2018-11-19

Data protection

Beata Hubrig

Photo Credit: Beata Hubrig

A guest contribution by Beata Hubrig

The field of data protection first developed at the end of the 20th century, when we began to store our personal information in technical devices and thus lost control over it. The rules governing data protection are classic protection laws and serve to prevent people from being harmed through the misuse of their data. A prominent example is identity theft, in which products are purchased with stolen name and address data and then delivered to different addresses. Although the victim of identity theft did not buy the products, he/she must initially pay for them. Victims are on their own to prove to the sellers and collection agencies that they did not purchase the goods themselves; in some cases the public prosecutor's office also investigates on counts of fraud.

Violations of the right of informational self-determination can also have far-reaching consequences for those affected. For this reason there is the so-called "prohibition with a reservation of permission". Our legal system basically works according to the principle that every action is allowed as long as it isn't expressly prohibited in codified law. In addition, our constitution stipulates that these prohibitions must be worded specifically enough that citizens can inform themselves in advance about which activities are prohibited. These prohibited activities must also be so concrete and specific that every ordinary citizen can understand them. Every citizen must be able to act in a law-abiding way because they understand what the state requires of them.

GDPR as a new legal basis

The data protection regulations disrupt this system of basic freedom of action and prohibit every type of collection, processing and transmission of personal data. This ban applies equally to everyone, and it applies to all personal data, meaning all personal or factual information about natural, identifiable persons. Data protection thus concerns information about natural persons such as height, preferences, family situation, skills, whereabouts, and friends. Furthermore, it includes factual information such as financial situation, payment behaviour, personal items, the condition of these items, contractual relationships, etc.

Every instance of processing such data must be specifically allowed by the legislator, and the legislator must clearly express when it allows processing operations for a certain area. Examples include Book X of the Social Security Code (Sozialgesetzbuch X) and the Telemedia Act. Here the specific purpose of the processing is also defined, and it cannot be adjusted to new requirements or areas of activity. This is the so-called strict purpose limitation ("earmarking").

Comprehensive information and voluntary decision

The other possibility for authorizing processing is the consent of those affected. The European legislator has provided for this legal authorization in Article 7 of the General Data Protection Regulation, which has applied since 25.5.2018. The two cornerstones of legally valid consent are extensive information and the resulting voluntary decision to give one's consent. Consent which is procured after the processing is considered legally irrelevant and changes nothing about the illegality of the data processing.

Before giving their consent, the person concerned must be able to grasp and understand the facts, and on the basis of this understanding consent to the processing or not. Legal authorization and consent are mutually exclusive. If the person affected has already expressly allowed the concrete processing of their data, such as in a contractual agreement like a rental contract, additional consent may not be obtained.

The level of information is particularly important. The knowledge which the affected persons must have about data processing is not to be underestimated. Weeks before the new data protection regulation went into effect, a murmur rippled through social media because the requirement to inform people about the processing of their data by third parties supposedly represents nothing more than a bigger administrative burden. But this view stems from a lack of understanding. The ability to protect one's own data depends on knowing that a third party is processing the data in the first place. Without knowing who is using which data, where, and to what end, there is no possibility of protecting oneself against the misuse of data by companies, states and persons outside of one's social circle.

When objects are stolen, or someone's blood is drawn or hair is cut, in most cases it doesn't go unnoticed. However, when one's data is stolen, one simply doesn't notice and cannot defend oneself against it. Only when the data have been misused and damages have been inflicted does the victim find out about the improper use of the data. For this reason the European legislator has comprehensively defined transparency requirements for the processing of our data. We must be able to know, or find out, at any point in time who has which data and what is being done with them.

The state supervisory authorities for data protection and freedom of information are responsible for enforcing the GDPR. In addition, in-house data protection officers in the companies make sure that the rules are known and adhered to. Compensation for the unlawful use of data according to § 823 Para. 2 BGB (German Civil Code) is possible, since the data protection regulations are protection laws.

A good example is a civil suit by a former Genius employee against Apple Retail Germany GmbH. The plaintiff worked in the back of house and was unlawfully placed under video surveillance by his employer. This was an interference with his right to informational self-determination, as video surveillance was unauthorized in the back office. In the state labor court (Landesarbeitsgericht) of Frankfurt am Main, he successfully claimed €7,000 in damages.

Important tips

It always makes sense to pay attention to one's data in everyday life. One of the most important tips is to find out which scoring companies are on the market and which data about private individuals they use. If incorrect or outdated data are processed by these companies and passed on to other companies with whom one wants to do business, the affected person suffers irreparable damage.

That is why you should always consider to whom you are making your data accessible: who can access it, whether these are persons, states or companies, and which interests they pursue. Could these entities reach their goals with these data, and would that have negative consequences for you? Which disadvantages could arise from the use of these data: what could possibly go wrong?

For data protection, it's always important to ensure the security of one's own data. That's why one should set up a working backup method and develop a passion for encryption techniques. I recommend PGP for e-mails, Threema for text messaging, and FileVault (macOS) or BitLocker (Windows) for computer encryption.

About the author: Beata Hubrig is an attorney for data protection, copyright and internet law. She has advised clients on topics concerning constitutional law and data protection for over ten years. She also advises re:publica GmbH as a data protection officer.