privacy

history

The American debate was also reported in Europe. At the end of the 1960s, Germany was looking for a term that would avoid the direct translation of the term “privacy” - (general) personal rights - because of the controversial debate since the 19th century and its bulkiness. Based on the term "machine protection" (legislation on the safety of work equipment), the scientific word "data protection" was created, which was initially criticized because of its ambiguity (not the data is protected, but the people), but is now used internationally (data protection, protection des données, protección de datos, zaschtschyta danych, προστασία δεδομένων προσωπικού χαρακτήρα etc.).

In 1970, Hessen passed the world's first data protection law ; The German Federal Data Protection Act (BDSG 1977) followed in 1977, the focus was on determining the prerequisites for the introduction of data protection officers and the priority given to the protection of personal data. State data protection laws were passed in 1981 for all federal states. The BDSG 1977 saw it as the task of data protection " to counteract the impairment of legitimate interests of the data subjects by protecting personal data from misuse during their storage, transmission, modification and deletion (data processing)" (§ 1 Paragraph 1 BDSG 1977). Any data processing that was not carried out on a legal basis was abusive. At that time, data protection was seen as the protection of personal data from data processing that was not legally legitimized. In 1983 the Federal Constitutional Court made it clear in the so-called census ruling that data processing on a legal basis can inadmissibly interfere with the fundamental rights of those affected. The court derived a “right to informational self-determination” from the general personal right. The census judgment shaped the understanding of data protection in Germany and was a milestone in the history of German data protection. Since then, data protection has been understood as the protection of the right to informational self-determination (e.g. § 1 State Data Protection Act Schleswig-Holstein) or - more generally - as protection of the personal right when processing personal data (§ 1 BDSG).

In 1995 the European Data Protection Directive 1995/46 / EC was passed. In 2001 and 2006, amendments to the BDSG followed. Further novellas were dated May 29, 2009 and July 2 and 3, 2009.

With the immediate application of the higher-ranking European General Data Protection Regulation on May 25, 2018, most of the previous BDSG was superseded, and on the same day the complete new version of June 30, 2017 came into force.

Regulations

Comparison of some countries in the privacy ranking 2007 of the organization Privacy International .
(the lighter the color, the higher the level of protection)

International regulations

With the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data, internationally valid guidelines have existed since 1980 , which have the goals of extensively harmonizing the data protection provisions of the member states, promoting a free exchange of information, avoiding unjustified trade barriers and, in particular, a gap between to prevent European and US developments.

In 1981, the adopted Euro Europe with the European Data Protection Convention of the first international agreement on data protection. The European Data Protection Convention is still in force today and is binding under international law for all 46 states (as of July 30, 2013) that have ratified it. The convention is open to states worldwide. The first accession country outside Europe is Uruguay, for which the convention came into force on August 1, 2013. (In contrast, the data protection guidelines of the European Union are only binding for the EU member states and therefore only to be implemented by them in national law.)

United States

In the United States, privacy is rarely regulated by law or regulation. In many cases, access to private data is socially acceptable, e.g. B. a credit check before agreeing an employment relationship or before renting an apartment. There are regulations for individual sub-areas, e.g. B. the Children's Online Privacy Protection Act (COPPA, German: "Law to protect the privacy of children on the Internet") and in the area of ​​health insurance the Health Insurance Portability and Accountability Act (HIPAA), but no comprehensive regulation for the handling of personal data .

One possible reason for this is that the US government has little confidence in protecting personal information. It is argued that in many cases data protection collides with the requirements in the 1st Amendment to the United States Constitution (First Amendment), which regulates freedom of expression . Data protection has also been used as an instrument to suppress freedom of expression in many countries around the world.

The Supreme Court of the United States has indeed in the case v Griswold. Connecticut 1965 interpreted the Constitution as granting individuals a right to privacy . Yet very few US states recognize an individual's right to privacy. One of the few exceptions is California . In Article 1, Section 1, of the California Constitution, an inalienable right to privacy is established, and California law has at least partially implemented this principle in some legal regulations. For example, the California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial websites or online services that collect personal information about citizens of the State of California via their websites to place a conspicuous note on the same pages about how they handle the data and to also comply with these self-imposed data protection guidelines - but not specified in detail.

The US Department of Commerce developed the (voluntary) Safe Harbor procedure between 1998 and 2000 , with which US companies can more easily demonstrate compliance with the EU Commission's data protection directive (95/46 / EC) when dealing with European business partners.

There is no comprehensive independent data protection oversight in the USA, only the Federal Trade Commission (FTC), which operates in the field of trade and which occasionally also deals with data protection issues. The FTC only intervenes if a company does not adhere to its self-imposed data protection guidelines; However, there are no minimum requirements about the existence or form of such a voluntary commitment. So if a company does not voluntarily commit to data protection, the FTC does not intervene either, since there is no violation of any regulations.

In contrast to European regulations, there are no legal requirements in the USA regarding the retention period for collected personal data. Furthermore, there is no right to information from authorities or companies about what personal data is stored (with the exception of the Freedom of Information Act ), and no right to correct incorrect data. All existing data protection regulations only apply to citizens of the USA and those who stay in the USA for a long time, not to data that comes from abroad.

The then Federal Commissioner for Data Protection, Peter Schaar , has therefore criticized the expansion of the intra-European automated data exchange regulated in the Prüm Treaty to the USA, which was agreed in March 2008 between the Federal Republic of Germany and the USA .

In March 2017, the Senate and House of Representatives suspended large parts of data protection for Americans in order to allow telecommunications providers, even without the express consent of their customers and users, to collect geospatial data, information about finances, health, children and movement patterns on the Internet for their users To be able to use advertising purposes. Furthermore, the corporations are now allowed to sell their users' information directly to third parties.

European Union

The protection of personal data is a fundamental right in the European Union. With Directive 95/46 / EC (Data Protection Directive) , the European Parliament and the European Council laid down minimum standards for data protection in the member states in 1995. However, the directive did not apply to the area of judicial and police cooperation , the so-called third pillar of the Union. In Germany, the directive was implemented into national law in 2001 with the law amending the Federal Data Protection Act and other laws . The transfer of personal data to third countries that are not members of the EU or that are party to the Agreement on the European Economic Area was also regulated : According to Article 25, the transfer was only permitted if the third country guaranteed an "adequate level of protection". The decision as to which countries guarantee this level of protection was made by the Commission, which was advised by the so-called Article 29 data protection group . In 2015, according to the decision of the Commission, an appropriate level of protection was guaranteed by the following third countries: Andorra , Argentina , Faroe Islands , Guernsey , Isle of Man , Israel , Jersey , Canada , New Zealand , Switzerland , Uruguay and when applying the principles of " Safe Harbor ”and when submitting Passenger Name Record to the US Customs and Border Protection (CBP) .

In particular, the decision on the permissibility of the transmission of passenger name records to the US customs authorities is highly controversial. The European Court of Justice ( ECJ ) has annulled these decisions of the Commission and the Council on the basis of an action brought by the European Parliament.

The general data protection guideline was supplemented by the area-specific data protection guideline for electronic communication .

In principle, the member states are not allowed to weaken or strengthen the data protection stipulated by the regulation through national regulations. However, the regulation contains opening clauses for national legislation for certain aspects of data protection.

Germany

According to the case law of the Federal Constitutional Court, data protection is a fundamental right ( right to informational self-determination ). Thereafter, the person concerned can basically decide for himself who to give which personal information.

However, this fundamental right is not explicitly mentioned in the Basic Law. On the other hand, a data protection regulation has been included in most of the state constitutions , for example in Berlin (Art. 33), Brandenburg (Art. 11), Bremen (Art. 12), Mecklenburg-Western Pomerania (Art. 6 Paragraphs 1 and 2), North Rhine-Westphalia (Art. 4 para. 2 as well as the guarantee of the establishment of the data protection officer in Art. 77a), Rhineland-Palatinate (Art. 4a), Saarland (Art. 2 para. 2), Saxony (Art. 33), Saxony-Anhalt ( Art. 6 Para. 1) and Thuringia (Art. 6).

Federal public authorities and companies that provide telecommunications or postal services on a business basis are subject to supervision by the Federal Commissioner for Data Protection . The state authorities are controlled by the state data protection officers . The private companies (with the exception of telecommunications and post) are subject to the supervision of the data protection supervisory authorities for the non-public area, which are based at the state data protection officer or the state authorities (e.g. Ministry of the Interior ). The EU Commission has initiated infringement proceedings against the Federal Republic of Germany, as some state data protection officers and all state authorities do not work “in complete independence”, but rather the state government is authorized to issue instructions.

Austria

The legal basis for data protection in Austria is the Data Protection Act (DSG) . Compliance with data protection is monitored by the data protection authority , which has been headed by Andrea Jelinek since January 1, 2014.

However, it is also possible to enforce data protection under civil law in the ordinary courts (in particular, deletion and correction of incorrect data).

Switzerland

As in Germany, the Federal Data Protection Act regulates data protection for the federal authorities and for the private sector; The respective cantonal data protection law applies to the cantonal authorities.

The cantons are responsible for monitoring compliance with cantonal data protection laws. You are not subordinate to the Federal Data Protection Officer, but control independently.

A notable difference to the regulations in Germany and Austria, for example, is the fact that in Switzerland, in addition to the information obligation, there is also an information obligation (Art. 14 and Art. 18a): Is personal data processed by federal bodies or particularly sensitive personal data or personality profiles by private individuals Persons, then the data subjects must be actively informed by the owner of the data collection. Similar to what is defined in Germany and Austria, in Switzerland any data that allows a profile to be created (Art. 3d) are treated as particularly sensitive data.

church

Procedure

Main principles of data protection are

• The prohibition with reservation of permission (§ 4 BDSG), according to which data may not be processed without a legal basis
• Data economy and data avoidance , special form: prohibition of mandatory real names
• Necessity ,
• Earmarking .

If data may be processed on the basis of a legal basis, technical and organizational measures must be taken to ensure operational data protection in the technical processes and functions. The standard data protection model (SDM) formulates all operational requirements that personal procedures have to meet.

Scope of application

Data protection relates to the collection, processing and use of personal data.

Definitions:

• Collect = procure, Section 3 Paragraph 3 BDSG.
• Processing = saving, changing, transmitting, blocking, deleting, § 3 Paragraph 4 BDSG.
• Use = Any use, unless it is a matter of processing, i.e. H. Use is the generic term for processing and use, Section 3 (5) BDSG.

Data protection control

The public sector oversight is:

• the Federal Commissioner for Data Protection , for the area of ​​the federal authorities
• the state commissioners for data protection , for the area of ​​state authorities
• Special data protection officer for corporations, institutions and foundations under public law (e.g. broadcast data protection officer )

In addition, authorities have the option / obligation to appoint official data protection officers. These can take on individual tasks (e.g. keeping the data protection register), but do not prevent the superordinate officer from monitoring it.

In the non-public area, data protection supervision is regulated by state law. This is z. B. located at the district government, the Ministry of the Interior or the state commissioner for data protection. The Federal Commissioner for Data Protection is also responsible for postal and telecommunications companies .

Various associations are also concerned with strengthening data protection, such as the German Association for Data Protection , the Society for Data Protection and Data Security , the FIfF , digitalcourage (formerly FoeBuD), or in Austria the ARGE Daten and the Working Group on Data Reserves Austria .

Conflicts

Data protection collides with other goals in various areas. These conflicting goals have to be resolved by weighing data protection against other goals. Excessive data protection or data protection in the wrong place can also be harmful.

Data protection and freedom of information

Data protection is fundamentally in conflict with the demand for freedom of information . Freedom of information means that information from public administration ( administrative transparency ) and politics are made public to the citizen (principle of publicity ). However, this information is also subject to data protection and should therefore be treated confidentially. This conflict of goals is resolved very differently. In Sweden , the principle of public access is traditionally valued much higher than data protection. Even highly private data such as income tax returns are public. In Germany there has traditionally been a reluctance of public administrations to publish information. It was only in 2006 that this attitude was relaxed by the Freedom of Information Act . The balance between the concerns of freedom of information and data protection was made in § 5 Freedom of Information Act largely in favor of data protection:

Data protection costs

Data protection causes costs and is therefore in conflict with the goal of companies and administrations to work cost-effectively. Data protection can (albeit to a lesser extent) contribute to cost savings.

You will incur costs, among other things:

• for the data protection officer and his organization (e.g. material resources, employee training)
• due to the fact that operational data processing becomes more complicated and therefore more expensive due to data protection (e.g. access rights management, deletion, archiving and blocking functions)
• by processing requests from third parties about stored data and requests for correction or deletion
• by documenting and checking the data protection measures taken

In addition, there are indirect costs, for example in the form of multiple entries of data if automated data transfer is not permitted (e.g. the tax office may not automatically change the address of taxpayers from the residents' registration office). Use of data that leads to business opportunities is also in some cases not permitted due to data protection. So z. For example, banks do not evaluate their customers' payment transactions to determine whether they have business connections with competitors and then submit product offers to them.

Of even greater importance are economic costs that arise from the fact that in the absence of perfect information there is a significant deviation from the assumptions of a perfect market. Data protection, which (otherwise it would be empty of content) reduces the flow of information, automatically reduces economic efficiency (on this and on further references cf. Maennig 2006). In extreme cases, the hiding of information with reference to data protection is interpreted as an attempt to misrepresent yourself or your company to the detriment of others or society, for example by suppressing unpleasant information. A typical example is laws that protect financial information. These make it possible, for example, for people and companies with an insolvency history to present themselves just as positively as other people and companies. If they then receive loans, credit cards, etc., there is a risk that the number of future defaults and thus the credit risk will increase - with the consequence of higher risk margins for everyone, including the innocent.

Due to the economic costs associated with data protection, the economic answer to the question of data protection is not yes or no; rather, the search is on for an optimal amount and structure of data protection.

To save costs z. B. contribute:

• Smaller amounts of data due to the principle of data economy
• More efficient IT systems due to more systematic IT organization and documentation

The cost aspect has been an issue since the beginning of data protection. A study from 1985 showed data protection-induced costs of from 1977 to 1985

• up to 0.3 million marks for almost all small and some medium-sized companies,
• 0.3 to 0.6 million marks in the majority of medium-sized companies and
• 1 to 3 million marks in most large companies.

A few large companies had costs of more than 20 million marks. Due to ever more stringent data protection regulations, the costs are now many times higher.

A lack of data protection also causes costs, sometimes considerable, for the organizations. The direct costs here are e.g. B. to name fines for non-compliance with data protection regulations. Violations of data protection are potentially capable of damaging the image of the organization and thus damaging the business.

Data protection and the fight against crime