Data protection law at the turn of the year - and what companies will still have to deal with in 2022

The year 2021 is drawing to a close. While the well-deserved break between the years is gradually approaching in business and industry, a large number of legal topics remain highly topical and should be seriously addressed by the beginning of 2022 at the latest - if this has not already happened. The digital upheaval is in full swing and poses major challenges to companies more and more. To prove this thesis, the mere reference to the "new" EU standard contractual clauses is already sufficient.

In addition to the constant change in data protection practice, other topics are increasingly coming into focus. For example, the innovations in the digital sales law and the Supply Chain Duty of Care Act should be mentioned here. The coalition agreement of SPD, FDP and the Green Party also indicates in some places that various current topics are on the agenda of the new government. In order to see the wood for the digital trees, we would like to provide a brief overview of current topics at the turn of the year that will (still) be of great importance for companies in 2022.

The third country data transfer

It is now well known that there is never a standstill in the area of data protection law. Last year, for example, was still strongly marked by the "Schrems II" decision of the European Court of Justice. The implementation of the new EU Standard Contractual Clauses (SCC) as well as the performance of a Transfer Impact Assessment (TIA) are now part of everyday life in data protection law issues. We have already reported extensively on the adoption of the new SCC in our article of 08 June 2021 ("EU Commission adopts new standard data protection clauses for international data transfers").

While new third-country transfers must already be made on the basis of the new SCC since 28 September 2021, companies still have time until 27 December 2022 to adapt their old third-country transfers accordingly. In addition to the question of which module applies with regard to the respective third-country transfer, it must be carefully reviewed in particular whether additional measures are necessary to ensure an adequate level of data protection. Pursuant to clause 14 lit. a) of the SCC, the contracting parties must affirm that they have no doubts that the data importer is prevented from fulfilling the obligations arising from the SCC by applicable laws and practices in the third country. Currently, this primarily concerns data transfers to the USA. On this occasion, we already referred to the so-called "6-step model" updated by the European Data Protection Committee (EDSA) in our article of 23 June 2021 ("EDSA recommendations for third country transfers updated").

Likewise, in our article of 01 October 2021 ("Standardisation and automation of a transfer impact assessment in the context of the new EU standard contractual clauses"), we showed our standardized solution in the implementation of the TIA. This will remain highly relevant in 2022, since - as already shown - the old third-country transfers will have to be adapted accordingly and, if necessary, extended by further measures.

Responsible means responsible - Court decision: “Cookiebot”

A recent decision by the Wiesbaden Administrative Court (VG) on 1 December 2021 caused a stir in connection with third-country transfers. In the interim legal protection, an application was granted which prohibited the RhineMain University of Applied Sciences from using the "Cookiebot" service - as a so-called consent management platform - on its own website to obtain various consents from users. The user data collected in this context (including the unabbreviated IP address) is subject to access by a provider of a so-called Content Delivery Network (CDN) tool based in the USA. In addition to the - in this respect already known - statement that IP addresses are regularly personal data, another statement of the 6th Chamber of the VG Wiesbaden comes into focus: Responsible means responsible. Despite the fact that in the present case it is not the RhineMain University of Applied Sciences that enables access to personal data by the US service provider, in the opinion of the VG Wiesbaden, the RhineMain University decides at least indirectly on the means and purposes of the data transfer through the use of "Cookiebot". In the opinion of the Wiesbaden Administrative Court, the transfer of data to the USA - in particular due to the provisions of the so-called Cloud Act - does not constitute an adequate level of data protection. In particular, such instruments had not been implemented that could lead to an adequate level of data protection ultimately being affirmed. The latter primarily concerns the new SCCs, which were not concluded between the website operator and the "Cookiebot" provider.

Even though the aforementioned decision may have a massive impact on a large number of data protection officers, we would like to dampen the current panic a little. In our opinion, the further procedural steps should first be awaited. Since this is "only" a decision on interim legal protection, it remains to be seen how the further course of the proceedings will develop. Although one would like to accuse the Wiesbaden Administrative Court of inaccuracies in data protection law in some points - this concerns in particular the legal handling of the SCC - companies are advised to review their data processing chains and third country transfers again, at least in the medium term. If personal data are transferred to the USA, it should be checked whether there is a need for further action. If a TIA audit - to be carried out by the controller - comes to the conclusion that further measures must be taken to ensure an adequate level of data protection, influence should be exerted on the link in the data processing chain (e.g. through specific obligations in a processing contract) that directly initiates the third-country transfer. If, on the other hand, it is not possible to exert such influence, the data controller must - if one takes the decision of the Wiesbaden Administrative Court seriously - break off the contractual relationship with the data exporter.

Cookies and the TTDSG

Even without a reference to a third country transfer, the use of so-called cookies is of central importance for a large number of companies. As we already announced in our article of 06 October 2021 ("Legal regulation for the use of cookies"), the Data Protection and Privacy in Telecommunications and Telemedia Act (TTDSG) has now come into force on 01 December 2021. Since we have already pointed out the essential innovations in the linked article, we would now like to take a look at another central problem in the application of the law: Under what conditions is a cookie absolutely necessary within the meaning of Section 25 (2) TTDSG? This is of particular importance because in such a case, exceptionally, theconsent of the user of a so-called terminal device is not required.

As a reminder, the TTDSG - like the e-Privacy Directive - distinguishes between different types of cookies. On the one hand, cookies are conceivable without which it is not possible to provide the service offered. On the other hand, app and website operators in particular like to use cookies that only provide an advantage to the operator itself (e.g. to carry out reach measurements). If one follows the view of some German data protection supervisory authorities, the criterion of absolute necessity must be understood very restrictively. According to an opinion of the Hamburg Commissioner for Data Protection and Freedom of Information of30 November2021, for example, only a technical necessity is sufficient, "but not [an] economic necessity". Cookies for saving cookie settings, for remembering items in the shopping cart, for (technically) enabling video streams, for personalising services, as well as cookies that serve the operator's security purposes, among others, may be considered absolutely necessary. If, on the other hand, cookies are used for advertising, tracking or geolocation, the provider must obtain the consent of the respective user of the terminal device. As can be seen from Section 25 (1) sentence 2 TTDSG, consent must comply with the standards of the GDPR and, in particular, must be given voluntarily and without the presence of pre-ticked boxes. Finally, operators of terminal equipment should pay attention to the "interplay" of the TTDSG and the GDPR: If personal data are processed after the use of a cookie, this must be in line with the requirements of the GDPR. In particular, this requires the existence of a legal basis under data protection law - regularly based on Article 6 GDPR.

Even though the TTDSG will probably only apply to the use of cookies and comparable tools for a limited period of time due to the planned enactment of an e-Privacy Regulation by the European legislator, companies should once again thoroughly review the design of their cookie banners. It is obvious that the entry into force of the TTDSG will provoke renewed reviews by supervisory authorities.

Purchase law 4.0

Even though we would love to continue reporting on data protection law as one of our core competences, there are other exciting innovations that companies will have to observe in the future. As we already reported in our article of 04 October 2021 ("Kaufrecht 4.0"), some far-reaching amendments to the German Civil Code (BGB) will come into force on 01 January 2022. In addition to adjustments to the law on sales, in future Sections 327 et seq. BGB(new) will contain a completely new type of contract for the provision of digital content or digital services. Even if many of the innovations primarily address the B2C sector, the changes should not be underestimated in their entirety.

On the one hand, the revision of the law on defects of quality in Section 434 BGB(new) is also relevant in the B2B area without restrictions. Whereas up to now a defect of an object of sale has existed if, for example, it is not suitable either for the contractually agreed use or for the usual use, in future so-called subjective and objective conditions must be cumulatively present in order to protect the seller from warranty claims. For the seller, this means that he must adapt his sample contracts accordingly, but without exceeding the limits of what is legally permissible. If the seller (also) acts in the B2C sector, strict standards apply.

On the other hand, in our legal practice we are regularly confronted with the fact that companies are often not aware of which regulations apply in the B2C area. However, if a company is not prepared for the eventuality, it will hardly be able to fulfil the multitude of requirements and information duties that have to be observed. This is all the more true since according to Section 312 (1a) BGB (new), in future even the provision of personal data can lead to a consumer's right of revocation. In this context, one only has to think of the pandemic-related multitude of webinars or comparable offers in which, for example, the advertising drum was beaten for one's own company. If a consumer within the meaning of Section 13 of the German Civil Code (BGB) is hidden among the participants and the personal data provided is not used exclusively to (technically) enable the respective offer, this can result in a consumer's right of revocation.

The coexistence of the different types of contracts must also be penetrated, at least in an overview. While a contract for the provision of cloud services in the B2C area will in future be governed by Sections 327 et seq. BGB (new), this does not also apply in the B2B area. In the latter case, the applicability of tenancy law provisions will presumably remain as usual. The question of which warranty law is applicable also contains some subtleties in detail.

Even if such companies, which primarily operate in the B2B sector, can take a somewhat more "relaxed" approach to the topic, a rough overview of the new regulations is essential.

Compliance as a growing challenge

Under the umbrella term compliance, companies can expect two major construction sites in the future.

As we recently reported in our article of 02 December 2021 ("Current status of the Whistleblower Directive"), Germany has - at least as things stand - "slept through" the transposition deadline for Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law(the so-called Whistleblower Directive). However, we expect that an implementing law will not be long in coming once the legislator has agreed on a final version. The directive stipulates that companies with a workforce of at least 250 employees must set up a reporting system for compliance tips by whistleblowers by 17 December 2021 at the latest. Companies with between 50 and 249 employees, on the other hand, do not have to implement the respective requirements until 17 December 2023. In order not to be "caught cold" by the expected implementation law, companies should start working seriously on the implementation of a corresponding reporting system. With "SKWhistle", we have created a modular consulting solution that supports you in setting up, establishing and operating a whistleblowing system. The individual modules can be booked either at agreed fixed prices or individually according to the respective expenditure. If required, we will also be happy to advise you on the choice of a technical solution. We have provided further details in this context in our article of 11 May 2021 ("SKWhistle: Hinweisgebersystem rechtssicher implementieren").

The second major compliance-related topic that should be on companies' agendas is the Supply Chain Sourcing Obligations Act (LkSG), which we believe is widely underestimated. Subject to some special provisions, the final version of the Act will enter into force on 1 January 2023. The Act aims to improve the protection of human rights in supply chains based on the division of labour and to effectively enforce their observance. Section 2 para. 2 LkSG lists a large number of conceivable "human rights risks" which potential addressees of the law must also observe outside their own work structures in the future. In this context, the prohibitions of child and forced labour, slavery, unequal treatment in employment relationships and the observance of the applicable occupational health and safety obligations are particularly worthy of mention. Since, in addition to other environmental risks to be observed, 11 conventions for the protection of human rights annexed to the law are also part of the protection concept, the standard of care to be observed here can be considered very far-reaching.

Section 1 of the LkSG defines the addressees of the law in more detail. Primarily affected are enterprises - irrespective of their legal form - whose head office, branch office or registered office is in Germany, provided that in addition at least 3,000 employees are generally employed in Germany. Employees posted abroad are also covered. If a company only operates a branch office in Germany pursuant to Section 13d of the Commercial Code and also generally employs at least 3,000 employees in Germany, it is nevertheless subject to the Act. From 1 January 2024, it must also be noted that the threshold values for the number of employees are only 1,000.

In Sections 3 - 10 of the Act, the various due diligence obligations to be observed by the addressees are described in more detail. If a company falls under the scope of application of the Act, it must in future implement, among other things, a risk management, a risk analysis, remedial and preventive measures and, again, a complaints procedure within the company. It quickly becomes clear here that the topic of compliance is currently a major issue at both European and national level.

IT security risks also come into focus

Under the highly topical term of the Java security vulnerability "Log4Shell", the topic of IT security is also increasingly coming into focus. The Java logging library "Log4j" is a component of a large number of commercial products. Since open-source products can also be affected, the impact of the recently discovered security vulnerability is considerable. In summary, the identified vulnerability allows attackers to execute certain programme codes via the internet, thus enabling further attacks on a system. Reason enough for the Federal Office for Information Security (BSI) to issue a security warning with the "Red Warning Level". On the BSI website, a separate category with several linked documents has been published, in which further information as well as recommendations for action are shown. The Bavarian State Office for Data Protection Supervision has also published a handout on its website on the initial analysis in order to provide those responsible and their company data protection officers with the necessary remedial measures.

The current circumstances once again show the importance of the data processing security requirements contained in Article 32 of the GDPR, which should not be underestimated. Depending on the specific case, the identification of a security vulnerability on one's own systems can lead to a reportable breach of the protection of personal data within the meaning of Article 33 of the GDPR. Even if the focus is regularly placed on the existence of a legal basis under data protection law, data controllers should also attach appropriate weight to IT security in particular.

What else is planned?

In our article of 1 December 2021 ("Mehr Digitalisierung wagen - was planiert die künftige Ampelkoalition?") we already showed that the new traffic light coalition has a number of plans for digitization. For companies, this means that they must remain vigilant and keep an eye on the current focus topics.

Even if the present article may give the impression that one can hardly become master of all these topics, we would like to reassure you at this point. It is comprehensible and also not necessary that all the aforementioned topics can be mastered at the same time and taken into account in your own company. No one expects you to do so. However, we would like to sensitise you once again with this brief outline at the end of the year and prepare you for the upcoming topics.

If one deals with the new need for action as early as possible, a smooth transition to a new practice can be managed. As you have come to expect from us, we are always at your disposal in case of questions as well as for the concrete implementation of a new law.

As the year draws to a close, however, we wish you nothing but a reflective holiday season and a good start to the new year 2022.

This article was written with the kind assistance of trainee lawyer Marius Drabiniok.