It should be noted that the GDPR contains no specific provisions regarding the online industry, e.g. regarding the permissibility of cookies, provisions for social media services, etc. For these purposes, the European Commission has developed the proposed new ePrivacy Regulation (ePR; cf. 2017/0003 (COD)), which contains, inter alia, significantly stricter rules for the use of cookies (cf. Art. 8 (1) ePR). The EU Commission intends for the new ePR to take effect as of 25 May 2018, together with the GDPR. It is unclear whether this can be accomplished, since the legislative procedure for the ePR is still ongoing.
Determining when data refer to an identified or identifiable person can be very complex. The key question is whose capabilities and means are relevant in ascertaining whether there is a reference to a person, e.g. those of the processing unit (relative reference to a person) or the entire knowledge of the world (absolute reference to a person). The GDPR takes no clear position. In any case, according to the recitals to Art. 26 Sentence 3 GDPR, the effort needed for the identification must be taken into account in this determination.
Considering the case law of the ECJ, which recently decided that dynamic IP addresses also constitute personal data (judgment dated 19 October 2016, Case No. C-582/14), the fact that the processor has “legal means” enabling him to identify the person behind the IP address should, in principle, be sufficient to establish a reference to a person. This information can be obtained from the Internet access provider in limited circumstances. To this extent, it can be assumed that there has been an expansion of the definition of “personal data” and thus of the area to which the GDPR applies.
In practice, the data subject’s consent to the processing of his or her personal data remains important, as in the past. Under Art. 6 (1) (a), such consent is to be given “for one or more specific purposes”. In view of the widespread current practice of drafting pre-set, standardised consent forms – which are still subject to review under the standards codified in the laws governing General Terms – EU legislators have sought to strengthen the substantive requirements for consent in the interest of protecting the data subject. Recital 32 of the GDPR states that “…consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement”. As before, this can be accomplished, inter alia, by an opt-in by the data subject or by “selecting technical settings”, e.g. on the Internet browser. There is no longer any space for opt-out solutions, which have been tolerated in German case law in special scenarios.
According to the aforementioned GDPR recital, if the processing is to serve multiple purposes, consent must be given for all such purposes. The term “consent” is defined in Art. 4 No. 11 GDPR: “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Under Art. 7 GDPR, the controller must, as before, be able to prove that consent was given. If the text of the declaration also concerns other matters, the text of the consent must “be presented in an intelligible and easily accessible form, using clear and plain language”, Art. 7 (2) GDPR.
According to Art. 7 (3) GDPR, any consent given under data protection law must be revocable, and the data subject must be advised of this in advance. These significant changes regarding the form of consent under data protection law should induce companies to carefully review and adapt existing standardised consent forms.
The catalogue of information to be provided when collecting personal data, cf. Arts. 13 and 14 GDPR, is significantly expanded. In addition, data subjects are given the right to receive a copy of the personal data used for data processing, Art. 15 (3) GDPR.
According to Art. 16 GDPR, data subjects shall have the right to demand that “controllers”, cf. the definition in Art. 4 No. 7 GDPR, correct inaccurate data or supplement incomplete data. In addition, there is the so-called “right to be forgotten”, which was already recognised in the case law of the ECJ and has now been codified in Art. 17 GDPR. Under Art. 17 GDPR, this right to have information deleted applies, inter alia, if personal data are no longer needed for the intended purposes, if consent is revoked, or in cases of unlawful processing, etc. If personal data subject to deletion have been made public, controllers must take reasonable measures, considering available technologies and cost, to inform third parties that the data subject has requested the deletion of links to these data and copies thereof.
Conversely, under Art. 17 (3) GDPR, there are certain exclusion criteria in favour of the controller with respect to claims seeking deletion of information, e.g. when preservation of the data is necessary to meet one of the controller’s legal obligations, e.g. a contractual obligation, or to assert legal claims.
Art. 20 GDPR (data portability) creates another new right for data subjects. Under this Article, data subjects may ask controllers to furnish them with the personal data they have provided in a “structured, commonly used and machine-readable format”. This is primarily aimed at user profiles in social networks or e-mail accounts. However, this right can also relate to customer accounts at companies, including any related personal data, such as that contained in e-mails or photos.
Companies must take suitable technical and organisational measures to ensure that they can process personal data in accordance with the GDPR, cf. Art. 24 (1) GDPR.
Technical data protection under Art. 25 GDPR means, inter alia, developing internal strategies and measures to ensure compliance with data protection principles through technology (data protection by design) and privacy-enhancing system settings (data protection by default). This can include keeping the processing of personal data to a minimum and quickly pseudonymising such data.
For example, if a company is using software to manage customer data, and the system does not allow data protection principles such as data minimisation to be effectively implemented, then, once the GDPR takes effect and after a transition phase, the company may have to conclude that it must either appropriately modify the existing IT system or install a new system that conforms to data protection law.
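The two principles named above, data minimisation and prompt pseudonymisation, as an added illustration that is not part of the original text: only the fields a stated purpose needs leave the function, and the direct identifier is replaced by a keyed pseudonym whose key is held apart from the data (the record, field names and key are constructed for the example).

```python
import hashlib
import hmac
import json

# Constructed sample record; the field names are assumptions for this example.
CUSTOMER_RECORD = {
    "customer_id": "C-10042",
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "date_of_birth": "1985-03-14",
    "order_total_eur": 129.90,
    "country": "DE",
}

# Data protection by default: the purpose-specific whitelist of fields that may
# reach a downstream system (here a hypothetical order-analytics purpose).
ANALYTICS_FIELDS = ("customer_id", "order_total_eur", "country")

# Constructed demo key. In a real deployment the key lives in a separate secret
# store, so the pseudonymised data set alone does not allow re-identification.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def pseudonymise(value: str, key: bytes) -> str:
    """Return a keyed pseudonym (HMAC-SHA256) for a direct identifier.

    The same identifier under the same key always maps to the same pseudonym,
    so records stay linkable for processing, while an unkeyed hash of guessable
    identifiers could be recomputed by anyone holding the data set.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(record: dict, key: bytes, keep=ANALYTICS_FIELDS) -> dict:
    """Drop every field outside the purpose whitelist and pseudonymise the identifier."""
    out = {}
    for field in keep:
        if field not in record:
            continue
        out[field] = pseudonymise(record[field], key) if field == "customer_id" else record[field]
    return out


if __name__ == "__main__":
    print(json.dumps(minimise_and_pseudonymise(CUSTOMER_RECORD, DEMO_KEY), indent=2))
```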
Technical measures to ensure security during the processing of personal data, which are currently covered by § 9 BDSG, inter alia, are also being stepped up and will now be covered by Art. 32 GDPR, inter alia. The company’s duty to report data protection violations, cf. Art. 33 GDPR, is being tightened, and controllers are being required to perform documented data protection impact analyses when the processing of personal data, particularly with the use of new technologies, is likely to result in a high risk to the rights and freedoms of individual persons due to the nature, scope, circumstances and purposes of the processing; cf. Art. 33 GDPR. This could play a role in credit profiling cases, for example.
The extensive new obligations placed on companies by the GDPR will necessitate the introduction of data protection management systems in companies, which, inter alia, must include a data protection organisation with appropriate responsibilities, a revised role for data protection officers, lists of processing activities, contract management, a procedure for the aforementioned data protection impact analyses and processes for protecting the rights of data subjects. Unlike in the past when the competent authorities often punished detected data protection violations with minor sanctions, in the future, after the GDPR takes effect, a permanent, strengthened fine and sanction system will be applied. This system will enable the imposition of very high fines and is intended to raise the consciousness of controllers. This may, in addition, create reason to quickly review and adapt company processes in areas relevant to data protection and bring them into compliance with the new Regulation, which takes effect by the end of May 2018. Be prepared!