New consumer protection regulation for digital products

25. July 2022/in Issue July 2022 Data Protection, Information Technology

With the Digital Content and Digital Services Directive (EU Directive 2019/770), the EU is further expanding the European Digital Single Market and facilitating consumer access to digital products. The stated goal of the EU was to strike a balance between a high level of consumer protection and the promotion of the competitiveness of businesses. Nevertheless, the contractual design of the provision of digital content must be adapted in some fundamental points due to the new legal framework that has been in force in Germany since 01 January 2022.

1. Relevant provisions and scope of application

The new legal framework for the provision of digital products in Germany came with several amendments to the German Civil Code (BGB). Nevertheless, the following overview will focus on the new regulations in Sections 327 et seq. BGB, which have an essential impact on the design of Terms & Conditions in B2C relations.

Those regulations apply to all consumer contracts on the provision of digital content or digital services (digital products) in return for payment of a price. A major change is that the new legal regulations also apply if the consumer provides personal data as payment, unless the personal data is processed exclusively for the purpose of supplying the digital content or digital service or for complying with legal requirements. As free digital content is often provided with the specific goal of harnessing the collected personal data of users beyond the extent necessary for supplying the digital product itself, this expansion of the scope of application means that many use cases, such as free consumer apps, which were previously rather unregulated, are now subject to stricter consumer protection regulation in Germany.

2. Obligation to provide the digital product

If Sections 327 et seq. BGB apply, the trader is under a contractual obligation to provide the digital product. If the trader fails to provide the product, the consumer can terminate the contract, claim damages or claim reimbursement of futile expenses. In the event of a lack of conformity or defective performance, the consumer shall be entitled to have the digital content or digital service brought into conformity, to receive a proportionate reduction in the price, or to terminate the contract. The consumer may further demand damages or reimbursement of futile expenses. In particular for digital products offered “free of charge”, for which the consumer only “pays” with personal data, this is a paradigm change compared to the former regulations, which left the trader greater leeway to change or withdraw the product and which were also more lenient in the case of product defects.

3. Obligation to update the digital product

Another controversial topic has been regulated in Section 327f BGB, stipulating that the trader must ensure that the consumer is provided with updates necessary for the digital product to remain in conformity with the contractual conditions and that the consumer is informed about these updates accordingly. These mandatory updates explicitly include security updates. The obligation to update the digital product applies as long as the digital product is made available and can therefore even go beyond the general warranty obligations. The trader is even liable for product defects if he has provided an update but the consumer has not installed it, either because the trader has not sufficiently informed the consumer about the availability of the update and the consequences of failing to install it, or because the failure to install was due to defective installation instructions.

4. Modification of the digital product

A particularly challenging provision can be found in the new Section 327r BGB, which implements Article 19 of the Digital Content Directive. Where the contract provides that the digital content is to be supplied to the consumer over a period of time, the trader may modify the digital content beyond what is necessary to maintain the digital content in conformity, only if

  • (1) the contract allows, and provides a valid reason for, such a modification,
  • (2) such a modification is made without additional cost to the consumer and
  • (3) the consumer is informed in a clear and comprehensible manner of the modification.

If these requirements are not met, the consumer has the right to terminate the contract. However, Recital No. 77 of the Digital Content Directive explicitly states that, if the modified digital content is no longer in conformity with the subjective and the objective requirements for conformity, the consumer shall also be able to demand cure, to reduce the price as well as to demand damages or reimbursement of futile expenses.

Pursuant to Recital No. 75 of the Digital Content Directive valid reasons to modify the digital product could encompass cases where the modification is necessary to adapt the digital content to a new technical environment or to an increased number of users or for other important operational reasons.

In particular with free apps, it is not uncommon to change the catalogue of features during the runtime of the app, sometimes maybe expanding the features, but often also removing features which prove to be impractical or not economically viable. However, according to the examples given in Recital No. 75 of the Digital Content Directive, neither the practicality nor the economic viability should be valid reasons to remove features from the app. If the removal of such features proves to be a defect, the user could theoretically demand the app to be restored to the previous version.

5. Consequences for contract design

The new regulations significantly tighten the legal obligations for the provision of digital products, especially in those cases where the product is provided free of charge and access is paid for only with the consumer’s data. The former legal framework did not explicitly recognize personal data as a valid means of payment and therefore did not oblige the trader who received the data to perform in return. With the new regulatory framework, the trader’s performance obligations are now very similar to those of a normal purchase or rental contract. Since the legal requirements can hardly be altered by contract according to Section 327s BGB, the new regulations require a redesign of most existing contracts. Even more than in the past, it will be important to define the scope of performance carefully in order not to expose oneself to supplementary performance obligations and to reserve the right to make changes at a later date. Also, additional information requirements are imposed on the trader, which need to be complied with in order to avoid cease and desist letters from competitors.

Should you have any questions regarding the new regulatory framework, we will be happy to offer our support.

Dr. Sebastian Engels

2. June 2022/in Berlin Copyright, Data Protection, Designs, Domains, Employee Inventions, Information Technology, Licensing, Trade Marks, Unfair Competition Chemistry, Creative Industries, Electrical Engineering, Internet, Mechanical Engineering, Pharmaceuticals / Life Sciences, Physics, Software / IT
Attorney at Law (Germany)


Contact



Kurfürstendamm 185
10707 Berlin
Germany

T +49 (30) 23 60 76 70
F +49 (30) 23 60 76 721



Sebastian Engels advises clients in all aspects of trade mark, copyright, and unfair competition law. He works with German and international clients to develop IP strategies both in Germany and abroad. A special focus of his expertise is advising and representing e-commerce and IT providers, among others, with regard to consumer protection regulations, transactional matters, data protection law, and domain name law. Sebastian Engels represents clients in all types of intellectual property disputes, including trade mark, trade dress, copyright, and unfair competition matters.

Legal areas

  • Data Protection
  • Information Technology
  • Designs
  • Domains
  • Licensing
  • Trade Marks
  • Copyright
  • Unfair Competition
  • Employee Inventions

Industries

  • Chemistry
  • Electrical Engineering
  • Internet
  • Creative Industries
  • Mechanical Engineering
  • Pharmaceuticals / Life Sciences
  • Physics
  • Software / IT

He has successfully handled cases throughout the litigation process before courts, the European Intellectual Property Office (EUIPO) and the German Patent and Trade Mark Office (GPTO).

Sebastian Engels studied law at the University of Constance (Germany) and the University of Cork (Ireland), specializing in competition law and intellectual property. During his legal clerkship in Berlin he gained practical experience working for the competition department of the German Federal Ministry of Economics and a major German film production company. His doctoral thesis focused on the admissibility of territorial IP licensing within the European Single Market.

Since joining BOEHMERT & BOEHMERT in 2011, Sebastian Engels has handled all aspects of intellectual property and unfair competition law.

He is a member of the German Association for the Protection of Intellectual Property (GRUR).

Further information about Dr. Sebastian Engels

University lectureships

Lecture on license agreement law as part of the MBA program BioMed at the University of Potsdam


GDPR – New Standard Contractual Clauses

1. December 2021/in Issue December 2021 Data Protection

Since the CJEU annulled the EU-US Privacy Shield in July 2020, the European Commission’s Standard Contractual Clauses have in practice formed the most relevant basis for cooperation with service providers and partners outside the EU. The Standard Contractual Clauses have now been fundamentally reformed, and the new clauses have had to be implemented since 27 September 2021. We summarise the most important changes and the resulting need for action.

Background

The GDPR protects personal data of EU citizens also outside the EU. Personal data may only be transferred to countries outside the European Union (so-called third-countries) if an adequate level of data protection comparable to the GDPR is guaranteed in these third-countries. For a number of countries, such as most recently the United Kingdom, the adequate level of data protection has been positively established by an adequacy decision of the Commission. For most countries, however, no such adequacy decision exists. This also applies to the USA since the CJEU declared the EU-US Privacy Shield, which had been in force since 2016, null and void in 2020 (judgment of 16.07.2020 – C-311/18 – Schrems II). As an alternative, the focus shifted to the possibility of ensuring an adequate level of data protection on a contractual basis by executing the European Commission’s Standard Contractual Clauses.

These Standard Contractual Clauses have now been thoroughly revised by the European Commission and adopted in their latest edition on 4 June 2021 (Implementing Decision (EU) 2021/914). The new Standard Contractual Clauses are to be applied to all new agreements as of 27 September 2021. For legal relationships established by then, the old Standard Contractual Clauses will remain applicable for another 15 months. However, by 27 December 2022 at the latest, all data transfers to third-countries must be adapted to the new Standard Contractual Clauses or an alternative instrument to ensure an adequate level of data protection.

Modular construction principle for different constellations

To cover the different scenarios of international data transfers, the new Standard Contractual Clauses rely on a modular building block principle instead of the previous separate sets of documents for each scenario. On the one hand, this leads to increased flexibility, especially since data transfers between processors and (sub)processors and between processors and controllers are now also covered. On the other hand, the application of the Standard Contractual Clauses thus gains in complexity, especially since the principle remains that the clauses are only considered a suitable guarantee for ensuring an adequate level of data protection if they are used essentially unchanged.

Model order processing agreement included

In addition to guaranteeing an adequate level of data protection, the new Standard Contractual Clauses also explicitly serve to fulfil the obligations under Article 28 (3) and (4) of the GDPR to conclude a data processing agreement. They are thus at the same time a model data processing agreement. For this purpose, the European Commission also adopted separate model data processing clauses, which can be used in domestic processing scenarios (Implementing Decision (EU) 2021/915). Since the use of these clauses is not mandatory, it remains to be seen whether they will prevail in practice compared to the numerous freely available templates for data processing agreements.

New testing and documentation requirements for the implementation of Schrems II

The new Standard Contractual Clauses are in parts obviously designed as a response to the risks identified by the CJEU in Schrems II in the context of third-country transfers, in particular regarding excessive access to personal data by public authorities. However, they do not solve the practical problems arising for implementing companies. For example, the CJEU explicitly requires implementers of the Standard Contractual Clauses to assess the legal provisions applicable in the recipient’s country to see whether the statutory framework even allows the data recipient to comply with the provisions of the Standard Contractual Clauses. If, as in the USA, the legal regulations permit access by public authorities that the CJEU considers incompatible with European standards, the parties must take additional organisational and technical measures to effectively counter these risks.

The new Standard Contractual Clauses manifest this obligation by requiring the contracting parties to conduct a prior impact assessment, the outcome of which must be documented. As a result, both parties must explicitly confirm that there are no concerns about the ability to comply with European data protection standards. The clauses also contain obligations for the data recipient to notify the sending entity about requests from public authorities and to exhaust legal remedies where such remedies are prohibited.

Outlook and recommendation for action

The new Standard Contractual Clauses undoubtedly fit better into the regulatory system of the GDPR and offer practical advantages, such as increased flexibility and the implementation of the CJEU’s requirements from Schrems II. The mandatory transfer impact assessment appears at first glance to be an intensification of the legal obligations, but ultimately merely implements the situation that has applied since Schrems II. Furthermore, the explicit implementation of this requirement in the Standard Contractual Clauses could increase the practical willingness of third-country service providers to participate in a transfer impact assessment as well as in the remediation of identified risks through technical and organisational measures.

If no real alternative to the conclusion of the Standard Contractual Clauses is established at the political level, which currently is not foreseeable, there is no way of avoiding the new Standard Contractual Clauses for a cooperation with service providers in third-countries, such as the USA. The current relevance of the topic is also shown by recent measures of the German data protection authorities, which in July 2021 sent questionnaires to companies throughout Germany in a coordinated focus audit regarding the handling of third-country transfers in accordance with Schrems II. Corresponding audits are to be expected in particular in connection with the changeover deadlines for the use of the new Standard Contractual Clauses on 27 December 2022.

Against this background, all EU-based companies should be prepared, whereby the following measures seem advisable for a practicable implementation of the legal requirements:

  • Conducting an internal screening for processes that involve the transfer of data to third-countries, such as the USA (e.g., in the context of website tracking, software tools, etc.).
  • Evaluating the possibility of suitable alternative providers based within the European Union.
  • Preparing different sets of the Standard Contractual Clauses according to own needs.
  • Preparing a standardised impact assessment process for third-country transfers and a catalogue of appropriate technical and organisational measures to reduce identified risks.
  • Ongoing documentation and review of the measures taken, as evidence for submission to the data protection supervisory authority in case of an audit.

If you have any questions about the new Standard Contractual Clauses or about third-country transfers in general, please do not hesitate to contact us.


Silke Freund and Dr. Sebastian Engels with article in the “International Comparative Legal Guide – Copyright Laws and Regulations 2021”

19. October 2020/in Publications Data Protection

The Global Legal Group has published a new edition of the “International Comparative Legal Guide” on copyright law. The guide is aimed specifically at corporate lawyers and provides comprehensive information on copyright laws and regulations for 18 countries from Australia to Zimbabwe. 

BOEHMERT & BOEHMERT lawyers Silke Freund and Dr. Sebastian Engels have taken over the part for Germany. In their article entitled “Germany: Copyright Laws and Regulations 2021”, they provide an insight into the legal situation in Germany and deal in seven chapters with general questions on copyright subsistence, ownership and exploitation of rights, owner and enforcement rights as well as criminal offences and current developments. 

The complete article is available online here and can also be downloaded as PDF.


CJEU declares Privacy Shield invalid

21. July 2020/in Special Edition July 2020 Data Protection

By decision of 16 July 2020 (C-311/18), the CJEU declared the EU-US Privacy Shield, which was the basis for a GDPR compliant transfer of personal data of EU citizens for numerous US service providers, to be invalid. The decision also raises questions regarding the use of the standard data protection clauses adopted by the Commission (“Standard Data Protection Clauses”) for safeguarding an adequate level of data protection when transferring data to third countries, such as the USA, and clarifies that the mere execution of the Standard Data Protection Clauses can no longer be considered a guarantee for GDPR compliance. The decision thus makes it necessary for all internationally acting companies, but also for companies simply working with service providers outside the EU, to closely review all data transfer to third countries, in particular to the USA, for GDPR compliance.

Background of the decision

The GDPR protects the personal data of EU citizens not only within the European Union. The GDPR also requires that personal data may only be transferred to countries outside the scope of the GDPR (so-called third countries) if an adequate level of data protection comparable to the GDPR is safeguarded in these third countries. For a number of countries this adequate level of data protection has been positively established by a Commission adequacy decision. Until now, this also applied to the USA, with the particularity that the adequacy decision did not apply per se to the entire USA, but only to companies that had certified themselves according to the rules of the EU-US Privacy Shield negotiated between the USA and the EU and had thus been subject to the provisions of this agreement. In 2016, the EU-US Privacy Shield succeeded the so-called “Safe Harbor Agreement”, which the CJEU declared invalid in its ruling of 6 October 2015 (C-362/14) due to incompatibility with European data protection standards.

As an alternative to such an adequacy decision, the GDPR provides for further mechanisms safeguarding an adequate level of data protection. A particularly important alternative in practice is the Standard Data Protection Clauses of the European Commission, which are concluded directly between the data-exporting company and the data-importing company.

The decision

In its decision of 16 July 2020, the CJEU now also declared the adequacy decision on the EU-US Privacy Shield to be invalid, thus depriving a high number of current data transfers to the USA of their legal basis. As regards the Standard Data Protection Clauses, the decision also contains statements which call into question the suitability of this instrument for ensuring an adequate level of data protection with regard to data transfers to the USA.

With regard to the EU-US Privacy Shield, the CJEU concludes that the adequacy decision regarding the Privacy Shield cannot be reconciled with the standards established by the GDPR, in particular because it does not proportionately limit the rights of access to personal data granted by US law to the US security authorities, nor does it provide the data subjects with an effective legal remedy for taking action against unlawful interference by US authorities.

As a result, the adequacy decision on the EU-US Privacy Shield was declared invalid, so that on this basis a lawful data transfer to the US is no longer possible.

In contrast, the CJEU explicitly confirmed, in relation to the Commission’s decision on the Standard Data Protection Clauses, that the legal assessment had not revealed any evidence which might affect the validity of the decision. The Standard Data Protection Clauses thus remain as a potential basis for data transfers to third countries. However, also with regard to the Standard Data Protection Clauses, the judgment states that the assessment of whether an adequate level of data protection exists on the basis of the Standard Data Protection Clauses depends both on the contractual obligations and on whether the legal system of the third country safeguards an adequate level of data protection, in particular with regard to access to data by public authorities. At the same time, the court clarifies that it is the responsibility of the data processing companies to verify whether the data importing company is legally in a position to comply with the contractual obligations at all and, in case of doubt, to suspend the data transfer.

Furthermore, the CJEU imposes an obligation on national data protection supervisory authorities to verify actual compliance with the contractual obligations stipulated by the Standard Data Protection Clauses and to intervene if these obligations cannot be met.

Consequences of the decision

The decision concerns not only data transfers to the US, but all data transfers to third countries for which no adequacy decision by the Commission exists.

Individual agreements between the companies involved, Binding Corporate Rules and Standard Data Protection Clauses can still be used as a basis for GDPR compliant data transfers to third countries. However, in the future, more attention should be paid to whether the legal requirements at the data importer’s place of business permit compliance with the agreed data protection rules. As the competent data protection supervisory authorities will, in compliance with the CJEU decision, also focus more closely on this, it is to be expected that European authorities will develop a common position with regard to specific third countries in order to ensure uniform application of the law and greater legal certainty.

What to do now

  • While it is to be expected that the European data protection authorities will soon take a position on the CJEU decision, immediate action is required, as there is no transition period.
  • Any data transfer based solely on the EU-US Privacy Shield has been illegal since the decision and should be suspended immediately until an alternative basis for data transfers to the US is found.
  • In case of a data transfer based on contractual arrangements, such as the Commission’s Standard Data Protection Clauses, it should be examined whether the contractual obligations stipulated in such arrangement can be met subject to the legal requirement in the respective third country. In any event, it may be an option to meet the concerns of the CJEU by means of additional contractual provisions for a transitional period until a coordinated position of the data protection authorities emerges.
  • If necessary, a data transfer can also be carried out on the basis of one of the exemptions under Article 49 GDPR, in particular on the basis of express consent, whereby the legal requirements for effective consent must be complied with, unless another exception applies.

Not least because of the clear call for action which the CJEU directed to the competent data protection supervisory authorities in its decision, the practical relevance of the ruling should not be underestimated.


Silke Freund and Dr. Sebastian Engels contribute to the “International Comparative Legal Guide – Digital Business 2020”

10. June 2020/in Publications Data Protection, Information Technology, Trade Marks

The Global Legal Group has published the first edition of the “International Comparative Legal Guide – Digital Business 2020”. The guide is aimed specifically at corporate attorneys and offers a comparative legal analysis of current legal requirements and topics for digital business. 

Under the heading “Digital Business Laws and Regulations – Germany”, BOEHMERT & BOEHMERT attorneys Silke Freund and Dr. Sebastian Engels provide an insight from a German perspective. 

In eleven chapters, they deal with regulations for e-commerce, data protection, cyber security, cultural norms, brand enforcement online, cloud computing and further digital topics. 

The complete article is available here online or as PDF.


Brexit and Data Protection Law – if the UK becomes a third country without a deal

15. February 2019/in Brexit-Update, Special Edition 2 February 2019 Data Protection

In case of an unregulated hard Brexit, the European Data Protection Law would also come down with full force: The United Kingdom would become, from one day to the next, a “normal” third country and would also be treated as such by the EU Data Protection Law. The transfer of personal data from the EU to the United Kingdom would only be legitimate if and as long as specific conditions are met.

The EU General Data Protection Regulation (GDPR) establishes a uniform level of data protection throughout the European Union which allows free data exchange within the EU: Since the same Data Protection Law (in principle) equally applies in all EU Member States, personal data may be transferred within the Union across the internal frontiers without any special requirements or conditions, as they are equally well protected in all Member States via the GDPR.

Data transfer to third countries only under special conditions

As soon as the United Kingdom leaves the European Union, it will become a third country from one day to the next. Under the GDPR, personal data may be transferred to a third country only if specific conditions are met, as described below.

If the Brexit is unregulated, i.e. without any special agreement between the Union and the Kingdom, the aforesaid also applies to the UK – immediately and directly, as of 29 March 2019 at 00:00 CET, without any grace period, as provided for in Art. 71 of the Draft Agreement of 14 November 2018 which was rejected by the House of Commons on 15 January 2019: It was planned therein that the GDPR should continue to apply to the UK until the end of 2020. For the time thereafter, a national UK Data Protection Law was to be established to provide essentially the same level of data protection in the UK as within the European Union.

What does that mean for companies established in the EU?

In terms of data protection, an unregulated Brexit particularly affects the “remainers” in the EU, namely, the EU-based companies that wish to exchange data with UK-based companies. The EU companies are then so-called “data exporters”, and they therefore have to set the stage for data transfer that is compliant with EU data protection law. If the requirements are not met, data must not be transferred to the third country. If data are transferred nevertheless, the EU-based companies are committing a data protection violation. It is therefore in the direct interest of EU-based companies to comply with the GDPR requirements for transfers to third countries.

The goal of special provisions of the GDPR for exporting data to third countries is the best possible protection of personal data and the persons to whom they relate in the third country. Data transfer to a third country is permitted only if

  • the European Commission has decided, by means of an adequacy decision, that the third country ensures an adequate level of protection,
  • or appropriate safeguards have been provided
  • or the transfer can be justified by one of the derogations set forth in the GDPR.

In detail:

  • Adequacy decision of the Commission

    With regard to some third countries, the European Commission has confirmed that an adequate level of data protection exists in these countries. These include, inter alia, Canada, Japan, Switzerland and Israel. Personal data may be transferred to these countries without establishing additional safeguards.
    With regard to the UK, however, there is no such decision, and it is unlikely that such a decision will be taken in the near future. In a notification of 14 November 2018, the Commission in this regard simply stated:
    “(…) the adoption of an adequacy decision is not part of the Commission’s contingency planning.”

  • Providing “appropriate safeguards”

    The export of data to third countries may take place if the data exporter provides “appropriate safeguards” to ensure an adequate level of data protection. In particular, this includes the use of the so-called “Model Clauses” which were previously approved by the Commission. These Model Clauses are currently still applicable in principle, in modified form, but are not unchallenged. In fact, they are currently under review in the context of proceedings pending before the European Court of Justice. It cannot be ruled out that these Clauses may suffer the same fate as the Safe Harbour Agreement, which was declared invalid by the ECJ.
    “Appropriate safeguards” also include binding corporate rules (BCR) within groups of undertakings, which, however, must be approved beforehand by the supervisory authorities.

  • Derogations for specific situations

    The GDPR provides a number of “derogations for specific situations” in which a transfer of data to a third country is permitted even without an adequacy decision and without “appropriate safeguards”. This includes, in particular, the case where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers. Personal data, as another example, may also be transferred to a third country if this transfer is necessary for the performance of a contract concluded with the data subject or concluded in his/her interest.
    Whether the data transfer is covered by one of the derogations must always be carefully examined on a case-by-case basis.

It is important to keep in mind that ensuring compliance of the third country transfer alone is not sufficient; in addition, the obligation to provide information must be fulfilled. The data subjects must be given information about the intention to transfer personal data to a third country and also about how the adequate level of data protection will be ensured.

What does that mean for UK-based companies?

The GDPR is European Union Law and applies directly in all EU Member States. One would think that the GDPR therefore does not have any relevance for UK-based companies after the UK’s withdrawal from the EU. But this is not the case: Companies established in third countries are also fully subject to the rules of the GDPR if they offer goods or services to individuals in the Union and in this context process personal data of persons residing there. For example, a British online shop that offers and sells goods to the EU is subject, without restrictions, to the rules of the EU Data Protection Law. The same applies where the behavior of individuals residing in the European Union is monitored from the third country (e.g. via web tracking).

For such UK companies, the unregulated Brexit therefore means that they are subject to the strict EU data protection regulations due to their activities in the EU, but (being companies in a third country) no longer benefit from the principle of the free transfer of data.

Do not forget assessment Stage 1

The question whether and under what conditions the transfer of data to a third country is compliant with the GDPR concerns Stage 2 of the assessment of whether the personal data may be transferred from one body to another. Irrespective of whether the recipient of the data is located inside or outside the EU, companies must first assess whether or not the data transfer to a third party is GDPR-compliant at all, which requires applying a specific legal basis.

Conclusion

In particular, EU-based companies that intend to transfer personal data to the United Kingdom must be prepared for an unregulated Brexit. It must always be assessed on which legal basis the transfer of personal data to the UK can take place as of the Brexit reference date, and appropriate measures must be taken to ensure an adequate level of data protection.


Brexit and Data Protection Law – if the UK becomes a third country without a deal

2. February 2019/in Brexit-Update, Special Edition 2 February 2019 Data Protection

In case of an unregulated hard Brexit, the European Data Protection Law would also come down with full force: The United Kingdom would become, from one day to the next, a “normal” third country and would also be treated as such by the EU Data Protection Law. The transfer of personal data from the EU to the United Kingdom would only be legitimate if and as long as specific conditions are met.

The EU General Data Protection Regulation (GDPR) establishes a uniform level of data protection throughout the European Union which allows free data exchange within the EU: Since the same Data Protection Law (in principle) equally applies in all EU Member States, personal data may be transferred within the Union across the internal frontiers without any special requirements or conditions, as they are equally well protected in all Member States via the GDPR.


Commentary on the Scope and Application of The Portability Regulation (Regulation (EU) 2017 / 1128)

1. January 2019/in Issue January 2019 Data Protection

Since 1 April 2018, the Portability Regulation (Regulation (EU) 2017/1128) prohibits geo-blocking of online content within the European Union. An Open Access commentary on the Scope and Application of the Portability Regulation co-authored by Sebastian Engels and Jan Bernd Nordemann provides useful guidance on the requirements of the Portability Regulation for all actors in the digital content economy.

Since 1 April 2018, the Portability Regulation prohibits geo-blocking of online content within the European Union. The regulation governs unrestricted access for all European citizens to (paid) subscribed online content, regardless of where they are present in EU territory. The presence must be “temporary”. Providers of fee-based online content are then obliged to guarantee their subscribers cross-border portability. Limiting access or demanding additional fees is prohibited. The Portability Regulation does not apply directly to offers that are not, or not directly, subject to payment, such as media libraries. For these providers, it is voluntary. Furthermore, the Portability Regulation also includes rules to minimize the user’s personal data collected in order to identify the Member State.

As useful guidance on the requirements of the Portability Regulation for all actors in the digital content economy, an Open Access commentary on the scope and application of the Portability Regulation, co-authored by Sebastian Engels and Jan Bernd Nordemann, has been published in JIPITEC – Journal of Intellectual Property, Information Technology and E-Commerce Law.

The commentary can be freely accessed via the following link:
https://www.jipitec.eu/issues/jipitec-9-2-2018/4728


General Data Protection Regulation (GDPR) – Transparency obligations for companies

1. January 2019/in Issue January 2019 Data Protection

The GDPR introduced new and in some cases deviating regulations with regard to data protection information obligations. In particular, companies should review their data protection declarations and consent procedures in order to avoid fines and official objections. Becoming GDPR compliant can certainly be seen as an opportunity to eliminate previous flaws with regard to transparency in data processing and ensuring the effectiveness of existing declarations of consent.

Transparency in the handling of personal data is an integral part of data protection. Data subjects should always have the opportunity to understand who is processing which data, when and for what purpose. Accordingly, data protection law contains a large number of transparency obligations designed to ensure transparency in data processing.

Duty to provide information when collecting data

The GDPR contains an extensive catalogue of provisions requiring the controller to inform potential data subjects on the scope of data processing, which are reflected in Articles 13 and 14 of the GDPR. In addition, Article 12 GDPR contains specific provisions on the form in which the information must be provided, namely in a precise, transparent, comprehensible and easily accessible form in clear and simple language.

Art. 13 and Art. 14 GDPR list obligatory information, which must be communicated to the data subject. It is of particular relevance that according to Art. 14 GDPR, the data subject must also be informed if the data is not collected directly from the data subject but from another source, e.g. from the Internet or via a lead provider. Although Art. 14 allows for a number of narrow exceptions to this principle, these will normally not be relevant, in particular for the collection of personal data for commercial purposes.

Further information and disclosure obligations

In addition to Art. 13 and Art. 14 GDPR, the GDPR contains further transparency obligations, some of which go beyond the previously applicable obligations. According to Art. 15 GDPR, for example, the data controller must provide the data subject with comprehensive information on the data stored and processed in relation to this data subject. Insofar as a controller invokes a legitimate interest, the data subject must be informed of his right to object pursuant to Art. 21 para. 4 GDPR.

Consent under the GDPR

Transparency of data processing is also of particular importance in connection with obtaining consent for data processing, a point that the responsible controller often overlooks. Compliance with the transparency rules and information obligations is particularly important in this context, as a lack of transparency can, in case of doubt, lead to the ineffectiveness of the consent and thus to the illegitimacy of the data processing carried out on the basis of the consent as a whole.

Particularly when obtaining consent through pre-formulated texts, it must be ensured that the type, purpose and scope of data processing are made clear from the text of the consent in plain, intelligible and simple language in order to ensure that the consent is “informed” and therefore valid. In addition, the data subject must be made aware of his or her right to revoke consent at any time. Finally, consent must be given actively, so that implicit acceptance of the declaration is not an option.

Of practical relevance is the question of the extent to which consents obtained in the past, i.e. before 25 May 2018, continue to be valid under the GDPR. It follows from recital 171 of the GDPR that existing consents remain effective provided that their nature corresponds to the conditions of the GDPR. Accordingly, the association of the German supervisory authorities for data protection (Düsseldorfer Kreis) also regards previously effective consents as still valid, at least in principle, if they were obtained in accordance with the requirements of the old version of the German Data Protection Act (“BDSG”). However, this does not apply to the consent of minors who had not yet reached the age of sixteen when the consent was granted, because under the GDPR, minors under the age of sixteen cannot grant consent without the consent of their legal guardians.

Against the background of the increased liability for data protection violations under the GDPR, we recommend that existing consents be critically re-examined in any case as to their compatibility with the requirements of the GDPR. In this respect, it should also be borne in mind that the willingness of affected customers to give their consent in connection with the conversion to the GDPR is likely to be significantly increased. Accordingly, the switch to the GDPR should also be seen as an opportunity to “improve” the data protection consents and to avoid legal risks for the future.

Conclusion

The GDPR introduces new and in some cases deviating requirements with regard to transparency obligations. In particular, companies should review their privacy policies and consent procedures in order to prevent future fines and official objections. In this context, the conversion to the GDPR can well be seen as an opportunity to eliminate previous flaws with regard to transparency in data processing and ensuring the effectiveness of existing declarations of consent.
