Even after five years, data protection is still a big topic. The European General Data Protection Regulation has been in effect since May 25, 2018, and the five-letter abbreviation has been frightening: the "GDPR" has become synonymous with excessive bureaucracy and a permanent justification for the sluggish digital progress in the country.

Five years ago, the rules were rightly seen as a major breakthrough for uniform European legislation to contain large Internet companies, against which neither the United States nor the EU had had much to offer until then. By using the services of supposedly free online platforms, their citizens often unknowingly revealed floods of data that Mark Zuckerberg & Co use profitably. The GDPR introduced rules.

The rules work

The recent record fine against Zuckerberg's Meta empire shows that they work: The company will have to pay a whopping 1.2 billion euros for data protection violations if courts confirm the penalty. This does not leave the Internet giants unimpressed. They are now working with the authorities with such meticulousness that it is difficult to ignore the positive consequences of the GDPR.

But that's only part of the truth. The law affects not only large Internet companies that deserve nothing else, but also a number of small and medium-sized companies in which there is still great uncertainty about the requirements.

Many questions are still unanswered. The polyphony of the data protection authorities has become a deafening roar. Germany alone has 18 such authorities.

One lesson from the past five years is that uniform rules are of little use if the state authorities interpret them differently. More clarity is needed here. The European Data Protection Board and the European Court of Justice could ensure this with a good deal of pragmatism.

The sooner uniform standards that do not overwhelm companies are set, the better. Otherwise, data protection will do more harm than good.