Amazon recently sent a German man someone else's data in response to his personal data request, made in accordance with the General Data Protection Regulation (GDPR). Amazon blamed it on "human error."
By blaming it on human error, Amazon is trying to imply this is an isolated case. But some voices in German politics seized on it as another way to question the GDPR: How can small enterprises succeed with these data protections if a giant like Amazon fails?
Such statements imply enterprises are overtaxed by the GDPR. What it doesn't say, but does suggest, is the EU must loosen or lift the regulations. Meanwhile, Dorothee Bär, the Federal Government Commissioner for Digitization, is openly calling for this in another context. At the end of 2018, she once again publicly demanded a relaxation of the data protection laws in the healthcare system in order to move forward with implementing electronic patient files by the end of 2021.
The Call to Relax Data Protection Laws
Germany has some of the strictest data protection laws in the world and the highest requirements for the protection of privacy. Many argue these laws block developments in the healthcare sector, so we should delete some rules and loosen others. Bär isn't the only person advocating for this approach. More and more stakeholders in the healthcare sector are calling for laws to be relaxed so Germany can remain competitive.
Others compare the threat to data the GDPR handles with the threat of hacker attacks and data leaks. This comparison is weak, as both aspects are extremely relevant and the need for both negates neither. On the one hand, protection and control of the personal data of customers and citizens — or as Americans correctly call it, "data privacy." On the other hand, protection against hackers, hacker attacks or even errors in the company's own IT department.
These specious arguments are just another way for interested parties to fight tougher data protection regulations.
Related Article: An Introduction to the GDPR
GDPR Fans in High Places
Data protectors — no surprise — see it differently. And they get help from unexpected sources. Tim Cook, CEO of Apple, for example, said during a talk in Berlin on Oct. 22: "I am a big fan of GDPR. However, it does not represent yet everything, which must be made." Researchers at the University of Oxford in cooperation with the Reuters Institute for the Study of Journalism released a study stating that the European Union with its new data protection basic regulation drives the "strictest and most farsighted" approach in the area of data protection.
Data protection does not mean innovation grinds to a halt. It can even become a competitive advantage for businesses in Germany (and more broadly in Europe), if the use of data and artificial intelligence is cleverly combined with data protection and data security. Certainly the implementation and the design of the GDPR can and must be improved. Even if the GDPR overshot its reach in places, which I personally do not think is the case, it has fired up the discussion and perhaps also increased the sensitivity around the very important topic of data privacy. And that's a good thing.
Related Article: Is Data Ethics an Oxymoron? Customers Don't Think So
Fear-Mongering at the GDPR Gates
Ulrich Kelber, Germany's new Data Protection Officer, wants to improve public perception of the GDPR. He admits there is room for improvement. But that won't happen by going to extremes — either on the side of complete lock-down of all data or an indiscriminate rejection of any regulations. Arguments about the proper or improper use of our data by businesses will do little to diffuse public fear about our data being used in ways we do not want — which last year's revelations about Cambridge Analytica and Facebook made all too real. Clarification and setting boundaries is clearly an urgent task.
There is room to maneuver: potential penalties should be imposed with a sense of proportion and deadlines could also be extended. However, there should be no question that basic data protection is a fundamental right of every citizen. There should be no question that I can find out what companies are planning on doing or are doing with my data and that I should be able to obtain this information promptly. And above all, there should be no question about a citizen's right to ask that their data be deleted.
Related Article: Marketers Are Missing the Point of GDPR - and the Opportunity
The GDPR Is Here Because Enterprises Didn't Take Care of Data
Businesses neglected data protection for years before the introduction of the GDPR. Excel tables on the hard disk of every salesman, databases and data lakes, uncontrolled and scattered data in different IT systems — that was the reality. Now it's time to repair the outdated IT and data collection systems, introducing proper measures.
Let's not go backwards. Let's not reverse courses on data protection so early and so carelessly. Yes, some companies would enjoy that very much. And while it will take years to cement how we handle data properly, that's all the more reason why we must double down on these protections and work to clarify and improve them now. The GDPR is more chance and opportunity than risk. If necessary, slightly modify the course, but keep the direction!