Newsflash IT / Privacy
Stay informed about latest developments, court decisions and news in the IT- and privacy sector.
Data Protection | Need for action under data protection law in the light of current measures by the supervisory authorities and the record fine of EUR 14.5 million
8 November 2019
Berlin supervisory authority sets an example
At this year's Forum Wohnungswirtschaft at the Deloitte Greenhouse in Berlin, our data protection specialist Dr. Söntje Julia Hilberg explained the practical application of the new guidelines for the application and setting of fines in proceedings against companies within the scope of the EU General Data Protection Regulation (“GDPR”). The following article contains further details and our assessment of the recent decision to impose a fine of EUR 14.5 million and the resulting need for action by companies.
50,000 Euros against an online bank, around 200,000 Euros against a delivery service and most recently the highest fine to date in Germany, at 14.5 million Euros, against a real estate company. The Berlin supervisory authority has so far imposed the highest fines for breaches of data protection law in Germany, in very different cases. According to publicly available information, not only does the amount of the fines vary greatly, but the same also applies to the violations of data protection regulations that companies have been accused of: The content ranged from the processing of customer data on "black lists" to the non-observance of data subjects' rights and the use of archive systems for the storage of personal data.
In the following, we shed light on the background to the recently imposed record fine and then present the need for action for companies in the light of the recent practice of the supervisory authorities.
The decision of the Berlin supervisory authority
A detailed legal examination of the content of the administrative order imposing a fine is currently just as impossible as a final evaluation of its content. This is because the complete and well-founded decision on the fine is not yet available, which is why only a preliminary assessment based on the press release of the Berlin supervisory authority with brief explanations of the background [Link] is possible.
The press release issued by the Berlin data protection commissioner expresses the legal view that the company concerned has stored data without a legal basis.
According to the press release, the imposition of a fine for violations of Art. 25 (1) of the GDPR and Art. 5 of the GDPR was therefore "mandatory". The aforementioned standards contain provisions on data protection through technical design and data protection-friendly default settings (Art. 25 para. 1 GDPR) as well as general principles on the requirements for data processing (Art. 5 GDPR).
Both standards are characterised by the use of indeterminate legal terms which - unlike the "hard requirements" of the GDPR such as the obligation to keep records of processing activities or the appointment of data protection officers - are to be interpreted in individual cases by courts.
The company concerned has announced that it will defend itself against the allegations raised and used as the basis for the decision on fines and that it will have them reviewed by the courts [Link].
In the event that a judicial review actually takes place, it is to be expected that the court called upon to decide will deal with two questions: The first is whether the personal data were stored without a legal basis or whether there were possibly storage obligations that justified the storage. The second is whether and, if so, to what extent violations based on indeterminate legal concepts, such as those contained in Art. 5 and Art. 25 para. 1 GDPR, can be the appropriate subject of fine decisions.
Moreover, it would be interesting if the court responsible for the decision were to deal with the statement of the supervisory authority indicating that it is to be taken into account by reducing the fine that no abusive accesses to the archive systems could be proven. This statement by the supervisory authority could be understood as a special focus on technical and organisational measures to protect against unauthorised access (Art. 32 GDPR). Should this be the case, two (further) aspects should become interesting: First, one may ask oneself whether the supervisory authority may attach particular importance to certain regulatory areas, such as technical and organisational measures, and whether infringements can be weighted in a certain order of priority during on-site inspections. In the same way, it will be dogmatically interesting to find out why the supervisory authority, when exercising its discretion, takes into account the non-existence of certain infringements in order to mitigate the fine.
Recognizable practice of the supervisory authorities
In view of the supervisory authorities' practice to date and the concept of the data protection conference on the calculation of fines [LINK] published on 16 October 2019, the following initial findings for further development and future practice emerge.
1st finding: Data protection is no longer only "best practice"
The "GDPR warm-up phase" is over. Times in which data subjects and the supervisory authorities showed benevolent "goodwill" are a thing of the past.
We are currently at a stage that can be described as a "transitional phase": It can clearly be seen that compliance with fundamental requirements of data protection law is increasingly regarded as a matter of self-evidence, especially with regard to central data protection issues such as data subjects' rights or deletion.
As a result, supervisory authorities are increasingly turning to systematic reviews of various industries and an array of other data protection issues.
At the same time, however, it can be seen that the supervisory authorities do not as a rule immediately "crack down" on identified deficiencies. In all the cases described above, which led to fines, the supervisory authorities initially examined and objected to the findings with considerable lead time and then issued recommendations for remedying the identified data protection deficiencies. As far as can be seen, a thoroughly cooperative approach was adopted in each case. Only when no measures had been taken by those responsible over longer periods of time were the fines imposed. This step-by-step approach by the supervisory authorities is - to a certain extent - a consequence of the principle of proportionality of executive action and is certainly laid down in law and also indicated in practice.
However, it is conceivable that the "transition phase" that has now been initiated will not last too long. It can probably be assumed that further developments will result in supervisory authorities being increasingly reluctant to engage in discussions with those responsible in the event of serious infringements and - also for deterrence reasons - "taking action" more quickly and imposing fines.
2nd finding: Use the advice of the supervisory authorities as an aid
If one takes the case of the recently imposed record fine as an example, it quickly becomes clear that the supervisory authorities may (still) carry out on-site inspections and then to a certain extent inform the companies of the deficiencies to be remedied. This "homework" should then be thoroughly analysed by all data-processing companies. Legal opinions expressed by the supervisory authorities should not result in companies taking unthinking measures to remedy the alleged shortcomings. This is particularly true if, after consultation with data protection experts, it turns out that the legal situation in the event of a dispute could be assessed quite differently by the courts called upon to decide. Nevertheless, the information provided by the supervisory authorities should in any case be taken as an opportunity to review data processing - and in this context it is quite possible to continue to coordinate with the supervisory authorities if necessary. This applies all the more if the supervisory authority - as in the recent fine case - indicates that it is assuming a deliberate disregard of data protection principles.
3rd finding: Companies have influence over the calculation of the fine
Finally, it can clearly be seen that the supervisory authorities will in future adhere to the concept for the assessment of fines developed and adopted by the data protection conference and that a systematic sanction practice will develop in this respect.
On the basis of the DSK concept, fines will be calculated schematically on the basis of five parameters (company size, annual turnover, daily rates, severity and adjustment in the event of relieving circumstances).
In the event that a violation is identified and a fine may even be imposed, companies should in general cooperate with the supervisory authorities and pay particular attention to the possibilities of exerting influence on factors that may ease the burden. In the case of the recently imposed fine, the press release showed that the fact that (at least) initial measures had been taken with the aim of eliminating the established infringements had been taken into account in particular to mitigate the fine. To ensure that such circumstances can actually be taken into account "in an emergency" in favour of the addressee of the fine, companies should continuously document the measures they have initiated or taken. It can be seen from the previous cases that already documented efforts to remedy structural organisational problems can work in favour of the company.
A further "lever" in the most recent case that mitigated the fine was the "formally good cooperation" with the supervisory authority. This may be understood to mean that good cooperation with the supervisory authority can lead to lower fines, irrespective of the assessment or remedy of the content of the infringements.
It is therefore advisable to ensure constant communication with the supervisory authority and, in individual cases, to structure communication in such a way that it does not lead to fundamental discussions on data protection law - possibly even irrelevant to the specific accusation.
In any case, professional advice and, if necessary, legal assistance should be sought.
Companies should take the current decision of the Berlin supervisory authority as an opportunity to re-examine key data protection issues (e.g. determining the legal basis for data processing, implementing deletion concepts, dealing with enquiries from data subjects and managing data protection documents such as records of processing activities and data processing agreements). It is true that the press releases on the recently published fine do not provide any direct legal clarification, for example on how to deal with "legacy burdens" in archive systems. From a strategic point of view, however, it is advisable for companies to adjust to a new phase in the practice of the supervisory authorities. This includes, in particular, the requirement to thoroughly investigate any deficiencies found, for example in the case of investigations by the supervisory authority, and to contribute through cooperative behaviour to the fact that a fine in favour of the company may possibly be lowered.
Data Protection | European Court of Justice: Usage of Facebook Like-button creates joint data controller relationship and responsibility
23 August 2019
To what extent can a website operator be considered as a controller, jointly with the provider of a social network, when he embeds the Facebook “Like” button (social plugins) on his website and thereby collects personal data, which he then forwards to the provider? Which legal bases can justify such a processing?
The European Court of Justice addressed these issues in its ruling (LINK) of 29 July 2019 in Case C-40/17 (the so-called Fashion ID ruling). The starting point for the ECJ procedure was a request for a preliminary ruling from the OLG Düsseldorf in a procedure initiated by the Verbraucherzentrale NRW e.V. and aimed at issuing an injunction.
A website operator decided to embed the so-called Facebook “Like” button, a social media plugin, on its website in order to optimize the publicity of his goods by making them more visible on the social network Facebook.
Upon accessing the website of the operator, personal data of the visitor, such as the IP address of the user's device (mobile phone, laptop), were automatically collected and transmitted to the operator of the social network, Facebook.
In its decision, following the opinion of the Advocate General, Michal Bobek, the European Court of Justice held that a website operator who integrates a social media plugin into its website and the social media network operator who provides the social media plugin are to be considered joint controllers and, therefore, jointly responsible for data processing which is compliant with the relevant provisions set out in the EU GDPR.
In the Court's view, however, the responsibility of the website operator is limited to those phases of data processing for which the website operator has control over purposes and means, which in this case concerned the collection and transfer of the website visitors' data to Facebook. The ECJ argues that it is sufficient for the website operator's responsibility to arise that the website operator integrates the social media plugin and thus deliberately enables Facebook to collect data.
In addition, the ECJ clarified that the collection of information about the devices used by website visitors initiated by accessing the website was only permissible on the basis of a respective consent declaration by the visitor in question.
Although not directly relevant to the decision in the present case, the Court also clarified that, within the context of joint responsibility, Art. 6 para. 1 (f) GDPR requires that all controllers involved must demonstrate a legitimate interest in the processing of the data.
Consequently, if data processing is to be based on the consent of the data subjects, the declaration of consent must include and authorize all companies who are jointly responsible for data processing.
Finally, the ECJ clarified that the information to be provided in case of a joint controllership shall be limited to those phases during which the participating companies actually decide on the purposes and means of the data processing. In the present case, this means that the website operator has to inform about the collection and transfer of the personal data at the time the website is downloaded.
Best practices advice
In its long-awaited ruling, the ECJ has clarified some essential principles relating to the joint controllership. At the same time, the ECJ has given important guidance with respect to the scope of the joint responsibility for the processing of data, which is influenced jointly by the controllers involved.
In accordance with the decision, website operators who use social media plugins, in particular the Facebook Like button, are required to inform their users of the planned data processing before collecting and transmitting data to Facebook, and to obtain their users' consent. The information to be provided in this context and the consent itself must in particular include the joint data processing with the respective social network and the use of the data by it.
Special plugins or so-called 2-click solutions are available as technical solutions. If necessary, special notices within the cookie banner pointing out the particular features and functionality of the social media plugins and the relevant right of objection are also conceivable. If the social media plugin also collects information about the end user devices, the cookie banner must be extended by a possibility to declare consent to this data collection.
Declarations of consent and data protection notices must be (re)designed in such a way that all responsible parties involved in data processing are named in them and authorized by them.
Although the decision relates to a specific social media plugin, namely the Facebook "Like" button, the principles laid down by the ECJ must also be observed when using other social media plugins. Before their use, it should be carefully checked which user-related data are collected and made available to social networks and for what purposes they are used there.
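The following is an added example, not code from the original article or from any of the companies it discusses, of the 2-click approach and the consent requirements described above: the page first renders a purely local placeholder (no request reaches the social network), and only after the visitor actively clicks is the plugin script requested, with a consent record that names all joint controllers. The plugin URL, the controller names and the minimal FakeDocument stand-in for the browser DOM are all constructed for this example so that it runs offline; in a browser, the real `document` would be passed instead.

```javascript
// Constructed placeholder URL for the social network's plugin script.
const PLUGIN_SCRIPT_URL = "https://social-network.example/plugins/like.js";

// Minimal stand-in for the browser DOM so the example runs in Node.
// Only the methods the loader below uses are implemented.
class FakeDocument {
  constructor() {
    this.head = { appendChild: (el) => { this.headChildren.push(el); return el; } };
    this.headChildren = [];
  }
  createElement(tagName) {
    const el = { tagName, attributes: {}, children: [], listeners: {}, textContent: "" };
    el.setAttribute = (k, v) => { el.attributes[k] = v; };
    el.appendChild = (child) => { el.children.push(child); return child; };
    el.addEventListener = (ev, fn) => { el.listeners[ev] = fn; };
    el.click = () => { if (el.listeners.click) el.listeners.click(); };
    return el;
  }
}

// Builds a consent-gated ("two-click") social plugin widget.
// jointControllers: names of all parties jointly responsible for the processing
// (website operator and social network), which the consent record must cover.
function createTwoClickPlugin(doc, { scriptUrl = PLUGIN_SCRIPT_URL, jointControllers, now = () => new Date().toISOString() }) {
  if (!Array.isArray(jointControllers) || jointControllers.length < 2) {
    throw new Error("all joint controllers must be named in the consent");
  }
  const state = { activated: false, consentRecord: null, scriptsRequested: [] };

  const container = doc.createElement("div");
  container.setAttribute("data-plugin", "social-like");

  // First step: a locally rendered placeholder. Rendering it causes no
  // request to the social network, so no visitor data is transferred yet.
  const placeholder = doc.createElement("button");
  placeholder.textContent = `Activate "Like" button (data will be shared with ${jointControllers.join(" and ")})`;

  placeholder.addEventListener("click", () => {
    if (state.activated) return; // activating twice must not load the script twice

    // Record what the visitor consented to, naming every joint controller.
    state.consentRecord = {
      purpose: "social-plugin",
      controllers: [...jointControllers],
      givenAt: now(),
    };

    // Second step: only now is the third-party script requested. In a real
    // browser, appending a <script src> to <head> is what triggers the request.
    const script = doc.createElement("script");
    script.setAttribute("src", scriptUrl);
    doc.head.appendChild(script);
    state.scriptsRequested.push(scriptUrl);
    state.activated = true;
  });

  container.appendChild(placeholder);
  return { container, placeholder, state };
}

// Stand-alone demonstration using the constructed DOM stand-in.
function demo() {
  const widget = createTwoClickPlugin(new FakeDocument(), {
    jointControllers: ["Example Shop GmbH", "Social Network Inc."],
  });
  console.log("before click, scripts requested:", widget.state.scriptsRequested.length);
  widget.placeholder.click();
  console.log("after click, scripts requested:", widget.state.scriptsRequested);
  console.log("consent record:", widget.state.consentRecord);
  return widget;
}

if (typeof require !== "undefined" && require.main === module) demo();

module.exports = { PLUGIN_SCRIPT_URL, FakeDocument, createTwoClickPlugin, demo };
```

The design point is that the decision to contact the social network is made by the visitor, not by page load: the placeholder text discloses the joint controllers before any transfer, the consent record is created at the moment of the click, and the third-party script is appended only afterwards. The same loader works for any other social plugin by changing the script URL and the disclosed controllers.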
Based on past experience, in particular Facebook's reaction to the ECJ's June 2018 Facebook Fanpages ruling, it can be assumed that Facebook will soon make a Joint Controller Agreement available. It remains to be seen whether these agreements will then meet the relevant requirements.
Our colleagues, who specialise in advising on digital business models and data protection issues, will be happy to provide you with further information.
Data Protection | The German Parliament brings national law into line with the GDPR
29 July 2019
The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and is directly applicable across the EU.
In order to bring German law into line with the GDPR and to alleviate the frequently criticized burdens which the DSGVO has brought especially for small and medium-sized enterprises, the German Parliament (Bundestag) adopted (LINK) the so called “2nd Act to Adapt Data Protection Law EU” (2nd DSAnpUG-EU) on 28 June 2019.
The act aims at harmonizing the use of certain key concepts, adjusting the national legal basis for processing of personal data and determining the rules concerning the exercise of the rights of data subjects.
In addition to modifications of purely editorial nature and the adaptation of different legal bases for the processing of personal data, the 2nd DSAnpUG-EU also provides for amendments to the Federal Data Protection Act (BDSG), which have practical impacts for companies.
The conditions relating to the designation of a Data Protection Officer (DPO) have been relaxed with the aim of sparing small and medium sized enterprises.
On the basis of the so-called opening clause contained in Art. 37(4) GDPR, the German legislator has until now obliged controllers and processors to designate a DPO "if they constantly employ as a rule at least ten persons dealing with the automated processing of personal data" (Art. 38(1) sentence 1 of the Federal Data Protection Act). The 2nd DSAnpUG-EU has now set the threshold at 20 persons, with the consequence that many companies won't be obliged to designate a DPO anymore.
Nevertheless, despite this relaxation, it should be recalled that controllers and/or processors still remain subject to other data privacy provisions which provide for an obligation to designate a DPO.
If data processing operations are carried out which are subject to a data protection impact assessment pursuant to Art. 35 of the GDPR, or if personal data is processed commercially for the purpose of transfer, anonymised transfer or for purposes of market or opinion research, a data protection officer must be appointed regardless of the number of persons employed in processing (Art. 38(1) sentence 2 of the Federal Data Protection Act).
An obligation to designate a DPO may also arise from the provisions of the GDPR. In its Art. 37(1), the GDPR provides for situations where a controller/processor has to designate one. This is the case, for example, when the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or when the core activities consist of processing on a large scale of data relating to criminal convictions and offences.
Companies should therefore verify if they are obliged, under Art. 37(1) GDPR, to designate a DPO, or assess whether or not it would be advisable to designate one for preventive reasons.
The German Federal Council (Bundesrat) must now give its approval to the final version of the law.
Data Protection | Corporate liability for data protection infringements by employees
7 June 2019
The German Data Protection Conference (DSK) is an association of the independent data protection authorities of the German federal government and the German federal state governments. It regularly publishes guidelines dedicated to promote the uniform application of data protection law in Germany and the European Union.
The DSK has recently published a resolution in which it positions itself on the question of corporate liability for data protection infringements by employees (link) .
According to this resolution, companies, pursuant to Art. 83 of the General Data Protection Regulation (GDPR), shall be liable for data protection infringements committed by employees, regardless of their position within the company and independently of any breach of supervisory duties by the company owner.
In DSK's view, the addressee of fines imposed in this connection should be the company itself, not the employee concerned.
Exceptions shall only apply where an employee infringes data protection regulations and this infringement constitutes an "excess". For example, where employees of hospitals deliberately act in a way contravening data protection laws, this conduct shall in general not be attributed to the company. An example would be the sale of patient data by the employee of a hospital with the aim of personal enrichment.
The DSK justified its view by referring to the "functional corporate concept" of the European primary law. According to this concept, companies shall be liable for attributable infringements by all employees.
This understanding deviates from the national regulation in § 41 of the Federal Data Protection Act (BDSG). The provision refers to the Act on Administrative Offences (OWiG) in the context of the sanctioning of data protection infringements. According to § 130 para. 1 OWiG, the owner of a company can be fined for data protection violations committed by employees if these are based on a violation of supervisory duties. This administrative offence can then be attributed to the company via § 30 OWiG. However, the OWiG differs from the sanction regime of the GDPR in a multitude of issues. The extent to which the (functional) corporate concept used in the GDPR corresponds to that of the OWiG remains controversial, which leads to uncertainties particularly with regard to corporate structures.
The DSK therefore calls on the federal legislator to make appropriate changes when adapting national data protection legislation.
The resolutions of the DSK do not constitute legally binding acts and are therefore more of a recommendatory nature. However, the DSK correctly points out that the coalition agreement between the German government parties (link) already provides for amendments of the penalty law in the area of white-collar crime for companies in line with the above-mentioned interpretation of liability attribution.
A future adaptation of the national provisions on corporate liability to the regulations of the GDPR cannot be excluded.
In order to avoid data protection infringements, it is advisable for companies to familiarise all employees intensively with the current data protection law and keep them informed of the relevant developments.
Data Protection | The German Parliament passes the Act on the Protection of Trade Secrets
4 April 2019
The German Parliament has recently passed the Act on the Protection of Trade Secrets which is expected to enter into force later in April this year (Link).
Thereby, the German legislator has implemented the provisions of the European Directive on the Protection of Undisclosed Know-how and Business Information (Link) into national law and for the first time comprehensively regulates the protection of trade secrets.
The main novelty is the legal definition of trade secrets. Not only the confidentiality of the information is decisive, but also whether appropriate confidentiality measures have been taken in order to protect the information. Whether or not the information is protected under the Act will therefore no longer be a matter of the subjective intention of secrecy. Further novelties are extended claims for breach of secrecy: In addition to claims for injunction, damages and information, the companies affected are also entitled to claim for destruction, recall and return of the information.
As regards the specific opportunities that the Act and the underlying Directive may bring along when it comes to the Protection of algorithms in big data applications, we refer to the article published by our colleague Katharina Scheja.
It is recommended that companies examine whether their trade secrets are appropriately protected in order to fall within the scope of the Act.
Data Protection | The German Federal Cartel Office prohibits Facebook from combining user data from different sources
25 February 2019
In a recent decision, the German Federal Cartel Office, the Bundeskartellamt, has expressed its concerns regarding the collection of user data by Facebook. In that context, it first concluded that Facebook holds a dominant position in the market for social networks in Germany. According to the Bundeskartellamt, this market power is abused by Facebook's unrestricted collection and combination of data from Facebook subsidiaries such as Instagram and WhatsApp or third-party pages related to the company (e.g. through the use of "Like" buttons) without the relevant consents of the data subjects having been obtained. Facebook will now, within the next twelve months, have to adapt its data processing so as to comply with current data protection law, as interpreted by the German FCO.
The decision met great approval from consumer protection organizations. Nonetheless, critical voices questioned the approach of the Bundeskartellamt and denied its competence for such an important data protection decision. These voices also refer to the possibility of lawful data processing based on other legal grounds, such as legitimate interest or the purpose of performing a contract. In such cases, the consent of the data subject is not needed.
The present case shows how difficult the implementation of the provisions of the EU General Data Protection Regulation (GDPR) can be. In particular, the issue of consent repeatedly leads to uncertainties in the daily (digital) business. This is also shown by the result of a data protection audit on digital services carried out by the Bavarian State Office for Data Protection Supervision dated 5 February 2019: Out of forty websites using tracking tools, not even one provided for sufficient tools to obtain valid consent to the use of tracking tools compliant with the GDPR.
Data Protection | Guidance related to declarations of consent and data processing agreements
15 February 2019
Dealing with the requirements of the EU General Data Protection Regulation (“GDPR”) involves considerable effort for many companies. In practice, companies in particular complain that it is not always possible to clearly establish the scope of data protection obligations associated with certain factual circumstances. In view of the fact that certain parts of this piece of legislation may require some interpretation and the differing views held on these issues, many companies often find it difficult to implement elementary legal projects of the GDPR. Against this background, many companies would like to see more clarity with regard to their existing data protection obligations and possibilities.
At the same time, since the attempt to comply with all rules is often associated with considerable effort, templates that provide an initial orientation and take up the elements prescribed by data protection law are often of considerable value to legal department employees and data protection officers.
In this context, it should be noted that the data protection authorities regularly publish helpful information, templates and statements on various data protection issues. For example, the data protection authority of Hessen recently published a German language formulation aid for data processing agreements and the data protection authority of Thuringia recently published an example of a German language form for a declaration of consent to data processing.
Notwithstanding the fact that the use of templates can contribute to an efficient and legally compliant implementation of data protection requirements, it should always be examined on a case-by-case basis whether the templates are suitable for the respective purpose and whether and to what extent they have to be adapted against the background of the respective case constellation.
With regard to consent to data processing, it should in particular be noted that such consent is only effective if it is freely given. Particular attention must therefore be paid to this, for example, in employment relationships due to the typically existing dependence of the employee on the employer. Particular care should also be taken when obtaining consent for the processing of special data categories (e.g. health data or biometric data). Here, explicit consent is always necessary.
In view of these special requirements, it is always advisable to examine whether legal bases other than consent could be used to justify the data processing. Depending on the facts of the case, data processing may be justified, for example, by the fact that it serves to fulfil a contract or is necessary to safeguard the legitimate interests of the data subject or a third party. The latter can, however, be accompanied by increased argumentation and documentation efforts.
Templates for data processing agreements can also serve as helpful guidance and aid for the drafting of contracts. However, it should always be critically examined whether the regulations provided for in the template are appropriate for the individual case in question. Particularly when concluding intragroup data processing agreements, careful consideration should be given to whether the agreement should generally be drafted in favor of or to the detriment of one of the parties or whether balanced regulations are recommendable. Particularly in the case of intra-group agreements, it may also be advisable, for example, to include or adjust regulations on the inspection rights of the controller, on the remuneration of the processor and on the liability of the parties in accordance with internal company practice.