The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, changing the European privacy landscape. Q3 / Q4 of 2019 brought relevant insights into the impact of the regulation on consumers and organizations, mainly on topics such as the “right to be forgotten”, data protection in electronic communication, and the data management it requires. Companies such as Facebook have had new limitations imposed: amongst them, the prohibition on aggregating user data from different sources owned by the same corporation, as well as scrutiny of the use of artificial intelligence in digital marketing.
The GDPR contains special requirements for on- and offline segments and includes customer and employee data protection. In Germany, there are several national laws that regulate specific measures to ensure nationwide data protection. To comply with the EU requirements imposed by the GDPR, German data protection law was complemented by the second DSAnpUG-EU (Second Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680), with which the legislature has, among other things, raised the threshold for the mandatory appointment of data protection officers (DPOs). According to § 38 I 1 of the BDSG (Federal Data Protection Act), companies and other non-public bodies are therefore only obliged to appoint one if they employ at least 20 people who are continuously engaged in the automated processing of personal data.
The voluntary appointment of a qualified data protection officer according to Art. 37 IV GDPR remains possible and is appropriate, considering that the data protection obligations apply anyway and that Art. 5 II GDPR imposes a requirement of accountability. Additionally, with regard to the sanctions resulting from unlawful data processing, the voluntary appointment of a qualified DPO (internal or external) is recommendable as a preventative measure. In addition, the implementation of Codes of Conduct complying with Art. 40 GDPR serves as a recommendable self-regulatory instrument and as an aid in processing on behalf of a controller (order processing, Art. 28 V GDPR).
The data protection trends of Q3/Q4 2019 showed that the data protection impact assessment according to Art. 35 GDPR is of crucial importance. In particular, with respect to when a data protection impact assessment needs to be undertaken, the question arises whether this constitutes the norm or the exception. First proposals for a practice-oriented risk assessment of processing already exist. The risk orientation of the regulatory authority is also expressed by the fact that the processing of sensitive data according to Art. 9 GDPR is tied to restrictive requirements.
In summary, the most relevant topics discussed in Q3 / Q4 2019 regarding risk assessment are as follows:
ISO/IEC 27701:2019 was published in August 2019. The official title is “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.” As the name implies, ISO 27701 is not an independent standard, but only an extension adding data protection aspects to the ISO 27000 family (namely ISO 27001 and ISO 27002). The core of certification remains the Information Security Management System (ISMS).
Articles 42 and 43 of the General Data Protection Regulation (GDPR) provide for the conditions under which data protection certification should be established and the requirements that certification bodies must comply with. A closer look at Art. 43 GDPR immediately shows that certification of data protection is possible only on the basis of ISO 17065 (certification of products and processes), which is not the case for ISO 27701. Additionally, ISO standards have a significant drawback when it comes to transparency with regard to the scope or criteria applied: a certificate cannot be used to determine which areas were actually certified. This contradicts the requirements for data protection certificates specified in Article 42 GDPR, so the certification is not GDPR-compliant.
In principle, there are currently no certificates that are fully compliant with the requirements set forth in Article 42 GDPR, although there is a great need for them within the economy. The external impact of certification is useful not only for marketing purposes but also for reducing the liability of the company or its management/board of directors in case of possible privacy violations and sanctions by the supervisory authorities.
Apart from external expectations and marketing needs, such certifications could mostly be used for internal purposes, for example in the relationship between a client and a contractor during order processing, the use of subcontractors, or submission to the supervisory authority as evidence of accountability. In addition to certification, other methods for determining GDPR compliance can be used, such as Risk Management and Risk Assessment, Privacy Frameworks and Auditing Standards (attestation). Such attestations of a Data Protection Management System can be implemented as part of an attestation audit of the Compliance Management System (according to IDW PS 980). Attestations of parts of the Data Protection Organization are also possible in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised).
The GDPR has inspired many lawmakers in other countries to draft privacy laws, from the LGPD in Brazil to the CCPA in California. Although many of these laws are consistent with the general principles of data protection, each of them implements these protections in its own way. These two new regulations are just the beginning: Canada and Australia are also considering new data protection regulations, and the Indian legislature is going to vote on the Personal Data Protection Bill. In the United States, several states, including Nevada, New York, Texas, and Washington, are considering following California's lead and enacting their own data protection laws.
Over the past few years, Brexit has dominated European news, and UK and EU regulators have to create an alternative regulatory framework to protect data in the future. However, this will have a relatively small impact in 2020, at least in terms of data protection. Despite the fact that the UK officially left the EU on January 31, 2020, it will still adhere to all EU standards and rules during this year. This means that the GDPR will still be the law of the land in the UK.
It seems that the often-delayed counterpart of the GDPR, the ePrivacy Regulation, will remain behind schedule. In fact, the Permanent Representatives Committee of the Council of the European Union rejected its proposal in November 2019. This makes it likely that a revised proposal is required this year, meaning that the actual implementation is still at least a year off. The ePrivacy Regulation was originally meant to take effect in 2017 to replace the current ePrivacy Directive, the law that currently governs how cookies are regulated throughout the EU.
In 2015, Max Schrems, an Austrian privacy advocate, filed a complaint with the Irish Data Protection Commissioner, challenging Facebook Ireland's reliance on standard contractual clauses as the legal basis for the transfer of personal data to Facebook Inc. in the USA. Schrems argued that such standard contractual clauses did not provide an adequate level of protection for EU data subjects. This led to a controversial decision and subsequently to the Schrems II case, which is currently approaching a conclusion.
The basis of the case is Art. 46 GDPR, which states that a data controller can transmit data internationally or to a third country “only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
On December 19, 2019, the Advocate General (AG) to the Court of Justice of the European Union (CJEU) released an opinion stating that standard contractual clauses could be used to transfer data internationally. However, the AG also suggests that the use of such clauses be reviewed on a case-by-case basis. The opinion also raises serious concerns about data protection in the United States, which cast doubt on data transfers there. Although the opinion of the AG is not binding, it is often a preview of the decision of the CJEU. A final CJEU decision, and with it a new round of disputes over international data transfers, can be expected later this year.
For more information with regards to our GDPR services please contact us.