More than ever before, data is an essential commodity that no company can do without. As data becomes increasingly important, so do the efforts made by the authorities to protect it. Data protection violations, which can sometimes result in severe sanctions, are increasingly becoming a risk for companies.
Markus Fleck, product manager at Financial Lines within AGCS in Germany, compares the situation in the US with the situation in Germany and looks ahead to 2018, when the legislation in Germany is set to be tightened up considerably.
"One of the biggest challenges created by the Internet and increasing networking in general relates to data protection. This is an issue that becomes more and more acute."[i]
This statement made by Klaus Schwab, the founder and executive chairman of the World Economic Forum, would appear to be spot-on - at least as far as the consequences of data protection violations in the US are concerned.
Sanctions resulting from data protection violations in the US
In the US, where no single authority is responsible specifically for data protection, various government authorities respond to data protection violations within their sphere of responsibility by launching supervisory law proceedings to clarify and, where appropriate, sanction these violations. This is evident from the following cases on which the authorities involved made information available to the public.
On August 3, 2016, for example, the Federal Reserve Board imposed a USD 36.3 million penalty on the Goldman Sachs Group for its unauthorized use of confidential supervisory information. The company was also obliged to implement new processes for the handling of confidential supervisory information. Finally, the Federal Reserve Board also plans to initiate enforcement proceedings against a former managing director at the bank.
On June 22, 2016, the Federal Trade Commission imposed a penalty of USD 0.95 million on the mobile advertising company InMobi after the company had tracked its customers' locations without their knowledge and consent in order to be able to serve them geo-targeted advertising.[ii]
Finally, the California Department of Justice reached a USD 33 million penalty settlement with the telecommunications company Comcast after the company published the names, phone numbers and addresses of tens of thousands of customers who had paid for a voice-over-IP phone service offered by the company.[iii]
In addition to the supervisory law proceedings, data protection law issues are often handled by the civil courts in the US. In the period between October 1, 2014 and December 31, 2015 alone, 83 class action lawsuits relating to alleged data protection violations were filed in the US.[iv] The following cases show the far-reaching consequences that proceedings like these can have for companies.
On March 7, 2016, the DIY chain Home Depot U.S.A. Inc. reached an agreement, in a class action lawsuit, with plaintiffs whose bank and customer data, stored by Home Depot, had been stolen back in 2014. The company agreed to pay the affected customers a total of USD 13 million in compensation and also made USD 6.5 million available to set up an account monitoring system to help the individuals affected.[v]
On September 14, 2014, the Johns Hopkins Hospital reached an agreement, in class action proceedings involving former patients of the hospital, to pay USD 190 million after a former doctor at the hospital had videotaped and photographed his patients without their consent.[vi]
Finally, on March 9, 2015, the Target Corporation and its customers reached an agreement, in class action proceedings, on the payment of USD 10 million due to the theft of credit and customer card information that came to light on December 19, 2013.[vii]
Handling of data protection violations in Germany
Unlike in the US, Germany has authorities that are specifically responsible for data protection, namely the data protection officers of the German Federal Government and the federal states. Their activity reports provide a very good insight into the prevailing practice.[viii] The activity report prepared by the Hamburg data protection and information security officer for 2014/2015, for example, shows that, during the period under review, 2,934 petitions were filed by citizens triggering what are known as "ad hoc assessments" performed by the authorities responsible under data protection law.[ix] During the same period, 14 administrative fines of between EUR 200 and EUR 5,000 were imposed.[x]
This would appear to suggest that, here in Germany, violations of data protection law are rare and, at the same time, rarely serious. In his activity report, however, the Hamburg data protection and information security officer also highlights the fact that his authority hardly performs any random checks at all due to a lack of staff.[xi]
The activity reports of the other data protection officers of the German Federal Government and the federal states create a similar impression.[xii]
Data protection violations would hardly seem to play any role in civil law proceedings in Germany either; at least, judicial decisions on liability for violations of data protection law provisions are hardly ever published.
General Data Protection Regulation (GDPR): New legal basis as of May 2018
The current situation in Germany could change as of May 25, 2018. This is when the EU General Data Protection Regulation (GDPR), which was finalized on December 15, 2015 after almost four years of negotiations between the European Council, the European Parliament and the European Commission, will come into force. The new regulation will then replace the EU Data Protection Directive (Directive 95/46/EG) and, unlike its predecessor, will apply directly throughout the European Union. This will create a uniform data protection standard in the European Union for the very first time. This data protection standard contains various principles that are already set out in the German Federal Data Protection Act (Bundesdatenschutzgesetz).
Article 6 of the GDPR, for example, sets out what is known as a "prohibition with reservation of permission" for the processing of personal data as a general principle. This means that data can only be processed if the data subject has granted his or her consent, or if another one of the exceptions set out in this provision applies. This is the case if
- data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
- or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This justification shall not apply to authorities.
In addition, the principles of data avoidance, data economy, purpose specification and transparency apply.
Finally, ensuring data security has been set out as a central statutory principle of data protection (Art. 5.1f and Art. 32 GDPR). Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor must implement appropriate technical and organizational measures. The level of security must be commensurate with the risk.
The GDPR will tighten up the legal situation considerably with regard to the statutory reporting obligations. Pursuant to Article 33.1 GDPR, personal data breaches must be reported to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. An exception can be made if the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.
The notification to the supervisory authority must include at least the following information:
- a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller also has to communicate the personal data breach to the data subject without undue delay (Art. 34.1 GDPR).
This provision extends the reporting obligations set out in the current legislation, the German Federal Data Protection Act (BDSG), considerably. At the moment, there is only a reporting obligation if the protection of the personal data set out in § 42a BDSG is breached. This data includes, by way of example, information on a person's racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life, bank or credit card data or data that is subject to professional secrecy requirements. Under the GDPR, the reporting obligation is no longer restricted to a certain catalog of personal data.
Compliance with the provisions of the GDPR is ensured by independent supervisory authorities, the data protection authorities. Pursuant to Article 51.1 GDPR, each member state must set up one or several independent supervisory authorities. The supervisory authorities must act with complete independence in performing their tasks, and the members of the supervisory authority must be free from external influence in the performance of their tasks. Pursuant to Article 52.4 GDPR, this independence must also be reflected in adequate human, technical and financial resources for the supervisory authorities.
Compared with the EU Data Protection Directive, the GDPR gives the data protection supervisory authorities more extensive powers. The possible sanctions that can be imposed have also been extended.
In the future, the data protection authorities will also have powers in the public domain that they have not had in the past, at least not in Germany. In accordance with Art. 58 GDPR, they will, among other things, have the power to issue orders to public authorities, for example to prohibit illegal data processing, to order the erasure of personal data or to order the suspension of data flows to a recipient in a third country. These powers are unusual for German administrative law insofar as they allow one public authority to impose sovereign measures on another within the same administrative body. This means that the data protection authorities essentially take on the role of legal supervisory authorities. Powers like these are crucial in order to ensure the effective enforcement of data protection law. They also, however, mean that, at national level, authorities have to be afforded judicial protection against the measures taken by the data protection authorities.
In the non-public domain, on the other hand, the powers are comparable to those that already apply. In this respect, the GDPR makes a distinction, in Article 58, between investigative and corrective powers. The corrective powers range from reprimands pursuant to Article 58.2b to orders pursuant to Article 58.2d and limitations or bans on data processing pursuant to Article 58.2f. In addition to, or instead of, the abovementioned measures, an administrative fine can also be imposed pursuant to Article 83 GDPR, depending on the circumstances of the individual case. The scope for imposing administrative fines has been increased considerably.
For certain infringements, the GDPR provides for administrative fines of up to 4% of a company's annual turnover, or EUR 20 million, whichever is higher. This is calculated based on the total worldwide consolidated annual turnover, not just the turnover generated in Europe or within an individual group company.
In addition to the powers of intervention that the supervisory authorities have, the GDPR also sets out an independent entitlement to compensation. Pursuant to Article 82.1 GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. The controller or processor is only exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
A development that is currently unfolding in parallel with the developments in data protection law could have an impact on the significance of data protection: the national and also the EU antitrust authorities are increasingly looking at the growing significance of (personal) data in business life in general. This applies both to the EU antitrust authorities[xiii] and to the German Federal Antitrust Office (Bundeskartellamt). On March 2, 2016, for example, the latter initiated proceedings against Facebook Inc. and its German subsidiary based on suspected market abuse in the form of data protection violations.[xiv] It also published a paper on data and its impact on antitrust law.[xv]
The changes in data protection law set out above based on the GDPR, which will come into force on May 25, 2018, as well as the legal developments in the realm of antitrust law, inevitably lead to the conclusion that data protection poses an "acute" challenge to companies operating in Germany as well.
Markus Fleck is responsible for product development within the Financial Lines Underwriting team at AGCS Germany.
[i] Schwab, Klaus; Die vierte industrielle Revolution [The fourth industrial revolution], p. 152; Munich 2016.
[iv] BryanCave LLP, 2016 Data Breach Litigation Report, p. 2; https://www.bryancave.com/en/thought-leadership/2016-data-breach-litigation-report.html
[viii] Cf. "Zentralarchiv für Tätigkeitsberichte des Bundes- und der Landesdatenschutzbeauftragten und der Aufsichtsbehörden für den Datenschutz – ZafTDa" [Central archive of activity reports of the data protection authorities at the level of the German Federal Government and the federal states, and of the supervisory authorities for data protection] http://www.thm.de/zaftda/.
[ix] 25th activity report 2014/2015 of the Hamburg officer for data protection and freedom of information, p. 256; Hamburg 2016.
[x] 25th activity report 2014/2015 of the Hamburg officer for data protection and freedom of information, p. 259; Hamburg 2016.
[xi] 25th activity report 2014/2015 of the Hamburg officer for data protection and freedom of information, p. 256; Hamburg 2016.
[xii] Cf. "Zentralarchiv für Tätigkeitsberichte des Bundes- und der Landesdatenschutzbeauftragten und der Aufsichtsbehörden für den Datenschutz – ZafTDa" [Central archive of activity reports of the data protection authorities at the level of the German Federal Government and the federal states, and of the supervisory authorities for data protection] http://www.thm.de/zaftda/.
[xiii] By way of example: European Commission, "Google/DoubleClick", COMP/M.4731, dated March 11, 2008, www.ec.europa.eu/competition/mergers/cases/decisions/m4731_20080311_20682_de.pdf, §§ 359-366; European Commission, "Facebook/WhatsApp", COMP/M.7217, dated October 3, 2014, www.ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf, §§ 180-189.