Happy Birthday GDPR
May marks the first anniversary of the GDPR coming into full effect, and a lot has happened since then. “General Data Protection Regulation”, or GDPR, was named phrase of the year in 2018, and the term was literally on everyone’s lips. According to a survey, 67% of EU citizens are familiar with the General Data Protection Regulation, while 36% say they’re aware of the content of the regulation.
Since last year the security and privacy of private individuals and their personal data has had to be protected appropriately and consistently throughout the EU. So as a private individual, you may find yourself being presented with a document to sign at the dentist’s, for instance: “ah, you know – data protection and all that”. Companies operating WiFi hotspots, for example, are already having to put in a bit more effort. There has to be a legal basis if data is to be processed: when a guest books a room with WiFi, or a customer buys a WiFi hotspot ticket. Data can only be used for the intended purpose. Strict regulations apply to data for marketing purposes: not only do customers have to agree to use of their data, they also have to be told what it will be used for. ‘Implicit’ consent along the lines of “using this WiFi hotspot means you agree to receive advertising mail” is no longer legally compliant. If data is transferred to third parties, the subject in question must also be notified of this or agree to it, and in addition agree to the retention period. And last but not least, we have the data protection notice, which explains what data is stored, on what basis and for how long. All this information has to be clearly apparent and mustn’t be hidden in the infamous “small print”. More information on this can be found in our blog post for WiFi hotspot operators.
As anticipated, not all companies were able to implement these instructions and so data breaches gave rise to complaints and reports. According to the European Data Protection Board, 281,088 reports were submitted in the context of the GDPR by May 2019, of which 144,376 were complaints.
However, the wave of lawsuits feared initially has so far failed to materialise, as a very large number of companies have adapted to the GDPR and taken the necessary precautions. But this may also be due to the fact that the wheels of justice turn slowly, so the first penalties are also only being imposed slowly. For instance, in Germany a police officer was fined EUR 1,400 recently for using his position to obtain a woman’s contact details. He used a car registration to search for her personal data in the internal database and phoned her, which is clearly in violation of the GDPR.
Incidentally, it seems this regulation has become a good way of earning money, too. Besides law firms specialising in data protection, civil rights organisations and associations have also now committed themselves to data protection. IGD Interessensgemeinschaft Datenschutz e.V., which operates as a representative of citizens in matters relating to business operators and companies, was founded recently and has already hit the headlines because it has been issuing warnings. Each warning is accompanied by an invoice. Whether non-governmental organisations are allowed to issue such warnings hasn’t been clarified as yet, but in any case this association isn’t legitimised to do so. If you receive an invoice from this organisation or any similar body, don’t pay it. Contact a data protection officer or a public authority for information first.
What else is there? Data retention – no thanks!
The EU Council recently tasked the EU Commission with discussing the repealed 2014/2016 data retention regulations. In this context, reference is made to the storage of certain data such as call logs, location data and classification of the IP address used at a specific time, as well as passing on this information to authorities. This law was repealed back then as it’s illegal to store data without justification on individuals who aren’t suspected of any crime.
But how is data retention compatible with the General Data Protection Regulation, and are there strong arguments (counter-terrorism measures were cited at the time of its introduction) to justify such retention? This is precisely what the Commission is to investigate – what data is required by the authorities, and how could ‘legal’ implementation of data retention be structured? Furthermore, the EU also has an ePrivacy regulation on its agenda that’s designed to protect citizens, particularly online. Data retention restricts the right to keep communications confidential and thus has entirely the opposite effect to the ePrivacy regulation. How all this fits together and maintains compatibility with the fundamental rights of the EU and the individual member states now has to be clarified. So, things are looking exciting – stay tuned!
Now what?
The fact that individual EU member states have interpreted the law differently is still resulting in uncertainty. Among other things, the German parliament is discussing easing up on the GDPR for small companies and associations. For example, a data protection officer should only have to be appointed if a company has 20 or more employees (previously, companies were obliged to appoint an officer if they had 10 or more employees working with personal data). In Austria, data protection should even have to yield if it restricts freedom of expression.
Many questions remain unanswered, but we can guarantee you one thing: with the IACBOX, you know you’re erring on the side of caution given the current legal situation. It offers data-saving and privacy-friendly basic settings, as well as deletion and anonymisation functions and data protection information for end users. And with the add-on Privacy Toolkit module, you also have options to create an individual data processing directory that takes into account specific login methods and database connections, as well as convenient options for privacy by design/default pre-settings, confidentiality and order processing agreements, checks, help texts and access logging. The technical design of the module is such that the IACBOX development team can react promptly to changes. So your guest WiFi solution is always up to date and you’re always on the safe side.
Are you an entrepreneur looking for a solution to these requirements? Or are you a service provider and advise companies on wireless or wired network solutions?
Let's start a project together