Policy Paper on the EU‘s General Data Protection Regulation: Data protection is still mainly a matter for the Member States

May 11, 2016

The new European General Data Protection Regulation that is intended to strengthen data protection in the EU was presented on 4 May 2016. The “Privacy Forum“, which is coordinated by the Fraunhofer Institute for Systems and Innovation Research ISI, published a new policy paper to mark the occasion that addresses the design of the regulation. In this paper, the authors give an estimation of whether the regulation achieves the central objectives of harmonizing and modernizing European data protection laws and leveling the playing field for competition.

Data privacy activists, regulatory authorities and normal citizens are all united in their hope that the European General Data Protection Regulation will strengthen data protection in the EU. Three main objectives are linked to the regulation: it should harmonize data protection regulations in Europe and result in standards that apply across Europe. In addition, it should modernize data protection law, and adapt it to new technology developments. Its third objective is to level the playing field for competition, in other words to strengthen the EU internal market through uniform data protection regulations.

The researchers of the Privacy Forum give their opinion of the regulation in the new policy paper "The new General Data Protection Regulation – is the data protection law equipped for today’s challenges?" With regard to standardizing data protection regulations in Europe, Professor Alexander Roßnagel, co-author of the policy paper and head of the Institute for Public Law at Kassel University, cites two aspects that hinder standardization: "The General Data Protection Regulation contains 70 opening clauses that delegate the responsibility for regulation to EU Member States. These are particularly prevalent relating to processing in the public sector, but also relate to defining data subject rights, ground for legitimizing data processing, processing in the employment context and in relation to freedom of expression and information. On top of this, these regulations remain very abstract and will be interpreted by the Member States based on their own legal traditions." According to Roßnagel, this hinders harmonization of the laws on data protection and creates legal uncertainty instead.

The objective of leveling the playing field for competition in Europe is not met

A second central objective of the regulation is to strengthen the European internal market by harmonizing data protection regulations. The policy paper arrives at the conclusion that this objective will not be met either. The reason is also the different possible interpretations of the abstract data protection regulations by the Member States. However, in future the European data protection board can determine a specific interpretation of the regulation – these decisions are not binding for the courts, they are merely recommendations.

The third objective of modernizing the data protection law is partially met by the basic regulation. The authors of the policy paper see major progress in the geographical scope of application: Accordingly the place where the data is processed is no longer critical for applying the data protection law. Rather, the question is whether EU citizens’ data is processed at all – regardless of where this processing takes place. In addition, the regulation stipulates strict sanctions when data protection is not observed. They can amount to three or four percent of a company‘s global turnover. Dr. Michael Friedewald, coordinator of the Forum Privacy at Fraunhofer ISI and contributor to the policy paper, points out further improvements, “ For example, in future data protection impact assessments provide the opportunity to assess the risks for data protection which primarily arise through data processing technologies and keep them to a minimum.

Risk neutrality is a deficit of the new basic regulation

In addition to these positive aspects the policy paper also indicates weaknesses which hinder modernization of the law on data protection. Personal data may continue to be collected indirectly. In future it will be also sufficient to process personal data if a third party – for example a company- has a legitimate interest. The biggest shortcoming of the regulation, however, is its risk neutrality: It does not contain a single specific regulation on the big challenges of modern information technologies such as Big Data, Ubiquitous Computing, Cloud Computing or many other risks to fundamental rights. The general data protection regulation also contains transparency obligations, which are significantly restricted by fundamental rights, business secrets or copyright.

Due to the many weaknesses of the general data protection regulation the conclusion in the policy paper is unambiguous: Harmonization and leveling the playing field for competition of the EU data protection laws is not achieved at all, modernization only partially. The data protection regulations of the Member States continue to remain valid. All in all many opportunities to strengthen data protection in the EU have been missed. However, there is also progress, as in the case of the extended geographical scope. But before the general data protection regulation can come into effect in two years, Member States, supervisory authorities, associations, the European data protection board and the European legislator need to establish additional legally certain and risk adequate regulations as soon as possible.


The Privacy Forum is funded by the German Federal Ministry of Education and Research (BMBF) and is made up of national and international experts, who address privacy protection issues in an interdisciplinary way. The project is coordinated by the Fraunhofer ISI. Partners include the Fraunhofer SIT, Hohenheim University, Kassel University, the Eberhard Karls University in Tübingen, the Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein and the Ludwig-Maximilian University in Munich. The research results of the Privacy Forum are not only intended as input into scientific discourse but also to inform citizens about issues of privacy protection

The Fraunhofer Institute for Systems and Innovation Research ISI analyzes the origins and impacts of innovations. We research the short- and long-term developments of innovation processes and the impacts of new technologies and services on society. On this basis, we are able to provide our clients from industry, politics and science with recommendations for action and perspectives for key decisions. Our expertise is founded on our scientific competence as well as an interdisciplinary and systemic research approach.