The Privacy, Data Protection and Cybersecurity Law Review: Germany

Overview

Germany has been and still is the forerunner on privacy and data protection law. In 1970, the German state of Hesse enacted the world's first Data Protection Act. The other states soon followed, and on 1 January 1978, the first German Federal Data Protection Act (BDSG) entered into force. These acts established basic principles of data protection, such as the requirement of a legal permission or the data subject's consent for any processing of personal data. In 1983, the German Federal Constitutional Court held that the individual has a constitutional right to 'informational self-determination'. The background to this groundbreaking verdict was a census planned for the year 1983, which was essentially intended to record the entire German population by means of electronic data processing. The people of Germany were anything but pleased with this idea and, as a consequence, more than 1,600 complaints were filed at the Federal Constitutional Court against the census law that the German parliament had adopted specifically for the census. Finally, in December 1983, the German Federal Constitutional Court declared certain provisions of the Census Act to be unconstitutional.

Over time, the German Federal Data Protection Act was amended to meet the requirements of a society in which data processing has grown more important. In particular, digitalisation raised many questions that needed to be addressed. With this in mind, the legislator passed, among other things, the German Telemedia Act (TMA) in 2007, which stipulated the duty to safeguard data protection during the operation of telemedia services. However, since data protection law and telemedia law increasingly overlapped as a result of the internet, the European legislator planned for the ePrivacy Regulation replacing the TMA to come into force at the same time as the General Data Protection Regulation (GDPR). Whereas the GDPR has been applicable from 25 May 2018, the ePrivacy Regulation is still subject to negotiations at the European level and is not expected to come into force before 2023. The German legislator intends to eliminate the resulting legal uncertainty by means of the new Telecommunications Telemedia Data Protection Act (TTDPA), which implements the requirements of the European ePrivacy Directive. The TTDPA is scheduled to come into force at the end of 2021.

The following text provides an overview of the current legal situation in Germany and presents the changes and the challenges of a new era of data protection in connection with digitalisation.

The year in review

The past year was characterised by compensating for the legal uncertainties caused by the decision of the European Court of Justice (ECJ) of 16 July 2021 (Schrems II). In this case, the ECJ declared the EU–US Privacy Shield invalid, so this adequacy decision could no longer serve as a transfer mechanism. As the main argument against an adequate level of data protection in the US, the court cited the rights of US authorities to access the personal data of EU citizens secretly and without effective legal remedies. Although the court confirmed the European Commission's standard contractual clauses in its ruling, it also called for additional protective measures to ensure secure data transfer.2 How exactly the additional protective measures must be designed depends on the specific individual case.

The assessment of whether secure data transfer to the US can be guaranteed constitutes a big challenge for many companies. On the one hand, they are still busy meeting the requirements of the GDPR and the corresponding new case law (e.g., obtaining the consent of data subjects when using tracking cookies for marketing and analysis purposes). On the other hand, they have no way to check whether the requirements for a lawful data transfer are met, as the US service providers whose services they use often do not cooperate. Smaller companies are simply overwhelmed because they do not know what to do. This became very apparent through the increased need for digital networking due to the covid-19 pandemic, for example, through the use of videoconferencing tools. What is particularly problematic about this is that the companies themselves are responsible for compliance with the GDPR requirements.

They need to take this responsibility very seriously, as the German Data Protection Authorities (DPAs) have started to check the lawfulness of third-country data transfers, especially to the US. For this purpose, the DPAs send out questionnaires in which they ask companies to disclose such transfers and to comment on the necessary security measures. An additional aggravating factor is that the German DPAs do not shy away from imposing high fines for serious data protection violations.

Regulatory framework

i Privacy and data protection legislation and standards

The GDPR defines personal data as 'any information relating to an identified or identifiable natural person'. This definition applies to all personal data handled by electronic information and communication (telemedia) service providers.

All of these data are now subject to the GDPR: in March 2019, the German Data Protection Conference presented a paper stating that Article 95 GDPR has to be interpreted in such a way that the data protection provisions of the TMA are no longer applicable. The legislator intends to clarify the relationship between the GDPR and the German TMA by repealing the data protection provisions of the TMA and introducing the new TTDPA.

ii General obligations for data controllers

The privacy provisions of the GDPR address data controllers, namely entities that process personal data on their own behalf or commission others to do the same. Telemedia service providers, as data controllers, may collect and use personal data only to the extent that the law specifically permits pursuant to Article 6 GDPR.

One relevant legal basis is still consent according to Article 6(1)(a) GDPR, which may be given electronically, provided the data controller ensures that the user of the service declares his or her consent knowingly and unambiguously, that the consent is recorded, that the user may view his or her consent declaration at any time and that the user may withdraw consent at any time with effect for the future. These principles accord with Article 7 GDPR, which requires consent to be based on the voluntary and informed decision of the data subject. The information obligations for data controllers are stipulated in Articles 13 and 14 GDPR, according to which they must inform the user, inter alia, about the scope and purpose of the processing of personal data.

Since the GDPR has tightened the requirements for obtaining valid consent to process personal information, in practice the relevance of consent as a legal basis has decreased and shifted to the legitimate interest of the data controller pursuant to Article 6(1)(f) GDPR. For this, the data controller must perform a three-part test: identify the legitimate interest, explain the necessity of achieving it, and balance the interest against the data subject's interests, rights and freedoms. As long as the data subject would reasonably expect the respective processing activities and they have a minimal impact on the individual's privacy, no consent is needed. However, as with consent, the data subject has the right to object at any time to processing activities based on the legitimate interest according to Article 21(1) GDPR. The important difference is that the data controller may continue its processing activities despite the data subject's objection when it can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms.

Moreover, personal data may only be collected for specified purposes the data controller has determined before the collection took place. They must not be used for secondary purposes that are incompatible with the collection purpose. When verifying the compatibility between the primary collection and the secondary processing purpose, the criteria named in Article 6(4) GDPR are of paramount importance.

To ensure the transparency of data processing activities, the data controller is obliged according to Articles 13 and 14 GDPR, inter alia, to inform the user of the extent and purpose of the processing of personal data. Although the DPAs in Germany were initially hesitant to allow a layered approach in providing the legally prescribed information, a change is emerging. Regarding video surveillance, the German Data Protection Conference permits a division into essential information that must be provided onsite and other information that can be looked at online.3 Individual DPAs follow the layered approach suggested by the European Data Protection Board in general.4

iii Technological innovation and privacy law

Advertising ID

An advertising ID is an identifier consisting of a sequence of letters and numbers. Smartphones that use Apple's iOS operating system and Google's Android operating system have such an advertising ID. This advertising ID makes it possible to assign certain information to the smartphone, or more precisely to its user, for example by creating a profile of the user. By querying the advertising ID, app providers or advertising companies can access and evaluate the information collected in the profile. This enables them to personalise advertising and then display it within the apps.

This procedure is comparable to advertising tracking by means of cookies. In the Planet49 case, the German Federal Supreme Court passed a fundamental ruling on the use of cookies for the purpose of advertising tracking. According to this ruling, the controller must obtain the consent of the users before placing non-necessary cookies on their end devices.5 In doing so, the court followed a decision of the ECJ that preceded the Federal Supreme Court's decision, which is now known as the 'Cookie Consent II' decision. The ECJ ruled that active behaviour by the user is required for explicit consent. This requirement is not fulfilled in the case of a box that has already been ticked and that the user must untick to refuse consent.6

Because of the comparability of the situations, a European consumer protection organisation lodged two complaints against Apple's advertising ID, the Identifier for Advertisers (IDFA). One complaint was addressed to the Commissioner for Data Protection and Freedom of Information of Berlin and the other to the Spanish data protection supervisory authority (AEPD). The reason given by the complainant was that Apple's operating system would create the IDFA without the knowledge or consent of the users. The tracking of user behaviour and consumption preferences for the purpose of offering personalised advertising, however, would require the users' informed and explicit consent, according to Article 5(3) ePrivacy Directive. The organisation based the complaint on Article 5(3) of the old ePrivacy Directive and not on the GDPR so that the authorities could fine Apple directly.7 The decisions of the supervisory authorities are still pending.

However, Apple has already acted. After installing iOS update 14.5, users received a tracking notice and were asked for explicit consent to advertising tracking before app providers or advertising companies could access the IDFA. By doing so, the technology company not only implemented current case law, but also the privacy by default principle stipulated in Article 25(2) GDPR. According to this, the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. The regulation aims to protect users who are not particularly knowledgeable about technology by requiring the controller to set up systems, devices or products from the beginning in such a way that they have the most data protection-friendly settings.

It remains to be seen whether Apple is taking the path to data protection-compliant advertising or merely trying to expand its strong market position under the pretext of data protection, as the company is accused of by a French start-up organisation.8

International data transfer and data localisation

The international transfer of personal data is regulated within the framework of Articles 44–50 GDPR. There is a general distinction between, on the one hand, transfers within the EU and EEA or to one of the 'trusted countries' for which the European Commission has confirmed by means of an 'adequacy decision' that they ensure an appropriate level of data protection and, on the other hand, transfers to third countries. For an international data transfer to be lawful, it must comply not only with the aforementioned articles, but also with the general provisions pertaining to the legality of processing operations involving personal data.

i Data transfer within the EU or EEA

In contrast to the former legal situation, the GDPR does not explicitly stipulate that there is no difference between transfers within Germany and transfers within the EU or EEA. Therefore, the only distinction made is between domestic transfers (within the EU or EEA) and those outside the EU or EEA.

ii Data transfer to countries outside the EU or EEA

If a private entity intends to transfer personal data internationally to another entity located outside the area of the EU or EEA (a third country), Article 44 GDPR specifies the requirements for such a transfer. In this respect, personal data shall not be transferred when the data subject has a legitimate interest in being excluded from the transfer. A legitimate interest is assumed when an adequate level of data protection cannot be guaranteed in the country to which the data are transferred.

An adequate level of data protection exists in certain third countries that have been identified by the European Commission. These are Andorra, Argentina, the Isle of Man, Canada (limited), the Faroe Islands, Israel (limited), Guernsey, Jersey, New Zealand, Japan, Switzerland and Uruguay. Any transfer of personal data to these countries will only have to satisfy the requirements of domestic data transfers.

As mentioned above, uncertainty surrounds data transfers to the United States since the ECJ invalidated the EU–US Privacy Shield on 16 July 2020.9 Also, the ECJ ruled that standard contractual clauses are only valid when the data exporter positively assesses that the data importer is in a position to comply with the requirements stipulated in these clauses under the importer's national legislation. This requirement in particular may be problematic to fulfil if governmental organisations do not need a judicial order to access data.

Data transfers to any other non-EU country may be justified by the derogation rules of Article 49 GDPR. Accordingly, the international transfer of personal data is admissible if:

  (a) the data subject has given his or her consent;
  (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request;
  (c) the transfer is necessary for the conclusion or performance of a contract that has been or is to be concluded in the interest of the data subject between the controller and a third party;
  (d) the transfer is necessary for important reasons of public interest;
  (e) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;
  (f) the transfer is necessary to protect the vital interests of the data subject; or
  (g) the transfer is made from a register that is intended to provide information to the public, and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law are fulfilled in the particular case.

The most relevant grounds are those given in (b), namely if the transfer is necessary to perform a contract between the data subject and the controller. This includes international monetary transactions and distance-selling contracts as well as employment contracts. All transfers in this respect have to be essential for the purposes of the contract.

Any consent within the meaning of (a) will only be valid if the data subject was informed about the risks that are involved in data transfers to countries that do not have an adequate standard of data protection. In addition, the consent has to be based on the data subject's free will; this may be difficult if employee data are involved.

If none of the aforementioned exceptions applies, the transfer of personal data to third countries with an inadequate level of data protection is nonetheless possible if, among other requirements, the competent supervisory authority authorises the transfer. Such an authorisation will only be granted when the companies involved adduce adequate safeguarding measures to compensate for a generally inadequate standard of data protection (see Article 49(1) sentence 2 GDPR). However, the primary safeguarding measures are the use of standard contractual clauses issued by the European Commission and the establishment of binding corporate rules. This is underlined by the fact that the European Commission has released a new version of the standard contractual clauses. The new standard contractual clauses are adapted to the requirements of the GDPR and in line with the ECJ's Schrems II ruling. Another novelty is that the contractual clauses can be assembled from modules. Companies must have replaced all previously concluded standard contractual clauses for data transfers to third countries with the new version by the end of 2022.

iii Brexit

By now, the United Kingdom (UK) has left the EU. The transitional period also ended on 31 December 2020. Although the EU and the UK agreed on a Brexit deal just in time, no final solution was found regarding data protection. Therefore, a further grace period was agreed until 30 April 2021, which was later extended by two months.

After a resolution in the European Parliament failed in May 2021 due to concerns about data security regarding onward transfers from the UK to other third countries and the extensive surveillance rights of British secret services, an adequacy decision was eventually adopted by the EU on 28 June 2021. As a result, the UK is now considered a 'safe third country' in terms of the GDPR, and has avoided the fate of an insecure third country, as suffered by the US. However, the adequacy decision does not apply to data transfers for immigration control purposes. In this regard, data controllers must comply with the requirements of Article 46 et seq. GDPR.

The adequacy decision is valid until June 2025, at which point the EU Commission must review whether the adequacy of the UK's level of data protection is still guaranteed.

Public and private enforcement

i Enforcement agencies

Germany has a Federal Data Protection Agency and 17 state data protection agencies. These often act in concert when making recommendations on how customers can navigate safely through the internet. In addition, German experts often discuss the data protection problems that arise from the widespread collection of data by search engines and social media, and the use of these data to profile the data subject for commercial purposes.

The state data protection agencies are authorised to supervise the data privacy compliance of state entities, as well as all non-public entities whose principal place of business is established in the particular state and that are not subject to the exclusive jurisdiction of the federal supervisory authority. In states that have enacted a freedom of information act, the state supervisory authorities are typically also charged with supervising the act's application by state entities.

The heads of the supervisory authorities are typically appointed by the federal and state parliaments respectively, and are required to report to their respective parliaments.

ii Material enforcement cases

Before the GDPR went into force, the mass media often reported on the high fines DPAs are authorised to impose when infringements occur. In the case of serious data protection violations, DPAs can indeed impose fines of up to €20 million or 4 per cent of the annual global turnover, whichever is higher. Under the old law, the fines for data protection breaches were up to €300,000 per breach. This massive increase is aimed directly at Big Data companies, which are often suspected of processing data in an unlawful way, and can be used as a sharp sword to ensure conformity with the GDPR. In particular, the dynamic nature of the fines and their dependency on turnover aim to achieve a deterrent effect even on the wealthiest companies worldwide.

The German DPAs agreed on a fining model – Bußgeldmodell10 – which, inter alia, takes into account the violating company's yearly turnover and the level of severity. In line with this calculation, a German telecommunications provider was fined €9,550,000 for insufficient technical and organisational measures, and a housing association had to pay €14,500,000 for using an archiving system for the retention of tenants' personal data that did not provide for the possibility of deleting data that was no longer required. But the record holder is the fine of €35 million imposed on the well-known fashion chain H&M for unlawful surveillance of several hundred employees at a service centre in Nürnberg. These cases show that the initial excitement about the increase in the framework of fines was justified.

Mostly, infringements are caused by insufficient internal compliance activities of companies where the responsible management carelessly contravened the high standards of data protection law (e.g., through video surveillance or keylogging). Another source of data protection breaches is the lack of employee training, which should ensure that everybody in the company has the necessary knowledge to handle personal data in a lawful way. This illustrates the importance of comprehensive data protection management in companies that is implemented both technically and organisationally and has been communicated clearly to employees.

iii Information obligations in the context of private litigation

The GDPR obliges the data controller to provide the data subject with certain information about the data processing (see Articles 13 and 14 GDPR). It must inform the data subject about the identity and the contact details of the controller, the contact details of the data protection officer, if applicable, the purposes of the processing and its legal basis, the source of the data, where applicable, to whom they are disclosed, the duration of processing and the retention policy. Additionally, the data subject must be informed regarding all his or her rights granted by the GDPR. In detail, this notification must contain information concerning the right to information, right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object and the right to lodge a complaint with a supervisory authority. This clearly shows that the data subject is being given numerous rights, but also that the controller will have to invest more effort in satisfying the requests in a proper way, which is a question of time and expense.

The privacy rights and remedies of telemedia users are governed to a large extent by Article 77 GDPR (the right to lodge a complaint with a supervisory authority) and Article 82 GDPR (the right to compensation). Data subjects may enforce their rights through the judicial remedies provided in civil law. Injunctive relief as well as damages can be claimed. In particular, damages for pain and suffering from data protection violations can be claimed under civil law. The majority of German courts require a substantial violation for the compensability of such non-material damages. If the substantiality threshold is not met, no damages will be awarded.

In Germany, the DPAs are not necessarily involved in enforcing the rights of individual data subjects. Instead, complaints against domestic controllers can first be lodged with the company's in-house data protection officer.

However, in the event of unsatisfactory contact with the company data protection officer, the supervisory authority and the civil courts can, of course, be called upon.

In addition, some market participants have started to take legal action against their competitors for violating data protection laws. So far, the Federal Court of Germany has not ruled whether a breach of the GDPR or other data protection laws may constitute unfair conduct according to the German Unfair Competition Act. Recently, an increasing number of higher regional courts have confirmed that GDPR infringements can be pursued under this Act. If a market participant fails to inform about the processing of personal data in accordance with Article 13 GDPR within the scope of its internet presence, it faces the threat of being admonished by a competitor. Other courts believe that the GDPR and other data protection legislation cannot be understood as rules that also protect fair competition. Thus, they have declined claims under the Unfair Competition Act. That is why many companies and their advisers await the Federal Court's decision, either to breathe a sigh of relief or to start checking their policies and actions immediately.

Considerations for foreign organisations

As data protection gradually becomes a question of technical measures, especially cybersecurity, Article 32 GDPR determines that pseudonymisation and encryption must be applied to lower the risk of harm to the data subject in the event of data breaches. Since 2019, a considerable number of fines in Europe have been based on inappropriate technical measures. This was also the case with a German health insurance company, which was fined €1.24 million for accidentally sending advertisements to data subjects without having asked them for prior consent.

That is why it is always worth emphasising that the implementation of technical and organisational measures may spare the controller from having to notify a data breach to the relevant authority, as the risk to the rights and freedoms of natural persons has been reduced from the start. Article 33(1) GDPR stipulates that data breaches shall, where feasible, be notified by the controller to the supervisory authority within 72 hours. Therefore, controllers must implement an effective data protection management system to be able to meet the deadline. Otherwise, a violation of this provision alone can be punished with a fine of up to €10 million or, in the case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year.

Outlook

Even three years after its introduction, the GDPR is still not fully understood and can often only be interpreted teleologically. There are 18 data protection authorities in Germany, which follow slightly different interpretations of the GDPR. This makes consultation in data protection matters even more difficult. Therefore, it will be interesting to see how the new laws are interpreted by German and European courts to bring consistency and legal certainty. The European Commission has highlighted the successes of the GDPR, because it is open to new technologies and has proven its worth during the covid-19 pandemic. In the future, it will also constitute the basis for the European Artificial Intelligence and Data Strategy. The European Commission still sees problems with achieving more efficient and coherent cooperation between national authorities. It therefore remains to be seen whether this will be more successful in the future. We are also looking forward to watching the continuing impact of the GDPR on companies, especially on social media operators and technology companies, and how European and national legislation and case law will further develop European data protection standards.
