Germany has been, and still is, a forerunner in privacy and data protection law. In 1970, the German state of Hesse enacted the world's first Data Protection Act. The other states soon followed, and on 1 January 1978 the first German Federal Data Protection Act (BDSG) entered into force. These acts established basic principles of data protection, such as the requirement of a legal permission or the data subject's consent for any processing of personal data. In 1983, the German Federal Constitutional Court held that the individual even has a constitutional right to 'informational self-determination'. The background to this groundbreaking verdict was a census planned for the year 1983, which essentially aimed to count the entire German population by means of electronic data processing. The people of Germany were anything but pleased with this idea and, as a consequence, more than 1,600 complaints were filed with the Federal Constitutional Court against the census law that the German parliament had adopted specifically for this census. Finally, in December 1983, the German Federal Constitutional Court declared certain provisions of the Census Act to be unconstitutional.
Over time, the German Federal Data Protection Act was amended to meet the requirements of a society in which data processing has grown ever more important. Digitalisation in particular raised many questions that needed to be addressed. With this in mind, the legislator passed, among other things, the German Telemedia Act (TMA) in 2007, which stipulated the duty to safeguard data protection during the operation of telemedia services. However, since data protection law and telemedia law became increasingly intertwined through the internet, the European legislator planned for the ePrivacy Regulation replacing the TMA to come into force at the same time as the General Data Protection Regulation (GDPR). Whereas the GDPR has been applicable since 25 May 2018, the ePrivacy Regulation is still subject to negotiations at the European level and will probably become applicable in 2023. For this reason, the following text provides an overview of the current legal situation in Germany, presenting the changes and the challenges of a new era of data protection in connection with digitalisation.
II THE YEAR IN REVIEW
The past year, like the year before, was characterised by efforts to compensate for the legal uncertainties caused by the new provisions of the GDPR. To this end, the German data protection authorities published several working papers to give companies guidance on adjusting to the new data protection rules. Although the GDPR is directly applicable and does not have to be implemented into national law, it contains numerous 'opening clauses' that allow Member States to introduce additional national provisions concretising the GDPR for specific issues (e.g., in connection with employees) within its legal framework.
The German legislator used this leeway and adopted a Data Protection Adaptation Act which, in particular, introduced a new version of the BDSG that has applied since 25 May 2018. In the meantime, a second Data Protection Adaptation Act was passed, which mainly adapted the provisions governing the processing of employees' data and the obligation to appoint a data protection officer. The threshold above which data controllers are obliged to designate a data protection officer was raised from 10 to 20 persons constantly employed in automated data processing activities.
Before the GDPR came into force, the mass media frequently reported on the high fines Data Protection Authorities (DPAs) are authorised to impose when infringements occur. In the case of serious data protection violations, DPAs can indeed impose fines of up to €20 million or 4 per cent of annual global turnover, whichever is higher. From 2019 onwards, controllers have seen that these were not empty promises. The German DPAs agreed on a fining model – Bußgeldmodell2 – which, inter alia, takes into account the violating company's yearly turnover and the severity of the violation. In line with this calculation, in 2019 a German telecommunications provider was fined €9,550,000 for insufficient technical and organisational measures, and a housing association had to pay €14,500,000 for using an archiving system for the retention of tenants' personal data that did not provide any possibility of deleting data that was no longer required. These fines clearly showed that the informal grace period is over and the law in force must be obeyed.
Although the GDPR maintains the main concepts of data protection as we knew them before, or amends details of them (e.g., data processing is still prohibited if not explicitly permitted by the data subject or a law, the legal bases for the transfer of personal data into non-EU countries or the obligation to designate a data protection officer), the new rules also bring some important changes. Small companies and non-profit organisations, in particular, are unsure about how to implement the GDPR, even after the regulation has been applicable for several months.
First and foremost, the GDPR extended its territorial scope, which means that non-European companies may also fall within it; in a globalised economy, this makes it the first data protection law with worldwide reach. It applies to (1) all companies worldwide that target European markets and in this context process the personal data of European Union citizens (irrespective of where the processing takes place) and (2) those that process the data of European citizens in the context of their European establishments.
Since the GDPR has tightened the requirements for obtaining valid consent to process personal information, in practice the relevance of consent as a legal basis has decreased and the focus has shifted to the legitimate interest of the data controller. Companies will therefore have to assess their processes to make sure they process personal data lawfully, and to review whether it is advisable to refrain from seeking consent and instead rely on a legal justification with fewer prerequisites and no possibility of being revoked at any time.
As a consequence, upon request of the DPAs, companies have to provide proof that they fulfil their obligations under the GDPR. The authorities no longer need to investigate and prove the infringements themselves. The GDPR also introduced mandatory privacy impact assessments (PIAs). It requires data controllers to conduct PIAs where the risks of a privacy breach are high, in order to minimise risks to data subjects. This means that before organisations can begin projects involving special categories of personal data, such as health data, they will have to conduct a PIA and work with the data protection offices to ensure they remain in compliance with data protection laws as projects progress. To minimise uncertainty about whether a PIA should be performed, the German DPAs issued 'blacklists' of processing activities that always require a PIA.3
Additionally, the GDPR expanded liability beyond the data controllers. In the past, only data controllers were considered responsible for data processing activities, but the GDPR extended liability to all organisations that process personal data. The GDPR also covers any organisation that provides data processing services to the data controller, which means that even organisations that are purely service providers that work with personal data will need to comply with rules such as data minimisation.
To sum up, the increase in obligations and fines is also likely to force previously idle organisations to rethink their positions.
IV REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The GDPR defines personal data as 'any information relating to an identified or identifiable natural person'. This definition applies to all personal data handled by electronic information and communication (telemedia) service providers.
ii General obligations for data controllers
The privacy provisions of the GDPR address data controllers, namely entities that process personal data on their own behalf or commission others to do so. Telemedia service providers acting as data controllers may collect and use personal data only to the extent that the law specifically permits pursuant to Article 6 GDPR.
One relevant legal basis is still the consent according to Article 6(1)(a) GDPR which may be given electronically, provided the data controller ensures that the user of the service declares his or her consent knowingly and unambiguously, the consent is recorded, the user may view his or her consent declaration at any time and the user may withdraw consent at any time with effect for the future. These principles accord with Article 7 GDPR, which requires consent to be based on the voluntary and informed decision of the data subject. Consent, however, is not always required.
As mentioned before, the focus in justifying data processing activities has shifted towards the legitimate interest basis pursuant to Article 6(1)(f) GDPR. To rely on it, the data controller must perform a three-part test: identify the legitimate interest, explain why the processing is necessary to achieve it, and balance that interest against the data subject's interests, rights and freedoms. As long as the data subject would reasonably expect the respective processing activities and they have a minimal impact on the individual's privacy, no consent is needed. However, as with consent, the data subject has the right to object to processing activities based on legitimate interest at any time according to Article 21(1) GDPR. The important difference is that the data controller may continue its processing activities despite the data subject's objection if it can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms.
Moreover, personal data may only be collected for specified purposes that the data controller has determined before the collection takes place. The data must not be used for secondary purposes that are incompatible with the collection purpose. When verifying the compatibility between the primary collection purpose and a secondary processing purpose, the criteria named in Article 6(4) GDPR are of paramount importance.
To ensure the transparency of data processing activities, the data controller is obliged under Articles 13 and 14 GDPR, inter alia, to inform the user of the extent and purpose of the processing of personal data. Although the DPAs in Germany were initially hesitant to allow a layered approach to providing the legally prescribed information, a change is emerging. Regarding video surveillance, the German Data Protection Conference permits splitting the information into essential information that must be provided on site and further information that can be consulted online.4 Individual DPAs generally follow the layered approach suggested by the European Data Protection Board.5
iii Technological innovation and privacy law
In the end, the preliminary ruling was adopted by the Federal Court of Germany in a decision dated 28 May 2020.8 Still, it remains unclear whether a cookie that is not technically necessary always requires consent; for example, it is debatable whether cookies that only measure the reach of a website require consent. In any case, according to the German Data Protection Conference, prior consent is required for the use of tracking mechanisms that monitor the behaviour of data subjects on the internet and create user profiles. Thus, informed consent within the meaning of the GDPR is required in the form of a declaration or other clearly affirmative action taken prior to data processing (i.e., before cookies are placed on the user's device).9 For example, neither legitimate interest nor the performance of a contract can constitute a valid legal basis for the use of Google Analytics.10
The reason for this discussion and the legal uncertainty is not only the insufficient implementation of the updated ePrivacy Directive, but above all the fact that the ePrivacy Regulation did not enter into force on time and has not even been passed. For now, it is advisable to fulfil all the requirements of the GDPR, which means that consent has to be obtained before tracking the user.
Social media becomes more popular each day as the number of users grows. The same applies to the opportunities and smart solutions offered by using these media. Most social media platforms are free of charge. Users pay with their personal data, even though many of them are not even aware of this fact. That is why the European legislator stipulated in the principles of processing in Article 5 GDPR that processing has to be transparent and the controller shall be responsible for obeying this principle.
An important part of the transparency principle is providing understandable information about the division of roles when several parties are involved in processing personal data, as the ECJ's ruling on Facebook fan pages has shown (ECJ, 5 June 2018 – C-210/16). In this case the ECJ stated that the fan page operator and Facebook act as joint controllers. Although the main responsibility for data collection lies with Facebook, it is theoretically possible for page operators to place cookies on a visitor's device, even if the visitor does not have a Facebook account. According to the ECJ, this, together with the fact that fan page operators receive the visitor's user data (even if anonymised) and can use it for parameterisation, leads to joint responsibility of the site operators. This is particularly because the collection of this data cannot (yet) be deactivated. Until Facebook grants this option to its users, the ordinary fan page operator remains jointly responsible for the collection of user data. The ECJ does take account of the significant imbalance in the use of data between Facebook and the operators of the respective fan page, in that the degree of responsibility may be assessed differently in individual cases; nevertheless, in the court's opinion, Facebook and the fan page operators are still joint controllers.
Facebook reacted and published a Page Insights Controller Addendum to fulfil the requirements established by the ECJ regarding joint controllership. Nevertheless, the German Data Protection Conference found these adjustments insufficient and therefore in violation of the GDPR. In particular, Facebook grants itself sole decision-making power in respect of the processing of insights data, which conflicts with joint controllership pursuant to Article 26 GDPR. Furthermore, Facebook does not describe the processing activities relating to fan pages in a transparent way.11
While the ECJ confirmed its findings in respect of the joint controllership in the Jehovah's Witnesses decision (ECJ, 10 July 2018 – C-25/17), they will be relevant in another dispute before the ECJ involving Facebook. The Düsseldorf Higher Regional Court has asked the ECJ, inter alia, whether a German online retailer that includes the 'Facebook Like' button on its website is a joint controller alongside Facebook. The Advocate General confirmed joint controllership and set a low threshold for assuming joint controllership (Opinion of Advocate General Bobek, 19 December 2018 – C-40/17).
However, this decision and the German Federal Court's decision regarding the obligation of Facebook to provide heirs with access to the digital postbox of the decedent (BGH, 12 July 2018 – III ZR 183/17), clearly show that social media is now being regulated more strictly.
V INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
The international transfer of personal data is regulated within the framework of Articles 44–50 GDPR. There is a general distinction between transfers within the EU and EEA or to one of the 'trusted countries' for which the European Commission has confirmed by means of an 'adequacy decision' that these countries ensure an appropriate level of data protection on the one hand and transfers to third countries on the other. For an international data transfer to be lawful, it must comply not only with the aforementioned articles, but must also be in compliance with the general provisions pertaining to the legality of processing operations involving personal data.
i Data transfer within the EU or EEA
In contrast to the former legal situation, the GDPR does not explicitly stipulate that there is no difference between transfers within Germany and transfers within the EU or EEA. Therefore, the only distinction made is between domestic transfers (within the EU or EEA) and those outside the EU or EEA.
ii Data transfer to countries outside the EU or EEA
If a private entity intends to transfer personal data internationally to another entity located outside the area of the EU or EEA (a third country), Article 44 GDPR specifies the requirements for such a transfer. In this respect, personal data shall not be transferred when the data subject has a legitimate interest in being excluded from the transfer. A legitimate interest is assumed when an adequate level of data protection cannot be guaranteed in the country to which the data are transferred.
An adequate level of data protection exists in certain third countries that have been identified by the European Commission. These are Andorra, Argentina, Guernsey, the Isle of Man, Canada (limited), the Faroe Islands, Israel (limited), Jersey, New Zealand, Japan, Switzerland and Uruguay. Any transfer of personal data to these countries will only have to satisfy the requirements of domestic data transfers.
Uncertainty currently surrounds data transfers to the United States. After the ECJ declared the Commission's Safe Harbour principles invalid, the Commission enacted the EU–US Privacy Shield. Under the protection of the new Privacy Shield principles, the United States was found to have an adequate level of data protection until the ECJ invalidated this transfer mechanism on 16 July 2020.12 The ECJ also ruled that standard contractual clauses are only valid when the data exporter has positively assessed that the data importer is in a position to comply with the requirements stipulated in these clauses under the importer's national legislation. This requirement in particular may be problematic to fulfil where governmental organisations do not need a judicial order to access data.
Data transfers to any other non-EU country may be justified by the derogation rules of Article 49 GDPR. Accordingly, the international transfer of personal data is admissible if:
- (a) the data subject has given his or her consent;
- (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request;
- (c) the transfer is necessary for the conclusion or performance of a contract that has been or is to be concluded in the interest of the data subject between the controller and a third party;
- (d) the transfer is necessary for important reasons of public interest;
- (e) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;
- (f) the transfer is necessary to protect the vital interests of the data subject; or
- (g) the transfer is made from a register that is intended to provide information to the public, and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law are fulfilled in the particular case.
The most relevant grounds are those given in (b), namely if the transfer is necessary to perform a contract between the data subject and the controller. This includes international monetary transactions and distance-selling contracts as well as employment contracts. All transfers in this respect have to be essential for the purposes of the contract.
Any consent within the meaning of (a) will only be valid if the data subject was informed about the risks that are involved in data transfers to countries that do not have an adequate standard of data protection. In addition, the consent has to be based on the data subject's free will; this may be difficult if employee data are involved.
If none of the aforementioned exceptions applies, the transfer of personal data to third countries with an inadequate level of data protection is nonetheless possible if, among other requirements, the competent supervisory authority authorises the transfer. Such an authorisation will only be granted when the companies involved adduce adequate safeguarding measures to compensate for a generally inadequate standard of data protection (see Article 49(1)2 GDPR). In practice, however, the primary safeguarding measures are the use of standard contractual clauses issued by the European Commission and the establishment of binding corporate rules.
The free flow of data between the EU Member States and the United Kingdom (UK) depends on whether the UK and the EU can reach an agreement covering data protection before the UK leaves the EU, or whether the UK, after Brexit, has created a legal situation that meets European data protection requirements and can thus be regarded as adequate. The current Withdrawal Agreement13 between the EU Member States and the UK has created the basis for a 'soft Brexit'. This will not initially change anything for companies. According to Article 127 Paragraph 1 in conjunction with Article 126 of the Agreement, Union law, including the GDPR, continues to apply for a transitional period until 31 December 2020. Thus, the UK will not be qualified as a third country for the time being. However, it remains questionable how data transfers can be performed after the transition period expires. Depending on the negotiations in 2021, the UK could be treated as a third country equivalent to, for example, India or China from a data protection perspective. In that case, personal data could only be transferred to the UK once companies have implemented the above-mentioned safeguards, namely standard contractual clauses or binding corporate rules, if no derogation pursuant to Article 49 GDPR is applicable. In the end, attesting that the UK has an adequate level of data protection remains a purely political decision, because it is probable that the UK will stick with the GDPR requirements, as this law has been applicable for a few years and companies have already implemented it.
VI PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
Germany has a Federal Data Protection Agency and 17 state data protection agencies. These often act in concert when making recommendations on how customers can navigate safely through the internet. In addition, German experts often discuss the data protection problems that arise from the widespread collection of data by search engines and social media, and the use of these data to profile the data subject for commercial purposes.
The state data protection agencies are authorised to supervise the data privacy compliance of state entities, as well as all non-public entities whose principal place of business is established in the particular state and that are not subject to the exclusive jurisdiction of the federal supervisory authority. In states that have enacted a freedom of information act, the state supervisory authorities are typically also charged with supervising the act's application by state entities.
The heads of the supervisory authorities are typically appointed by the federal and state parliaments respectively, and are required to report to their respective parliaments.
ii Material enforcement cases
One of the most discussed amendments specified by the GDPR and the new BDSG is the dramatic increase in the framework for fines. Before, the fines for data protection breaches were up to €300,000 per breach. Now, fines are up to €20 million or, in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher. This massive increase is directly aimed at Big Data companies, which are often suspected of processing data in an unlawful way, and can be used as a sharp sword to ensure conformity with the GDPR. In particular, the dynamic, turnover-dependent cap aims to achieve a deterrent effect even on the wealthiest companies worldwide.
As stated above, the German DPAs have started to make use of their fining range and imposed a few fines that exceeded the million euro mark. Not only were telecommunications providers and housing entities asked to open their wallets, but a German health insurance company was fined €1.24 million for accidentally sending advertisements to data subjects without having asked them for prior consent. Furthermore, some minor fines in the six-digit range were imposed as well. Most infringements are caused by insufficient internal compliance activities of companies where the responsible management carelessly contravened the high standards of data protection law (e.g., through video surveillance or keylogging). Another source of data protection breaches is the lack of employee training, which should ensure that everybody in the company has the necessary knowledge to handle personal data in a lawful way.
iii Information obligations in context of private litigation
The GDPR obliges the data controller to provide the data subject with certain information about the data processing (see Articles 13 and 14 GDPR). It must inform the data subject about the identity and the contact details of the controller, the contact details of the data protection officer, if applicable, the purposes of the processing and its legal basis, the source of the data, where applicable, to whom they are disclosed, the duration of processing and the retention policy. Additionally, the data subject must be informed regarding all his or her rights granted by the GDPR. In detail, this notification has to contain information concerning the right to information, right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object and the right to lodge a complaint with a supervisory authority. This clearly shows that the data subject is being given numerous rights, but also that the controller will have to invest more effort in satisfying the requests in a proper way, which is a question of time and expense.
The privacy rights and remedies of telemedia users are governed to a large extent by Article 77 GDPR (the right to lodge a complaint with a supervisory authority) and Article 82 GDPR (the right to compensation). Data subjects may enforce their rights through the judicial remedies provided in civil law. Injunctive relief as well as damages can be claimed. In particular, damages for pain and suffering from data protection violations can be claimed under civil law.
In Germany, the DPAs are not necessarily involved in enforcing the rights of individual data subjects. Instead, complaints against domestic controllers can first be lodged with the company's in-house data protection officer.
However, in the event of unsatisfactory contact with the company data protection officer, the supervisory authority and the civil courts can, of course, be called upon.
In addition, some market participants have started to take legal action against their competitors for violating data protection laws. So far, the Federal Court of Germany has not ruled on whether a breach of the GDPR or other data protection laws may constitute unfair conduct under the German Unfair Competition Act. Recently, an increasing number of higher regional courts have confirmed that GDPR infringements are actionable under this Act. A market participant that fails to provide information about the processing of personal data in accordance with Article 13 GDPR within the scope of its internet presence therefore faces the threat of being admonished by a competitor. Other courts hold that the GDPR and other data protection legislation cannot be understood as rules that also protect fair competition, and have thus declined claims under the Unfair Competition Act. That is why many companies and their advisors are awaiting the Federal Court's decision to find out whether they can breathe a sigh of relief or must immediately start checking their policies and practices.
VII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
As data protection gradually becomes a question of technical measures, especially cybersecurity, Article 32 GDPR determines that pseudonymisation and encryption have to be applied to lower the risk of harm to data subjects in case of data breaches. A considerable number of fines imposed in 2019 in Europe were grounded on inappropriate technical measures.
That is why it is always worth emphasising that the implementation of technical and organisational measures may spare the controller from having to notify a data breach to the relevant authority, because the risk to the rights and freedoms of natural persons was reduced from the start. Article 33(1) GDPR stipulates that data breaches shall, where feasible, be notified by the controller to the supervisory authority within 72 hours. Controllers therefore have to implement an effective data protection management system to be able to meet this deadline. Otherwise, a violation of this provision alone can be punished with a fine of up to €10 million or, in the case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year.
Even two years after its introduction, the GDPR is still not fully understood and can often only be interpreted teleologically. There are 18 data protection authorities in Germany, which follow slightly different interpretations of the GDPR. This makes consultation in data protection matters even more difficult. It will therefore be interesting to see how the new laws are interpreted by German and European courts to bring consistency and legal certainty. In a recent report, the European Commission highlighted the successes of the GDPR, because it is open to new technologies and has proven its worth during the COVID-19 pandemic. In the future, it will also constitute the basis for the European Artificial Intelligence and Data Strategy. The European Commission still sees problems with more efficient and coherent cooperation between national authorities. It therefore remains to be seen whether this will be more successful in the future. We are also looking forward to watching the continuing impact of the GDPR on companies, especially on social media operators, and how European and national legislation and case law will further develop European data protection standards.
1 Olga Stepanova is an associate and Julius Feldmann is a scientific researcher at Winheller Attorneys At Law & Tax Advisors.
4 DSK, Kurzpapier Nr. 15, https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_15.pdf.
5 LDA Bayern, 8. Tätigkeitsbericht, https://www.lda.bayern.de/media/baylda_report_08.pdf#page=45; EDPB, Working Paper 260, https://datenschutz-hamburg.de/assets/pdf/wp260rev01_en.pdf.
8 https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020067.html (currently, only press release available).
9 DSK, Orientierungshilfe der Aufsichtsbehörden für Anbieter von Telemedien, https://www.datenschutzkonferenz-online.de/media/oh/20190405_oh_tmg.pdf.
11 DSK, Positionierung zur Verantwortlichkeit und Rechenschaftspflicht bei Facebook Fanpages, https://www.datenschutzkonferenz-online.de/media/dskb/20190405_positionierung_facebook_fanpages.pdf.