Heuking
March 16, 2016 - Germany

EU Has Agreed on Terms of General Data Protection Regulation
by Dr. Lutz Martin Keppeler

On 15.12.2015 EU Commission, Council and Parliament agreed on the final terms of the General Data Protection Regulation (GDPR) in their trialogue negotiations. It is generally expected that the draft will be adopted soon, in any event not later than summer 2016. This ends the uncertainty about the content of the new European Data Protection law, which will be directly applicable in all Member States two years after the adoption by Commission, Council and Parliament. We take this as an opportunity to highlight some essential rules. Due to the complexity of the biggest data protection reform since the establishment of data protection law, we will only report the most important provisions in detail. The essentials may be summarized as follows:
Increase of potential fines

The most serious change in the data protection legislation is the substantial increase of potential fines. So far, in Germany fines of up to EUR 300,000 were a possible sanction for unlawful processing of data. The penalty framework of Art. 79 GDPR now includes fines of up to EUR 20 million or, in the case of an undertaking, 4% of its global annual turnover (Art. 79 para. 3a GDPR). Thus, data protection compliance in undertakings should carry greater weight in the future. It is remarkable that - by the wording of the GDPR - the basis for calculating fines is not the worldwide turnover of a group of companies but the infringing entity’s turnover (possibly a subsidiary with significantly lower turnover). This is most likely due to the fact that no general permission or exemption for group-internal data transfers exists in European data protection law.

One stop shop

The competent authority for an undertaking which is active in more than one Member State will be the so-called “lead supervisory authority” according to Art. 51a GDPR. The authority which is responsible for the “main establishment” of a group in Europe will be the lead supervisory authority for all questions relating to data protection in all of Europe. For cross-border cases the lead supervisory authority shall coordinate the activities of the other national data protection authorities (Art. 54a GDPR). Even in purely national cases, the national supervisory authority must consult the lead supervisory authority, and the latter has the right to decide whether it will deal with the case (Art. 51a para. 2c GDPR). Thus, forum shopping for international corporations takes on a new dimension. Furthermore, the concept of “one stop shop” will pose a challenge for the national supervisory authorities, as most of them already struggle with significant capacity bottlenecks. But important new questions arise for companies as well: What is the “main establishment”? According to the definition of Art. 4 para. 13 GDPR, not only the administrative headquarters must be taken into consideration; the seat of the entity or office that has de facto authority over the processing of data in the EU may also be the main establishment.

Data protection officer

According to the GDPR each undertaking shall designate a data protection officer if its core activities consist in data processing or if the undertaking processes special categories of data pursuant to Art. 9 GDPR, such as health data or information about religious affiliation. In both cases, however, the data processing must relate to “a large scale” of processed personal data. Obviously, it was not possible during the trialogue to agree on a specific threshold. In the drafts a certain number of employees or a number of processed records or persons concerned had been proposed. However, specific figures can no longer be found in the final text. The resulting legal uncertainty is all the more severe, as a violation of the obligation to designate a data protection officer may result in a fine of up to EUR 10 million in accordance with Art. 79 para. 3 GDPR. It is therefore advisable to appoint a data protection officer for each company just to avoid any risk. German companies - which usually have a data protection officer - should retain it for now to avoid uncertainty.

Transparency obligation

Each data processor must, to a greater extent than before, inform the data subjects. Currently, in most contexts, it is sufficient to inform about the identity of the controller and the purpose of data processing. Art. 14 GDPR now contains a number of further, more demanding requirements. For example, in the event a controller relies on a “legitimate interest” to justify the data processing, it is necessary to explain this legitimate interest in detail. In addition, the retention period, an indication of the right of appeal to the competent supervisory authority and an indication of the right to revoke any consent must be given. Furthermore, the contact details of the data protection officer have to be given to the data subject.

Requirements for consent

The GDPR does not provide a general requirement that declarations of consent be made in writing, as is currently the case in Germany according to Sec. 4a BDSG. Hence, in future all declarations of consent may be given by a mere click on the internet or a “touch” on a smartphone. At the same time, Art. 7 para. 4 GDPR and recitals 32 and 34 demand a high threshold for the voluntary nature of consent. Consent of minors (defined as younger than 16 years) will only be valid in the future if the consent is authorized or given by a parent or guardian (Art. 8 GDPR).

Broad displacement of national data protection law

National data protection law will no longer remain applicable where such law falls within the GDPR’s scope. Excluded are just a handful of special areas defined in Art. 80 et seq. GDPR, such as data processing in the labour context or for the purposes of science (Art. 83 GDPR). Furthermore, there is a vaguely worded exemption which allows national regulations if the data processing serves the public interest (Art. 6 para. 2 in conjunction with Art. 6 para. 1 (e) GDPR). However, in Germany a lot of well-established rules which permit the data processing of credit bureaus, video surveillance, the use of personal data for advertising purposes, scoring, and the general permission to generate pseudonymous user profiles for advertising purposes in the online sector (§ 15 para. 3 TMG) will be inapplicable in the future. While in most drafts regulations regarding “health data” and “genetic data” were intended to remain open to the Member States (Art. 81f GDPR), in the final text the clauses that allowed national regulations in this area are missing. Probably in many EU Member States it now has to be analyzed in detail which data protection rules in social law will be replaced by which provision of the GDPR.

The four main permission clauses

In place of the existing detailed national rules the GDPR basically sets six general provisions which determine whether data processing is permitted in principle (Art. 6 para. 1 (a)-(f) GDPR). In practice, the following four essential permission clauses will be the most important:

- Data processing is covered by consent of the data subject;
- Data processing is necessary for the performance of a contract;
- Data processing is necessary for compliance with a legal obligation;
- Data processing is necessary for the purposes of the legitimate interests of the data controller.
Many cases will be solved by “legitimate interest”

To assess whether data processing lies in the “legitimate interest” of the data controller and is not overridden by the interests or fundamental rights and freedoms of the data subject is a complicated task, especially since initially there will be no case law available as guidance. This is all the more severe as most of the techniques of the modern world – which should actually be regulated by the GDPR – like targeting for advertising purposes, Big Data, Industry 4.0, Smart Home, Connected Car and the Internet of Things are in most cases lawful if there is consent, a respective contract or – at least – a sufficient “legitimate interest” of the data controller. However, this may be an advantage for undertakings after all, as the important provision of “legitimate interest” opens a broad scope of interpretation which may be used to justify direct marketing that would not be allowed under the current national data protection laws. After all, the recitals contain indications as to when a legitimate interest may exist, such as in data processing for the purposes of:
While by the latter recital at least an indirect “group privilege” is implemented in the GDPR, it must be noted that new technologies such as Big Data and Smart Home are not mentioned as examples of legitimate interest. It is thus important to analyze the facts of the case in detail and carefully balance the interests of the data subjects and the data controller before applying such technology. Within the frame of the balancing test, the “reasonable expectations” of the data subjects have to be taken into account (Recital 38). “Reasonable expectations” is a new indefinite legal term in this context which has no precedent in data protection law. The two years until the GDPR becomes effective should be used to analyze which permissions could apply to existing data processing and whether there are sufficient valid arguments in favor of an overriding interest of the data processor where the legitimate interest shall be the legal basis.

Conclusion

The privacy regulation contains too many new provisions to address all aspects in this Update in detail. From the facts presented, the following conclusion can be drawn: Given the new high fines and the many changes in substantive law, undertakings should start early to examine which changes will be needed in their processing of data. Much of the previous guidance of the national supervisory authorities will be of no help in the course of this examination. As an exception, it is likely that some Opinions of the Art. 29 Data Protection Working Party may be used at least as a point of reference, as the Working Party has usually based its Opinions not on national law but on the old Directive 95/46/EC, with its very similar wording regarding the permission clauses. It will be interesting to observe whether new guidance papers of the data protection authorities will be published before the GDPR becomes applicable.