GDPR Laws on the Internet: The Key Rulings and Risks

The General Data Protection Regulation (GDPR) has been in force in the European Union since May 2018. Since then, courts and policy-makers have repeatedly refined the legal requirements in light of practical experience, mainly through new rulings that declare existing regulations invalid or prompt adjustments. Staying on top of the GDPR developments, we shed light on what they mean for businesses and how you can protect your business.

Article overview:

Data Protection: Strengthened Rights Of Affected Persons

Data Transfer to Third States: The Provisions of EU Law

EU Standard Contractual Clauses for Data Transfer

Google and the GDPR

New Privacy Shield Coming?

Taking the Initiative Instead of Waiting

GDPR Requirements for your Website

GDPR-compliant online shop

Newsletter and GDPR: What You Need to Know

GDPR-Compliant Social Media Marketing

GDPR Fines: What Gets Fined Most Often

Checklist: Learnings from the Fines Imposed to Date

Update: Data Protection - Strengthened Rights of Affected Persons

In May 2023, the European Court of Justice (ECJ) handed down an important ruling on the subject of compensation for damages in the event of data leaks. If customers' data is leaked to the public, the company that caused the leak may now be obliged to pay - even if there is no concrete evidence of damage.


Claim For Compensation

The first judgment of the European Court of Justice deals with the claim for compensation under Article 82 of the General Data Protection Regulation (GDPR). This article governs the right to compensation for people affected by data protection breaches. Previously, it was assumed that a certain materiality threshold existed, so that compensation for minor damage caused by data protection breaches was not possible: damage had to reach a quantifiable threshold before it could be compensated.

The European Court of Justice has now revised this approach and stipulates that damage does not have to exceed a certain threshold before those affected are entitled to compensation. The judges argue that this approach has long been common for minor injuries to property, such as scratched car paint, and that this also applies to data protection - even if the damage is not always immediately apparent.

European Data Protection Society (EuGD) vs. Scalable

This view is exemplified by a series of judgments against the online broker Scalable, whose customer data fell into the clutches of hackers. As a German legal tech company, EuGD regularly represents those affected by data protection violations and has now dealt with a case in which a Scalable customer was blackmailed with his data by criminals. He received an email with a scan of his ID card. The court then awarded the affected person 1,200 euros in damages.

This ruling is not the first of its kind: Already in 2021, EuGD won 2,500 euros in compensation after customer data was stolen from Scalable. This decision mainly took into consideration the fact that the security breach was the responsibility of the company, even if there was no misuse of the data by third parties (case number 31 O 16606/20). The data became accessible to criminals via a service provider with whom Scalable had not worked for some time. However, the company had failed to change the access data to the IT systems used by the service provider. Unauthorised persons had taken advantage of this glaring security gap. According to the court, this was an avoidable incident and thus a data protection violation.

Problem: How To Quantify The Damage?

The question of compensation for damages, however, continues to pose challenges for the courts, as a concrete sum is difficult to quantify if those affected by data protection violations have not suffered any material damage in a clear amount. Important aspects in the assessment so far have been, for example, how criminals got hold of the data, how sensitive it was and whether there was any misuse.

Conclusion: The Legal Risk Increases

The ruling is pleasing for those affected and reason enough for companies not to get too comfortable with data protection. Because even if you commit a data protection breach and the damage to those affected cannot be quantified, it is now possible that you will be sued for non-material damages - the risk of a legal dispute has therefore increased significantly. Therefore, adhere precisely to the legal requirements and protect your customers' data comprehensively.

This also includes protecting your business from cybercrime. Data is highly sought after by hackers. Read here how you can protect yourself: Hacker Attack: How to Protect Your Business from Cybercrime.

Data Transfer to Third States: The Provisions of EU Law

In addition to the regulations on personal data within the EU states via the GDPR, the regulation of data transfer to third countries is also important. Under current law, personal data is not actually allowed to leave the European Economic Area (EEA) at all – unless the transfer takes place based on a valid transfer mechanism, such as standard contractual clauses. But the rules for personal data also apply when they are transferred across borders to countries with different legislation. To ensure compliance, the legal framework offers three options:

EU Standard Contractual Clauses for Data Transfer

The Privacy Shield, which regulated the transfer of personal data, existed with the USA until July 2020. But this was declared invalid by the European Court of Justice in the judgment known as “Schrems II” (named after the Austrian lawyer and data protection activist Max Schrems, who also filed the lawsuit). The reason for this is that the legal situation and the monitoring practices by secret services in the USA cannot be reconciled with European data protection.

Following the fall of the Privacy Shield, the European Commission adopted two standard contractual clauses in June 2021, which take into account the new requirements of the GDPR and the ECJ ruling and are intended to replace the Privacy Shield data transfer system. These are standardised and pre-approved model data protection clauses that you can include in contractual agreements and that provide you with an easy-to-implement template for meeting data protection requirements.

You can download both standard contractual clauses in several languages from the European Commission’s website:

Google and the GDPR

The example of Google shows that there is still great uncertainty for companies when it comes to data transfer to the USA. On the one hand, almost no website operator can avoid Google services - on the other hand, Google’s headquarters are still in the USA and the legal situation regarding data transfer remains uncertain. This uncertainty has already led to several written warnings in Germany and Austria because of Google Fonts and Google Analytics.

Google Fonts Wave of Warnings

In January 2022, the Munich Regional Court ruled that the use of Google Fonts on websites “undisputedly” transmitted the dynamic IP addresses to the Google servers in the USA. According to Article 82 (1) GDPR, the plaintiff was awarded damages of 100 euros for “individual malaise”. Although the verdict is an isolated case, some lawyers and associations that specialise in legal warnings sensed an opportunity, so numerous website operators received written warnings for the remote integration of Google Fonts in autumn 2022.

exali customers were also among those that received legal warnings. Over 100 of them contacted our insurance experts in October and November 2022 after receiving a legal warning about Google Fonts. Due to the high number, we contacted the insurer and prepared a reply letter that we made available to our customers.

More than 100 exali customers contacted our insurance experts by the end of October 2022 because they had received a written warning for the use of Google Fonts.


Google Analytics to Be Banned Soon?

While the wave of legal warnings about Google Fonts in Germany and Austria is still ongoing, the next problem for website operators is already in the starting blocks: Google Analytics. After Austria, France and Italy, the Danish data protection authority also declared the use of the tool illegal in September 2022. This is because Google transfers user data outside of the EU. Google has already reacted with the introduction of Google Analytics 4, but the Danish data protection authority sees problems here too, because IP addresses are also used to determine the location of the users - and although the IP address is then deleted, depending on the user's location a direct connection to the US may still occur before the deletion.

New Privacy Shield Coming?

In October 2022, US President Joe Biden passed a new executive order. It is supposed to serve as the basis for a new EU-US data transfer agreement, which will be published in March 2023. The executive order stipulates that US intelligence services’ access to data be limited to what is “necessary” and “proportionate” and formulates twelve goals intended to justify the use of mass surveillance. In addition, the executive order includes a two-tier mutual legal assistance mechanism that EU citizens can use to lodge complaints against unlawful access to their data.

However, data protection advocates consider the executive order to be far from sufficient to justify a new adequacy decision. This is because on the one hand, it is only an administrative order issued by decree that can be revoked without further ado, and on the other hand, the real problem - the surveillance laws of the USA - continues to be ignored. The Austrian non-governmental organisation NOYB, which is also the driving force behind the Schrems rulings, has already announced that it will challenge the changes before the European Court of Justice.

Taking the Initiative Instead of Waiting

It can be concluded from this that there is currently a lack of legal certainty when it comes to third-country transfers and this gap will not be closed in the foreseeable future. The global convergence of different data protection laws remains a major issue that raises more questions than answers for the companies concerned. In order not to be completely helpless in the face of the current uncertainty, companies should analyse their processes for data transmission to third countries on their own initiative and carefully document the results. This helps you create a foundation, so you are not completely unprepared if the authorities conduct an audit.

Insurance Against GDPR Violations

As far as legal warnings and claims for damages are concerned in terms of the GDPR, we can protect you financially if you have taken out Professional Indemnity Insurance through exali.com. In these cases, the experts check the written warning for data protection violations at their own expense to determine whether the claim is justified and pay the justified claims for damages. If there are doubts about the legality of a written warning, Professional Indemnity Insurance defends the claim and also assumes the costs (e.g. for lawyers, experts, courts). The same applies in the event that others receive a fine due to your failure to perform the service or work provided (e.g. one of your customers) and claim this fine back from you in the form of compensation for damages. These “third-party fines” are also covered by Professional Indemnity Insurance via exali.

Special case: first-party fines

Fines imposed on you by a court or a data protection authority for a data breach are also insured as part of your Professional Indemnity Insurance (provided that this assumption of costs is legally permitted in the individual case).

If you have any questions about how to protect against data protection violations, you are welcome to contact our customer service - you can reach the exali customer advisors by phone from Monday to Friday 9:00 a.m. to 6:00 p.m. (CET) on +49 (0) 821 80 99 46-0 or via the contact form.

GDPR Requirements for your Website

A good website not only needs an appealing design and informative content, but must also comply with the requirements of the GDPR. Otherwise you face legal warnings - from data protection authorities, but even more likely from competitors. The basic requirements for a data protection-compliant website are as follows:

Technical Requirements:

Legal Notice / Imprint

A GDPR-compliant imprint must contain the following information:

Privacy Policy

In addition to the imprint, your website must also contain a privacy policy in which you list the scope and purpose of the data processing, the rights of data subjects, as well as plugins from third-party providers (such as Google Analytics, social media) and the commissioned service providers used. Information on objection to the data measures must also be included.

Cookie Banner

The handling of cookies has been confusing website operators for years, because the GDPR actually has nothing at all to say on the subject. Therefore, an ePrivacy regulation should actually have come into force at the same time as the GDPR, but this has been postponed again and again and is currently in a trilogue between the EU Council, EU Commission and EU Parliament. Entry into force before 2023/24 is unlikely.

However, the GDPR stipulates that users must agree to the processing of their data. The Viennese non-governmental organisation NOYB therefore started a scan of more than 3,600 websites in March 2021 and submitted more than 700 complaints to the companies whose cookie banners had a misleading design and/or no “reject” option in the cookie banner. In order to make the cookie banner GDPR-compliant, a cookie consent tool is currently recommended.

Cookie Consent

A cookie consent tool is recommended if you use tools that are not just required for the technical operation of your homepage. This includes tools such as:

The consent tool works like a mask that you place over your website. It offers both a button to accept the use of non-essential cookies and one to reject them. In addition, users can choose individually which tools they agree to - any tool that is not ticked is actually blocked.
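To make the "unticked means blocked" behaviour concrete, here is a small consent gate written for this article as an added example; it is not code from the original article or from exali. The tool names, categories and script URLs are constructed placeholders, and the gate only decides which scripts may be loaded; wiring it to a banner and to actual script tags is left to the site.

```javascript
// Added example (not from the original article): a consent gate modelling the
// cookie consent tool described above. Names and URLs are constructed.

const TOOL_REGISTRY = [
  // Essential tools are needed for technical operation and need no consent.
  { name: "session-cookie", category: "essential", src: null },
  // Non-essential tools stay blocked until the user explicitly ticks them.
  { name: "web-analytics", category: "statistics", src: "https://analytics.example/tag.js" },
  { name: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Initial state: no non-essential tool is ticked, so none of them loads.
function defaultConsent(registry = TOOL_REGISTRY) {
  const consent = {};
  for (const tool of registry) {
    if (tool.category !== "essential") consent[tool.name] = false;
  }
  return consent;
}

// "Accept all" / "Reject all" buttons set every non-essential choice at once.
function setAll(consent, granted) {
  const next = {};
  for (const name of Object.keys(consent)) next[name] = Boolean(granted);
  return next;
}

// Per-tool tick box. Unknown or essential names are ignored rather than
// created, so the consent record can only ever contain registered tools.
function setChoice(consent, name, granted, registry = TOOL_REGISTRY) {
  const tool = registry.find((t) => t.name === name);
  if (!tool || tool.category === "essential") return consent;
  return { ...consent, [name]: Boolean(granted) };
}

// The gate itself: only essential tools and explicitly granted tools may load.
// A tool missing from the consent record is treated as refused (default deny).
function allowedScripts(consent, registry = TOOL_REGISTRY) {
  return registry
    .filter((t) => t.category === "essential" || consent[t.name] === true)
    .map((t) => t.src)
    .filter((src) => src !== null);
}

// Snapshot of the choices plus a timestamp, kept as evidence of consent.
function consentRecord(consent, now = new Date()) {
  return { choices: { ...consent }, recordedAt: now.toISOString() };
}
```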

Contact Forms

If you integrate contact forms on your website, they must also be GDPR-compliant. Generally, if you give your website visitors the opportunity to contact you via a contact form, no explicit consent is required to process the data, as there is a legitimate interest. This means you have a legitimate interest in responding to and contacting interested parties. BUT - you still have to include a data protection notice according to GDPR in EVERY contact form on your website. Users must confirm that they have read this data protection notice and agree to it - the easiest way to do this is to click a checkbox - before the contact form is sent.

Important: Inform the users about the following points in the data protection notice:

Commissioned Data Processing According to GDPR

If a company commissions third parties (e.g. external service providers) and they process personal data as part of the order, then this is considered commissioned data processing.

In this case, the company must enter into a data processing agreement (DPA contract) with the service provider in accordance with Art. 28 GDPR. This regulation also applies if companies use tracking software (e.g. Google Analytics) or outsource their accounting or data centres.

Keep in mind: Clients should never rely on service providers to take care of data protection; they remain primarily responsible for this!

GDPR-compliant online shop

If you operate an online shop, the same requirements apply as for the website plus the following additional ones:

Newsletter and GDPR: What You Need to Know

Newsletters are still one of the best tools to communicate with your customers and promote your offer. In order to make the newsletter GDPR-compliant, you have to keep the following in mind:

We have also summarised details for a legally compliant newsletter for you in this article: Legally Secure Newsletter Marketing: This Is What You Need to Know

GDPR-Compliant Social Media Marketing

Marketing without social media - hardly imaginable! If you use social media channels for your business, there are also some GDPR requirements here:

We have described in detail in the following article how you can make your business accounts in social networks legally secure and GDPR-compliant: Facebook, Instagram, Twitter & co.: An Overview of the Risks in Social Media

GDPR Fines: What Gets Fined Most Often

First of all, it is important to know that a GDPR warning does not always have to come from a supervisory authority. In fact, many legal warnings are issued by competitors or, as the example with Google Fonts illustrates, by lawyers and associations who are trying to capitalise on a judgment. Most often, (alleged) violations on one’s own website are the subject of legal warnings.

A look at the GDPR portal, which records both GDPR violations and violations of other data protection laws, shows that the most common reasons for fines by authorities are the following:

Checklist: Learnings from the Fines Imposed to Date

This checklist tells you the most important thing about dealing with data protection authorities that can be learned from past cases – especially when dealing with personal data processing: