Greetings from Brussels!

It has been a busy couple of months for the German regulatory community. In November, a report on the state of play of GDPR implementation — and the experience thus far — was drawn up by the Conference of Independent German Federal and State Data Protection Supervisory Authorities and adopted at its 98th Conference. The Datenschutzkonferenz (or DSK, as it is better known) is the umbrella structure that comprises all the state regulatory authorities in Germany, as well as the federal authority, and is tasked with issuing uniform and official resolutions, guidance and statements reflecting national and European law.

The publication of this report is quite the task as it needs to encompass a high level of consistency, as well as consensual opinion on the evaluation and review of GDPR implementation to date. This must be done across a large group of regulatory bodies as required in accordance with Article 97 of the GDPR. Moreover, the aim of such a review is ultimately to derive suggestions and recommendations for improvements to ensure a more optimal implementation of the regulation. I am happy to say, that for all the non-Germanophone privacy pros out there, this report now exists in English and can be found here. The findings are too many to mention here, but the DSK broadly shares the opinion that the GDPR’s regulatory concept and objectives have been largely successful to date in the pursuit of enhancing the protection of fundamental rights and contributing to the creation of the Digital Single Market in the EU.

Interestingly, in annex to the GDPR report, there is also the Hambach Declaration on Artificial Intelligence, a resolution also adopted at the 97th DSK Conference. It basically treats seven key data protection principles when addressing data protection in the field of artificial intelligence and automated decision-making: informing the debate; informing a digital future.

This report also comes on the heels of the DSK releasing GDPR fining guidelines in late October. All this at a time when there has been a growing entrenched public perception centered around the potential for high fines associated with GDPR enforcement. Raising privacy and data awareness comes with an imperative for both regulatory authorities and businesses alike; the work must be done. German authorities have already started to apply the DSK-fining methodology. The Berlin data protection authority — which also took the lead in developing the fining framework — recently issued a fine of 14.5M euros using the five-step process design. The case itself relates to excessive retention of personal data by a real estate company and its failure to implement privacy-by-design principles. What is generally accepted is that the DSK framework is aggressive in that the current model will almost certainly impose higher fines than expected and controversially more so for organizations with high revenues.

From an EU perspective, the EDPB is tasked with ensuring the consistent application of the GDPR throughout the EU. Importantly, it is expected to adopt a harmonized fining methodology, but no timeline has been identified as yet for this. In the interim, national frameworks — German and other — will remain the relevant methodologies in their jurisdictions. This may lead to some very colorful enforcement actions and maybe some testy legal challenges, too.