There is online and offline data protection

What has changed online and offline since the GDPR?

Germany is outraged about a data protection scandal: a 20-year-old has presumably hacked and disseminated private information such as telephone numbers and home addresses of well-known people and German politicians. Some voices are now calling for more surveillance and stronger controls. Security is once again recited as a mantra. But such security actually already exists: the General Data Protection Regulation.

A regulation is going on in Europe

On May 24, 2016, Regulation 2016/679 of the European Union came into force. Such a declarative act happens frequently and is usually a very inconspicuous matter. Two years later, on May 25, 2018, the western world was supposed to end: from that day on, the General Data Protection Regulation became enforceable, with penalties attached.

More educational work should have been done, Jan-Philipp Albrecht admits to "Die Zeit". The current minister was very active in drafting the GDPR in the mid-2010s and took part in many information campaigns and discussions about the General Data Protection Regulation until 2016. Today he regrets that this work was not continued after the GDPR came into force in 2016. But what is actually in the General Data Protection Regulation? The video of the WKO gives a good overview:

The requirements and obligations of the GDPR

The regulation applies not only to European companies, but also to all companies outside Europe that process personal data of European citizens. The GDPR regulates how information about people is handled. Article 2 puts it this way:

"This regulation applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that is stored, or is intended to be stored, in a file system."

Three terms are important here: processing, personal data and file system. Processing means any operation carried out with or without the help of automated procedures in connection with personal data, such as the collection, recording or handling of personal data. This includes, for example, the creation of customer files in a company or member lists in libraries, as well as a list of participants at an evening event.

Personal data, in turn, is all information that relates to an identified or identifiable natural person. The exact terms matter here, because:

  • natural person describes only real people, as opposed to legal persons such as companies, authorities, parties or other organizations. The GDPR only applies when real people are affected
  • identified person means that the identity of this person is already known
  • identifiable person means that the identity of this person could become known, without this necessarily being the case

The GDPR also gives a very broad definition of what personal data is. In concrete terms, it covers any assignment to an identifier or to one or more specific characteristics such as:

  • Names
  • an identification number
  • Location data
  • physical identity
  • physiological identity
  • genetic identity
  • mental identity
  • economic identity
  • cultural identity or
  • social identity

Finally, a file system is any structured collection of personal data that is accessible according to certain criteria. It is irrelevant whether this collection is managed centrally, decentrally or according to functional or geographical criteria. Every collection of data points - and this can include notes and slips of paper, but also index cards and encrypted files - falls under the definition of a file system. Important: the GDPR applies both online and offline to any collection of information about a person.

Strange consequences of the GDPR

The general public mainly notices the consequences of the GDPR that are perceived as negative: increased administrative effort, less usable customer data, or the need to appoint a data protection officer. For a long time the changes brought by the GDPR were not foreseeable, which also led to all sorts of strange excesses, be it doorbell name plates in Vienna or the discussion with German state data protection officers about the illegality of Facebook competitions or of using WhatsApp at all. Not all of these - by no means all - are to be taken seriously. In many cases, the fear of cease-and-desist warnings under the GDPR also leads to all sorts of uncertainty and overreactions among those affected (or not even affected).

Because of the changed legal situation, public bodies as well as individual EU citizens should have far better leverage against international corporations like Google or Facebook. Figures from November 2018, however, show Google, Facebook and Co to be the actual winners of the GDPR.

By November 2018, over 1000 complaints had been registered in Austria under the GDPR. However, so far only three penalties have been imposed. The companies had to pay between 300 and 4,800 euros. A company from Baden-Württemberg, on the other hand, was unlucky and had to pay the first German fine under the GDPR, in the amount of 20,000 euros, in November of last year. A hack had resulted in the loss of over 300,000 customer records. The company turned to the state data protection authority and cooperated with it. However, the investigation revealed - entirely independently of the actual incident - that the company had stored its customers' passwords in a readable file. The authority thereupon issued the fine.

Only twelve percent are GDPR compliant

Unfortunately, many companies are still at the very beginning. A recent Deloitte survey showed that only twelve percent of Austrian companies are GDPR-compliant. Many small and medium-sized businesses in particular regard the workload as disproportionately high.

A positive consequence of the GDPR for the German neighbors concerns the Schufa. This organization provides creditworthiness information, for example for credit inquiries - and as a result of the GDPR, access to the data held by the Schufa is now free of charge. EU citizens can demand disclosure of their personal data, and the Schufa must comply. Previously this was possible only once a year, as a gesture of goodwill.

In addition, the GDPR explicitly applies not only to companies but also to public authorities in the member states of the EU. Government bodies are therefore explicitly covered by this regulation when it comes to data protection violations. Even before, a residents' registration office was not allowed to sell the data of the people registered with it, but it happened anyway. Nowadays, affected citizens would have much better opportunities to take action against government agencies. In this respect, the GDPR can even help citizens against arbitrary behaviour by the authorities. However, some authorities are sounding the alarm: the burden of data protection inquiries is too much for them.

But the regulation could also have a positive impact internationally, because the GDPR is considered an international model that has also received a lot of praise in the USA. At Mark Zuckerberg's congressional hearings, the GDPR was praised several times. Japan is also planning a similar data protection law and specifically wants to orient itself towards the GDPR.

Conclusion: 30 months later

What is the GDPR? Although it haunts the media, politics and society, hardly anyone really knows it. Partly mocked, partly feared, this year it has taken on the role of the cucumber curvature regulation and is seen by many as a symbol of excessive bureaucracy and a state control mania. But what is ignorant agitation, what is dangerous half-knowledge, and what is justified criticism?

The fact is that the GDPR has a bad reputation. Data protection has now almost become a dirty word. This blog post is not intended to solve that problem either, but it calls for prudence and insight. Has life got worse? Is there anything bad in the legal text itself? Is the GDPR to the detriment of the population? All three questions must actually be answered in the negative.

The GDPR complicates some processes. The GDPR doesn't make life any easier for small and medium-sized businesses. But is the regulation rotten at its core? Data protection advocates deny that. Its implementation, as is so often the case, has simply been handled poorly. (Christian Allner, January 22, 2019)
