Data protection – Quo Vadis?
Author
Dr. Jana Moser
From the business with data to the business with data protection
The year is already in full swing and trend predictions are superfluous. However, it is even more worthwhile to comment on recognisable developments. This is especially true when adjustments to the economy and its business models can be identified. And that’s exactly what I see in data-driven business models and data protection. In the following article, I explain where exactly the effects of this trend can be seen and what they lead to.
The reaction was substantial when Google announced at the beginning of March 2021: “No more advertising based on individual surfing behaviour!” Some people may have rubbed their eyes in disbelief: Google is voluntarily giving up the lucrative business of data? No! There can be no talk of voluntariness.
The pressure on the giants of California has simply become too great. One of the strongest adversaries of the profiling expert was not a company but the French data protection regulator CNIL. For example, at the beginning of 2019, it issued a fine of EUR 50 million against Google for non-transparent, non-comprehensive data protection information. At the end of 2020, the CNIL went one step further and issued another fine of EUR 100 million for secretly placing cookies. Unlike the company’s balance sheet, the group's reputation suffers significantly from these high-profile reprimands – both among Google’s business customers and consumers.
The pressure on companies like Google, whose business is based on data collection and analysis, is increasing not only because of the consent requirements but above all because of the obligation to inform consumers transparently, comprehensively, and correctly (!). “Natural persons should have control over their own data”, says recital 7, sentence 2 of the GDPR. Because only then can they also make use of their rights.
That is the reason for the GDPR and the battle of the data protection supervisory authorities. But how do consumers deal with their newly won rights and all the information?
The most visible current example shows this: cookie banners. They are packed with information. Regardless of whether you “make them pretty” or not: most people are annoyed and quickly click the banners away without reading the often very detailed and highly technical information. This is why I question the high cookie acceptance rates that are sometimes reported. After all, clicking (away) does not mean consent or – and this is what matters – understanding what is happening with the data.
And it is precisely here that the development “away from comprehensive data processing and towards more transparency” encounters a new trend: education instead of information and concrete, practical applications for implementing one’s own rights. Good examples of this are companies like Increase Your Skills, which offers an e-learning and information security awareness platform for companies, or Itsmydata, a startup that gives consumers control over their data in the area of creditworthiness checks.
Another example is the German Corona-Warning-App. There has been a substantial amount of talk about it. An incredible number of experts have spoken out about the legality, data economy and the benefits of its data processing. There is very detailed and simple information on the data processing, which is itself sparse compared to advertising tracking on websites or in apps. Moreover, hardly any other data protection topic has reached so many sections of the population in recent years.
Nevertheless, the acceptance and actual use of the app is sobering. In my opinion, this is neither due to the app’s lack of data protection nor to a lack of information. Consumers simply lack the knowledge necessary to understand the data protection information and the consequences.
Developments in recent years, illustrated by the examples above, show that information about a data processing operation and the rights associated with it is not enough. Consumers need to understand both the content of the data processing and its context and real-life implications, and need to have them made concrete for their everyday lives. This is more important than spelling out details of data processing in terms of cookie IDs and URLs.
This is a very exciting development that I hardly thought was possible a few years ago when I was the data protection officer at studiVZ. But legal constraints and reputational and competitive pressures make it possible for a business model to be built on data protection. This is shown not least by the million-euro investment in Usercentrics, a startup that makes consent management easier for companies. Being data protection compliant and thus also “GDPR compliant” and being able to provide complete proof of this, as Akarion offers, for example, has become a clear competitive advantage.
About the author
Dr Jana Moser is a data protection expert and a regular speaker at national and international events. She is the Managing Director of DATAREALITY VENTURES and has invested in Increase Your Skills GmbH. She also works as Senior Business Development and Key Account Manager at Akarion AG.