Google, Amazon, Facebook - Who has a right to my data?

Report on the panel discussion on 13 November 2018 in the Augsburg town hall.

Over 100 interested citizens came to Augsburg's town hall for the panel discussion on 13 November 2018 with the topic "Google, Amazon, Facebook – Who has a right to my data?". The invitations to this event came from the Jean-Monnet Centre of Excellence INspiRE (European Integration – Rule of Law and Enforcement) under the leadership of Prof. Dr. Thomas M.J. Möllers from the law faculty of the University of Augsburg. This Centre of Excellence is funded by the Erasmus+ Program of the European Union and - for this event - worked in cooperation with the Europe-office of the city of Augsburg, the European Union Association Augsburg (Europa-Union Augsburg e.V.) and the adult education centre of Augsburg (Volkshochschule – VHS).

The opening words of the organisers emphasised the surplus value for the citizens of establishing a network between science and legal practice. An impulse-speech of Prof. Dr. Michael Schmidl (lawyer in Munich and honorary professor in Augsburg's faculty of law) then gave an introduction on the basics of European data protection law. He explained that the General Data Protection Regulation (GDPR) is based on the principle, that collecting and processing of data is first and foremost prohibited, unless the law explicitly allows it. Following the transparency principle, is has to be revealed to the person affected, what data is being processed and for what cause. Furthermore, they have a right to information on what personal data is saved and also a right to have the data deleted. But the individually affected person does not have an exclusive right to their own data, as the legitimate interests of third parties to collect the data have to be taken into account. Afterwards, the experts on stage in the areas of politics, science and economy discussed the strengths and weaknesses of data protection law (Prof. Dr. Michael Schmidl, lawyer Munich, honorary professor in Augsburg's faculty of law; Dr. Volker Ullrich, member of parliament, committee for European affairs and for law and consumer protection; Werner Hülsmann, constant chairman of the German association for data protection (Deutsche Vereinigung für Datenschutz e.V. – DVD); Rita Bottler, representative for data protection, Bavarian chamber of industries and commerce (Bayerische Industrie- und Handelskammertag e.V. – BIHK); Werner Stengg, European Commission, Head of Unit „E-Commerce & Online Platforms“ – DG CONNECT; Michael Will, head of ministry department, Bavarian ministry for internal affairs and integration, representative for data protection).

Data has evolved to an economical good, as for more and more companies their economic success is dependent on efficiently collecting and processing data. That is why companies are interested in receiving as much personal data as possible and as comprehensive as possible, in order to use these for their economic growth.

Furthermore, collecting and processing data cannot simply be qualified as a disadvantage for citizens. If used responsibly and meaningful, collecting and processing data can have a large, social benefit. One can, for example, think about analysing traffic data for land-use planning. Also, hosts offer their users free content, if they allow the host to observe their search behaviour. Personal data are therefore often the consideration for providing free internet applications. If users would not supply certain information, many applications would not function properly, be less efficient for the user or more expensive. In many cases the processing of data is plainly necessary or can vastly simplify processes.

Big companies have the power over an enormous amount of digitally collected information – some so personal, that many people in the analogous world would not share them, even with their closest friends. Some hosts are in a monopoly position of power, because their user have to consent into the processing of their data, or they are not able to use the application ("take it or leave it"). The big companies, that collect and process data efficiently, also have a big competitive advantage over their smaller competitors, often causing those smaller companies to not be able to stay active on the market. This networking effect needs to be compensated by an effective cartel and data protection law in order to protect the citizen and the competition itself. There are comprehensive sanctions by public authorities for misuse by companies. But next to interventions by the state, the citizen him-/herself is called upon, to choose responsibly, what data he/she wants to expose. In order to do this, the citizen can already regulate the specific settings for an application. Even the best data protection law is of no use, if the user him-/herself does not handle their personal data in a responsible way.

Therefore, the new GDPR has to be seen as an opportunity for companies as well as for citizens – whose interests are mostly contrary – to facilitate a unified protection standard. The citizen can trust on compliance with this standard, and the prerequisites are identical in the entire European Union. This also leads to a unified and simplified implementation for companies within the European Union.

Finally, especially companies are interested in clarifying the legal situation and, therefore, also clarifying legal questions regarding the GDPR, that first and foremost exist, because data protection is becoming more and more complex in practice. On the side of those, who process data, as well as on the side of those, who supply their data, a sensation of uneasiness arose as the GDPR was introduced, mostly because of a lack of interest and false information as well as insecurity. Citizens really do not know, what is being done with their data and are scared of becoming a person who has no secrets. Associations and companies are afraid of large administrative efforts and high fines. It was criticised, that the GDPR does not differentiate between small associations, middle-class companies and major corporations. The administrative effort (e.g. for the documentation of consents, list of proceedings, etc.) at the beginning seems to be a large hurdle especially for small units, which also leads to high expenditures. The counterargument was  made, that prior to the introduction of the GDPR the national data protection law applied equally to big corporations and small associations with a similar protection standard and that the new European regulation does not change much. Instead, the focus was redirected onto data protection and a sensitivity in this subject was created (which was only weakened in the previous years).

Data protection needs to function globally. It does not help the European citizen, if his/her data is handled responsibly inside Europe, but there is no protection, once the data is transferred into a third country. In this respect, the unification of data protection standards within Europe is definitely a step in the right direction. But international structures also need to be developed even further. The introduction of a European data protection law was necessary to strengthen the European internal market and is an opportunity for large, digital corporations to settle within and connect with Europe, as disadvantages due to location (different law in member states) have been abolished in contrast to other major jurisdictions. The possibilities to enforce data protection, especially against foreign corporations, has not been seen as ideal in the legal reality, even though ­– theoretically – fines amounting to tens of millions can be imposed. Nevertheless, the GDPR is a good and important step to strengthen the enforcement of data protection law. As long as Europe speaks with one voice and has uniform enforcement mechanisms and controlling authorities, enforcement against large, foreign corporations can be successful.

In regard to future developments, it is necessary to constantly evaluate the efficiency and legal enforcement of the GDPR. Gaps and regulatory overreach need to be identified and handled. In order to maintain the positive effect a unified data protection standard has on Europe, it is important that authorities are not afraid of imposing large fines in cases of severe violations. But, especially the sanctions on associations as well as on small and middle-class companies need to be proportional and  made with good judgment.

In summary, the new European data protection law was assessed positively: Corporations do not voluntarily expose themselves to get fined. Handling data responsibly can even have be beneficial for the marketing their own companies. An effective functioning data protection law that includes the citizens’ interests and the companies’ can even be an export model outside of Europe and therefore gain global attention.

The participants did not only attentively follow the discussion of experts with very different opinions, but many of them also participated with own questions and comments. It was  made clear, that data protection law in times of further digitalisation affects every citizen and will keep affecting them in the future. Following this, Prof. Dr. Thomas M.J. Möllers summarised the discussion in this closing words. Afterwards, the participants had the opportunity to exchange views with the experts during drinks.

    13. November 2018