The Internet of Things, Big Data and the use of AI have turned data into an asset. The amount of digital data generated in an industrial or business context is growing exponentially, and legal challenges are increasing. This is because the hunger for digital data is growing not only among companies with data-based business models in the media, telecommunications or sports industries, but above all among companies in the healthcare, transport or finance sectors. The confidential handling, protection, integrity and security of data are therefore becoming increasingly relevant.
There is a great need for advice on the lawful handling of digitized personal data. Innovative digital technologies for data collection and data processing enable companies to improve their services and offerings, analyse customer interests and purchasing behaviour via personal profiles, or personalize advertising.
Any use of personal data is to be made in accordance with the requirements of data protection and information security. The legal framework is essentially provided by the General Data Protection Regulation (GDPR/DSGVO). In addition, the German Federal Data Protection Act (BDSG) and the Telecommunications Telemedia Data Protection Act (TTDSG) are particularly relevant. Progressive digitization and new challenges in international data exchange are also accompanied by constant changes in the legal framework. Legal certainty in the handling of personal data therefore requires special attention to ongoing legislative procedures and case law of the European Court of Justice (ECJ), whose decisions (e.g., in the case of “Schrems II”) can directly confront affected companies with major legal challenges.
Data protection law, on the other hand, has no relevance for the use of digital (mass) data that do not relate to individuals or do not allow such a reference to be made (such as pure measured data). Here, the legal discourse currently includes questions about the possible ownership of data, access to and exchange of data, or how a fair market order in the “data economy” can be legally guaranteed.
The GDPR requires companies to implement data security measures that are suitable for ensuring a level of protection appropriate to the risk of data processing for the rights and freedoms of the data subject. The state of the art must be considered appropriately.
Already in the run-up to applications that serve the processing of personal data, the aspects of data protection must be considered through technology design (privacy by design) or through data protection-friendly default settings (privacy by default). When procuring appropriate IT solutions, it must be checked whether they meet the requirements, such as anonymization, pseudonymization, possible restrictions on processing (e.g., blocking), deletion or certain documentation obligations. This is the only way to ensure the lawful organization of data protection in the company's processing procedures or in relation to existing service relationships.
However, the GDPR has not only redefined the requirements for the lawful and secure handling of personal data, but has also introduced new obligations, such as the right to data portability, and, in some cases, more stringent requirements and, above all, severe sanctions for legal violations (fines of up to EUR 20 million or up to 4% of total annual turnover). This has significantly increased the pressure on companies to adapt their processes to the requirements.
In addition, Article 85 (1) and (2) of the GDPR stipulates that Member States must or may provide for specific derogations from the GDPR for journalistic, scientific, artistic and literary purposes in order to ensure freedom of expression and information. The handling of this opening clause on media privilege may, under certain circumstances, make it necessary for media companies to reassess the balance of interests between the protection of personal data and media freedom. The same applies, for example, to the handling of the Art Copyright Act (KUG) regarding the use or publication of photos or moving images.
Meanwhile, the German government has anticipated the ePrivacy Regulation in some respects and moved forward with the new "Telecommunications Telemedia Data Protection Act" (TTDSG), to create more legal certainty and legal clarity to protect privacy in the digital age: The Act transfers sector-specific data protection rules from the Telecommunications Act (TKG) and the Telemedia Act (TMG) into a separate law, while at the same time adapting the provisions to the requirements of the GDPR and the ePrivacy Directive, which is still in force. The TTDSG came into force together with the new Telecommunications Act (amended by the TKModG) on 01.12.2021. It regulates, among other things, the storage of and access to information in the end user's terminal equipment, which is generally only permitted with a GDPR-compliant consent (keyword: cookies).
Despite the uncertain time frame, online merchants, website operators and companies that conduct digital marketing should follow the progress of the EU legislative proceeding closely, as the privacy regulation might bring a number of further changes to business practice, e.g., in the handling of cookies, the tracking or targeting of users or technical (meta) data, and infringements may be subject to substantial fines. The current TTDSG will then have to be adapted to the directly applicable ePrivacy Regulation.
In data protection law in particular, supreme court rulings – especially those of the European Court of Justice – can have legal consequences and require immediate entrepreneurial action. The ECJ rulings in the Planet49 or Schrems II case are examples of this:
In the Planet49 case, the ECJ (in its ruling of 1 October 2019) fundamentally established that the only form of valid consent to the processing of user data by means of cookies in the EU is explicit consent, i.e., a declaration of consent that must be actively and specifically given by the user of the website. This ruling was the first after the GDPR came into force to deal explicitly with consent in relation to cookies and tracking on websites and has far-reaching implications for website operators. In any case, its provisions must be observed until other legal regulations are in place.
Another decision by the ECJ on the admissibility of international data transfers in the "Schrems II" case (ruling of 16 July 2020) poses major legal challenges for the companies concerned: the ECJ declared the EU-US "Privacy Shield", the successor agreement to "Safe Harbour", which previously allowed the transfer of personal data from the EU to certified US companies for commercial purposes, to be invalid due to the lack of adequate data protection (against state surveillance measures).
Although the EU Commission has in the meantime presented new standard contractual clauses that are intended to make international data transfers more legally secure and facilitate data exchange with America, negotiations on a legally secure new agreement with the USA are still ongoing.
With our legal expertise and technical know-how, we advise you on all data protection and data security relevant processes in your company and thus provide you with legal protection.
We work out the legal, technical and organizational parameters required for your company and any necessary adjustments with regard to the collection and processing of data. We also represent the solutions identified in this way before the relevant data protection supervisory authorities and negotiate with them.
In addition, we support your operational business in all legal issues and pitfalls relating to the establishment and development of data-based business models, the digitization of your processes (the introduction and use of cloud services, Big Data or AI technologies), customer relationship management, the establishment and support of compliance systems or effective notification and information systems for affected parties (customers). Our consulting services also cover questions in connection with international data transfers and commissioned data processing, in particular the preparation of contracts or the fulfillment of mutual obligations under Art. 28 DSGVO.
Furthermore, we represent your interests vis-à-vis regulatory authorities, consumer and competition associations or in court.
FREY offers – also in cooperation with other experts – ongoing training and company seminars in the field of data protection and data security.
Our clients in the area of data protection law come from all industries. They include medium-sized and large companies from the ICT and media industry, the construction industry, personnel service providers, content aggregators, specialized portal providers or startups (such as app developers). We also advise local authorities on data protection issues.