The growing importance of data protection in a networked society

At a time when digital technologies and the ubiquitous networking fundamentally change social and economic life, German data protection law faces enormous challenges. The rapid development of information technologies, the spread of mobile devices and the increasing digitization of all areas of life mean that personalData is collected, processed and used to an unprecedented extent. At the same time, the population’s awareness of the importance of protecting one’s own data and informational self-determination is growing. Nevertheless, in many respects, the applicable data protection law lags behind the requirements of the modern information society.

Historical development and structural deficits of data protection law

The current data protection law in Germany is characterized by a large number of individual laws, special regulations and complicated regulations that have developed over decades. The first revision of the Federal Data Protection Act in 2001 turned out to be insufficient: Instead of initiating fundamental reforms, repairs were only made to the surface,without setting the urgently needed course for the future. The legislation thus fell far behind social and technical developments, which have changed fundamentally since the 1970s and 1980s.

Complexity and lack of transparency: An obstacle for users and affected people

Even the first contact with data protection law is extremely difficult for citizens, companies and authorities. The regulations are divided into numerous individual laws, which are supplemented by a large number of special regulations. These are often difficult to reconcile with each other and make understanding considerably more difficult. The Federal Data Protection itself is in its language andStructure so complex that it is hardly understandable for laypeople. Experts also repeatedly encounter problems with interpretation, which makes practical application even more difficult. This confusion means that data protection law is met with little acceptance by the population and is often perceived as a bureaucratic obstacle.

The illusion of voluntariness: consent and de facto compulsion

In many areas of the economy, data protection is effectively circumvented today by obtaining consent that consumers have to give when the contract is concluded. These consents suggest voluntariness and self-determination, but in reality are often associated with considerable coercion. For example, who refuses to agree to the Schufa clause, will not receive anyCredit, no insurance, no cell phone and often no apartment. Likewise, applicants who do not answer unacceptable questions in the interview are often disadvantaged. The supposed freedom of choice turns out to be an illusion, since the rejection of consent is associated with considerable disadvantages. This is the basic right to informational self-determination in practicehollowed out.

Deficits in enforcement and inefficient supervision: The weaknesses of control

Another central problem of German data protection law is the constantly growing deficit of enforcement. Although the tasks of data protection supervision have been continuously expanded in recent years, there was no corresponding increase in resources and personnel. The complicated structure of the supervisory authorities – with the Federal Data Protection Officer, the state data protection officerand other data protection supervisory authorities, which are located in the interior ministries in many federal states – leads to considerable confusion. It is often unclear to those affected who they can contact to enforce their rights. The result is that many data protection violations go undetected or unpunished.

Insufficient sanction mechanisms and lack of deterrence

The legal sanctions mechanisms for data protection violations are incomplete and not very deterrent. Advertisements usually do not lead to any noticeable consequences, since fines are rarely imposed. The facts that can be prosecuted as administrative offenses are incomplete and inconsistently regulated. While the unlawful storage of data can be punished with a fine, theInvalid use of stored data often without punishment – although this is a massive intrusion in personal rights. The statutory fines – a maximum of 25,000 euros for formal violations and up to 250,000 euros for serious material violations – hardly deterrent to large companies. In comparison, fines of up toten percent of the annual turnover can be imposed, which can lead to penalties in the three-digit millions. The low data protection fines send the fatal signal that violations of the right to informational self-determination may be considered trivial. There is therefore hardly any incentive for financially strong companies to take data protection seriously.

Legal disputes and the exclusion of data protection officers

Data protectionists are repeatedly confronted with fundamental legal disputes that affect the central aspects of the information society. For example, it is argued that radio chips only track objects and do not collect any personal data that scoring procedures do not evaluate individual persons, but only statistical probabilitiesdeliver, or that georeferencing only collects harmless geographical data. In truth, however, all of this data is related to people and enables statements about specific people. However, data protection officers are often excluded or pushed back from relevant discussions, rather than looking for solutions in collaboration with business and politics that will protect theensure consumers and the innovative ability of companies.

The need for a comprehensive modernization of data protection law

Although data protection law is a comparatively young legal matter, there is an urgent need for fundamental modernization today. The applicable laws essentially reflect the technical status and the way of thinking of the 1970s and 1980s. Since then, however, the technical infrastructure and procedures have changed fundamentally: The universal networking aboutThe Internet, the miniaturization of IT components and new software technologies have made information technology more decentralized, flexible and ubiquitous than ever before. The old regulations, which were tailored to centralized mainframe and clearly defined data processing processes, are not meeting the requirements of the modern information societymore fair.

Reform discussions and political blockades: The long way to renewal

Since the mid-1990s, the need for a fundamental reform of data protection law has been discussed in specialist circles and at the political level. After taking office in 1998, the red-green federal government initiated a comprehensive modernization project. Experts such as Professors Roßnagel, Garstka and Pfitzmann prepared an expert opinion that was presented in the summer of 2001and included numerous innovative proposals. But the political framework changed fundamentally after the events of September 11, 2001: The Federal Ministry of the Interior withdrew from the data protection reform and the report disappeared into the drawers of the ministerial bureaucracy. Until today it is waiting for its rediscovery and implementation. This became a historical opportunitywasted to make data protection law sustainable and to strengthen the protection of civil rights in the digital society in the long term.

Outlook: The future of data protection in a digital world

The challenges facing German data protection law today are diverse and complex. They range from the lack of clarity and transparency of the regulations to insufficient sanction mechanisms to structural deficits in supervision and enforcement. At the same time, the social pressure to improve the protection of personal data is growing andstrengthen the right to informational self-determination. A comprehensive reform of data protection law is therefore essential in order to meet the requirements of the digital present and future. Only through clear, understandable and effective regulations can the citizens’ trust in the handling of their data be restored and the basis for a responsibleinformation society are created.