Data Protection Law 4 IREWI Skript 2024 PDF
Document Details
Uploaded by InnovativeAntigorite3039
2024
Tags
Summary
This document discusses data protection law, particularly focusing on the General Data Protection Regulation (GDPR) and its application. It details various aspects affecting businesses, and outlines the rights and responsibilities of data subjects and controllers related to personal data processing.
Full Transcript
40 4. Dealing with personal data Dealing with personal data 41 Selma and Sebastian know from their own experience with digital services that they are often confronted with ‘privacy notices’ and the like an...
40 4. Dealing with personal data Dealing with personal data 41 Selma and Sebastian know from their own experience with digital services that they are often confronted with ‘privacy notices’ and the like and prompted to confirm that they have read the terms and give their consent. Like most of their friends, Selma and Sebastian have never in their lives read any of those documents, which are usually in incomprehensible legalese, and click ‘OK’ or ‘Accept all’ on the button that is placed in the most convenient location. After all, they want to have the service, and not bother with this data stuff, which their parents and some of their friends are so concerned about … … but now they are on the other side, and may be forced to deal with it. 4.1. Which activities are affected by data protection law? Data protection law affects more or less any activity by a business, from setting up a trading website to sending an invoice to a customer to making a contract with a cloud provider or bookkeeping company. 4.1.1. General data protection law The most important source of data protection law for the private sector is the General Data Protection You will study data protection law Regulation (GDPR) which became applicable in May in BA CM 7 (Digital Law) 2018, replacing the 1995 Data Protection Directive. While and in CM 9 (Civil Law) the GDPR is, as a regulation, directly applicable in the Member States and not in need of implementation by the national legislator, it leaves leeway to the Member States for a broad range of issues. This is why there is also a host of national data protection law. Most of these national rules are included in the Data Protection Act (Datenschutzgesetz, DSG), but others are scattered across very different statutes. Traditionally, data protection law has, in Austria, enjoyed the status of constitutional law and has protected natural as well as legal persons. Article 1 § 1 DSG, which enshrines the constitutional rank of the law and refers to ‘every person’, is still in place but has lost much of its significance. Material scope Any economic activity, and in fact more or less any other activity, must nowadays comply with the rules of data protection law. Data protection law applies to the processing of personal data. Both the notions of ‘processing’ and of ‘personal data’ are extremely broad. ‘Personal data’ means any information relating to an identified or identifiable natural person. It is immaterial whether a natural person is acting as a business or as a consumer. To determine whether a natural person is identifiable, account is taken of all the means reasonably likely to be used, considering, inter alia, the costs and amount of time required for identification, the available technology and future technological developments. With exponential increase of computing power and of data stored globally, (re-)identification of individuals has become easier and cheaper. Personal data that has undergone pseudonymisation, i.e. which could be attributed to a natural person by the use of additional information (such as a matriculation number or an IP address) are personal data, given that the identification of a student is easily possible by matriculation number, and as you can also identify the user of a device behind the IP address. Only where it is impossible to trace data back to some natural person by way of means reasonably likely to be used, data counts as anonymous and thus as non-personal data. 42 Starting an E-Commerce Business in Austria ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, structuring, storage, alteration, retrieval, transmission, making available to others, or erasure. It transpires that there is hardly any activity that does not, in some way or another, include the processing of personal data. What is excluded is activities by a natural person in the course of a purely personal or household activity (e.g. entries in a personal diary, unless that diary is made available to a wider audience). Also, the GDPR does not apply to processing that occurs neither by automated means nor as part of a filing system (e.g. scribbling names on a piece of paper is not included, as long as the paper is not scanned, or made part of paper files in a way that the information is accessible for future reference). The protagonists: Data subjects, controllers, and processors The ‘data subject’ (betroffene Person) is the identified or identifiable natural person to whom information recorded in the data relates. That person must be still alive to enjoy protection under the GDPR (without prejudice to protection of ‘post-mortal personality rights’ recognised under national law). The ‘controller’ (Verantwortlicher) is the natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data. This means that the controller is the person ‘holding’ the data and having the (at least de facto) power to decide whether and how the data is collected, used, disclosed to others, erased, etc. In contrast, a ‘processor’ (Auftragsverarbeiter) means a person that processes personal data on behalf of a controller and is subject to the controller’s directions. It is often not easy to draw a clear line between controllers and processors, but the distinction is of vital importance, not least because many obligations under the GDPR are primarily on the controller (see below p. 48). Territorial scope Already from what they have read so far, Selma and Sebastian are quite upset. Why do they, just because they are in Europe, have to bother with all this, while probably their friend Xu’s parents in China do not have to observe anything of the kind… The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU/EEA, regardless of whether the processing takes place in the EU/EEA or not. It applies, however, also to the processing of personal data of data subjects who are in the EU/EEA by a controller or processor not established in the EU/EEA, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU/EEA; or the monitoring of their behaviour as far as their behaviour takes place within the EU/EEA. So as far as Xu’s parents in China are marketing goods or services to customers in Europe they have to comply with the whole set of requirements set up by the GDPR. Needless to say, infringements in China are even more difficult to detect than they are in Austria, and the law is significantly more difficult to enforce against someone in China… 4.1.2. E-privacy law There exists another body of data protection law, e-privacy law. Initially, the European legislator had planned to replace the 2002 E-Privacy Directive with a new E-Privacy Regulation at the same time as the Data Protection Directive was replaced by the GDPR. However, only in early 2021, Member States reached an agreement in the Council, and the Regulation has not yet passed the legislative Dealing with personal data 43 procedure. Generally speaking, e-privacy law particularises and complements general data protection law by specifically dealing with the processing of electronic communications data and electronic communications services and equipment within the EU/EEA. In Austria, the E-Privacy Directive has mostly been implemented in §§ 160 et seq. of the Telecommunications Act (Telekommunikationsgesetz, TKG). While most of the rules are relevant only for communication service providers (such as a mobile network operators), some few rules are relevant also for online shops (see above p. 35 and below p. 44). 4.2. What can you do with data? For Selma and Sebastian, all this is still quite abstract. It is interesting to learn about the scope of the GDPR, and about basic notions of data protection law, but what does it all mean for their daily work? At the end of the day they want to sell goods, not data … 4.2.1. Requirement of a legal ground One of the most distinctive features of data protection law is that any sort of processing activity requires a legal ground for being lawful. This comes into play at two levels: Article 6 applies to any kind of data processing activity; and Article 9 applies specifically to the processing of sensitive categories of data, such as health data or biometric data, but also e.g. data revealing ethnic origin, political opinions, philosophical beliefs, or sexual orientation. While even an online shop cannot exclude that some data it is processing belongs to a sensitive category (e.g. an individual’s name may reveal ethnic origin, and the books ordered by a person may reveal that person’s political opinion) it is in practice close to impossible to take that into account, so the average online shop will normally ignore Article 9 and focus on Article 6. In the private sector, the most relevant (but not the only) legal grounds under Article 6(1) are the following: the data subject has given consent to the processing of his or her personal data for one or more specific purposes (a); processing is necessary for the performance of a contract to which the data subject is party or in order to prepare for a contract at the request of the data subject (b); processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests of the data subject (f). Contract In the first place, an online shop will rely on the legal ground of contract, i.e. on Article 6(1)(b), for the processing of any transactional data and any data necessary to deal with a customer request or order. For instance, a customer’s name, delivery address, billing address, payment data etc. and the items ordered by a customer are all clearly necessary for the performance of the contract. It is important to note that (b) justifies processing of data only to the extent this is really necessary for the main purpose of the contract, i.e. an online shop that trades in goods, services or digital content cannot simply ‘invent’ personalised ads and news feeds as an ‘additional service’. 44 Starting an E-Commerce Business in Austria Legitimate interests In the second place, an online shop will rely on (f) for ‘legitimate interest use’ of personal data. This is to be construed narrowly, but would include, for instance, age verification (given that contracting with a minor can be very dangerous for a business, but also for the minor), fraud prevention and in- house quality control procedures. It also covers direct marketing, but only within the narrow confines set by the E-Privacy Directive and TKG, i.e. to one’s own customers and for one’s own similar products or services (see above p. 35 and 44). Furthermore, unless the grounds are really compelling (such as age verification or fraud prevention), processing based on (f) is still subject to the data subject’s right to object under Article 21 GDPR. For direct marketing, the E-privacy Directive and TKG provide additional details. Consent Selma and Sebastian are wondering whether maybe the safest way for them is to act like all the big players on the Internet: Put any kind of possible data use into one long consent form, and then force anyone who wants to contract with them to click the box ‘I agree’. After all, this is their shop, and anyone who wants to make a contract with them has to abide by their rules … or is this maybe a bit too simplistic? Any use that goes beyond what has just been described must normally be justified by the data subject’s consent. This concerns, in particular, any direct marketing to individuals who are not already customers, or any direct marketing of a third party’s products, or any sharing of data with other controllers for commercial purposes (i.e. the ‘selling’ of customer data). Consent is often problematic because the data subject is overwhelmed by the decision, not being able to estimate the potential implications (e.g. for future personalised offers) and inclined to click on ‘OK’ without further reflection. Consent as a legal ground is, however, also difficult for the business because the threshold for valid consent is – at least theoretically – very high. In particular, consent must be ‘freely given’, ‘specific’, ‘informed’, ‘unambiguous’ and by an ‘affirmative act’. This could include ticking a box when visiting a website or choosing from a menu of different technical settings. Silence, pre-ticked boxes or inactivity do not constitute consent. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters. It is particularly important to stress the prohibition of ‘tying’ or ‘bundling’ consent with the provision of a service (Koppelungsverbot). According to Article 7(4) GDPR, such ‘tying’ or ‘bundling’ may mean that consent is not freely given. An online shop must therefore avoid in any case to make consent to data processing activities a condition for the conclusion of a contract. Prior to giving consent, the data subject must be informed that they have the right to withdraw consent at any time without giving reasons. It must be as easy for the data subject to withdraw as to give consent, and the data subject must not suffer any detriment as a consequence of exercising that right. Withdrawal of consent means the business may no longer rely on this legal ground, but the lawfulness of processing based on consent before its withdrawal is not affected. 4.2.2. Purpose limitation Selma and Sebastian now realise that consent is not a panacea for everything. At least not if you really take the law seriously. But certainly, once Selma and Sebastian have collected their customers’ data based on contract or on legitimate interests, these data belong to Selma and Sebastian and they can even sell them to other companies? No, this is not quite what the law says. Dealing with personal data 45 Even where the initial collection of data was based on a valid legal ground and occurred for one or several legitimate purposes, it is essential that the data are not further processed in a manner that is incompatible with those purposes. Whether processing for another purpose is compatible with the purpose for which the personal data were initially collected is to be ascertained by considering, inter alia, any link between the purposes, the context in which the personal data were collected, the nature of the personal data, and the possible consequences of the intended further processing for data subjects, considering the existence of appropriate safeguards (e.g. encryption or pseudonymisation). Further processing for, e.g., scientific or historical research purposes is normally considered to be compatible with the initial purposes. 4.2.3. Data subjects’ rights Sebastian remembers from the company he ran together with his father that they were once confronted with a customer’s request to transmit any data they had about this customer to another company. His father and he were quite at a loss at the time, but then the company went insolvent and they never followed up on this. Now that Sebastian remembers that incident he is wondering whether this could happen again in the new business … Another important cornerstone of the GDPR are the data subjects’ rights. Where the data subject exercises any of those rights the controller must react without undue delay and normally within one month of receipt of the request. Any actions taken must be provided free of charge, but where requests from a data subject are manifestly unfounded or excessive, the controller may either charge a reasonable fee or refuse to act on the request. Under the right of access afforded by Article 15 GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not their personal data are processed, and, where that is the case, access to the personal data and to a broad range of items of information. These include, by and large, the same or similar items as must already be provided under Articles 13 and 14 (see below p. 46). The controller must provide a copy of the personal data undergoing processing. Where the data subject makes the request by electronic means the information must be provided in a commonly used electronic form, but the data might be provided, e.g., in one huge text file. Under the right of data portability enshrined in Article 20 GDPR, a data subject has the right to receive personal data which they have provided to a controller in a structured, commonly used and machine-readable format and have the right to transmit such data to another controller, or to have the data transmitted directly from one controller to another, where technically feasible. This concerns all data collected by the controller on the basis of either consent or contract and where the processing is carried out by automated means. It is important to note that, as the right currently stands, it only includes raw data, i.e. data in the state as initially collected, not derived or inferred data (such as data analytics). The main difference between the right of data portability and the right of access is the format and mode in which the data must be provided. While the purpose of the right of access is that the data subject gets to know which data is held by the controller (e.g. in order to exercise other rights) the primary purpose of the right of data portability is to avoid ‘lock-in’ effects and to facilitate the switching of suppliers. For instance, switching of provider with regard to a fitness app is much easier if the new provider receives all the data collected by the previous provider in order to provide personalised analytics or recommendations. Data portability also has a competition law aspect, as it might potentially serve as a vehicle to make data held by big private actors available to newcomers in the market. 46 Starting an E-Commerce Business in Austria The data subject has the right under Article 16 GDPR to obtain from the controller the rectification of inaccurate personal data. Taking into account the purposes of the processing, the data subject may also have the right to have incomplete personal data completed. Under the famous right to erasure (‘right to be forgotten’) as described in Article 17 GDPR, the data subject has the right to obtain from the controller the erasure of personal data where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. There is also a similar right under Article 18 to obtain restriction of processing (e.g. for periods during which the lawfulness of processing is contested). In any case, data must be erased where the data subject withdraws consent on which the processing was based (and where there is no other legal ground for the processing), or where the data subject exercises their right to object to the processing (and there are no overriding legitimate grounds for the processing). The GDPR lists some other cases where erasure may be obtained, but also a number of exceptions, so as to make sure that a range of legitimate purposes, such as scientific or historical research purposes or the exercise or defence of legal claims, are still possible. 4.3. What to bear in mind when setting up a trading website Selma and Sebastian are quite shocked to learn how difficult all this really is. But since the next step is finishing their trading website, they are mainly concerned about what all this means for the website design … 4.3.1. Information duties (data protection notice) When setting up a trading website, one of the most important duties to bear in mind is the duty to inform. There are two sets of information duties, in Article 13 and in Article 14 GDPR, depending on whether personal data are collected from the data subject or from other sources. Where data are collected from the data subject, as is often the case with online shops, the controller must provide the data subject with the items of information listed in Article 13. These include, inter alia, the identity and contact details of the controller and any data protection officer; the purposes of the processing and the legal basis for the processing (including, where the processing is based on legitimate interests, the concrete legitimate interests pursued); the recipients or categories of recipients of the personal data, if any; the period for which the personal data will be stored; the data subject’s rights and remedies; and the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 4.3.2. Cookies After having spent a whole day getting that data protection notice right (at least they hope they have), Selma and Sebastian are wondering whether there are any specific requirements concerning cookies. Since they always have to tick some boxes on cookies when they use the Internet, they suspect that there may be such requirements. As they have received some cool offers from companies that would provide services (e.g. analytics) or even pay money to them if Selma and Sebastian let them track their customers, they are inclined to use cookies to the maximum extent possible … Dealing with personal data 47 A cookie is a small piece of data or text file that a website asks a user’s browser to store on the local hard disk drive of the user’s device. A cookie allows the website to ‘remember’ the user’s actions or preferences over a period of time. Most web browsers support cookies, but users can set their browsers to decline them. Some cookies used by trading websites are necessary for the website’s proper functioning, e.g. session cookies avoid the customer having to re-enter information when jumping from the shopping cart to the product description and back again, and for being able to complete the ordering process. Other cookies may save the customer, when entering the access credentials for their customer account, from having to type in the full name and password for each purchase. However, there are also cookies such as third-party cookies used by other companies to track user behaviour and create personal profiles for purposes of targeted advertising. According to § 165(3) TKG, the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user has given their consent in accordance with the GDPR. This does not prevent any technical storage or access for the sole purpose of carrying out the transmission or as strictly necessary in order for the provider of a service explicitly requested by the user to provide the service. So the session cookie necessary for completing the ordering process is admissible without consent, while storing the access credentials requires consent, and all the more the setting of third-party cookies for targeted advertising. Since the CJEU has ruled that merely continuing to browse on a site does not amount to valid consent, and that having the option of unticking a pre-ticked box is not sufficient for other than functional cookies either, the vast majority of websites requires visitors to tick a consent box. It has become an extremely widespread habit to design this box in a way that the button for accepting all cookies is very well visible and placed in a manner that most users intuitively click on it, while the button for other settings is hidden and making a choice is burdensome. Such manipulative designs are called ‘dark patterns’. It is very doubtful whether this practice is compliant with both data protection law and unfair commercial practices law. 4.3.3. Privacy by design and by default As a general requirement for designing a trading website, an online shop will have to take into account the principles of privacy by design and by default as enshrined in Article 25 GDPR. ‘Privacy by design’ means that, taking into account the state of the art, the cost of implementation and the type of processing and the risks involved, the controller must implement appropriate technical and organisational measures to implement data-protection principles already in the technical design of equipment and other arrangements. ‘Privacy by default’ means that default settings are such as to allow only for processing of the minimum amount of data necessary for a particular purpose. 4.4. Contracting with other businesses Meanwhile, Selma is negotiating contracts with other companies, because they cannot run their business without the support of other service providers. Definitely, they need a contract with at least one provider of parcel delivery services, and with several providers of payment services (such as the big credit card companies or PayPal). They will also need software solutions provided by other businesses, e.g. for bookkeeping purposes, and they need arrangements with social media to run their ads. Selma has spent days analysing the terms and conditions provided by a dozen different companies and has difficulties figuring out how this relates to what she has just learnt about data protection law. Data protection has a massive impact not only on any dealings with customers, but also on any dealings with other businesses that involve in any way the processing of personal data, such as the 48 Starting an E-Commerce Business in Austria providers of parcel delivery services, bookkeeping services, but also with social media operators (e.g. a commercial page on Facebook) or providers of targeted advertising services. This also includes relationships with the providers of any software solutions that include the exchange of personal data, or storage space in a cloud. 4.4.1. Contracts with other controllers and processors In dealings with such other businesses the first question is whether the other business is an independent controller or a processor. This depends on who decides about the purposes and means of the processing, i.e. who is ‘in the driver seat’ as far as data processing is concerned (see above p. 42). There is also the possibility of joint controllership, i.e. two or more controllers jointly determine the purposes and means of processing and disclose to the data subject who is responsible for what. If the other business is an independent controller, onward supply of the data to that party must, as such, generally be based on a legal ground (e.g. consent). However, once the data has been passed on that other business has to rely on its own legal ground for any processing and has to comply directly with all requirements set out for controllers in the GDPR. There is only a limited notification obligation, i.e. the initial controller must communicate any rectification or erasure of personal data to each data recipient unless this proves impossible or involves disproportionate effort. This is one of the major weaknesses of the GDPR, since once data have been lawfully passed on to a third party who is an independent controller (e.g. where that was included in the smallprint to which the data subject had given consent) the initial controller has hardly any further responsibilities. There is not even a clear duty of the initial controller to exercise due diligence and check what the recipient will likely be doing with the data. If the other business is a processor no separate legal ground is required for engaging that party and entrusting it with the data, but the controller must use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. In addition, the GDPR lists, in its Article 28, a range of mandatory contractual terms any contract with a processor must include. Selma is really at a loss. She has figured out that the provider of cloud space is clearly a processor and that she must make sure their contract contains all the requirements under Article 28 GDPR. In most of the other cases she rather believes that the relevant companies would be independent controllers, but is not entirely sure. Given that some offers are astonishingly cheap, and much cheaper than others, she is of course wondering whether maybe those companies make part of their money with data … 4.4.2. Data transfers to third countries … in any case, Selma is glad she does business in Austria and some neighbouring countries and does not have to worry about those data transfers to third countries you often read about in the media… But is this really true? Things get significantly more complicated when data is to be transferred to a third country, i.e. a country that is not a Member State of the EU/EEA. This is very often the case, e.g. when making use of software solutions provided by U.S. companies and where such software solutions involve the sending of feedback data to the U.S., remote maintenance by the developer, or even storage of data on U.S. based servers. Any transfer of personal data to a third country must rely on one of the transfer tools listed under Chapter V GDPR. The most reliable transfer tool is that of an adequacy decision taken by the European Commission under Article 45 GDPR, i.e. a declaration that the third country ensures an Dealing with personal data 49 adequate level of protection. Such a transfer does not require any specific further authorization. Adequacy decisions exist, for instance, for Canada, Japan or Switzerland. There used to be adequacy decisions also for U.S. companies as far as these companies committed to a particular data privacy regime created specifically for that purpose by way of an international agreement, the Privacy Shield Agreement. However, the CJEU declared the Privacy Shield Agreement to be incompatible with EU law in the recent Schrems II decision (after having already declared the predecessor of Privacy Shield, the Safe Harbor Agreement, void in Schrems I). In the absence of an adequacy decision, a trader needs to rely on one of the transfer tools listed under Articles 46 to 48 GDPR for transfers that are regular and repetitive. In essence, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Such appropriate safeguards include, in particular, standard contractual clauses (SCC) issued by way of an EU Commission Decision. However, the CJEU has also clarified in Schrems II that it may not be enough to base a contract with a data recipient in a third country on SCC, but that a data exporter must assess whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool relied on, such as far-reaching data access rights by U.S. authorities for the purpose of surveillance. If this is the case, supplementary measures such as strong encryption may need to be taken. One of the most controversial issues is the question to what extent a controller may resort to the transfer tools under Article 49 GDPR, including, in particular, the data subject’s free and explicit consent. 4.5. Requirements for bigger players Where processing is likely to result in a high risk to data subjects, the controller must carry out a data protection impact assessment first. This is required, in particular, in the case of a systematic and extensive evaluation of personal aspects of individuals (e.g. profiling) on which decisions are based that significantly affect the individuals, or of processing on a large scale of particularly sensitive data. The Austrian data protection authority has published a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. A controller or processor must furthermore designate a data protection officer, inter alia, where the core activities consist of processing which requires regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of especially sensitive data. The data protection officer may be a staff member or fulfil the tasks on the basis of a service contract. Big controllers employing at least 250 persons, and controllers engaging other than just occasionally in processing activities that are likely to result in a risk to the rights and freedoms of data subjects, face enhanced documentation duties under the GDPR. Such controllers must maintain a record of processing activities under its responsibility. That record must contain a long list of items of information that is similar to the information provided to data subjects under Article 13.