Data Protection in Germany – What's New?
The General Data Protection Regulation ("GDPR") contains a number of opening clauses and regulatory mandates which have to be observed by the legislator of each member state of the European Union. As a result, the national legislator is obliged to make sure the applicable federal data protection act complies with the GDPR. In that regard, the German government recently drafted an Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 ("DSAnpUG-EU").
The draft bill provides for changes to various provisions of the German Federal Data Protection Act ("FDPA"), such as those on video surveillance of public space and on the processing of special categories of personal data. A significant change concerns the obligation to designate a data protection officer ("DPO"). At present, a company with at least 10 employees who are permanently involved in processing personal data has to appoint a DPO (Sec. 38 FDPA). This threshold will now be raised to 20 employees. It is not certain at this point when the draft will come into force, but it is expected to become effective shortly.
The Data Protection Conference (Datenschutzkonferenz – "DSK"), composed of the data protection authorities of the 16 federal states together with the authority of the Federal Republic itself, tries to harmonise the interpretation and application of the legislative framework on data protection.
Lately, the DSK discussed the question of when and how personal data of customers may be transmitted in the course of a company acquisition. This is not a new topic and has always accompanied us – already before 25 May 2018. The DSK has now agreed on a catalogue of case groups that can be taken into account in the balancing of interests pursuant to Art. 6 para. 1 s. 1 lit. f GDPR when assessing the legitimacy of transmitting personal data. Accordingly, legitimacy is assessed differently for the following groups of data: customer data for existing ongoing contracts, data of existing customers with a contract either not older than 3 years or older than 3 years, data of prospective customers where advanced contract initiation has taken place, customer data relating to open claims, and especially sensitive customer data. For these case groups the DSK adopted different rules. Some data, such as sensitive data, require the explicit consent of the data subject, while other data can be legitimately transmitted on the basis of Art. 6 para. 1 s. 1 lit. f GDPR.
Currently, the DSK is working on a concept for imposing fines on companies for violations of the GDPR, with the aim of ensuring a comprehensible, transparent and case-by-case imposition of fines. Until now, fines in Germany have been rather moderate. This could change with the new concept, which relies exclusively on a company's turnover as the basis for determining a so-called "daily rate". Depending on the extent of the violation and the nature of the infringement, this daily rate is then multiplied by a factor x, still to be determined, and possibly further adjusted in accordance with Art. 83 para. 2 GDPR. According to the DSK, even though the concept has not yet been officially adopted, it is already being used in order to test its practicability and accuracy.
An example of the application of this concept is the case of the food delivery service "Delivery Hero", which recently came under investigation by the data protection authority in Berlin. The authority issued a record-breaking fine of almost EUR 200,000 against the company in light of several different breaches. For example, customers of Delivery Hero received unwanted advertising emails; one customer who had objected to the use of his data for advertising purposes received a further 15 emails. In other cases, Delivery Hero disregarded deletion obligations, and finally, requests for information under Art. 15 GDPR had not been properly answered.
Apart from that, the International Working Group on Data Protection in Telecommunications ("Berlin Group") has recently adopted a working paper on the privacy rights of children. Children spend a lot of time using online services, apps and smart devices and are particularly vulnerable with respect to the protection of their data, as they are mostly unaware of the risks associated with the collection and processing of personal data. Products and services for children must therefore meet high requirements in terms of transparency, validity of consent and privacy by design. The working paper on the protection of children's privacy in particular calls on service providers to ensure transparency and to obtain valid parental consent for the processing of children's data. It also provides recommendations for policy makers, developers of online services and regulators.
Based on recordings from whistle-blowers, the media recently reported that Google's Google Home Language Assistant was used to evaluate people's acoustic recordings in order to optimise the speech recognition capabilities of the Google Assistant. During these evaluations, employees of Google or of contracted companies listen to the voice recordings and transcribe them to analyse whether the recorded acoustic information was correctly processed by the AI system behind it. According to the whistle-blowers, the employees commissioned by Google were able to gather personal information from the private and intimate spheres of the persons concerned from the recorded conversations. Furthermore, a considerable part of the recordings was made due to incorrect activation. The Hamburg data protection authority has now opened an administrative procedure to prohibit Google from carrying out such evaluations.
This procedure is particularly about the provision of sufficient and transparent information for those affected by the processing of voice commands, but also about the frequency and risks of misactivation.
(Johannes Caspar, State Commissioner for Data Protection and Freedom of Information Hamburg)
In our latest kallan newsflash, we reported on the responsibility of Facebook fan page administrators and the view of the data protection authority of Berlin in this regard. The Federal Administrative Court (Bundesverwaltungsgericht – "FAC") has now ruled that supervisory authorities may ban fan pages (BVerwG, judgement of 11 September 2019 – 6 C 15.18). The FAC had referred the case to the European Court of Justice ("ECJ"). Last year, the ECJ ruled that the operators of a fan page are also to be classified as controllers responsible for the data processing. The FAC has now followed the decision of the ECJ. The verdict essentially says that fan page operators bear legal (co-)responsibility for compliance with data protection law. The Commissioner for Data Protection and Freedom of Information of Schleswig-Holstein, Marit Hansen, welcomes the ruling.
This clarification means a tailwind for data protection. I am therefore pleased that the Federal Administrative Court has overturned the appeal decision of the Higher Administrative Court of Schleswig and confirmed our argumentation.
Others, like the industry association "Bitkom", criticise the decision, as it will most likely lead to increased bureaucracy.