Which data protection rules actually apply and who sets them? For example, the word cookie does not appear in the legal text of the GDPR. There is also nothing to read about plug-ins such as Google Maps. If a law were too specific, it would fill the shelves. If a law is too abstract, doubts must be resolved by individual decisions.
introduction
Time and again questions arise when it comes to websites, apps or social media profiles. What is allowed and what must be taken into account? Due to the different interests and competencies of different advisors and market parties, different statements and recommendations arise accordingly. The following interest groups of data protection advisers spontaneously come to mind:
- industry associations: Are very rarely pro privacy. Even some data protection associations are secretly twisting the thread in a way that favors businesses and disadvantages consumers. One example is the lobby on § 26 TTDSG, which was also sparked by a board member of a major German data protection association. This member is also a member of the supervisory board of a non-profit foundation, which in turn “belongs” to a very large German Internet company (same postal address, etc.)
- lawyers: Depending on who the lawyer usually wants to represent or actually represents, the lawyer likes to take the position that seems favorable to his client. For example, professional articles are more business-friendly if a lawyer likes or often represents companies in data protection processes.
- online lawyer: I cite times as an example xRight45. These are lawyers who don’t have a ready-made solution and who create pseudo-solutions by discussing problems away.
- advertising agencies or. website maintenance: They usually do not have their own point of view, but cite the source, which says what fits the planned action, for example whether to use Google Analytics.
- Data Protection Officer: They usually take privacy very seriously. Not infrequently, however, they slip into a risk assessment in favor of their clients so that a client doesn’t become too unhappy because of the “truth”.
- privacy advocate: From my perspective, at least they try to apply the high standards of the law, as is meant by strict standards. The established case law of the ECJ shows that this approach is appropriate.
These stakeholders and advisors interpret the realities of data protection differently, or pick and choose the realities that fit and leave out others that don’t fit so well with the desired outcome.
kinds of truth
There are basically two kinds of truth. The written word and the judicial spoken word. The first is called law, the second is called judgment. I will elaborate on both below.
The law
A law is a legally binding arrangement, as I would say it as a non-lawyer. A law consists of at least one legal text. However, this is not enough, as the AVG shows. The GDPR also consists of considerations. Likewise, each of the 99 articles of the GDPR contains a headline that, to my knowledge, is not an official part of the legal text.
legal text
A legal text can usually only be kept general. If it were very specific, hundreds of volumes would fill up quickly. However, not all specific cases would then be taken into account. Moreover, a law that would be very specific would probably not be enacted so quickly.
The dilemma of a legal text is that it must remain largely vague and must therefore create room for misunderstandings and ambiguities.
cup a GDPR article
As mentioned above, the title of an article is not an official part of the legal text, as far as I know (if it is different, message me). However, there must be a reason why, for example, Article 49 of the GDPR is entitled “Exceptions for certain cases”.
If one does not take the title seriously or does not consider it binding, one could read the article just mentioned as follows: The article describes that the consent of the data subject as the owner of the data is required if his data is transferred to states of the secret service, such as the US. Without the title of Article 49 GDPR, one might think that consent can be requested for any number of data transfers to the US.
If you take the title “Exceptions for certain cases” seriously, Article 49 GDPR says that data transfers to the US can only be justified in exceptional cases and therefore not regularly with consent. Fortunately, a recital helps to clarify things.
recitals
A recital is a kind of commentary on the legal text by the legislator (or affiliated bodies). It shows how a law is meant. The above example with Article 49 GDPR can be solved using Recital 111 as follows. This recital states that consented data transfers are only allowed “if the transfer is incidental”.
A lawyer once told me that recitals are not an official part of a law. I object that even the ECJ continually uses considerations in its judgments. What the ECJ is doing here can’t be a bad practice (and if it were, we’d have very different problems than discussing subtleties).
courts and their rulings
In Germany, local courts, regional courts, higher regional courts, the federal court and the federal constitutional court are responsible for data protection issues. The highest court is the European Court of Justice (ECJ). What he decides is valid. However, the fact that the ECJ makes a ruling does not mean that the case is closed. This begs the question: what is it really about?
Each judgment is an individual decision, so based on concrete circumstances. However, the beauty of the Internet and technology is that there are countless analogous and thus very similar cases that can be described as similar. For example, cookies are generally the same in terms of how they work. Cookies are accesses from end devices. These in turn are regulated in § 25 TTDSG. Or let’s take Google Fonts. This was only a decision of the regional court of Munich. Anyone who integrates fonts so that they are loaded from a Google server is doing so in exactly the same way as thousands of website operators. There is no difference between these thousands of websites when it comes to Google Fonts. The situation is the same (assuming, of course, that the fonts are loaded without permission and without a contractual basis or on the basis of the alleged legitimate interest).
For example, a ruling by the BGH about Google Fonts could be applied analogously to all websites that integrate Google Fonts incorrectly. The decision of a regional court applies in the first instance only to the persons for whom this regional court is responsible because of their place of residence. Other regional courts are not bound by this decision. It is, however, relevant if an LG has given a judgment on a case that now another LG has to decide. A court will gladly accept the reasons of another court, as long as those reasons are well founded and the judge does not have to act against his or her personal convictions. This personal imprint of a judge should not play any role. But it always plays a role, I can say from experience. A judge is only human. Unfortunately, some judges sometimes forget their duty of neutrality, although this should be described as a criminal offence.
Reasoning beyond measure
An obiter dictum is a legal opinion of a court, which, however, has not arisen in response to a question in a case to be judged. Rather, the court took the opportunity to get rid of a legal opinion, because otherwise there was no possibility or probably will not in the future.
If the BGH expresses such a legal opinion, then in my opinion subordinate courts, which are almost all other courts in Germany, should be kind enough to accept and apply the opinion of the BGH. Unfortunately, some judges of the courts subordinate to the BGH assume otherwise. I see that as intolerable, that’s something about a constitutional complaint is attached.
guidelines
Guidelines are not laws. They are usually assumed to have been transposed into national law within a few years. A well-known example is the EU’s ePrivacy Directive. The German legislator was back in the sleeping car and so the BGH had to act as legislator.
It all went like this:
- The ePrivacy Policy has been published
- Germany was asleep and languishing with the outdated Telemedia Act (TMG).
- In 2020, the BGH decided in the Planet 49 judgment (BGH judgment of 28 May 2020 – I ZR 7/16) that § 15 paragraph 3 TMG must be reinterpreted in such a way that it corresponds to the spirit of art. 5 paragraph 3 of the ePrivacy Directive. The BGH has thus pursued legislation that it is not allowed to do. However, the result was positive, so that no one was bothered by it.
- At the end of 2021, Germany briefly stopped sleeping and released the TTDSG. Article 25 TTDSG now regulates the so-called cookie directive.
A directive does not apply until it has been adopted by national law. Or until something unforeseen happens and judges bring order to smooth out the sloppiness of the legislature, even though the judges shouldn’t have an iron.
Conclusion
The data protection officer follows the gold standard of case law, which is the accepted or pre-existing case law of the ECJ. Moreover, it is based on common sense and morality. Lawyers have no morals because they side with their client, who can be a good boy or a bad girl.
Consultants often do what they think is right. Or because they have a customer who benefits from a certain opinion. Or because they can further secure their professional life by expressing an opinion.
Unfortunately, our legal system is not fair. Extremely long procedures lead to injustice. Expensive lawyers can occasionally cloud the truth or hide behind piles of paper until no one knows what’s right and what’s wrong.
However, legal certainty is increased by lawsuits by private individuals, which may include you. By that I mean lawsuits against data sinners. If you’re always complaining but doing nothing, you’re not moving anything. Write an email to a data sinner who mishandled your data and ask them to stop. If the person does not respond, engage a lawyer and notify the person responsible. The world can be that simple. If you are not sure if there is a violation on a website, please write to me. I will give you feedback. Or use my website_check.
PS: The title photo is not discrimination against men, it could have been about a woman. I don’t think being a man is suspicious of wanting to discriminate against men. One time a woman wrote to me criticizing a featured image for having an aesthetically pleasing body that the lady attributed to a woman, although it wasn’t immediately obvious I thought it worth mentioning.