Is there “data protection tourism” in Germany leading companies to seek out federal states with lax interpretations of the General Data Protection Regulation (GDPR)? This question has been a topic of discussion within the community and featured on the c’t data protection podcast. Dr. Stefan Brink, the founder and managing director of the scientific institute for the digitization of the working world, wida, in Berlin, was recently a guest on the show discussing this controversial subject.
During the podcast episode titled “Auslegessache,” Brink, a former data protection officer of Baden-Württemberg, shared his thoughts on his tenure in the position (2016 to the end of 2022) and his views on the federal system of data protection supervision. He did not hold back in his criticism of the German data protection authorities, the Data Protection Conference (DSK).
Brink expressed his belief that there is legal certainty for companies seeking guidance from data protection authorities if they ask for it. He also stated that any discussions surrounding other supervisory authorities with friendlier views result in a shift from legal certainty to simply “making a wish.” Brink criticized the DSK as an “impertinence for all participants,” saying that it is “an imposition” and that he was not sad to leave his position.
However, Brink did acknowledge that the DSK has improved in recent years and believes that it should be further institutionalized as a higher authority. He also believes that federal legislation should support the strengthening of the DSK to ensure unanimous decisions and the independence of the GDPR-mandated supervisory authorities.
These issues surrounding data protection tourism and the interpretation of the GDPR are of great importance to companies operating in Germany. It is essential that they understand the legal certainty provided by data protection authorities and adhere to the regulations laid out by the DSK. As the debate on this topic continues, it will be interesting to see how it affects the independence of the GDPR-mandated supervisory authorities and what steps are taken to ensure legal certainty for companies seeking guidance.
