Scientific study proves innovation potential of the GDPR

A legal study on the EU General Data Protection Regulation by a researcher at the Alexander von Humboldt Institute for Internet and Society (HIIG) shows that the new regulation is a suitable regulatory instrument for innovation processes and can even create competitive advantages if properly implemented.

Berlin, 14 May 2018 – Since the negotiations on the EU General Data Protection Regulation (GDPR) began in 2012, the new law has often been criticised as an obstacle for companies. The “principle of purpose limitation” would, it was argued, stand in the way of innovation processes. Shortly before the regulation becomes applicable on 25 May, Dr. Maximilian von Grafenstein, a researcher at the Alexander von Humboldt Institute for Internet and Society (HIIG), shows that innovative companies in particular can benefit from the GDPR. His doctoral thesis “The Principle of Purpose Limitation in Data Protection Laws” argues that the regulatory approach of the GDPR leaves personal data processing companies a significant leeway for its concrete implementation. This enables them to adapt the specific risks of their innovation processes to the legal requirements, which gives them a competitive advantage.

The GDPR replaces the current EU data protection directive on the processing of personal data and adapts the regulatory approach to the challenges of the internet age. The aim of the GDPR is to protect data subjects more effectively against the risks of data processing. For some observers, this is in conflict with the competitiveness of companies. With reference to case studies with start-ups conducted at the HIIG, the scientific work of Maximilian von Grafenstein proves that this does not have to be the case. “The work thus lays an important foundation, especially in the innovation area of data-based business models,” says Prof. Dr. Thomas Schildhauer, Director of HIIG.

The purpose limitation principle, which is an essential element of the GDPR, can serve as a proof of concept. The principle of purpose limitation requires data controllers to specify the intended purpose of its data processing before it is collected. To these indicated purposes, data controllers are bound, in principle, at all later stages. “At the beginning, however, it is often not yet clear where innovative companies in particular are heading and therefore they can only state the purposes of subsequent data processing with limited precision,” explains von Grafenstein, “My question was therefore how the principle of purpose limitation should actually be interpreted and whether it can be brought into line with innovation processes.”

The surprising result of his study, published by Nomos Publishing house, is that – contrary to the usual expectations – the principle of purpose limitation is not only open to innovation, but can even promote innovation. Von Grafenstein explains: “This is because the principle of purpose limitation leaves, as a legal principle, considerable leeway for its implementation and the data controller can reduce the high level of legal uncertainty, which results from that leeway, by means of co-regulation procedures. Such procedures are provided for in the GDPR primarily in the form of certification mechanisms and codes of conduct. In this way, a data controller can specify, together with the competent data protection authority, the concrete implementation of the principle. This is advantageous for the company in question because it increases legal certainty, which in turn can have a positive effect on innovation processes”. Thus, the principle of purpose limitation not only protects those affected by data processing, but also enables data controllers to use their specific implementation of this principle as a competitive advantage in their innovation processes. This innovation-promoting mechanism applies not only to the principle of purpose limitation, but basically to all other requirements of the GDPR. In sum, the doctoral thesis shows that if businesses, consumers and data protection authorities use these mechanisms in the aforementioned way, the innovation potential of the GDPR will develop to its full potential.

Further information: Open access to the dissertation

Press contact: Florian Lüdtke | phone: +49 30 200 760 82 | presse@hiig.de 

About the HIIG

The Alexander von Humboldt Institute for Internet and Society (HIIG) researches the development of the internet from a societal perspective. The aim is to better understand the digitalisation of all spheres of life. As the first research institute in Germany to focus on on internet and society, HIIG has established an understanding that emphasises the embeddedness of digital innovations in societal processes. As node in the Global Network of Interdisciplinary Internet & Society Research Centers, an initiative of scientific institutions worldwide in the field of interdisciplinary research on internet and society, the institute is trying to develop a European perspective on digital transformation.

The HIIG was founded in 2011 by the Humboldt-Universität zu Berlin, the University of the Arts Berlin and the Social Science Research Center Berlin, in alliance with the Hans-Bredow Institute for Media Research in Hamburg as an integrated co-operation partner. The research directors of the institute are Prof. Dr. Jeanette Hofmann, Prof. Dr. Dr. h.c. Ingolf Pernice, Prof. Dr. Björn Scheuermann, Prof. Dr. Dr. Thomas Schildhauer and Prof. Dr. Wolfgang Schulz.