The General Data Protection Regulation (GDPR) has been in force in the European Union, Iceland, Liechtenstein and Norway for more than four years. Since then, it has established a uniform data protection framework governing the handling of personal data. While enforcement of the GDPR was initially rather slow, data protection authorities and courts throughout Europe are increasingly pushing for compliance. In this article, we give you an overview of the most important decisions of recent months.
The GDPR at a Glance
Although data protection and privacy in the context of digitalization are widely discussed in society, the specific contents of the GDPR are not really clear to many people. We therefore briefly summarize the most important principles here. [1]
1. Prohibition with Reservation of Permission
Personal data may only be collected, processed or used with the explicit permission of the persons concerned.
2. Data Sparseness
Only required data may be collected and processed.
3. Purpose Limitation
Personal data may only be processed for the original purpose.
4. Data Correctness
Data must be correct and up-to-date.
5. Data Security
Personal data must be adequately protected.
6. Right to be Forgotten
Data subjects have a right to have personal data deleted or blocked.
7. Right to Data Portability
Data subjects have the right to take personal data to another provider.
8. Accountability
Supervisory authorities may require evidence of compliance with the data protection principles.
Current Decisions of European Authorities and Courts
Google Analytics violates the GDPR
The most prominent decisions by courts and data protection authorities in Europe currently concern the use of Google Analytics. After the Austrian data protection authority deemed the integration of the analytics tool on websites to be a violation of the GDPR in January 2022, the French CNIL (Commission nationale de l’informatique et des libertés) and the corresponding authority in Italy also ruled the use of Google Analytics to be illegal. The main reason for this assessment is the transfer of personal data of European citizens to the USA, which does not have comparably high data protection standards. Since this point of criticism cannot be circumvented with the current technical settings of the software, no improvement of the situation is in sight, and its use thus remains incompatible with European law for the time being. Given the decisions of the national and European authorities, it is all the more likely that such violations will be legally sanctioned more often in the future. [2, 3, 4]
Microsoft Teams, Zoom & WebEx incompatible with European data protection
With the increased use of videoconferencing tools in the wake of the pandemic, data protection authorities have also been intensively reviewing the common solutions. The most comprehensive review was conducted by the Berlin data protection commissioner. According to that review, the common video conferencing tools (in particular Google Meet, Microsoft Teams, Zoom & WebEx) are not compatible with the legal framework of the GDPR. One of the main problems is again the transfer of data to third countries. [5]
Office 365 disappears from public agencies and schools
Whereas at the start of the pandemic there was a hasty rush to use familiar solutions to drive forward the digitization of public authorities, and especially of schools, data protection authorities are now sharply criticizing the use of some of these software solutions and calling for an end to the use of tools that do not meet data protection standards. For example, the data protection commissioners of Baden-Württemberg and Rhineland-Palatinate recently announced that they would phase out the use of Microsoft 365 in schools at the end of the school year. Schools and other government agencies are therefore now required to switch to alternative software that does not have the known privacy issues. [6, 7]
Multi-million fines for Meta, Amazon & Co.
Apart from far-reaching legal consequences, fines are also increasingly being imposed on private companies for violations of the GDPR. Meta, for example, recently had to pay a fine of around 18 million euros following a complaint from the Irish Data Protection Commission. The year before, the same authority imposed a fine of 225 million euros on WhatsApp (also Meta). In July of the same year, the Luxembourg data protection authority fined Amazon nearly 900 million euros for violations of the GDPR. Countless other rulings also highlight the lax approach of large corporations to the issue. In general, the GDPR provides for fines of up to 20 million euros or up to 4% of global annual turnover for violations. In a landmark ruling, the European Court of Justice decided that consumer associations may also sue over violations of the GDPR without a violation of the specific rights of individual data subjects having to be shown. It can therefore be assumed that the number of lawsuits over gross violations will continue to increase in the coming years. [8, 9, 10]
Heavy fines for Clearview AI
US-based Clearview AI specializes in AI-powered facial recognition. With more than 10 billion images in its database, the company claims to have the largest database in the world and to be able to identify almost every person worldwide within the next few years. The images come mainly from social networks and other online sources. In contrast to the GDPR violations described above, this case presents the additional problem that the data subjects, whose images are added to Clearview AI’s database from social media without their knowledge, never had the opportunity to object to the company’s use of those images. This practice has met with resistance in several European Union countries. Data protection authorities in Greece, France, Italy, Austria, and the United Kingdom are currently reviewing the case or have already issued fines in the millions. [11]
Data Protection at ViOffice
ViOffice was founded out of the need to provide sustainable, European and secure IT services in a socially responsible way. Our technical focus is clearly on promoting easy-to-use open source software and strengthening data protection and privacy. All our servers are located in Germany, and the data of our users is never shared with third parties. With our approach, we go beyond the requirements of the GDPR in many respects.
ViOffice follows the approach of data minimalism. The ViOffice services collect and store only the information that is absolutely necessary for their use, such as the data that users themselves upload to the cloud and the information that is legally required for the operation of ViOffice. Information such as time logs of file accesses, conversation histories and the corresponding metadata is expressly not stored. Where possible, user data is additionally protected by client-side encryption (i.e. locally on the users' own devices) before it even reaches our servers.
Our web analytics tool, ViOffice Analytics, also focuses on data protection and privacy. ViOffice Analytics is based on the open source software Umami. This is an easy-to-use, “lightweight” analytics tool that gives you full control over the collected data, without giving third parties access to it, while preserving the privacy of your visitors and users. ViOffice Analytics does not set cookies and does not analyze individual user behavior; instead it collects aggregated traffic data (traffic tracking instead of user tracking). This way you get the helpful information you need and still stay on the safe side ethically, legally and technically. Not even an annoying cookie banner is needed on the website.
Sources
[1] Haucke, Annika (2022): Das müssen Sie 2022 über die Datenschutzgrundverordnung wissen. Online at: https://www.e-recht24.de/datenschutzgrundverordnung.html [accessed 17.05.2022].
[2] Lewanczik, Niklas (2022): Google Analytics verstößt gegen europäisches Datenschutzrecht. Online at: https://onlinemarketing.de/digitalpolitik/google-analytics-verstoesst-gegen-datenschutzrecht [accessed 13.01.2022].
[3] noyb (2022): CNIL decides EU-US data transfer to Google Analytics illegal. Online at: https://noyb.eu/en/update-cnil-decides-eu-us-data-transfer-google-analytics-illegal [accessed 05.04.2022].
[4] Ikeda, Scott (2022): Italy Bans Google Analytics Over Improper EU-US Data Transfers. Online at: https://www.cpomagazine.com/data-protection/italy-bans-google-analytics-over-improper-eu-us-data-transfers/ [accessed 05.07.2022].
[5] Berliner Beauftragte für Datenschutz und Informationsfreiheit (2021): Hinweise für Berliner Verantwortliche zu Anbietern von Videokonferenzdiensten. Online at: https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/orientierungshilfen/2021-BlnBDI-Hinweise_Berliner_Verantwortliche_zu_Anbietern_Videokonferenz-Dienste.pdf [accessed 18.02.2021].
[6] Westphal, André (2022): Microsoft 365 wird wohl aus Schulen in Baden-Württemberg verschwinden. Online at: https://stadt-bremerhaven.de/datenschutz-microsoft-365-wird-wohl-aus-schulen-in-baden-wuerttemberg-verschwinden/ [accessed 25.04.2022].
[7] SWR Aktuell (2022): Schulen in RLP dürfen Microsoft-Software Teams nicht mehr nutzen. Online at: https://www.swr.de/swraktuell/rheinland-pfalz/duldung-microsoft-teams-in-rlp-schulen-lauft-aus-100.html [accessed 27.06.2022].
[8] Biselli, Anna (2022): 210 Millionen Euro Strafe gegen Google und Facebook. Online at: https://netzpolitik.org/2022/frankreich-210-millionen-euro-strafen-gegen-google-und-facebook/ [accessed 06.01.2022].
[9] Gurkmann, Jutta (2022): Datenschutzverstöße von Meta und Co. EuGH bestätigt weitreichende DSGVO-Klagebefugnis von Verbraucherverbänden. Online at: https://www.vzbv.de/urteile/datenschutzverstoesse-von-meta-und-co-eugh-bestaetigt-weitreichende-dsgvo-klagebefugnis-von [accessed 28.04.2022].
[10] Datenschutzexperte.de (2022): Bußgeldkatalog bei Datenschutzverstößen. Online at: https://www.datenschutzexperte.de/datenschutz-bussgeldkatalog/
[11] noyb (2022): Zweite 20 Mio. € Geldstrafe für Clearview AI. Online at: https://noyb.eu/de/zweite-20-mio-eu-geldstrafe-fuer-clearview-ai [accessed 13.07.2022].
Pascal founded ViOffice together with Jan in the fall of 2020. He mainly takes care of marketing, finance and sales. After his degrees in political science, economics and applied statistics, he continues to work in scientific research. With ViOffice, he wants to provide access to secure software from Europe for everyone and especially support non-profit associations in their digitalization.