5 years DPOblog.eu

“Turning Point” was the title of one of the first articles on DPOblog.eu on 25th April 20181: “With 25th of May 2018 we are reaching a turning point in data protection. The EU sets a worldwide standard which will generate a broad effect on the global economy. This standard applies to all companies that provide services to EU citizens.” Since April 2018, publishing once per month, DPOblog.eu has published more than 60 articles on key topics of data protection. The focus lies on GDPR and international privacy. The main audience comes from the USA and Europe.

DPOblog.eu commented on new technological developments, with AI as the current key technology in IT. The EU provides a new regulatory framework with the AI Act2 and sets rules for liability3. The ban of ChatGPT by the Italian DPA is remarkable. However, other technologies – like video surveillance4 and cross-website tracking5 – remain relevant for data protection and carry a high risk for European citizens.

DPOblog.eu has analysed that the GDPR has a significant effect on the international development of data protection.6 GDPR sets a worldwide benchmark on data protection.7 From an international perspective it is significant that several countries initiated an update of data protection legislation – like the US8 and Japan9. In addition, the G7 sees privacy as part of the Global World Order.10

The two key topics in global politics were reflected on the blog: the corona pandemic and the Russian invasion of Ukraine. In Germany, employers had to check the vaccination of their staff. Employees were required to report an infection with the virus to their employers. This sensitive health data can only be processed in times of pandemic and on a specific legal basis.11

With the Russian invasion of Ukraine, companies and public bodies had to exclude data access by Russian service providers.12 The threat of cyber crime by Russia will shift the weighing between IT security requirements and data processing in favor of new IT security measures.

Data protection shall focus on the most vulnerable groups of our society: e.g. children and young people. Children’s rights must be guaranteed in the digital space.13 TikTok collects the personal data of young people in our Western society.14 Can we trust TikTok to prevent access to this data by the Chinese government?

“Too much information – too little competition” was the headline of an article on the interplay between competition law and GDPR.15 Some authors elaborated additional legal fields which are connected to GDPR – like the Digital Markets Act (DMA).16

Several articles provided an analysis of specific topics of GDPR: right of access17, consent18, joint controllership19, data processing on behalf20 and double opt-in. In particular, GDPR describes the new role of the data protection officer. The DPO was not mandatory under the old data protection directive 95/46. Apart from the legal setting, the DPO is often “the messenger of bad news” since data processing which is technically possible may not be legally admissible. The DPO needs to communicate this “bad message” to the top management.21 The DPO is central to the blog in another way. The abbreviation of the term data protection officer also gave my blog its name: DPOblog.eu. In addition, the focus on well-founded arguments with relevance for legal practice is the general approach for the articles on this blog.

In my view, the key topic of data protection within the EU is whether “Big Tech”22 will be compliant with GDPR or not in the near future. GDPR is a strong law. But the Achilles heel is the weak implementation.23 The oversight still lies with national DPAs. In theory, the cross-border cases are to be resolved in cooperation with the lead authority which is responsible for the main establishment of the controller. In practice, the cooperation starts at the end after the lead authority has drafted the final decision. In addition, the Irish DPC, which is lead authority for many Big Tech companies – like Facebook (Meta) and Google – is not willing to take its responsibility to monitor the implementation of the GDPR. For example, not a single other national DPA shared the legal evaluation of the Irish DPC in its decision on Meta (Facebook). The best way to heal the Achilles heel of the GDPR is the establishment of a central European DPO which is responsible and has the resources to deal with Big Tech. However, no political player within the EU seems to be motivated to change GDPR in this direction. At least, the EU Commission is not likely to reopen the intensive discussion about data protection which took place before GDPR came into force. Therefore, the EU Commission has started an initiative to harmonise the legal procedures for the DPAs.24 However, this initiative will not be the breakthrough for the poor implementation.

The CJEU has drafted many key decisions in the last five years on data protection. “Schrems II” was the most significant for the IT industry since the data transfer to the US was regarded as not admissible. The EU Commission will most likely conclude a final adequacy decision on the “Trans-Atlantic Data Privacy Framework” with the US.25 It is remarkable that the EDPB similarly welcomed the new framework. However, Max Schrems will most likely challenge this new agreement for a third time in a new proceeding “Schrems III”.26

On 4th of May 2023, the CJEU is expected to provide a landmark decision on the specific requirements and the amount of damages. One key topic is whether a breach of GDPR is a sufficient precondition for compensation or whether immaterial damage deriving from the infringement is required. An additional aspect is whether the damages have to be of a certain gravity or seriousness. The Advocate General takes a restrictive view on every aspect.27 In a different proceeding before the CJEU, the German Federal Labour Court28 takes the opposite opinion. However, the Advocate General emphasizes that the profit arising from the infringement of GDPR might be part of the compensation granted to the plaintiff. The decision of the CJEU will have a significant effect on the risk evaluation by private companies and public bodies. In combination with the European directive on representative actions – the European form of class action – this decision can strengthen the legal options for consumer agencies.

I dedicate this article and the first 5 years of DPOblog.eu to Prof. Dr. Spiros Simitis, who died in March 2023.29 Prof. Simitis was the most influential scholar for data protection in Germany and in Europe with a deep influence on privacy in the US.30 He was the editor of the leading commentary, a key architect of European data protection law31 and a brilliant intellectual with a fine sense of humour. It is a great honor that Prof. Simitis was the mentor of my thesis.

I am grateful for the privilege to coordinate a team of sophisticated lawyers for DPOblog.eu, which is open to new members: thank you very much, dear learned friends and authors!32 Let us keep writing for data protection as part of our open society – in the best sense of Spiros Simitis.


