“Privacy policies are like the small print in software licenses,” says Bernhard Ganglmair from the EPoS Economic Research Center. “Very few people read them. Nevertheless, German companies have been increasingly complying with their disclosure obligations since the GDPR came into force in 2018. However, many companies are still speaking gibberish from the users’ perspective, especially smaller companies. This is what our study shows. We have analyzed around 585,000 privacy policies published by 75,000 German companies between 2014 and 2021.”
The researchers find that companies neglect the requirement of giving information in “easily accessible form” if they assume that the authority responsible is paying little attention to them. Background: in Germany, GDPR compliance is monitored by different data protection authorities in the 16 federal states. How active these authorities are depends on their budgets, which vary from state to state.
Companies want to stay “below the radar”
“Apparently, companies in federal states where authorities have smaller budgets are hoping that data protection officers are less attentive and that their privacy policies will remain ‘below the radar’,” says Ganglmair. “Conversely, if companies assume increased activity, compliance with readability improves.” Since 2018, all companies have been obliged to inform individual users “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” when personal data is collected.
Readability difficult to enforce
“An obligation to transparency defined in this way is subjective and therefore difficult to verify,” says Ganglmair. According to the researcher, this is not only a problem with the enforcement of the GDPR, but also with other EU legislation that uses similar wording. For example, the Platform-to-Business Regulation or the Digital Services Act could fail to have the desired effect in this respect for the same reason.
Six years of GDPR – conclusion
The record after six years of GDPR is therefore mixed: the researcher notes that the regulation has indeed led to more transparency in the collection, processing, and use of personal data in Germany. However, communication with the users has only partially improved.