The GDPR is based on concepts of data protection law that are no longer problem-adequate:
► The GDPR is linked to the processing of individual data (Art. 4 No. 1 GDPR). However, the individual date is irrelevant for many data processing operations (such as big data).
► The GPDR is linked to processing by a single controller (Art. 4 No. 7 GDPR). This is not adequate for cloud computing, the Internet of Things, platforms and other complex actor networks. The legal institutions of the GDPR that regulate the responsibilities when several actors are involved (Processor according to Art. 28; Joint Controller according to Art. 26) are insufficient.
► The GDPR links to processing in a central, local processing facility. This is outdated by global networking, cloud computing and blockchain. In many cases, data processing can no longer be assigned to a fixed physical resource.
► The principle of purpose limitation [Tile PC.09] excludes chance discoveries in the field of science (for example, the discovery of correlations).
► The principle of data minimisation [Tile PC.11] excludes from the outset processing that is in the public interest and relies on data retention.