Many Companies Still Uncertain One Year into the GDPR

  • eco Association welcomes the initiative of the German federal government to protect companies from discretionary warning penalties
  • Authorities’ period of grace for imposition of heavy fines will soon draw to a close

As of 25 May 2019, the GDPR will have been applicable in Europe for one year. During this time, both the Data Protection Conference (DSK) of the German federation and the federal states and the European Data Protection Committee have published a steady flow of new information sheets and orientation aids intended to give companies more certainty in implementing the GDPR. But Europe is still a long way from a position of legal certainty for all companies and a standardized interpretation of the regulation. “We urge the data protection officers in Germany and the supervisory authorities throughout Europe to interpret these rules in a standardized manner in order to protect companies from bureaucratic arbitrariness,” says Alexander Rabe, Managing Director of eco – Association of the Internet Industry.

Too little clarity in matters concerning the GDPR

In particular, when looking at the German picture, Rabe argues that small and medium-sized enterprises (SMEs), associations, or companies that were already well-positioned under the German Federal Data Protection Act (BDSG) in terms of data protection law must be shielded against high warning penalties and fines arising from the GDPR. Rabe therefore welcomes a draft Law to Strengthen Fair Competition, which the German federal cabinet has now published. “The current cabinet draft offers the grounds for further legal clarification, in order to protect SMEs, citizens, and associations from really massive penalties. Nevertheless, we should still take a closer look at the fines which are being imposed by the data protection authorities and put a stop to excessive fines,” says Rabe.

Although initial fines have been imposed in the last twelve months, the German supervisory authorities still seem to be showing restraint, with no deluge of fines having thus far occurred. However, this could soon change as data protection authorities increase their staffing levels, leading to more controls and consequently more fines for companies. As developments in France show, fines of up to 50 million Euro are not being ruled out.

However, experts from the industry are calling for a sense of proportion: “The GDPR is not so much about punishment as about giving companies the chance to elevate their security practices and strategies to a level more appropriate to the time at hand. IT security and data protection are now an integral part of digital business models and the GDPR gives companies the opportunity to gain the trust of customers and demonstrate that they are aware of their responsibility to protect data in the digital age,” says Hans-Peter Bauer, Vice President Central Europe at McAfee.

Industry-specific best practices take time

The fact that there are still very few court rulings on the GDPR – and, in particular, no supreme court rulings – is undoubtedly also a factor creating uncertainty. It will probably take some time for industry-specific best practices to become established. The fact that the ePrivacy Regulation is still not in place also means uncertainties in the interpretation of the GDPR, especially when contemplating questions such as how to deal with cookies.

“Companies must continue to address the issue of data protection and stay on top of developments in areas which directly concern them,” says Rabe. Even though fines have so far been treated sparingly, no-one should not rely on its remaining that way.

Many Companies Still Uncertain One Year into the GDPR