In May last year a German lower federal court ruled that the use of WhatsApp is not legitimate without having obtained consent from those individuals whose contact data is uploaded to a WhatsApp messenger account (AG Bad Hersfeld, 15.05.2017 – F 120/17). The court considered the fact that WhatsApp automatically uploads the phone numbers of all contacts in a smartphone’s address book. In its standard terms and conditions WhatsApp declares the following:
“Address Book. You provide us the phone numbers of WhatsApp users and other contacts in your mobile phone address book on a regular basis. You confirm you are authorised to provide us such numbers to allow us to provide our Services.”
In the court’s opinion, this automated upload infringes other users’ rights of self-determination if done without their consent. No less important, the court even ruled out implied consent of those users who were already subscribed to WhatsApp and, as such, should be aware of this automated data upload mechanism. In the ruling the court asked a mother to produce the missing consent of those individuals that had been uploaded by her son to his WhatsApp messenger account.
Read about Thilo Weichert's take on the topic here.
When taking a look at the German court’s reasoning, it appears that individuals can be held liable when using WhatsApp and companies could be held liable when allowing their employees the use of WhatsApp on their business devices.
This is even more precarious with the GDPR on the horizon. So, where do companies stand with their preparations for the GDPR, and could the considerations of the German court have a legal impact on other jurisdictions as well?
On their path towards the GDPR, what challenges do companies typically face to achieve compliance?
In our view, different companies have different roads to the GDPR. Some already have fairly good knowledge of data protection and related requirements, while others are total novices in this area. However, most companies typically struggle to determine their data processing landscape, in particular as regards international data transfers. Yet, such an assessment is an indispensable requirement in order to properly determine compliance gaps that need to be filled before the GDPR comes into force. Other fields where action is typically required are improperly drafted (or even missing) data processing agreements and consent declarations and, of course, the implementation of the new concepts of the GDPR, such as records of processing activities, the concepts of privacy by design / default or of data portability.
Most companies are well aware of the upcoming changes, but only a few have already taken active measures towards compliance. A significant portion of companies are in the very early stages of launching their GDPR compliance programmes. The main challenge is to implement the GDPR requirements for the personal data that they are already processing and that is historically collected and stored in various places and systems in both hard and soft copies. The localisation of such historically collected personal data seems to be a common hurdle, but an important one to overcome in order to apply the new rules and principles.
The changes brought about by the GDPR are commonly regarded as a positive development toward greater coherence between the broad range of national rules. Nevertheless, satisfying the demands of the new regulation requires practitioners, ie entrepreneurs and companies, to specifically observe its demands on clarity and transparency of data processing. As recent studies show, even though almost 90% of Polish company managers have come into contact with the GDPR provisions, more than three quarters of them are not aware of the severity of the financial penalties for non-compliance. What's more, companies are having trouble identifying the entities within their business structures responsible for compliance with new regulations. A company's ability to incorporate the GDPR is also broadly assessed in respect of its consistency in introducing up-to-date technologies and the ensuing burden of additional costs. Only one-third of enterprises invested in advanced tools to manage data security and prevent leaks of sensitive information. Polish companies could rely more on lawyers in order to familiarise the business teams with the new rules. On the other hand, compliance will not be achieved without closer and multidimensional cooperation between lawyers and IT professionals.
While in some cases the GDPR constitutes obligations for controllers and processors not established in the EU, we assume that Serbian companies operating in the EU will mostly face issues with respect to the applicability of the GDPR. As Serbian companies generally lack awareness of data protection, especially the obligations arising therefrom, it is realistic to expect a lot of issues in terms of compliance with the GDPR. In this regard, the obligation to appoint a representative in the EU under certain conditions (or the question of liability in the event of non-compliance with GDPR), seems to be the kind of issue that will raise doubts amongst Serbian legal entities. On the other side, the existing legal framework in Serbia does not provide a solid enough basis for efficient data protection in practice, and is not compliant with the rules of the GDPR. However, a new Act on Data Protection is expected to be adopted in early 2018, and will be harmonised with the GDPR, therefore decreasing the amount of uncertainty in practice.
Since the GDPR applies not only to organisations located within the EU but in certain cases also to companies outside the EU, the main issue for local companies will be to precisely determine if and when the GDPR applies to them, and if so, which obligations in particular. Implementing internal policies, processes and controls with the aim of mitigating risks related to privacy and confidentiality will be another issue for local companies on their path to the GDPR. Further harmonisation of the regulatory framework in Montenegro with the GDPR is also expected in the near future.
Most companies in Macedonia seem fairly well informed and responsive as regards data protection and their obligations under the data protection laws. The Directorate for Personal Data Protection has put in place many encouraging features to support greater awareness and to ensure that officers know about the changes in data protection regulations. This is done through regular training and workshops for data protection officers, but also through regular compliance controls of designated officers in companies. As Macedonian data protection law is largely in line with EU law, there are not many bridges which need to be crossed at this stage before the coming into force of the GDPR.
The GDPR is about regulation, but the recent court ruling in Germany shows a trend towards increased self-responsibility. Do you think your domestic courts might follow this path and establish case law focusing on the self-responsibility of the user?
Austrian case law has long been dominated by a focus on protection, in particular with respect to B2C relationships. The Austrian Supreme Court imposed very rigid formal requirements on individual consent when this consent should form a valid legal basis for the processing of that individual's data. In a nutshell, we would not expect the Austrian courts to increase the self-responsibility level of users / data subjects in the near future. In fact, we would not be surprised if in light of the accountability standards of the GDPR, the Austrian courts might even increase the compliance standards on data controllers (ie the companies processing personal data). In our opinion, however, a very significant point of the German court ruling is the fact that the court has denied the implied consent of other WhatsApp users to their data being uploaded, since the court has concluded that WhatsApp users do not understand the messaging app's T&Cs, which prevents the court from assuming implied consent. This rigid interpretation on the validity of implied consent might easily be adapted by the Austrian courts, since it ultimately strengthens the data subjects' protection. Companies should thus be very careful when relying on implied consent to process personal data.
Bulgarian case law is poor on privacy disputes. So far the regulator and the court have interpreted the law very strictly and we do not expect the Bulgarian courts to increase the self-responsibility level of users in the near future. The main focus is on the business and not on individuals when processing personal data in the course of individuals' personal or household activity.
The Polish courts approach the regulation of individual consent in quite a stringent manner. It is commonly assumed that such consent should be explicitly expressed. Moreover, the Supreme Administrative Court stated that the consent cannot be abstract, but should refer to the specific facts, including only the specific data and the precise manner and purpose of their processing. Separate consent to data transfer to third parties must be required, and the user must be granted optionality whenever giving consent to data processing. What appears more significant in light of the recent German ruling is that these restrictive conditions for data processing so far have been addressed exclusively to data controllers. Even though the German decision will not have a direct impact on the Polish system, the strict approach of Polish courts and other authorities is expected to continue following the entry into force of the GDPR. Since the GDPR rules are binding on the entities which effectively process data, the stricter responsibility will be attributed to the employees charged with these duties or, more likely, to the companies' management boards.
Considering the lack of Serbian court practice in the field of data protection, it is difficult to anticipate trends in its further development. However, as regards implied consent, it should be stressed that the current Serbian Data Protection Act does not regulate and allow implied consent; it rather asks for express consent (eg in writing). Implied consent shall be introduced by the forthcoming New Data Protection Act. Given that this new Act was prepared based on the provisions of the GDPR, it can be expected that once it is adopted, court practice will also shift towards the practices of the European courts.
Given the extremely modest existing case law on the subject, it is hard to predict whether domestic courts will establish case law that puts the focus on the self-responsibility of the user. The fact that court practice in Montenegro is not uniform makes it even more unpredictable. However, companies should take all necessary measures to implement adequate data protection and risk management processes, and view the practice of the European courts as a sign of possible further developments in the practice of the local courts.
Macedonian data protection law leans heavily on the idea of consent, and companies are increasingly using explicit consent wherever data may be processed. This is deliberately aimed at avoiding the question of implied consent in the WhatsApp case. Taking into account the current Macedonian data protection law and reforms that are now underway, we do not expect much room to be left for self-responsibility. In addition, the Directorate for Personal Data Protection maintains regular controls of companies and their compliance with the law on data protection (on a regular, occasional and monitoring basis), and processors are heavily fined for non-compliance with data protection laws. For these reasons, we expect that Macedonian courts will most likely gravitate towards a more regulatory approach as per the GDPR.
Austria: Gunther Leissler
Bulgaria: Stefana Tasakova
Macedonia: Nina Petkovska, Magdalena Petreska
Poland: Pawel Halwa
Serbia, Montenegro: Marija Zdravkovic, Pavle Tasic, Ana Vukcevic
Slovakia: Michal Lucivjansky