During the negotiations and discussions on the planned EU Regulation on data protection, those responsible never tire of emphasizing that one guiding principle is to protect citizens: to protect a right enshrined in the Constitution, the protection of personal data (Article 8 of the Charter of Fundamental Rights of the European Union). On the other hand, the new rules should also facilitate the free flow of data and the economic use of this data by companies.
The European Commission's ambitious plan must not make the mistake of taking legal decisions that bypass existing reality. The risk of losing sight of the line between reality and fiction, and thereby creating legal requirements that are hardly enforceable, exists on two levels: on the side of the economy and businesses, and on the side of users and citizens.
Most of the measures envisaged in the planned EU Regulation are aimed at companies that handle data. A certain level of privacy on the web will be strongly dependent on the observance of these rules by the companies.
It’s a reality that developments often move rapidly, particularly in the area of Web 2.0 and social media services. Companies respond quickly to consumer habits, offering new services or shutting them down again. It’s also a reality that the amount of collected data is constantly increasing. Such problems are not always solely related to the will of companies to collect as much data as possible. The technical conditions and the habits of people also contribute to this. It is important to recognize, however, that these processes need to be considered if you want to create a sustainable European data protection law.
Fiction is therefore treated as reality when requirements are imposed on companies that the market already fails to observe fully today (or simply cannot comply with). Among these are the requirement of data minimization and the fundamental prohibition on handling personal data. Such principles are already reaching their practical limits or are simply not observed. Rather, the legislature should focus on imposing duties on companies at the level where the company alone has influence over, control of and responsibility for the processing of data and its outcome. This is the downstream phase of data processing and analysis, as well as the very early phase of offering the service on the Internet: the actual first contact with users. It therefore appears fictitious, for example, to create a system in which a company has to approach the data protection authority if, after an impact assessment, it is of the opinion that the data processing could possibly cause risks for citizens.
But how can a company perform an impact assessment correctly when it cannot itself predict the results of the data analysis? Again, it seems more realistic to concentrate on the level of processing itself: the level at which businesses use personal information. Similarly, legislative requirements should be created where users interact with the services themselves, at the interface between citizens and businesses.
This is not to say that the legislature should let individual large and popular services dictate how to put together privacy laws for the future, because such services are often only a snapshot. It seems important, however, to respect the fundamental developments in our society and the economy.
The second area that needs to be taken into account for a realistic, effective and forward-looking data protection law is that of the data source. This does not mean that citizens should be the target of requirements established by the EU Regulation on data protection. Rather, the point is to recognize how society behaves on the Internet, that is, how data is given away, and how this can influence the legal obligations of companies under the planned EU Regulation.
It’s a reality that people on the Internet demand more privacy and tougher data protection laws on the one hand, but behave in the opposite way on the other. This discrepancy is also due to the fact that many parts of society currently still have no sense of the value of personal data or of the possibilities that the processing of personal data offers. Another reason is that people have no idea what happens to their data, yet put their concerns aside when it comes to using the Internet and its functions. Nobody today will read page after page of policies to find out what a company does with the data when they want to use the service as soon as possible.
It seems a fiction to assume that only the fully informed and technically advanced user will be the target of the processing of personal data. This type of user may exist, but he is far from representing the majority. Many users do not know how cookies work, how to delete them, or how tracking works. But it also seems fictitious to draft legal provisions in such a way that data subjects must be informed expansively and in detail about the use of their data before processing begins. It seems more important to give citizens the opportunity to become aware of the value of their data through legal requirements on companies. In addition, information and policies should be provided where they are really relevant: before each processing step, and not at the start of the installation of a service on five pages or even more.
As a promising approach, the principle of privacy by default and by design should be supported. As long as this real discrepancy exists between users' lack of knowledge about the different ways of dealing with data on the one hand and their actual use of Internet services, and thus the giving up of their own data, on the other, truly effective and appropriate solutions must be found, for now but also for the coming years. If we stick to the time-honored principles, it will not change people's minds regarding their relationship to personal data and the existing possibilities for using and processing that data.