The long road

Prof. Ulrich Kelber, German Federal Commissioner for Data Protection and Freedom of Information (BfDI)//

Recently the General Data Protection Regulation (GDPR) celebrated its second birthday. Nobody expected a wild party even before the Corona pandemic. Instead there were appropriate congratulations from many people for this European “success story with room for improvement”. After all the GDPR became an export hit. Japan and the US-State California are only two examples where the European regulation influenced other data protection laws. The European Data Protection Board (EDPB) has also earned some appreciation for this. The GDPR itself states that Data Protection Authorities should ensure its consistent application.

Together with my European colleagues I am working to meet that aim. It was no surprise that we all have a different approach and different positions. The list of decisions by the EDPB demonstrates that our cooperation is successful anyway: We agreed on guidelines to the interpretation of key terms of the GDPR and released statements with regards to the coherence procedure (e.g. requirements for accreditation). The number of cross-border cases and procedures with mutual administrative assistance together for 2019 is within a medium four-digit range. The cooperation of the European Data Protection Agencies is best described within the EDPB Annual Report from 2019: “In case of conflicting views regarding which authority should act as Leading Supervisory Authority (LSA), the EDPB will act as a dispute resolution body and issue a binding decision. Since 25 May 2018, 807 procedures were initiated to identify the LSA and the CSA in cross-border cases. No disputes on the selection of the LSA occurred.”

Cross-border cases

Despite different mentalities on the subject of data protection there is a willingness for a consistent application of the GDPR. To tell the whole truth, there are still some very important cross-border cases without a draft decision. Especially those cases regarding international IT-companies like Google, Amazon, Facebook, Microsoft and Apple. Obviously those cases show the limits of cooperation. The cases that involve the so called GAFA-companies have massive impact on every day of life for EU-citizens and they distort competition. Essential questions for data protection remain without an answer for more than two years now. Of course there is an immense public interest in these cases. The German Data Protection Agencies are waiting in eager anticipation for the release of the draft decision of our colleagues in charge.

In my agency there are currently several pending procedures regarding different messenger-applications. German citizens have filed complaints, but the responsible agencies have their headquarters in other EU-states, mostly in Ireland and Luxembourg. None of those cases showed any process since the GDPR came into effect in May 2018. This is also due to the fact that some national regulations are very complex and contain extensive and multiple procedures to get the respective companies involved. Many citizens who filed complaints are dissatisfied with the long duration of the procedure and all the small steps on the way. The longer it takes to get to a decision the more likely it is that technological development will make a decision obsolete or the abuse of personal data already caused permanent damage. I am sharing the dissatisfaction without any constraints.

Everything needs to be translated

Some problems are only of practical nature: the reports of some Data Protection Agencies are very extensive. Those documents need to be translated into the respective languages. Both those who filed complaints and the companies have the right to get these translations. This is where two problems meet, because the more steps a procedure has the more frequent documents need to be translated.

Disregarding that problem the entire communication between the data protection agencies has harmonized itself over the last years. Simple questions or the distribution of documents are solved quick by using internal digital platforms. Of course there is still room for improvement. Some data protection agencies share their documents automatically, some others only if there is a request. But while the overall coordination is functioning well, these challenges are perspectively expected be solved. Especially the EDPB demonstrated its competence to handle a crisis situation. Due to the pandemic our monthly meeting in Brussels changed into a secured videoconference taking place once or twice a week. Thus the board was able to react quickly to the important data protection questions regarding the pandemic. One example is the positive impact on the development of tracing-apps, which are now far more privacy friendly due to the influence of the board.

National regulations

The national regulations and procedures remain the biggest obstacles. The EDPB is working on common procedures for the cooperation within the so called cooperation- and coherence procedure. On top there are more detailed procedures regarding the mutual support und joint measures planned.

We need to strengthen the exchange of information. Involved supervisory authorities repeatedly criticize that they do not get all relevant information from the leading supervising authority in time. This complicates the examination of draft decisions for the one-stop-shop-procedure in time especially with a limited amount of personnel. I cannot emphasize the fact often enough that several data protection authorities need considerably more personnel and funding to fulfil their duties. The European Commission also demanded this in the evaluation of the GDPR. It is in the sphere of the national governments and up to their political willingness to appropriately enforce data protection.

Together for basic rights

The European Commission stated in its evaluation of the GDPR that there is a need for immediate action regarding cross-border cases. And the Commission urged the EDPB to find solutions. The big data-companies should not make the basic right to privacy to the plaything of their own economic interests. The current cases need a decision the sooner the better. Because the future challenges for privacy are already there as the Coronapandemic is showing us. If we manage this, we may then celebrate the GDPR a bit more enthusiastic on its next birthday.