Fines, Penalties and Damages for Data Protection Violations – GDPR Series, Part 2

Bernd Schmidt | Data Protection Sanctions, General Data Protection Regulation

The European Parliament has recently adopted the General Data Protection Regulation (GDPR). Part of this new data protection framework is a dramatic increase in sanctions for violations of data protection law. When the GDPR takes effect, the blunt sword for enforcing data protection requirements will suddenly turn razor sharp. Companies must then be prepared for fines amounting to millions of Euros.

Data Protection in Forest and Meadow – Legal Requirements for Operating Camera Traps

Bernd Schmidt | CCTV, Privacy Specials

Digital progress does not stop for hunters. Technical equipment such as digital camera traps is today part of standard hunting equipment. Camera traps are used for observing game populations and are typically deployed in areas that are not accessible to the public. Nevertheless, they are in the data protection authorities' focus. Hunters should be aware of the applicable data protection requirements.

New Consumer Protection Organisations’ Cease and Desist Claims for Data Protection Infringements

Bernd Schmidt | Data Protection Sanctions, Privacy Specials

Data protection is consumer protection law – infringements may result in consumer protection organisations' claims for cease and desist. While it has long been debated whether data protection law has a consumer-protecting effect, the legislator has now inserted a new Section 2 (2) No. 11 into the German Cease and Desist Claims Act (Unterlassungsklagengesetz – UKlaG). Section 2 (2) No. 11 UKlaG now establishes the consumer-protecting effect of data protection law and creates new claims for consumer protection organisations. Any company is well advised to address these new compliance risks.

Boss is Watching! New Data Protection Authorities’ Guidance on E-Mail and Internet Use at Work

Bernd Schmidt | Employee Data Protection, Telemedia

E-mail and internet access at work primarily serve the company's business purposes. However, in many cases employers allow or tolerate private use of company e-mail or internet systems. This may result in severe restrictions on the company's access to data stored in such systems. Companies are well advised to implement clear rules on (private) use in order to prevent undesired consequences.

From Safe Harbor to EU-US-Privacy-Shield – Future of International Data Transfers

Bernd Schmidt | International Data Protection

The ECJ Safe Harbor Ruling annuls the EU Commission's Safe Harbor Decision and puts the future of transatlantic data transfers at stake. A new approach for data transfers between the EU and the USA is supposed to provide the solution: the EU-US Privacy Shield. Whether or not this will succeed is as uncertain as the legitimacy of international data transfers from the EU to other third countries.

1.    The Safe Harbor Ruling

My colleague Bernhard Freund has discussed the key aspects of the Safe Harbor Ruling. The aim of this article (without claiming to give a comprehensive picture) is to pick up loose ends from his discussion.
The Safe Harbor Ruling has the direct consequence that one justification for transatlantic data transfers ceases to exist, and it creates a large number of open questions and obstacles for other international data transfers that are far from being solved.

The EU Commission's immediate reaction [PDF] and, later, the German government's reaction [PDF in German] to the Safe Harbor Ruling may be summarised as "transatlantic data transfers have always been possible and will somehow remain possible in the future regardless". Accordingly, they suggest using the EU Standard Contractual Clauses instead of the Safe Harbor justification. The German Data Protection Authorities' views are more nuanced and differ between the individual authorities.

The Bavarian Data Protection Authority and the Hamburg Data Protection Authority [PDF in German] take the view that data transfers to the USA are possible on the basis of the EU Standard Contractual Clauses, while the Data Protection Authorities of Hessen and Schleswig-Holstein also see the legitimacy of the EU Standard Contractual Clauses at stake. The Rheinland-Pfalz Data Protection Authority even assumes that data transfers to the USA would, with immediate effect, require the Data Protection Authorities' prior approval [PDF in German].

2.    What’s Next?

The EU-US Privacy Shield is now supposed to provide the final solution to these obstacles. The Privacy Shield approach is, however, rather uncertain. As of today, there is only an EU Commission press statement suggesting a mutual political agreement between the EU Commission and US government representatives on protecting the personal data of EU citizens in the USA.

The EU Commission's expectations are rather high, suggesting that the EU-US Privacy Shield would provide extensive protection for EU citizens' fundamental rights (in particular their privacy rights) when their personal data are transferred to the USA. The Privacy Shield is also meant to bring legal certainty for affected companies. Both are to be accomplished by:

  • strong obligations on companies handling Europeans’ personal data and robust enforcement,
  • clear safeguards and transparency obligations on U.S. government access, and
  • effective protection of EU citizens’ rights with several redress possibilities.

The USA is now expected to implement these safeguards in its national regulations, while the EU Commission prepares a new adequacy decision in cooperation with the Article 29 Working Party and the Member States' representatives. This process is to be completed within three months.

3.    Legal Risks Remain

The aim of the EU-US Privacy Shield is to provide ultimate legal certainty. Whether this will be achieved remains to be seen, as the ECJ's requirements are rather high. The USA must do no less than change its practice of data analysis for the purposes of national security, the public interest and the enforcement of US law. Instead of US agencies storing and analysing EU citizens' personal data without further requirements, the USA must now implement statutory justifications that respect the principles of necessity and proportionality according to European standards.

It is rather unlikely that the EU-US Privacy Shield will last if the USA does not meet these high standards, because the ECJ has empowered and obliged the European Data Protection Authorities to assess these requirements in each individual case, independently of any EU Commission adequacy decision. Should they conclude that these standards are not met, they must bring an action before the national courts, ultimately taking the issue to the ECJ. Paragraphs 57 and 65 of the Safe Harbor Ruling state:

“Thus, even if the Commission has adopted a decision pursuant to Article 25 (6) of that directive, the national supervisory authorities […] must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the directive […] where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must […] be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.”

Accordingly, whether or not the EU-US Privacy Shield will in fact fulfil the high expectation of bringing legal certainty remains open.

4.    Effects for other International Data Transfers

Following the Safe Harbor Ruling, the Data Protection Authorities would also be required to assess the legitimacy of international data transfers based on other justifications, e.g. the EU Standard Contractual Clauses, in each individual case and independently of any EU Commission decision. Ultimately, they would also be required to bring such data transfers before the courts for review where they have doubts regarding their legitimacy. Where the German Data Protection Authorities confirm the validity of the EU Standard Contractual Clauses for transatlantic data transfers, this is to be welcomed in the interest of affected companies. It is, however, far from certain that this will be their final approach.

That is not all. The USA is by far not the only country considered insecure with respect to its data protection regime because of government agencies' extensive powers to acquire and analyse personal data in the interest of national security and other public or governmental interests. This raises the question of whether we may just be at the beginning of a new approach to assessing the legal requirements for international data transfers. A new distinction may well be required: in addition to distinguishing secure from insecure third countries, there may be countries with so little data protection that transferring personal data there would be impermissible under any circumstances.

It is rather unlikely that likely candidates such as Russia, China or North Korea would agree to comply with European data protection standards when storing and processing EU citizens' personal data.

5.    Open Issues

Affected companies should carefully monitor developments in the legal framework for international data transfers and adapt their legal and risk management strategies accordingly. To do so, it is advisable to analyse international data flows and assess whether potentially critical data flows could be adjusted technically or legally if need be. For commissioned data processing, this includes assessing whether fully encrypted processing is possible and whether the provider could be replaced without negative impact on the company.

In the short term, the (German) Data Protection Authorities are expected to focus their supervisory activities on EU-US data transfers. Accordingly, this should be the starting point of any international data flow analysis; the analysis should then be extended to other countries following a risk evaluation.

Cookie-Banner – Legally Unnecessary Online Annoyance?

Bernd Schmidt | General Data Protection Regulation

They increasingly appear on websites – information banners with this or similar wording: "This website uses cookies – if you continue using this website, you consent to cookies being set in your browser." Typically, there is an additional link to a cookie policy containing more information on the cookies used. This is not really of interest to any user. It is therefore surprising that most website operators are under no obligation to provide cookie banners or cookie policies under German law.

Copying ID cards is prohibited? That depends…

Bernhard Freund | Privacy Specials

Scanning and copying ID cards is a widespread practice in the German business sector. Copies of ID cards are required as proof of identity, kept on file or scanned (e.g. by online services, credit agencies, logistics companies, fitness studios). Does this practice violate data protection law or the often claimed "ban" on copying ID cards? In short: in many cases it does, but not always.

Morphing in POV-Ray

Bernhard Freund | Various

A few days ago I created a 3D animation with POV-Ray. I had played around with this ray-tracer some fifteen years ago, but had only scratched the surface. Now I wanted to create a somewhat sophisticated animation including a scene where some text would appear out of a particle cloud. Thus, I needed to transform