Data Protection & Privacy in Streaming

Data protection and IT service providers

 

1. Fundamental right to data protection

The protection of natural persons in the processing of personal data is treated in the European Union as a fundamental right of all Union citizens that is specially protected by law. The essential legal basis for this is the European General Data Protection Regulation, or GDPR for short (DSGVO in German).

The aim is to facilitate cross-border processing within the EU by ensuring a uniform level of protection throughout Europe. Conversely, personal data should be protected from being processed in countries where no adequate protection of this data can be ensured.

The goal of European data protection law is thus to ensure the highest possible level of protection of personal data within the EU and to prevent dilution or undermining of this protection through data processing in countries without equivalent protection.

To this end, one of the tasks of the European Commission is to assess the extent to which countries outside the EU can guarantee an adequate level of protection. The prerequisite for this is that the principles of the rule of law are upheld and that enforceable legal protection options are granted.

 

1.1 Personal data

The fundamental right to data protection applies to the processing of "personal data."

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified by characteristics such as a name, an identification number, location data, an online identifier, or one or more other special characteristics.

 

1.2 Processing of personal data

Any procedure involving personal data legally constitutes a "processing" of personal data. This therefore covers, in particular, all standard technical processes such as the collection, storage, retrieval, use and provision - but also any form of transmission of data.

On the basis of European data protection law, a number of basic principles must now be observed for the processing of personal data:

 

Streaming Privacy - Transparency

The handling of data must be transparent. The subject must at least be informed or aware that their data is being processed (e.g., that they are being photographed, filmed or recorded).

Streaming Privacy - Data

The principle of "data saving" (data minimization) applies. Whenever possible, no personal data should be processed or recorded.

According to the GDPR, the processing of personal data is generally permitted if at least one of the following reasons exists:

  • the affected person has consented,
  • the processing is necessary to fulfill a contract with the data subject,
  • the processing is necessary to comply with a legal regulation,
  • the processing is necessary to protect vital interests,
  • the processing is necessary for the performance of a public task, or
  • the processing is necessary for the purposes of the legitimate interests of the Processor or a third party.

 

Filming, photographing or making sound recordings is prohibited when:

  • it is an invasion of the privacy of others,
  • the recordings are used for facial recognition or other automated processes,
  • the recordings contain references to specially protected personal data, or
  • the data subject(s) has/have withdrawn consent. Consent can also be withdrawn, for example, after a photo has already been taken; the photo must then be deleted immediately.

 

2. Transfer of personal data

An essential form of processing of personal data is the transfer. In particular, a transfer takes place whenever service providers are used to provide services on or with the data in question.

On the one hand, such data processing by a processor takes place in connection with an active transfer of personal data from the controller to the processor. On the other hand, a legal transfer also takes place when a processor determines, stores and processes data on behalf of the controller - regardless of whether the data is ever also technically under the control of the controller.

According to the GDPR, a prerequisite for the use of a processor is, in principle, that the respective processor provides sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that the processing meets the requirements of the GDPR and the protection of the rights of the data subjects is ensured. The fulfillment of these requirements must be contractually enshrined.

Initially, a transfer of personal data is generally only permitted if the processor is located in an EU member state.

The GDPR stipulates that personal data may generally only be transferred to a third country if the country in question ensures an adequate level of protection for the transferred data.

In this context, the EU Commission must now determine by decision which third countries can guarantee the rule of law, adequate legal protection options and an overall adequate level of protection for personal data on the basis of their domestic legislation or their international obligations.

In the absence of such an adequacy decision, such a transfer may only take place if the exporter of the personal data established in the Union provides appropriate safeguards, which may result, inter alia, from standard data protection clauses developed by the Commission, provided that data subjects have enforceable rights to the protection of their data on that basis.

If there is neither an adequacy decision nor appropriate safeguards in place, a transfer to a third country is in fact only permissible with the explicit consent of each data subject. However, a prerequisite for effective consent is prior full information "about the potential risks to the data subject of such data transfers in the absence of an adequacy decision and appropriate safeguards."

Example:

Significant adequacy decisions legalize data transfers to Switzerland and Canada.

However, no adequacy decision exists for transfers to the USA. In July 2020, the European Court of Justice put a stop to interim attempts to declare transfers to the USA legal.

Specifically, with its Privacy Shield decision, the European Court of Justice overturned the interim adequacy decision based on U.S. self-certifications under the EU-U.S. Privacy Shield agreement.

The reason given for the cancellation was that

  • relevant U.S. legislation does not have safeguards adequate for a state governed by the rule of law and, in particular, the known spying programs such as PRISM have neither any restrictions nor any legal protections for data subjects,
  • the fact that European data could be exposed to such a risk would constitute a violation of European fundamental rights, and
  • the legal situation in the U.S. cannot therefore ensure an equivalent level of protection of personal data in substance.

Some U.S. companies still try to present standard contractual clauses as a suitable basis for data transfers to the United States. The European Court of Justice has expressly stated in this context that standard contractual clauses can in principle constitute a suitable legal basis for transfers to third countries, because they themselves provide mechanisms that terminate transfers based on them as soon as the recipient is no longer in a position to fulfill its obligations under the agreement. In the case of the U.S., however, where under current law government and intelligence access is possible at any time, contractual commitments simply cannot be honored, because no contractual arrangement can override statutory law. Thus, the use of standard contractual clauses as a basis for U.S. transfers is inevitably ruled out; using them would mean that any transfer on their basis would have to be suspended immediately and the respective contract ultimately terminated.

In practice, this means that the use of U.S. service providers in connection with the processing of personal data will in most cases only be permissible with the explicit consent of each data subject, or one must ensure that no personal data is transferred. The latter, however, can only be implemented through consistent use of encryption in which the respective service provider has no access to the keys.

 

3. Consequences

Violations of the regulations surrounding the transfer of personal data to third countries are known to be punishable by fines of up to EUR 20 million or up to 4% of the total annual global turnover.

However, the civil enforcement component can be even more serious than such penalties. The GDPR allows data subjects to claim damages in the event of data breaches. For the individual data subject, the damage caused by a data protection breach may not be large in an individual case; however, because of the potentially high number of similarly injured parties, the total compensation owed can under certain circumstances easily eclipse potential fines.

From the perspective of the Board of Management/Executive Board, it should be borne in mind that Austrian law in particular also provides for fines to be imposed on decision-makers in the company, and that the company's obligations to pay damages may in turn raise liability issues for the Board of Management/Executive Board.

Data protection violations are no trivial offense

Particularly in connection with the transfer of personal data to U.S. recipients, a rapidly increasing number of authority and court decisions now address the use of U.S. service providers and provide clarity on an issue that was previously not taken entirely seriously because of a perceived lack of clarity, or was deliberately swept under the rug.

4. Latest judgments

Authority/Court: Commission Nationale Informatique & Libertés (French Data Protection Agency)
Date of decision: 10.02.2021
Concerns: Google Analytics
Core statements/Consequences: The use of Google Analytics is not permitted. Standard contractual clauses are not a suitable legal basis for a data transfer to a US recipient. The technical measures set by Google are also insufficient to establish an adequate level of data protection.
Original text: https://www.cnil.fr/sites/default/files/atoms/files/decision_ordering_to_comply_anonymised_-_google_analytics.pdf

Authority/Court: Landgericht München (Munich Regional Court)
Date of decision: 20.01.2022
Case number: 3 O 17493/20
Concerns: Google Fonts
Core statements/Consequences: By retrieving Google Fonts (fonts for the display of text on websites), the IP address of the respective website visitor is transmitted to Google and thus to a US recipient. This transmission is not permitted. The transfer of the website visitor's IP address and the associated encroachment on the general right of personality is so significant with regard to the loss of control over personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the user as a result, that a claim for damages in the amount of EUR 100 is justified.
Original text: https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/

Authority/Court: European Data Protection Supervisor (EDPS)
Date of decision: 05.01.2022
Case number: 2020-1013
Concerns: Google Analytics, Stripe
Core statements/Consequences: The use of cookies for Google Analytics and Stripe and the related transfer of personal data to US recipients is not permitted. Standard contractual clauses are not a suitable legal basis for a data transfer to a US recipient.
Original text: https://noyb.eu/sites/default/files/2022-01/Case%202020-1013%20-%20EDPS%20Decision_bk.pdf

Authority/Court: Österreichische Datenschutzbehörde (Austrian Data Protection Agency)
Date of decision: 22.12.2021
Case number: D155.027 2021-0.586.257
Concerns: Google Analytics
Core statements/Consequences: The use of Google Analytics is not permitted. Standard contractual clauses are not a suitable legal basis for transferring data to a US recipient. In order to use Google Analytics legally, the explicit consent of each individual website visitor would have to be obtained after appropriate risk disclosure.
Original text: https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_DE_bk_0.pdf

Authority/Court: Administrative Court Wiesbaden
Date of decision: 01.12.2021
Case number: 6 L 738/21.WI
Concerns: Google Tag Manager, Cookiebot, Akamai
Core statements/Consequences: The use of the consent service Cookiebot is temporarily prohibited. The transmission of the website visitor's IP address to a US recipient is not permitted. The use of the "Cookiebot" service transmits personal data to a US recipient, since the service is delivered by the content delivery network "Akamai" and the IP address is transmitted to Akamai on the occasion of the delivery.
Original text: https://rewis.io/urteile/urteil/2tj-01-12-2021-6-l-73821wi/

Authority/Court: European Data Protection Supervisor (EDPS)
Date of decision: 03.05.2021
Case number: 2019-0878
Concerns: Google Analytics, YouTube
Core statements/Consequences: The use of Google Analytics and YouTube cookies without the consent of the user is prohibited.
Original text: https://gdprhub.eu/index.php?title=EDPS_-_2019-0878