On 25.5.2018, the pan-European General Data Protection Regulation (GDPR for short) came into force. This regulation applies to all states in the EU and provides for high penalties for violations. Companies and private individuals can receive fines of up to €20,000,000 or 4% of annual turnover. In addition, the documentation requirements for companies, organizations and associations have increased enormously. Through this regulation, consumers received clearly defined rights vis-à-vis data-processing entities. After 2 years of GDPR, it is now time to take stock. What changes should be made to the GDPR?
The proposed changes
The main complaint is the lack of distinction between large global corporations and SMEs (small and medium-sized enterprises). Both have the same documentation and retention requirements. In addition, a relaxation of the regulations for data exports to unsafe third countries is being discussed. Technicians object to the lack of regulations related to AI. There is also debate about major hurdles to sharing data for research purposes.
Should the GDPR be changed? Is there a faster way?
The GDPR is a pan-European regulation, so any changes will have to go through a lengthy process. But maybe the GDPR doesn’t need to be changed at all. The GDPR already provides in its original version of 25.5.2018 (Article 97) that on 25.5.2020 and every four years thereafter, the Commission will submit a report to the European Parliament with assessments and reviews of the GDPR. Parliament is then supposed to review the reports and push through any necessary changes. This year, however, the review will be delayed due to the global pandemic. Additionally, the GDPR offers a quick method to adapt parts of the GDPR. Associations that “represent categories of controllers or processors”, such as the Chamber of Commerce, can draw up rules of conduct and have them confirmed by the supervisory authority.
Another approach would be to introduce a certification system that allows companies that care about data protection to demonstrate additional data protection measures and be certified for them.