field of journalism. It remains to be seen whether this view will also prevail in higher instances and nationwide. Nevertheless, the "one size fits all" principle of the GDPR still draws much criticism for the disproportionately high bureaucracy and documentation effort it entails.
On the other hand, many companies remained, and still remain, largely inactive. Given that the supervisory authorities have rarely intervened in a publicly visible way and the expected wave of warning letters has failed to materialise, these companies will probably feel confirmed in their approach for now. In Germany there have so far been fewer than 100 administrative orders imposing fines, most of which are likely to have been at the lower end of the fine scale. However, the supervisory authorities have already announced their intention to make greater use of the sanctions available to them once a certain grace period has expired. The German data protection supervisors could take the French data protection supervisory authority as a model: at the beginning of 2019, Google was fined 50 million euros for a lack of transparency in its information on the use of the data it collects. Although the sum is high in absolute terms, it can be assumed that this was initially intended as a warning shot.
The low level of sanctions imposed on German companies may, of course, be due in part to the fact that, at least in Germany, the old version of the BDSG (Federal Data Protection Act) already guaranteed a solid level of data protection. Compared to the old legal situation, the GDPR has changed little in terms of the basic data protection provisions. Rather, it adopts the concepts contained in Directive 95/46/EC and adds new clarifications. Companies that were already working on their data protection compliance in the pre-GDPR era are likely to have leaned back and relaxed in this respect.
But the few companies still waiting idly, in the hope that enforcement will continue to affect only the big players, are unlikely to fare well in the near future. Admittedly, the focus of the supervisory authorities is, and has been, on the large-scale processors of personal data in the economy. This supervisory approach is probably justified by the fact that, apart from the authorities being overburdened in the first place, taking action against large corporations also raises public awareness of data protection further. Companies that have not yet made technical and organisational improvements, that process particularly sensitive or special categories of data, or that do not inform their customers transparently about their processes are especially well advised not to misinterpret the reluctance of the authorities.
From the consultant's point of view, it can already be seen that data subjects have become more critical. This is shown by the high number of rights asserted by data subjects, in particular the right of access and the right to erasure, where the erasure of data in particular presents many companies with practical problems. In addition to the strong public focus on data protection, the increased sensitivity of data subjects may also be due to the fact that companies now must be more transparent, which in turn leads to critical queries from the data subjects. It is clear that consumers are not afraid to turn to the supervisory authorities, especially if they feel that their requests have not been satisfactorily met.
Guidance from the authorities and support from consultants
Even "one year later" there is still a great deal of legal uncertainty regarding the practical implementation of the requirements of the GDPR and the new BDSG. Supervisory authorities will therefore continue to be called upon to provide further support to companies. To this end, the supervisory authorities have already issued a large number of publications. As regards the level of detail of these guidance documents, and also the need for coordination between the European authorities, there is still room for improvement, at least in our view. In order not to lose track of the large number of (sometimes contradictory) guidelines, judgments and other information provided by the authorities, many companies depend on external advice. Consultants can help companies to recognise contradictions and to identify gaps in the available texts that need to be closed through interpretation, so that the requirements are implemented in a largely legally compliant manner.
The main objective of the General Data Protection Regulation was to create transparency. Most companies are likely to have already achieved this to some extent. Now it is a matter of ensuring that the data protection information, often created by means of "emergency measures", is brought back into line with the technical and organisational reality. The data protection that companies proclaim must actually be practised within them.
Software manufacturers who can support companies in the technical implementation of efficient deletion concepts will gain a clear competitive advantage over their competitors. Further developments in case law and in the positions of the data protection supervisory authorities remain to be seen. And yet many questions will remain unanswered in the near future, for us consultants as well. We will be happy to support you in dealing with the remaining legal uncertainties.