Association of the Internet Industry: GDPR Must Overcome Bureaucratic Hurdles To Become a Game Changer

  • eco formulates 5 points for the revision of the GDPR

Since May 2018, the European General Data Protection Regulation (GDPR) has regulated how public authorities, companies, associations, organizations or, for example, hospitals may handle citizens’ data. The GDPR thus affects large telecommunications companies as well as local sports clubs. Now the first official evaluation of the much-discussed regulation is due. Despite great initial concerns, the GDPR has established itself after about two years as a basically suitable regulatory instrument. At the same time, eco – Association of the Internet Industry still sees too many unresolved legal questions and practical problems arising during implementation. This applies in particular to developers and providers of AI-based systems.

eco Managing Director Alexander Rabe says:

“The creation of a uniform European legal framework with the General Data Protection Regulation was the right step towards responsible data policy: bureaucratic obstacles and legal uncertainties in data protection can only be overcome by a holistic European approach. However, the GDPR can only become a game changer for Europe if a precise and uniform legal framework is in place. Uncertainties, such as those that currently still arise in the processing of AI training data and transparency and information obligations in automated decision-making, must be eliminated. Too many bureaucratic obstacles currently ensure that the GDPR in its current form is neither innovation-friendly nor in line with market requirements.”

The EU Commission’s report on the application of the GDPR and its evaluation, as required by the regulation, is due on 25 May 2020. The Association of the Internet Industry demands that the following five points of criticism be taken into account in the current evaluation:

1. Application of the GDPR must be uniform and proportionate
The GDPR places excessive demands on small companies and non-commercial players in particular and burdens them with its provisions for enormously high fines. Despite the high degree of harmonization in the area of data protection, various details, such as the minimum age of consent, are still not harmonized throughout Europe.

2. Bureaucratic hurdles must be removed
Groups and large organizations in particular are currently facing data protection hurdles in the internal design of their data protection rules and in the exchange of data – for example with subsidiaries. The bureaucracy currently represents an additional burden for all companies and should be simplified in future.

3. Data exchange outside of Europe must be simplified
Currently, exchanges with third countries, which are likely to include the United Kingdom at the end of the transitional period, are problematic for businesses. Reliable, sustainable, and comprehensive rules for the international exchange of data with third countries are needed in the long term.

4. Right to data portability must be clarified
The right to data portability – i.e. data transferability for persons – still poses a challenge two years after the adoption of the GDPR. eco calls for a dialogue process that further discusses a solution to the open questions regarding data portability at the pre-legislative level, for example in the form of standards.

5. Purpose limitation for the use of data must be practicable
The GDPR requires that the use of collected data be closely tied to a specific purpose. What is basically intended to be an effective means of data protection often poses major problems in practice, particularly within a company, and must therefore be specified more precisely.

The complete eco key points paper on the evaluation of the General Data Protection Regulation (GDPR) is available online.
