Data as a resource.

Data (Protection Law)

The Internet of Things, Big Data and the use of AI have turned data into a valuable asset. The amount of digital data generated in an industrial or business context is growing exponentially, and legal challenges are increasing. This is because the hunger for digital data is growing not only among companies with data-based business models in the media, telecommunications or sports industries, but above all among companies in the healthcare, transport or finance sectors. The confidential handling, protection, integrity and security of data is therefore becoming increasingly relevant.

There is a great need for advice on the lawful handling of digitized personal data. Innovative digital technologies for data collection and data processing enable companies to improve their services and offerings, analyze customer interests and purchasing behavior via personal profiles, or personalize advertising.

Any use of personal data must comply with the requirements of data protection and information security. The legal framework is essentially provided by the General Data Protection Regulation (DSGVO). In addition, the German Federal Data Protection Act (BDSG) and related areas of law that bear on data protection, such as the TMG, are relevant. Special attention must be paid to ongoing legislative procedures and the case law of the European Court of Justice, whose decisions (e.g. in the case of "Schrems II") can directly confront affected companies with major legal challenges.

Data protection law, on the other hand, has no relevance for the use of digital (mass) data that do not relate to individuals or do not allow such a reference to be made (such as pure measured values). Here, the legal discourse currently includes questions about the possible ownership of data, access to and exchange of data, or how a fair market order in the "data economy" can be legally guaranteed.

EU General Data Protection Regulation (DSGVO)

The DSGVO requires companies to implement data security measures that are suitable for ensuring a level of protection appropriate to the risk that the data processing poses to the rights and freedoms of the data subject. The state of the art must be taken into account appropriately. Even at the design stage of applications that process personal data, data protection must be taken into account through technology design (privacy by design) or through data protection-friendly default settings (privacy by default). When procuring IT solutions, it must be checked whether they meet the requirements, such as anonymization, pseudonymization, possible restrictions on processing (e.g. blocking), deletion or certain documentation obligations. This is the only way to ensure the lawful organization of data protection in the company's processing procedures or in relation to existing service relationships.

However, the DSGVO has not only redefined the requirements for the lawful and secure handling of personal data, but has also introduced new obligations, such as the right to data portability, and, in some cases, more stringent requirements and, above all, severe sanctions for legal violations (fines of up to EUR 20 million or up to 4% of total annual turnover), which has significantly increased the pressure on companies to adapt their processes to the requirements.

DSGVO on media privilege

In addition, Article 85 (1) and (2) of the DSGVO stipulates that Member States must or may provide for specific derogations from the DSGVO for journalistic, scientific, artistic and literary purposes in order to ensure freedom of expression and information. The handling of this opening clause on media privilege may, under certain circumstances, make it necessary for media companies to reassess the balance of interests between the protection of personal data and media freedom. The same applies, for example, to the handling of the Art Copyright Act (KUG) with regard to the use or publication of photos or moving images.

ePrivacy Regulation - further tightening of data protection

The ePrivacy Regulation is intended to supplement the DSGVO and regulate data protection law in relation to electronic communications, and specifically to replace the currently applicable directive on privacy and electronic communications (ePrivacy Directive, 2002/58/EC) and the so-called Cookie Directive (2009/136/EC). Since its presentation in early 2017, the draft has been the subject of controversial discussion and many changes in the EU Parliament and Council. The necessary trilogue procedure between the EU Commission, Parliament and Council is not expected to begin until 2021 at the earliest - after the evaluation of the DSGVO. Nevertheless, the German Government is working in the Council to ensure that the legislative procedure continues. At the same time it is presenting a new draft for a "Telecommunications Telemedia Data Protection Act" (TTDSG), which is intended to standardize and modernize the provisions on privacy for online services from the DSGVO, TMG and TKG for Germany.

Despite the uncertain time frame, online merchants, website operators and companies that conduct digital marketing should follow the progress of the proceedings closely, as they will bring a number of changes to business practice, e.g. in the handling of cookies, the tracking or targeting of users or technical (meta) data, and infringements may be subject to substantial fines.

ECJ case law - economic consequences

In data protection law in particular, supreme court rulings - especially those of the European Court of Justice - can have legal consequences and require immediate entrepreneurial action. The ECJ rulings in the Planet49 and Schrems II cases are examples of this. In the Planet49 case, the ECJ (in its ruling of 01.10.2019) fundamentally established that the only form of valid consent to the processing of user data by means of cookies in the EU is explicit consent, i.e. a declaration of consent that must be actively and specifically given by the user of the website. This ruling was the first after the DSGVO came into force to deal explicitly with consent in relation to cookies and tracking on websites and has far-reaching implications for website operators. In any case, its provisions must be observed until other legal regulations are in place.

Another recent decision by the ECJ on the admissibility of international data transfers in the "Schrems II" case (ruling of 16 July 2020) poses major legal challenges for the companies concerned: the ECJ declared the EU-US "Privacy Shield", the successor agreement to "Safe Harbour", which previously allowed the transfer of personal data from the EU to certified US companies for commercial purposes, to be invalid due to the lack of adequate data protection (against state surveillance measures).

With our legal expertise and technical know-how, we advise you on all data protection and data security relevant processes in your company and thus provide you with legal protection.

We work out legal, technical and organizational parameters required for your company and any necessary adjustments with regard to the collection and processing of data. We also represent and negotiate the solutions identified in this way with the relevant data supervisory authorities.

In addition, we support your operational business in all legal issues and pitfalls relating to the establishment and development of data-based business models, the digitization of your processes (the introduction and use of cloud services, Big Data or AI technologies), customer relationship management, the establishment and support of compliance systems or effective notification and information systems for affected parties (customers). Our consulting services also include questions in connection with international data transfers, order processing, in particular the preparation of contracts or the fulfillment of mutual obligations under Art. 28 DSGVO.

Furthermore, we represent your interests vis-à-vis regulatory authorities, consumer and competition associations or in court.

FREY offers - also in cooperation with other experts - ongoing training and company seminars in the field of data protection and data security.

Our clients in the area of data protection law come from all industries. They include medium-sized and large companies from the ICT and media industry, the construction industry, personnel service providers, content aggregators, specialized portal providers or startups (such as app developers). We also advise local authorities on data protection issues.

  • National and European data protection law
  • ePrivacy regulations
  • Interstate Treaty on Media and Broadcasting
  • State media and state press laws
  • Telemedia Law
  • Telecommunications Law
  • Right to one's own image