1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

EU data privacy rules have no impact

September 28, 2016

The new EU data protection law aims to improve consumers' legal situation when it comes to their personal information. But experts question whether the laws will have any real impact.

Symbolbild Datenschutz
Image: picture-alliance/dpa/P. Pleul

Privacy and data protection activists cheered whendata protection regulations went into effect in May in the European Union. The laws were created to give European consumers more rights. For example, Internet users would be able to take legal action against companies they suspect are violating data privacy rights. Before the new law, anyone who wanted to report a breach of rules on Facebook had to deal with Irish data protection authorities since that's where the company maintains its European headquarters. Now users in the EU can to turn to authorities in their own country - meaning regulatory bodies from the two countries have to cooperate to resolve an issue. If they disagree, then a joint European committee is called in to make a ruling.

Another reform concerns other social network users: If they change platforms, they must be able to export e-mails or images to their new site. Also, Internet companies cannot use or distribute data for a purpose that has not been approved by a customer. And, the right to be forgotten must be preserved.

According to the European Commission, businesses will also benefit from the new regulations. Just the fact that there will be only one supervisory authority will save the industry more than 2 billion euros ($2.2 billion), the Commission estimated.

The German E-Commerce and Distance Selling Trade Association (bevh) predicted that cross-border online trade will improve. In the past, it has fallen short of expectations as consumers have always suspected security problems or loopholes in guarantees could leave without international legal recourse.

Many businesses are waiting

Right now, an EU world of expanded cyber-rights exists only in principle. Although the data protection regulation went into effect in May, EU member states have two years to adjust their national laws. In Germany, 300 administrative laws are affected by the EU regulation.

Many businesses are also not prepared for the changes. A survey commissioned by Bitkom, Germany's digital association, showed that almost every other business in Germany is not concerned about data privacy. Some 32 percent of businesses with more than 20 employees are aware of what steps they need to take, but they also said they are putting of dealing with the reforms. Twelve percent of businesses have never even heard of the new laws.

Susanne Dehmel, head of data protection and security at Bitkom, has urged companies not to wait too long before beginning the adjustment process.

"After the end of the transition period in May 2018, companies that do not adhere to the regulations face severe penalties," she said, adding that businesses should not scoff at the fines as the maximum penalty is 4 percent of global sales.

Symbolbild Cloud Computing
Was cloud computing too complicated for regulators to get their heads around?Image: picture-alliance/dpa

Cloud computing not mentioned

At the same time, other problems are looming. A legal study carried about by the University of Kassel has revealed that key Internet services are not covered in the new legislation.

"All modern challenges in data privacy, like social networks, big data, search engines, cloud computing, ubiquitous computing and other technical applications are completely ignored in the written regulation," said professor Alexander Roßnagel, who led the university's project group.

He added that this oversight will lead to legal uncertainties "because the distinction between German laws is unclear, the legal situation in Germany will become more complicated and possibly even worse."

The EU regulation actually strives to achieve unified, modern and improved data privacy as well as create equal competitive conditions for IT providers across the 28-member bloc. Roßnagel said these aims have not been achieved because the regulations are too abstract and allow too many exceptions.

As Europeans spent a long time preparing the regulations, no changes can be expected on the EU level. And since the EU data protections regulation does not nullify German laws, legal challenges are sure to be in store - at the latest when the regulations come into force in May 2018, Roßnagel said.

"In many cases, it will be unclear or disputed which regulation must be applied to an individual case," he said. "This is where German lawmakers must formulate new, adjusted legal provisions."