Newsletter data protection

Dear readers,

Data transfer to third countries is a current topic that regularly raises data protection issues in European companies. With regard to data transfers to the U.S. when using Google Analytics, the Austrian data protection authority recently issued a statement, which we have taken as an opportunity to present the current developments on data protection with Google Analytics in the main topic of this data protection newsletter.

In view of the data privacy issues involved in data transfers to the U.S., an expert opinion on the current status of U.S. surveillance law was commissioned by the German Conference of the Independent Federal and State Data Protection Authorities. We also report on this expert opinion and other current topics in this newsletter.

For feedback on this newsletter or questions related to the newsletter topics, please email us at You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Current developments in data protection regarding the use of Google Analytics

In Germany, many companies make extensive use of the technical possibilities for evaluating the behavior of users on their own online sites. Alphabet/Google has the largest share in the market for analysis tools of this type with its Google Analytics service. With the help of Google Analytics, website operators can create detailed reports on the user behavior of website visitors; at the same time, however, the corresponding information is also available to Google as the operator of the service.

In the course of a complaint procedure, the Austrian data protection authority has now determined that website operators cannot use Google Analytics, at least in its version of August 14, 2020, in compliance with the General Data Protection Regulation (GDPR). The background and consequences of this decision are presented below, particularly with regard to transferability for the situation in Germany.

Higher Regional Court of Dresden: Retention obligations in the case of unlawfully collected data

The Higher Regional Court of Dresden has ruled that statutory retention obligations do not constitute a justification for permanently storing data that has not been lawfully collected (Higher Regional Court of Dresden, judgment dated December 14, 2021 - Ref. 4 U 1278/21).

In the case underlying the decision, the defendant debt collection company had requested that the plaintiff settle an alleged outstanding debt. However, it turned out that the plaintiff was not the actual debtor, but only a person with the same name. The plaintiff then requested that the defendant delete his personal data. The defendant refused to do so, stating among other things that it was subject to retention obligations under tax law and that it wanted to avoid further confusion in the future.

The Higher Regional Court affirmed the claim for deletion with regard to the name, address and date of birth of the plaintiff and thus with regard to the data with which he can be clearly identified. This duty to delete does not affect the retention obligation in question pursuant to Section 147 of the German Fiscal Code (Abgabenordnung, AO), which only relates to business correspondence. The defendant was not obliged to delete the business correspondence. Rather, it was incumbent on the taxpayer to organize data files in such a way that an auditor accessing the data file could only access data that had to be retained. This could be achieved, for example, by restricting access or blacking out the data required for identification. The lawfulness of the data processing in the present case also did not result from Article 6(1)(1)(f) of the GDPR, since the interests of the plaintiff in his right to informational self-determination outweighed the interest of the defendant in not identifying and claiming the plaintiff again when determining the place of residence of the actual debtor.

(Johanna Schmale)

France: Supervisory authority sanctions Google and Facebook

CNIL, the French data protection authority, has imposed further fines on providers Google and Facebook for the unlawful design of cookie consents, and is also threatening to impose additional fines if the corporations fail to make adjustments within three months. In both cases, the supervisory authority had found that optional cookies could be confirmed with one click, but that several steps were required to reject these cookies. This leads users to agree to the cookies out of convenience, because this is the easiest solution. Google must pay a total of EUR 150 million for this incorrect implementation on the search portal and the video portal YouTube, and a fine of EUR 90 million was imposed on Facebook. Neither fine notice is final yet, and the providers are expected to appeal. The dispute over the last fine against Google is currently still pending before the Conseil d'État. The Irish Data Protection Commission, which has been criticized frequently for its inactivity in the past, would actually be the body responsible for supervising Google and Facebook. The CNIL, however, justifies its responsibility by referring to the e-privacy directive that is currently still in force. The CNIL itself reports on the procedure on its homepage, and Politico has also taken up the issue.

(Dr. Sebastian Meyer)

Austrian data protection authority on the storage of customer calls

In January 2022, the Austrian data protection authority announced a decision according to which a bank may not permanently store all of its customers' calls (Ref.: 2020-0.591.897 (D124.422)).

In the case underlying the decision, the complainant felt that his rights had been violated by a bank's recording of his customer call without an opt-out option. All calls were recorded and permanently retained by the bank. For this purpose, the bank invoked its statutory retention obligations as a payment and securities service provider.

In the opinion of the authority, a differentiation had to be made according to the type of calls for the assessment under data protection law. Legal recording obligations existed in part for the authentication of telephone banking orders or in relation to customer orders. However, the specific customer call of the complainant concerned did not fall under a corresponding obligation. Telephone calls subject to a statutory recording obligation had to be kept separate from other customer calls. By comprehensively recording customer calls, the bank had violated the principle of data minimization in view of the fact that the recording obligation did not apply across the board.

The decision was appealed to the Federal Administrative Court in Austria and is therefore not yet legally binding.

(Johanna Schmale)

Expert opinion on the current status of U.S. surveillance law

Under the auspices of the Berlin Commissioner for Data Protection and Freedom of Information, an expert opinion on the current status of U.S. surveillance law and surveillance powers was prepared on behalf of the German Conference of the Independent Federal and State Data Protection Authorities (Data Protection Conference, DSK) (expert opinion by Prof. Stephen Vladeck dated November 15, 2021). The background to the expert opinion is the current problem of data transfer to the USA in terms of data protection law. The level of data protection in the U.S. has been criticized in the past, among others, by the European Court of Justice (ECJ) in its judgment "Schrems II" (ECJ, judgment of July 16, 2020 – Ref. C-311/18), in particular due to national laws that provide for far-reaching access possibilities of U.S. authorities to data of American companies.

The author of the opinion concludes, among other things, that the term "electronic communication service provider", which is central to the applicability of Section 702 of the US Foreign Intelligence Surveillance Act (FISA), is to be understood very broadly. Powers of the U.S. authorities to demand the surrender of certain data files, even if a company is to be considered an "electronic communication service provider" only with regard to one service, are not limited to data in connection with that service.

The DSK has announced that the data protection supervisory authorities are currently evaluating the consequences resulting from the findings of the expert opinion. The expert opinion does not have any direct binding effect on the assessment of individual cases. According to the DSK, however, the supervisory authorities will take the report into account in their activities.

(Johanna Schmale)

Data protection incident: security vulnerabilities in the Swiss organ donation registry

A data protection incident has occurred at the national organ donation registry of the "Schweizerische Nationale Stiftung für Organspende und Transplantation" (Swiss National Foundation for Organ Donation and Transplantation, Swisstransplant). In the organ donation register, it was possible to register any person online without identity verification, and without that person's knowledge or consent.

The security vulnerability was discovered by IT security firm ZFT.Company, which on Jan. 18, 2022 published a detailed report on the incident on its website. In Switzerland, organ donation requires the informed consent of the person concerned. In this respect, the ZFT.Company criticized the registration and consent process, as well as the portal's authentication mechanism and its insufficient checking of the input parameters. According to the company, patients on the waiting list for organ donation are particularly affected by the security gap. It is not verifiable which author submitted which decisions in the register.

The incident is being investigated by the Swiss Federal Data Protection and Information Commissioner (FDPIC). In the meantime, he has published a short statement in which he announces, among other things, the opening of a formal fact-finding investigation.

The case shows that inadequate technical and organizational measures can lead to serious security breaches in a company, with inadequate protection of particularly sensitive personal data posing an especially significant risk to data subjects.

(Johanna Schmale)