EU: Recent Developments in Data Protection Law
Published by Dr. Andreas Kaiser on 09.01.2018
The General Data Protection Regulation (GDPR)
The GDPR entered into force on 24 May 2016 and applies from 25 May 2018, bringing substantial novelties to data protection law. It replaces the existing national data protection laws with a set of rules directly applicable throughout the EU. EU and non-EU undertakings alike must comply with the GDPR when offering goods or services to customers in the EU or monitoring their behaviour there. The GDPR is intended to enhance consumer trust and recognises data protection as a fundamental right without impairing the free movement of personal data.
Important novelties at a glance
- New terminology (controller, processor, etc.)
- Accountability duty of the controller
- Right to data portability
- Right to erasure (right to be forgotten)
- Data protection impact assessment
- Risk based approach
- Joint control agreements
- Compensation of physical, material and non-material damage
- New framework for administrative fines
- One-stop-shop mechanism for supervisory authorities
Application of the GDPR on controllers and processors outside the EU
Any processing of personal data of a natural person, whatever their nationality or residence, in the context of the activities of an establishment of a controller or a processor in the Union must be carried out in accordance with the GDPR, regardless of whether the processing itself takes place within the Union. A controller or processor not established in the Union is subject to the Regulation where the processing activities are related to offering goods or services to natural persons who are in the Union. A controller or processor not established in the Union is also subject to the GDPR where the processing is related to the monitoring of the behaviour of such natural persons (for example by profiling), in so far as their behaviour takes place within the Union (Art. 3 GDPR).
To take account of the specific situation of micro, small and medium-sized enterprises, the GDPR includes a derogation from the record-keeping duty for organisations with fewer than 250 employees (Art. 30(5) GDPR). The derogation does not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.
Personal data
The processing of personal data is only lawful if the identified or identifiable natural person (the data subject) has given his or her consent to the processing for one or more specific purposes, or if the processing is otherwise lawful under one of the other conditions specified in Art. 6 GDPR.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4(1) GDPR).
[...] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly [...]. (Recital 26)
Personal data which have undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person (Recital 26). Pseudonymisation (Art. 4(5) GDPR) therefore does not take data out of the GDPR's scope; it is one of the security and risk-reduction measures the Regulation expressly names (Art. 32(1)(a) GDPR), and the controller keeps its full obligations for the pseudonymised data.
For indirect identification it is not required that all the information enabling the identification of the data subject is in the hands of one person. In particular, a dynamic IP address registered by an ‘online media services provider’ (that is, by the operator of a website) when its publicly accessible website is consulted constitutes personal data with respect to the operator if the operator has the legal means enabling it to identify the visitor with the help of the additional information held by that visitor’s internet service provider (Court of Justice of the European Union, 19 October 2016, Judgment in case C-582/14 Patrick Breyer v Germany).
On the other hand, the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (Recital 26).
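The distinction between pseudonymised data (still personal data, because additional information can re-link it) and anonymous data is easiest to see on the IP addresses discussed in Breyer. The following is an added example, not part of the original article or of any court's or authority's material: it takes the address from a constructed web-server log line and applies three common treatments. A plain SHA-256 of an IPv4 address is not anonymisation, because the entire IPv4 space can be enumerated and hashed, which is exactly a "means reasonably likely to be used"; an HMAC under a secret key is pseudonymisation, since the key holder can re-link the token; truncating the address to its network prefix is a many-to-one generalisation with no key to recover the host. The log line, the 203.0.113.0/24 test range and the all-zero key are assumed for illustration.

```python
# Added example (not from the original article): pseudonymisation versus
# anonymisation of an IP address taken from a constructed web-server log line.
# The log line, address range and key below are made up for illustration.
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample access-log line (TEST-NET-3 address, not real traffic).
SAMPLE_LOG = (
    '203.0.113.42 - - [09/Jan/2018:10:00:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 512'
)


def extract_ip(log_line: str) -> str:
    """First whitespace-separated field of a common-log-format line."""
    return log_line.split(" ", 1)[0]


def unkeyed_hash(ip: str) -> str:
    """Naive 'anonymisation': a plain SHA-256 of the address.

    Deterministic and computable by anyone, so it only hides the address
    from someone unwilling to enumerate candidates (see reidentify_by_enumeration).
    """
    return hashlib.sha256(ip.encode()).hexdigest()


def pseudonymise(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the address under a secret key.

    The key is the 'additional information' of Recital 26 / Art. 4(5): whoever
    holds it can recompute the token and link it back to the address, so the
    output remains personal data for the key holder.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reidentify_by_enumeration(token: str, candidate_network: str) -> Optional[str]:
    """Reverse an unkeyed hash by hashing every host in a candidate range.

    The whole IPv4 space is only 2**32 addresses, a few hours of hashing at
    most on one machine, so plain hashing is a 'means reasonably likely to be
    used' and does not make the data anonymous. Against a keyed token this
    search finds nothing, because the attacker cannot recompute the HMAC.
    """
    for host in ipaddress.ip_network(candidate_network).hosts():
        if unkeyed_hash(str(host)) == token:
            return str(host)
    return None


def truncate_to_prefix(ip: str, prefix_len: int = 24) -> str:
    """Generalise the address to its network prefix (many-to-one).

    No key exists that recovers the host, which is why prefix truncation is a
    common anonymisation building block; whether the result is truly anonymous
    still depends on what else is stored next to it (Recital 26, 'all the means').
    """
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net)


if __name__ == "__main__":
    ip = extract_ip(SAMPLE_LOG)
    key = b"\x00" * 32  # hypothetical key; use secrets.token_bytes(32) in practice
    plain_token = unkeyed_hash(ip)
    keyed_token = pseudonymise(ip, key)
    print("unkeyed hash recovered as:",
          reidentify_by_enumeration(plain_token, "203.0.113.0/24"))
    print("keyed token:", keyed_token)
    print("enumeration against keyed token:",
          reidentify_by_enumeration(keyed_token, "203.0.113.0/24"))
    print("truncated:", truncate_to_prefix(ip))
```

The practical consequence for a log pipeline: if the hashing key is kept (for example to correlate repeat visitors), the stored tokens are pseudonymised personal data and stay under the GDPR; only discarding the key, or generalising the addresses so that no record can be singled out, moves the data towards the anonymous-information category.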
Entry into force and application
Pursuant to Art. 99 GDPR the Regulation entered into force on the twentieth day following its publication in the Official Journal of the European Union (i.e. on 24 May 2016) and applies from 25 May 2018. This distinction between the date of entry into force and the date of application has caused some confusion. Legal acts of the Union normally enter into force on the date specified in them or, in the absence of such a date, on the twentieth day following their publication. The GDPR legislator evidently intended to grant two years to comply with the new Regulation and did not intend it to apply before 25 May 2018.
German courts have nevertheless disagreed on whether the GDPR can already be relied upon before 25 May 2018, in cases where a data protection authority issued measures against a company to protect highly sensitive data on the ground that the illegality of the processing is clearly set out in a regulation that has already entered into force (against such reliance: Administrative Court Karlsruhe, Judgment of 6 July 2017, 10 K 7698/16; in favour: Administrative Court Wiesbaden, Order of 21 September 2017, 6 L 3805/17.WI.A; Fiscal Court Düsseldorf, Order of 9 August 2017, 4 K 1404-17).
European Court of Human Rights, Grand Chamber judgment in the case of Bărbulescu v. Romania (application no. 61496/08) of 5 September 2017
This decision shows that very strict transparency requirements apply to rules governing the monitoring of ICT use, not only under the GDPR but also under the European Convention on Human Rights.
A Romanian engineer had set up a Yahoo Messenger account at the direction of his employer, which he was to use to communicate with customers. He also used it for private chats with his brother and, at times, for intimate conversations with his fiancée. The employer monitored the content of the chats and dismissed the engineer, as the use of company resources for private purposes was prohibited in the company. The employer had not specifically informed the engineer that it was reading the chats. The Romanian labour courts sided with the employer and confirmed the dismissal.
The Grand Chamber held that the Romanian courts had failed to determine whether Mr Bărbulescu had received prior notice from his employer of the possibility that his communications might be monitored. They had not addressed the fact that he had not been informed of the nature or the extent of the monitoring, in particular the possibility that the employer might have access to the actual contents of his messages.
Consequently, Mr Bărbulescu’s right to respect for his private life and correspondence under Article 8 of the European Convention on Human Rights had not been adequately protected by the national authorities. The Court awarded costs of EUR 1,365 but declined to award non-pecuniary damages, holding that the finding of a violation was sufficient just satisfaction.
Irish High Court, The Data Protection Commissioner -v- Facebook Ireland Limited & Schrems, Judgment 3 October 2017
This case is about the data export from the EU to third countries, namely to the United States of America.
Mr Schrems is a Facebook user who complained to the Data Protection Commissioner (DPC) in Ireland about the transfer of his personal data by Facebook Ireland Ltd. outside the EU to Facebook Inc. in the US for further processing. He argued that the legal regime in the United States does not afford his personal data the same protection to which he is entitled under EU law.
Facebook Ireland Ltd. informed the DPC that it transfers data for processing to Facebook Inc., including Mr Schrems’ data, largely pursuant to an agreement between Facebook Ireland Ltd. and Facebook Inc. which in turn is based on three decisions of the European Commission on standard contractual clauses for the transfer of personal data to processors established in third countries (the “SCC Decisions”). These decisions authorise the transfer of data by exporters in the European Economic Area (“the EEA”) to data importers outside the EEA on the basis of standard contractual clauses.
The DPC brought the proceedings in order to obtain a preliminary ruling from the Court of Justice on the validity of the SCC Decisions insofar as they apply to data transfers from the EEA to the United States of America.
In its judgment, the court explicitly pointed out that it was not the function of the court to criticise the laws of a sovereign state, in this case the United States, or to pronounce on the relative merits of the laws of the United States and the European Union, and that it did not purport to do so.
The court affirmed that EU law and the Charter of Fundamental Rights are engaged insofar as the case concerned processing consisting of the transfer of data by a private company from a Member State to a private company in a third country, and that it was not concerned with the legality of national security surveillance measures in that country which may take place after the transfer. The judge was satisfied that the court had jurisdiction to make a reference for a preliminary ruling to the CJEU for the purpose of considering the validity of the SCC Decisions and that, on the basis of Schrems I, the judge had a duty to do so if she shared the “well-founded” concerns raised by the DPC. The judge was not precluded from so acting by the Commission’s adoption of the Privacy Shield Decision.
The court also stated that it lacks jurisdiction to pronounce itself on the validity of the SCC Decisions. The judge concurred with the DPC that there are well-founded grounds for believing that the SCC Decisions are invalid and, furthermore, that it is extremely important that the Data Protection Directive be applied uniformly throughout the Union on this vitally important issue, which requires consistency and clarity. On that basis, the judge considered a reference to the CJEU necessary and appropriate.
Standing to act of a not-for-profit organisation
The General Court, in Digital Rights Ireland Ltd v European Commission, Order of 22 November 2017, Case T‑670/16, held inadmissible the application of a not-for-profit company incorporated under Irish law whose essential object is the defence of individual internet freedoms.
The application was seeking annulment of Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016 L 207, p. 1).
As the applicant is a legal person and its official title does not identify any natural person, it cannot itself invoke the right to protection of personal data and therefore could not bring the application in its own name. The Court also denied the applicant standing to act in the name of its members and supporters or on behalf of the general public: the applicant could show neither that it was an association of members nor that it had been empowered by members or supporters, and EU law does not, in principle, allow an applicant to bring an actio popularis in the public interest.
Lastly, the applicant argued that its action should be declared admissible pursuant to recital 142 and Article 80(2) GDPR, under which Member States may provide for any body, organisation or association to have the right to lodge a complaint with the competent supervisory authority in that Member State, independently of a data subject’s mandate, if it considers that the rights of a data subject under the Regulation have been infringed as a result of processing. On this point it sufficed for the Court to observe that the Regulation applies only from 25 May 2018.
Proposal of E-Privacy Regulation
The "REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)", in short the new e-Privacy Regulation, will, if adopted, replace the current e-Privacy Directive and supplement the GDPR as lex specialis as regards electronic communications. It will protect legal entities as well as natural persons. The proposed date of application, 25 May 2018, is however regarded by many as very ambitious given the remaining legislative hurdles to adoption.
The proposal includes:
- Privacy rules will apply to all electronic communication service providers, including “over-the-top” (OTT) providers such as WhatsApp, Facebook Messenger and Skype, to ensure the same level of confidentiality of communications as for traditional telecoms operators.
- Privacy shall be guaranteed for communications content and metadata, e.g. time of a call and location. Metadata must be anonymised or deleted if users did not give their consent, unless the data is needed for billing.
- Once consent is given for communications data - content and/or metadata - to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses.
- The provisions on cookies and similar tracking technologies will be simplified. The proposal seeks to clarify that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.
- Unsolicited electronic communications (spam) by e-mail, SMS and automated calling machines will be banned. Depending on national law, people will either be protected by default or be able to use a do-not-call list to avoid marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
- Enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the GDPR.
Last modified on: 02.06.2018 at 17:50