Over 100 interested citizens came to Augsburg's town hall for
the panel discussion on 13 November 2018 with the topic "Google, Amazon, Facebook – Who
has a right to my data?". The invitations to this event came from the Jean-Monnet Centre of
Excellence INspiRE (European Integration – Rule of Law and Enforcement) under the leadership
of Prof. Dr. Thomas M.J. Möllers from the law faculty of the University of Augsburg.
This Centre of Excellence is funded by the Erasmus+ Program of the European Union and - for this
event - worked in cooperation with the Europe-office of the city of Augsburg, the European Union
Association Augsburg (Europa-Union Augsburg e.V.) and the adult education centre of Augsburg
(Volkshochschule – VHS).
The opening words of the organisers emphasised the surplus value for
the citizens of establishing a network between science and legal practice. An impulse-speech of
Prof. Dr. Michael Schmidl (lawyer in Munich and honorary professor in Augsburg's
faculty of law) then gave an introduction on the basics of European data protection law. He
explained that the General Data Protection Regulation (GDPR) is based on the principle, that
collecting and processing of data is first and foremost prohibited, unless the law explicitly allows
it. Following the transparency principle, is has to be revealed to the person affected, what data is
being processed and for what cause. Furthermore, they have a right to information on what personal
data is saved and also a right to have the data deleted. But the individually affected person does
not have an exclusive right to their own data, as the legitimate interests of third parties to
collect the data have to be taken into account. Afterwards, the experts on stage in the areas of
politics, science and economy discussed the strengths and weaknesses of data protection law (Prof.
Dr. Michael Schmidl, lawyer Munich, honorary professor in Augsburg's faculty of law;
Dr. Volker Ullrich, member of parliament, committee for European affairs and for law and
consumer protection; Werner Hülsmann, constant chairman of the German association for
data protection (Deutsche Vereinigung für Datenschutz e.V. – DVD); Rita
Bottler, representative for data protection, Bavarian chamber of industries and commerce
(Bayerische Industrie- und Handelskammertag e.V. – BIHK); Werner Stengg, European
Commission, Head of Unit „E-Commerce & Online Platforms“ – DG CONNECT;
Michael Will, head of ministry department, Bavarian ministry for internal affairs and
integration, representative for data protection).

Data has evolved to an economical good, as for more and more
companies their economic success is dependent on efficiently collecting and processing data. That is
why companies are interested in receiving as much personal data as possible and as comprehensive as
possible, in order to use these for their economic growth.
Furthermore, collecting and processing data cannot simply be
qualified as a disadvantage for citizens. If used responsibly and meaningful, collecting and
processing data can have a large, social benefit. One can, for example, think about analysing
traffic data for land-use planning. Also, hosts offer their users free content, if they allow the
host to observe their search behaviour. Personal data are therefore often the consideration for
providing free internet applications. If users would not supply certain information, many
applications would not function properly, be less efficient for the user or more expensive. In many
cases the processing of data is plainly necessary or can vastly simplify processes.
Big companies have the power over an enormous amount of digitally
collected information – some so personal, that many people in the analogous world would not
share them, even with their closest friends. Some hosts are in a monopoly position of power, because
their user have to consent into the processing of their data, or they are not able to use the
application ("take it or leave it"). The big companies, that collect and process data
efficiently, also have a big competitive advantage over their smaller competitors, often causing
those smaller companies to not be able to stay active on the market. This networking effect needs to
be compensated by an effective cartel and data protection law in order to protect the citizen and
the competition itself. There are comprehensive sanctions by public authorities for misuse by
companies. But next to interventions by the state, the citizen him-/herself is called upon, to
choose responsibly, what data he/she wants to expose. In order to do this, the citizen can already
regulate the specific settings for an application. Even the best data protection law is of no use,
if the user him-/herself does not handle their personal data in a responsible way.
Therefore, the new GDPR has to be seen as an opportunity for
companies as well as for citizens – whose interests are mostly contrary – to facilitate
a unified protection standard. The citizen can trust on compliance with this standard, and the
prerequisites are identical in the entire European Union. This also leads to a unified and
simplified implementation for companies within the European Union.
Finally, especially companies are interested in clarifying the legal
situation and, therefore, also clarifying legal questions regarding the GDPR, that first and
foremost exist, because data protection is becoming more and more complex in practice. On the side
of those, who process data, as well as on the side of those, who supply their data, a sensation of
uneasiness arose as the GDPR was introduced, mostly because of a lack of interest and false
information as well as insecurity. Citizens really do not know, what is being done with their data
and are scared of becoming a person who has no secrets. Associations and companies are afraid of
large administrative efforts and high fines. It was criticised, that the GDPR does not differentiate
between small associations, middle-class companies and major corporations. The administrative effort
(e.g. for the documentation of consents, list of proceedings, etc.) at the beginning seems to be a
large hurdle especially for small units, which also leads to high expenditures. The counterargument
was made, that prior to the introduction of the GDPR the national data protection law applied
equally to big corporations and small associations with a similar protection standard and that the
new European regulation does not change much. Instead, the focus was redirected onto data protection
and a sensitivity in this subject was created (which was only weakened in the previous years).
Data protection needs to function globally. It does not help the
European citizen, if his/her data is handled responsibly inside Europe, but there is no protection,
once the data is transferred into a third country. In this respect, the unification of data
protection standards within Europe is definitely a step in the right direction. But international
structures also need to be developed even further. The introduction of a European data protection
law was necessary to strengthen the European internal market and is an opportunity for large,
digital corporations to settle within and connect with Europe, as disadvantages due to location
(different law in member states) have been abolished in contrast to other major jurisdictions. The
possibilities to enforce data protection, especially against foreign corporations, has not been seen
as ideal in the legal reality, even though – theoretically – fines amounting to
tens of millions can be imposed. Nevertheless, the GDPR is a good and important step to strengthen
the enforcement of data protection law. As long as Europe speaks with one voice and has uniform
enforcement mechanisms and controlling authorities, enforcement against large, foreign corporations
can be successful.
In regard to future developments, it is necessary to constantly
evaluate the efficiency and legal enforcement of the GDPR. Gaps and regulatory overreach need to be
identified and handled. In order to maintain the positive effect a unified data protection standard
has on Europe, it is important that authorities are not afraid of imposing large fines in cases of
severe violations. But, especially the sanctions on associations as well as on small and
middle-class companies need to be proportional and made with good judgment.
In summary, the new European data protection law was assessed
positively: Corporations do not voluntarily expose themselves to get fined. Handling data
responsibly can even have be beneficial for the marketing their own companies. An effective
functioning data protection law that includes the citizens’ interests and the companies’
can even be an export model outside of Europe and therefore gain global attention.
The participants did not only attentively follow the discussion of
experts with very different opinions, but many of them also participated with own questions and
comments. It was made clear, that data protection law in times of further digitalisation affects
every citizen and will keep affecting them in the future. Following this, Prof. Dr. Thomas M.J.
Möllers summarised the discussion in this closing words. Afterwards, the participants had
the opportunity to exchange views with the experts during drinks.

|