Rules For Data Protection on the Web

From May 25, 2018, the new General Data Protection Regulation will apply within the European Union. In an interview, lawyer Marcus Dury explains what this means.

Dury is a specialist lawyer for IT law and owner of the law firm DURY LEGAL Rechtsanwälte. The law firm advises companies in the field of IT law and industrial property protection at three locations in Rhineland-Palatinate and Saarland. Together with Website-Check GmbH, the law firm offers legal certification and deficiency analysis for professional websites or online shops.

dd24: What exactly is the General Data Protection Regulation, to whom does it apply and what is its main objective?

Dury: Website operators will be faced with a serious tightening of the rules due to the GDPR. Of course, it remains to be seen how severely violations will be prosecuted in practice. In my opinion, the most important aspects are the following:

  • As a website operator, I can no longer simply integrate every script and plug-in of a non-European provider on the website. It is necessary that an adequacy decision of the EU Commission exists regarding the country of residence of the provider of the script (e.g. Switzerland), or, if no such adequacy decision exists, that the provider has voluntarily, and insofar as corresponding bilateral regulations exist, committed to compliance with European data protection standards. For US companies, this can be done, for example, through a declaration of compliance with the currently applicable EU-US Privacy Shield.
  • Every website through which personal data (e.g. also the user's IP address) is collected for purposes other than the mere delivery of the website must in future be served SSL-encrypted (Forced-SSL).
  • Insofar as a data protection officer must be appointed, this officer must also be named on the website with the name and business address as well as further contact information in the privacy policy of the respective website.

dd24: In which cases and in which way do bloggers, operators of club websites and other websites with a private or non-commercial focus also have to adapt to the GDPR?

Dury: All the above points apply only to commercial websites, association websites and websites operated under public law. Purely private hobby and family websites are excluded. However, the borderline is already blurred. Bloggers who use advertising banners or other sources of monetisation are no longer acting "privately" according to established case law.

The decisive factor is whether the operation of the website is a long-term activity. This is the case with most seriously run blogs. An intention to make a profit is not required. In case of doubt, one should assume that a blog or website could be considered "business-like". We therefore always advise including an imprint and a privacy policy on a website.

dd24: Are there best practice guidelines regarding data protection, cookies and the duty to inform for private website operators?

Dury: Basically, all websites should run with Forced-SSL. Active scripts and plug-ins from third-party providers should not be blindly trusted. Ultimately, every site operator is responsible for what he embeds on his website. A privacy policy is obligatory, even for non-commercial offers.

dd24: What does the GDPR mean for users of website tracking tools such as Google Analytics?

Dury: Google joined the EU-US Privacy Shield in 2016 and claims to comply with European data protection standards. Since the revelations by Edward Snowden, everyone should decide for themselves whether this can still work in the USA. Until the European Court of Justice decides on the fate of the EU-US Privacy Shield, however, nothing is likely to change for users of Google Analytics. You simply have to conclude the data processing contract with Google and include legally compliant information texts with corresponding opt-out options in your privacy policy.

dd24: The General Data Protection Regulation provides for extensive information and deletion obligations for providers. What does this mean in concrete terms for users of internet services, what does the GDPR mean for them?

Dury: According to the GDPR, providers have to inform users of online offers about quite a lot when they process personal data. To try to summarise: You actually have to inform about everything you do with the data and, in addition, why you do it and to what extent it is allowed. An exhaustive list would go beyond the scope of this interview.

In addition, users of online services must also be informed about their rights, including the right to have their data deleted. It is important that this information must comply with the so-called transparency requirement. It must be simple and clearly understandable, not for me or the provider of the online offer, but for a consumer with average understanding.

As far as deletion specifically is concerned, data subjects can indeed demand the deletion of their data at any time. Whether you really have to delete them depends on whether they are subject to a retention period under other regulations, e.g. tax regulations.

dd24: Why and to what extent are providers from non-EU countries also affected by the European General Data Protection Regulation?

Dury: In addition to standardising the level of data protection within Europe, the GDPR also aims to export European data protection standards all over the world. In future, every company will have to comply with the GDPR if it offers data processing related to Europe and European consumers, even if it is based in China.

dd24: The GDPR also has consequences for the collection and storage of data in the course of a domain registration. What will change here?

Dury: According to the GDPR, personal data may only be collected if the data subject expressly consents or if the processing is otherwise justified. In the case of domain registration, direct customer data is collected from resellers, which is necessary for the processing of the contract. The collection of data is therefore justified there.

However, registrars like Key-Systems only need part of this data, namely to actually register the domain with the registries. The data going beyond this is only processed or collected on behalf of the actual responsible party, the reseller. The registration in turn requires the transfer of personal data to the registry. These are not all located within the EU. The registrars' contracts with resellers and registries must therefore all be put to the test.

dd24: Whois, the address book on the internet, so to speak, in which contact data for every domain is stored, is also currently under scrutiny: why?

Dury: The Whois rules of some TLDs are very far-reaching and require the disclosure of the name, address, telephone number and other contact data. This is particularly the case with all TLDs that are subject to ICANN's Whois rules. This practice largely contradicts the GDPR, in particular the principle of data minimisation, and could hardly be justified in the past either.

In principle, one has two options. Either explicit consent would have to be obtained from all registrants, or Whois would have to be abolished in its current form. A transitional solution is available for the European area in the form of the expert opinion by the colleagues from Rickert and Fieldfisher, which the eco association presented in December 2017 and which recommends data minimisation.

dd24: The Federal Data Protection Act and other German legal provisions were adapted to the requirements of the GDPR last year. Can you summarise these adjustments and their consequences for us?

Dury: Since the GDPR is directly applicable law and also takes precedence over national law, the German legislator only has the possibility to fill in the leeway that has been explicitly left to the member states for regulation. Therefore, the German BDSG was first adapted to European law. At the same time, for example, special regulations were made in the area of employment relationships, serious and commercial data protection violations were made punishable, and special regulations were established for the appointment of data protection officers.

dd24: What remains the same about data protection on the internet despite the GDPR and the adapted laws in Germany?

Dury: German data protection law has always functioned according to the principle of prohibition with reservation of permission. This means that personal data could only be processed if the processing was permitted by the consent of the data subject or by a legal provision. This will not change under the GDPR. So not everything will be different. However, it is expected that the combination of concrete rights of citizens and the new very high fine framework will lead to better and, above all, more transparent handling of data.

dd24: There is a lot of criticism of the General Data Protection Regulation, both from the data and consumer protection groups and from the business community. What are the biggest points of criticism from the two camps and why are opinions so far apart?

Dury: It's the same as always: for some it doesn't go far enough, for others it overshoots. Consumer protectionists criticise above all that current developments, such as Big Data, the feeding of artificial intelligence, the Internet of Things and ubiquitous computing in general and, of course, Industry 4.0, threaten the protection of personal data and thus people's right to informational self-determination. The GDPR does not have any specific regulations for individual technologies, but sets out abstract rules that apply everywhere. Some consumer advocates fear that this will not work because the respective data protection requirements in the individual contexts are sometimes quite different.

By the way, some voices from the business community also complain that many regulations are not specific enough. What exactly does it mean, for example, that software complies with data protection "by design", as required by the GDPR? Nevertheless, data controllers may face fines if they use software that does not comply with the regulation. Taken together with the extraordinarily high fine framework, these abstract obligations create uncertainty from the perspective of some critics.

dd24: Mr. Dury, thank you for the interview and we wish you all the best!