GDPR – What happened so far
Following a short break, we would now like to present you with our latest ITC Newsletter. The primary reason for this break was the many cases we have been dealing with on the General Data Protection Regulation (GDPR). We have all survived the introduction of the GDPR on 25 May 2018 and the world did not stop turning (does anyone remember the Y2K problem?). However, several things have indeed changed; data protection is being taken seriously at all levels. We therefore decided to use our first Newsletter in 2019 to inform you about the various developments connected with the GDPR. By the way, we will be back next week with a newsflash explaining the decision by the German Federal Competition Authority against Facebook to “internally unbundle” various data sets.
1. The first fines
2. What is the legislator doing?
3. What have the courts ruled?
4. What are the authorities doing?
5. What guidelines are available?
6. Whatever happened to the wave of warning notices?
7. What are the data subjects doing?
8. Various news with respect to data transfers to third countries
The first fines have been imposed under the greatly expanded fining powers. High fines have been reported from other countries, for example the EUR 50 million penalty against Google in France, primarily for the lack of transparency regarding the use and retention period of the user data collected by Google (Google has announced that it will appeal), or EUR 400,000 against a Portuguese hospital which did not restrict the access rights to its information system as required.
In Germany, the State Commissioner for Data Protection [Landesbeauftragter für Datenschutz] in Baden-Württemberg imposed a fine of EUR 80,000 because health data was publicly retrievable online, and a fine of EUR 20,000 for a data breach at the platform “Knuddels”. The operator of the social media platform had been the victim of a hacker attack in July 2018, in which the data of a total of 330,000 users – comprising pseudonyms, passwords and e-mail addresses – had been exfiltrated and then published in September 2018. According to a survey conducted by the German business newspaper Handelsblatt [available in German only], the data protection authorities have already issued 41 notices of fines throughout Germany under the new GDPR regime, and countless further proceedings are still pending before the authorities.
In Germany, the new version of the Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] entered into force at the same time as the GDPR. Only a few of its 85 provisions are applicable to enterprises (in particular, the provisions of Secs. 45 et seqq. BDSG apply only to law enforcement authorities).
This does not yet complete the amendment work at the national level, however. The Bundestag is currently deliberating on the second Data Protection Amendment Act [Datenschutzanpassungsgesetz, available in German only]. On approx. 500 (!) pages, a multitude of specific laws are to be brought into line with the GDPR. The new BDSG is also likely to be amended further: the threshold for the mandatory appointment of a company data protection officer, for example, is to be raised from the current ten to fifty employees, and it will no longer be possible to issue competition-law warning notices for data protection breaches (for the current practice, cf. 6). The precise timing of the adoption of this bill is currently not known.
On a reference from the Higher Regional Court [Oberlandesgericht, OLG] of Düsseldorf, the ECJ will soon rule on the embedding of a social plugin (Facebook’s “Like” button) on a website. In the opinion of the ECJ’s Advocate General, the website operator is (jointly) responsible for the transfer of data to the third party if the third party already receives the corresponding data simply because the user calls up the website, without the user ever clicking the plugin (in this case: the “Like” button). Technically this is exactly what happens with an embedded plugin: the user’s browser loads the plugin code from the third party’s servers as soon as the page is rendered, transmitting at least the IP address and browser data in the process. The website operator would then have to obtain the user’s consent in advance and inform the user of the data transfer.
The OLG Frankfurt a.M. (available in German only) has ruled that the right to erasure in Art. 17 GDPR, in the case of impermissible processing of data, also encompasses a claim for injunctive relief. Accordingly, the data subject can demand that a search engine operator refrain from displaying certain search results. The appeal on points of law is currently pending before the Federal Court of Justice [Bundesgerichtshof, BGH].
The OLG Cologne (available in German only) and the Regional Court [Landgericht, LG] of Frankfurt a.M. (available in German only) have ruled on the relationship between the German Art Copyright Act [Kunsturhebergesetz, KUG] and the GDPR with respect to the recording and publication of photographs and video footage at events, to the effect that the provisions of the KUG remain applicable alongside those of the GDPR in cases of journalistic, scientific, artistic and literary purposes. Whether this also applies to other purposes has been left open by the courts. Accordingly, it has not been conclusively clarified whether photographic and film recordings need only be permissible under the GDPR or must also be permissible under the KUG.
According to the Federal Commissioner for Data Protection and Freedom of Information [Bundesbeauftragter für Datenschutz und Informationsfreiheit, BfDI, available in German only], since the entry into force of the GDPR approx. 27,000 complaints and more than 12,000 notifications of personal data breaches have been received by the German supervisory authorities. Both the Federal authority and the Federal State authorities provide online forms for the filing of complaints by data subjects and the notification of data breaches by controllers. From our work with clients we can confirm that the number of queries and requests put to the supervisory authorities has increased quite considerably.
Additionally, the authorities have begun conducting audits without any specific cause. In Lower Saxony (available in German only), 50 enterprises were questioned as to the status of their implementation of the GDPR. The Data Protection Authority of Bavaria for the Private Sector [Bayerisches Landesamt für Datenschutzaufsicht, BayLDA, available in German only] has resumed its audit activities with greater intensity and initiated data protection inspections. To be examined in particular are the secure operation of online shops, the protection against ransomware (encryption Trojans) at doctors’ practices, the fulfilment of accountability requirements at large corporate groups and medium-sized enterprises, as well as the implementation of the information duties towards job applicants.
Incidentally, data processing at the supervisory authorities also does not always run smoothly: In Lower Saxony, as a result of technical problems, notifications of data protection breaches were not processed and have to be resubmitted.
The supervisory authorities have already published a multitude of guidelines on the implementation of the GDPR. The newly established European Data Protection Board (EDPB), as the body of the European supervisory authorities, has already issued or adopted several guidelines, e.g. on the topics of consent, the data protection officer and transparency.
At the national level, the German Data Protection Conference regularly publishes short papers (available in German only) on key data protection topics. These serve as brief guidelines on topics such as data transfers to third countries, processing on behalf of a controller and employee data protection. For enterprises using personal data for advertising purposes, the supervisory authorities’ guidance on the topic “direct advertising” may be helpful.
The Federal State authorities also provide numerous instructions on their websites. The BayLDA, for example, provides guidance on current data protection topics as well as overviews with templates (e.g. records of processing activities) for small enterprises.
Finally, several supervisory authorities provide online tests on the implementation status, for example the BayLDA or Lower Saxony.
The feared wave of mass warning notices for violations of the GDPR has not yet materialised. There are reports of warning notices on the grounds of a missing transport encryption (no HTTPS) for the contact form on a website, the lack of a privacy policy on websites, the embedding of Google Fonts (which, like any externally hosted resource, causes the visitor’s browser to contact Google’s servers) and the faulty integration of Google Analytics.
As yet unclear in case law, however, is whether breaches of the GDPR can give rise to warning notices at all. The Regional Court [Landgericht, LG] Würzburg (available in German only) held a competition-law warning notice by a competitor on grounds of a breach of the GDPR to be permissible. The LG Bochum (available in German only) rejected this possibility for competitors, because the GDPR contains more specific rules on the sanctioning of violations; the court did, however, permit warning notices by consumer protection associations. The LG Wiesbaden (available in German only) shares this opinion. In a first Higher Regional Court judgment, the Higher Regional Court [Oberlandesgericht, OLG] Hamburg (available in German only) has deemed a warning notice by a competitor concerning violations of the GDPR to be permissible in principle if the obligation that has been breached is a so-called “market conduct rule”. This has to be determined case by case with a view to the specific processing and usage situation.
Thus, until a decision has been reached at the supreme court level by the Federal Court of Justice [Bundesgerichtshof, BGH] or until clarification by the legislator, the permissibility of warning notices remains unclear. Should you be confronted with a warning notice, you should respond to it without undue delay, as the deadlines set in such notices are usually short.
We have noticed among our clients a sharp increase in requests by data subjects to enterprises asserting the rights under Art. 12 et seqq. GDPR. Implementing these is in some cases causing enterprises considerable effort, in particular the right to receive a copy of the data (Art. 15 (3) GDPR) and the right to data portability (Art. 20 GDPR).
In several cases, data subjects are trying to use these data protection rights for other purposes, mostly in a commercial dispute with the enterprise. We have also already dealt with cases of the “GDPR nightmare letter” (please find a report by a German online retailer certification body, in German), which individually lists and asserts every conceivable claim, irrespective of whether the data subject really needs the answer.
As the possibility of a No-Deal Brexit still exists, the United Kingdom faces becoming a third country within the meaning of Art. 44 et seqq. GDPR as of 30 March 2019. All EU enterprises transferring personal data to the United Kingdom (remote access from the UK to data held in the EU suffices to establish a transfer) need to have appropriate safeguards in place from then onwards, such as the EU standard contractual clauses. We would be pleased to help you with any such “emergency plan”.
There is still some good news about data transfers, however: in connection with the Trade Agreement with the EU, Japan has been recognised by the EU Commission as a third country providing an adequate level of data protection since 23 January 2019. EU standard contractual clauses with Japanese enterprises are therefore no longer required for transfers covered by the adequacy decision. This naturally does not release you from the obligation to be able to examine and demonstrate the permissibility of the data transfers.
Jürgen Hartung, Marc Hilber, Mareike Heesing, Hanna Schmidt, Patrick Schwarze