data it law August 2017: consents under GDPR & the lawfulness of web scraping

The overview of interesting Data & IT Law articles and news in August 2017!


Several interesting decisions in India, France or Germany

The Supreme Court in India unanimously declared that privacy is a fundamental right. The case dealt with a 12-digit “Aadhaar” number, which is almost obligatory for Indian citizens and it corresponds to records including citizen’s fingerprints and eye scans. Guardian noted that “(a) nine-member panel of the court in Delhi found that a right to privacy was intrinsic to article 21 of the Indian constitution, which declares that no person can be deprived of their life or liberty without a procedure established by the law.” For an overview of cases in the area of right to privacy, see this article.

At HL data protection, the authors referred to an interesting case in Germany. The German Federal Labor Court held that “German employers are not allowed to monitor employees in the workplace without a concrete suspicion of a criminal violation or, in some cases, a serious breach of duty (judgment dated July 27, 2017, case ref. 2 AZR 681/16). This means that employer monitoring of an employee’s computer usage without a concrete suspicion, including the use of keylogging software that records all keyboard entries made at a desktop computer does not comply with German data privacy laws. Courts may exclude evidence obtained under violation of German data privacy laws from their proceedings.

Bloomberg BNA referred to a case in France. The privacy regulator – the Privacy Office – fined Hertz for a data breach with a 40,000 EUR fine. It held the “Hertz failed to meet its data security obligations. The enforcement audit of the company’s website determined that a computer coding error by a subcontractor exposed personal data, including names, addresses, and driver’s license numbers, for customers signed up for a discount promotion.”


Pre-formulated declarations of consents & myth busting

Consent under GDPR is a widely discussed topic. As there are still no official guidelines from WP29, there are many issues that are not 100 percent clear. There were two interesting articles about the topic this month.

The authors at KU Leuven published a working paper about pre-formulated declarations of consent. They analyse the Recital 42 of the GDPR and the specific reference to Unfair Terms Directive (93/13/EEC). They concluded that there is a problem with core terms of the contract, as defined in Articles 3(2) or 4(2) of Unfair Terms Directive. “(T)he classification of what constitutes the ‘core’ terms for the purposes of pre-formulated declarations of consent remains uncertain and this is indicative of the teething problems inherent to the alignment of the data protection and consumer protection policy agendas.”

The Information Commissioner’s Office also dealt with an issue of consent, in its GDPR myth series. In the article the author argues that, contrary to many “recommendations”, consent is not the only legal ground for personal data processing. “So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way. Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR. Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.”


Is web scraping of publicly available information legal?

The Next web referred to a judgment of US District Judge in San Francisco, in which the court held that an analytics company has the right to scrape data from LinkedIn. The analytics company trained artificial intelligence tools based on LinkedIn publicly available data.

“Since the data was made publicly available by the users posting it, LI was not able to prove ownership of it to a degree that gives it the right to block others from accessing it. Anyone could, theoretically, click on every profile and use a pen and paper to copy all the info, and then feed the data into a computer. If they had enough time and manpower. Of course, this would be ridiculous and inefficient, which is why such tasks are done using an algorithm that gathers and sorts data.”

LinkedIn may have asked the analytics company to stop and it should have stopped. However, LinkedIn cannot implement technology to prevent the company from accessing these public profiles.

It must be noted that the decision is situated in the US context.


An English version of German data protection act published

The German Data Protection Act (Bundesdatenschutzgesetz) passed on April 27, 2017. However, this month the German Ministry of Interior affairs published an English translation.

At HL Data Protection, the authors published an overview of requirements in which the German act differs from the GDPR. They include:

  • Specific processing situations (data protection at work, video surveillance and profiling)
  • Data protection officers (The German rules regarding the duty to appoint a data protection officer are stricter than those stipulated by Art. 37 GDPR. According to Sec. 38 BDSG, companies operating in Germany must designate a data protection officer if they constantly employ at least 10 persons dealing with the automated processing of personal data. Moreover, companies must also appoint a data protection officer if they undertake processing that is subject to a data protection impact assessment pursuant to Art. 35 GDPR or if they commercially process personal data for the purpose of transfer or anonymous transfer or for purposes of market or opinion research.)
  • High risks in case of misconduct (Violations which solely concern BDSG requirements law will be limited to a maximum fine of EUR 50,000, but this scenario will be rare in practice and cover very specific cases only, like information duties referring to consumer loans.)
  • Compensation for personal suffering (Data subjects (including employees) may claim damages for non-pecuniary damage)
  • Parts of the previous BDSG remain (The German legislature appears to preserve most of the previous German provisions regarding employees´ data protection in the new BDSG)
  • Transparency (The extensive notification obligations stated in Secs. 13 et seq. GDPR largely remain)
  • Works Councils and the new Sec. 26 BDSG (Where works councils process personal data, they must also comply with the regulations of the BDSG and GDPR in the future. This is a considerable change, as previously German works councils did not have to observe specific data protection requirements, but only the far broader rules of German works constitution law and other general employment laws.)
  • Works Council Agreements (Collective agreements remain a legitimate instrument for the regulation of admissible data processing. These agreements, however, must fulfill the requirements of Sec. 88 para. 2 GDPR and Sec. 26 BDSG. Hence, a lot of works council agreements in force have to be amended individually or by means of a respective framework works council agreement. In particular, respective works council agreements must contain specific provisions which reflect the requirements of Art. 88(2) GDPR as well as those of Art. 5 GDR.)

Leave a Reply

Your email address will not be published. Required fields are marked *