Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied in the European Union in order to set limits on uncontrolled data collection. With the ePrivacy Regulation, the European digital economy now faces new challenges.
The latest ruling of the European Court of Justice (ECJ) of 1 October 2019 confirms what Commanders Act has been communicating to its customers since 2018: before cookies can be set or other personal data collected, an explicit opt-in is required.
In an interview with Timo von Focht, Country Manager DACH at Commanders Act, Dr. Jana Moser, expert for strategic data protection, explains what this means for European companies and online marketers. She outlines the framework conditions and effects of the new ECJ case law on the data protection and data strategies of European companies, and describes the current state of marketing in the age of GDPR and ePrivacy.
Timo von Focht: Hello Jana, I am very pleased that you are doing this interview with me. How many years have you been dealing with data protection and data strategies in companies? In your opinion, how have these topics developed in recent years?
Dr. Jana Moser: The subject of data protection has been with me for a good ten years now. Everything started with my work as a data protection officer at studiVZ/schülerVZ. At that time, the topic was still more of a niche topic. I remember that we had a hard time explaining to representatives of authorities and politicians how data protection-friendly attitudes can look in a social network. At that time, anything that was only a step in the direction of digitally processing or disseminating personal data was almost frowned upon.
In recent years, both society and politics have become accustomed to this through rapid digitalization. This can be seen very clearly in Google Streetview. This is no longer an issue, for example. Almost everyone uses WhatsApp and working with tools such as Trello, Office 365, Slack or Google Docs is increasingly becoming standard.
At the same time, however, there are also more data protection judgments and movements that want to protect people’s privacy. This is a good thing, but not surprising: the more people use their data digitally, the greater the presence of the topic and the greater the probability that open differences of opinion will arise.
Timo von Focht: In your opinion, is the GDPR a necessary evil, progress, or an opportunity for the digital economy?
Dr. Jana Moser: The GDPR is an economic advance in this respect, as it attempts to harmonize data protection regulations throughout Europe. Uniform rules are always advantageous because everyone is playing on the same field. However, there are still enough possibilities for the EU member states to create their own regulations and thus create disparity in Europe again. In addition, the rules from Europe are difficult to enforce outside Europe. This is where desire and reality diverge.
The clear winners of the GDPR, on the other hand, are data protection lawyers and associations who now have the opportunity to file lawsuits against companies that do not comply with the GDPR.
In this respect, the General Data Protection Regulation is also an advantage for companies that currently rely on the still diverging level of data protection in the world, above all the different level of protection between the EU and the USA. Customers who fear complaints from consumers, supervisory authorities and associations will seek their salvation from local companies. I think, however, that this advantage of local establishment will disappear in the medium term. Both the EU and the US have an interest in working together. Then it is only a question of whether the services from Europe are good enough and whether by then they have been able to win a large number of customers to compete with the offers from the rest of the world.
Timo von Focht: After the three ECJ rulings this year on the GDPR: What risks are European companies taking if they continue to rely on exemptions such as the famous legitimate interest (Art. 6(1)(f) GDPR) in the collection of personal data in marketing?
Dr. Jana Moser: If a company uses the legitimate interest as a legal basis and this is missing, i.e. if the interests or fundamental rights and freedoms of the person concerned, which require the protection of personal data, prevail, the processing of the data is simply unlawful.
It is, of course, possible for another legal basis to apply, such as a contract with the data subject or consent. In most cases where Art. 6 para. 1 sentence 1 lit. (f) GDPR has been applied, the latter is not obtained.
Thus, if there is no legal basis, the data were unjustly processed. The data subject then has, among other things, the right to have his data deleted (Art. 17 para. 1 lit. (d) GDPR). In this case, the company must in principle inform the recipients of this data of the request for deletion.
The data subject may also lodge a complaint with the competent supervisory authority, which will then examine the data processing in detail. This can lead to appropriate measures such as temporary or permanent restrictions on data processing or the revocation of certifications. Finally, fines of up to four percent of the total annual turnover or EUR 20 million can be imposed.
In addition, the person concerned can initiate legal proceedings directly against the company, for example claims for damages or claims for information.
Timo von Focht: How high are the liability risks for the respective company? How high are the personal risks for the respective data protectors, company directors or managing directors? What penalties have already been imposed here?
Dr. Jana Moser: The question of liability is extremely relevant for the responsible companies, not only in view of the very high fines already mentioned. Whereas in the past the Federal Data Protection Act had to allow for a maximum of EUR 300,000 per case, now EUR 20 million fines or fines based on the worldwide turnover can be expected – and the authorities make use of it. Most recently, the not yet legally binding fine of EUR 14.5 million against Deutsche Wohnen for erroneous deletion/archiving has become known. For example, Google received a fine of EUR 50 million from the French supervisory authority for non-transparent data protection information and the German delivery service Delivery Hero received a fine of around EUR 200,000 for not deleting customer profiles.
In addition to the administrative offences under the GDPR, other monetary risks are also conceivable. These include, above all, claims for damages by the person concerned or prohibition orders which can lead to a collapse in revenues. Indirect damage caused by a so-called shitstorm and thus a lower reputation and loss of trust in a brand or company should not be underestimated either.
In addition, civil law claims for information or forbearance may be considered. As a rule, this results in additional attorney and court costs. In addition, criminal sanctions are possible, especially against executives and managing directors, if data is intentionally processed without authorization.
However, the concrete risk for a company and its managing directors or board members always depends on the individual case. It is important that third parties, joint managers or contract processors cannot simply reject liability. This is because the GDPR grants the party concerned a direct claim for damages against both the responsible party and the processor. The fine imposed by the supervisory authorities is added to this.
Timo von Focht: In May 2018, the US government under Donald Trump tightened the “CLOUD Act”, under which US companies and companies operating in the USA must also disclose their data on foreign servers. How should companies now deal with Google, Amazon and other US cloud providers? How can European companies protect themselves here and what does the ECJ say about this? Can the EU-US Privacy Shield Agreement still be invoked?
Dr. Jana Moser: Indeed, it is no longer enough to say “The data is processed in the EU”. In view of US legislation, it cannot be ruled out that US intelligence services may access information stored within the EU by EU subsidiaries of a US company.
US requirements for such access have always differed from European requirements. For example, the former “Safe Harbor Agreement” with the United States, which served as the basis for transferring data to the United States, was considered inadequate. This was not only because US companies could declare themselves as “Safe Harbor certified” and the controls by the Federal Trade Commission (FTC) were not effective from the EU’s point of view. On the contrary, court cases such as that of Microsoft, which had to hand over data from the Irish subsidiary to the US parent company, made it clear that two conflicting legal systems were facing each other and that the protection of the privacy of Europeans was at risk.
The successor to the Safe Harbor Agreement, the EU-US Privacy Shield, is now being criticized by data protection activists for the same reasons. In October 2019, however, the European Commission confirmed the Privacy Shield as a sufficient basis for a so-called third country transfer. It thus continues to serve as a condition under which data may be transferred to an otherwise “insecure third country”. Only the ECJ can still overturn this assessment. The procedure is already pending, so everyone is eagerly awaiting the ruling. If the Privacy Shield no longer applies, standard contractual clauses can theoretically be used or consent obtained. However, it is hardly conceivable that a company from a country that does not have an adequate level of protection due to its legislation (such as the CLOUD Act) can sign and comply with effective standard contractual clauses. In addition, consent will have to be particularly transparent and detailed so that the data subject is also aware of the risk of the lack of data protection.
As long as legislation differs so widely in terms of protection of data subjects and there is no agreement between countries, there will always be a risk for companies to work with partners who are not exclusively established in the EU.
Timo von Focht: Consent is becoming more and more important as a legal basis for the collection of personal data and the setting of cookies. There are now many consent management platforms (CMPs). What would you recommend to companies when selecting providers?
Dr. Jana Moser: In principle, the data protection concept of the CMP provider should be queried first. This is where the wheat often separates from the chaff. An expert quickly recognizes in the concept whether the provider knows what he is talking about and whether he really lives data protection or only sees it as a promising source of income. Secondly, I would check exactly what the processed data is still being used for by the provider. Not infrequently they are used further or even transferred to third parties. Finally, client separation is recommended so that the data is processed separately for each company.
Whether you choose an EU or US company depends on your own risk affinity and what is processed by the provider. Pure on-premises solutions are certainly very low-risk, whereas pure SaaS solutions certainly involve a high data protection risk because of the CLOUD Act.
Timo von Focht: What are the advantages of log-in solutions for marketing? Would you recommend building such a solution yourself or using a network solution (such as NetID or Verimi)? For which industries is what recommended?
Dr. Jana Moser: Log-in solutions and thus user registrations will be essential if you want to document data protection consents cleanly. Interestingly, the current monopolists Google, Facebook, Apple, Amazon and Microsoft have recognized this earlier. Without registration with these companies, their services cannot be used. By registering, personal consents can be stored and documented. This is then the basis for building up user profiles in even more detail and using them economically as a result.
It is correct that no more data should be collected just to be “GDPR compliant”. However, the persons responsible are subject to an accountability and proof obligation pursuant to Art. 5 para. 2 GDPR. And it is hardly possible to sustainably store a data protection-compliant consent without a registration and to substantiate it in the result. The user for whom, for example, only a cookie ID or another identifier was stored can change his device settings and delete cookies – which would actually make the user profile anonymous – but very often additional data is stored so that in combination a person or a terminal can be identified again. If a user logs in to have his or her data deleted, it is difficult to identify him or her as an authorized user. Here it depends strongly on the individual case.
Apart from that, fewer and fewer users are willing to give comprehensive consent if they do not get any added value for it. These added values are then often person-related, so that a registration makes sense. At this point, the top dogs are currently in the lead: anyone who already has log-in data with a provider who already offers added value through its services will rather take these than have to remember new registration data. This will further strengthen the monopolists and enable them to obtain consent and collect data earlier and more often.
If a company recognizes this situation, it is already well ahead – but such companies are few. Initiatives such as VERIMI and NetID are therefore particularly important: these log-in alliances aim to be an alternative to the log-in monopolists. They make the “registration dilemma” more and more obvious. Unfortunately, even the legislators did not recognize this before the GDPR came into force. It is therefore important that every company now deals with these alternatives and registration.
In my opinion, the largest German log-in alliances VERIMI and NetID pursue completely different goals. The shareholder structure already shows that NetID is geared towards marketing and thus advertising in the media industry. I expect that all NetID companies will jointly obtain consent for comprehensive tracking. VERIMI, on the other hand, is cross-industry and concentrates strongly on the added value for users through the secure storage of data with VERIMI. From my perspective, its focus is on data protection and security. This also seems to be due to the rather conservative shareholders and companies around VERIMI. Involved are, for example, Allianz Versicherung, Deutsche Bank and Bundesdruckerei.
Timo von Focht: In your opinion, what can, or must, European companies do now to protect themselves from warnings and build up a solid, long-term data strategy?
Dr. Jana Moser: Companies have to deal with this issue. There’s no point waiting any longer and hoping that someone else will take care of the issue. With the GDPR, the monopolists have done this very well and lobbied well. If companies continue to wait and see, in case of doubt a competitor is about to take care of their data protection issue and send them a reminder or draw the attention of the supervisory authority to them.
A rough inventory analysis is therefore certainly the first step: Which data, which documentation and which partners are available? In the second step, I would determine the risks per area: How high is the risk and how likely is it that it will materialize?
After that, I would gradually approach and implement each area. I always recommend that two people wear the hat for the topic internally. Initially, they can tackle the issues with the help of external experts and acquire their own knowledge over time, then there is no dependence on external experts. After all, colleagues understand the company better, have more insight into the company than outsiders and often enjoy more trust.
Timo von Focht: How do you see the future of ePrivacy? What can companies and solution providers expect?
Dr. Jana Moser: The ePrivacy Regulation is not expected to come into force before the end of 2021. Nevertheless, companies should prepare themselves for the fact that the subject of consent will then become even more important. The above-mentioned legitimate interest, which is known from the GDPR, should not currently exist in the ePrivacy Regulation. This probably applies not only to personal data, but also to metadata and machine data. However, the details have not yet been determined. By the way, the same also applies to the default setting of browsers and the setting of third-party cookies, which is prevented by default. If the previous forecasts are actually accepted, the current advertising industry will soon cease to exist. Good for the consumer, bad for the advertiser who clings to the old. So, it’s time for new advertising ideas and concepts.
Timo von Focht: How can companies optimize their privacy settings so that more website visitors release their data? In the course of this: When is which cookie approval worthwhile for consumers?
Dr. Jana Moser: Transparency, convenience and added value are certainly the decisive keywords in this context.
The clearer and more transparent the data protection settings are, the more trust a user has in the service he wants to use. In addition, the settings must be easy and comprehensible to use. I do not consider it necessary to provide over-information by displaying even the smallest cookie information and designation. This does not create any added information value for the person concerned.
Anyone who hides data protection options somewhere will certainly not get any praise from the user. One has to consider that negative examples are more and more often posted in the social networks. Therefore, a bad data protection communication strategy can also develop into a shitstorm for a company.
Ultimately, users are always in a better mood when they can expect or receive good services or even added value from a company. Then even long or confusing data protection regulations are accepted.
As a result, it is only possible to say roughly which cookie agreement is worthwhile for which consumer and when. If a user wants his peace of mind and does not want any personalization, he should not give any consent. For those who see personalization as pleasant and advantageous, profiling can make sense. However, consent must be given for this if individualization is not already a necessary subject of the contract.
Timo von Focht: Thank you very much for the interview, Jana.