Infringements of the General Data Protection Regulation (GDPR), which has been binding since 25 May, are subject to severe penalties. In a brief interview, Thomas Rickert, lawyer and Director of the eco Competence Group Names & Numbers, explains what the status of implementation in Germany is, and how likely sanctions are.
Mr Rickert, the GDPR has been mandatory for a number of days now. What is your subjective impression: Have the majority of companies taken the necessary precautions?
Anyone who has not yet heard of the GDPR must not have much contact with the outside world. My bet, however, is that the majority of companies have started to deal with the requirements of the GDPR, but have not yet completed their implementation.
Do you have the impression that many people were caught off-guard by the scope of the regulation?
Absolutely. However, that’s certainly partly due to the fact that entrepreneurs want to concentrate on their business and tend to put issues which only eat up internal and external resources, but seem to do nothing for their business, on the back burner.
If nothing else, the risk of warnings and penalties will certainly spur companies on to implement the regulation. How do you assess the immediate risk?
We have to assume that two things will happen. On the one hand, data subjects will try – also due to increased information – to exercise their rights and assert these against companies and authorities. What’s also new in the GDPR is that they can take action against the authorities if they fail to act. This will certainly trigger a certain pressure to impose sanctions.
Furthermore, one must assume that, using crawlers, the Internet will be trawled for missing or incorrect privacy policies in order to then systematically issue cease and desist notices, and to ultimately cash in on these.
In your opinion, does the GDPR offer the “cease and desist industry” new fodder – and shouldn’t this business finally be restricted?
In principle, warnings are not a bad thing. The idea is actually to be able to settle infringements out of court. In Germany, however, the problem is that the cautioned party has to reimburse the lawyers’ warning costs. In other jurisdictions, such a notification is not directly associated with costs.
So it is the lawyers’ fees that create unholy alliances between lawyers and alleged competitors of the parties at the receiving end of the written warnings. This requires a fundamental rethink.
What is your view of the Austrian government’s decision to only penalize GDPR violations to a limited extent and to not claim damages?
Data protection officers are independent and data protection in itself is a good thing. I trust that the supervisory authorities will fulfil their legal mandate with sound judgment. Anyone making an effort to comply with the law will certainly not be subject to the full force of the legal framework for fines.
However, anyone who systematically tramples on data protection requirements and thus on the rights of data subjects should be subject to sanctions that hurt. Up until now, we’ve had a major lack of enforcement, which has allowed for the emergence of business models which are largely illegal.
eco offers extensive information and advice on the GDPR in its own online topic focus.