With the entry into force of the General Data Protection Regulation, the topic of data protection gained some presence for a certain period in 2018. This was not least due to the drastically increased penalty ranges for fines, which as is well known can reach up to 20 million euros or 4% of the total global turnover.
What seems to have largely escaped public attention in the process, however, is the fact that national legislatures have introduced judicial criminal offenses in addition to this particular form of punishment of the "fine" under data protection law. This is the case in Austria and Germany, for example. In Austria, the following provision was introduced for this purpose in Section 63 of the Data Protection Act:
"Whoever, with the intent to unlawfully enrich himself or a third party thereby, or with the intent to harm another thereby in his right guaranteed by § 1 para. 1, or with the intention of damaging another person's rights as guaranteed by Section 1 (1), uses, makes available to another person or publishes personal data which have been entrusted to him or have become accessible to him exclusively on the basis of his professional employment or which he has obtained unlawfully, although the person concerned has a confidentiality interest in such data which merits protection, shall be punished by the court with imprisonment of up to one year or with a fine of up to 720 daily rates, unless the offence is punishable by a more severe penalty under another provision."
§ Section 63 of the Data Protection Act thus aims to safeguard the fundamental right to data protection standardized in Section 1 of the Data Protection Act with the most severe sanction known to Austrian law, namely imprisonment.
The criminal offense sanctions the processing of personal data with intent to enrich or with intent to harm.
Under these circumstances, the processing of personal data that has been entrusted or made accessible on the basis of professional employment or that has been obtained unlawfully is punishable.
Personal data in which the data subject has a confidentiality interest worthy of protection is protected. According to Section 1 of the Data Protection Act, a confidentiality interest worthy of protection does not exist "if data is not accessible to a confidentiality claim due to its general availability or due to its lack of traceability to the person concerned". Otherwise, the law generally assumes that a confidentiality interest worthy of protection exists.
While data processing with intent to cause damage in the corporate sector will only be realized under exceptional circumstances, data processing with intent to enrich is accomplished much faster than one would like to believe.
A problem in this context is the unfortunately widespread use of online tools, which are now generally known to be made available free of charge because they serve as data collection tools in the background for the companies providing them. This applies in particular to tools integrated into many corporate websites, such as Google Analytics or YouTube videos. The quid pro quo for the use of these tools is that data of every website visitor flows to Google or YouTube.
This data outflow is inadmissible under data protection law in most cases, at the latest since the repeal of Privacy Shield. Apart from the fact that the outflowing data in connection with company websites mostly became accessible in the context of professional employment, this also usually constitutes unlawful acquisition.
The crux of the matter, however, is that the use of these tools, which are highly questionable under data protection law, is usually based solely on the fact that they are made available free of charge and thus no costs are incurred for the company's own provision of such resources or the use of data protection-compliant solutions. However, intent to enrich is not only given if the aim is to achieve a profit, but also if the result of the frowned-upon action is to be a saving.
Inactivity on the part of data protection authorities currently often leads to known data protection problems being taken lightly, as there are supposedly no consequences under data protection law.
However, anyone who accepts problems under data protection law in order to avoid the expense of implementing them in compliance with data protection law is committing a crime of data processing with intent to enrich and is suddenly no longer dealing with an elusive data protection authority, but with the responsible public prosecutor's office.
The use of YouTube videos on corporate websites in particular therefore poses a massive risk for corporate decision-makers, which in the worst case can result in the imposition of custodial sentences.