GDPR Laws on the Internet: The Key Rulings and Risks
The General Data Protection Regulation (GDPR) has been in force in the European Union since May 2018. From then on, courts and policy-makers have repeatedly been busy underpinning the legal requirements with experience from practice. This results mainly in regulations being declared invalid by new rulings or leading to adjustments. Staying on top of the GDPR developments, we shed light on what it means for businesses and how you can protect your business.
In May 2023, the European Court of Justice (ECJ) handed down an important ruling on the subject of compensation for damages in the event of data leaks. If customers' data is leaked to the public, the company that caused the leak may now be obliged to pay - even if there is no concrete evidence of damage.
Claim For Compensation
The first judgment of the European Court of Justice deals with the claim for compensation under Article 82 of the General Data Protection Regulation (GDPR). This section regulates the right of compensation for people affected by data protection breaches. Previously, it was considered that a certain materiality limit existed, which ensured that compensation for minor damage caused by data protection breaches was not possible. Damage therefore had to reach a quantifiable threshold before it could be compensable.
The European Court of Justice has now revised this approach and stipulates that damage does not have to exceed a certain threshold before those affected are entitled to compensation. The judges argue that this approach has long been common for minor injuries to property, such as scratched car paint, and that this also applies to data protection - even if the damage is not always immediately apparent.
European Data Protection Society (EuGD) vs. Scalable
This view is exemplified by a series of judgements against the online broker Scalable, whose customer data fell into the clutches of hackers. As a german legal tech, EuGD regularly represents those affected by data protection violations and has now dealt with a case in which a Scalable customer was blackmailed with his data by criminals. He received an email with a scan of his ID card. The court then awarded the affected person 1,200 euros in damages.
This ruling is not the first of its kind: Already in 2021, EuGD won 2,500 euros in compensation after customer data was stolen from Scalable. This decision mainly took into consideration the fact that the security breach was the responsibility of the company, even if there was no misuse of the data by third parties (case number 31 O 16606/20). The data became accessible to criminals via a service provider with whom Scalable had not worked for some time. However, the company had failed to change the access data to the IT systems used by the service provider. Unauthorised persons had taken advantage of this glaring security gap. According to the court, this was an avoidable incident and thus a data protection violation.
Problem: How To Quantify The Damage?
The question of compensation for damages, however, continues to pose challenges for the courts, as a concrete sum is difficult to quantify if those affected by data protection violations have not suffered any material damage in a clear amount. Important aspects in the assessment so far have been, for example, how criminals got hold of the data, how sensitive it was and whether there was any misuse.
Conclusion: The Legal Risk Increases
The ruling is pleasing for those affected and reason enough for companies not to get too comfortable with data protection. Because even if you commit a data protection breach and the damage to those affected cannot be quantified, it is now possible that you will be sued for non-material damages - the risk of a legal dispute has therefore increased significantly. Therefore, adhere precisely to the legal requirements and protect your customers' data comprehensively.
This also includes protecting your business from cybercrime. Data is highly sought after by hackers. Read here how you can protect yourself: Hacker Attack: How to Protect Your Business from Cybercrime.
In addition to the regulations on personal data within the EU states via the GDPR, the regulation of data transfer to third countries is also important. Under current law, personal data is not actually allowed to leave the European Economic Area (EEA) at all – unless the transfer takes place based on a valid transfer mechanism, such as standard contractual clauses. But the rules for personal data also apply when they are transferred across borders to countries with different legislation. To ensure compliance, the legal framework offers three options:
- The EU Commission considers the data protection of a third country to be adequate if it is based on a bilateral agreement. Such an adequacy decision exists, for example, with Japan and the UK.
- There are “binding internal data protection regulations”, so-called Binding Corporate Rules. These are guidelines for handling personal data, which the Article 29 Data Protection Group (also known as the European Data Protection Board) of the European Commission has developed.
- The inclusion of approved declarations of commitment in contracts, so-called standard contractual clauses, is particularly common in this regard. The ECJ confirmed these clauses as a valid transfer mechanism for data in its “Schrems II” judgment.
The Privacy Shield, which regulated the transfer of personal data, existed with the USA until July 2020. But this was declared invalid by the European Court of Justice in the judgment known as “Schrems II” (named after the Austrian lawyer and data protection activist Max Schrems, who also filed the lawsuit). The reason for this is that the legal situation and the monitoring practices by secret services in the USA cannot be reconciled with European data protection.
Following the fall of the Privacy Shield, the European Commission adopted two standard contractual clauses in June 2021, which take into account the new requirements of the GDPR and the ECJ ruling and are intended to replace the Privacy Shield data transfer system. These are standardised and pre-approved model data protection clauses that you can include in contractual agreements and that provide you with an easy-to-implement template for meeting data protection requirements.
You can download both standard contractual clauses in several languages from the European Commission’s website:
- Standard contractual clauses for international transfers
- Standard contractual clauses for controllers and processors in the EU/EEA
The example of Google shows that there is still great uncertainty for companies when it comes to data transfer to the USA. On the one hand, almost no website operator can avoid Google services - on the other hand, Google’s headquarters are still in the USA and the legal situation regarding data transfer remains uncertain. This uncertainty has already led to several written warnings in Germany and Austria because of Google Fonts and Google Analytics.
Google Fonts Wave of Warnings
In January 2022, the Munich Regional Court ruled that the use of Google Fonts on websites “undisputedly” transmitted the dynamic IP addresses to the Google servers in the USA. According to Article 82 (1) GDPR, the plaintiff was awarded damages of 100 euros for “individual malaise”. Although the verdict is an isolated case, some lawyers and associations that specialise in legal warnings sensed an opportunity, so numerous website operators received written warnings for the remote integration of Google Fonts in autumn 2022.
exali customers were also among those that received legal warnings. Over 100 of them contacted our insurance experts in October and November 2022 after receiving a legal warning about Google Fonts. Due to the high number, we contacted the insurer and prepared a reply letter that we made available to our customers.
More than 100 exali customers contacted our insurance experts by the end of October 2022 because they had received a written warning for the use of Google Fonts.
Google Analytics to Be Banned Soon?
While the wave of legal warnings about Google Fonts in Germany and Austria is still ongoing, the next problem for website operators is already in the starting blocks: Google Analytics. After Austria, France and Italy, the Danish data protection authority also declared the use of the tool illegal in September 2022. This is because Google transfers user data outside of the EU. Google has already reacted with the introduction of Google Analytics 4, but: the Danish data protection authority sees problems here too, because IP addresses are also used to determine the whereabouts of the users - although the IP address is then deleted, depending on the whereabouts there may still be a direct connection to US before the deletion.
In October 2022, US President Joe Biden passed a new executive order. It is supposed to serve as the basis for a new EU-US data transfer agreement, which will be published in March 2023. The executive order stipulates that US intelligence services’ access to data be limited to what is “necessary” and “proportionate” and formulates twelve goals intended to justify the use of mass surveillance. In addition, the executive order includes a two-tier mutual legal assistance mechanism that EU citizens can use to lodge complaints against unlawful access to their data.
However, data protection advocates consider the executive order to be far from sufficient to justify a new adequacy decision. This is because on the one hand, it is only an administrative order issued by decree that can be revoked without further ado, and on the other hand, the real problem - the surveillance laws of the USA - continues to be ignored. The Austrian non-governmental organisation NYOB, which is also the driving force behind the Schrems rulings, has already announced that it will challenge the changes before the European Court of Justice.
It can be concluded from this that there is currently a lack of legal certainty when it comes to third-country transfers and this gap will not be closed in the foreseeable future. The global convergence of different data protection laws remains a major issue that raises more questions than answers for the companies concerned. In order not to be completely helpless in the face of the current uncertainty, companies should analyse their processes for data transmission to third countries on their own initiative and carefully document the results. This helps you create a foundation, so you are not completely unprepared if the authorities conduct an audit.
Insurance Against GDPR Violations
As far as legal warnings and claims for damages are concerned in terms of the GDPR, we can protect you financially if you have taken out Professional Indemnity Insurance through exali.com. In these cases, the experts check the written warning for data protection violations at their own expense to determine whether the claim is justified and pay the justified claims for damages. If there are doubts about the legality of a written warning, Professional Indemnity Insurance defends the claim and also assumes the costs (e.g. for lawyers, experts, courts). The same applies in the event that others receive a fine due to your failure to perform the service or work provided (e.g. one of your customers) and claim this fine back from you in the form of compensation for damages. These “third-party fines” are also covered by Professional Indemnity Insurance via exali.
Fines imposed on you by a court or a data protection authority for a data breach are also insured as part of your Professional Indemnity Insurance (provided that this assumption of costs is legally permitted in the individual case).
If you have any questions about how to protect against data protection violations, you are welcome to contact our customer service - you can reach the exali customer advisors by phone from Monday to Friday 9:00 a.m. to 6:00 p.m. (CET) on +49 (0) 821 80 99 46-0 or via the contact form.
A good website not only needs an appealing design and informative content, but must also comply with the requirements of the GDPR. Otherwise you face legal warnings - from data protection authorities, but even more likely from competitors. The basic requirements for a data protection-compliant website are as follows:
- SSL certificate: Encryption according to HTTPS
- Privacy by design: Your website should be technically set up in such a way that only the data that is actually required and permitted is collected
- Privacy by default: This principle means that the website already has data protection-friendly default settings that serve to protect the privacy of users. This is intended to protect users who are less tech-savvy and who, for example, do not know how to adjust their data protection settings.
Legal Notice / Imprint
A GDPR-compliant imprint must contain the following information:
- Information on the responsible data controller: Name of the website operator or company and address
- Contact details of the website operator: In any case, an email address and a telephone number must be given here.
- Legal mandatory information for companies: Legal form, register entry and VAT tax identification number (if available)
The handling of cookies has been confusing website operators for years, because the GDPR actually has nothing at all to say on the subject. Therefore, an ePrivacy regulation should actually have come into force at the same time as the GDPR, but this has been postponed again and again and is currently in a trilogue between the EU Council, EU Commission and EU Parliament. Entry into force before 2023/24 is unlikely.
However, the GDPR stipulates that users must agree to the processing of their data. The Viennese non-governmental organisation NOYB therefore started a scan of more than 3,600 websites in March 2021 and submitted more than 700 complaints to the companies whose cookie banners had a misleading design and/or no “reject” banner in the cookie banner. In order to make the cookie banner GDPR-compliant, a cookie consent tool is currently recommended.
A cookie consent tool is recommended if you use tools that are not just required for the technical operation of your homepage. This includes tools such as:
- Google Analytics
- Facebook Pixel
- LinkedIn Events, Twitter Events
- Marketing tools
The consent tool works like a mask that you place over your website. It has both a button with which you agree to the use of non-essential cookies and one with which you can reject it. In addition, users can also choose which tool they agree to - if no tick is set, these cookies will actually be blocked.
If you integrate contact forms on your website, they must also be GDPR-compliant. Generally, if you give your website visitors the opportunity to contact you via a contact form, no explicit consent is required to process the data, as there is a legitimate interest. This means you have a legitimate interest in responding to and contacting interested parties. BUT - you still have to include a data protection notice according to GDPR in EVERY contact form on your website. Users must confirm that they have read this data protection notice and agree to it - the easiest way to do this is to click a checkbox - before the contact form is sent.
Important: Inform the users about the following points in the data protection notice:
- How is the data processed?
- For how long is data stored?
- What are the rights of data subjects?
- What does the data protection declaration say?
Commissioned Data Processing According to GDPR
If a company commissions third parties (e.g. external service providers) and they process personal data as part of the order, then this is considered commissioned data processing.
In this case, the company must enter into a data processing agreement (DPA contract) with the service provider in accordance with Art. 28 GDPR. This regulation also applies if companies use tracking software (e.g. Google Analytics) or outsource their accounting or data centres.
Clients should never rely on service providers to take care of data protection, they remain primarily responsible for this!
If you operate an online shop, the same requirements apply as for the website plus the following additional ones:
- Legal texts: In addition to the imprint and data protection declaration, you must also provide users with a withdrawal policy including a withdrawal form template, as well as payment and shipping instructions and general terms and conditions.
- Encrypted forms: Customer data is transmitted from the shopping cart using a form. This process must be encrypted so that no data can be accessed from outside. In addition, only the data that is necessary for the fulfilment of the respective task should be requested.
- Record of processing activities: All operators of an online shop are obliged to document all regularly occurring data processing processes in a so-called record of processing activities (RPA).
- Documentation of technical and organisational measures: In order to meet the requirements of the GDPR, you must document technical and organisational measures such as data backups, data encryption, access to data processing systems or control of the goods or office space both in your online shop and at the physical headquarters of your company.
Newsletters are still one of the best tools to communicate with your customers and promote your offer. In order to make the newsletter GDPR-compliant, you have to keep the following in mind:
- Registration form: Only the email address and the consent to data processing may be mandatory fields for the newsletter registration. All other information (e.g. first name/surname, address, interests) must be voluntary.
- Double opt-in: A newsletter registration is only valid if users have confirmed the registration via double opt-in.
- Newsletter tools: If you use external newsletter tools, you must include them, including information on data processing, in your data protection declaration.
- Unsubscribing: In principle, each of your newsletters must contain a link to unsubscribe in the footer.
We have also summarised details for a legally compliant newsletter for you in this article: Legally Secure Newsletter Marketing: This Is What You Need to Know
Marketing without social media - hardly imaginable! If you use social media channels for your business, there are also some GDPR requirements here:
- If you use plugins such as Facebook Pixel or LinkedIn Event, these must be listed in the data protection declaration. In addition, users must individually agree to the use of these in the cookie banner or be able to reject them individually.
We have described in detail in the following article how you can make your business accounts in social networks legally secure and GDPR-compliant: Facebook, Instagram, Twitter & co.: An Overview of the Risks in Social Media
First of all, it is important to know that a GDPR warning does not always have to come from a supervisory authority. In fact, many legal warnings are issued by competitors or, as the example with Google Fonts illustrates, by lawyers and associations who are trying to capitalise on a judgment. Most often, (alleged) violations on one’s own website are the subject of legal warnings.
A look at the GDPR portal, which records both GDPR violations and violations of other data protection laws, shows that the most common reasons for fines by authorities are the following:
- Data protection violations in the processing, use or security of personal data
- Inadmissible monitoring of employees - the German company Notebooksbilliger.de received a hefty fine of 10.4 million euros for this in 2021. You can find more about this in the following article: Data Protection: 2021 Is the Year With the Highest Fines to Date
- Use of outdated software
- Late reporting of a data breach
This checklist tells you the most important thing about dealing with data protection authorities that can be learned from past cases – especially when dealing with personal data processing:
- If you become aware of a data breach or data violation, seek professional advice immediately and, if necessary, report it to the relevant authority
- Work closely and transparently with the data protection authority and do everything you can to keep the damage as low as possible - this will have a mitigating effect on the sentence
- Never forget to conclude an data processing agreement with service providers and remember: You cannot relinquish responsibility, you remain the main responsible controller for data protection
- Also pay attention to data protection in everyday correspondence by email. It is always best to check several times that no email addresses are publicly visible.
Daniela has been working in the areas of (online) editing, social media and online marketing since 2008. At exali, she is particularly concerned with the following topics: Risks through digital platforms and social media, cyber dangers for freelancers and IT risk coverage.
In addition to her work as an online editor at exali, she works as a freelance editor and therefore knows the challenges of self-employment from her own experience.