Pandemics bring up issues related to fundamental rights and civil rights: freedom of movement, freedom of occupation and freedom of personal development – they are all being restricted to protect people’s health. The list could go on. The right to informational self-determination – to data protection – is also suffering from measures to combat the pandemic. That was the conclusion of the Annual Report 2020, which Stefan Brink, State Commissioner for Data Protection and Freedom of Information (LfDI) in Baden-Württemberg, presented at the beginning of this week. (8/2/2021)
Data is the new gold – and it is not just during pandemics that informational self-determination is suffering. We all surf the enormous world of the web and in doing so leave behind traces.
If you visit a website these days, you often see a huge block of text that reads: “We use cookies.” And underneath it says in large, bold text: “Accept all.” The alternative text is placed underneath, tiny and inconspicuous: “Other settings.” Users don’t want to make any settings, they just want to visit websites. So it’s no wonder that most just click “Accept all.”
One thing that’s a little reassuring here is that even Silicon Valley giants like Elon Musk are getting annoyed with it. Internet users should actually be happy about these cookie banners. For a long time, websites and advertisers just set cookies that created profiles about users without asking them first.
The flood of cookies has been regulated: The first step was the General Data Protection Regulation (GDPR), which came into force in May 2018. After that, banners appeared on websites saying something like: “By browsing our website, you accept that we use cookies.” The European Court of Justice ruled in 2019 (ref. C‑673/17) that such tacit consent is not legal and referred the case in question back to the Federal Court of Justice (ref. I ZR 7/16), where the case was originally heard. In May 2020, the Federal Court of Justice (BGH) ruled that the user’s consent is necessary for a site to be allowed to set cookies.
We are talking to Dr. Klaus Meffert. He has been working in software development for more than 30 years and has been intensely involved with the topic of data protection on websites since 2017.
Why have we needed to consider data protection on websites more closely since the summer of 2020?
There are, of course, some legal reasons – but there is also a personal expectation that you as an entrepreneur treat data from prospective customers or clients with care. The other thing is that here in Germany, we are dependent on the US as far as online services are concerned, starting with which tools we use for video conferencing…
I have to say here that things are not going to get any better in Germany. That’s because as long as we give Google and others even more data about us, we will not be able to catch up with the defecit we have in the online sector. I checked the numbers here again: Google now has triple-digit billion turnover every year. I would claim that Google achieves these numbers to a very large extent because of the data we hand out so liberally and that Google of course also makes use of in a targeted way.
Here’s a simple suggestion that is easy to implement: Why doesn’t the state finance the creation of a video platform? This would enable all website operators to solve the problem of embedding videos on their websites in a privacy-compliant way. The platform also doesn’t have to offer everything that YouTube can, but only as much as is necessary for its primary purpose. The costs for this are considerably lower than for the coronavirus app, as long as the contract does not go to those two lumbering companies again, both of which I worked for, by the way, for several years.
The legal reasons should actually be enough. Laws are there to be respected. It’s a bit difficult sometimes, especially when you’re given the wrong advice.
One issue is that network addresses – i.e. IP addresses – are personal data, and these data are transferred every time a website is visited, and if a website integrates any third-party tools – Google Maps, fonts, videos, etc. – then the network address of the caller, i.e. the user, is also passed on to this third party. In addition, numerous connection data are passed on – this is necessary due to the internet protocol – which allows users to be tracked. According to the General Data Protection Regulation, this is precisely what is not permitted without consent, and there is also a ruling in this regard on Privacy Shield from the ECJ on 16 July 2020. According to that ruling, the transfer of personal data to the US is not permitted without a legal basis. Standard contractual clauses may also not be effective for the US. Think of the Cloud Act here.
It’s possible to comply with data protection on the internet – especially since there are usually good alternatives. Sometimes it even makes sense to just stop using certain tools and delete them without replacing them. Instead of integrating Google Maps, a “Plan route” button is often sufficient. Then you can even preset the destination address.
We have noticed that more and more pages have these cookie banners where you have to click on the permissions individually.
Some do it in a really tricky way and use different colours to tempt the user to quickly click through.
People who work on data protection talk about “nudging” here – that is, seducing people to agree to the selection because it’s usually a big green button and the alternative is a small grey button on a white background. That may be permissible in particular cases. But if you first have to search for the place to decline, then I also believe that’s unlawful. If the decline button is visually de-emphasised a little, is the same size as the other button and is also accessible with a single click, that’s a borderline case. I don’t think that’s right either, but the risk is lower for the user. I saw an example where the option to decline was hidden in the text body, as a text link. Personally, I think that’s clearly illegal.
Cookie banners, however, are in themselves almost a guarantee that the website is not compliant with the law. You can see this in a practical test that is published on my blog Dr. DSGVO. I also describe how there are demonstrable reasons why consent tools can never work completely reliably.
A lot of marketers are getting a little stressed now because they would like to know a lot about their target group. This is bound to spark heated discussions in some companies. What kind of danger do you have to reckon with if you allow yourself a little bit of a careless attitude here? If you think for example that “Nobody else is doing it, so why should I?”
That’s not a good argument to my mind. The party responsible for the data is liable, and this is initially the operator of the website or the body named as the controller in the data protection declaration.
What orders of magnitude are we talking about in terms of liability?
Liability means first of all being responsible. This initially results in a lot of work, stress and often also financial costs. This could involve an inspection by the supervisory authority due to an (anonymous) complaint or a warning by a private person or a competitor. Especially for larger companies, there’s a risk of severe fines because the GDPR allows for turnover-based sanctions.
What about Google Analytics? Is it even possible to integrate it in a legally secure way?
It’s not entirely legally possible to use Google Analytics – in my opinion.
When it comes to consent, they have to explain what you are consenting to. Then they would actually have to write: “Please consent to us sharing your data with Google and Google doing what it wants with your data and also sharing that data with anyone Google sees fit.” If you formulate it like that, I could imagine that it would be legally secure if the GDPR didn’t require purposes to be clearly defined… The consent also has to be understandable for the normal user who’s not a computer scientist with a PhD, what you are consenting to has to be completely defined, and all formal requirements have to be met. That means Google Analytics could only be loaded after you have given your consent. I think that’s pretty impossible with Google Analytics. Apart from that, we also have to be clear that the vast majority of websites don’t have enough visitors that Analytics actually produces good data. If you add a consent banner then, which is required for Google Analytics, then there would be even fewer visitors. And it would be even less worthwhile to use Google Analytics.
Matomo is an alternative. You can configure it in such a way that it doesn’t even require consent, and you can still find out a lot of information about your users. You can do a lot with it.
For example, you can shorten the IP address, you can also make settings so no cookies are set or, for example, users can only be recognised as returning users for 24 hours. Data protection officials – e.g. from BW – say they still think it’s OK if a user can be identified as a returning user within 48 hours. Data protection authorities are usually a little more accommodating than the courts in this regard. I would say the maximum that could stand up in court is 24 hours. That’s my personal assessment. But definitely not a week. We’re talking about one or two days. … You can read the behaviour of this pseudonymised user on the site – which paths they took to arrive at the site, for example, which pages they visited, and which topics they find interesting.
That means I can see which search terms they used, where they came from, and what in particular they were interested in. But I can’t read off the IP address and then determine it was Ms or Mr XY from Z.
Think of Google Search Console here. If you want to know the search terms that were used to reach your website, you can use this option really well and also be on the safe side in terms of data protection law.
Integrating social media – Facebook, Instagram, YouTube –
If you just link to these services, it isn’t problematic from a data protection point of view. However, if special plug-ins are integrated, where, for example, the latest comments on your Facebook account could also be read on the website, that isn’t permitted without consent.
The integration of social media plugins can be handled in a reasonably legally secure way with the Shariff plugin. When it comes to just placing a link on the page, you can safely do as you please.
How do you see the integration of “Recaptcha” email forms in terms of data protection?
Recaptcha is a Google tool. This tool is subject to a consent requirement just because of the considerable number of cookies that are transmitted. This is absolutely mandatory under the ePrivacy Directive, which also applies to Germany according to a BGH ruling from 2020.
There are alternatives. But for that you have to look at the respective system. With WordPress, for example, there’s contact form Image reCaptcha. It can be integrated and runs on your own server.
What are the most common reasons for warnings?
So-called consent tools, often referred to as cookie consent tools, are, according to my field test of 10 popular consent solutions, a great danger for websites and quite often make them worse. I haven’t found a single website that was even close to legally sound when it used a consent tool. Even the providers of such tools, who use their own tool on their own website, can largely be described as GDPR non-compliant.
The data protection declaration is almost always significantly incomplete, even if someone has worked hard on it.
There are also often incorrectly integrated YouTube videos. Google Analytics is integrated illegally surprisingly often.
Quite often, mandatory information is also missing from the legal notice (this is not a data protection issue, but can be subject to a warning).
And often the data protection declaration is not always accessible with two clicks (it’s already enough if the problem is on an end device, such as a smartphone), or the link to the data protection declaration is not present on every page. The latter applies to every second website, even if many think otherwise.
What is your forecast for the future?
In the last few weeks, I’ve been working even more intensely than usual on the technical and legal aspects of data protection on websites.
You can read more about this and other topics on my blog Dr. DSGVO. In order to move data protection forward in Germany and Europe, I provide support in terms of knowledge for the non-profit data protection organisation None of Your Business (noyb.eu), where Maximilian Schrems is the honorary chairman. He brought about the ECJ rulings on Privacy Shield and then on Safe Harbor as well.
What exactly can you offer people who might read this interview and say: “Man, this guy knows what he’s talking about. What do I have to do to ensure my website is secure in terms of data protection so I can sleep soundly?”
There are several options. For those who have a small budget, we offer the option to do a deep audit of the website with the software I’ve developed. It produces a custom data protection declaration that you can use as a template. And if someone wants to spend a little bit more money, we also provide professional and technical advice. We help our clients find the best possible solution through personal advice. Using the tool I wrote, we can do this very efficiently and, of course, very cost-effectively. So legal certainty is no longer a question of price then but only of willingness. We primarily help avoid consent requests altogether. It’s more fun for the website visitors and increases the legal certainty for the data controller enormously.
We also offer a data protection quality seal after someone has secured their website in consultation with us. It can be embedded on their website. An added value for the client is obviously that the visitor sees the provider takes data protection seriously. A second added value, apart from legal certainty, is that if a website visitor thinks they’ve found a problem and clicks on the seal, they can also contact us. And if the assumption that something is wrong is unjustified, we can also respond directly. Otherwise we can mediate and reply that we will take care of the issue and pass on the request. Then the visitor feels heard, and the website operator doesn’t have any problems.
If you don’t want a website audit, but just a consultation, you can book me and get answers to all your website questions. I can offer a technical and legal consideration of the issues. For a solution to be good, it needs to be holistic.
If someone takes data protection on their website seriously, that’s already a positive sign. It’s a kind of quality feature for the company.
Thank you very much for the interview!
Editor’s comment: Dr. Meffert regularly writes about digital data protection on his blog Dr. DSGVO https://dr-dsgvo.de
DISCOVER THE STRENGTH OF MOBIMEDIA!
84347 Pfarrkirchen Rottpark 24 +49 8561 96160 info@ mobimedia.de