Sanctions must be “effective, proportionate and dissuasive”.

This is not a maxim of black pedagogy from the "Struwwelpeter", but a requirement of the General Data Protection Regulation (GDPR).

It relates to fines that companies face in the worst case for data protection violations.

In order for a fine of up to four percent of a company's annual turnover to be due, one has to violate the law very severely.

Facebook recently did that.

Data from 530 million people from 106 countries, including phone numbers, names and dates of birth, was lost because Facebook did not protect it adequately.

How frightening would the highest possible fine be for Facebook?

Let's do the math.

Facebook's annual turnover in 2020 was 72.23 billion euros.

If the maximum fine of four percent were imposed, it would amount to 2.89 billion euros.

That's a lot of money.

But is it also a deterrent in a specific case?

Here is a comparison with Volkswagen.

Annual sales in 2020 amounted to 223 billion euros.

A fine for a serious data protection breach, which could be set at four percent of sales, would therefore amount to 8.92 billion euros.

Because the fine is tied to sales, it would be three times higher for Volkswagen than for Facebook.

This is unfair, because higher sales do not necessarily mean higher profits.

While Facebook recorded a profit of 24.49 billion euros in 2020, it was only 8.8 billion euros at Volkswagen last year, despite the much higher sales.

That means: while Facebook would still be left with a large surplus of 21.6 billion euros for 2020 after a data protection disaster and a maximum fine, Volkswagen's profit would be more than wiped out in the same situation.

The automotive group would be in the red by 0.12 billion euros.

If one compares the effect of the sanctions, four percent of annual turnover is hardly a deterrent for Facebook, but for Volkswagen it threatens the existence of the company.

For Facebook, the maximum fine of almost 2.9 billion euros against a profit of almost 24.5 billion euros is more on the order of magnitude of a tax, which the company, based in Ireland, hardly pays due to special tax laws.

If you look at it that way, data protection violations could be part of the business model for Facebook.

The comparison of fines reveals a birth defect in European data protection law.

Its sanctions are as good as ineffective for the US data multinational, while they can bring European companies to their knees.

Facebook and Co. are not deterred from committing data protection violations.

Perhaps claims for damages, which those affected can also assert under the GDPR for data protection violations, are a more effective means.

In any case, data protection law does not provide a fundamental concept for fair competition in the data business.

So you have to go beyond the GDPR.

In Germany, the Bundestag is currently considering setting an important course in this direction in the Telecommunications-Telemedia-Data Protection Act (TTDSG).

By anchoring a so-called consent management system (privacy management system, PIMS) in this law, state-recognized services can be established as independent trustees between users and digital services.

Bundestag must act

These services could manage consent and access to online services (log-in) according to open standards.

They would connect customers with companies and only forward the user data requested by the customer to an online service in accordance with the intended purpose.

Important: they should not monetize this data.

Anyone who uses the single sign-on service (editor's note: authentication procedure in which users can log in to multiple applications and websites but only enter their access data once) would no longer depend on log-ins from Google, Facebook, Amazon and Apple and would no longer feed their data pools.

That would not only be important for competition, but also a decisive step towards data protection.

The idea is based on a recommendation by the Federal Government's Data Ethics Commission.

It recommended this solution in 2019.

The Bundestag can now anchor it in the TTDSG and thus ensure an innovative and effective solution in Germany that can provide an important impetus for European regulation.

Professor Rolf Schwartmann is head of the research center for media law at the Technical University of Cologne.