Dear readers,

The processing and exchange of personal data is constantly increasing in the course of the digital transformation. Within the EU, the requirements to be met by data processing result primarily from the General Data Protection Regulation (GDPR). This regulation should sufficiently protect the fundamental rights and freedoms of data subjects. At the same time, the free movement of personal data within the EU must not be unreasonably restricted or prohibited. The anonymization project of the Data Protection Foundation also operates in this area of tension. For anonymized data sets, there are significantly greater possibilities for use, since by removing the reference to a person, the scope of data protection law and thus the many strict specifications are left behind. However, the process of anonymization is not regulated in more detail in the GDPR and there is also a lack of official specifications or guidelines in other respects, which has sometimes led to uncertainties in practical implementation. In order to counter these uncertainties, uniform points of orientation for responsible persons were to be developed within the framework of the anonymization project on the basis of already existing procedures and criteria, guidelines and proposals for action. These, in turn, should serve as a starting point for rules of conduct on anonymization in accordance with Art. 40 of the GDPR. The results of the project, which take into account and evaluate both the legal and regulatory requirements for anonymization, will be presented at an event hosted by the Data Protection Foundation in Bonn on December 7, 2022.

In our data protection newsletter, we regularly inform you about current developments in data protection law. As usual, you will find articles on events in data protection law in this issue, including the Advocate General’s opinion on the requirements for immaterial damages, the ECJ’s decision on the scope of the obligation to delete data in the event of consent revocation, and the current fine imposed by the Irish supervisory authority on Meta Group.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Employer access to employee e-mail accounts

A large number of employees have a business e-mail account for the performance of their duties. Occasional access to these e-mail accounts is a relevant issue for many companies. In practice, the question frequently arises as to whether or in which cases and to what extent the employer may access the business e-mail accounts of its employees and what requirements must be observed in this regard.

Of particular practical relevance here is, on the one hand, the case where access to an employee’s e-mail box is required in order to be able to process the employee’s business correspondence in the event of the employee’s absence. On the other hand, in certain cases employers have an interest in checking whether an employee’s e-mail account is being misused, for example for private communication during working hours or even for passing on business secrets.

To the complete main topic

New standard contractual clauses: Deadline for conversion of old contracts ends

In June 2021, the European Commission adopted new standard contractual clauses in response to the “Schrems II” ruling of the European Court of Justice (ECJ, judgment of July 16, 2020, Ref. C-311/18), which will now serve as appropriate safeguards for compliance with European data protection standard and will be used to secure international data transfers. We already reported extensively on this in the main topic of our data privacy newsletter in July 2021. The transitional period of 18 months provided in Article 4 (4) of the Implementing Decision for the conversion of the old standard contractual clauses to the new clauses will now expire at the end of the year. Specifically, companies can only use the old regulations to safeguard data transfers to third countries until December 27, 2022.

Companies should therefore promptly check whether the new standard contractual clauses have already been concluded with all service providers and partners who transfer personal data to or process data in a third country. If this is not the case, a switch from the old to the new clauses must be made by December 27, 2022, at the latest, as otherwise there will be no resilient legal basis for the third-country transfer, unless other safeguards have been put in place.

(Christina Prowald)

Advocate General: Requirements of the immaterial claim for damages

In the preliminary ruling proceedings UI v. Österreichische Post AG, the Advocate General of the European Court of Justice (ECJ) published his opinion on October 6, 2022 (Opinion of October 6, 2022, Ref. C-300/21). The content of the opinion relates to the prerequisites for a claim for damages under Article 82 of the GDPR.

The background to the preliminary ruling procedure is a legal dispute before the OGH in Austria, in which the plaintiff asserted a claim for damages under Article 82 of the GDPR against Österreichische Post AG in the amount of 1.000 €. The defendant had processed information about the political views of its customers without their consent. The plaintiff, who was also affected by the data processing, stated that he was annoyed, angered and offended by the data processing and claimed damages from the defendant on the basis of this. The party affinity attributed to him was an insult and shameful as well as damaging to his credit, he said. The behavior of Österreichische Post had caused him great annoyance and a loss of trust as well as a feeling of being exposed. In order to clarify whether the claimant’s allegations were sufficient for the award of damages, the OGH first submitted the question to the ECJ whether the claim under Article 82 of the GDPR requires, in addition to a breach of provisions of the GDPR, that the claimant has suffered damage or whether the breach of provisions of the GDPR as such is already sufficient for the award of damages. In addition, the Supreme Court wanted to know, among other things, whether it is a prerequisite for the award of immaterial damages that there be a consequence or result of the infringement of at least some weight that goes beyond the annoyance caused by the infringement.

The Advocate General now stated that for the recognition of a claim for damages suffered by a person due to a breach of the GDPR, the mere breach of the standard as such is not sufficient if it is not accompanied by material or immaterial damage. In the absence of damage, damages would no longer fulfill the function of compensating for adverse consequences and would rather have the legal nature of a sanction. He further commented that the immaterial damage claim regulated in the GDPR does not extend to mere annoyance to which the violation of its provisions may have led the data subject. If damages for weak, temporary feelings and emotions in connection with violations of data protection law are rejected, the data subject is not completely deprived of rights; the system of the GDPR then offers other remedies. It was ultimately a matter for the national courts to work out when, on the basis of its characteristics, the subjective feeling of displeasure could be regarded as immaterial damage in an individual case.

It now remains to be seen whether the ECJ will follow the opinion of the Advocate General, which is also held by many German courts. It is to be hoped that the decision will provide a remedy to the current great legal uncertainty.

(Christina Prowald)

LG Köln: Compensation for unauthorized disclosure of employee data to the employer

On September 28, 2022, the Regional Court of Cologne ruled that the unauthorized disclosure of an employee’s personal data to the employer by another company gives rise to a claim for damages in the amount of 4.000 € (LG Köln, judgment of September 28, 2022, Ref. 28 O 21/22).

The plaintiff purchased a passenger car from a company. At the request of the plaintiff, communication with the company took place via his professional e-mail account. When problems eventually arose with the financing and the plaintiff did not respond to messages, the company contacted the plaintiff’s employer and explained the situation in an e-mail. The plaintiff felt that his rights had been violated by this e-mail and the disclosure of the facts to his employer and demanded damages in the amount of 100.000 €.

The court stated that there was a lack of justification for the disclosure of the contractual relationship between the plaintiff and the defendant to the plaintiff’s employer. In particular, Article 6 (1) (1) (b) of the GDPR ("performance of a contract") could not be used as justification. In the absence of a legal basis, the data processing was accordingly unlawful. In addition, the infringement was so serious that it constituted a violation of the plaintiff's personality requiring compensation and triggered an obligation to pay damages. However, taking into account all the circumstances and consequences for the plaintiff, the court considered damages in the amount of 4.000 € to be sufficient as compensation for the damage incurred.

(Christina Prowald)

ECJ on the scope of the obligation to delete in the event of revocation of consent

In a recent ruling, the European Court of Justice dealt with the scope of the obligation to delete data in the event of the revocation of consent and decided that in the case where various controllers rely on a single consent, it is sufficient for the data subject to contact any one of the controllers to revoke his or her consent (ECJ, judgment of October 27, 2022, Ref. C-129/21).

In the case underlying the decision, Telenet, a Belgian telephone service provider, had provided contact information of its subscribers to providers of subscriber directories, including the provider Proximus. Proximus provides subscriber directories and directory assistance services that contain the name, address and telephone number of subscribers of the various providers of publicly available telephone services. Proximus also forwards the contact information to another provider of subscriber directories.

One of the subscribers requested Proximus not to list his contact data in its subscriber directories and those published by third parties. Proximus then changed the subscriber’s status so that his contact data was no longer to be published. However, Proximus subsequently received an update of the subscriber in question’s data from Telenet, in which the data was identified as “non-confidential”. The data was registered by Proximus according to an automated procedure in such a way that it appeared again in the subscriber directories.

Following the subscriber’s complaint, the Belgian data protection authority imposed a fine of 20.000 € on Proximus. Proximus appealed the authority’s decision to the Brussels Court of Appeal, which in the further course of the proceedings referred various questions to the ECJ for clarification.

The ECJ ruled that the publication of personal data in a public directory requires the subscriber’s consent. This extends to any further processing of the data by third parties operating in the market for publicly available directory assistance services and directories, provided that such processing has the same purpose. Consent did not require that the data subject knows the identity of all directory providers that will process his or her personal data at the time it was given. However, subscribers would have to be able to obtain the deletion of their personal data from the subscriber directories. In this regard, the ECJ confirmed that a controller such as Proximus would have to take appropriate technical and organizational measures to inform the other providers of subscriber directories to which it had supplied data of the withdrawal of the data subject’s consent. Such a controller would also have to inform the telephone service provider that had provided it with the personal data so that the latter would adjust the list of personal data to be provided. Indeed, if different controllers rely on a single consent of the data subject, it is sufficient for the data subject to contact any of the controllers to withdraw his consent. The ECJ also ruled that a controller must take reasonable measures to inform search engine providers of the request it has received from the subscriber of a telephone service provider to delete his or her personal data.

The ECJ’s decision shows that the exercise of the right to erasure should be made as simple as possible for the data subjects. In the event of a request for deletion following the revocation of consent, data controllers must therefore not only delete the data themselves, but also inform other data controllers of this under certain circumstances.

(Johanna Schmale)

DSK: Assessment on Microsoft 365

The Data Protection Conference (DSK), the association of independent German federal and state data protection supervisory authorities, published an assessment on Microsoft 365 on November 24, 2022. The DSK stated that the proof of operating Microsoft 365 in a data protection-compliant manner could not be provided by the controller through the data protection addendum of September 15, 2022 provided by Microsoft. As long as the necessary transparency about the processing of personal data from commissioned processing for Microsoft’s own purposes was lacking and its lawfulness was not proven, the proof could not be provided. The basis for this decision was the report of the Working Group DSK “Microsoft Online Services”.

The report shows that, among other things, the question of in which cases Microsoft is acting as a processor and in which cases as a controller could not be conclusively clarified. According to Article 5 (2) of the GDPR, data controllers must positively demonstrate that they comply with the data protection requirements of the GDPR (so-called accountability). In the case of Microsoft 365, however, this is not possible as long as Microsoft uses personal data for its own purposes but does not provide any further information on this. If there is a lack of corresponding information, information obligations pursuant to Article 13 and 4 No. 11 of the GDPR cannot be fulfilled. In addition, the working group also criticized Microsoft’s continuing far-reaching rights to disclose data “in order to fulfill legal obligations” as well as the insufficient safeguards for data transfers to the United States.

The Thuringian State Commissioner for Data Protection and Freedom of Information, Dr. Lutz Hasse, commented on the DSK’s determination as follows: “My supervisory authority will now – like the other data protection supervisory authorities – seek contact with those responsible in the public and non-public sectors to discuss a proportionate implementation of this legal situation. In this context, time aspects and alternative paths will be the subject of discussion.”

(Christina Prowald)

EDPS: Convention on Artificial Intelligence

On October 13, 2022, the European Data Protection Supervisor (EDPS) issued his Opinion on the European Commission Recommendation for a Council Decision authorizing the opening of negotiations on behalf of the European Union for a Council of Europe convention on artificial intelligence, human rights, democracy and the rule of law of August 18, 2022.

A first committee for artificial intelligence was already established in September 2019. A new committee was then tasked in April 2022 with negotiating a suitable legal instrument for artificial intelligence by November 2023. In parallel, the European Commission’s proposal for an AI regulation from April 2022 is currently going through the legislative process.

In his opinion, the EDPS, Wojciech Wiewiórowski, welcomes the start of negotiations on the Convention: “The Convention is an opportunity to develop the first legally binding international instrument on artificial intelligence in line with EU standards and values on human rights, democracy and the rule of law. To achieve this, the Convention should include adequate, strong and clear safeguards to protect individuals who may be affected by the use of AI systems.”

In addition, the EDPS makes the following recommendations for action:

• 1. The general objectives should focus on the protection and rights of individuals who may be affected by the use of AI systems. The Convention should be consistent with the existing EU legal framework on data protection.
• 2. AI systems that pose unacceptable risks to individuals should be prohibited. Specifically, the use of AI for certain purposes, such as social assessment of individuals and biometric identification of individuals in publicly accessible spaces, should not be allowed.
• 3. Special attention should also be paid to monitoring the use of AI systems. Procedural safeguards should be provided to protect individuals who may be affected by the use of AI systems.

 (Christina Prowald)

Data leak at Toyota: Hackers probably capture data from 300.000 customers

The car manufacturer Toyota announced on December 7, 2022, that probably almost 300.000 e-mail addresses of customers as well as the associated administration numbers were disclosed by hackers (press release dated October 7, 2022). After an investigation, the car manufacturer concluded that there were no signs of data misuse, but that unlawful access could not be ruled out either. The cause of the incident was the fact that part of the source code of the T-Connect website was inadvertently made publicly available on Github. The source code also contained an access key to the database server where customers’ data was stored. Drivers who use Toyota’s online service T-Connect are affected by the data leak. T-Connect is the automaker’s official connectivity app that allows the vehicle’s infotainment system to connect to a smartphone and retrieve driving and vehicle data. The company said that no other data such as names, phone numbers, credit card data or other information was affected by the incident.

There have already been several data leaks and data protection incidents at the Japanese company in the past. In March 2019, hackers captured data from 3.1 million customers. In February 2022, production had to be partially shut down after a supplier was affected by a cyberattack.

(Christina Prowald)

Ireland: Fine against Meta for Facebook scraping

The Irish Data Protection Commissioner (DPC) announced on November 28, 2022, that a fine of 265 million € and a number of remedies have been imposed on Meta Platforms Ireland Limited (Meta) (press release dated November 28, 2022). In terms of content, the focus was on compliance with the data protection requirements of the GDPR in the area of data protection through technology design and through data protection-friendly default settings. The complaint was that data from Facebook and Instagram users was widely accessible online. The DPC’s decision relates to a feature that allows users to find friends by importing contacts stored in their smartphone into the Facebook or Instagram app.

The data protection supervisory authority launched the underlying investigation back in April 2021 after it was revealed in the media that data records, including name, phone number and e-mail address, of nearly 533 million users from more than 100 countries were available online. Within the scope of the investigation, the “Facebook Search”, “Facebook Messenger Contact Importer” und “Instagram Contact Importer” tools in particular were examined and evaluated. One focus of the investigation was on the implementation of technical and organizational measures in accordance with Article 25 of the GDPR. The investigation also involved coordination and cooperation with the other EU data protection supervisory authorities, which agreed with the DPC's decision. Facebook informed that the possibility of scraping phone numbers has already been stopped and the decision is being reviewed.

(Christina Prowald)