It’s not the data we are protecting, it’s the people
The EU’s new General Data Protection Regulation isn’t just kicking up a fuss about nothing. It is to be taken seriously.
Since May 25, 2018, the new General Data Protection Regulation (GDPR) has been in force in the EU. UJ discussed it with TUD Junior Professor for Civil Law, Intellectual Property, Media and Data Protection Law, Dr. Anne Lauber-Rönsberg.
UJ: J.Prof. Lauber-Rönsberg, why do we need the General Data Protection Regulation? Isn’t the Federal Data Protection Act (BDSG) enough?
Dr. Anne Lauber-Rönsberg: Before the GDPR, there was a European data protection guideline that was implemented in German law through the BDSG and the state data protection laws. These laws were largely passed in 1995, that is, in a time before social media networks, without big data and clouds, and are therefore outdated. The GDPR is meant to modernize data protection laws and adapt them to technological developments. Furthermore, the GDPR is meant to establish a uniform legal basis across the EU so that companies don’t have to grapple with 28 different data protection laws. However, it can’t be denied that there has been considerable legal uncertainty regarding numerous questions during this transitional phase, until the supervisory authorities have established an administrative practice and clear jurisprudence from the courts has been established.
Who do these new rules apply to? Whose rights does the GDPR protect?
The term ‘data protection law’ is, strictly speaking, misleading: It’s not the data we are protecting, it’s the people. The law protects people from having their data processed by the state or companies without permission. Those affected include everyone that processes personal data – from big companies like Facebook, public institutions like TU Dresden, to bloggers and the smallest website operators.
The aim of data protection is individual data sovereignty: Affected individuals should be able to decide, or at least know, how their personal data is being processed and for what purposes. That’s why the GDPR strengthens the rights of the affected persons, for example, by demanding more transparency and information from the data processors. These increased requirements are also the reason why many companies have informed their customers about their newly rewritten data protection declarations or required new permissions over the past days and weeks. The GDPR has created a new right to data portability, meaning that the user can demand their data from a service provider in a structured, readily available and machine-readable format in order to be able to transmit that data to a new provider when they change providers.
What is ‘personal data’?
Personal data is anything that refers directly or indirectly to an identifiable person. A personal connection can include, for example, a name, portrait, location data or other features that make it possible to identify a person. In 2016, the European Court of Justice decided that dynamic IP addresses from website visitors, which are saved by the website operator, represent personal data when the identity of the visitor can be derived using the IP address and additional information available to the internet service provider.
The GDPR also gives every EU citizen the “right to be forgotten”. What does that mean?
The GDPR regulation that has been rather pompously named the “right to be forgotten” doesn’t really offer anything new. It essentially contains the right to the deletion of data that existed previously. Under it, people can demand that companies or authorities delete their personal data when it is no longer necessary to store them or when they have been unlawfully processed.
As an extension of this right of deletion, the European Court of Justice also agreed with a Spanish EU citizen in 2014 who had sued that old notices of the foreclosure auction of his house from more than 10 years prior should no longer be available through search engines like Google. Since then, the “right to be forgotten” also means that certain notices can no longer be found via search engines when the interest of the individual in protecting his or her privacy outweighs the public’s interest in the information.
What has the GDPR changed for photographers and the publishing of photographs online? Does it displace the previous rules on the rights to one’s own image that permitted e.g. pictures in the field of contemporary history?
The relationship between the new data protection laws and the right to one’s own image is indeed still very unclear. What is clear, however, is that nothing has changed for journalistic uses. Reporting in the press and media is still subject to the same regulations because the GDPR gives national law precedence in this area.
What is disputed, however, is whether data processing as part of publishing for other purposes, e.g. for publicity, advertising or on a private Facebook page, can still be evaluated under the previous rules or the new data protection laws. One way or another, it must be weighed in each case whether a publication containing personal data represents a legitimate public interest in the information or whether the interests of the person in their own privacy should prevail.
By the way, data processing for exclusively personal or family purposes, such as sharing photos with friends or relatives in a closed user group, is not subject to data protection laws.
Aren’t social media buttons on websites, for example linking to Facebook, an easy target for the especially litigious?
It is indeed questionable whether the inclusion of Facebook like buttons on a website is permissible under data protection laws when data from the visitors to the website are thereby transmitted to Facebook without their prior consent. Since the Higher Regional Court of Düsseldorf brought this question before the European Court of Justice in 2017, we have been waiting for clarification – that means that this question is not new since the GDPR came into effect. In principle, it is possible to issue warnings for data protection violations by competitors under certain conditions. However, this was already possible under the old legal circumstances without leading to large waves of litigation. For that reason, I wouldn’t expect big changes straight away. As a rule, the website operators should maintain an overview of the extent to which plug-ins or social media buttons collect personal data and, if possible, avoid them or ensure they are integrated in a way that complies with data protection laws.
Does the GDPR also include rules for saving data in cloud storage?
The GDPR applies to the processing of data in a cloud as it does to any other data processing.
Who monitors conformity with the GDPR in Germany?
For one, that would be the data protection authorities in the federal states and the Federal Commissioner for Data Protection. Otherwise, affected individuals and, to a certain extent, consumer protection organizations can take legal action against violations of data protection laws.
What consequences for private individuals arise from non-compliance with the GDPR – e.g. as part of a personal web presence?
The GDPR has increased the sanctions for violations of data protection considerably. Supervisory authorities can now impose fines of up to 20 million euros or four percent of global turnover. There can also be damages claims from those affected. Willful data protection violations are even subject to criminal prosecution. However, these sanctions are still subject to the principle of proportionality. It is therefore unlikely that fines would be imposed on private individuals. The authorities will most likely continue to employ warnings here.
Who is responsible for implementation of the GDPR at TUD?
As a matter of principle, everyone who deals with personal data in teaching, research or administration is responsible for the implementation of the data protection requirements. The Data Protection Officer of TU Dresden, Matthias Herber, and the IT Security Officer, Jens Syckor, are available as points of contact in this regard.
Karsten Eckold spoke with J.Prof. Anne Lauber-Rönsberg.
For additional information, please visit: https://dejure.org/gesetze/DSGVO or https://tinyurl.com/bmi-faq-DSGVO
This article was published in the Dresdner Universitätsjournal 11/2018 on June 12, 2018. You can download the whole newspaper as a PDF file for free here. Please contact doreen.liesch@tu-dresden.de to order the Universitätsjournal as a printed newspaper or as a PDF file. For more information, please visit: universitaetsjournal.de.