General Protection Regulation (GDPR) comprehensible: what the new EU rules mean for citizens

Data protection concerns the right of a person to informational self-determination, i.e. the protection of the person against unauthorized use of information about him-/herself, for example by intentional or unintentional processing of personal data. Essentially, the concept of processing includes collecting, gathering, organizing, sorting, storing, adapting or modifying, reading, querying, using, disclosing through transmission, dissemination or any other form of providing matching or linking, restriction, deletion or annihilation.

Violations of data protection are violations of fundamental rights – in Germany these include the protection of human dignity and the right to free development of the personality according to Articles 1 and 2 of the German Basic Law („Grundgesetz“). Article 1 of the EU GDPR expressly refers to the protection of the fundamental rights and freedoms of natural persons according to Article 8 of the EU Charter of Fundamental Rights. Violations of these fundamental rights can result in heavy fines.

Protecting the privacy of citizens and the intellectual property of businesses should therefore be very important to us. The most convincing argument for privacy is Edward Snowden’s quote: „To say that you do not care about the right to privacy because you have nothing to hide is something like saying that you do not care about freedom of expression is because you have nothing to say „(see:  https://www.businessinsider.de/edward-snowden-privacy-argument-2016-9).

Unfortunately, privacy and intellectual property are threatened by various attackers for various reasons, such as criminals, activists, religious zealots, mission-oriented idealists, platform companies, intelligence agencies. The attack points are diverse – in addition to the „human factor“ these are e.g. smartphones with their broad variety of sensors (microphones, cameras, GPS, position sensors, fingerprint and face recognition, etc. pp.), computers, interfaces, processors, operating systems, BIOS, data centers, networks and other components. Spying can comprise the use of data that you have stored on your smartphone, computer, or server (including the contact information in your smartphone), as well as data you use while surfing the Internet or communicating via email, SMS, or Messenger Apps. You should understand that unencrypted emails or WhatsApp messages can be read by strangers just as easily as a postcard that you send via the good old paper mail. Some apps have the nasty feature of downloading data from the user’s smartphone during installation and storing it on a central server without asking the user for permission (WhatsApp is a prominent example).

I would like to share with you the following (relatively harmless) example of the violation of privacy from my personal experience:

Between December 2017 and May 2018, I received over 100 phone calls from a foreign financial trading company at whose website I carelessly registered at the end of last year without opening an account with that company or subscribing to newsletters or other services.

The calls came from constantly changing numbers from all possible countries in the EU or Switzerland and were partly made early in the morning or late in the evening. As a freelance IT consultant and interim manager, I also have clients abroad, so I could not afford to let the calls just go nowhere.

The callers were very pushy and tried to sell me service, which I was not interested in. I strangled every caller and told him to delete me from the call list of the company – so far always unsuccessful.

After the GDPR became effective on May 25, 2018, I asked the first caller after for information on the website of his employer and made very clear to him that I will sue his employer on the basis of the GDPR, if I get one more call. At the first time on more than 100 calls it was silence at the other end of the line and I’m curious if my announcement shows lasting effect.

The example shows, however, why the GDPR – despite all criticism (keyword: „bureaucracy monster“) – from the consumer’s point of view brings important and reasonable improvements. Ask the following questions: What’s wrong with informing citizens when companies want to use their data? What’s wrong with citizens having to agree to this usage? What’s wrong with me as a citizen having the right to ask for information about what a company has stored about me and what it does about it? And what’s wrong with the fact that I can demand the deletion of my data if they are no longer needed for the original purpose?

All this is regulated by the GDPR. The fact that companies have to create clear responsibilities for this, including processes, methods and tools, is actually logical. But they already had to do that under the German Federal Data Protection Act. Anyone who has followed the law as a company in the past should be able to implement the additional requirements of the GDPR relatively easily.

Former German Federal Data Protection Officer Peter Schaar published a very worthwhile commentary on May 25, 2018, on Heise.de (see: https://www.heise.de/newsticker/meldung/Analyse-zur-DSGVO-von-Peter-Schaar-Die-notwendige-Zumutung-Datenschutz-4057260.html) under the heading „Analysis to the GDPR of Peter Schaar: The necessary imposition of data protection“, in which he corrects some false allegations, such as „Similar misinterpretations exist in the duty to designate a data protection officer: medical practices and craft businesses report a flood of offers from companies that want to sell themselves as external data protection officers, but in fact only those companies need a data protection officer that regularly have more than ten people dealing with the automated processing of personal data or whose core activity is the processing of extensive periodic surveillance of individuals, which is likely to apply to the least-small companies, associations or practices.“

Everything is therefore far from eaten as hot as it was cooked (as is usually the case in life).

For more detailed information on the grave privacy issues mentioned above, see my blogs below:

• „Digital business models and platform economy“ from November 4, 2017: https://kubraconsult.blog/2017/11/04/digital-business-models-and-platform-economy/
• „How the US government discredits the US IT industry“ from August 20, 2017: https://kubraconsult.blog/2017/08/20/how-the-us-government-discredits-the-us-american-it-industry/
• „The Spy in Your Pocket“ from April 25, 2017: https://kubraconsult.blog/2017/04/25/thy-spy-in-your-pocket/
• „The Digital Disruption of Warfare“ published on June 11, 2017: https://kubraconsult.blog/2017/06/11/the-digital-disruption-of-warfare/

 

The following chart of the Enterprivacy Consulting Group classifies major privacy threats into four categories:

1. Information Processing (e.g. aggregation, insecurity, identification, secondary use, exclusion)
2. Information Collection (e.g. surveillance, interrogation)
3. Information Dissemination (e.g. breach of confidentiality, disclosure, exposure, increased accessibility, blackmail, appropriation, distortion)
4. Invasion (intrusion, decisional interference)

 

 

On May 4, 2018, the German news magazine DER SPIEGEL published a quite good summary of the main GDPR innovations under the heading „GDPR: Finally comprehensible – what the new EU rules mean for citizens“: http://www.spiegel.de/netzwelt/web/dsgvo-das-sollten-sie-zur-datenschutz-grundverordnung-der-eu-wissen-a-1205985.html.

This summary has been designed as a slideshow, where you have to click through 11 pages. Below you will find the content of the summary at a glance. The copyright lies with DER SPIEGEL. At the end of this blog, you will find a sample text that you can use to object to the collection, storage and processing of your personal data with reference to Article 17 of the GDPR („Right to delete“).

<QUOTE START>

„As of May 25, 2018, the EU’s new data protection rules will be applied to learn what that means for your rights as a citizen – and why experts expect warnings.

1. What is the General Data Protection Regulation?

The regulation aims to standardize data protection in the EU and push it into the Internet age. It replaces an EU Directive dating back to the early days of the World Wide Web, namely 1995. The official name of the GDPR is therefore also „Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data data, on the free movement of data and repealing Directive 95/46/EC“. The new regulation is now the same for all, while the directive leaves more room for Member States.

In 99 articles, the new regulation regulates how companies and authorities, but also associations, for example, should deal with personal data. In the German-speaking network, the regulation is mainly discussed under the abbreviation DSGVO, in English the name General Data Protection Regulation, or GDPR for short, is common.

The content of the regulation is not a complete new beginning. Rather, it is based on the previous directive and the national laws, such as the German Federal Data Protection Act. The EU Charter of Fundamental Rights also enshrines data protection rights, which the regulation adopts.

2. What happens on May 25, 2018?

The GDPR will be applied throughout the EU on May 25, 2018, so its requirements will have to be fully implemented, otherwise penalties will be imposed. So far, it has been a long road, with many votes between the countries and real lobbying: The first draft of the EU Commission is dated to January 2012, preceded by two consultation phases. However, the ordinance was only passed by the EU Council of Ministers and the European Parliament in April 2016. It came into force in May 2016.

3. What does the EU want to achieve with the General Data Protection Regulation?

The GDPR can be viewed in general from three perspectives: economy, technology, consumers.

Unlike a directive that is first translated into national law and interpreted quite differently, a regulation applies directly in all Member States. Although so-called opening clauses also allow Member States their own rules, but only to a limited extent.

The technical perspective: A fundamental goal of the GDPR is to replace the outdated current EU directive with modern, technology-neutral regulations. In 1995 there were no social networks like Facebook, no video streaming and no big data applications.

The German Green politician Jan Philipp Albrecht, who played an important role in the creation of the Regulation, is „very confident“ that the Regulation can answer privacy issues around current issues such as deep learning or future techniques. The next fundamental reform, the EU „probably only have to make in 15 or 20 years,“ he tells DER SPIEGEL.

The Consumer Perspective: The GDPR reflects how much data is collected, processed, distributed and commercialized by each individual consumer. It brings users various new rights of information, cancellation and opposition that strengthen the position of consumers.

For example, the right to be forgotten means that EU citizens may, under certain circumstances, require the deletion of their personal data, for example, when storage is no longer necessary or when they have been improperly processed.

Also new is the right to data portability. It states that users of an online service may require the disclosure of their personal information in a structured, machine-readable form in order to transfer it to another provider. In the eye, the legislator had especially social networks. The information obligation of companies after a data breakdown or a hack is also tightened.

The core principles of the regulation are the principles of „privacy by design“ and „privacy by default“ – privacy that is already taken into account when developing a service or product and privacy-friendly presettings.

4. Who are the new rules?

The GDPR has consequences for anyone who processes personal data, including many bloggers and small website operators (see question 6). What is meant by „personal data“ and what is meant by its „processing“ is defined as: Person-related data is data that can be directly or indirectly referenced to an identifiable person. Names are always personal data. Physical characteristics such as gender, skin color or dress size are personal, if they can be assigned to a human. This also applies to car license plates and IP addresses, as far as there are legally permissible ways to identify the persons belonging to them.

Data is processed whenever it is collected, organized, stored, modified, used, read, queried, transferred, linked, reconciled or deleted. Particularly stringent rules apply to the processing of data stating „racial and ethnic origin, political opinions, religious or ideological beliefs“ and health data.

Consequently, many institutions and companies – including, of course, SPIEGEL ONLINE – as well as individuals have to adjust to the GDPR. This is a big challenge because the provisions of the GDPR are very general and the experts are often not sure what will be allowed in the future.

For example, some, but not all, legal experts assume that the GDPR alters the relationship between freedom of art or copyright law and data protection – to the detriment of photographers. Your scenario: Anyone who is not permanently employed for a medium, but for example as a freelance sports, concert or wedding photographer, from May 25, 2018, needs the consent of each person he photographs.

IMPORTANT REMARK FROM MY SIDE: According to the former German Federal Data Protection Commissioner Peter Schaar, the unproven widespread claim that digital photographs or their publication in the future generally only with the express, informed consent of the depicted persons allowed to alarmism, as representatives of the German Federal Ministry of the Interior and the data protection authorities have clarified that the requirements of the Art Copyright Act (KUG) continue to apply. END OF REMARK

Every digital photo of a person is, according to the GDPR definition, a data processing system. In principle, there are exceptions, but how far they go will have to be decided first by the authorities in the Member States, then by the national and, last but not least, the European courts.

Website owners, unless their site is solely for personal or family use, must inform each visitor of the personal information they collect for what purpose and for how long. Landlords have the GDPR also new protection, documentation, information and deletion obligations, as both the German Tenants Association and the owners‘ association „House&Land“ Germany say.

Even bloggers, online shop operators, doctors and hospitals, schools and sports clubs have to meet certain requirements and take action – and of course US companies like Google and Facebook, which operate in the EU and whose business models are based on the exploitation of user data. It will be particularly difficult in the future for companies whose services are explicitly or largely aimed at minors – they must in future seek consent from parents for users under 16 years – or renounce storing data, as it wants to do, for example, Snapchat.

Incidentally, the data of law enforcement and judicial authorities are excluded from the rules of the GDPR when it comes to the detection, prosecution or prevention of criminal offenses. For this data applies the also new, at the same time adopted EU directive for the data protection with police and justice.

5. What will be changed by the regulation for normal internet users?

Basically, the web will not be different after May 25, 2018, at least not on German websites: On the one hand, because many requirements of the GDPR in a similar form already appear in the previous German Federal Data Protection Act. On the other hand, because above all large companies have adapted their offers in the past few weeks or months to the specifications – in some cases within the industry. The Berlin-based mail-order retailer Zalando, who works a lot with personal data, says, for example: „We have a lively exchange with other digital companies to ensure that the General Data Protection Regulation is interpreted in the same way.“

One of the most obvious changes that users might encounter on almost any web site is likely to be a revised Privacy Policy and Terms and Conditions. Many services have long since actively informed their customers: with e-mails or pop-up notices in their apps. From Daimler, which mediate about their car-sharing provider Car2Go rental cars, for example, it is said that the „data protection changes in the terms and conditions“ Car2Go customers were already announced in early April. And further: „Before the changes come into effect, we will again inform all our customers about the adjustments to our privacy and consent statements by e-mail and via our App.“

Basically, online privacy statements should be more detailed and generally understandable in the future. However, this also has an ugly side effect: the lyrics are in many cases a lot longer – and thus perhaps even more unattractive for the user’s bottom line than they already were. It also seems possible that many companies would initially rather surpass GDPR’s duty to provide information for safety reasons .

On the other hand, few providers will point out aggressively the new or strengthened rights GDPR brings to Internet users – because they mean extra work for them. For example, with a standard one-month response period, citizens can now ask not only if and, if so, what information about them is stored there, but also for what purpose and for how long such data is stored.

If citizens do not receive the relevant information or are unable to do so in good time – a maximum extension of three months is possible, however – one can complain to the data protection authority about the company. A template for „data privacy self-disclosure“ can be found in the tech magazine „c’t“ as a Word and Open Document file.

6. What should bloggers and small website owners now pay attention to?

Many website operators and bloggers have to deal with the GDPR – otherwise may threaten warnings. „If I show my cats privately on my blog, for example, then that’s okay, then the GDPR does not apply to me,“ said the IT lawyer Joerg Heidrich on DER SPIEGEL inquiry. „But if I do the same thing as a breeder , if I’m also indirectly promoting my business, I’m leaving the purely private sector and must pay attention to the GDPR requirements.“ This also applies if I have advertising or affiliate advertising on my site. Turn left. “

In general, anyone who processes user data in any way with their online offer (see question 4) – and be it because WordPress plug-ins capture user data or users leave their comments in comments – should assume GDPR to be affected. If in doubt, you can ask your data protection authority if and what arrangements you have to make by May 25, 2018.

People with a need for action advises lawyer Heidrich, first to make the website itself GDPR-compliant – especially as a hedge against any warnings from competitors or warning-letter associations. For example, you should get an overview of which third-party plug-ins are running in the background.

„I would now throw out non-urgently needed plug-ins or social media buttons (in their standard form),“ says Heidrich, „especially if it’s obvious that they collect personal data – even if it’s just IP addresses , because that too is personal information.“

It is equally important, in addition to the imprint, to have a GDPR-compliant privacy policy on the website, which can be accessed from any subpage. When setting up online generators could help, says Heidrich. An example of such a generator, which already takes the GDPR into account, can be found here.

In the case of non-self-hosted offers, a separate order processing agreement must also be concluded with the host provider, ie the provider in which the own blog or website is located. Such a paper – a template can be found here for example – must be sent to one of the providers on request, says Joerg Heidrich. If your own site is located with a US host, it is important that the company participates in Privacy Shield (see question 10), as Google and Automattic – the latter company behind WordPress.com – do.

It should also not be forgotten that a list of processing activities around its own website may still have to be drawn up, for example according to this pattern.

Should despite all adaptations of the own Internet offer nevertheless a reminder with respect to the GDPR arrives, advises Heidrich concerned to turn to a lawyer: „otherwise this can be really expensive under certain circumstances.“

7. Who checks if the rules are respected?

In each EU country, independent supervisory authorities should monitor the implementation of the Regulation. In Germany, these are the data protection authorities of the 16 federal states and the German Federal Data Protection Commissioner, Andrea Voßhoff (CDU), whose term ends in February 2019.

The GDPR gives the supervisory authorities the right to demand information from companies, for example, which the inspectors need for their work. They may also make site visits to the business premises. In addition, the authorities carry out data protection reviews and issue certifications .

Because many international corporations work with data across countries, it has not always been clear which authority is responsible. The GDPR tries to change this with the principle of the „one stop shop“: Every company should have a leading supervisory authority, which is responsible for them, which is determined by the company’s head office.

8. What sanctions are possible in case of infringements?

The GDPR inspectors may issue a warning in case of minor violations and demand that the maladministration be remedied within a time limit. In addition, the Data Protection Authority can ensure that the personal data of a user are corrected, deleted or restricted in their processing – or that a previously granted certification is withdrawn.

In addition, the GDPR supervision can impose fines that are significantly higher than for violations of the previous German Federal Data Protection Act, which threatened a maximum of 300,000 Euros fine. Now, depending on the seriousness of the infringement, up to 20 million euros may be due (Art. 83).

Because big tech companies may also see such sums as small, there is an extra rule: It provides that the fine can be up to four percent of the worldwide sales of the previous fiscal year. It is always the calculation to be applied, which entails the higher penalty amount for a company. Under certain circumstances responsible people are even liable with their private assets .

The German overseers have yet to adapt their work to these new skills. „The GDPR requires a change in the way the supervisory authorities work, since decisions by the supervisory authorities in additional areas will in future also be justiciable,“ says a spokesman for the German Federal Data Protection Commissioner.

9. What is the criticism of the new rules?

While many consumer advocates see the GDPR as positive on the whole, there is also a contradiction: companies whose business model is based on personal data fear for their future. They – as well as operators of small Internet pages – are afraid of the conversion time and the associated legal uncertainty .

Although the GDPR has been prepared for years, in many places even lawyers are not clear what the new regulation demands and how some passages are to be interpreted in everyday life. Observers anticipate that courts will soon have to deal with a number of disputes. As the regulation applies across the EU, disputes could ultimately end up in the European Court of Justice (ECJ), which makes the final decision. Years should pass before the first ECJ ruling on the GDPR.

An example: Article 6 of the GDPR allows companies to process personal data if this is necessary „to safeguard the legitimate interests of the controller or a third party“. But which interests of companies are justified and which are not anymore?

It will still show whether after May 25, 2018, as experts fear, threaten new warning waves. Niko Härting from the German Lawyer’s Association thinks it is conceivable that the citizens‘ claims to information will be misused for mass inquiries.

It is also unclear how well the standardization of the different data protection standards of the EU members will ultimately work. Austria, for example, has already passed a „Privacy Deregulation Act“.

With regard to Germany, some privacy advocates worry that the GDPR is not an improvement at all, but instead draws the country down to an EU-wide lower level of data protection compared to the German Federal Data Protection Act.

10. How does the regulation relate to regulations such as the Privacy Shield and ePrivacy?

The GDPR replaces the 1995 data protection directive at EU level. Unlike it, the GDPR is directly applicable throughout the EU. The reorganization of EU data protection should be flanked by the introduction of the so-called „ePrivacy Regulation“.

This regulation is intended to protect data protection for end devices, so to speak, without the need for personal data. Specifically, it is about the user tracking on websites. The ePrivacy Regulation is still under negotiation. When and in what form it comes into force is therefore difficult to predict.

In addition to the GDPR and the ePrivacy Regulation, the so-called „Privacy Shield“ is another important international data protection policy. The Privacy Shield has been around since 2016. It’s a controversial construct that followed the tilted Safe Harbor agreement. Geographically, the „Privacy Shield“ goes beyond the EU and regulates transatlantic data exchange between the EU and the US. It will continue to exist alongside the GDPR.

IMPORTANT REMARK FROM MY SIDE: The „EU-US Privacy Shield“ agreement, which was described by the US-american specialized press as a „deal“, was under heavy criticism right from the beginning. Maximilian Schrems, the claimant, who overthrow the „Safe Harbor“ agreement, criticized, that from his point of view, the legal situation after the „EU-US Privacy Shield“ agreement became effective, is not much different from the legal situation under the „Safe Harbor“ agreement. Schrems said: „In the EU-US Privacy Shield agreement the supremacy of US law is as well formulated as in the Safe Harbor agreement and if US law determines, that data interception is allowed, then data will be intercepted“. After intensive examination of documentation the „EU-US Privacy Shield“ was declined as well by 27 Civil Liberty Groups and Data Privacy Protection experts. They criticized the missing legal bindingness of the agreement, since it is only a collection of letters. Mass surveillance measures initiated by the US government still remain permissible and the affected individuals and enterprises are still not able to effectively enforce their rights e.g. because they don’t get informed about the surveillance measures. END OF REMARK

In Germany too, national law has to be adapted. The centerpiece is a new German Federal Data Protection Act aligned with the ordinance.

11. What is the significance of the regulation outside Europe?

The GDPR is valid in all 28 states of the EU. But the regulation should, for example, also employ many US-American tech companies: This is ensured by the so-called market place principle. „Companies outside the EU are subject to the regulation if they offer goods or services in the EU or observe the behavior of people in the EU,“ said a spokeswoman for the German Ministry of Economic Affairs.

The fact that international companies simply adopt the new EU rules for their global business is not over. On the contrary: Facebook, for example, will shift its internal user assignment in order to avoid that around 1.5 billion Facebook users from Africa, Asia, Australia or Latin America get the rights and suitability of EU citizens under DSGVO. Other tech companies are apparently planning similar measures.“

<QUOTE END>

Below is a summary of the most important changes resulting from the entry into force of the GDPR on 25.05.2018 (source: https://www.lamapoll.de/Datenschutz-Sicherheit/Die-EU-Datenschutzgrundverordnung ):

 

Your e-mail inbox was probably flooded with emails in May 2018, in which companies claim your consent to the collection, storage and processing of your personal information with reference to the GDPR that entered into force on 25.05.2018.

If you do not agree with this, you will find a sample text with which you can request the deletion of your personal data. Note: Many companies have sent the corresponding e-mails from a „no-reply“ e-mail address. In these cases, you will find an e-mail address in the imprint on the company’s homepage that you can contact.

 

Here is the same text again for copying and pasting:

a) German version:

Sehr geehrte Damen und Herren,

unter Bezugnahme auf Artikel 17 EU-DSGVO „Recht auf Löschung“ (siehe: https://dsgvo-gesetz.de/art-17-dsgvo/) widerrufe ich hiermit meine eventuell gegebene Zustimmung zur Erhebung, Speicherung und Verarbeitung meiner personenbezogenen Daten durch Ihr Unternehmen gemäß Artikel 17, Absatz 1b, bzw. lege Widerspruch gegen die Erhebung, Speicherung und Verarbeitung meiner personenbezogenen Daten durch Ihr Unternehmen gemäß Artikel 17, Absatz 1c, ein. Bitte löschen Sie meine personenbezogenen Daten unverzüglich, spätestens jedoch bis 15.06.2018, und bestätigen mir die Löschung formlos.

Danke und Gruß

Absender

b) English version:

Ladies and Gentlemen,

With reference to article 17 EU-GDPR „right of deletion“ (see: https://gdpr-info.eu/art-17-gdpr/) I hereby revoke my possibly given consent to the collection, storage and processing of my personal data by your company according to article 17, paragraph 1b, or I object to the collection, storage and processing of my personal data by your company according to article 17, paragraph 1c. Please delete my personal data immediately, but no later than June 15, 2018, and confirm the deletion informally.

Thanks&Regards,

Consignor

 

Conclusion: Data protection is not only a fundamental right, it can also be a competitive advantage – especially in the global competition of EU companies with platform companies from the USA (e.g. Google, Apple, Facebook, Amazon and Microsoft) or China (e.g. Alibaba, Tencent, Baidu, Weibo) in view of their dubious practices in handling personal data. In addition, there is the threat to privacy posed by intelligence services from the USA and China, which collect data not only via the aforementioned platform companies, but also via hardware manufacturers such as Cisco, Hewlett Packard, Dell and IBM in the USA and Huawei and Lenovo in China. EU companies can use the GDPR to position themselves as providers that (unlike their competitors from the USA and China) treat their customers‘ privacy and intellectual property respectfully and appropriately.

In the run-up to the (very intense and controversial) discussion in the UK about the so-called BREXIT, in May 2016 I compiled some informative facts about the European Union from various publicly available sources that should be known as mature EU citizens. The updated version from March 18, 2018, can be found here: https://kubraconsult.blog/2018/03/19/facts-and-figures-about-the-european-union-update-12-2017/.

Furthermore, I used the discussion about the establishment of a „Digital Ministry“ in the run-up to the 2017 general election in Germany to develop a high-level concept that illustrates how the digital transformation of a country in the era of digitization and globalization, where speed and Agility are crucial, can be organized effectively and which essential content should be considered in the digitization strategy of a country: https://kubraconsult.blog/2018/02/21/digitalization-strategy-for-countries-using-germany-as-an-example/.