GDPR compliance – still an important topic for companies in 2024
How is the GDPR being implemented in the German economy?
According to a representative survey by Bitkom, the GDPR has only been partially implemented in just under a third of the companies surveyed. Even in companies where the GDPR has largely been implemented, there is no relief after its introduction. 83% of respondents believe that the introduction of the GDPR will result in "permanently higher costs" for the company. 92% agreed with the statement that GDPR implementation is "never complete". The reasons for this also emerge from the survey: In addition to renewed reviews of GDPR compliance, triggered by the roll-out of new tools, legal uncertainties in the interpretation of the GDPR requirements are one of the most frequently cited challenges.
What were the key legal developments in 2023?
The biggest development in the middle of the year was certainly with regard to international data transfers. According to the Bitkom survey cited above, almost two thirds of companies based in Germany transfer personal data to countries outside the European Union. These are primarily the USA and the UK, for example due to the use of cloud services and communication services or the use of service providers. For data transfers to countries that are not part of the European Economic Area and for which there is no adequacy decision, suitable guarantees are required as a substitute. The EU-US Privacy Shield was declared invalid in July 2020 (Schrems II). This meant that the legal basis for data transfers to the USA was a factor of uncertainty for many years. The new agreement, known as the Data Privacy Framework, has been in force since July 2023. Even though there was some discussion before the new agreement was signed as to when it would be put to the legal test again, companies now formally have greater legal certainty when transferring data to the USA.
An important ruling was issued by the European Court of Justice (ECJ) at the beginning of December 2023. The case concerned a legal dispute between Deutsche Wohnen (now part of Vonovia) and the Berlin data protection authority. In its ruling, the ECJ confirmed that supervisory authorities may impose fines directly on companies – i.e. legal entities – based on proven violations of the GDPR. However, the naming of individual employees whose actions have resulted in breaches of the GDPR will not be necessary for a legally binding fine in future either. Instead, the ruling emphasizes the responsibility of company management to obligate employees to protect personal data and to train them accordingly. However, company management cannot exculpate itself despite all measures with regard to employee obligations and training.
What challenges do companies face?
In the context of international data transfers, the development of data protection standards in the USA and the UK in particular must be observed and a corresponding assessment made from the perspective of the GDPR. There have already been initial attempts to legally challenge the Data Privacy Framework, albeit initially without success. The non-governmental organization noyb also announced a challenge before the ECJ. With regard to the UK, the adequacy decision expires in June 2025. Accordingly, the EU Commission has yet to review whether personal data continues to be adequately protected in the UK.
The ECJ's decision in the Deutsche Wohnen case indirectly reinforces the need for companies to set up their internal data protection organization well. In addition to detailed data protection guidelines, a clear assignment of roles and responsibilities as well as raising awareness among all employees is of central importance. In this context, companies must take all necessary measures to increase the security and protection of personal data.
In addition, the implementation of the European Data Strategy in companies is becoming an increasingly relevant topic. The declared goal of creating a single market for data presupposes that companies have sufficient transparency about their data in general and the need to protect personal data in particular. With the expected increased use of artificial intelligence (AI), the legal and regulatory aspects of data protection must not be neglected. The EU's proposals for the creation of a legal framework for AI include a risk-based approach, which must also be examined from a data protection perspective. The tension between AI and data protection offers both opportunities and risks.
Author: Anne Pinke