Interview with Dr Simon Menke, Otto Group Holding, on GDPR challenges in companies

Author: Gerhard Walter, Editor, Solutions by HANDELSBLATT MEDIA GROUP GMBH

Topics:

  • the GDPR as a challenge for corporate groups operating across Europe
  • Data protection through pseudonymisation
  • Requirements for the burden of proof

After more than two years of GDPR, what are the biggest implementation challenges?

In my opinion, the biggest challenge is that there is still no reliable case law on many important areas of the GDPR, which means viewpoints on individual topics vary widely. Happily, the German data protection authorities have now made statements on relevant topic fields. But naturally, in terms of content these statements cannot always be completely correct, as the Orientation Guide for Telemedia Providers has shown. So often, if a company follows the statements or other established views but the courts then decide otherwise, the company cannot simply change the procedure it’s implemented, particularly if technically complex data processing is involved. In addition, corporate groups that operate across Europe are confronted with the fact that because of the legal histories of individual EU member states, different interpretations of the GDPR exist. But to implement a group-wide data protection management system effectively – especially with regard to controls – the same internal guidelines need to apply to all group companies. Obviously this excludes special national regulations on data protection, which are based on the use of opening clauses in the GDPR by individual member states.

Do you think companies have to meet higher data protection standards because consumers have become more critical?

Companies have to observe existing data protection regulations not because consumers have become more critical, but because it’s in the best interests of value-driven companies, and an important compliance task. But in practice, the fact that consumers have become more critical makes non-compliant data processing visible, because the number of complaints to the data protection authorities increases. But surely no company with a long-term data protection strategy would knowingly accept legal violations in the hope that they would not be detected or made public. The fact that consumers are now more critical also means the practical workload for companies has increased massively, for example due to the higher number of data subject rights that are exercised.

To what extent does the need for voluntary consent add to companies’ workload?

Voluntary consent was required before the GDPR took effect, although the coupling ban regulated in the BDSG (2009) was less strict than the standardised one in the GDPR. Based on practical experience, many sides now believe companies should first try to map data processing on a different legal basis than on the obtaining of consent. On the one hand, this is because the legal requirements for obtaining legally compliant consent are relatively high, which leads to uncertainties. On the other hand, most potential users – especially online – don’t actually read declarations of consent because of ‘click fatigue’ – for example when permanent opt-in banners get on their nerves. The responsibility for that lies with legislators, not with companies. In my view, striving for effective data protection via very good pseudonymisations – not by obtaining consent – is far more appropriate for consumers and data processing companies alike. It would be good if the European legislature were to re-emphasise in discussions, especially during the negotiations on an ePrivacy Regulation, the fact that obtaining consent is not – as previously claimed – the ideal route for legitimising data processing. Of course, obtaining consent must be mandatory in some data processing fields – for example when health data is involved.

What problems can arise in practice?

One major challenge with regard to obtaining consent involves fulfilling the burden of proof obligation as defined in Article 7 (1) GDPR. A few years ago, email marketers developed the ‘double opt-in procedure’ as proof of consent. But in certain constellations, delivering proof can be difficult or laborious. Obtaining consent for online tracking is one example worth mentioning here. This fact urgently needs to be considered as part of the requirements that apply to the obligation to provide evidence.

Do you use the German government’s corona app?

Yes, I do. For me personally, using it is an important part of the social solidarity we need in the difficult situation we currently face.

Simon Menke is head of Corporate Intellectual Property and Data Protection at the Otto Group Holding. His responsibilities include providing legal advice in the field of data protection to Otto Group companies. He led the group-wide project to ensure the implementation of GDPR requirements, and advises on almost all topics of data protection. Before joining the Otto Group in 2012, Simon Menke worked as a lawyer in a Hamburg law firm that specialises in intellectual property law and data protection.