Data Protection Officers for Europe

In December 2015, after years of negotiations, the EU Parliament and the EU Council agreed on a European General Data Protection Regulation (GDPR). The aim is to harmonise the protection of personal data throughout Europe. From a German perspective, the existing data protection laws will not change substantially in view of the GDPR. However, some companies in the rest of Europe will face considerable changes. One of these changes will be the mandatory appointment of Data Protection Officers throughout Europe.

Data Protection Officer: from exception to standard

The European General Data Protection Regulation establishes the obligation to appoint a Data Protection Officer (DPO) at a European level. Under the former Directive 95/46/EC, the appointment of a DPO was only optional. Hardly any EU member state – one of the exceptions being Germany – had made use of this possibility.

However, in the future, companies will have to appoint a Data Protection Officer if personal data is processed in order to regularly and systematically monitor data subjects on a large scale, as for example when measuring access to websites. Furthermore, the appointment is also required in cases in which the core activities of a company consist of the processing of special categories of data on a large scale, such as health data in a health insurance company.

The reach of this very general provision cannot yet be assessed. Vague terms such as “a large scale” are, from a legal perspective, far too subjective to foresee which kinds of companies will be covered by this wording. However, it is clear that the idea of a Data Protection Officer has finally started to settle in the perception of European politics.

For German companies, not too many changes with respect to the appointment of a DPO are to be expected. A clause in the respective provisions of the General Data Protection Regulation enables EU member states to establish their own rules for the compulsory appointment of the Data Protection Officer. It would not come as a surprise if Germany made use of this option since it already has quite strict rules for the appointment of a DPO in place in its Federal Data Protection Act.

Requirements for a Data Protection Officer

Other European member states will have to consider the requirements and necessary profile for a Data Protection Officer. Comparable to the German rules, the GDPR stipulates that DPOs need to have expert knowledge in the field. In this context, seminars and training courses will be key, as they already are here in Germany.

However, it is expressly foreseen that companies have the option to choose whether they wish to appoint an employee as an internal DPO or whether they want to outsource this function and appoint an external DPO. This model, too, is not new to German companies.

In the case of an internal Data Protection Officer, namely if the company appoints one of its employees, it has to be ensured that the designated DPO does not face a conflict of interest in view of his/her regular job. This problem is unlikely to appear if the company decides to appoint an external DPO.

From an organisational point of view, and to ensure a direct channel of communication, the provisions of the European General Data Protection Regulation require the DPO to report directly to the CEO or at least to the highest management level of the company. In order to avoid potential conflicts of interest between the management and the DPO, the GDPR further prescribes that the internal or external DPO may not receive any instructions regarding the exercise of his/her tasks and may not be dismissed or penalised for performing his/her tasks.

Tasks of the Data Protection Officer

The tasks of the DPO remain more or less unchanged in the new GDPR and are accordingly comparable to those in the German Federal Data Protection Act. Besides the requirement to inform and advise the company and its staff on data protection related questions, the DPO also has the task of monitoring compliance with the data protection rules. Additionally, he/she needs to provide advice on and monitor the performance of the new data protection impact assessment, the latter being somewhat comparable to the former prior checking under Directive 95/46/EC.

Additionally, the DPO is the contact point for the supervisory authority and is obliged to cooperate with it. This in particular will be one of the most important tasks of the DPO, since according to the “one-stop-shop” idea of the GDPR, data subjects and companies can turn to one supervisory authority for all their concerns.

The rules now expressly incorporate the obligation to publish the contact details of the DPO and to communicate them to the supervisory authority.

Role of the DPO in a corporate group structure

For an international company with locations in other European member states, it is important to note that, following the harmonised provisions of the regulation, it is possible to appoint a single Data Protection Officer, e.g. the DPO of a German company, as the DPO for the entire group of companies. The advantages of such a group-wide DPO are clear: a good overview, simplified coordination between the locations and short communication paths. In the case of very large groups, an additional local role to support the DPO, e.g. a Data Protection Coordinator, should nevertheless be envisaged.

Conclusion: The role of the Data Protection Officer will be upgraded

In conclusion, while at least in Germany the existing legislation will only be amended in detail, there will be a clearly different perception of the role of the Data Protection Officer as an institution within companies throughout Europe. The DPO will be a crucial element of large international companies, and at the same time this increases his/her standing and position within a company. Companies with branch offices in numerous countries, not only EU member states, should already now start looking into having one Data Protection Officer for the entire group of companies.

Against the background of the new provisions of the GDPR in relation to the DPO, it is clear that the formerly strict German rules on data protection, sometimes even considered too strict, will now be a clear locational advantage: while companies in other EU member states now have to establish the respective data protection roles and procedures for the first time, German companies already benefit from established procedures and an appointed Data Protection Officer.


Data protection related “gag orders” by US authorities

How intensively are American authorities using their right to inspect personal data collected by companies? In the face of the recent devastating decision taken by the European Court of Justice (ECJ) concerning data transfers to the US under Safe Harbor, this question arises again. Indeed, the Court put forward as an important argument the mass and uncontrollable surveillance activities of US authorities. According to the ECJ, this is not in compliance with the EU's data protection regulations. As recent publications show, the Court's reasoning for the judgment was closer to reality than suspected.

Surveillance through the Patriot Act (now Freedom Act)

Following the attacks of 9/11, the Patriot Act (now superseded by the Freedom Act) gave US authorities permission to obtain information from companies which could be of national interest to the US. This also covered information about persons outside the US, since the US did not recognise the territoriality principle in the context of this surveillance activity.

The right to access such information can be exercised by the authorities independently, i.e. without any further (e.g. judicial) authorisation. In the context of the Safe Harbor ruling of the ECJ, this circumstance in particular had been challenged as disproportionate, because it opened the door to uncontrolled surveillance of personal data without any purpose limitation. The judges of the ECJ were spot on with their assessment.

Data surveillance as per “National Security Letter”

Meanwhile, it has transpired that American authorities have sent out many so-called “National Security Letters” for their surveillance activities. By means of these letters, in the form of written requests, companies are forced to provide information on their customers. Even a multinational company like Microsoft failed to have these requests declared unlawful before a court.

Most interestingly, the “National Security Letters” also stipulate that the companies concerned are not allowed to inform their customers of the information requests. It comes as no surprise that in English-speaking countries these requests are called “gag orders”.

What a “National Security Letter” requests

It is of particular interest to the European public that one such “National Security Letter”, which had been served on a small internet service provider, has been published after a long judicial dispute in the US. The content of the letter shows the dimension of the surveillance activities. In this specific case, the authority had requested the following data:

  • DSL account information
  • Radius log
  • subscriber name and related subscriber information
  • Account number
  • Date the account opened or closed
  • Addresses associated with the account
  • Subscriber day/evening telephone numbers
  • Screen names or other on-line names associated with the account
  • order forms
  • Records relating to merchandise orders/shipping information for the last 180 days
  • All billing related to the account
  • Internet service provider (ISP)
  • All e-mail addresses associated with Internet Protocol (IP) addresses assigned to the account
  • All website information registered to the account
  • Uniform resource locator (URL) address assigned to the account

and, most interestingly,

  • Any other information which you consider to be an electronic communication transactional record.

It should not be left unmentioned that the published “National Security Letter” dates back to the year 2004. It is not known what additional kinds of information are requested by authorities nowadays. However, it is a fact that between 2003 and 2005 alone, approximately 140,000 such letters were sent to companies.

Conclusion: Quo vadis international data flow?

Of course, the information requested by the letters consisted entirely of personal data. According to EU provisions, and also according to the German Federal Data Protection Act, such data may only be processed under the principle of purpose limitation, and the processing must be proportionate. Additionally, permission to access such data collected by an Internet Service Provider (without the consent of the data subject) is subject to a judicial order.

Inter alia because of the dimension and uncontrollability of access to personal data, the ECJ ruled the Safe Harbor agreement invalid. The now published “National Security Letter” illustrates which kinds of data American authorities request. In the face of the sheer amount – both of the data and of the “National Security Letters” submitted – the ECJ is indeed right in its ruling.

At the moment, the European Commission is striving to agree on a revised agreement with the US in order to allow the data flow into the US to continue. According to the latest statements by the EU Commissioner for Justice, Věra Jourová, the new agreement is scheduled to be put in place as early as January 2016. Needless to say, from a European data protection perspective, it is to be hoped that the circumstances concerning the “National Security Letters” are taken into account in the negotiations.


From the Patriot Act to the Freedom Act – data protection in the United States

On 2 June 2015, the US Senate passed the Freedom Act, new legislation which replaced parts of the expired Patriot Act. The revision of, inter alia, those parts which dealt with telecommunication data and its surveillance turned out to be necessary in order to restore the trust of the US public in their authorities after the Snowden revelations. According to the Freedom Act, American authorities (e.g. the NSA) are prohibited from collecting mass data on data subjects. Against the background of the recent devastating decision taken by the European Court of Justice (ECJ) concerning data transfers to the US under Safe Harbor, companies may ask whether, by means of these legal changes, a data transfer to the US is now possible again.

What was the content of the Patriot Act?

The Patriot Act, inter alia, dealt with the collection, storage and processing of telecommunication data. This meant, for instance, that the length of a telephone conversation, the location, the name, the address and the invoice of the telecommunication user could be stored and processed. Once the data was collected, American authorities had access to it for further processing without any limitations.

According to German and European law, this data qualifies as personal data which is covered by data protection law. Processing of such data is, at least in Germany, only allowed if the data subject has consented to it or if it is covered by a legal basis. Additionally, the country in which the data is to be processed must provide a level of data protection comparable to that of the EU. The latter was supposed to be the case for companies in the US certified under the Safe Harbor agreement. But exactly this agreement has been ruled invalid by the ECJ, in view of the lack of protection of data subjects against improper access to their data by American authorities, which ultimately rendered data transfers to the US unlawful.

Relevant data protection changes through the Freedom Act

The question now arises whether telecommunication data is better protected by the US Freedom Act (which stands for “Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act”). If this were indeed the case, one could probably argue that the required level of data protection is now in place and a new Safe Harbor agreement may be obsolete, or at least easier to negotiate. But to the contrary: the Freedom Act does contain changes, but these changes are not sufficient to raise the data protection standards to an acceptable level.

On a first read, the Freedom Act appears to be a positive development from a European data protection perspective. American authorities themselves are no longer allowed to store telecommunication data and no longer have direct access to it. But on closer inspection, this positive impression is soon blurred: telecommunication data is now stored directly with the provider and can be transferred to the authorities upon request. For this purpose, American authorities now at least have to demonstrate a specific cause, e.g. that a data subject is a potential threat. Apart from that, however, there is no further restriction limiting the surveillance and processing of mass telecommunication data. The detour via the collection of telecommunication data by the provider does not alleviate the general concerns.

A step closer to data protection – but only one

The changes brought by the US Freedom Act are definitely a step in the right direction. But from a European data protection perspective, and also in view of the Safe Harbor ruling, the changes make no relevant difference. The criticism in the context of the Safe Harbor decision explicitly focussed on the mass collection and surveillance of data without any restriction to a specific purpose, and on the lack of legal means to appeal against arbitrary processing of personal data. The Freedom Act does not help here. The Safe Harbor dilemma is not yet solved.

US Freedom Act vs. data retention in Germany

Unfortunately, however, there are similarities between the US Freedom Act and the recently introduced German Data Retention Act. One could even say that the differences are marginal. The Data Retention Act allows telecommunication providers to collect and store telecommunication data. Authorities can request access to the data through a judicial order and subsequently process it. In fact, the judicial authorisation, the retention period for such gathered data and the existing legal means of redress are the only differences to the US legislation. Therefore, it remains open whether the new German Data Retention Act will be upheld in a judicial review. In 2010, the German Constitutional Court had already once before declared a similar piece of legislation unconstitutional.
