- 29 November 2016
- Museumsquartier / Room D
- Mag. Georg Markus Kainz, data protection expert and president of q/uintessenz
- Dr. Lukas Feiler, SSCP, CIPP/E, lawyer and author
I am currently being invited more and more frequently to seminars and training on the new EU General Data Protection Regulation (EU GDPR): Austrian companies should duly inform themselves and react – and naturally also pay for this information; the Austrian consumer will finally be properly protected.
The topic of q/Talk’s November event, held by the q/uintessenz association, was the EU GDPR, which enters into force on 25 May 2018. Mag. Georg Markus Kainz from q/uintessenz invited Dr. Lukas Feiler, lawyer at Baker & McKenzie and author, to this information evening. Dr. Feiler introduced the new EU GDPR and was afterwards available for questions and discussion.
How certain is the EU GDPR actually?
While some are celebrating the fact that data protection law is finally being harmonised in the EU, the national legislatures could make this significantly complicated.
There are 69 opening clauses in the EU GDPR. Opening clauses give member states the possibility to amend the points covered by those clauses individually when implementing the Regulation in national law, thereby allowing national rules to differ in its implementation.
This can – and will likely – lead to the development of diverse legal layers. The problem can be illustrated by an example: an Austrian company whose customers are in Spain and which processes its data in Germany. Which law is applicable in this case? What law does the company have to abide by? Which law can be invoked by the consumer?
While the Regulation mainly deals with requirements, prohibitions and penalties, the legally necessary definitions of terms are lacking. “Public authorities” naturally receive some attention in the Regulation, but it is left to the individual states to define this term.
Fundamental Amendments and Impulses
Nevertheless, the EU GDPR contains clear impulses which, in some points, will entail significant changes. At its core, the Regulation forbids the transfer and processing of data per se unless the transfer and processing is explicitly allowed by the GDPR.
For us citizens, above all, the right to be forgotten and the right to data portability are established. Under the right to be forgotten, data about a person has to be deleted at that person’s request and may not be transferred any further. The right to data portability essentially requires companies to choose their data formats so that every person can have their data transferred from one data controller to another at any time.
Moreover, the principles of “privacy by default” and “privacy by design” should also be adopted with this Regulation. This means that companies must ensure that any technical default settings guarantee the best possible data protection (by default) and, at the same time, have to implement appropriate technical and organizational measures to protect personal data and the private sphere of individuals (by design).
Anyone who, for example, uses Google Analytics to evaluate their website should make sure to activate the checkbox in the settings which shortens the IP addresses of the website’s visitors by 8 bits before they are analysed. (By doing so, Google cannot assign the IP addresses to an exact host.)
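The truncation described above, applied on the operator's own side before visit data reaches any analytics store, as an added example that is not part of the original post (it is not Google's code, and the 80-bit truncation for IPv6 and the tab-separated log format are assumptions made for the example):

```python
import ipaddress
from typing import List, Tuple

# Low-order bits to zero before an address is stored or analysed. The IPv4
# value (8 bits, i.e. the last octet) is the truncation described in the post;
# the IPv6 value (80 bits) is an assumption added for this example.
TRUNCATE_BITS = {4: 8, 6: 80}


def anonymize_ip(addr: str) -> str:
    """Zero the low-order bits of an IPv4/IPv6 address so the stored value
    identifies a network segment rather than a single visitor.
    Raises ValueError for input that is not a valid IP address."""
    ip = ipaddress.ip_address(addr.strip())
    bits = TRUNCATE_BITS[ip.version]
    keep_mask = ((1 << ip.max_prefixlen) - 1) ^ ((1 << bits) - 1)
    return str(type(ip)(int(ip) & keep_mask))


def anonymize_visits(log_lines: List[str]) -> Tuple[List[Tuple[str, str]], int]:
    """Apply the truncation to every 'client_ip<TAB>path' line before it
    reaches analytics. Malformed lines are dropped (and counted) rather than
    stored with whatever was in the IP field, so raw data never leaks
    through the error path."""
    records, dropped = [], 0
    for line in log_lines:
        parts = line.split("\t")
        if len(parts) != 2:
            dropped += 1
            continue
        try:
            records.append((anonymize_ip(parts[0]), parts[1]))
        except ValueError:
            dropped += 1
    return records, dropped


# Constructed sample log lines (documentation-range addresses, not real visitors).
SAMPLE_LOG = [
    "203.0.113.77\t/index.html",
    "2001:db8:85a3::8a2e:370:7334\t/contact",
    "not-an-ip\t/admin",
]

if __name__ == "__main__":
    recs, dropped = anonymize_visits(SAMPLE_LOG)
    for ip, path in recs:
        print(ip, path)
    print("dropped:", dropped)
```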
Further interesting aspects of the EU GDPR
- The new Regulation ONLY relates to the data protection of natural persons. Companies cannot claim data protection for themselves. The data of customers and employees who are natural persons are protected by the Regulation.
- Pecuniary fines were obviously a clear concern of the EU. While under Austria’s current data protection law (from 2000) a maximum fine of €25,000 can be imposed, in future the pecuniary fine will amount to 4% of the company’s global turnover, with a maximum of €20 million.
- For groups of companies, however, this means that in the case of a breach by a subsidiary, the turnover of the entire group will be used as the basis for the fine.
- A significant aspect also relates to questions of liability. From 2018, the management of a company can be held liable for data protection violations. This means that in future the authorities have to decide whether to bring a claim against the company or against the management.
- The EU GDPR could also make law enforcement by NGOs possible. However, that has de facto to be decided by the member states in their interpretation of the opening clauses.
- Data subjects can, in future, file a claim in EVERY country in which the data controller or the processor has a subsidiary.
- In future, compensation can also be sought for non-pecuniary damage.
- The duty of companies to register has de facto been abolished. Instead, companies have to independently conduct a privacy impact assessment. If this evaluation reveals a high risk, the supervisory authorities have to be consulted. At the same time, a duty of documentation for data handling processes is introduced.
- The data protection officer, often the subject of media coverage, is only compulsory under certain circumstances, for example if the processing operations require comprehensive, regular and systematic monitoring of data subjects.
In an evaluation of the feasibility of this Regulation, Dr. Feiler referred, among others, to the following examples:
- The processing depends on consent to the data processing.
- The data processing is required for the fulfilment of a contract.
This would prohibit all services, from Facebook to GMX to Google, from offering their services for free. Almost every free service nowadays earns its money with advertising tailored to the user. Even if some welcome this rule, it is hardly feasible in practice. You only have to think of how many people currently manage their private emails via a free mail provider.
A further element in the EU GDPR is the age limit. According to the Regulation, this would be 16, which means that the consent of parents would be required for the use of services until the age of 16. Here in Austria, 16-year-olds have – thank God – the right to vote, and at the same time they would not be considered sufficiently of age to register their own email account.
In the opening clauses, the member states are given the possibility to reduce this age limit to 13.
My conclusion on the General Data Protection Regulation
I am impressed with some of the concepts in the EU GDPR. Above all, the principles of “privacy by default” and “privacy by design” are, in my opinion, long overdue. However, in my view, some things are still lagging behind. Some elements of the Regulation are not practical and are as a result de facto unenforceable.
Independent of this, I think it is a pity that we – generally speaking – have once again taken the usual path of making the Regulation the subject of broader discussion when the development process is de facto over.
My conclusion about the event
The name of q/uintessenz says it all. Despite his tempo, Dr. Feiler was able to clearly provide a general summary of the EU GDPR and explain it in a comprehensive manner. The audience consisted of very interested and informed people, which was almost always evident in the questions to the podium.
To express it in the words of Max Frisch:
Democracy means interfering in one’s own affairs.
With this in mind,
Translation German-English: Donna Stockenhuber
Image: Wikimedia_Foundation_Servers-8055_13, Victorgrigas, CC BY-SA 3.0