When the General Data Protection Regulation (GDPR) came into force across the EU in May 2018, privacy advocates had high hopes. A commentary from 8com GmbH.
At last, violations of the protection of personal data were to be punished with substantial fines, and digital corporations such as Facebook and Google were to be reined in. But did the extensive set of rules, which at the time served as a model for data protection laws worldwide, have the desired effect?
Poor enforcement
"The hopes and expectations raised by this flagship law are turning into frustration at the slow implementation," writes the civil rights organization Access Now in its report on the third anniversary of the GDPR. "The sweeping improvements in privacy that people have been promised have not yet materialized: many complaints go unresolved, data breaches regularly hit the headlines, and most big tech companies are resisting changes to their data collection business models." The GDPR is still in its infancy, however, and it is far too early to discuss a revision of the law, especially since many of the tools the regulation provides have not yet been used.
Three years: over 278 million euros in fines EU-wide
From May 2018 to March 2021, the data protection authorities of the EU member states imposed a total of 596 fines amounting to 278,549,188 euros. There is, however, a large discrepancy between the individual countries. The Spanish authority was the most active with 223 fines, while other authorities, such as those in Luxembourg and Slovenia, have not yet imposed a single fine under the GDPR. The raw figures also say nothing about the significant problems the data protection authorities have in enforcing their fines in the face of challenges and appeals. Cooperation between the authorities does not run smoothly either.
To strengthen the enforcement power of the data protection authorities, Access Now proposes several measures: the more than 40 data protection authorities of the EU member states should cooperate more effectively, national procedural rules should be changed, and the authorities should be given more resources for their work.
Harsh criticism of the Irish data protection authority
Other prominent privacy advocates also criticize the lack of implementation of the GDPR. Johnny Ryan of the Irish Council for Civil Liberties sees the Irish data protection authority, the Data Protection Commission (DPC), as one of the main problems. Although it is responsible for large corporations such as Google, Facebook and Twitter, it is underfunded and suffers from structural problems. The DPC still uses Lotus Notes for complaint management. It's like trying to manage the payroll for many employees with a slide rule, says Ryan. In addition, the authority does not have enough staff. The EU Commission should have initiated infringement proceedings against Ireland long ago, as the EU Parliament has demanded. According to the German Federal Commissioner for Data Protection, Ulrich Kelber, the EU Commission must act against Ireland and at the very least stipulate that every case must end with a draft decision.
Associations and researchers request corrections
The president of the German IT association Bitkom, Achim Berg, calls the European standardization of data protection rules the "right decision". The past three years have also shown, however, that the law has failed to achieve its most important goal of harmonizing the legal framework and application practice of data protection across Europe. Too many opening clauses are to blame, as they allow the EU member states to go their own national ways. In practice, coordination between the supervisory authorities works only slowly. The association's chief lobbyist also complains that many companies are still unsure how to implement the requirements of the GDPR.
GDPR could be improved
The research association Forum Privatheit makes 33 suggestions in a book for improving the GDPR, especially for citizens. Alexander Roßnagel, spokesman for the research association and Hessian data protection commissioner, makes it clear that big data and artificial intelligence in particular have led to a growing power asymmetry between large data processing companies and the individuals affected, and that the GDPR does not yet offer an adequate answer to this. Allotment garden associations or sports clubs are subject to the same data protection requirements as large global corporations, even though the latter have far greater data processing power and therefore pose a higher risk to citizens' fundamental rights.
While some critics see the problem primarily in the lack of implementation of the rules, others argue for reforming the law itself. Conclusion: after three years, nobody seems to be really happy with the GDPR.
More at 8com.de
About 8com: The 8com Cyber Defense Center effectively protects the digital infrastructures of 8com's customers from cyber attacks. It includes security information and event management (SIEM), vulnerability management and professional penetration tests. It also offers the setup and integration of an Information Security Management System (ISMS), including certification according to current standards. Awareness measures, security training and incident response management round off the offering.