[projectvrm] German newspaper on GDPR -- and principle versus rules based regulations

[Tim Walters < >]

Today's (Feb 7) edition of the Frankfurter Allgemeine Zeitung (FAZ) published (finally!) an article about the GDPR. (German: Datenschutzgrundverordnung, or DSGVO -- yeah, I know.) After mostly ignoring the GDPR for the 20 months since its adoption, the main article (paywall) of the FAZ (a conservative, business-oriented newspaper, to say the least) now focuses on the burdens "suddenly" placed on businesses. Subtitle: "Huge fines, lots of bureaucracy, and extreme legal uncertainty: Many firms are now [now!] complaining about what the new data protection laws impose on them."

The article was accompanied by a short commentary, which further and with even less attention to detail complained about the burden the GDPR places on businesses. Noting that Frau Merkel's previous adminstration aimed to reduce the bureaucratic burden, it concluded that the GroKo (the great coalition that the CDU/CSU and the SPD are currently trying to form) will be accompanied by the GroBue -- the great bureaucracy.

Now: I tell you all of this mainly because I want to selfishly socialize the letter to the editors of the FAZ that I wrote in response. (And which I'm positive will never see the light of day, not least of all because I wrote it in English.) But I think that the framing and grounding for the tone of dismay and compliant in the FAZ article -- namely, "legal uncertainty" -- is very important for the fate of the GDPR and perhaps even more so for similar efforts elsewhere, such as that in New York state.

Germans being Germans -- e.g., people who will stand in the rain at a pedestrian crossing even when it is obvious there are no cars within a kilometer -- they naturally seek rules. But most businesses do as well. They learn of a regulation such as the GDPR and simply want to know -- OK, tell me what I have to do (and may not do).

But the GDPR is not that kind of regulation. I've been warned by some of my GDPR advisor fellows not to broadcast that the GDPR is a principle based, rather than a rules based, regulation, mainly because of some unhappy experiences with financial services legislation in the UK. (See here for a discussion of the two approaches, but I'm not endorsing the article.)

The legal uncertainty that businesses complain about is, in my view, largely a result of (and _expression_ of) the principle-based approach. I won't dive further, but just note this comment by the deputy director (I think) of the ICO in the UK:

"Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong."

This is as if you're a factory owner that wants to know about the maximum level of particulates that can be emitted from stacks, and the regulator says, "Think first about the children playing outside downwind from your factory, and you won't go far wrong."

Legal uncertainty, yes. But the trade-off --positive in my view -- is that companies have considerable leeway to determine how they go about satisfying the requirements. The ICO director Elizabeth Denham as often said that the GDPR must not be seen as a "box ticking compliance exercise -- i.e., there are not a strict set of rules that must be adhered to and checked off -- but rather as a way to ensure that companies process personal data "sensitively and ethically."

Anyway, far too long. Here is my letter to the editor of the FAZ:

Thema: Article and Commentary about the GDPR (DSGVO) on 07 February 2018

 

In his commentary on 07 February 2018 about the upcoming introduction of the GDPR, Sven Astheimer asserts that this means the GroKo will be accompanied by the GroBü -- die große Bürokratie. But the shallowness of Herr Astheimer's understanding -- or at least, of his presentation -- of the GDPR rather invites the reader to wonder if his commentary is not the GroDu -- die große Dummheit.

 

Herr Astheimer would have benefited by reading the article by his colleague Susanne Preuß. Her own efforts to toe the FAZ party line -- i.e., express outrage and dismay at the burden suddenly imposed by the GDPR -- is neatly undermined when she (or the editor) reveals in a sidebar that the EU allowed an unusual two-year transition period after the final passage of the regulation. Unfortunately, this opportunity to plan an orderly and relatively easy transition to business practices that accord with the GDPR was ignored as effectively by most businesses as it was by the FAZ and others responsible for informing the citizenry. Moreover, many of the requirements of the GDPR, such as the Verarbeitungsverzeichnis, have been legally mandated for years – but were, as Frau Preuß divulges, widely ignored by businesses.

 

It may come as a surprise to both authors that the EU Charter of Fundamental Rights includes the right to protection of one's personal data. The GDPR exists simply to express and defend that right, which is, of course, desperately necessary in a digital economy that is increasingly powered by personal data without the knowledge, let alone the consent, of the individuals to whom the data belongs.

 

As the EU Data Protection Supervisor recently said in a related context, "There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation” – or, in this case, a lack thereof.