Copyright © Media Law International 2018. All Rights Reserved.
Specialist Guide to the
Global Leaders in Media Law Practice
The German Land (federal state) Hesse takes pride in the fact that it was the first jurisdiction to pass a law on the protection of personal data (although limited in scope to the processing of personal data by public authorities), which entered into force in 1970. For more than 35 years already, data protection law has been addressed within the Council of Europe (COE) on an international level and within the then European Communities, now the European Union (EU), on a supranational level.
After the COE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which was opened for signature in 1981, the first effort to establish a common standard of protection for personal data of individuals across the European internal market came with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive).
As is apparent from its full title, its purpose was twofold: protecting the fundamental rights and freedoms of natural persons as well as ensuring the swift cross-border transfer of personal data. The Data Protection Directive contained rather general provisions that defined the framework for national data protection legislation in the Member States.
Subsequently, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), commonly referred to as the ePrivacy Directive, introduced more specific provisions for telecommunications and online services that take preference over the provisions of the Data Protection Directive.
As is often the case, the Member States had implemented the Data Protection Directive quite differently and with various degrees of enthusiasm. For instance, national legislation in Spain and Germany even went beyond the level of detail compatible with the Data Protection Directive and introduced further requirements for the lawfulness of the processing of personal data.
Therefore, the Court of Justice of the European Union (CJEU) ruled in ASNEF and FECEMD (C-468/10 and C-469/10) and Patrick Breyer (C-582/14) that Member States are precluded from passing legislation that is stricter than the standard defined by the Data Protection Directive. Thus, the standard of protection and the scope of obligations imposed on businesses across the EU were somewhat scattered, and there was even uncertainty about the conformity of national laws with the Data Protection Directive.
As technical innovation, especially in connection with the internet, went ahead rapidly in recent years, largely led by players outside of the European Union, most notably in the “Silicon Valley”, it became more and more apparent that the EU needed to find a more coherent approach to protect their citizens’ personal data.
After years of deliberation, a proposal for a new EU General Data Protection Regulation (GDPR) was released in 2012, and the process of negotiations between the EU Commission, the European Parliament and the Council (representing the EU Member States) took another four years until the final version of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) was adopted.
In order to allow all stakeholders to adapt to the new law, a transition period of two years was provided for in Article 99(2) GDPR and the GDPR will apply from 25 May 2018.
Unlike its predecessor directive, the GDPR is a regulation, which means it does not have to be transposed into national law but is rather directly applicable law in all Member States of the European Economic Area (EEA, i.e. EU plus Norway, Iceland and Liechtenstein).
The GDPR mainly pursues goals to strengthen the rights of natural persons to control the use of their personal data, has a broader territorial scope than the Data Protection Directive and imposes a number of new obligations on controllers of personal data, especially in the field of documentation and transparency.
While the inclusion of no less than 69 opening clauses leaves room for national solutions (or even calls on the Member States to pass national legislation on specific situations of processing personal data) and prevents a full harmonisation, there can be no doubt that the GDPR brings in a new era in EU data
Despite the many new aspects the GDPR brings along, the fundamental principles of data protection law established by the COE Convention and the Data Protection Directive remain largely the same. The guiding principle is now set forth in Art. 6 GDPR: unless explicitly allowed by the GDPR, the processing of personal data (e.g. name, address, gender, age, location, IP address or any other information relating to an identified or identifiable natural person) is unlawful.
Obviously, the main legal basis that can make an otherwise unlawful processing of personal data lawful is the data subject’s consent, given freely and expressly. Other legal bases for the lawful processing of personal data include the necessity for the performance of a contract which the data subject entered into, compliance with a legal obligation, the pursuit of legitimate interests (which can, however, be overridden by the data subject’s interests) etc.
There is no exemption for any kind of personal data that might be argued to be per se trivial, such that processing it should be innocent in the absence of proof to the contrary. The only exemption reflecting a de minimis principle is the “household exemption” for the processing of personal data in the course of a purely personal or household activity.
Other situations of processing which are excluded from the material scope of the GDPR include law enforcement and national security (e.g. fingerprint databases), which is the subject-matter of another
The guiding principles of data protection law are enshrined in Art. 5(1) GDPR. In detail, the fundamentals of EU data protection law are the following:
— Lawfulness, Fairness, Transparency: Any processing of personal data shall be lawful, fair and transparent in relation to the data subject. This entails the controller’s obligation to provide detailed information to the data subject on the intended purpose of processing of their data.
— Purpose Limitation: Personal data shall only be collected for specified, explicit and legitimate purposes. The purpose does not have to be in the public interest, however. For example, collecting personal data for private advertising purposes or even for enabling a business model entirely based on the processing of personal data (such as a rating platform) is permissible. The controller, however, has to specify those purposes and inform the data subjects.
— Data Minimisation: Only adequate and relevant personal data shall be collected, limited to what is necessary in relation to the purposes for which they are processed. Thus, data minimisation reduces the quantity of the data collected as well as the extent of processing in relation to its necessity for the specified purpose. From this principle derives the requirement that personal data shall be processed in anonymised or pseudonymised form, wherever feasible, i.e. that information relating to data subjects is no longer attributable to a specific data subject without the use of additional information (mapping pseudonyms to specific persons).
— Accuracy: Personal data collected shall be accurate and, where necessary, kept up to date. This is especially relevant for data that is used for profiling or scoring, as incorrect or outdated information on debts, criminal charges etc. can be prejudicial to an individual’s life without that person ever knowing the cause for the decisions made by banks, vendors or employers.
— Storage Limitation: Storing data is one form of the processing of data. Once the specified purpose is fulfilled, the further storage of personal data is no longer justified by that purpose. The necessity of collecting data in relation to the purpose specified by the controller therefore has an impact on the time span during which the data may be stored. The GDPR does, however, provide an exception for archiving purposes in the public interest (e.g. historic or scientific research, statistical purposes) as long as proper safeguards such as pseudonymisation are in place.
— Integrity and Confidentiality: Personal data shall be protected by adequate technical or organisational measures, especially against outside attacks such as hacking, in order to prevent unauthorised alteration or unauthorised inspection or disclosure. Art. 32 GDPR which specifies a controller’s obligation with regard to the security of processing also mentions availability (the third element of the “CIA triad” of information security) and the resilience of processing systems and services, which is a prerequisite to ensure the availability of data processed in servers connected to the internet and thus exposed to the threat of denial-of-service attacks (i.e. bringing down a server by flooding it with requests beyond the quantity that the server can handle).
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, irrespective of where the actual processing takes place, as Art. 3(1) GDPR makes clear. This means that not only European controllers fall within the scope of the GDPR; it has far broader implications.
The term “establishment” had already been used in the Data Protection Directive and was widely defined by the Court of Justice of the European Union (CJEU). A company is not only considered “established” in the member state where it has its headquarters or a corporate branch but also if far less tangible factors connect it to a certain member state.
In Google Spain (C-131/12), the 2014 judgment which also created the “right to be forgotten”, the CJEU held that if a local branch of Google promotes and sells advertising space on the Google website while it does not operate or control the operation of the search engine, the processing of personal data is nevertheless “carried out in the context of the activities” of that establishment. In Weltimmo (C-230/14) the CJEU held that “establishment” extends to any real and effective activity, even a minimal one.
Now, however, the territorial scope of EU data protection law, which had already been extended considerably by the jurisprudence of the CJEU outlined above, will even go beyond that. Not unlike the “doing business” standard when it comes to the personal jurisdiction of courts within the United States, Art. 3(2) GDPR connects the applicability of EU data protection law to the offering of goods and services to data subjects within the EU or the monitoring (e.g. tracking of online behaviour or location data) of such individuals.
This expressly includes the offering of “free” services such as Google, Facebook, Twitter, Instagram, WhatsApp and many others where no monetary payment by any data subject is required but customers reward the company’s services with giving away their data instead.
Effectively, the GDPR thereby applies to any company that “does business” involving personal data within the EU. Where such a company does not have an establishment in the EU, it is now required by Art. 27 GDPR to appoint a representative established in one of the Member States where the relevant data subjects are and to mandate it to be addressed, instead of the company or additionally, by supervisory authorities and data subjects in matters of data protection law.
This extension of territorial scope is a significant innovation in European data protection law. Many online service providers, typically headquartered in the United States, now have to decide whether they choose to steer clear of one of the biggest markets in the world or to adapt to a much stricter approach on the privacy of personal data than taken by their home jurisdiction.
This might lead to an effect of the GDPR that even reaches companies neither established nor doing business in the EU, simply because the most advanced regulation in a certain field determines the standard adhered to by companies or aimed at by legislation elsewhere.
This kind of effect has been dubbed the “Brussels effect” after the “California effect” in the United States, where Californian legislation (notably the 1970 Clean Air Act) often sets the standard for other states’ legislation. In the long run, companies doing business internationally are likely to implement the strictest rules they face for their business activities on the whole since this is typically less costly than offering different flavours of their services for different markets.
Beyond its broader reach, the GDPR introduces a number of new innovations.
Genetic data and biometric data have been added to the list of “special categories of personal data” (such as racial or ethnic origin, political opinions etc., already contained in the Data Protection Directive), the processing of which is governed by stricter provisions: unless the data subject gave his or her consent to process such data or made them public, processing must be necessary for the purposes enumerated in Art. 9(2) GDPR. These are much narrower than what would otherwise constitute a legitimate purpose under Art. 6 GDPR.
All rights of the data subject have been strengthened by introducing a deadline. After the data subject has made a request for the rectification of inaccurate data, for instance, the controller must provide information on action taken within one month at the latest as per Art. 12(3) GDPR.
The right of access by the data subject now includes the right to obtain a copy of the data which the controller processes along with the other information detailed in Art. 15 GDPR.
The right to erasure in Art. 17 GDPR now includes an extension of the “right to be forgotten”, which the CJEU had developed in Google Spain (after a certain period of time, the data subject’s interest that information which is prejudicial to him or her can no longer be found online through a search engine may override the legitimate interests of the search engine provider; in such a case, the provider must remove hyperlinks to the personal data in question from the search index).
A controller that was requested to erase personal data which had been made public by the controller must now also take reasonable steps to inform other controllers that the data subject’s request includes the erasure of copies and hyperlinks.
The new right to data portability as per Art. 20 GDPR means that a data subject who gave their consent to the processing of personal data or made a contract with the controller and who provided data to the controller has “the right to receive the personal data concerning him or her […] in a structured, commonly used and machine-readable format”; he or she may also request that such data be transmitted directly to another controller, where technically feasible.
This second element is somewhat alien to the GDPR in that it does not enable the data subject to have control over which data is processed by whom for which purposes, i.e. the aim of data protection. Rather it facilitates changing a provider by relieving the user of providing their master data again.
The GDPR requires controllers to notify a personal data breach to the supervisory authority and, where the data breach is “likely to result in a high risk to the rights and freedoms of natural persons” (i.e. where sensitive data is involved), also communicate it to the data subjects.
The notification to the supervisory authority must be made within 72 hours after having become aware of it and must include certain information on the nature and extent of the data breach etc.
Controllers are well-advised to prepare themselves for this situation by appointing a person who is responsible for handling the notification obligation and by collecting the necessary information on their IT infrastructure as well as the data which is processed in the various systems in order to enable the responsible person to make the notification in due time.
Information obligations have been extended considerably compared to the Data Protection Directive by Art. 13 and 14 GDPR. Controllers now have to provide to the data subject not only information on the purposes of the processing but also information on the legal basis of processing, the name and contact details of the data protection officer and information on the rights of the data subject etc.
Where the controller intends to transmit personal data to a “third country” (i.e. outside the EU/EEA) it must inform on the existence of an adequacy decision by the EU Commission, which decides that a certain third country ensures an adequate level of protection.
Switzerland or Argentina are currently deemed to provide such protection, for instance. In the absence of an adequacy decision, reference must be made to the appropriate or suitable safeguards which are required for lawful transmission to third countries lacking an adequate level of protection; the controller has to provide information even on “the means by which to obtain a copy of them [scil. the safeguards] or where they have been made available.”
From the principle of data minimisation two specific obligations are derived in Art. 25 GDPR, namely the principles of “data protection by design” and “data protection by default.”
— The first principle requires the controller to take appropriate measures which are from the very beginning designed to implement the principle of data minimisation when determining the means for processing. Pseudonymisation of personal data is explicitly mentioned as a possible measure. This means that the design of business processes and software has to take into account data minimisation and aim at the solution which limits the amount of personal data and the extent of processing to what is really necessary to achieve a specific purpose. It is therefore not admissible to require the users of a social network or similar online platform to use their real name as their public username.
— The second principle requires that where the data subject has options to choose from with regard to the processing of personal data that “by default, only personal data which are necessary for each specific purpose of the processing are processed”. This applies specifically to making data accessible to the public, for example as part of a profile on a social network or similar online platform.
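The data minimisation and pseudonymisation described above, and the “by default only what is necessary” rule of Art. 25 GDPR, as an added illustration that is not part of the original article: a working dataset is reduced to the fields needed for a stated purpose, direct identifiers are replaced by keyed pseudonyms, and the key plus the pseudonym-to-person mapping (the “additional information”) are held apart from the data. The sample records, the purpose list and the vault class are constructed for this example.

```python
"""Data minimisation with pseudonymisation (illustration, not the article's code).

The working dataset keeps only the fields necessary for a specified purpose; the
link back to the person lives in a separately held vault, so the dataset alone is
no longer attributable to a specific data subject.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records; the people and addresses are fictional.
RECORDS = [
    {"name": "Anna Beispiel", "email": "anna@example.org", "age": 34, "city": "Mainz", "orders": 3},
    {"name": "Ben Muster", "email": "ben@example.org", "age": 51, "city": "Köln", "orders": 1},
    {"name": "Anna Beispiel", "email": "anna@example.org", "age": 34, "city": "Mainz", "orders": 2},
]

# Assumed purpose specification: which fields are necessary for which purpose.
# In practice this list comes from the controller's own documented purposes.
PURPOSES = {
    "order_statistics": ("age", "city", "orders"),
    "delivery": ("name", "email", "city"),
}
DIRECT_IDENTIFIERS = {"name", "email"}


class PseudonymVault:
    """Holds the key and the pseudonym -> identifier mapping apart from the data."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._mapping: dict = {}

    def pseudonymise(self, identifier: str) -> str:
        # Keyed HMAC: the same person always gets the same pseudonym, so records
        # stay linkable for analysis, but without the key the pseudonym can be
        # neither reversed nor recomputed from a guessed identifier.
        digest = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256)
        pseudo = digest.hexdigest()[:16]
        self._mapping[pseudo] = identifier
        return pseudo

    def reidentify(self, pseudo: str) -> Optional[str]:
        # Re-identification is only possible with the vault's mapping.
        return self._mapping.get(pseudo)


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields necessary for the stated purpose; unknown purposes are refused."""
    if purpose not in PURPOSES:
        raise ValueError(f"no specified purpose: {purpose!r}")
    return {field: record[field] for field in PURPOSES[purpose]}


def build_working_dataset(records, purpose: str, vault: PseudonymVault) -> list:
    """Minimise each record and replace direct identifiers by a pseudonym."""
    dataset = []
    for rec in records:
        row = {"subject": vault.pseudonymise(rec["email"])}
        kept = minimise(rec, purpose)
        row.update({k: v for k, v in kept.items() if k not in DIRECT_IDENTIFIERS})
        dataset.append(row)
    return dataset


def has_direct_identifiers(dataset) -> bool:
    """Check used before handing a dataset to analysts: no name or e-mail may remain."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in dataset)


if __name__ == "__main__":
    vault = PseudonymVault()
    stats = build_working_dataset(RECORDS, "order_statistics", vault)
    print("dataset contains direct identifiers:", has_direct_identifiers(stats))
    for row in stats:
        print(row)
    # Only the holder of the vault can map a pseudonym back to a person.
    print("re-identified:", vault.reidentify(stats[1]["subject"]))
```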
Sanctions are the aspect of the GDPR that most business owners and managers will have heard of, even if their interest in data protection legislation over the last years has been limited.
Art. 83 GDPR provides for substantially higher administrative fines than those common in current national data protection laws. If personal data is processed unlawfully, the controller may now be fined with up to EUR 20 million or 4 per cent of the company’s worldwide annual turnover, whichever is higher.
Art. 5(2) GDPR states that the controller “shall be responsible for, and be able to demonstrate compliance with” the fundamental principles of data protection law explained above. The provision introduces the term “accountability” for this overarching obligation.
This means that a controller must have sufficient documentation for all measures taken to comply with its various obligations under the GDPR, e.g. by archiving consent forms, documenting the decisions made with regard to data security, the storage limitation for personal data etc.
Together with the extended obligation to provide information, the principle of accountability means a lot of new red tape for companies. Especially small and medium enterprises will have to weigh the cost for compliance and documentation against the risk of sanctions for non-compliance — even if non-compliance consists only in a lack of full documentation.
As mentioned above, the GDPR contains a considerable number of opening clauses for legislation on the national level. This applies to many opening clauses with limited scope for details in the context of specific provisions of the GDPR as well as to a few opening clauses for broad areas of data protection law.
The most important opening clauses relate to processing in the context of employment and the reconciliation of data protection with the freedom of expression and information, especially in journalism.
The impact of data protection law on media law might therefore prove to be rather different in different Member States. Because of this opening for diverse approaches by individual Member States the GDPR falls short of the aim to provide a uniform standard of data protection in the EU/EEA internal market and especially media outlets operating internationally will continue to be forced to deal with a large number of jurisdictions.
Also, many questions remain open. The language of the GDPR is sometimes rather vague and new concepts and new terminology have been introduced, which now have to be developed in the case law of national courts and ultimately the CJEU.
Extensive powers for delegated acts by the EU Commission that were intended to fill gaps and spell out the principles in order to translate them into specific instructions for controllers were contained in the Commission’s original proposal for the GDPR, but were cut back to a minimum during the legislative process in exchange for the many opening clauses.
It was further criticised that the EU was not able to pass an ePrivacy Regulation as the successor to the ePrivacy Directive in time to go along with the GDPR. The original aim was to have the ePrivacy Regulation in place before the GDPR entered into force.
The “accompanying” Regulation addresses questions such as cookies (opt-in or opt-out? how to prompt users for active consent and avoid the ubiquity of “cookie banners”?), the processing of usage data by online service providers etc. This would have given service providers a comprehensive and coherent legislative approach on data protection at the same point in time.
The EU Commission submitted its proposal to the European Parliament in January 2017, but it took until summer before the European Parliament even adopted its position on the proposal. Even later, the Member States weighed in. The ePrivacy Regulation is now expected to enter into force in early 2019. For the time being, service providers will have to deal with the GDPR and existing national legislation transposing the older ePrivacy Directive, which leads to further questions of interpretation and doubts.
In the first few months after 25 May 2018, all parties involved — controllers, data subjects, supervisory authorities and courts — will have to learn how to cope with the new law in practice. Legislation will continue on the EU level with the ePrivacy Regulation and on the national level based on the opening clauses. It also remains to be seen if all Member States will have implemented the GDPR into their national laws in time by passing at least the national legislation demanded by the obligatory opening clauses and repealing national law incompatible with the GDPR. According to a statement by EU justice commissioner Vera Jourova made at the end of January 2018, Austria and Germany were the only Member States so far to have laid the ground work for the GDPR.
Towards Uniform EU Data Protection Law: A Sweeping Reform Brings Challenges to the Business World in Europe and Beyond
After a few decades of European data protection legislation, the General Data Protection Regulation (GDPR), which will enter into force on 25 May 2018, is a new milestone. It reaffirms the principles underlying previous data protection legislation by the EU and its member states, extends the reach of European Data Protection law far beyond EU borders, widens a number of existing obligations for data controllers and introduces some completely new ones, the most important being the principle of accountability.
Frank M. Höfinger
Marco Jung studied law in Mainz and completed a master’s program at Columbia University in New York. He worked for an entertainment law firm in Berlin and in-house for a large European producer of live entertainment in Hamburg. Mr Jung joined Lausen Rechtsanwälte in 2014 and focuses on entertainment, media and copyright law for the musical theatre, events, film and TV industry. He is a regular guest lecturer at Columbia Law School and Columbia University School of the Arts, and teaches International Theatre Law and Theatrical Producing.
Frank M. Höfinger studied chemistry, philosophy and law in Munich. He worked as a tutor and research assistant, initially at the chair for criminal law, IT law and legal informatics at the LMU Munich. Mr Höfinger later worked in the area of IT law and legal informatics at the Max Planck Institute for criminal law in Freiburg i. Br. and as a lawyer for a media law firm in Munich. Mr Höfinger has worked with Lausen Rechtsanwälte in Cologne since 2008, focusing on data protection law, e-commerce law, copyright and media law. He is an expert speaker for the Akademie der Deutschen Medien.