Jusletter IT

After a nearly four-year legislative process a political consensus has been achieved in December 2015 on the new EU General Data Protection Regulation between the European Parliament and the Council of the EU. Important improvements: strengthening data subjects' rights, right to be forgotten, right to data portability, simpler access to information, and a data breach notification. Data protection authorities will be strengthened. Violations of data protection law can be punished with high administrative fees. The General Data Protection Regulation shall enter into force in 2018.

The concepts of «Privacy by Design» and «by Default» have gained importance over the last years since it was recognized that solely formal legal regulations are not able to secure data protection. This assessment is now also reflected in the General Data Protection Regulation; several provisions enable technical engineering in compliance with data protection rules. For the first time, providers of products and services are legally requested to take data protection concerns into consideration in the IT development phase. This procedure should solve the currently existing issues of the technical implementation of normative data protection requirements. However, the success of these regulations will be vitally dependent on the cooperation of market-dominant IT-companies and the introduction of technical standards.

The article highlights selected characteristics of consent according to the final draft of the European Union (EU) General Data Protection Regulation (GDPR) dated December 15th, 2016. In particular, the aspects of a «clear affirmative action» as well as the «freely given» consent are being analysed and compared to Swiss laws.

The consent is the foundation to the probably most frequent case of processing of personal data in practice. This is reflected not only in the right to concealment in basic data protection rights, but also serves as a protection of children against discriminatory legal transaction, especially in distance sellings. By the imminent decree of an European General Data Protection Regulation, many of the current issues regarding delimination and differentiation of approval according to civil and data protection law could have been solved. The fact is, that this has not been done, in reality even more questions have occured. The article shows the current complex of problems and provides an insight into the impacts of the – after an agreement in trilog procedure has occured – soon to be implemented regulation.

Performed by Weblaw AG, on 2 November 2015, the first Webinar@Weblaw took place on the topic of «The Safe Harbour Decision of the ECJ». The respective podcasts are available here. (ah)