Five years of GDPR

Alexander Filip, Managing Director at the Bavarian Data Protection Authority for the Private Sector reflects on the data protection milestone.

16 August 2023


It’s been five years since the General Data Protection Regulation, now better known as GDPR, came into force in the EU. It triggered similar regimes around the world. Reflecting on this milestone, Alexander Filip, Managing Director at the Bavarian Data Protection Authority for the Private Sector, highlights the growing importance of personal data protection, the progress already made and the challenges to come.

According to Alexander Filip, we can be forgiven for thinking that GDPR regulates almost anything interesting these days. Undoubtedly, it is the most impactful data privacy and security law in the world right now. At least until the AI Act is introduced.

Data protection in Germany

Munich attracts businesses from across the data-driven economy. This concentration of tech translates into a particularly high number of data-protection complaints in Bavaria compared to other places in the EU. The Bavarian Private Sector Data Protection Authority handles around 12,000 cases a year, with around 6,000 complaints from individuals among them.

Due to the high number of cases, the authority has had to scale back its GDPR compliance advice to companies. "The additional workload gets in the way of our ability to meet our mandatory obligations, such as the handling of complaints lodged by individuals and of notifications of personal data breaches," explains Alexander.

Complaints about alleged data protection infringements are not limited to big tech companies and online platforms. They cover a range of issues, including video surveillance with individuals captured on camera, as well as cookie banners, internet tracking, advertising and data transfers to non-EU countries, which illustrate the breadth of the authority’s tasks in enforcing data protection legislation.

Individuals and also NGOs are taking it upon themselves to monitor data protection compliance, sometimes even where an alleged infringement does not directly involve their own data. Once a complaint is filed under GDPR, the authority is obligated to investigate provided the alleged infringement concerns personal data relating to the complainant.

While the GDPR includes lists of the data protection authorities’ tasks and powers, a number of details still seem to require further clarification. This is in particular the case with regard to the role of the complainants. But further clarification can soon be expected. The Advocate General at the European Court of Justice (ECJ), ruling on alleged infringements by German credit-rating agency Schufa, stated that a complainant has a right to a full substantive judicial review of a data protection authority’s decision issued upon a complaint which alleges an infringement of that complainant’s right to data protection.

Alexander is concerned about the authority’s staffing levels, which already hinder its ability to handle an existing heavy workload, let alone extra responsibilities that will come with more formal and rigorous procedures. He wants stricter criteria to determine the validity of GDPR complaints at the outset, so that the authority can prioritise the most urgent cases.

Ongoing challenges with third-country data transfer

The ECJ, in its Schrems II judgement, emphasises the need for robust due diligence before transferring personal data to a third country. The case was brought by Max Schrems, an Austrian lawyer, privacy activist and founder of None of Your Business (NOYB). The ruling states that it is not sufficient for a data exporter to rely on Standard Contractual Clauses for data transfers and that the level of data protection in the third country must also be assessed.

US surveillance programmes, in particular, have been found by the ECJ to fall short of meeting the requirements of the GDPR. As a result, efforts are underway to draw up a successor to the Privacy Shield framework, to ensure the lawful transfer of personal data from the EU to the US.

Meanwhile, in late 2022, German regulators published a report raising concerns about data processing in Microsoft 365’s cloud-based productivity products. Although the report does not constitute a product evaluation or ban, it highlights potential data-protection breaches. It identifies, among others, a lack of clarity regarding the purposes of the processing and the categories of the processed data, which could potentially compromise the protection of personal data relating to EU residents.

The European Data Protection Board clarified its interpretation of the notion of a transfer of personal data to third countries in a February 2023 guidelines paper, but challenges persist.

Cookies under scrutiny

Cookie banners, crucial for GDPR compliance, must be transparent and user-friendly. Any website that targets the EU market, regardless of its location, is legally required to obtain valid consent from users in most cases where the users’ personal data is processed using cookies or trackers.

However, according to Alexander, NOYB has filed 226 complaints, which gave rise to investigations by several data protection authorities into the design and effectiveness of the cookie-consent mechanisms implemented by the respective website owners.

In response to such concerns, EU data protection authorities have jointly established common standards to assess the legal requirements relating to the use of cookie banners and ensure that users get an effective choice on the personal data that websites can collect.

The right to information

Individuals have the right to demand information (“access”) from entities about their personal data and how it is processed. As Alexander explains, “This right to access has become a battleground. Companies must have processes in place to respond appropriately and promptly. They have one month to respond to an access request. Failure to do so is likely to unleash individuals’ complaints to data protection authorities and investigations carried out by the latter.”

Now, a new ECJ ruling, effective 4 May 2023, grants individuals the right to access excerpts from documents or extracts from databases that hold their personal data under GDPR. Companies will find it difficult to turn down requests unless they can clearly demonstrate conflicting rights. The ruling aims to enhance transparency in data processing and empower individuals.

AI challenges

Responsibility for enforcing the AI Act is yet to be determined. However, Alexander believes that data protection authorities have got to be involved one way or another where cases involve processing of personal data.

Large language models, like ChatGPT, are not per se considered excessively high risk, yet action is already being taken at national level by several data protection authorities. In April 2023, Italy became the first Western country to suspend ChatGPT. Under orders from the local data protection authority, which had identified potential unlawful use of Italians’ personal data, developer OpenAI was obliged to temporarily disable ChatGPT. The authority required OpenAI to inform users about the methods and logic behind its data processing and provide tools for correcting or deleting erroneously generated personal information. The suspension was lifted once data privacy conditions were met.

Spain’s data protection authority is investigating ChatGPT for possible rule violations, while the French authority has initiated a control procedure.

To address growing concerns, the European Data Protection Board has set up a taskforce. It will promote cooperation and information exchange between authorities for enforcing EU laws.

Unfinished business

Five years after its introduction, GDPR has made an undeniably significant impact on data protection globally. But the job of the data protection authority is certainly not getting any smaller. Challenges persist, not least staffing limitations, the need for clearer guidance and interpretation, and more robust data protection behaviour and compliance by companies.

As the data privacy landscape evolves, and the forthcoming AI Act comes into force, the need for vigilance will remain constant. Data protection authorities must work together, foster cooperation and exchange information on how to enforce laws effectively.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.