On the Internet, we inevitably leave a lot of data. Companies want to use this data as freely as possible, but consumers protection demands self-determination rights for users.
“Can you give me your postal code?” This is sometimes asked in Germany when paying in shoe shops or fashion shops. The intention behind it is clear – companies want to know from which cities or districts their customers come. This enables them to draw conclusions about the various consumer groups.
Data are, to quote a much-used metaphor, the oil of the 21st century. They are the raw material that fuels entire industrial sectors. This applies particularly to business models on the Internet. Every time you click something online, you leave your tracks behind – and the evaluation of these tracks helps web site operators to get to know their users even better and to address them more purposefully. Tracking and targeting are the corresponding technical terms. Consumption and surfing patterns are established and they can be used to create relatively differentiated profiles. However, many consumers in Germany reject such practices; they do not want to be spied on either online or offline.
The fact that a large number of Germans are sceptical about this non-transparent collecting of data has historical reasons. Both in the Nazi dictatorship, as well as in the GDR, the monitoring of people was an instrument used by the repressive regime. That is why, ever since the Internet triumphantly moved into our lives, there has been a lively public debate about data protection. A lot of Germans attach great importance to the “informational self-determination” of their personal data, a term coined by a court verdict in the early 1980s.
A country-comparison study carried out by the Harvard Business Review from 2015 showed that German users were extremely concerned about their digital privacy – much more worried than users in China, India, the UK and the US. Nevertheless, exceedingly few Germans know anything about the technical details of tracking and targeting. Many users are “confused and would like more orientation and transparency in the digital world,” as the digital association, Bitkom, summed it all up some time ago and demanded that data protection laws be simplified, “so that users can be informed about the processing of their data in a more compact and understandable way.”
The EU data protection reform
Exactly that is what has been going on over the past few years. From 2012 to 2016, the European Union worked on a standardised data protection regulation. The young German MEP, Jan Philipp Albrecht, of the Bündnis 90 / Die Grünen party was the rapporteur appointed by the European Parliament, which means that he has played a decisive role in drawing up the law. Above all, he has tried to limit the influence of company lobbyists. “Data protection is the key to putting the focus back on the human being and to preventing them from becoming a plaything, object or even a victim of technological progress. Contrary to what the term “data protection” suggests, it is not really about the protection of data, but about the protection of people,” as he wrote in a brochure on data protection reform published in 2017.
One of the most important innovations in the EU regulation is that the European Union will no longer allow the use of the “sink or swim” method, which forces the user to consent to a comprehensive processing of his data, otherwise he will be excluded from certain websites or services. The so-called coupling prohibition now bans this practice that has been going on for so long. In addition, users now have the right of access to information. Companies must, when requested, clearly state what data they store and analyse and for what purpose. There is also the need for data economy – on-line services must offer default privacy settings and should be designed in such a way that they require as little personal data as possible.
Standards under pressure
From spring 2018, the EU regulation is to be enforced in all member states. However, it must first be transposed into national law. The German Federal Ministry of the Interior submitted a draft bill in 2016, which was adopted by the Cabinet in February 2017. This draft, however, has been criticised sharply by German data protectionists. While Germany, on a global level, has so far played a leading role in the protection of consumers, now even the new standards of the EU regulation are being undermined. According to the draft bill, the companies do not have to respond to the users' requests, if it involves too much effort on their part.
Florian Glatzner, consultant at the Verbraucherzentrale Bundesverband (Federation of German Consumer Organisations) finds this unbelievable: “How else can consumers exercise their rights?” No way should “too much effort” be either an apology or an excuse. Furthermore, the EU regulation did not provide for the possibility of the Federal Government intervening with such exceptions. “Companies must adapt their systems to the rights of users, not vice versa!” Bitkom, which represents the interests of the IT industry, sees this differently. The right to deletion could, for example, lead to “the structure of the database being compromised or becoming useless as a whole, particularly in complex databases,” as the statement read. The issue of what is going to be done with the digital data of users in Germany is still open. The draft bill is to be discussed extensively in the coming weeks in the Bundesrat (Federal Council) and the Bundestag (German Parliament).