Data protection

Definition and delimitation

Data protection law is a category of EU law (with German roots). European constitutional law (primary law) explicitly recognises data protection (including a regulatory mandate) (Article 16 TFEU; Article 8 CFR). Data protection law has a very wide-ranging regulatory competence (Article 16 (2) TFEU) because the internal market reference otherwise required for union legislation is dispensed with. At the European level, the General Data Protection Regulation (GDPR) is the dominant approach; and the JHA Directive (Directive [EU] 2016/680 “on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”), although sector-specific, is also a general regulation. For specific areas of life and law, the telecommunications sector in particular should be mentioned (e-privacy Directive; planned e-privacy Regulation). Aspects of (regulated) self-regulation (Art. 40 f. GDPR) are regulated in detail, but the practical significance is still very low.

Data protection law aims to enable data subjects to protect their informational interests and concerns. Self-determination of the individual is often cited as the guiding principle of data protection, which cannot be denied with regard to the consent options of the data subject. On the other hand, the chosen regulatory method of a ban on the processing of personal data with the reservation of consent is strongly characterised by the fact that here, above all, third parties are set limits for the processing. Freedom and liberty for informational self-determination should first of all be created by this “third-party restriction”. However, at least from a legal point of view, the free movement of personal data has (in the meantime) also been explicitly recognised as a protective goal (Article 1 (1) a.E. GDPR), which also takes into account the entrepreneurial freedom of processors from Article 15 EU-GRCh.

History

The central starting point for data protection law in Germany was – after preliminary work in the 1970s – the idea of “informational self-determination” over personal data from the census ruling of the Federal Constitutional Court (1983). The court derived a “right to informational self-determination” from the general right of personality. Individuals should be able to decide for themselves who receives and processes their data and be protected against the unlimited collection, storage, use and disclosure of their personal data. All forms of processing of personal data fall within the scope of protection of informational self-determination.

The (German) data protection law originates above all from scepticism about state data processing (census, before that already microcensus and dragnet) and less, but later also, about the SCHUFA. European data protection law already had the economy in mind because of the focus of competence on the internal market. In the current debate on data protection and digital policy, the focus is on the (also US-American) digital corporations (GAFAM).

For the time being, the distinction between the public and private (formerly: non-public) sectors (which is significant in German law) does not exist in EU data protection law. However, with an eye trained in German data protection law, one can nevertheless recognise this dichotomous distinction in the area exceptions of Art. 23 of the GDPR and the JHA Directive.

Application and examples

The legal starting point of the GDPR is the prohibition with the reservation of permission (cf. the permissive elements of Art. 6 of the GDPR). In addition, there are further more organisational basic obligations (Art. 5 GDPR). There are few risk-based approaches in EU data protection law (e.g. data protection impact assessment, obligation to appoint company data protection officers; for sensitive data). In addition, EU data protection law cannot be derogated from in principle, but in the relationship between the “controller” and the “data subject”, it can be shaped quite extensively by means of consent, although consent is itself quite presuppositional.

a) Scope of application

Despite its comprehensive regulatory concept, the General Data Protection Regulation is not applicable to everything and anything. Its application is limited by the scope of the EU regulatory concept as a whole. For example, parliamentary law (even if this is disputed), the right of pardon and title law fall within the member state reservation area. The applicability to health and disaster areas is disputed; it also does not apply to the military (cf. Art. 39 TEU) and intelligence services. Some areas are more or less excluded from the scope of the GDPR, such as the media (Art. 85 GDPR) and access to information (Art. 86 GDPR), while in others it opens them up to Member State regulation (e.g. personal identification numbers, Art. 87 GDPR; employment, Art. 88 GDPR; archives, historical research and statistical purposes, Art. 89 GDPR). In general, the applicability of the GDPR is limited by the fact that it only applies to electronic and (partially) automated data processing, not to “mental” or “manual” data processing. Private-family data processing (Article 2(2)(c) of the GDPR, the so-called “household exemption”) is also exempt from the GDPR. In practice, however, the exception is understood so narrowly that even church choirs fall within the scope of data protection law.

The legal definition of “personal data” under data protection law as the object of protection of the GDPR is found in Art. 4 No. 1 GDPR. It is understood broadly and also includes, in particular, the ability to relate to persons. Published personal data fall within the scope of the GDPR, but in cases of journalistic and editorial publication or publication for artistic, literary or expressive purposes, they are (re)referred to the Member State law pursuant to Article 85 of the GDPR.

European personal data law does not make a distinction between nationals and non-nationals. Dead persons are not understood as persons and their data are not (any longer) understood as personal data; however, European law leaves room for member state expansion here. For “special categories of personal data”, it depends on the existence of the qualifying characteristics in the person to whom the data relate. It does not depend on the controller or the place of processing or, in particular, the context.

b) Consent

Consent to the processing of data gives individuals the opportunity to allow their data to be processed. To ensure that only conscious decisions are taken into account here, high demands are placed on the voluntariness and unambiguousness of consent. At the same time, from a processor’s point of view, consent is in practice the most flexible tool for the lawful processing of data outside the (limited) statutory permission norms.

c) Statutory authorisation provisions

In the interest of the general public and third parties, the Federal Constitutional Court already allowed exceptions to the fundamental prohibition of data processing at the time of the census decision in 1983 and stated that this right of the individual cannot apply absolutely. The GDPR also follows this concept of “prohibition with reservation of permission” (cf. Art. 6 GDPR). In view of the technical and social reality of ubiquitous data processing, this hardly seems conceivable otherwise. Thus, as an alternative to consent, it is permitted that the party processing personal data may also rely on a legal basis for this.

d) Accompanying information obligations

Irrespective of the legal basis for personal data processing – consent or legal authorisation – data protection law for the protection of the individual’s personal data focuses in particular on information and aims to reduce existing knowledge deficits on the part of the data subject. Without knowing who knows what about them, data subjects cannot effectively assert their rights. Conventional means for this are information at the time of data collection, subsequent notification or information at the request of the data subject. In addition, there are occasional labelling obligations and public announcements of data breaches.

e) Data protection management

A functioning data protection strategy has now become a real legal obligation under the GDPR (cf. Art. 24 GDPR). Data controllers must create a register of processing activities before the start of data processing (Art. 30 DS-GVO). This also includes data security measures. In addition, the obligation to conduct a data protection impact assessment prior to high-risk processing activities illustrates that processors must have a concrete idea of data protection. Ultimately, the communication obligations of the GDPR also build on this. These declare the transparency of processing (Art. 5(1)(a) of the GDPR) and, in particular, transparency vis-à-vis data subjects (Art. 12 of the GDPR) – also when exercising their data subject rights pursuant to Art. 15 et seq. of the GDPR – to be basic obligations. DS-GVO – are basic obligations for every data-processing entity. Article 5 (2) of the GDPR also imposes extensive accountability obligations on the data controller regarding compliance with the processing and transparency obligations.

Criticism and problems

The “gateway” to the GDPR is quickly reached. This is due to the very broad and risk-independent concepts of processing and personal reference. Furthermore, the GDPR essentially provides for uniform obligations regardless of the (economic) size of the processor (one size fits all), which is partly perceived as an excessive burden for non-profit organisations and small and medium-sized enterprises.

An important point of criticism is the communication of processing operations relevant under data protection law (and the “informed” consent based on this). Data subjects are said to be “rationally apathetic”. For data subjects, it often seems “more favourable” to accept data protection violations or informational intrusiveness by processors, or even not to deal with the fact and the framework conditions of personal data processing at all. The reason for this, apart from the sheer amount of information, is the information gap between the controller and the data subject, and partly also the flow of information itself. The amount of information processed today has reached an extent that is difficult to visualise in conceivable units. Likewise, processors often have a knowledge and information advantage that is difficult to compensate for. The legislator tries to compensate for this in many areas by imposing detailed information obligations; however, it has become apparent that extensive notification and documentation obligations often do not help the data subjects if it is hardly possible for them to check the information provided. This phenomenon is often described as “information overload”.

In addition, informational interventions are not immediately tangible. They usually have no direct consequences. From a psychological perspective, it is therefore understandable that threats to and violations of informational privacy are perceived as less urgent than impairments by the physical environment. In addition, the most frequent violations take place at a very low-threshold level (especially in the advertising sector and on the internet), so that legal action is usually not only refrained from, but is not even perceived as an option. Another factor is the habituation to giving away data in the “free internet”, where data is given away in exchange for content or services, so to speak.

Therefore, as long as data subjects do not consider data protection information important, they will eventually find themselves in the situation where data protection is not only a “nuisance” for those responsible, but also for the data subjects. Those responsible try to formally comply with the requirements, while those affected mechanically avoid the information as far as possible by clicking and wiping it away.

Research

The current focus of data protection research is likely to remain on the manifold questions of interpretation of the GDPR. In addition, fundamental research is being conducted into whether and to what extent the instruments of the GDPR are manageable, expedient, innovation-promoting and risk-adequate. To this end, the work is not only interdisciplinary, but above all comparative (for example, in the project Vectors of Data Disclosure – A Comparative Study of the Use of One’s Own Personal Data from the Perspectives of Jurisprudence, Cultural Studies and Business Informatics). Global law-making activities in data protection law are of particular interest not only in this context. Especially with regard to the global South, questions of legal transfer (and imperalism) as well as the containment of a “data colonialism” (Couldry/Mejias) also arise. Since a worldwide harmonisation of data protection rights and an amendment of the GDPR are not currently obvious, conflict of laws will play an important role in the foreseeable future.

---