What has the DSGVO ever done for us?

The DSGVO & mail spam

Hip Berlin Fintech people were not even born when the British comedy group Monty Python brought “The Life of Brian” to the cinema. “What has the Roman Empire ever done for us” therein is a biting scene about the perceptions of the new infrastructure of the Roman Empire for their subjugated provinces. After my disappointing experiences with spam emails in the last few days, I ask today in the context of Monty Python: What has the DSGVO ever done for us?

The General Data Protection Regulation, known in Germany as the DSGVO, has stood for a rather negative user experience for me from the very beginning:

  • Annoying clicks and instructions at every visited website
  • Double-Opt-Ins of all anyway “serious” newsletters
  • New carte blanche to say “no” for eternal blockers and preventers
  • Additional costs with many cloud providers for special European DSGVO compliance
  • Blocked websites from US sites for Europeans

DSGVO failed in one particular segment

But the DSGVO also stands for relaxed BigTechs, who were actually supposed to be “tamed” by the DSGVO but, it feels, de facto carry on just as before, while many SMEs, clubs and bloggers without significant budgets and compliance departments groaned under the DSGVO requirements… so what has the DSGVO ever brought us?

Yes, yes, I know: the DSGVO is internationally regarded as a success story in data protection, it is even a model for other laws and it was supposed to give back data sovereignty to end customers, which to some extent worked. But is that really the case in reality on a broad basis?

What has the DSGVO ever done for us? A look at e-mail spam under the DSGVO

I would like to use the example of “spam” to show that the DSGVO has failed in the e-mail segment. A small marginal note: the term “spam” is also due to Monty Python. Actually, the DSGVO should help. Without an opt-in from me as a user, I am not allowed to receive unsolicited e-mail (aka spam). That did not work already once! The bad guys out there who spam or phish are not interested in the DSGVO, and neither are those who offer my personal data from the various database hacks on the darknet for payment. The DSGVO was/is completely ineffective against spam and phishing! But what does it actually look like with supposedly reputable providers? What has the DSGVO done for us there?

Ineffectiveness of the DSGVO – the example of mail

For a long time it has been annoying me that spam messages, despite DSGVO and spam filters, are becoming more and more. I am annoyed by unsolicited invitations to video conferences from strange B2B providers. I’m annoyed by invitations to any services that “only” need 30 minutes of my time for a call in the next days to pitch their “great” product. Sure, such dubious providers disqualify themselves immediately by their form of address. But how is it with actually respectable providers? Vendors that are even in a regulated business… even in the financial services segment…? The result is similar: My mailbox is filling up with unsolicited advertising, despite the DSGVO. Two concrete examples this week, which show that somehow it hasn’t made any difference with e-mails… this DSGVO.

Smava and the spam-slinging Tricolux

For some time now, I have been noticing the Irish spam-slinging company Tricolux in a very negative light. Several times a week, they send unsolicited advertising and the spam filter is optimized for a new sender e-mail address. Tricolux is probably the technical service provider, but the advertising comes from well-known consumer goods manufacturers, lottery providers, dating portals and again and again from the Fintech colleagues of Smava. Smava markets its consumer loans through this spam platform. I have given neither Smava nor Tricolux my opt-in for the forwarding and storage of my email including address. The opt-out in the mail (unsubscribe from the newsletter), on the other hand, I have pressed so often that I would have to get blisters on my fingertips. It has rather the opposite effect.

In the beginning, I got advertising every x weeks only from Smava, but after the opt-out I got more rather than less advertising via Tricolux. Even my direct complaint to Smava via Twitter went unheard. Obviously my colleagues are simply not interested in the DSGVO. Dear Fintech colleagues of Smava, such dubious behaviour only confirms all Fintech critics in their clichéd prejudices that Fintechs/start-ups don’t care about compliance anyway. Unfortunately, even I have no more arguments pro-Fintech, with such a procedure! The question also arises whether the partner banks of Smava agree to the use of their logos in such emails and channels. Since, for example, many DKB colleagues always like to read along: what do you think about this use of your brand?

AWS and the convulsive attempt to get relevance in regulated hosting

The sales colleagues from Amazon Web Services (AWS) in Germany seem to be under extremely high pressure to close the deal. For some time now, they have been attracting attention with an extremely persistent sales approach. For commodity business hosting, with quite comparable products, this is perhaps a comprehensible approach. Less comprehensible, however, is the fact that Amazon in particular, as Bigtech, obviously does not take the DSGVO too seriously. There is one flavor above all, since they want to address more customers in the hosting of regulated financial service providers!

Not a psychic

Some time ago an intro was made to me: The Fintech sales colleague from AWS wanted to talk to me as a blogger. I should help him with tips to identify the future Fintech stars as early startups. Interestingly, the request did not go to my Payment&Banking eMail address but to my Corporate Traxpay eMail. A prankster who thinks evil, because the colleague introduced himself as the relationship manager of Traxpay. I just replied coolly that I lacked the gift of predicting lottery numbers as well as recognizing the future Fintech-Unicorns early – otherwise I wouldn’t do the job I was doing. Another thing that made Traxpay a relationship manager at AWS, without doing business with AWS and without any intention of doing so, was that I couldn’t resist;

A few months later another AWS guy wrote to me and even wanted me to go to Bafin with AWS to lobby for AWS as a hoster for financial services. Nice wish, what are you dreaming of at night? I just thought to myself. The tail (AWS) wants to wag the dog (StartUp/Customer). Where is this alleged radical customer focus that Amazon's German boss always talks about? Unfortunately, I can only see an extreme sales closure focus.

“The Amazon Web Services tail wants to jiggle the dog.”

Anyway, we were not interested in AWS Hosting (=Commodity), nor did I see it as a blogger or as the then Traxpay CFO as my job to do the homework for AWS. For me at that time the matter was done, even if I can still get upset about this quite self-confident claim of an exchangeable background service provider.

Now this week I received electronic mail from AWS to the old Traxpay address again. A mass email with the invitation to a virtual Financial Services Forum. The mail came from another AWS distributor. I had never agreed to the “blogger email conversation”, which was actually a sales pitch for Traxpay, being cold spoken, to save the data for advertising purposes. Of course, I had not subscribed to any other AWS newsletters. So the Opt-In is missing at Amazon! In the invitation I also missed the Opt-Out! Basic basics of DSGVO compliance are ignored by the sales department of a hosting provider, who wants to enter so aggressively into business with regulated financial service providers. Exactly my humor :)

I immediately complained to the sender of the AWS email, received an apology and the promise that a “no response” would be added to the database. Isn’t there the next DSGVO faux pas coming around the corner? Since I never agreed to a storage of my data, these data should not be in the sales database at all, right? Shouldn’t the sales colleague have deleted the data? I personally do not blame the AWS sales colleague. There seems to be a fundamental structural problem here, combined with strong pressure on sales contracts in the financial services sector. Nevertheless, with a twinkle in my eye, I ask once again in this context: What has the DSGVO ever done for us?

Bottom line:

Against spammers and criminals the DSGVO has always been a blunt sword. The longer the DSGVO has been in effect, the more it seems to be ignored in the daily sales and marketing business. Who takes the trouble to write to overloaded data protection officers? Who even calls in lawyers? What is frightening, however, is that even companies that work close to the regulated financial business, especially when it comes to acquiring new customers, ignore any DSGVO compliance. Smava and AWS, do you really need such a procedure? Do you need or do you want to put your names in the same line as many other really dubious email spammers? What has the DSGVO done to you?

Jochen Siegert
Jochen Siegert is an experienced entrepreneur, investor and expert in digital transformation. He is currently responsible, as Managing Director, for Deutsche Bank's global asset platforms. He looks back on more than 20 years of experience in introducing and managing innovations /...