Achilles’ digital heel
For months now, electronic mailboxes have been fuller than usual: the EU General Data Protection Regulation (GDPR) has taken effect and forced companies to demand consent from all their customers and business partners. After 10 years of preparatory work, politics seems to have successfully structured an important area of digitization: data protection. But is that actually true? Does the GDPR solve the problems arising from mass data collections on international platforms? Can we, and the data protection commissioners on our behalf, assess, evaluate, and control who is doing what with our personal data?
Over-regulated data protection
You probably already access your bank account from your smartphone. Surely, you are using one of these apps – the ones in which you store the bank details for your various accounts in one place and access online banking. The app takes care of everything for you: it queries checking, savings, and credit card accounts as well as the account balances of several bonus cards. The result is displayed transparently and is updated on demand. Of course, banking transactions are also possible with such apps.
What about data protection in such an app? Using the example of the market leader, I examined the app’s work step by step in terms of data protection. Above all, one thing is clear: a complete description of all data processing operations, participating institutions, and legal regulations is no longer possible. The app developer, bank, smartphone manufacturer, mobile phone provider, iOS/Android operating system developer – they all handle your personal data when using the app, are subject to different data protection regulations and supervisory authorities, have their own guidelines, and have obtained consent (or not). It is almost impossible to describe it – it is no longer understandable for consumers at all.
In my new book Weak state on the net. How digitization puts the state into question,[i] I reach the following conclusion: while data protection law has exploded, data protection has suffered. In practice, the small-scale approach of data protection law largely evaporates and is no longer capable of protecting citizens effectively, comprehensibly, and transparently from the actual hazards of data processing. On the contrary, the paternalistic data protection legislation lulls people into a false sense of security and virtually encourages them to handle their data with carelessness.
What is worrying: Facebook, Google, and other global platforms have implemented the new EU rules quickly and seemingly without any significant impact on their profitable data trading business models. At the same time, many SMEs are complaining that the GDPR is making it difficult for them to implement new digital business models, and that the speed with which they can do so is suffering. No one knows what medium- and long-term effects the regulation will have in the digital space and in the competition between global economies.
Blurred responsibility in digital realms
Data protection is a particularly prominent example of the fundamental problems faced by the state in dealing with digitization. Yet another is the security of our digital everyday life: Have you ever counted how many digital devices in your household are connected to Wi-Fi? Are you sure that you haven’t forgotten an e-book reader, a thermostat, or a “smart” light bulb? More than twenty digital devices in the local network are not uncommon for an average family. A second question: Do you know where your data is stored – your texts, photos, music, and videos? Which cloud services do you use? Even more important, which ones do you no longer use but still have data stored there? One last question: Do you have an overview of which user accounts you have set up on the Internet? How many login IDs do you have for merchants, magazines, clubs, game providers, transport companies, or travel platforms? By 2015, Internet users already had an average of 90 different accounts; by 2020, there should be over 200 accounts.
Every Internet user now calls a multitude of devices, programs, Internet services, and user accounts “their own,” without still having an overview. Each of these programs has vulnerabilities, each of the devices is vulnerable. Regular maintenance, the installation of updates and patches, the configuration of security settings, reaction to known attacks – all of this is your responsibility. Each individual must take care of the security of their networked digital household, yet is hardly in a position to do so.
Little help comes from the state. Politics and law have so far not been able to make a simple distribution of responsibilities in IT security that does not overburden individual citizens, places greater responsibility on manufacturers of hardware and software, and also reflects the special responsibility of providers towards their customers.
Data protection law and the security of the networked household reveal one aspect of the “weak state on the net”: the blurred responsibility in digital space. Policy makers and administrators have not yet found an adequate solution to this problem. Over-complex legislation, such as data protection, is just as unsuitable as the renunciation of responsibility assignment, such as IT security. With the discussion about automated decisions and the use of machine learning in all areas of society, the next field of digitization is emerging in which government will struggle to find solutions.
The weakness of the state in the distribution of responsibilities hits the companies at least as hard as their customers. In data protection law, compliance costs are exploding, and every change to business models and processes requires a great deal of effort in terms of data protection documentation, information, and consent requirements. In the case of IT security, the situation is the other way round, for example with the use of Internet of Things (IoT) devices. Missing minimum security requirements for such devices and constantly new vulnerabilities make their use difficult, especially in medium-sized companies.
Government supply mandate - digitally rethought
While the state is struggling to assign responsibility in the digital space, it is simultaneously facing difficulties in fulfilling its own digital obligations. The poor progress made in digitizing government actions is widely known. But now there is a new challenge. With the digitization of all important areas of life – from health care to energy supply, from logistics to the arts – much more is required of the government than digital public services.
But our public sector has already fallen behind: Health apps are more widespread than digital offerings from the public health system. Google has digitized more books than all German libraries combined. Local public transport timetables are easier to find on global platforms than via local bus companies. Many other examples could be found. Large platforms compete with the state across many areas of public services. This will advance digitalization, but it will also pose a threat to our society, because the private providers are largely out of the control of parliaments and governments. Transport, energy, health, education, and other basic infrastructures are increasingly evading public control, and individual offerings are replacing infrastructure planning.
However, we urgently need digital infrastructures for successful digitization. Even beyond broadband networks, politicians must comprehensively define some kind of “government’s supply mandate” in the digital realm and carry out digital infrastructure planning. Whether it is the digital mirror image of our transport infrastructure – from traffic lights to bus schedules – digital access to health care, patient files, and research-relevant data, the digitization of libraries, or the digital future of public broadcasting, the digital transformation of the state is more than just the information and communication technologies of the government agencies; it’s more like defining new essential utilities.
From weakness to strength
Securing the digital ability of our government to act and to face the future, and overcoming its digital weakness, is a complicated and long-term task. Using many further examples, I examine in my book the reasons for the weakness of the state in the digital space and work out five basic approaches to overcome this weakness:
Firstly, we need a new, less-detailed digital law, a well-considered big one, a kind of “civil code” for digital space. It should lay down basic rules for responsibility in the digital realm, such as a minimum-security obligation for manufacturers of networked devices. More than twenty years of experience with legislation on the allocation of responsibility in the digital sphere are sufficient to move away from the many individual laws toward a coherent digital law.
Secondly, we must acknowledge that the global digital platforms, such as Google, Apple, Facebook, and Amazon, create a kind of “town square” in the digital world in which people communicate, cooperate, and do meaningful things together, but also spread illegal content and commit all kinds of crimes. Without digital platforms we can no longer live, while at the same time “life online” may not remain unregulated by the state. We should not simply pass the burden of responsibility to the platform companies. Instead, we should ensure that they are designed in such a way that governments can assume their responsibility for the community, for the protection of security and freedom, for the balance of competing legal interests, and the enforcement of laws – even on digital platforms.
Thirdly, we need a change in the allocation of tasks to our state levels – in Germany, the federal government and the federal states must break free of the interlocking links, define their digital tasks more clearly, and carry them out more independently. The only way for the public sector to achieve greater speed in digitization is to allow the individual institutions to act on their own, without coordinating every step.
Fourthly, we need digital infrastructure planning that goes far beyond fiber-optic networks. It must embrace all state-owned infrastructures, a future digital architecture of the healthcare system, as well as a digital architecture in the field of education or in the public transport sector: What common offerings come from the cloud? Which digital identities are used? What are local authorities responsible for and what are federal and state governments responsible for? What do private companies care for and what does the government retain?
Finally, we need a reorganization of digital politics. All of these issues are cross-cutting issues. It is not about economic or legal issues, national security or financial issues. However, our institutions are not yet properly positioned to deal with the cross-cutting question of digital politics. The German Federal Chancellery's new responsibility for overarching digitization issues is the first step, and a Ministry for Digital Affairs will have to follow suit. A strong digital state is a prerequisite for freedom, justice, and social security in an increasingly digital world.
[i] Martin Schallbruch: Schwacher Staat im Netz. Wie die Digitalisierung den Staat in Frage stellt. Springer: Wiesbaden 2018.