The General Data Protection Regulation (GDPR) has applied since 25 May 2018. It is intended to standardise and modernise data protection law in the European Union. Its provisions directly oblige companies in the EU member states to meet specific lawfulness requirements for data processing and strengthen the rights of data subjects to information and access. Companies that violate the GDPR face processing bans or fines.

Iris Duch, LL.M., Lawyer & Chief Privacy Officer, and lawyer Dr. Andreas Pagiela have worked extensively with the GDPR over the years. To mark the anniversary of the GDPR, they give us a personal review of their experiences and of how the regulation has developed.

An initial assessment: Where does the GDPR stand on its 5th birthday?

Dr. Andreas Pagiela: I would say that the GDPR has arrived in the economy. It has indeed raised data protection to a new level and made companies highly aware of these issues.

Iris Duch, LL.M.: I definitely agree with that. Difficulties often arise when it comes to implementing the numerous rights of data subjects. Smaller companies in particular are often surprised at what citizens are entitled to under the GDPR. For large companies, it is more likely to be the additional work that causes considerable administrative costs.

When the regulation came into force, there were fears of waves of fines for companies that were unable or unwilling to comply with the regulations. Did the feared complaints really increase?

Iris Duch, LL.M.: The 1.2 billion euro fine for the Meta Group is currently on everyone's lips. However, this should not detract from the fact that most fines are moderate – i.e. below €10,000. Apart from individual cases, of course – and these individual cases increase the risk for companies as a whole. The ECJ's Schrems II judgement in particular has caused uncertainty with regard to data transfers outside the EU and especially in exchange with the USA. It will be interesting to see whether the EU will finally make things easier for companies with a new adequacy decision. Otherwise, fines similar to those imposed on Meta cannot be ruled out.

Dr. Andreas Pagiela: The amounts, which tend to be lower in the majority of cases – for companies – are indeed stated throughout. However, this should be seen in the context of other fine proceedings: How many fines are imposed in other areas of the regulatory system? As a rule, the GDPR is not an outlier.

Iris Duch, LL.M.: On the other hand, this raises a fundamental question for me: does the European Union really want to place even more burdens on companies? Aren’t there other ways to secure and implement data protection? I fear that companies may become more risk-averse and adopt an attitude of doing without as the burden of EU compliance obligations increases. True to the motto: “If I can’t do it right, then I won’t do it at all”.
Of course, this would not be appropriate, but it is not just the GDPR that demands considerable effort and resource commitment from companies. I would like to cite the Supply Chain Due Diligence Act as an example. The GDPR is justified, but care must be taken to ensure that data protection as a whole is not done a disservice by unclear implementation and excessive rigour.

Were the companies really predominantly burdened or did you also notice positive reactions and consequences?

Iris Duch, LL.M.: The importance of data protection has virtually permeated the DNA of many companies. If you used to “simply” send an e-mail with an open distribution list, today this only happens by mistake. In the meantime, emergency concepts for data protection breaches have been implemented for the most part, and they work very well.

Dr. Andreas Pagiela: Citizens now have a set of tools at their disposal that they can use to put pressure on companies to handle their data. Unlike in civil law, citizens can appeal to the data protection authorities of the federal states or the federal government if their rights are not respected. In addition to the courts, they have a strong advocate at their side.

Iris Duch, LL.M.: Companies have also recognised that the protection of personal data is also the protection of corporate interests. I’m thinking here of satisfied customers and falling numbers of claims due to data misuse.

What legal issues are currently arising in connection with the processing of personal data and the GDPR?

Dr. Andreas Pagiela: A lot! It must be recognised that a legal regulation is always the result of interaction between legislators, case law and social developments. It can take years for the courts to finally decide open questions. At five years old, the GDPR is still a very young law; it will take a long time for all questions of interpretation to be clarified.

Iris Duch, LL.M.: Many questions are still unanswered. Apart from many individual issues, this is the fundamental question of how the GDPR interacts with other areas of law. In criminal law, the iron principle of not having to incriminate oneself applies – to what extent do companies have to report their data protection violations? In civil law, there is a ban on the use of evidence: each party is responsible for providing its own evidence. With the GDPR, this can theoretically be overridden by requesting data disclosure. However, the extent and detail of the right to information is also controversial and has been shaped by recent case law.

That does sound like there is room for improvement. Do you have any specific suggestions for making the GDPR even more practical?

Iris Duch, LL.M.: The major challenge of the GDPR is to strike a balance between effective law enforcement for citizens and practicable solutions for businesses. Ultimately, citizens also benefit from the latter.

Dr. Andreas Pagiela: Example cookie banner: In terms of the approach, it is absolutely right to provide information about data processing at the point of access and to grant freedom of choice. However, if in practice the banners are mostly just “clicked away” – then a different, better solution is needed.

Iris Duch, LL.M.: That's a good example. Here I would like to encourage the EU parliamentarians to look at the GDPR from all angles – the protection of EU citizens and the perspective of the economy. But above all: finding creative solutions. Case law can and may only interpret the legal text. When it comes to really new approaches, it is always the legislature, the EU Parliament, that is called upon.

In your opinion, what can we expect from the development of European data protection?

Dr. Andreas Pagiela: For the time being, the countries of Europe and the EU should concentrate on the further implementation of the GDPR and the corresponding case law. As is so often the case in the legal system, there are calls for new regulations – when all that is needed is to apply the existing ones comprehensively.

Iris Duch, LL.M.: I think that protecting the personal data of children and young people will become an increasingly important issue in the future. The developments surrounding the TikTok platform have shown the market power – but also the social influence – that exists in the area of media for young people. The big challenge here is to develop ways of modern, effective youth protection. Companies that use social media channels for marketing are currently treading on thin ice for these and other reasons.

What is your personal "birthday wish for the GDPR"?

Dr. Andreas Pagiela: Keep up the good work, but always remember that behind every piece of legislation there are people who have to implement it.

Iris Duch, LL.M.: All the best for the next 5 years – and more courage for practical solutions. Cheers!
