The GDPR is celebrating its fifth anniversary. The European General Data Protection Regulation has been in force since May 25, 2020. Even though it cost those responsible a lot of nerves when it was introduced, it can be considered a success story. It has brought about extremely positive results: above all, it has raised general awareness of data protection issues.
This has been ensured not least by the many headlines about the hefty fines imposed for violations of the GDPR. Even powerful US players have no option but to pay it the attention it deserves. This was also recently felt by the Meta Group, which was ordered to pay a record fine of 1.2 billion euros for passing on European Facebook user data to the USA.
The success story of GDPR
That the GDPR is a success story is also shown by the many imitators it has found around the world. Australia, Brazil, South Korea, Thailand and even U.S. states like California have adopted it as a model for their data protection laws. On September 1, 2023, the new Data Protection Act (nDSG) will come into force in Switzerland. It will strengthen the rights of Swiss citizens in the digital age and raise data protection in the Swiss Confederation to a level comparable with the EU states – also by taking the GDPR as a model.
It practically goes without saying that companies should adhere to the requirements of the European General Data Protection Regulation. In addition to the many good moral, legal and financial reasons, another good reason has now been added after five years: in the future, companies will also have to be prepared for claims for compensation for non-material damage in the event of violations. In a landmark ruling at the beginning of May 2023, the European Court of Justice confirmed that victims of infringements can claim damages for immaterial harm such as exposure, similar to damages for pain and suffering in cases of bodily injury. It is therefore more important than ever for companies to implement clean processes to fulfil their obligations.
The way ahead for GDPR
For the European Commission, the fifth anniversary would actually be the ideal occasion to take another look at itself. It is currently in the process of making the same mistake a third time. In recent years, the European Court of Justice has already overturned two agreements between the Commission and the United States. First “Safe Harbor” and then “Privacy Shield” were supposed to guarantee secure data transfer from Europe to America, but the highest European judges pulled the emergency brake both times. Because of the extensive access rights of the American intelligence services, they argued, the personal data of European citizens was not sufficiently protected by US companies in the sense of the GDPR.
Recently, the EU Commission and the U.S. government agreed on a new regulation that is threatened with the same fate. Indeed, there is nothing to suggest that anything will change in the U.S. surveillance laws – and thus in the fundamental problem. Data protection experts therefore assume that the European Court of Justice will also annul this “Privacy Shield 2.0” agreement. Companies will then be threatened with further years of legal uncertainty when using U.S. cloud solutions.
To prevent this, the European Commission should use the occasion of the anniversary to reflect on what it really needs: a “No Spy” agreement with the USA that guarantees the renunciation of intelligence activities. Until such an agreement is reached, the fact remains that the clouds of US providers cannot be used for personal data in a legally secure manner. Fortunately, alternative digitally sovereign solutions are available.