Attorney data protection law
Data protection law – from niche topic to hot topic
In the internet age, where many different types of businesses come into contact with all sorts of different kinds of data (personal data, user data from the Internet, customer data etc.), practically every company, entrepreneur or freelancer is obliged to get to grips with questions relating to data protection law. Frequently, companies are not even aware that the projects they are currently working on are actually affected by data protection law. Consider sentences such as, “Ever since we got a services provider to take over our staff invoices, we’ve been making huge savings,” or, “Last week whilst doing the inventory I was finally able to rid myself of loads of burdensome documents. If the Tax Office doesn’t need it, it can be chucked.” Certainly, if you don’t need to keep something, it can be disposed of, but usually not in the bin. When asked about the contents of these documents, the client mentioned things like “old orders”, “offers”, “contract documents”, “telephone lists” etc. At this point, at the very latest, the alarm bells should be ringing. Have you recently thrown documents containing accessible and readable personal data in the bin? Let us at least hope that a shredder was used beforehand, because if not, the client will now find himself in a problematic situation with respect to data protection law. As he would if he were to report proudly on the success of his website, presenting third-party statistics. Which IP address spent how long on his website; which content was particularly interesting, etc. The technical possibilities are myriad, but so too are the problems that arise here when considered from a data protection law perspective.
Today – this must be spelled out – data protection is no longer a niche topic. A violation of data protection law can quickly become a highly undesirable data scandal, and, in the Edward Snowden age – an age witnessing increased sensitivity to such issues on behalf of the public – such a scandal can quickly have massive consequences for a business’s operating results.
Data protection law – violation can be expensive
In recent years, “data protection islands” have emerged, inviting large and medium-sized businesses – especially online brands – to go forum shopping; Ireland was considered a particular favourite and came under criticism again and again for its weak data protection regulation in comparison with other EU countries. In 2018, when the EU’s General Data Protection Regulation (GDPR) comes into effect, forum shopping should become a thing of the past, since the regulation will be effective in all member states directly – without the need for any implementation in that member state’s national law – and heralds the end of the current patchwork quilt of data protection regulation across the European economic area. Therefore, the regulation, running to over 200 pages, constitutes a sizeable challenge for each and every business that is active in Europe and that processes personal data here. For this reason, then, every business should now be beginning to prepare itself for the new demands the EU GDPR will make and analyse the data in its possession and its data processing methods with respect to the provisions the regulation makes. If a business violates the regulation, there is the threat of heavy fines far in excess of those seen in Europe and in Germany up until now. In the future, depending on the type of violation, fines of €10 million or 2 percent of annual turnover, or €20 million or 4 percent of annual turnover may be imposed, with the higher of the two values being the amount that applies (Article 79 of the draft). It should be noted that by ‘annual turnover’, it is that of the overall (global) company and not merely that generated by the company within Europe which is meant.
Whom and what does data protection law protect?
The purpose of data protection law is to protect the individual from having their personal rights infringed through the use of their personal data (Section 1 Paragraph 1 German Federal Data Protection Act (FDPA)). The concept of personal data is therefore of crucial importance in the data protection discussion. Section 3 Paragraph 1 of the FDPA defines this as “individual information regarding the personal or objective circumstances of a specific or identifiable natural person”. The individual information must have to do with personal or objective circumstances of the person concerned. In other words, it must be information regarding the person concerned themselves or information regarding a situation affecting the person concerned.
Information regarding the personal circumstances of the person concerned is information regarding the person themselves. To name but a few examples: Name, date of birth, sex, religious denomination, education, profession, buying habits, condition of health, biometric data (DNA) as well as audio and image recordings including X-rays.
Currently, legal persons and partnerships do not come under the protection of the German data protection laws or that of the EU Data Protection Directive. However, this does not mean that the individual members of a partnership or a legal person cannot at least be granted the protection of the FDPA – and this in their capacity as such. In any case, this is to be assumed if information regarding the legal person or partnership has relevance to the member, i.e. if it carries over to the member. For one-man businesses this is self-evident (see Section 35 Paragraph 3, German Limited Liability Companies Act).
Due to the provisions of Article 8 in the Directive 95/46/EG, particularly sensitive data, being “particular kinds of personal data”, are subject to a special procedure. The law defines these particular kinds of personal data as being information regarding racial and ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health and sex life.
Data protection laws are to be considered when handling data. This handling can take the form of collection, processing or use.
In order to be able to process or use data, the responsible body must first have access to the data. The collection of data is thus a prerequisite. Collection is defined in Section 3 Paragraph 3 of the FDPA as the procurement of data relating to the person concerned. This is thus an active operation through which the responsible body gains knowledge of such data. The term ‘data processing’ is a general term that according to Section 3 Paragraph 4 of the FDPA encompasses five different methods of handling data. These are: saving, altering, transmitting, blocking and deleting personal data. The use of data is defined as any application of personal data not covered by processing. The use of data takes place if the activity in question cannot be classified under the five categories of data processing, for example the creation of copies or the comparison of the data with other data. The sharing of data with the person concerned also constitutes a use of that data, as does passing the data on within the responsible body. In social security data protection, this is expressly stipulated in Section 67 Paragraph 7 of the German Social Security Code X. In contrast to this, however, it is frequently the case that purely statistical analysis of data does not constitute use, since there is no application to a specific person.
Applying data protection law in practice
Knowing your customers is recognised as being one of the basic tenets of successful marketing. For suppliers of goods and services, addressing the consumer personally is therefore one of the most efficient means of gaining and keeping customers. This is why businesses big and small from all commercial areas engage in the administration of customer data – be it to a greater or lesser extent – with the goal of improving their customer orientation. As well as for the conclusion of agreements and services, customer data is increasingly of crucial importance for direct marketing. Advertising carried out in a targeted fashion to a targeted group avoids any scattering effect and allows customer needs to be answered on an individual basis. The objective of the FDPA becomes apparent fairly quickly when you understand that it is not possible to realise everything that is technically possible and of commercial interest without coming into contact with data protection law. Rather, it can clearly be seen that there is a conflict between commercial interest and data privacy provisions. There are countless publications dealing specifically with the problems that arise around so-called “customer privacy”.
II. Sale of address data and the use of it for marketing purposes
The sale of address data is an important tool for the advertising industry, which owes a large portion of its customer contacts to direct marketing. In 2007, around €11.5m was spent on addressed marketing mail. Forty-six percent of this was for retail; 44 percent was for the services industry. The Federal Association of German Mail Order Commerce goes as far as to describe the use of third-party address data as “essential to the survival of certain areas of the economy, allowing companies to respond to the natural loss of customers whilst also informing new customers in a targeted manner about their own range of products”.
In terms of direct marketing to so-called “cold addresses” – i.e. to those telephone and fax numbers or subscribers not already in some commercial relationship with the advertising party or who have not declared their consent for such contact – the regulations of the German Act Against Unfair Practices (AAUP) must be borne in mind, along with those of the FDPA.
In the field of advertising, the FDPA should therefore never be considered in isolation and without the AAUP in mind. After all, the permission to collect the addresses of customers is not worth much if the company is then not allowed to contact them in written form or via the telephone. The FDPA and AAUP have different aims, which come together in advertising. As stated in Section 1 Paragraph 1, the FDPA protects the right to self-determination with regards to information on the part of the person concerned. Each individual has the right to determine for themselves who has knowledge of their personal data and who makes use of it. Data privacy is thus of a preventative nature. In contrast to this, the AAUP protects genuine competition and – alongside this – the individual from harassment. Each individual is entitled to be left alone – i.e. to privacy – and this includes marketing faxes, marketing emails and marketing telephone calls. The protection offered by competition law is therefore a defensive regulation.
If a company wants to process personal data and use it for marketing purposes, then the permissibility for this must be examined from both the data protection law perspective and the competition law perspective.
III. Collection and processing of special categories of personal data
The law grants special categories of personal data special protection. The processing of particularly sensitive data is fundamentally prohibited. There are, however, numerous exceptions to this.
IV. Data protection on the Internet
When using the Internet in any of its numerous forms (from traditional surfing to more targeted information acquisition, online shopping or current Web 2.0 applications etc.) the user leaves behind considerable traces. Just as the possibilities the Internet presents the user with are diverse, so too are the problems that must be considered with regards to use of the Internet from a data protection law perspective.
V. Data protection in the media
It is plain to see that data protection and the right to self-determination of information that is protected by it (Article 2 Paragraph 1 in connection with Article 1 Paragraph 1, German Constitution) is in some conflict with the basic rights of communication (Article 5 Section 1, German Constitution). The same is true for the basic rights and basic liberties that apply on the level of European Union law. The information society and the media landscape made possible by it do indeed have a fundamental significance in democratic societies and represent important and necessary pillars of liberty for the development of personality. However, at the same time, there is an (at least potential) threat to the individual via encroachments in his or her personal rights and privacy. But, in this situation, the so-called “media privilege” (Section 41, Paragraph 1, FDPA) applies, according to which special regulations exist for the use of personal data collected, processed and used by media companies and assisting companies exclusively for their own journalistic, editorial or literary purposes.
VI. The right to information and the obligation to delete, correct and inform
Section 2, Article 8 of the Charter of Fundamental Rights of the European Union states that every person is entitled to be informed regarding the collection of data concerning them and to effect corrections to this data. The right to be informed therefore constitutes a central element of individual data protection law: only someone who knows which personal data concerning them is being stored can exercise their rights regarding correction, deletion and blocking of false or erroneous data and counter unrestricted use of the data effectively. Correspondingly, several special legal regulations standardise comprehensive rights to information on behalf of the person concerned with respect to the personal data stored relating to him or her.
VII. Contractual data processing
It is frequently the case that automated data processing is not carried out by the body responsible for the execution of this task but rather given to an external body. The flexibility associated with such outsourcing practices can be problematic in terms of data privacy – certainly, in situations where personal data are processed as part of such a practice.
VIII. Employee data protection
2009 was a year in which awareness of data protection increased significantly. Once the overall scale of the massive, prohibited surveillance of employees and outsiders by Deutsche Bahn became clear, the chairman of the company was forced to resign. After completing its investigation of the data scandal at Deutsche Bahn, the Berlin data protection authority, being the relevant body, imposed a record fine of €1,123,503.50 on the company. So it can be seen that questions relating to employee protection are becoming more important. Difficulties often arise in connection with so-called compliance procedures or in the fight against corruption.
IX. Exporting and importing data
The ongoing globalisation of economic life and the associated increase in information networking and technical communication systems require regulation in order to protect the personal rights of those affected by the transboundary flows of information and data. As a practical example, it can often come about that the HR department of a holding company is based abroad and that the data of the staff employed in the domestic locations of the company are sent to the corporation’s headquarters. One instance that achieved a high level of public attention was the conveyance of airline customer data to US security agencies following the terror attacks on 11 September 2001. A transfer of data abroad also frequently comes about when tourists’ travel data is passed on to local service providers such as hotels and car rental companies by travel agencies. In all these situations, it is necessary to ensure that the data being transferred is handled with the necessary sensitivity, for it is far from being the case that all countries around the world have data protection laws in place; moreover, even where this is the case, it does not mean that the level of protection guaranteed is one that we would consider standard here. Vice versa, one must also ask how one is to proceed with data that has been collected or processed abroad in a way that would not (easily) be compatible with our legal conceptions and is then transferred to Germany.
The conveyance of data to locations abroad that are not part of the EU or the European Economic Area – typically classified as “third countries” – and that do not (completely) lie within the area of application of European Union law is often particularly problematic. Here, for example, contractual regulation can provide relief. This is principally of importance for internationally active companies with some offices outside the territory of the European Union, although it is not limited to these. The contractual solution must respect the fundamental principles of the Data Protection Directive – in particular the purpose designation of the data transfer and the granting of rights to the persons concerned. It must be guaranteed that the legal system of the state in which the receiving body is located recognises the contractual provisions as formally binding. Due to practical complexities and in order to ease legal application, the European Commission has made use of its right in accordance with Article 26 Section 4 of the Directive 95/46/EG and produced so-called “Standard Contractual Clauses”, which it has published in formal decisions. Sufficient guarantees regarding the protection of personal rights and the exercise of the associated rights for the purposes set out in Section 4c Paragraph 2 Sentence 1 of the FDPA can also be provided through binding corporate rules. Due to a lack of binding force, pure codes of conduct are not sufficient. With binding corporate rules, the core fundamental principles of the Data Protection Directive must also be guaranteed.