
Dr. Winfried Veil*

The GDPR: The Emperor’s New Clothes

- On the Structural Shortcomings of Both the Old and the New Data Protection Law -**

And so off went the Emperor in procession under his splendid canopy. Everyone in the streets and the windows said, "Oh, how fine are the Emperor's new clothes! Don't they fit him to perfection? And see his long train!" Nobody would confess that he couldn't see anything, for that would prove him either unfit for his position, or a fool. No costume the Emperor had worn before was ever such a complete success. "But he hasn't got anything on", a little child said. "Did you ever hear such innocent prattle?" said its father. And one person whispered to another what the child had said, "He hasn't anything on. A child says he hasn't anything on."

I. Introduction
II. Structural shortcomings in data protection law
    1. Utopia of informational self-determination
    2. Ineligibility of consent
    3. "Präventives Verbot mit Erlaubnisvorbehalt" (= precautionary principle)
    4. Disregard for the freedoms of communication
    5. The unanswered question: what is protected?
        a) Germany
        b) European Union
        c) Council of Europe
        d) OECD
        e) Multitude of "Schutzgüter"
    6. "One size fits all" approach and "all or nothing" approach
III. Limiting and specifying the scope of data protection law
    1. Clarifying the fundamental rights foundation of data protection law
    2. Limiting the purposes of data protection (= solving the "Schutzgut" question)
    3. Abandoning the precautionary principle
    4. Balancing of interests
IV. Summary

Electronic copy available at: https://ssrn.com/abstract=3305056


Abstract

The General Data Protection Regulation (GDPR) has many fans and supporters: politicians, supervisory authorities, data protection officers, lawyers, consultants, IT specialists, academics, privacy activists and last but not least, the European Commission – all sing the hymn of the new data protection law. For them data protection law made by the EU is the global "gold standard", the EU is the "trust centre of the world", and the GDPR is like a “cathedral”.

On the other hand, many complain about the bureaucratic, costly, overly detailed and unrealistic specifications of the GDPR. However, they usually lack the language to transform their justified objections into a critique of fundamental principles. In taboo-laden, ideologically led confrontations over data protection, only a few dare to become heretics by stating that data protection threatens to become an end in itself or by calling the GDPR a "Frankenstein monster", the "greatest catastrophe of the 21st century", a "digital counterrevolution" or the "perfection of a dead end".

This paper summarises the various currents of fundamental criticism of data protection law, in particular the utopia of informational self-determination, the ineligibility of the legal instrument of consent, the precautionary principle, the GDPR’s disregard for the freedoms of communication, the unanswered question of what should be protected at all, the "one size fits all" approach and the "all or nothing" approach.

For now we have to live with the GDPR. It is, however, so incoherent, so inconsistent in its interpretation and so incomplete (while at the same time prescriptive) that fundamental criticism is useful for the further development of the law through jurisprudence and practice. And finally, it is worthwhile to prepare for a "day after" scenario, following the not entirely unlikely event of the GDPR’s failure in practice.

Until then, we are still waiting for the moment when the little child appears and everyone realises that the emperor is naked.

This paper is written from a German perspective (without disregarding non-German literature). This means, for example, that the right to informational self-determination and the data protection lobby, which is strong in Germany, are given a lot of space. It could therefore help to clarify German peculiarities (not to say explain German "Sonderwege"). In particular, however, it should also be a contribution to intercultural dialogue on the basic principles of data protection.


I. Introduction

The hype surrounding the General Data Protection Regulation (GDPR) is somewhat reminiscent of the excitement about the emperor's new clothes in Hans Christian Andersen's fairy tale.1 Politicians, supervisory authorities, data protection officers, lawyers, consultants, IT specialists, academics, privacy activists and last but not least, the European Commission – all sing the hymn of the new data protection law. There are some lonely hecklers who call it a "Frankenstein’s monster"2, the "greatest catastrophe of the 21st century"3, the "digital counterrevolution"4 or the "perfection of a dead end"5. But we are still waiting for the moment when the little child realizes that the emperor is naked.

Data protection, just like the emperor’s new clothes, is in fact a tabooed, ideological subject. Those who question its basic principles quickly become heretics. This may be partly due to the fact that many do not earn badly from data protection law. But it is probably also due to the now deeply rooted belief in its meaningfulness. If the president of the French data protection supervisory authority, CNIL, thinks that the GDPR is like a "cathedral"6, then it is no coincidence that this comparison has religious undertones.

Even if it is the case that with the GDPR, the final triumph in this particular regulatory idea is presented, thereby becoming the global "gold standard" (Jan-Philipp Albrecht), and deeming Europe the "trust centre of the world" (Paul Nemitz), it is worth taking a look at the fundamental criticism of the current, supposedly optionless system and viewing possible alternatives. On the one hand, the number of those who consider the chosen way to be a mistake is not quite so small.7 On the other hand, the GDPR is so open, incoherent, inconsistent in its interpretation and

* The author is a Referent at the Federal Ministry of the Interior, Building and Community of the Federal Republic of Germany. He was involved on behalf of the German Government in the negotiations on the GDPR in the Council working group DAPIX and is co-editor and author of a commentary book on the GDPR. The article reflects exclusively the personal opinion of the author.

** The article was first published (in German) here: Winfried Veil (2018). „Die Datenschutz-Grundverordnung: des Kaisers neue Kleider - Zu den Strukturdefiziten des alten wie des neuen Datenschutzrechts.“ In Neue Zeitschrift für Verwaltungsrecht 10: 686-696. Available online: https://rsw.beck.de/cms/?toc=NVwZ.root&docid=405844.

1 Only after the completion of this article did the author realise that Schulzki-Haddouti also felt reminded (albeit with a slightly different focus) of this fairy tale: Christiane Schulzki-Haddouti (2016). „Des Kaisers neue Kleider – Wie sieht eine angemessene Datenschutzkontrolle aus?“ In Zukunft der informationellen Selbstbestimmung: 111-126 (125). Edited by Stiftung Datenschutz. Berlin: Erich Schmidt.

2 Caspar Bowden (2014). https://twitter.com/CasparBowden/status/546367811715870720 (accessed 19 December 2018).

3 Thomas Hoeren (2016). https://www.heise.de/newsticker/meldung/Rechtsexperte-Datenschutz-Grundverordnung-als-groesste-Katastrophe-des-21-Jahrhunderts-3190299.html (accessed 19 December 2018).

4 Christoph Kucklick (2017). https://www.youtube.com/watch?v=f0jgwITdNqc&t=1915s (at 3 h 51 min; accessed 19 December 2018).

5 Niko Härting / Jochen Schneider (2015). „Das Ende des Datenschutzes - es lebe die Privatsphäre. Ein Rückbesinnung auf die Kern-Anliegen des Privatsphärenschutzes.“ In Computer und Recht 12: 819-827 (820).

6 Isabelle Falque-Pierottin (2016). https://iapp.org/news/a/how-to-build-a-cathedral-in-two-years/ (accessed 19 December 2018).

7 See only Hans Peter Bull (2011). Informationelle Selbstbestimmung - Vision oder Illusion? Second Edition. Tübingen: Mohr Siebeck; Hans Peter Bull (2015). Sinn und Unsinn des Datenschutzes. Tübingen: Mohr Siebeck; Hans Peter Bull (2017). „Fehlentwicklungen im Datenschutz am Beispiel der Videoüberwachung.“ In Juristenzeitung 17: 797-806; Thomas Giesen (2007). „Das Grundrecht auf Datenverarbeitung.“ In: Juristenzeitung 19: 918-927; Thomas Giesen (2012). „Imperiale und totalitäre Züge des Kommissionsentwurfs für eine europäische Datenschutzverordnung.“ In Computer und Recht: 550-556; Thomas Giesen (2013). „Kurzes Plädoyer gegen unser Totalverbot: Deine Daten gehören Dir keineswegs!“ In Privacy in Germany 2: 62-64; Thomas Giesen (2014). „Für ein verfassungsgemäßes Datenschutzrecht in Europa.“ In Computer und Recht: 550-556; Härting / Schneider, see footnote 5; Woodrow Hartzog (2018). “The Case Against Idealising Control.” In European Data Protection Law Review 4: 423-432. https://edpl.lexxion.eu/article/edpl/2018/4/5 (accessed 19 December 2018); Bert-Jaap Koops (2014). „The trouble with European Data Protection Law.“ In Tilburg Research Paper No. 04/2015: 1-14. https://ssrn.com/abstract=2505692 (accessed 19 December 2018); Karl-Heinz Ladeur (2009). „Das Recht auf informationelle Selbstbestimmung: Eine juristische Fehlkonstruktion?“ In Die Öffentliche Verwaltung 2: 45-55; Franziska Leucker (2015). „Die zehn Märchen der Datenschutzreform“ In Privacy in Germany 5: 195-202; Bernd Lutterbeck (2010). „Das informationelle Selbstbestimmungsrecht auf dem Prüfstand.“ http://lutterbeck.org/data/uploads/lutterbeck_isr-28092010-1.1.pdf (accessed 19 December 2018); Bernd Lutterbeck (2011). „Komplexe Texte - einfache Regeln. Zwischen Liberalität und Paternalismus - Wo fördert, wo beschränkt der Datenschutz Bürgerrechte.“ In Staat, Verwaltung, Information. Festschrift für H. P. Bull zum 75. Geburtstag: 1017-1028. Edited by Mehde / Ramsauer / Seckelmann. Berlin: Duncker & Humblot. http://lutterbeck.org/data/uploads/Lutterbeck_FSBull2011.pdf (accessed 19 December 2018); Bernd Lutterbeck (2013).


incompleteness (with simultaneous prescriptiveness), that fundamental criticism is also useful in the further development of the law through jurisprudence and practice. And finally, it is worthwhile to prepare for a "day after" scenario, following the not entirely unlikely event of the GDPR’s failure in practice.

II. Structural shortcomings in data protection law

1. Utopia of informational self-determination

In Germany the idea of informational self-determination has long been predominant in the data protection discourse. In fact, there is a widespread notion that informational self-determination and data protection are identical. Informational self-determination as a human right was developed by the German Federal Constitutional Court in its "Volkszählung" (= census) judgement in 1983. The Court said that everyone should in principle be able to know and decide for themselves who collects and processes which data about them.

However, the possibility of controlling the fate of "personal data", which the Court presupposes, is already doubtful.8 Many data protection activists believe in it.9 Among judges and legal experts, there are only a few sceptics who consider the court's approach "unsuccessful"10, calling it a "Sermon on the Mount of Data Protection"11, a "wrong course-setting", a "half-hearted formula of compromises" and even a piece of "Grundrechtstheologie" (= theology of fundamental rights).12 In fact, the comprehensive claim to guarantee the individual informational self-determination is compatible with neither legal nor social reality, nor is it desirable:

From a legal point of view, you cannot assume a general rule of self-determination if every individual has to accept as many restrictions as the law provides for. The GDPR alone names (non-exhaustively) some 30 different public interests which may justify a restriction to

„Was würde Wilhelm Steinmüller heute als ein gutes Datenschutzkonzept akzeptieren?“ http://lutterbeck.org/data/uploads/lutterbeck-2013_steinmueller-memorial.pdf (accessed 19 December 2018); Johannes Masing (2012) „Herausforderungen des Datenschutzes.“ In Neue Juristische Wochenschrift 32: 2305-2311; Johannes Masing (2012). „Ein Abschied von den Grundrechten.“ In Süddeutsche Zeitung of 9 January 2012; Johannes Masing (2014) „Datenschutz - ein unterentwickeltes oder überzogenes Grundrecht?“ In Sonderveröffentlichung zu Recht der Datenverarbeitung 2/2014: 3-9; Lokke Moerel (2014). „Big data protection: How to make the draft EU Regulation on Data Protection Future Proof”. Tilburg: Tilburg University. https://research.tilburguniversity.edu/en/publications/big-data-protection-how-to-make-the-draft-eu-regulation-on-data-p (accessed 19 December 2018); Lokke Moerel / Corien Prins (2016). “Privacy for the Homo Digitalis: Proposal for a New Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things.” https://ssrn.com/abstract=2784123 (accessed 19 December 2018); Alexander Roßnagel (2016). „Wie zukunftsfähig ist die Datenschutz-Grundverordnung?“ In Datenschutz und Datensicherheit 9: 561-565; Rainer Stentzel (2015) „Das Grundrecht auf …? Auf der Suche nach dem Schutzgut des Datenschutzes in der Europäischen Union.“ In Privacy in Germany 5: 185-190; Rainer Stentzel (2016) „Der datenschutzrechtliche Präventionsstaat. Rechtsstaatliche Risiken der ordnungsrechtlichen Dogmatik des Datenschutzrechts im privaten Bereich.“ In Privacy in Germany 2: 45-49; Edzard Schmidt-Jortzig (2018) „IT-Revolution und Datenschutz“ In: Die Öffentliche Verwaltung 1: 10-15; Friedrich Schoch (2012) „Das Recht auf informationelle Selbstbestimmung in der Informationsgesellschaft.“ In Der grundrechtsgeprägte Verfassungsstaat. Festschrift für Klaus Stern zum 80. Geburtstag: 1491-1512. Edited by Michael Sachs/Helmut Siekmann. Berlin: Duncker & Humblot; Winfried Veil (2018) „21 Thesen zum Irrweg der DS-GVO.“ https://www.cr-online.de/blog/2018/05/23/21-thesen-zum-irrweg-der-ds-gvo/ (accessed 19 December 2018).

8 Bull (2011), see footnote 7, p. 34; with further evidence: Hartzog, see footnote 7.

9 J.C. Buitelaar (2012). “Privacy: Back to the Roots.” In German Law Journal 13/3: 171-202; Antoinette Rouvroy / Yves Poullet (2009). “The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy. Reinventing Data Protection?”: 45–76. https://www.academia.edu/7754419/The_Right_to_Informational_Self-Determination_and_the_Value_of_Self-Development_Reassessing_the_Importance_of_Privacy_for_Democracy (accessed 19 December 2018).

10 Marion Albers (2005). Informationelle Selbstbestimmung: 238. Baden-Baden: Nomos.

11 Herbert Meister (1986). „Schutz vor Datenschutz? Wirtschafts- und rechtspolitische Anforderungen in einer Zeit ökonomischer Spannungen.“ In Datenschutz und Datensicherheit 3: 173-178 (175).

12 Karl-Heinz Ladeur (2000). „Datenschutz – Vom Abwehrrecht zur planerischen Optimierung von Wissensnetzwerken. Zur ‚objektiv-rechtlichen‘ Dimension des Datenschutzes“ In Datenschutz und Datensicherheit 24: 12-19 (15); Ladeur, see footnote 7, p. 45.


the right to informational self-determination by state authorities.13 And in the private sphere (i.e. in the relationship between citizens or between citizens and companies), fundamental rights of the controller and fundamental rights of third parties constantly justify restrictions on the informational self-determination of the data subject.

Also, social reality is different. Since man does not live alone in the world, autonomy and heteronomy constantly alternate. In any case, self-determination cannot be seen as the default rule.14 Especially those who enter the public domain lose control over their image and their appearance.15

The German Federal Constitutional Court recognized this in its judgement on the census when it wrote:

"Information, even if related to individual persons, represents a reflection of societal reality that cannot be exclusively assigned solely to the parties affected."16

Accordingly (and in accordance with Art. 4 No. 1 GDPR), the subject of data protection law is not data, but information. Data only becomes information if there is someone who transmits and someone who receives it. The "data" can never be attributed to a single individual.17 Rather, every piece of information is communication. And that is the dilemma of the idea of self-determination: it has its justification as a right of defence against the state; between private individuals, however, it is anti-communicative.

The voluntary nature, which must form the logical basis for self-determination and which is explicitly required for consent (Art. 4 No. 11 and Art. 7 (4) GDPR; Rec. 32, 42 and 43 GDPR), is also generally an illusion. Anyone who wants a loan does not volunteer for a credit check.

Koops is right to ask what world people live in who claim that individuals can exercise control over their personal data.18 Within the digital context in particular, it is naïve to assume that individuals have a realistic possibility of controlling the processing of information related to them. The loss of control is not only an observable fact;19 a considerable proportion of Internet users no longer even think in the categories of the deterministic models of privacy which underlie the ideas of informational self-determination.20

Nevertheless, the German Federal Constitutional Court formulates:

13 Overview at Winfried Veil (2018). https://www.flickr.com/photos/winfried-veil/39501609474/in/dateposted-public/ (accessed on 19 December 2018).

14 Bull (2011), see footnote 7, p. 46.

15 ibid, p. 49.

16 Bundesverfassungsgericht. Judgement dated on 15 December 1983 - BVerfG, 15.12.1983 - 1 BvR 209/83, 1 BvR 269/83, 1 BvR 362/83, 1 BvR 420/83, 1 BvR 440/83, 1 BvR 484/83. BVerfGE 65, 1, 44.

17 Dietmar Kammerer (2017). „Das mehrfache Selbst der Selbstbestimmung im Kontext elektronischer Kommunikation.“ In Informationelle Selbstbestimmung im digitalen Wandel: 73-87 (85). Edited by Friedewald/Lamla/Roßnagel. Wiesbaden: Springer.

18 Koops, see footnote 7, p. 3.

19 Michael Seemann (2016). „Informationelle und andere Selbstbestimmungen. Wie das Internet unsere Freiheiten umsortiert.“ In Zukunft der informationellen Selbstbestimmung: 127-136 (129 et seq.). Edited by Stiftung Datenschutz, Berlin: Erich Schmidt.

20 Ricarda Moll (2017). „Die Zukunft des Rechts auf informationelle Selbstbestimmung aus medienpsychologischer Sicht.“ In Informationelle Selbstbestimmung im digitalen Wandel: 49-64 (53 et seq.). Edited by Friedewald/Lamla/Roßnagel. Wiesbaden: Springer.


"Those who are unable to assess at least some knowledge of possible communication partners, can be substantially restrained in their freedom."21

These are the so-called "chilling effects"22 that might derive from other people’s knowledge about a data subject. However, everyone asks themselves how much their communication partner knows about them, and whether or not this inhibits their freedom. The image of man, which embodies the thesis of inhibition (as a result of intimidation effects), is that of a risk-averse person, and is not the image of a courageous freedom fighter.23

It is not imperative to make this image of man the representative guiding principle for an entire information legislation. The individual and societal assessment with regard to the consequences of public access to personal data has already undergone massive changes in just a few years. Internet users constantly make conscious decisions about their respective audiences on the basis of uncertain assumptions and probabilities.24 In addition to the concept of spheres with tiered steps of protection, there is the idea of contextual integrity.

And finally, self-determined action is the rule rather than the exception, even when the comprehensive knowledge of who knows one’s own personal information is unavailable. We also do not know how a nuclear power station, a motor vehicle or a refrigerator works, nor do we need to know. Ignorance (i.e. the state of not knowing) as the opposite of informational self-determination has to be acknowledged. Just as individuals must be empowered to make informed and well-founded decisions themselves, the reality must also be acknowledged that individuals make uninformed decisions in certain areas and situations of life due to scarcity of resources, lack of time and lack of expertise.25

An example of the danger in treating the idea of self-determination as an absolute is provided by the right of access in Art. 15 (1) and (2) GDPR. The legislator does not provide for any exceptions here, so that, for example, controllers’ trade and business secrets or public security interests cannot be invoked against the right of access.26

Von Lewinski is therefore right to replace the term "informational self-determination" with that of "informationelle Fremdbeschränkung" (= restricting the informational heteronomy). This reflects reality much better. The data subject has a say in the processing of one’s personal data but does not always have the last word.27 And it makes clear that the individual's claim to privacy or confidentiality is only one of many factors which may or may not outweigh and prevail over controllers’ or third parties’ interests – depending, for example, on the processing context,

21 Bundesverfassungsgericht, see footnote 16, BVerfGE 65, 1 (43).

22 Recommendable for this: Telemedicus. “Themenseite Chilling Effects”. https://www.telemedicus.info/tag/Chilling+Effects (accessed on 19 December 2018).

23 Bull (2011), p. 47.

24 Moll, see footnote 20, p. 55 et seq.

25 Moerel/Prins, see footnote 7, p. 84.

26 For this in detail see Winfried Veil (2017). Article 15 GDPR. In Kommentar Datenschutz-Grundverordnung: marginal number 162 et seq. Edited by Gierschmann / Schlender / Stentzel / Veil. Köln: Bundesanzeiger.

27 Kai von Lewinski (2017). Einführung. In: DSGVO – BDSG: marginal number 27. Edited by Eßer/Kramer/von Lewinski. Fifth Edition. Köln: Heymanns.


the need for protection of the data subject, and the degree of importance of controllers’ or third parties’ interests.

2. Ineligibility of consent

Closely linked to the idea of informational self-determination is the myth28 which builds itself around the legal instrument of consent. Informed consent is not only regarded as a "cornerstone of data protection law"29 and a "genuine expression of the right to informational self-determination".30 Sometimes it is even demanded that consent should have priority over all other legal grounds for legitimate data processing ("primacy of consent").31

The GDPR does not follow this line of thought. Instead, the six legal grounds for processing in Art. 6 (1) GDPR stand side by side on equal footing. However, the draft e-privacy regulation is largely based on consent.32

The responsibility of the data subject is only apparently strengthened by consent. Companies shift their responsibility to data subjects through dozens or even hundreds of pages of privacy policies and general terms and conditions. Of course, nobody reads them:

"No one has ever read a privacy notice who wasn't paid to do so."33

Especially in digital contexts, consent has become a formalized act that gives the user the illusion of control over "their" data and further nourishes the belief that they actually have influence on the data being processed. Instead, consent is an expression of a "take it or leave it" situation34 in which the data subject has no possibility of negotiating at all. Checking the box regresses to a "mechanical proceduralism"35. It is a "simulation of sovereignty".36 The approval effect of consent is based on legal fiction.

According to behavioral research, consent is in fact often based on subconscious affect decisions and not on conscious and concrete cost-benefit calculations.37 In addition, the requirement

28 Koops, see footnote 7, p. 3.

29 Jan Philipp Albrecht (2018). “#DSGVO, Teil 2: Klare Einwilligung als Eckpfeiler”. https://www.janalbrecht.eu/2018/01/2018-01-16-klare-einwilligung-als-eckpfeiler/ (accessed 19 December 2018).

30 Alexander Roßnagel / Andreas Pfitzmann / Hansjürgen Garstka, Modernisierung des Datenschutzrechts: p. 15. Edited by Bundesministerium des Innern. Berlin. https://pdfs.semanticscholar.org/fa68/4e56317983fb6c379f29de8f61b4e22d3087.pdf (accessed 20 December 2018).

31 ibid, p. 72.

32 Compare in particular Art. 6 of the proposal of the European Commission of 10 January 2017 (COM(2017) final 2017/0003 (COD).

33 Paul M. Schwartz / Karl Nikolaus Peifer (2017). “Transatlantic Data Privacy”. https://ssrn.com/abstract=3066971 (accessed 20 December 2018), p. 36.

34 Frederik J. Zuiderveen Borgesius / Sanne Kruikemeier / Sophie C. Boerman / Natali Helberger (2017). „Tracking Walls, Take-It-Or-Leave-It Choices, the GDPR, and the ePrivacy Regulation.“ In European Data Protection Law Review 3: 353-368. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3141290 (accessed 20 December 2018).

35 Moerel/Prins, see footnote 7, p. 8.

36 Martin Rost, “Neun Thesen zum Datenschutz”. http://www.maroki.de/pub/privacy/2014-05_Fundationes.html (accessed 19 December 2018).

37 Nikolai Horn / Anne Riechert / Christian Müller (2017). Neue Wege bei der Einwilligung im Datenschutz - technische, rechtliche und ökonomische Herausforderungen: p. 49. Edited by Stiftung Datenschutz. Leipzig. https://stiftungdatenschutz.org/fileadmin/Redaktion/Bilder/Abschluss_Studie_30032017/stiftungdatenschutz_broschuere_20170611_01.pdf (accessed 20 December 2018).


of consent strengthens established companies who already have the data subject’s consent, or due to their market power can easily obtain it.

The dilemma of consent cannot be solved by making consent more practical (for example with short texts and symbols) and more informative (for example through simple language and technical tools): actually, the simpler the consent procedure is, the less users will understand what they are actually consenting to. On the other hand, the way out cannot be to make consent more informed, deliberate, and binding: the more meaningful the consent procedure, the more impractical the consent becomes.38

Although all these shortcomings within the legal institution of consent have been sufficiently analysed, only a few have come to the conclusion that consent is not a good legal basis for legitimate data processing in online contexts.39 It would be better not to ignore the fact that consent actually is the worst legal instrument for ensuring informational self-determination.

3. "Präventives Verbot mit Erlaubnisvorbehalt" (= precautionary principle)

According to Art. 6 and 9 GDPR, personal data may only be processed if the data subject has consented or if a special authorization is legally provided. In German law terminology this concept is named "Präventives Verbot mit Erlaubnisvorbehalt", which means that the default rule is that processing personal data is forbidden unless there is an exception that has to be found in the law (or can be provided by the data subject’s consent). Thus, before starting to process personal data you always have to look for a legal ground that may justify your processing activities.

This precautionary principle dates back to the time when the primary aim of data protection was to protect individuals against data processing by state authorities. The principle was then, however, transferred from the state-citizen relationship to the citizen-citizen relationship. When used against the state the precautionary principle aims to restrict the power of the state. However, when used against citizens or companies, the ban on data processing heavily reduces the freedom of all those who would like to process personal data.

This regulatory technique is anti-processing. Together with the other preventive requirements of data protection law, it establishes an entire “Vorfeldschutz-Kaskade”40 (i.e. an overarching cascade of preventive protection measures). It has to be stated that the basic idea is behavioral control. Ranging from the principles of purpose limitation and data minimisation, to regulations such as "data protection by design" and "data protection by default", and through to legal consent requirements and other paternalistic instruments41, it becomes clear that the automated processing of personal data is inherently regarded as undesirable behaviour.

38 Koops, see footnote 7, p. 4.

39 Helen Nissenbaum (2011). “A Contextual Approach to Privacy Online.” Daedalus 140 (4): 32-48 (34 et seq.). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2567042 (accessed 20 December 2018); Koops, see footnote 7, p. 3.

40 Von Lewinski, see footnote 27, marginal number 17.

41 Christoph Krönke (2016). „Datenpaternalismus - Staatliche Interventionen im Online-Datenverkehr zwischen Privaten, dargestellt am Beispiel der Datenschutz-Grundverordnung.“ In: Der Staat 55, 319-351 (319).


The ban on processing personal data is monitored by state authorities with extensive powers of intervention and rights to sanction. Data protection authorities have the powers to provide any information, to carry out investigations, to obtain access to any premises of the controller, to issue warnings and to issue reprimands to citizens and companies, to order to comply with the law, to impose limitation including a ban on processing, to impose administrative fines, to order the suspension of data flows, and much more. Art. 58 GDPR contains 26 individual powers which the supervisory authorities hold.

These powers would be suitable to turn data protection law into an exhaustive state control instrument. Astonishing in this context is the trust in the State by many data protection advocates, who in principle believe that authorities are capable of every possible abuse of their powers, but in the case of data protection law assume that the supervisory authorities are from the outset "good" authorities who always favour fundamental rights. With its overreaching zeal for prevention, data protection laws would provide a perfect totalitarian surveillance matrix which the state could use against its citizens – and this within the area of informational access, which is generally used as an indicator to gauge the amount of freedom or paternalism allowed in a particular society.42

In addition, supervisory authorities are completely independent. There is no legal supervision by any other administrative bodies, nor any subject-specific supervision and no parliamentary responsibility. The question is who then oversees the work and also the processing of personal data (!) by the supervisory authorities.

But one does not have to think in categories of abuse, in order to consider the foundational pillars of the ban on processing personal data (borrowed from the state-citizen relationship) as questionable in the citizen-citizen relationship. In a free society, everyone is both a controller and a data subject.43 Private individuals stand facing each other freely. Their actions do not require explanation or justification and the processing of personal data also belongs to this freedom.44 However, data protection law requires that citizens seek a legal ground and fulfil numerous other obligations before the fundamental user rights can be exercised and the processing of personal data is allowed. Accordingly, the exercising of fundamental rights by private individuals is therefore subject to a similar “Gesetzesvorbehalt” (= reservation of statutory powers) as any action by the state. In this way, private individuals are bound by fundamental rights (namely the right to protection of personal data) although fundamental rights are addressed directly only to the institutions and bodies of the state45 (which in German is called “mittelbare Drittwirkung” (= indirect third-party effect)). In fact, this is an encroachment on the freedom of the controller to process personal data.46

42 Compare Giesen (2014), see footnote 7, p. 553; Stentzel (2016), see footnote 7, p. 49.

43 Giesen, ibid, p. 551.

44 Masing, „Herausforderungen …“, see footnote 7, p. 2307; Dieter Grimm (2013). „Der Datenschutz vor einer Neuorientierung.“ In Juristenzeitung 12: 585-592 (587 et seq.).

45 The fundamental rights of the Charter of Fundamental Rights are binding only on the Union, its bodies and the Member States (Art. 51 (1) CFR); detailed analysis of the topic: Sophie Victoria Knebel (2018). Die Drittwirkung der Grundrechte und -freiheiten gegenüber Privaten - Regulierungsmöglichkeiten sozialer Netzwerke. Baden-Baden: Nomos.

46 Von Lewinski, see footnote 27, BDSG Einleitung, marginal number 35.


This is a construction which endangers fundamental rights.47 Some GDPR provisions even explicitly prescribe that data protection shall take precedence over other fundamental rights in general. If one takes provisions such as Art. 25 (2) GDPR ("data protection by default"), for example, which obliges data protection to take precedence over other fundamental rights in its basic settings, it no longer appears to be merely a polemic to speak of data protection as a “Supergrundrecht” (= super fundamental right).

It is true that the economic or social power of a private individual/company can lead to fundamental rights being threatened, creating a special need to protect the personal freedom of other private individuals against this exceptionally powerful individual/company.48 This may strengthen the indirect obligation of this powerful individual/company deriving from fundamental rights in such a way that it comes close to the direct fundamental right obligation of the state (= “mittelbare Grundrechtsbindung”).49

Considerable risks of this kind are especially assumed for data subjects who face the information power of certain Internet companies, insurance companies, credit enquiry agencies, etc. However, Art. 8 CFR and the GDPR require all controllers to fulfil the same preventive obligations. At no point in the GDPR is there an indication that the existence of an informational asymmetry between controller and data subject is important.

4. Disregard for the freedoms of communication

There is a specific tension between data protection and the freedoms of communication.50

Under the GDPR every Internet user is a controller. Anyone who processes personal data on his publicly accessible website, or tweets about others, is subject to all rights and obligations of data protection law and supervision by the data protection authorities. This concerns for example almost every blogger and many website operators.

Whoever uses personal data for communication purposes by exercising his or her freedom of expression, freedom to hold opinions and to receive and impart information, freedom of the media, and freedom of the art and sciences must seek a legal basis in the GDPR. Even if these freedoms may be used for legitimate interests within the meaning of Art. 6 (1) (f) GDPR, it is still constitutionally questionable that exercising these freedoms of communication is initially prohibited, and that a weighing of interests (preferably documented), must be carried out before any said expression of opinion. However, GDPR not only requires a legal basis for processing

47 Compare Holger Greve (2013). „Drittwirkung des grundrechtlichen Datenschutzes im digitalen Zeitalter.“ In Beharren. Bewegen. Festschrift für Michael Kloepfer zum 70. Geburtstag: 665-677 (672) with further evidence. Edited by Franzius et al. Berlin: Duncker & Humblot.

48 Greve, ibid, p. 672 et seq.

49 Bundesverfassungsgericht. Judgement dated on 22 February 2011 - 1 BvR 699/06. BVerfGE 128, 226 (249); Alexander Hellgardt (2018). „Wer hat Angst vor der unmittelbaren Drittwirkung? Die Konsequenzen der Stadionverbot-Entscheidung des BVerfG für die deutsche Grundrechtsdogmatik.“ In Juristenzeitung 73: 901-910; Fabian Michl (2018). „Situativ staatsgleiche Grundrechtsbindung privater Akteure. Zugleich Besprechung von BVerfG, Beschluss vom 11.4.2018 – 1 BvR 3080/09.“ In Juristenzeitung 73: 910-918.

50 Compare Thomas Stadler (2018). “Schränkt die Datenschutzgrundverordnung Meinungsäußerungen im Internet ein?” http://www.internet-law.de/2018/03/schraenkt-die-datenschutzgrundverordnung-meinungsaeusserungen-im-internet-ein.html (accessed 20 December 2018); Benjamin Horvath (2018). “Das Ende der freien Veröffentlichung von Personenbildnissen – für die meisten von uns” https://www.cr-online.de/blog/2018/03/09/das-ende-der-freien-veroeffentlichung-von-personenbildnissen-fuer-die-meisten-von-uns/ (accessed 20 December 2018); Jan Mönikes (2017). “#NetzDG und #DSGVO – droht der Meinungsfreiheit in Deutschland ein ‘perfekter Sturm’?” https://www.telemedicus.info/article/3191-NetzDG-und-DSGVO-droht-der-Meinungsfreiheit-in-Deutschland-ein-perfekter-Sturm.html (accessed 20 December 2018); Winfried Veil, “Angriff auf Meinungsfreiheit und Internet.” https://www.cr-online.de/blog/2015/12/14/angriff-auf-internet-und-meinungsfreiheit-teil-i/ (accessed 20 December 2018).


data. Every controller must also fulfil dozens of accompanying obligations: he or she has to inform, to notify, to communicate, to ensure, to demonstrate, to verify, to document, and to be accountable.

The use of the Internet for private purposes is not excluded from this (at least on the basis of the "Lindqvist" ruling of the European Court of Justice51). If the GDPR’s canon of obligations were also taken seriously in this area, this would have a strangling effect on freedoms of communication.

This imbalance, which costs one’s freedom of communication, is reflected in many detailed GDPR regulations:

- The GDPR does not know the category of generally accessible personal data, which could be processed under often simplified conditions, for example, according to the old version of the German Federal Data Protection Act.52

- The household exemption according to Art. 2 (2) (d) GDPR is too narrow.53

- An unsolved problem is that every Internet publication is also a transfer of data to third countries. It is simply not possible to fulfil the requirements for third country transfers under Art. 44 to 50 GDPR.54

- By law, Member States shall reconcile the right to the protection of personal data with the freedoms of communication (Art. 85 (1) GDPR) and shall provide exemptions or derogations in favour of the freedoms of communication (Art. 85 (2) GDPR). So far, however, at the federal level, the German legislator has remained inactive and the state legislators seem to have only partially recognized the problem.

- The problems55 created by the "Google" ruling of the European Court of Justice on the "right to be forgotten"56 are also unsolved. Through de-listing, information is constantly being removed from the Internet – to the detriment of those who are looking for the information. However, those who are adversely affected most by de-listing are those whose legally published information can no longer be found on the Internet. Such third parties include press organizations, portal operators, website operators, host providers, bloggers and any actual person who has published an opinion or factual statement. Third parties do not have a custodian holding their

51 European Court of Justice. Judgement dated on 6 November 2013 - C-101/01 (“Lindqvist”).

52 The old version of the German Federal Data Protection Act allowed the processing of generally accessible personal data under simplified conditions, for example, if those data were processed for own business purposes (§ 28 I No. 3), for the purpose of transfer (§ 29 I No. 3), for modifications (§ 30 II No. 2), for purposes of market or opinion research (§§ 30a I No. 2 and II 2), or for further processing (§ 14 II No. 5). For the processing of generally accessible sensitive data (§ 3 IX) there were special provisions insofar as the data concerned had been evidently made public by the data subject (§ 13 II No. 4, § 28 VI No. 2). In many cases, the controller was not obliged to inform the data subject in case the processing concerned data that had been taken from generally accessible sources (§§ 33 II No. 7a, 8a, 9). § 35 VI 1 contained an exception to the obligation to correct, block or erase data if they had been taken from generally accessible sources. The restrictions for automated retrieval procedures (§ 10 I - IV) did not apply to the retrieval of generally accessible data (§ 10 V 1).

53 In detail see Max von Grafenstein (2017). Article 2 GDPR 2. In Kommentar Datenschutz-Grundverordnung: marginal number 33 et seq. Edited by Gierschmann / Schlender / Stentzel / Veil. Köln: Bundesanzeiger.

54 Veil, see footnote 50.

55 Compare Julia Rieder (2014). “Datenschutz und Meinungsfreiheit - zwei unvereinbare Gegensätze?” https://politik-digital.de/news/datenschutz-und-meinungsfreiheit-zwei-unvereinbare-gegensaetze-142314/ (accessed 20 December 2018).

56 European Court of Justice. Judgement dated on 13 May 2014 - C-131/12 („Google“).


interests. They are neither substantively nor procedurally involved in the decision on the question of de-listing. And this despite the fact that the publication of the information itself is lawful. The "right to be forgotten" turns search engines into private arbitration bodies that decide which publications can be found on the Internet. And the third parties concerned do not even have to be granted legal hearing. Google, in particular, is sitting on a huge "blackmail database" (Lorena Jaume-Palasi) with 754,943 applications for the delisting of 2,898,891 URLs.57

- The obligation of Internet intermediaries arising from Art. 18 GDPR ("right to restriction of processing") which makes content immediately inaccessible, without further examination, at the request of the data subject, is highly problematic and has hardly been discussed so far.58

Ultimately, the GDPR leads to a far-reaching “Kommunikationsregulierung im Internet” (= regulation of communication on the Internet). A general priority of the right to data protection over the freedom of expression threatens to override to a large extent the judicial achievements – some of which have been painstakingly enforced in a conflict-riddled process – which have made potentially critical open debate and public discussion possible, even in comparison with conventional concepts of honour, moral concepts and claims to social validity.59

5. The unanswered question: what is protected?

One of the great mysteries of data protection law is the question: what is protected?60 German law knows a term for this missing thing that is difficult to translate: it is the term “Schutzgut” (which means the legal asset that is protected by a certain law).

The “Schutzgut” of data protection law is completely unclear.

German data protection advocates usually see informational self-determination of the individual as the aim of data protection. According to another view, data protection law has an instrumental characteristic61 which serves to ensure the protection of other civil liberties. Data protection would then be first and foremost "Risikovorsorge" (= risk precaution).62 Granting data protection the status of a fundamental right ought to counteract dangers to the free development

57 Google, Transparency Report. https://transparencyreport.google.com/eu-privacy/overview (at the time of 18 December 2018).

58 Daphne Keller (2015). “Series Conclusion and Summary: Intermediaries and Free Expression under the GDPR, in brief.” http://cyberlaw.stanford.edu/blog/2015/12/series-conclusion-summary-intermediaries-and-free-expression-under-gdpr-brief (accessed 20 December 2018); in general on the liability of intermediaries: Daphne Keller (2017). “The Right Tools: Europe's Intermediary Liability Laws and the EU 2016 General Data Protection Regulation.” https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2914684 (accessed 20 December 2018).

59 Johannes Masing (2014). “RiBVerfG Masing: Vorläufige Einschätzung der ‘Google-Entscheidung’ des EuGH.” https://verfassungsblog.de/ribverfg-masing-vorlaeufige-einschaetzung-der-google-entscheidung-des-eugh/ (accessed 20 December 2018).

60 Attempts at systemisation: Daniel J. Solove (2008). „Understanding Privacy.“ GWU Legal Studies Research Paper No. 420. https://ssrn.com/abstract=1127888 (accessed 20 December 2018); Helen Nissenbaum (2010). „Privacy in Context. Technology, Policy, and the Integrity of Social Life.“ https://crypto.stanford.edu/portia/papers/privacy_in_context.pdf (accessed 20 December 2018); Kai von Lewinski (2014). „Die Matrix des Datenschutzes. Besichtigung und Ordnung eines Begriffsfeldes.“ Tübingen: Mohr Siebeck.

61 Gabriele Britz (2010). „Informationelle Selbstbestimmung zwischen rechtswissenschaftlicher Grundsatzkritik und Beharren des Bundesverfassungsgerichts.“ In Offene Rechtswissenschaft: 561-596 (568). Edited by Hoffmann-Riem. Tübingen: Mohr Siebeck.

62 Matthias Bäcker (2012). „Grundrechtlicher Informationsschutz gegen Private.“ In Der Staat 51: 91-116 (96); Grimm, see footnote 44, p. 586.


of personality.63 Others see the protection of privacy as a secondary, if not outdated, protectionary goal and instead, see the purpose of data protection law above all to be a defence against surveillance, which only could be achieved through the "Nichtverkettung" (= unlinkability) of information.64 Others are mainly concerned with combating power asymmetries between organisations (state, company, service provider) and individuals (citizen, customer, patient, client).65

A simple survey of the legal bases to date provides a highly heterogeneous picture:

a) Germany

In the judgement on census taking, the German Federal Constitutional Court derived the fundamental right to informational self-determination from the "Allgemeines Persönlichkeitsrecht" (= general right to personality) (Art. 2 (1) in conjunction with Art. 1 (1) of the German Constitution).66 This right is intended to guarantee the right of the individual to decide for oneself, in principle, on the disclosure and use of one’s personal data. A certain traditional line of German data protectionism sees informational self-determination as the aim of data protection law.67 It is anchored in the constitutions of Berlin, Brandenburg, Rhineland-Palatinate, Saxony and Thuringia. In addition, most state data protection laws saw their purpose to be the protection of the right to informational self-determination.

However, the former German Federal Data Protection Act stated explicitly that its purpose was "to protect individuals from being affected in their right to personality by the handling of their personal data". This was also the view of the data protection laws of Bavaria, Baden-Württemberg, Saxony-Anhalt and Thuringia. The right to respect and protect the right to personality and the right to private life is also enshrined in Thuringia's constitution.

In addition, there is the fundamental right to guarantee the confidentiality and integrity of information technology systems, which was also derived by the German Federal Constitutional Court from the general right to personality.68 This specific IT right supplements the technology-related protection of the secrecy of telecommunications (Art. 10 of the German Constitution) by a new form of information and infrastructure protection.69

The constitutions of Brandenburg, Bremen, Mecklenburg-Western Pomerania, North Rhine-Westphalia, Saarland, Saxony, Saxony-Anhalt and Thuringia have a right to protect personal data.

63 Matthias Cornils (2015). „Der grundrechtliche Rahmen für ein (trans-)nationales Datenschutzrecht im digitalen Zeitalter“ In Datenschutz im digitalen Zeitalter - global, europäisch, national.“: 11-51 (32). Schriftenreihe des Instituts für Rundfunkrecht an der Universität zu Köln. München: Beck.

64 So e.g. Kirsten Bock speaks of „Privatsphärengedöns“ (= privacy hullabaloo), https://twitter.com/privacyDE/status/965271054322163713 (accessed 20 December 2018).

65 Rost, see footnote 36.

66 Bundesverfassungsgericht, see footnote 16.

67 So e.g. explicitly Roßnagel/Pfitzmann/Garstka, see footnote 30, p. 14 (thesis 7).

68 Bundesverfassungsgericht. Judgement dated on 27 February 2008 - 1 BvR 370, 595/07. BVerfGE 120, 274.

69 Wolfgang Hoffmann-Riem (2008). „Der grundrechtliche Schutz der Vertraulichkeit und Integrität eigengenutzter informationstechnischer Systeme.“ In Juristenzeitung 2008: 1009-1022; von Lewinski, see footnote 46, marginal number 29.


b) European Union

The EU recognises the right to data protection in Art. 8 CFR70 and in Art. 16 TFEU.

In addition, Art. 7 CFR protects the right to respect for private and family life, home and communication.

According to Art. 1 (1) Directive 95/46, Member States shall "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data".

c) Council of Europe

Art. 8 of the European Convention of Human Rights contains a right to privacy similar to Art. 7 CFR.

Convention 108 of 1981 sees its purpose in securing respect for the rights and fundamental freedoms of the individual, in particular the right to privacy, with regard to automatic processing of personal data relating to him.71 In its current revised version, Convention 108 continues to emphasize the "right to privacy", but also refers in its preamble to the right to exercise control over personal data.72

d) OECD

The OECD "Guidelines governing the protection of privacy and transborder flows of personal data", adopted in 1980, see their purpose in the protection of "privacy and individual liberties" in the processing of "personal data".73 The revision of the guidelines in 2013 did not change this direction of protection.74

e) Multitude of "Schutzgüter"

With regard to the processing of personal data at the level of international, Union and national law, the following “Schutzgüter” have therefore been considered:

70 On the contouring of Art. 8 CFR through the case law of the ECJ: Jörn Reinhardt (2017). „Konturen des europäischen Datenschutzgrundrechts. Zu Gehalt und horizontaler Wirkung von Art. 8 GRCh.“ In Archiv des öffentlichen Rechts 142: 528-565.

71 Art. 1 Convention 108 of the Council of Europe: “The purpose of this Convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (‘data protection’).”

72 No. 9 “Draft Explanatory Report – Convention 108 modernised” (24. August 2016), https://rm.coe.int/16806b6ec2 (accessed 20 December): “Accordingly, the Preamble expressly refers to the right to personal autonomy and the right to control one’s personal data, which stems in particular from the right to privacy, as well as to the dignity of individuals.”

73 No. 2 OECD Guidelines: „These Guidelines apply to personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties.” – No. 6 OECD Guidelines: “These Guidelines should be regarded as minimum standards which are capable of being supplemented by additional measures for the protection of privacy and individual liberties.”

74 New version of No. 6 OECD Guidelines: „These Guidelines should be regarded as minimum standards which can be supplemented by additional measures for the protection of privacy and individual liberties, which may impact transborder flows of personal data.”


- the right to data protection (EU Charter of Fundamental Rights, TFEU, some German state constitutions),

- the right to personality (old version of German Federal Data Protection Act, data protection laws by some German state constitutions),

- the right to informational self-determination75 (German Federal Constitutional Court, constitutions and data protection laws by some German state constitutions),

- the right to guarantee the confidentiality and integrity of information technology systems (German Federal Constitutional Court),

- the right to respect for private life (EU Charter of Fundamental Rights, ECHR),

- the right to privacy76 (Data Protection Directive 95/46, Council of Europe Convention 108, OECD Guidelines),

- all fundamental rights and freedoms (Data Protection Directive 95/46),

- the concept of e-privacy77.

The content and range of coverage of these rights are far from being clear – and their relationship to each other even less so.78 It is therefore unclear whether and to what extent the protection of privacy (Council of Europe, OECD) and the protection of private life (ECHR, CFR) are congruent. It is uncertain whether the right to personality of the German Constitution includes the other rights mentioned. It is also uncertain to what extent the right to informational self-determination (derived from the German Constitution by the German Federal Constitutional Court) still has a future - with regard to the fact that the Charter of Fundamental Rights of the EU “only” contains the right to the protection of private life and the right to data protection. At any rate, the right to informational self-determination was hardly received internationally on a dogmatic level.79 The succinct assertion that there are "congruent standards in European law"80 for informational self-determination does not do justice to the complicated relationship between the fundamental rights of national constitutions and those of the Charter of Fundamental Rights.

75 Fundamental: Wolfgang Hoffmann-Riem (1998). „Informationelle Selbstbestimmung in der Informationsgesellschaft. Auf dem Weg zu einem neuen Konzept des Datenschutzes.“ In Archiv des öffentlichen Rechts 123: 513-540; Albers, see footnote 10.

76 Fundamental: Ruprecht Kamlah (1969). Right of Privacy. Köln: Heymanns; Ernst Benda (1974). „Privatsphäre und ‚Persönlichkeitsprofil‘.“ In Menschenwürde und freiheitliche Rechtsordnung. Festschrift für Willi Geiger zum 65. Geburtstag: 23-44. Edited by Leibholz / Faller / Mikat. Tübingen: Mohr Siebeck. James Q. Whitman (2004). "The Two Western Cultures of Privacy: Dignity versus Liberty.". Faculty Scholarship Series 649. https://digitalcommons.law.yale.edu/fss_papers/649/ (accessed 20 December 2018); Härting / Schneider, see footnote 5; Barbara Sandfuchs (2015). Privatheit wider Willen? Verhinderung informationeller Preisgabe im Internet nach deutschem und US-amerikanischem Verfassungsrecht. Tübingen: Mohr Siebeck; Bert-Jaap Koops / Bryce Clayton Newell / Tjerk Timan / Ivan Škorvánek / Tom Chokrevski / Maša Galič (2016). “A Typology of Privacy.” In: University of Pennsylvania Journal of International Law 38(2): 483-575. https://ssrn.com/abstract=2754043 (accessed 20 December 2018).

77 Compare Christoph Gusy / Johannes Eichenhofer / Laura Schulte (2016). „e-privacy. Von der Digitalisierung der Kommunikation zur Digitalisierung der Privatsphäre.“ In Jahrbuch des öffentlichen Rechts 64: 385-409.

78 Likewise Marion Albers (2017). „Informationelle Selbstbestimmung als vielschichtiges Bündel von Rechtsbindungen und Rechtspositionen.“ In Informationelle Selbstbestimmung im digitalen Wandel: 11-35 (22). Edited by Friedewald/Lamla/Roßnagel. Wiesbaden: Springer.

79 Stentzel (2015), see footnote 7, p. 186; Kai von Lewinski (2016). „Die Matrix des Datenschutzes als Glaskugel. Vorhersage über die zukünftige Bedeutung der informationellen Selbstbestimmung.“ In Zukunft der informationellen Selbstbestimmung: 75-82 (76). Edited by Stiftung Datenschutz. Berlin: Erich Schmidt.

80 Udo di Fabio (2016). Grundrechtsgeltung in digitalen Systemen: p. 48. München: Beck.

Electronic copy available at: https://ssrn.com/abstract=3305056


In the context of the GDPR, any national fundamental rights are only likely to play a role to the extent that the GDPR’s opening clauses give Member States autonomous scope for regulation.81

A side question: Why is the determination of a “Schutzgut” important at all? Here is an example: Art. 5 (1) (d) GDPR requires that personal data shall be "accurate and, where necessary, kept up to date". In a particular case, the provision has to be interpreted in order to find out what is meant by "where necessary". A company in the advertising industry, for instance, has to ask itself whether it must check the accuracy of its data stock on a constant basis. How often the data subject has to be asked whether the stored address is still up to date depends very much on the aim of this provision:

- If the accuracy of the data were an end in itself, the company would need to actively ensure this accuracy on a constant basis (actually at every second of processing).

- However, if the purpose of the provision were to protect the right to personality, the company would not have such a strict duty for accuracy. Rather, the addressees of the provision would be controllers who publish personal data (such as press companies) or who must avoid damages to the reputation of the data subject – and not an advertising company.

- If the provision were to prevent discrimination, the advertising company would, as well, not belong to the main target group of controllers. In this case, companies that make decisions with the possibility of ensuing negative effects for data subjects (e.g. credit agencies), would be the primary focus for the provision.

- If the primary purpose of the provision were to protect the quality of data analysis82, the advertising company would not be affected either.

One would think that the GDPR would clarify the central question of its purpose in view of these unclear situations. However, the GDPR neither defines nor designates a specific “Schutzgut”.83 It no longer even mentions the right to personality or the right to privacy as protected rights. Rather, it protects "the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data" (Art. 1 (2) GDPR).

The recitals of the GDPR hardly provide any more information. According to the recitals the principles and rules of the GDPR should respect the fundamental rights and freedoms of natural persons (Rec. 2 p. 1). There is only one place in the text where the right to respect for private and family life is mentioned – but only in the sense that the GDPR respects all fundamental rights recognised in the Charter, including the right to respect for private and family life (Rec. 4 p. 3). Moreover, the processing of personal data should be designed to serve mankind (!) (Rec. 4 p. 1). One recital recalls the informational self-determination (Rec. 7 p. 2):

"Natural persons should have control of their own personal data."

81 Holger Greve (2017). “Das neue Bundesdatenschutzgesetz.” In Neue Zeitschrift für Verwaltungsrecht 2017, 737-744 (744).

82 In this direction: Thomas Hoeren (2016). “Thesen zum Verhältnis von Big Data und Datenqualität. Erste Raster zum Erstellen juristischer Standards.” In MultiMedia und Recht 2016: 8-11.

83 On the lack of consensus on the question of what is the aim of data protection law, see also Centre for Information Policy Leadership (2014). „A Risk-based Approach to Privacy: Improving Effectiveness in Practice.“ https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf (accessed 20 December 2018).


In other recitals only political objectives are mentioned, but not individual rights. According to Rec. 2 p. 2 the GDPR is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to an internal market and to the well-being of natural persons.

The fact that the GDPR as a whole does not itself decide which “Schutzgut” it is based on is emblematic of the inability or unwillingness of the legislator to agree on protection targets for data protection.84 As far as we know, no discourse regarding the GDPR’s aims and goals took place in the Council, EP and trialogue negotiations.85

However, Rec. 75 quotes certain damages which may arise from the processing of personal data:

- discrimination,

- identity theft or fraud,

- financial loss,

- damage to the reputation,

- loss of confidentiality of personal data protected by professional secrecy,

- unauthorised reversal of pseudonymisation,

- any other significant economic or social disadvantage,

- deprivation of rights and freedoms,

- deprivation of control over personal data.

Furthermore, Recital 75 lists further risky processing situations:

- processing of special categories of personal data,

- evaluation of personal aspects in order to create or use personal profiles,

- processing of personal data of vulnerable natural persons,

- processing of large amounts of personal data,

- processing that affects a large number of data subjects.

And Art. 32 (2) GDPR lists the classical risk categories for data security:

- accidental or unlawful destruction of personal data,

- loss of personal data,

- alteration of personal data,

- unauthorised disclosure of personal data,

- unauthorised access to personal data.

84 Also in this direction Stentzel (2015), see footnote 7.

85 The author was involved in the negotiations on the GDPR in the Council working group DAPIX on behalf of the German government.


These lists of possible damages and risk categories leave no detectable limitations as to the question of which rights are protected by the law. They confirm the analysis that the protection of the right to personality and the right to privacy no longer seems to be the primary objective of data protection law. Only damage to the reputation, unauthorized reversal of pseudonymisation and deprivation of control over personal data are directly relevant to the right to personality. Apart from that, the purpose of data protection law appears to be much more encompassing.

But what does this "more" mean? The above-mentioned lists are so broad that the purpose of data protection law could be interpreted as preventing physical, material and immaterial damage. And what does it mean when the purpose of data protection law in general is to prevent any damage? Data protection law thus aligns itself more closely with civil and criminal law, the purpose of which, among other things, is to prevent damage.

Civil and criminal law, however, only contain case specific and limited prohibitions and not a general prohibition (like data protection law). In addition, they only apply if infringements of rights or damages have actually occurred. And not every violation of the law nor every damage may be attributed to a particular liable person. For this purpose, numerous "Zurechnungskriterien" (= criteria of attribution) have been developed which limit the responsibility or liability of the individual (e.g. "Äquivalenztheorie", "Adäquanztheorie", "Theorie vom Schutzzweck der Norm", "Rechtswidrigkeit", "Verschulden", "Notstand", etc.).

The "Recht der Gefahrenabwehr" (= law on danger prevention) is also familiar with such restricting criteria (namely "Zustandsstörer", "Verhaltensstörer", "Theorie der unmittelbaren Verursachung", "Zweckveranlasser", etc.).

However, data protection law does not contain criteria that limit responsibility or liability. This carries all the more weight in the case of data protection law, because data protection law – also in contrast to civil and criminal law – demands compliance with a large number of preventative measures and contains high fines. Even the violation of the "principles relating to processing of personal data" is subject to a fine of up to EUR 20 000 000 or up to 4 % of a company's total annual worldwide turnover (Art. 58 (5) (a) GDPR), a provision which most likely violates the principles of legal certainty.

As a result, a controller simply has no clear way of knowing which risks for which rights can be assessed with any matching degree of exactness. This is astonishing in a field of law in which the importance for the protection of human dignity and freedom of behaviour is supposed to be of high value.

In the absence of a clearly defined legal purpose of protection, data protection threatens – despite all assurances86 – to become an end in itself:

- For legal laymen such an interpretation is too tempting in view of the wording of Art. 8 CFREU and the notion of the right to data protection as a fundamental right.

- For the legislator, it is tempting to leave unanswered the difficult and controversial political questions of which data usages should be allowed and to what extent they should be forbidden. Instead, it is easier for them to set up a "cordon sanitaire" around the data itself.

- The "every datum is dangerous" lobby for this kind of data protection is too strong. They see data protection law as the new environmental law and therefore place all data processing under a general suspicion of causing collective damage.

- For many politicians and activists, it is an easy game: just sell people the idea that personal data – irrespective of their nature – belong to the data subject ("Meine Daten gehören mir." = "My data belong to me.").

- For the controller, it is too difficult and treacherous to develop their own standards for data usage, so relying on a data-focused interpretation seems the most manageable way to fulfil the numerous obligations of the GDPR (keyword: "privacy compliance management systems").

86 See e.g. Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, 23. Tätigkeitsbericht 2009-2010, p. 21.

Uncertainty about the aim of data protection law is inversely proportional to the prescriptiveness of data protection obligations. Maybe this can be explained by the fact that the uncertainty which comes with all those balancing of interest tests and risk assessments has to be replaced by something which is certain. However, the preventative technical and organisational measures that have to be taken merely give the process of data protection a false sense of certainty.

6. "One size fits all" approach and "all or nothing" approach

The regulatory claim of data protection law is total. There is hardly any other area of law that contains micro regulations like this and at the same time covers all aspects of life. Instead of regulating specific problematic situations in life or data processing, a general law and (in Germany) numerous sector-specific laws seek to cover the entire "life cycle" of data (a strange term for information) – from collection, to use, to deletion.

The GDPR treats all controllers ("one size fits all") and all personal data ("all or nothing"), equally:

"One size fits all":

Under GDPR, every controller basically has the same obligations. The same rules apply to public authorities as to private companies. Anyone who earns money with data is treated in the same way as someone who only keeps an address book. The same rules that apply to big US companies such as Amazon, Google, Facebook, Apple, Microsoft, and Yahoo, also apply to small startups, craft businesses and sports clubs. Data processing for scientific purposes, archives, internal corporate communications, bloggers and website operators, crowdsourcing platforms or the International Red Cross in missing persons searches; all must observe the same rules (with a few exceptions that privilege some of the above-mentioned controllers).

However, the regulations which might be necessary for a relationship between state and citizen may not be appropriate for the relationship between companies and consumers. And regulations that may be necessary between large institutions and consumers may not be appropriate for the relationship between individual Internet users. The GDPR apparently directs itself towards (large) companies that collect and process information via the Internet.87

Under the GDPR, controllers’ and processors’ obligations are usually not context-dependent. Most GDPR obligations exist regardless of whether or not a high risk for data subjects is caused by the specific data processing. Internal company communications seldom receive special consideration.

"All or nothing":

The sheer variety of protection needs of each individual is hardly taken into account when the focus is on "the data". Only for data of children (Art. 8 GDPR) and for special data categories (Art. 9 and 10 GDPR) do stricter processing rules exist, which, however, reflect different protection requirements only in very rough outline.

The information that, for instance, a person happens to have a cold is considered specially protected health-related data; credit card data, on the other hand, is not. The GDPR does not take sufficient account of the processing context and the concrete processing risk. The information that an individual happens to be short-sighted becomes high-risk if this person is refused a job as a pilot, but not if an optician sends him advertisements. Nevertheless, both cases are treated equally by Art. 9 GDPR. If personal data is publicly available (e.g. on the Internet or in a public register), that data is generally treated on the same protection level as data that may reveal intimate details about one’s sex life.

As soon as data qualifies as personal, all rules of data protection law apply. Under the conditions of today's information processing, however, the criterion of identifiability (see Art. 4 No. 1 GDPR) becomes less and less meaningful. Apart from pure machine, sensor and weather data there is no non-personal data any more.88 Therefore, the distinction between personal and non-personal data can no longer be a meaningful criterion for differentiation. In particular, however, Big Data questions the concept of personal data, since Big Data analytics enable the identification of individuals even without using personal data.89

Data protection advocates justify those two approaches ("one size fits all" and "all or nothing") by the verdict of the German Federal Constitutional Court that – under the conditions of automatic data processing – there would no longer be "belanglose Daten" (= insignificant data).90 It is derived from this that all personal data is equally worthy of protection. As a result, a whole legal system has been created to treat personal data as if it were radioactive material.

87 Niko Härting (2013). „Datenschutzreform in Europa: Einigung im EU-Parlament.“ In Computer und Recht 2013: 715-721.

88 Härting/Schneider, see footnote 5, p. 821.

89 Paul Ohm (2010). “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.” In UCLA Law Review, Vol. 57, p. 1701; https://ssrn.com/abstract=1450006 (accessed 20 December 2018); Ira S. Rubinstein (2013). „Big Data: The End of Privacy or a New Beginning?“ In International Data Privacy Law: 74-87 (77).

90 Bundesverfassungsgericht, see footnote 16, marginal number 152.

In view of the data explosion of the Internet age, this approach leads to an overregulation in most areas of business and private life. The numerous obligations (among others: documentation, demonstration, accountability, information, erasure, notification91) can hardly be fulfilled completely. In addition, the filing of accompanying checklists tempts controllers at best to blindly follow a set of rules or to put together a band-aid, camouflaged cover argument, and in the worst case to simply remain willfully ignorant. It is a delusion to believe that more rules can ensure righteous behaviour. It could lead to the GDPR becoming a zombie: it seems to be alive because human compliance robots do the paperwork, but the formal observance of the rules fails to achieve the intended protection effect.92

III. Limiting and specifying the scope of data protection law

The GDPR makes enormous efforts to subject every single piece of data to an elaborate set of protection rules with the idea that comprehensive prevention is necessary ("every piece of data is potentially dangerous"). In addition, the data protection regime is seen as essential for protecting all rights and freedoms of the data subject. This includes a general precautionary ban on processing personal data, with the illusion of informational self-determination and the undifferentiated “one size fits all” and “all or nothing” approaches. Taken together, this leads to an abstract data protection law with no discernible shape. This formless law is then held responsible for all dangers posed by digital data processing. This results in excessive demands on controllers, who have to protect all conceivable rights and freedoms of individuals, and in the disappointment of data subjects, who are led to the unattainable expectation that data protection law alone can protect them from the dangers of data processing.

Instead, data protection law needs to be specified and restricted in several respects. This can be achieved partly de lege lata through an appropriate interpretation of the law, but also partly only de lege ferenda.

1. Clarifying the fundamental rights foundation of data protection law

The consequences deriving from the fact that data protection is rooted in Art. 8 of the Charter of Fundamental Rights of the European Union must be clarified. The fundamental rights rhetoric used in many public debates blurs the actual challenges faced. This rhetoric leads to the false assumption that any processing of personal data is a legal problem of enormous sensitivity that is beyond the political decision-making process.93 As a result, everyday life becomes "law-driven" (= “Verrechtlichung des Alltäglichen”).94 It is therefore necessary to understand that not every detailed issue of data protection law affects fundamental rights.

91 According to the author's counting, there are 68 obligations which every controller in principle has to fulfil: Winfried Veil (2018). „GDPR: 68 Obligations of the Controller.“ https://www.flickr.com/photos/winfried-veil/25437610017/in/dateposted-public/ (accessed 20 December 2018).

92 Koops, see footnote 7, p. 8; Sven Türpe / Jürgen Geuter / Andreas Poller (2017). „Emission statt Transaktion: Weshalb das klassische Datenschutzparadigma nicht mehr funktioniert.“ In Informationelle Selbstbestimmung im digitalen Wandel: 227-248 (246). Edited by Friedewald/Lamla/Roßnagel. Wiesbaden: Springer.

93 Bull (2011), see footnote 7, p. 2.

94 Hoffmann-Riem, see footnote 75, p. 528.


To this end, the meaning of Art. 7 CFR (right to respect for private life) and Art. 8 CFR (right to data protection) and their relationship to each other must be clarified.95 According to one viewpoint, Art. 8 CFR represents an (important) part of the right to privacy.96 Another line of thought argues, however, that the protection of privacy should be withdrawn from Art. 8 CFR and only play a supportive role as a point with which to weigh a balanced consideration, or "supplementary guarantee for data protection".97 An even more radical view states that Art. 8 CFR is a stand-alone fundamental right.98 This view claims that the ECJ “unfortunately” always reviews the two fundamental rights under Art. 7 and 8 CFR jointly, but that the ECJ is supposed to be "on the road to improvement", because, even though it still examines them parallel to each other, at least the examinations are done independently.99

This point of view cannot explain what standard should apply to restrictions of the fundamental right to data protection by other fundamental rights. The distorted consequences of this view are that it is impossible to determine the likelihood of a risk, since the raw data protection right is adversely affected by any data processing. The likelihood of an occurrence of risks is therefore always 100 %.100 The risk-based approach of the GDPR101 would then be without scope of application.

It makes more sense to see Art. 8 CFR as an objectively designed mandate for the legislator to enact data protection rules that are configured in accordance with fundamental rights.102 Between private actors the right to data protection is only an “Abwehrrecht” (a defensive right that is enforceable in court) if it is combined with another fundamental right (in particular with the fundamental right to the protection of private life in accordance with Art. 7 CFR). The right to data protection should therefore be seen as an accessory to other fundamental rights.103 It can therefore be described as a “Kombinationsgrundrecht” (= a fundamental right that needs to be combined with another fundamental right).104 The consequence of this view is that data processing should only be relevant under fundamental rights if it specifically impairs freedom or constitutes a particular risk of impairing freedom.105

95 In depth on the history of the origins and effects of the fundamental right to data protection of Art. 8 CFR: Gloria González Fuster (2014). The Emergence of Personal Data Protection as a Fundamental Right of the EU. Cham: Springer.

96 Jürgen Kühling / Johannes Raab (2018). „Einführung.“ In Datenschutz-Grundverordnung/BDSG - Kommentar: marginal number 26. Second Edition. Edited by Kühling/Buchner. München: Beck; Benedikt Buchner (2018). „Article 1 GDPR.“ In ibid: marginal number 10.

97 Heinrich Amadeus Wolff (2017). In Das neue Datenschutzrecht: marginal numbers 31 and 34. Edited by Schantz/Wolff. München: Beck.

98 In this sense e.g. Hans D. Jarass (2016). „Article 8 CFR.“ In Charta der Grundrechte der EU: marginal number 4. Third edition. Edited by Jarass. München: Beck.

99 Wolff, see footnote 97, marginal number 38.

100 So explicitly Felix Bieker (2018). „Die Risikoanalyse nach dem neuen EU-Datenschutzrecht und dem Standard-Datenschutzmodell.“ In Datenschutz und Datensicherheit 1: 27-31 (29).

101 In detail see Claudia Quelle (2017). “The ‘Risk Revolution’ in EU Data Protection Law: We Can't Have Our Cake and Eat It, Too.” In: Data Protection and Privacy: The Age of Intelligent Machines. Edited by Leenes / van Brakel / Gutwirth / De Hert. Hart Publishing. https://ssrn.com/abstract=3000382 (accessed 20 December 2018); Winfried Veil (2018). „Accountability - Wie weit reicht die Rechenschaftspflicht der DS-GVO? Praktische Relevanz und Auslegung eines unbestimmten Rechtsbegriffs.“ In Zeitschrift für Datenschutz 1: 9-16 (13). https://rsw.beck.de/rsw/upload/ZD/ZD_01-2018_-_Beitrag_Veil_1.pdf (accessed 20 December 2018); Winfried Veil (2015). „DS-GVO: Risikobasierter Ansatz statt rigides Verbotsprinzip - Eine erste Bestandsaufnahme.“ In Zeitschrift für Datenschutz 8: 347-353.

102 Bäcker, see footnote 62, p. 98.

103 Britz, see footnote 61, p. 573.

104 Nikolaus Marsch (2018). Das europäische Datenschutzgrundrecht. Grundlagen – Dimensionen – Verflechtungen. Tübingen: Mohr Siebeck.

105 Britz, see footnote 61, p. 581.

Furthermore, the relationship between the right to data protection and the conflicting fundamental rights of controllers and third parties has to be clarified as well. During practically every processing of personal data by private individuals, a conflict of fundamental rights can arise. The GDPR only indicates this in Rec. 4 p. 2:

"The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality."

In particular, freedom of expression and information (Art. 11 (1) CFR), freedom of the media (Art. 11 (2) CFR), freedom of the arts and sciences (Art. 13 CFR) and freedom to conduct a business (Art. 16 CFR) are dependent on the processing of personal data and may therefore come into conflict with data protection law. Informational self-determination carries within itself this very conflict. One cannot perceive free self-determination as a member of a free society without the knowledge and understanding of one’s social environment. It must therefore be possible for one to collect and process information about one’s community.106

The Internet provides the ability for people to inform themselves better and faster, allows them to communicate more with one another in a more diversified way, and makes it easier for them to organize themselves and create networks. Information, communication and organization are forms of informational self-determination as well. And these forms of informational self-determination have been tremendously strengthened by digitalisation.107 Consequently, the processing of data by private individuals must also be regarded as exercise of fundamental rights – even if it is the processing of personal data concerning other individuals. The recognition that the processing of personal data is also protected by fundamental rights is not provided for by the one-sided data subject’s perspective of data protection law.108

In any case, the GDPR hardly provides controllers and processors with standards on how to resolve the conflicts of fundamental rights and interests that arise in the numerous cases in which they have to do balancing of interest tests (e.g. in Art. 6 (1) (f) GDPR), compatibility tests (e.g. Art. 6 (4) GDPR), necessity tests (e.g. Art. 17 (3) (a) GDPR), risk assessments (e.g. Art. 24 (1) GDPR), and data protection impact assessments (Art. 35 GDPR). It is just not helpful for legal practitioners if scholars describe the redesigning of informational self-determination as a "multi-layered bundle of legal obligations and legal positions".109

2. Limiting the purposes of data protection (= solving the "Schutzgut" question)

The protectional aims of data protection law have to be specified and limited. Of course, it would be desirable if the aim of data protection were to return to the general protection of privacy and personality rights.110 However, de lege lata the GDPR, which declares itself responsible for "all fundamental rights and freedoms", cannot be ignored. But even de lege lata the risk-based approach can be made fruitful for limiting the purposes of protection. A guiding principle could be the question of whether the risk in question is a risk typically associated with the processing of personal data.

106 Giesen (2007), see footnote 7, p. 918.

107 Seemann, see footnote 19, p. 131 et seq.

108 Giesen (2007), see footnote 7, p. 918.

109 Likewise Albers, see footnote 78, p. 32.

110 Giesen (2014), see footnote 7, p. 554 et seq.; Stentzel (2015), see footnote 7, p. 189; Härting / Schneider, see footnote 5.

Based on an analysis of international law, EU law and German law, Drackert distinguishes the following typical data processing risks111:

- Increased individual vulnerability to crime: the handling of personal data is risky if it increases the likelihood of crimes.

- Shaming and damage to public image: the publicity of information threatens the data subject with a loss of public respectability.

- Selective targeting damages: through the use of legally or politically undesirable information targeting (e.g. in selection processes) the data subject is threatened by discrimination or stigmatisation.

- Informational permanence: the capabilities for timeless storage, availability and retrievability of information enable the constant reconstruction of individual behaviour and thereby reduce the chances for a collective social amnesia.

- De-contextualisation: the transfer of information from one aspect of life to another may negatively affect the individual.

- Emergence of information: new dangers arise from the possibility of automatically gaining new knowledge from diverse sources, for example about personal aspects of the data subject.

- Information inaccuracy: unstructured data sources, uncontrolled and non-transparent processing procedures and data falsifications entail the risk of poor data quality, which in turn can cause different risks.

- Treatment of human beings as mere objects: in particular, through exclusively automated individual decisions, there is the danger of human beings being degraded to objects.

- Heteronomy: the manipulation of individual behavior can, at the micro level, negatively influence human freedom of behaviour as well as political processes at the macro level.

- Disappointment with reasonable expectations of confidentiality: the expectations of the data subject are a relevant criterion both from the point of view of the individual and from the point of view of the community (in the sense of a (consumer) criterion of confidence necessary for collective living).

A further connecting point for limiting the protection purposes of data protection law could be the “Sphärentheorie” (= theory of spheres), which differentiates between the intimate, secret, private, social or public sphere of the individual when assessing the magnitude of harm caused by data processing to that individual. This theory could be enriched and further differentiated by aspects of "contextual integrity".112

111 Stefan Drackert (2014). Die Risiken der Verarbeitung personenbezogener Daten: p. 291 et seq. Freiburg: Max-Planck-Institut für ausländisches und internationales Strafrecht.

3. Abandoning the precautionary principle

The question arises whether there are not many cases in which the prohibitions of civil tort law and criminal law are sufficient to protect the data subject.113 A partial relinquishment of the precautionary ban on processing personal data (for example with regard to everyday data processing or non-commercial communication) would be a first step towards a realistic data-information law system, since in these areas, the supervisory authorities will (hopefully) hardly implement it anyway.

This was already proposed by unsuspecting data protection experts in their 2001 report on the modernisation of data protection law:

"In order to simplify data protection and avoid absurd results [sic!], a general justification should always declare data processing admissible if obviously no impairment of the data subject is to be expected."114

Other proposals move in the direction of a more open general clause with reference to “Treu und Glauben” (= fairness), or refer to the principle-based approach of the OECD guidelines.115

4. Balancing of interests

Similarly, there is a proposal to make the legitimate interest test the central legitimising ground for processing personal data. This balance of interests must not only take into account the interests of the data subject and those of the controller, but also the social significance of certain data processing (i.e. a possible public interest benefit116, or also possible disadvantageous collective effects of data-based decisions117).118 According to this proposal, consent and contract would no longer be independent legal instruments in their own right, but would still play a considerable role in weighing up all interests.119

The criteria for the legal grounds according to Art. 6 and 9 GDPR overlap. Each legal ground requires a context-related evaluation of the processing activities concerned. The GDPR imposes additional requirements, in particular with regard to consent, performance of a contract, or the processing of sensitive data. If one considers these requirements, in addition to the requirement calling for a risk assessment for each data processing (Art. 24 (1) GDPR), plus a data protection impact assessment for each high-risk data processing (Art. 35 GDPR), one must conclude that the different prerequisites for justification converge anyway. The safest and therefore legally most applicable working method in which all these requirements would be met, is to use a single protocol to contextualize the impact with which the use and re-use of data can be assessed.120

112 Nissenbaum, see footnote 39, p. 32.

113 Affirmatively Giesen (2014), see footnote 7, p. 555.

114 Roßnagel / Pfitzmann / Garstka, see footnote 30, p. 15.

115 von Lewinski, see footnote 27, Einführung, marginal number 12.

116 CIPL, see footnote 83, p. 9.

117 See e.g. Julia Manske / Tobias Knobloch (2017). Datenpolitik jenseits von Datenschutz: p. 31 et seq. Edited by Stiftung Neue Verantwortung. https://www.stiftung-nv.de/sites/default/files/datenpolitik_jenseits_von_datenschutz_0.pdf (accessed 20 December 2018); Brent Mittelstadt (2017). “From Individual to Group Privacy in Big Data Analytics”, https://link.springer.com/content/pdf/10.1007%2Fs13347-017-0253-7.pdf (accessed 20 December 2018); Wolfie Christl / Sarah Spiekermann (2016). Networks of Control - A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy. Wien: facultas.

118 Moerel / Prins, see footnote 7, p. 85; Sebastian Golla (2018). “Mehr als die Summe der einzelnen Teile? Kollektiver Datenschutz.” In Privacy in Germany 1: 2-6.

119 Moerel / Prins, ibid.

IV. Summary

With the GDPR, the idea of prescriptive and preventive data protection has reached perfection. Unfortunately, the foundations of this idea have fundamental deficits:

- The right to informational self-determination creates an unfulfillable illusion of control. Consent is a legal instrument that cannot fulfil the aspirations it aims for: the safeguarding of informational self-determination.

- The general ban on processing personal data forces private actors to justify behaviour, which is in itself protected by fundamental rights. It is the collateral damage of data protection law that the protection of those other fundamental rights is under the proviso of the right to data protection. Data protection law follows the logic of bulkheading, which unilaterally comes at the expense of freedom of expression and information (Art. 11 (1) CFR), freedom of the media (Art. 11 (2) CFR), freedom of the arts and sciences (Art. 13 CFR) as well as freedom to conduct a business (Art. 16 CFR). The danger that data protection law will become a “Supergrundrecht” (= super fundamental right) if it is incorrectly interpreted, cannot be dismissed.

- There is no clear definition of the aim of data protection. This leads to great legal uncertainty, especially in the application of risk-related obligations, because those concerned cannot know for which protected “Schutzgut” (= right or interest) they must assess the risks.

The GDPR does not solve these structural deficits. On the contrary, it applies all rules equally to all controllers. This neglects the processing context and is not proportional or risk-adequate. The structural deficits are compounded by "extras" from the US legal sphere: high penalties, the strong role of data breach notifications and the accountability principle. There is also the transparency dilemma121 and the imperfect insertion of enforced self-regulation. All in all, the GDPR is a hodgepodge of all regulatory ideas ever conceived in the field of data protection/privacy, all put into one simple pot of legislation.

However, those structural deficiencies are only the tip of the iceberg. They lead to a fully regulated digital life, to incomprehensible and unmanageable bureaucratic burdens, to the diversion of questions which belong to the political sphere and not the legal one, to the sheer impossibility to follow the rules, to the lack of enforcement, and in the end, to the erosion of legal awareness. And the structural deficiencies prevent us from dealing with viable solutions to future problems of Big Data, the Internet of Things, blockchain, algorithms, artificial intelligence.122

120 Moerel / Prins, see footnote 7, p. 86.

121 Bettina Robrecht (2015). EU-Datenschutzgrundverordnung: Transparenzgewinn oder Information-Overkill. Oldenburg: OLWIR.

Unfortunately, the structural deficits are not just the sacred cows of data protection law. They are also the elephants in the room whose presence few dare to address. In addition, some raise expectations of data protection with the undertones of class-struggle (combating "data power in asymmetric informational relationships"123 or establishing an "informational separation of powers" to prevent the controllability of the individual124). Since the regulation of access and use of information is synonymous with the regulation of social relations, and since data protection law follows the paradigm of “all or nothing”, the nervousness of public debate can even be understood to some extent.

However, precisely for this reason, one should not try to press all the various and colourful, fluctuating social lives, which consist almost exclusively of communication and information, into an all-embracing state regulation. An area-specific approach is much more promising, as is shown by the examples of regulating tax and telecommunications secrecy, the confidentiality obligations of public officials and certain professionals, public registers, testimonial duties and inadmissibilities of evidence in criminal proceedings and statistical secrecy. All these cases deal with the question of how to adequately balance conflicting interests in the handling of information.125 Data protection is about nothing more, but also nothing less.

Data protection law should not be a jurisdiction to restrict technology, but a jurisdiction to use information.126 Therefore, we are arguing for a departure from the widely held view that danger derives from personal data. Rather, it makes sense and is desirable "to leave the overly small-scale level of 'data' and seek out a much more powerful level of regulation".127 It is not the data that is dangerous, but its misuse. Data protection should be attributed to the defence against undesirable effects that "information" (as the meaning of "data") can have.128 This presupposes taking a closer look at the usage of data and their effects.

Thinking in this direction brings with it the accusation of speaking out in favour of the supposedly lax "harm-based approach". This harm-based approach is regularly attributed to US culture and opposed to the EU's rights-based approach. It relies mainly on self-regulating market mechanisms to prevent inappropriate data processing activities. The regulatory idea is to encourage companies to observe privacy interests on their own behalf and for their own good, in order to prevent the threat of high penalties and the threat of loss of reputation.129 For many data protectionists, this harm-based approach is a red flag.130

122 Compare Tristan Henderson (2017). “Does the GDPR Help or Hinder Fair Algorithmic Decision-Making?” LLM dissertation, Innovation, Technology & The Law. University of Edinburgh. https://ssrn.com/abstract=3140887 (accessed 20 December 2018).

123 Kai von Lewinski (2008). „Grenzen von Datenmacht aufgrund von Sicherheit, Freiheit und Öffentlichkeit – Geschichte des Datenschutzrechts von 1600 bis 1977“: p. 1. http://www.mpil.de/apps/assoer/pdf/tp_vonlewinski.pdf (accessed 20 December 2018).

124 Bull (2011), see footnote 7, p. 22.

125 Bull, ibid, p. 37.

126 Bull, ibid, p. 39.

127 Lutterbeck (2013), see footnote 7, p. 2.

128 Compare Bull (2011), see footnote 7, p. 3.

In this paper, we advocate the risk-based approach as a golden mean between the EU rights-based approach and the US harm-based approach. The rights-based approach focusses on input (i.e. under which conditions is it allowed to collect data). For controllers this has a warning effect which in many cases is desirable and should not be completely abandoned. The rights-based approach, however, prevents a reasonable risk gradation for the obligations of the controller. And, it prevents a political debate on the question of which consequences of data processing should be recognised as desirable and which should be regulated and/or penalised as inadequate.

The risk-based approach is anchored in the GDPR.131 This means that the structural shortcomings of data protection law could even be remedied by corresponding interpretation and making this approach manageable. So far, however, hardly anyone – as far as can be seen at least in Germany – has rendered outstanding services to its further development. In particular, only eloquent silence is to be heard in this regard from the data protection authorities. This fuels the suspicion that they have no interest in further developing data protection law in this direction.

However, if the current state of this data protection law is not further developed, the story could go beyond it – because it is not without alternatives.

129 See in detail: Moerel, see footnote 7, p. 25-36; see also Hielke Hijmans (2016). „The European Union as a constitutional guardian of internet privacy and data protection: the Story of Article 16 TFEU“: p. 298. https://dare.uva.nl/search?identifier=c9db9f1d-3759-44b0-8501-fb2e69fc1dd6 (accessed 20 December 2018); Sophie Stalla-Bourdillon / Alison Knight (2017). “Anonymous Data v. Personal Data — A False Debate: An EU Perspective on Anonymization, Pseudonymization and Personal Data” In: Wisconsin International Law Journal, 2017: p. 25. https://ssrn.com/abstract=2927945 (accessed 20 December 2018); fundamental to the concept of “privacy harm”: Ryan Calo (2010). “The Boundaries of Privacy Harm.” In Indiana Law Journal, Vol. 86, No. 3, 2011. https://ssrn.com/abstract=1641487 (accessed 20 December 2018).

130 Compare Art. 29 Data Protection Working Party (2014). “Statement on the role of a risk-based approach in data protection legal frameworks.” WP 218: p. 4 (No. 11); Quelle, see footnote 101, p. 7.

131 In detail see Veil (2015), see footnote 101.
