General Data Protection Regulation: researcher from Fraunhofer ISI explains the changes
The new EU General Data Protection Regulation (GDPR) is intended to strengthen data privacy protection in the European Union and came into force on 25 May 2018. This raises questions about what has changed in concrete terms and what has to be taken into account. Dr. Michael Friedewald, whose research focus at Fraunhofer ISI is on data protection and privacy issues, and who coordinates the Privacy Forum research consortium Forum Privatheit (website in German), answers the most important questions in the following interview.
Data privacy activists, the relevant supervisory authorities and the general public all hope that the EU’s General Data Protection Regulation will result in stronger data protection and privacy in the EU. But are these hopes justified? What do companies need to know about the entry into force of the GDPR? And what are the new regulation’s strengths and weaknesses? Dr. Michael Friedewald from Fraunhofer ISI, who conducts research on data privacy protection among other things, answers 10 key questions in the following interview.
Question (1): The new GDPR came into effect on 25 May 2018. What are the most important innovations?
Dr. Michael Friedewald: Major innovations include extended powers of the data protection supervisory authorities in terms of directives and sanctions, the lex loci solutionis (“law of the place of performance”), and the increased geographical scope of applying data privacy protection as well as more clearly defined rights for those affected.
Question (2): Keyword sanctions: Do companies, public institutions and private individuals have to reckon with harsh penalties if they make mistakes with respect to data privacy protection?
Dr. Michael Friedewald: Even though the possibilities for sanctions and vetoes have been significantly expanded – non-compliance with the data protection regulations can now be penalized with up to 20 million euros or 4% of a company‘s annual turnover of the preceding financial year – an immediate wave of sanctions is unlikely. It is the implementation of the GDPR that matters. Financial penalties are only the very final option; in fact, the supervisory authorities are there to provide help and assistance with where and how companies and other institutions can improve data protection. The current hysteria concerning this issue is therefore completely exaggerated.
Question (3): System operators have to conduct data protection impact assessments in the wake of the GDPR – what are the benefits of these assessments?
Dr. Michael Friedewald: Data protection impact assessments are a really innovative element of the GDPR. On the one hand, they enable better evaluation of the risks resulting from existing data processing. On the other hand, they indicate possible negative consequences for data protection at an early stage. This means that existing data protection failings can be identified in good time and corrected while the technology is still being developed. Data protection can therefore be better integrated right from the outset when introducing new appliances or applications in the sense of “data protection by design and by default” – another innovative element of the new law.
Question (4): And what do data protection impact assessments look like in practice?
Dr. Michael Friedewald: An impact assessment is conducted in four phases: First, it is checked whether an impact assessment is really necessary. If required, the risks are then assessed based on six protection goals (the unlinkability of data, transparency, intervenability, availability, integrity, confidentiality). If risks have been identified, they must be removed using suitable safeguards. All the steps taken are documented in writing so that the supervisory authorities or the general public can get information about the data protection activities of a company or authority.
Question (5): The lex loci solutionis is also new – what does this imply?
Dr. Michael Friedewald: Under the GDPR, it is no longer the location where the data are processed that is decisive for applying the data protection law, but rather whether data of persons residing in the EU is being processed. This means the EU regulation applies to all data processers worldwide. Large companies have already announced they will comply with the GDPR on other markets as well.
Question (6): Does the GDPR strengthen the rights of citizens in general?
Dr. Michael Friedewald: I think the general answer to this question is yes, although a lot of things remain unchanged. In any case, the rights are much more clearly defined. For example, you can now lodge a direct complaint with your regional supervisory authority if you notice any infringement of the data protection law; this was not possible before.
Question (7): Will the GDPR mean a loss of Europe’s competitiveness compared to other countries where the impending data economy is not unduly hindered by too much data protection?
Dr. Michael Friedewald: Of course, the protection of fundamental rights is paramount. But examples from other fields like environmental protection show that ambitious regulations also trigger innovative solutions that have evolved into a competitive advantage for Germany and Europe in the medium to long term. This is why I do not see data protection as an obstacle to innovation; on the contrary, Europe can be a pioneer here.
Question (8): How will the GDPR handle future technology developments such as Big Data or Artificial Intelligence?
Dr. Michael Friedewald: In my view, the technology neutrality is its biggest shortcoming, because it does not distinguish the actual risks of processing. There is not a single regulation concerning the huge challenges posed by modern computing technologies like Big Data, the Internet of Things, cloud computing, self-learning systems, search engines and many other risks to fundamental rights. GDPR also features transparency obligations that are, however, largely restricted by trade secrets or copyright laws and even by German national law.
Question (9): Has the objective of harmonization and standardization of data protection been achieved with an EU-wide regulation?
Dr. Michael Friedewald: Regrettably, the answer to this question is no. There are more than 70 opening clauses that transfer regulations to the EU member states with regard to the admissibility of data processing – particularly in the entire public sector – the rights of the data subject, permission texts, employee data protection, or freedom of expression and information. These regulations remain abstract and the member states and even national judicial districts interpret them based on their legal tradition. Until the details are clarified by processes to standardize data protection supervision and by rulings of the European Court of Justice, these abstract regulations will probably cause legal uncertainty for many years to come.
Question 10: As a private individual, do I now have to worry if I unknowingly do not comply with the GDPR when using social media or blogs?
Dr. Michael Friedewald: The GDPR does not give any cause for concern that we as private individuals could be prosecuted for data protection infringements in the future, for instance, when taking photos, writing a blog or using social media and messenger services like WhatsApp. According to the German Federal Ministry of the Interior, the Kunsturhebergesetz (the German law on the protection of copyright in works of art and photographs), which as a special regulation always takes precedence over the GDPR, will continue to apply to photos. Private blogs are not subject to the GDPR’s regulations due to the exception for households. As for social media and messenger services, their operators are obliged to design processing to comply with data protection requirements. For instance, transferring a user’s entire address book – previously the case when signing up for WhatsApp – will no longer be permissible in the future.
Independent experts from seven scientific institutions and different disciplines address the issues surrounding privacy protection in the Forum Privacy Project. The project is coordinated by Fraunhofer ISI. Other partners include Fraunhofer SIT, the University of Duisburg-Essen, the Research Center for Information System Design (ITeG) at the University of Kassel, the Eberhard Karls University of Tübingen, the Ludwig-Maximilian University of Munich, and the Independent Center for Privacy Protection in Schleswig-Holstein. The Forum Privacy project is funded by the German Federal Ministry of Education and Research (BMBF) in order to stimulate public discourse on the topics of privacy and data protection.
The Fraunhofer Institute for Systems and Innovation Research ISI analyzes the origins and impacts of innovations. We research the short- and long-term developments of innovation processes and the impacts of new technologies and services on society. On this basis, we are able to provide our clients from industry, politics and science with recommendations for action and perspectives for key decisions. Our expertise is founded on our scientific competence as well as an interdisciplinary and systemic research approach.