Traditionally, the Autumn Conference and the subsequent Authorities Day organized by the German Association of Data Protection Officers (BvD) are devoted to current developments in data protection. At the sixth edition of the conference, held in Stuttgart from October 26 to 28, presentations and debates focused on questions regarding the EU’s digital files and the new plan for a new Trans-Atlantic Data Privacy Framework (TADPF) with the United States. Michael Will, President of the Bavarian State Office for Data Protection Supervision, appealed to the approximately 250 company and about 150 authority DPO’s in Stuttgart to deal with the planned legislative projects such as the Digital Services Act, the Digital Markets Act, the Data Act and the planned AI Regulations in good time. This is because, if translated into German law, there could well be further tasks for state data protection commissioners, as well as company and authority data protection officers. “Look for guidelines from the European Data Protection Board, not short papers from the German Data Protection Conference,” Will appealed to the participants.

Here you can read statements of the keynote speakers on selected issues:

How has the EU changed data protection?

Renate Nikolay, Head of Cabinet of the Vice President of the EU Commission and Commissioner for Values and Digital, Véra Jourová

With the Digital Services Act, the Digital Market Act, the Data Act, the Data Government Act and the AI Act, the EU wants to commit the big data companies like Google, Apple or Meta to the European understanding of data protection. Behind this is the realization that the digital transformation can only succeed with functioning data protection and efficient economic use of data. The goal is to use the files to put an end to the Wild West of digitization and bring order to the use of data within Europe.

Even though the EU Commission has long been providing better protection for data subjects in the EU against data misuse step by step, the Data Act and the Data Government Act were developed very quickly. Therefore, constructive-critical voices are very important in the legislative process. The EU Commission is trying to achieve a lot and to establish an original European approach, for example in comparison to the data-driven companies in the American Silicon Valley. But now it is first a matter of finalizing these acts, implementing them and making sure they work.

The EU has made a big promise to control the big platforms more effectively. In doing so, it has once again created a regulatory reference point for the world alongside the GDPR in data protection. The U.S. in particular envies our modern horizontal data protection regime because it recognizes that in its country, data protection fragmentation is almost impossible to contain. Data protection and digital transformation made in Europe, which put people at the center, are becoming a momentum between autocratic and democratic states. That’s why we need to solidify strategic alliances with states that take a similar approach to digital transformation as we do. And that includes the United States. I am confident that we will work out a data transfer regime and an adequacy decision with the U.S. that can stand up to another lawsuit by, say, Max Schremms in the European Court of Justice.

More generally, the GDPR in its fifth year shows that it has definitely developed teeth: More and more, the supervisory authorities in the member states are making large fine decisions, which have so far added up to around 1.5 billion euros. In addition, cooperation between supervisory authorities in cross-border disputes is becoming more pliable. Nevertheless, we want to further strengthen cooperation among EU states and with the European Data Protection Board. Similarly, we must continue to educate SMEs and small businesses and support data protection supervisors’ proactive dialog with citizens and businesses.

What impact will the pandemic have on data protection?

Dr. Jan Wacke, Deputy Director of the LfDI Baden-Württemberg 

Various fundamental rights were restricted in the pandemic, including freedom of assembly, freedom of trade and profession, and freedom of movement. But there were also many encroachments on the fundamental right to data protection; consider the collection of contact data in cafés and restaurants, the disclosure of health data and other sensitive information in many everyday situations, or the processing of health data by employers, for example.

By and large, these pandemic-focused measures were compatible with the GDPR. Even in the crisis situation, the Regulation proved to be flexible enough, among other things because of its opening clauses. [For example, an important opening clause was in Article 9, paragraph 2, letter i DSGVO. This clause allows the processing of special categories of personal data for the protection against serious health risks].

To be sure, individual aspects of these pandemic regulations were problematic. Often, the legislators and regulators did not comply with the obligation to consult under Article 36(4) of the GDPR. Data protection deficiencies of individual standards (e.g., the distinction between lawful processing/processing by virtue of consent, the guarantee of adequate and specific measures within the meaning of Article 9(2)(i) GDPR, for example, by imposing a legal obligation of secrecy on test centers) could possibly have been avoided if the consultation procedure had been carried out. This could also have contributed to a better acceptance of the standards by reducing the number of regulatory changes. However, one of the basic problems faced by standard setters during the crisis was certainly the urgency of regulatory action.

In addition to regulatory intervention, there were numerous practical deficits in the implementation of data protection requirements. Particularly noteworthy, for example, were the deficiencies in technical and organizational data protection in contact data processing or at test centers.

At another level, the pandemic promoted profound social developments: It pushed cashless payment, established digital communication as a new standard in both professional and private life, and gave an enormous boost to digitization in schools, universities, and the healthcare sector. Unfortunately, digital literacy has not kept pace and has often given way to an uncritical belief in digitization.

During the pandemic, “data protection” was sometimes branded as a “super fundamental right” that hindered such developments and the fight against the pandemic. Where did this (inaccurate) perception come from? Unlike other fundamental rights, informational self-determination has been given special “guardians” in the form of data protection supervisors and data protection commissioners in view of the threats that are difficult for the individual to understand and the individual’s limited ability to defend himself or herself. In many cases, the pandemic broke new legal ground for which there was as yet no case law. In view of the length of legal proceedings, there was hardly any guidance from the third estate. As a result, the “privacy watchdogs” came into sharper focus. On the other hand, the pandemic has shown in an exemplary manner that data protection and digitization go very well together, and can even promote each other (for example, through the Corona warning app, the Luca app, etc.).

In the wake of the pandemic, it is now up to us supervisory authorities to first look at where and when there is still a “pandemic” at all, for which interventions in data protection would (still) be necessary. We also want to use digitization with integrated data protection. In Baden-Württemberg, for example, we are in talks with a number of start-ups in the healthcare sector about how data use and data protection can go hand in hand.

As an indirect consequence of the pandemic, the handling of research data in the healthcare sector has also come into sharper focus (even if the associated national and European legislation can hardly be understood exclusively as a means of dealing with the pandemic). Particularly in research with health data, data protection must be understood as a condition for the acceptance of data processing. Data protection in research is therefore not just about the individual interests of those affected, which would have to be weighed against the interest of the community in progress through research. Rather, there is at the same time a public interest in safeguarding data protection with a view to acceptance (for example, also of the health care system “producing” the data). In other words, safeguarding data protection is ultimately in the interest of the data controller, especially in the case of research with health data.

What’s next for data transfer to the USA?

Alexander Filip, Business and Division Manager for International Data Transfer at the Bavarian State Office for Data Protection Supervision

If we talk about data transfer to third countries, it quickly becomes apparent that this wording alone raises many questions. In the interpretation of the European Data Protection Committee EDSA in the Guidance Paper No. 5/2021 of 18.11.2021 it is stated what is to be understood as data transfer to a third country at all. The EDSA is currently working on a second version. Whether this will be available by the end of the year is still open.

According to the current first version, the EDSA speaks of data transfer to a third country when a controller or processor transfers personal data to another controller or processor in a third country. Thus, the data flows from one controller or processor to another. The final version of the paper remains to be seen, there could still be some clarifications, but this is currently still under discussion.

In practice, it is not always easy to determine which data protection role a data recipient in a third country has in a specific case. However, the answer to the question of whether a transfer to a third country exists according to the interpretation of the EDSA presented above depends on this: Data disclosure is only a transfer to a third country if the recipient in the third country is to be classified as a processor or controller separate and distinct from the transferor.  There are a number of scenarios that can be argued about here. The supervisory authorities are considering whether further such scenarios will be exemplified in the final version of the above-mentioned paper and classified accordingly in legal terms.  If, for example, an employee on a business trip logs into the intranet of the home company via remote access and thereby accesses personal data, the EDSA does not consider this to be a transfer to a third country because the employee is not a separate controller or processor. But couldn’t the infrastructure used by the employee in the third country or the access possibilities existing there for authorities there make the use of the data insecure? This question is valid and shows that the specific risks arising from third country contact must be taken into account even if the scenario is not legally assessed as a “transfer to a third country” – in the traveling employee scenario, for example, in the context of measures under Article 32 GDPR.

Another possible dispute: a company from Europe maintains its own server in the USA. Again, the first EDSA draft does not provide for data transfer to a third country. But what about the risks arising from the operation of the server in the third country? Here, too, the above considerations apply accordingly.

Likewise, the EDSA does not see any data transfer if a company in Europe transfers data to a branch office in Singapore, for example – unless the branch office is to be classified as a separate processor (or controller) in the specific case.

Regarding Google Analytics, we share the legal assessment of the supervisory authorities of Austria, France and Italy, which have already issued rulings in this regard – according to which the transfer of personal data in the context of the use of Google Analytics (at least in the cookie-based variant) violates Chapter V of the GDPR because the “additional measures” offered by Google are not sufficient, in the view of the aforementioned authorities and also of the BayLDA, to ensure a level of protection equivalent to the EU level of data protection. Conceivable are Google Analytics variants in which so-called server side tracking is done, i.e. when the tool is used without the use of a cookie and without unique IDs contained therein. However, even in this variant, the use can only be permissible if further requirements are met – namely, only if, regardless of the lack of unique IDs, no data is transmitted to Google beyond this that would allow the user to be identified. The French data protection authority has stated a number of requirements for this on its website, which are shared by the BayLDA. Whether the tool is at all interesting for the using company under these conditions is then another question.

Another frequently asked question is whether Microsoft 365 complies with data protection law. Unlike the supervisory authority in Baden-Württemberg, the BayLDA has not undertaken a comprehensive data protection assessment of the use of this software in schools, for example. The supervisory authority in Baden-Württemberg saw, among other things, ambiguities as to what data Microsoft processes in total and for what purposes.  Based on the information available to the BayLDA to date, we do not currently see any circumstances regarding the use of MS365 that would require supervisory measures to be taken with regard to the use of Microsoft 365 by the bodies subject to the supervision of the BayLDA.

The Executive Order presented by US President Joe Biden, which is to become part of the successor regime to the EU-US Privacy Shield, appears to be a not insignificant step forward compared to the previous standards under the old Privacy Shield. In particular, the data protection court to be established at the U.S. Department of Justice, where data subjects from the EU whose data has been transferred to the U.S. can seek legal protection, appears to have made some progress with regard to the independence and the competences of this body. At any rate, this is an improvement over the ombudsperson, which was anchored in the EU-US Privacy Shield and which the ECJ classified as inadequate in the Schrems II ruling.

However, the changes set out in the Executive Order have yet to be implemented on the U.S. side. In addition to the establishment of the above-mentioned data protection court, these include a number of changes in the internal procedural regulations and policies of various U.S. intelligence agencies; in this respect, the Executive Order provides that changes are to be made to take account of the principles of necessity and proportionality of data access urged by the European Court of Justice. So far, these changes have not been completed. Only when the U.S. side confirms this to the European Commission will the Commission be able to issue the decision envisaged as a successor to the Privacy Shield. As long as the changes have not been implemented, European companies wishing to transfer data to the U.S. cannot assume that the problems identified by the European Court of Justice with regard to the situation in the U.S. have been resolved.