Data protection

Looking back on four years of the GDPR

12 May 2022

The European General Data Protection Regulation (GDPR) has been in force since 25 May 2018. We sounded out the views of data protection expert Tobias Mielke from TÜViT as to whether the GDPR has proven itself in practice, which changes are noticeable for consumers and companies and where improvements can still be made.

The GDPR has been in force for four years now. What has changed for consumers and companies since then?

Tobias Mielke: The twin aims of the GDPR were to strengthen and standardise data protection in Europe. Both have succeeded in principle, although there are still individual national regulations which can be used to supplement the GDPR, even if they’re not permitted to water it down. The GDPR has strengthened citizens’ rights and made the use of their data more transparent. For example, they have the right to know for what purpose and for how long a company intends to store their data and with whom those data are shared. Companies, on the other hand, have become subject to new or more comprehensive requirements. If a company runs a competition, for instance, it must document and prove that the participants have consented to the processing of their personal data.

Fines running into millions of euros are a regular occurrence. From your point of view, are the sanctions effective and are they working?

Fines, somewhat controversially, are a core element of the GDPR. The scope of the fines ranges enormously, from small violations which are punished with a thousand-euro penalty to fines in the tens or hundreds of millions. For many companies, these examples have a deterrent effect. Whereas data protection sometimes used to be taken less seriously, awareness of it has now grown significantly, including at management level. There’s still room for improvement with some companies, no doubt! But most of them are getting to grips with the regulations and implementing them: if for no other reason, to avoid being fined and suffering from reputational damage among the general public.

In a recent case, a Bremen housing association was ordered to pay a fine of 1.9 million euros because it had stored data on potential tenants regarding their body odour, personal appearance, skin colour, ethnic origin and sexual orientation. Isn’t the GDPR also supposed to offer protection against discrimination?

Absolutely! After all, information such as ethnic origin comes under the heading of particularly sensitive data and may therefore only be processed under very special conditions and if the individuals concerned expressly agree. Neither criterion was met in this case, of course. It’s to counter such misuse of personal data that the principles behind the GDPR were drawn up: on the one hand, you have the earmarking imperative, i.e. the principle that personal data may only be collected for specified, clear and legitimate purposes and must not be further processed for other purposes. And, on the other, there’s data minimisation: when I’m planning a service, I always have to think about which data are actually required for it. For a competition, for instance, I only need the players to provide their address and to confirm that they’re old enough to take part. I don’t need to know about their hobbies, where they like going on holiday and whether they wear glasses.

Markus Jerger, the managing director of the German association of small and medium-sized enterprises, has described the GDPR as “well intended but, in some places at least, badly executed.” His main complaint is that the politicians have failed to clearly communicate the provisions of the regulation. What’s your assessment of this criticism?

I don’t share this view as expressed here. After all, the GDPR actually came into force in 2016. There was a two-year transition period, which ended in May 2018, to allow companies to adapt to the new regulations. I can readily see, however, that these are a challenge for small companies, website operators or medical practices. They have to meet the same requirements as large corporations but don’t of course have the same financial and human resources.

Two years ago, the EU called for assistance and support from national authorities to ease the burden on small and medium-sized enterprises. Are any such measures in place?

You’re right, there are now various templates, handy tips and FAQs on the pages of the supervisory authorities that answer individual specific questions. Some authorities also offer public talks, for example on Germany’s new Telecommunications Telemedia Data Protection Act, which regulates things like dealing with cookies. Companies can also look to publications from other European supervisory authorities for guidance. For example, the French supervisory authority has published a guide to the processing of personal data using artificial intelligence. One of the problems is certainly that there is no one-stop shop. Along with the Federal Commissioner for Data Protection (BfDI), we also have an additional 17 supervisory authorities in Germany which don’t always agree on any given issue.

The Federal Commissioner for Data Protection has himself called for better cooperation between the state authorities. What changes are needed here?

The idea has already been floated of centralising data protection in Germany, as is already the case in countries like France and Spain. One option would be to have a central data protection authority, which would of course also have to be well positioned in terms of both personnel and finances. Or which might alternatively assume a coordinating and arbitration function, for example, in cases where state data protection authorities give different answers to individual questions. It’s also important, however, to improve communication and cooperation on data protection across the EU and at the international level.

Where else is there room for improvement?

Awareness and acceptance of data protection are increasing among the general public. Even so, there are still grey areas and other things that not everyone immediately grasps. For example, under which circumstances may children be photographed in a nursery? So it follows that we should teach media literacy and data protection in schools. Appropriate training is already on offer here too. For example, the Federal Commissioner for Data Protection has published two “Pixi” books that explain data protection to children easily and simply. With developers and companies, on the other hand, you keep seeing the situation arise in which data protection is cited as an excuse not to implement particular digital products. This happened most recently in the discussion about contact tracing in the coronavirus pandemic. Ways and means can always be found to make apps or online services data-protection-compliant without sacrificing functionality. The Coronavirus Warning app is a good example of this.

About Tobias Mielke:

Tobias Mielke doubles as an expert in management systems for information security and data protection and an appraiser and auditor for data protection at TÜViT.