1 Data Protection on the EU-Level

If the purpose of this reform was to strengthen people’s control over their personal information and improve enforcement, our governments have achieved the exact opposite.

Anna Fielder, Privacy International

Data protection is no longer a national topic. Because the world has become a closely linked, increasingly merging digital global village, the EU has been authorized by its member states to set the course in this area as well.[1] Initially, this took the form of broad sector-specific targets. In order to regulate data protection comprehensively, the European Parliament subsequently adopted the Data Protection Directive. This directive has been implemented in national law by the individual member states within the limits of the scope granted to them.[2] Thus, full harmonization was not achieved, but at least a minimum harmonization was. It is problematic, though, that the Data Protection Directive dates back to the year 1995, a time when by no means every household had a computer, let alone internet access. One could not speak of smartphones, since hardly anyone even owned a cellphone back then. Describing the Internet as “new ground”[3] would have been appropriate at that time.

In short: the EU Directive, on which the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) is based, is no longer up to date. Additionally, the differing implementations in the 28 member states have led to an uneven level of data protection within the EU. Besides low taxes, this is also one reason why Facebook has its European headquarters in Ireland, a member state with comparatively liberal data protection.

Now, all of this is to change. The adopted General Data Protection Regulation (GDPR) is intended to ensure full harmonization in the area of data protection law. In this respect, the title “General Regulation” has a legal as well as a symbolic meaning. The legal difference is that regulations have direct effect: as opposed to directives, they do not require transposition into national legislation.[4] The symbolic meaning lies in the word “General”: on the one hand, it is supposed to emphasize the aspiration to regulate the topic of data protection comprehensively; on the other hand, member states are to be granted scope for detailed national rules.

2 Genesis of the General Data Protection Regulation

The opening move for the GDPR was made by the European Commission under the leadership of the former Luxembourgish Justice Commissioner Viviane Reding at the beginning of 2012. Subsequently, the LIBE Committee[5] submitted a compromise version to the Parliament, for which more than 3,000 amendments were proposed, while only 207 were eventually included in the draft. In summer 2015, the Council, which consists of the ministers of the member states, agreed on a common position as well.

Therefore, the way was clear for the negotiations between the three institutions, which are prescribed by the EU Treaties and currently ongoing. However, they did not take place—as so often—according to the officially provided procedure[6] but as a so-called “informal trialogue” behind closed doors. On the one hand, this approach draws criticism regarding the lack of transparency of the EU’s work, which has been pilloried for its democratic deficit anyway,[7] and the strong influence of various lobby groups. On the other hand, it fueled the hope of quickly achieving a result after a period of tough negotiations. The negotiations were concluded by the end of 2015. A timely adoption surely had a signal effect, especially regarding the transatlantic data protection debate with the USA, which gained additional significance after the Safe Harbor judgment by the ECJ[8] on October 6, 2015. The GDPR was officially passed in May 2016; it will become applicable two years later.

3 General Criticism of the General Data Protection Regulation

The GDPR is mainly criticized for two issues. Firstly, the General Regulation is said to come closer to a directive in its effect. This argument is based on the numerous opening clauses, that is, on the passages in which only broad provisions are given, leaving the exact modalities to the member states. An example of this is the area of employee data protection: the GDPR provides in Art. 88 that “Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context”. In Germany, there was even a draft law for an Employee Data Protection Act (Beschäftigtendatenschutzgesetz). The initiative was put on ice, however, in order to wait for the Regulation. It is already being debated what exactly is meant by “more specific rules”. Due to this room for interpretation, differing rules in the member states can be expected, which is precisely what was meant to be prevented.

Secondly, it is feared that a deficit in the legal protection of citizens could arise. EU law takes precedence over national law, and the scope of the Regulation affects fundamental rights as well, such as the right to informational self-determination. If citizens feel that their rights have been infringed, jurisdiction no longer lies with the Federal Constitutional Court (Bundesverfassungsgericht) in Karlsruhe but with the ECJ in Luxembourg. Yet, on the European level, there is no constitutional complaint. In a case that comes down to the validity of the Regulation, the citizen would depend on a national court referring the matter to the ECJ.[9] In practice, it is not uncommon for German judges to shy away from this procedure, probably also because European law has not yet played a big role in their own legal training, leaving them on rather shaky ground. Whether this deficit of legal protection actually arises remains to be seen.

4 Possible Consequences for Big Data

The consequences of the new law for big data innovations can be determined based on a short analysis of the principle of purpose limitation, which is one of the most important German and European data protection principles. This certainly “sharpest sword” of data protection stands opposed to the unlimited linkage of large amounts of data.[10]

The principle of purpose limitation states that personal data may only be collected for a precisely specified, clear and lawful purpose and that it cannot later be processed for a purpose incompatible with these provisions.[11] The party collecting the data therefore has to inform the affected person about the purpose when collecting the data and has to comply with this purpose during the processing. Many big data applications, however, are based precisely on linking data that has been collected from different sources, at different times, in different contexts and for different purposes.[12] Often, data is simply collected so that one can consider later on what else it could be useful for. The principle of purpose limitation, however, requires that the person responsible for the data collection or processing considers the data use or business model in advance. This requirement thus contradicts big data.

What rules concerning this important principle are provided in the GDPR? Can the accusation by Privacy International cited above be justified?

According to the Council’s proposal, “further processing of personal data for (…) scientific, statistical or historical purposes shall (…) not be considered incompatible with the initial purposes.”[13] The question arises what exactly is meant by these terms, since they are not further defined in the proposal. This also raises the question whether data analysis through big data analysis tools is not always for statistical purposes.

Furthermore, the Council, of which among others Federal Minister of Justice Heiko Maas (SPD) is a member, wanted to add a further exception to the principle of purpose limitation: “Further processing by the (…) controller or a third party shall be lawful if these interests override the interests of the data subject.”[14] In this regard, it should be noted that a legally imposed balancing of interests always entails a certain degree of legal uncertainty. The same applies to the purpose of the data processing: it has not yet been clarified how precisely, and on which level of abstraction, the term “purpose” has to be defined.[15] According to the legislative proposal, the interests of third parties, such as the economic interests of companies offering big data analysis, could possibly be invoked. It should be noted that the choice of terminology in the draft was very imprecise. That this softening of data protection principles was surely desired by the German negotiating side is demonstrated by the statements made by Chancellor Angela Merkel at the IT Summit 2015.[16]

The approved GDPR clarifies that the outcome of data processing for statistical purposes must not contain personal data or be used for measures against natural persons.[17] Consequently, many big data applications are not covered by this exception to the principle of purpose limitation.

The balancing of interests was also not included in the final version of the GDPR. Originally, the Council wanted to use this balancing to allow changes of purpose.

However, there are now certain criteria that the data processor must respect when assessing whether the new purpose is still compatible with the original one. One example of these criteria is the possible consequences of the intended processing for the data subject, Article 6 para 4 lit. d GDPR.

The remaining criteria are ill-defined as well and will therefore give rise to differing national interpretations.[18] Ultimately, there still has to be a weighing of interests. The explicit use of this phrasing was abandoned in response to heavy criticism, but the already mentioned compatibility of the new purpose with the purpose of collection means exactly the same thing.

Only extensive case law will be able to resolve these uncertainties. The Regulation has direct effect and therefore cannot be refined by the national legislators.

5 Conclusion and Outlook

Against this background, the statement by Anna Fielder cited above cannot be entirely dismissed: the analysis of the principle of purpose limitation has shown that people’s control over their personal data, and enforcement in this context, did not improve compared to the Data Protection Directive that is still in force. However, to say that European governments have achieved “the exact opposite” may be an exaggeration. It must be examined in the near future how the numerous opening clauses are going to be filled out by the member states. Especially by German standards, the GDPR does not involve a significant change regarding the central principle of purpose limitation. German law also contains exceptions for a change of purpose; these exceptions are in fact somewhat more restrictive, but quite comparable.

However, data protection can no longer be thought of only within national borders, as is demonstrated for example by the practice of cloud computing. In many other European countries, such as Ireland or Romania, the protection level will rise.[19] Thus, the standardization will eventually still have a positive effect on affected parties in Germany.