q/Talk: The EU General Data Protection Regulation

[Image: Wikimedia_Foundation_Servers-8055_13]

Event data

Date
29. 11. 2016
Host
q/uintessenz
Location
Museumsquartier / Raum D
Event type
Information evening
Participants
Mag. Georg Markus Kainz, data protection expert and president of q/uintessenz
Dr. Lukas Feiler, SSCP, CIPP/E, lawyer and author

I am currently being invited to seminars and training for the new EU General Data Protection Regulation (EU GDPR) with more and more frequency: Austrian companies should duly inform themselves and react – and naturally also pay for this information; the Austrian consumer will finally be properly protected.

But is this really the case? How will every individual benefit from this Regulation? Will companies now finally be put in their place or is that once again one of these feared illusions?

The topic of q/Talk’s November event, held by the q/uintessenz association, was the EU GDPR, which enters into force on 25th May 2018. Mag. Georg Markus Kainz from q/uintessenz invited Dr. Lukas Feiler, lawyer at Baker & McKenzie and author, to this information evening. Dr. Feiler introduced the new EU GDPR and was afterwards available for questions and discussion.

How certain is the EU GDPR actually?

While some are celebrating the fact that data protection law is finally being harmonised in the EU, the national legislatures could make this significantly complicated.

There are 69 opening clauses in the EU GDPR. Opening clauses give member states the possibility to fill in the points covered by those clauses themselves when implementing the Regulation in national law, so that national rules will differ in those areas.

This can, and likely will, lead to the development of diverse legal layers. The problem can be illustrated by an example: an Austrian company whose customers are in Spain and which processes its data in Germany. Which law is applicable in this case? Which law does the company have to abide by? Which law can the consumer invoke?

While the Regulation mainly deals with requirements, prohibitions and penalties, the legally necessary definitions of terms are lacking. “Public authorities” naturally receive certain attention in the Regulation, but it is up to the individual states to define this term.

Fundamental Amendments and Impulses

Nevertheless, the EU GDPR contains clear impulses which, in some points, will entail significant changes. At its core, the Regulation forbids the transfer and processing of data as such, unless that transfer and processing is explicitly permitted by the GDPR.

For us citizens, above all, the right to be forgotten and the right to data portability are established. Under the right to be forgotten, if a person so desires, data about him/her has to be deleted and may not be further transferred. The right to data portability essentially requires companies to choose their data formats so that each person can have their data transferred from one data controller to another at any time.

Moreover, the principles of “privacy by default” and “privacy by design” should also be adopted with this Regulation. This means that companies must ensure that any technical default settings guarantee the best possible data protection (by default) and, at the same time, have to implement appropriate technical and organizational measures to protect personal data and the private sphere of individuals (by design).

It is important to note that privacy by design is the responsibility of those who use software, e.g. for a website, and is NOT obligatory for the software developer himself/herself.

Anyone who, for example, uses Google Analytics to evaluate their website should make sure to activate the checkbox in the settings which shortens the IP addresses of the website’s visitors by 8 bits before they are analysed. (By doing so, Google cannot assign the IP addresses exactly.)
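The same privacy-by-default idea can be applied to a site’s own logs before they reach any analytics tool: discard the low-order bits of each visitor address at the point of collection, so the stored data only identifies a network, not a single host. The following Python is an added example written for this article; it is not code from the talk, from q/uintessenz, or from Google. It uses the 8-bit IPv4 truncation mentioned above (last octet set to zero) and, as an assumption going beyond the talk, discards 80 bits for IPv6 so that only the /48 network part survives. The log lines are constructed and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Number of low-order bits to discard before storing or analysing an address.
# 8 bits for IPv4 is the value mentioned in the talk (last octet becomes 0).
# 80 bits for IPv6 is an assumption made for this example (keeps the /48 prefix).
IPV4_DISCARD_BITS = 8
IPV6_DISCARD_BITS = 80


def anonymise_ip(ip: str) -> str:
    """Return the address with its low-order bits set to zero."""
    addr = ipaddress.ip_address(ip)
    discard = IPV4_DISCARD_BITS if addr.version == 4 else IPV6_DISCARD_BITS
    # Mask that keeps the high-order bits and clears the low-order `discard` bits.
    keep_mask = ((1 << addr.max_prefixlen) - 1) ^ ((1 << discard) - 1)
    # Re-create the same address class so that a zeroed IPv6 never turns into IPv4.
    return str(type(addr)(int(addr) & keep_mask))


def anonymise_log_line(line: str) -> str:
    """Truncate the client address in one log line.

    Assumes the client address is the first whitespace-separated field, as in
    the common/combined web server log formats.
    """
    client, rest = line.split(" ", 1)
    return f"{anonymise_ip(client)} {rest}"


def anonymise_log(lines):
    """Anonymise every line; this is what should run before analytics sees the data."""
    return [anonymise_log_line(line) for line in lines]


def visitors_per_network(lines):
    """Count hits per truncated address: the only granularity that remains after anonymisation."""
    return Counter(anonymise_ip(line.split(" ", 1)[0]) for line in lines)


# Constructed sample log lines (documentation-range addresses, not real visitors).
SAMPLE_LOG = [
    '203.0.113.77 - - [29/Nov/2016:19:02:11 +0100] "GET / HTTP/1.1" 200 1024',
    '203.0.113.78 - - [29/Nov/2016:19:02:15 +0100] "GET /talk HTTP/1.1" 200 2048',
    '198.51.100.9 - - [29/Nov/2016:19:03:00 +0100] "GET / HTTP/1.1" 200 1024',
    '2001:db8:1234:5678::abcd - - [29/Nov/2016:19:03:30 +0100] "GET / HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in anonymise_log(SAMPLE_LOG):
        print(line)
    print(visitors_per_network(SAMPLE_LOG))
```

Running the script shows the two visitors from 203.0.113.77 and 203.0.113.78 collapsing into the single entry 203.0.113.0; with 8 bits discarded, any one truncated IPv4 value could have come from 256 different hosts, which is exactly the ambiguity the checkbox in the talk is meant to introduce.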

Further interesting aspects of the EU GDPR

  • The new Regulation ONLY relates to the data protection of natural persons. Companies cannot claim data protection for themselves. The data of customers and employees who are natural persons are protected by the Regulation.
  • Pecuniary fines were obviously a clear concern of the EU. While in Austria’s current data protection law (from 2000) a maximum fine of €25,000 can be imposed, in future the pecuniary fine will amount to 4% of the company’s global turnover with a maximum of €20 million.
  • Above all, in the case of groups of companies, this will, however, mean that, in the case of a breach by a subsidiary, the turnover of the entire group will be used as the basis for the fine.
  • A significant aspect also relates to questions of liability. From 2018, the management of a company can be held liable for data protection violations. This means that in future the authorities have to decide whether to bring a claim against the company or against the management.
  • The EU GDPR could also make law enforcement by NGOs possible. However, that has de facto to be decided by the member states in their interpretation of the opening clauses.
  • Data subjects can, in future, file a claim in EVERY country in which the data controller or the processor has a subsidiary.
  • In future, compensation can also be sought for non-pecuniary damage.
  • The duty of companies to register has de facto been abolished. Instead, companies have to independently conduct a privacy impact assessment. If this evaluation reveals a high risk, the supervisory authorities have to be consulted. At the same time, a duty of documentation for data handling processes is introduced.
  • The data protection officer, often the subject of media coverage, is only compulsory under certain circumstances, for example where the handling processes make a comprehensive, regular and systematic observation of data subjects necessary.

Feasibility

In an evaluation of the feasibility of this Regulation, Dr. Feiler referred, among others, to the following examples:

If the EU GDPR were fully implemented legally, this would imply a de facto prohibition of all free services. According to the Regulation, only services that can genuinely be considered “free” count as free. Services are considered “not free” when:
  • The execution is dependent on an agreement to the data processing.
  • The data processing is required for the fulfillment of a contract.

This would prohibit all services, from Facebook to GMX to Google, from offering their services for free. Almost every free service nowadays earns its money with advertising that is tailored to the user. Even if some are happy about this rule, it is hardly feasible in practice. You only have to think about how many people currently manage their private emails via a free mail provider.

A further element in the EU GDPR is the age limit. According to the Regulation, this would be 16, which means that the consent of parents would be required for the use of services until the age of 16. Here in Austria, 16-year-olds have – thank God – the right to vote, and at the same time they would not be considered sufficiently of age to register their own email account.

This aside, the primary question naturally concerns the feasibility: How can a provider establish the real age of a user? Regarding this, the Regulation merely states that companies have to take “suitable measures” to safeguard the age limit of users.

In the opening clauses, the member states are given the possibility to reduce this age limit to 13.

Conclusion

My conclusion on the General Data Protection Regulation

I am impressed with some of the concepts in the EU GDPR. Above all, the principles of “privacy by default” and “privacy by design” are, in my opinion, long overdue. However, in my view, some things are still lagging behind. Some elements of the Regulation are not practical and are as a result de facto unenforceable.

Independent of this, I think it is a pity that we – generally speaking – have once again taken the usual path of making the Regulation the subject of broader discussion when the development process is de facto over.

With this modus operandi we as a society are standing in our own way. I am also aware that the infrastructure is lacking for my vision of democracy, which is pro-active and which enables us in a “user-friendly” manner to participate in the development process of new laws.

My conclusion about the event

The name of q/uintessenz says it all. Despite his tempo, Dr. Feiler was able to clearly provide a general summary of the EU GDPR and explain it in a comprehensive manner. The audience consisted of very interested and informed people, which was almost always evident in the questions to the podium.

I personally am extremely grateful for the work of associations such as q/uintessenz. We need autonomous and proactive members of society who familiarise themselves with complex topics and who become involved in decision-making processes. People who, in the interests of society, intervene in these processes and unsolicitedly protect the interests of citizens. You all deserve respect!

To express it in the words of Max Frisch:

Democracy means interfering in one’s own affairs.

With this in mind,

Yours

Christian

Translation German-English: Donna Stockenhuber

Credits

Image: Wikimedia_Foundation_Servers-8055_13
Title: Wikimedia_Foundation_Servers-8055_13
Author: Victorgrigas
License: CC BY-SA 3.0