Ability to waive the security of processing through data protection consent
The question of whether the level of IT security can be lowered by consent is a recurring debate in Germany, even under the “old” Federal Data Protection Act. The prevailing literature is of the opinion that Art. 32 GDPR is not disposable or waivable; however, this also shows that differing views exist. In addition to the GDPR, various legal acts of the EU and the German legislator specify minimum requirements for IT security that must be complied with. IT security is therefore not a requirement that is determined solely and exclusively by the GDPR; other legal acts must also be observed.
In the following, some selected legal acts relating to regulations for ensuring IT security are assessed to determine whether the legal requirements for IT security contained therein can be weakened by consent under data protection law. This assessment is intended to inform data controllers so that they can make a more informed decision on how to deal with the issue.
To this end, the most important European and German legal framework is first briefly presented, then the case law on data protection aspects is examined (most other regulations are too new for courts to have already dealt with issues arising from them), followed by a presentation of the positions of various data protection supervisory authorities, which naturally only deal with data protection issues. Finally, the effects of these positions are discussed and the main points of the article are summarized.
The legal requirements
European law
Art. 24, 25 and 32 GDPR oblige controllers to take appropriate technical and organizational measures to ensure an adequate level of protection.
Art. 24 para. 1 GDPR requires the controller to implement “appropriate technical and organizational measures, taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. All measures must ensure that the processing is carried out in accordance with the requirements of the GDPR. Art. 24 para. 2 GDPR even explicitly emphasizes the requirement for data protection precautions, stating that the measures must be “proportionate” to the processing activities and the risks associated with them. At the same time, Art. 24 para. 1 sentence 1 GDPR contains an obligation to provide evidence (accountability).
In accordance with Art. 25 GDPR, the controller must take appropriate measures for the entire duration of the processing – i.e. from the planning of the processing to the end of the processing, including the deletion of all data – to ensure that all rights of data subjects are protected and that the GDPR is fully complied with. The factors to be considered when assessing the suitability of technical and organizational measures are listed exhaustively in Art. 25 (1) GDPR; consent is not included.
Art. 32 GDPR elaborates on the general principle of integrity and confidentiality contained in Art. 5 para. 1 lit. f GDPR and requires that an adequate level of protection for the security of personal data is ensured. The risks that may arise from the destruction, loss, alteration or unauthorized disclosure of personal data must be taken into account by controllers – and also by their processors – as factors in their choice of appropriate and proportionate safeguards, as a single vulnerability can compromise the overall level of protection. Therefore, if the level of protection is lowered in even a single individual case, the evaluations must be considered and presented in the form of a risk assessment. For example, opening an email attachment can pave the way for malware in various forms to enter the IT environment that is actually secured.
Art. 24, 25 and 32 GDPR assign obligations to controllers without making these obligations dependent on the consent of the data subjects, as the legislator did, for example, as an exception in Art. 49 para. 1 lit. a GDPR for third country transfers. The justifying effect that Art. 6 para. 1 lit. a GDPR grants to consent relates exclusively to the “whether” of the processing, but not to the “how”.
On March 12, 2024, the Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (“Cyber Resilience Act”) was adopted, but has not yet been published in the Official Journal of the EU and is therefore not yet legally binding. The Regulation does not apply (Art. 2 paras. 2 to 4) to products covered by Regulation (EU) 2017/745 (medical devices), Regulation (EU) 2017/746 (in vitro diagnostic medical devices), Regulation (EU) 2019/2144 (type-approval of motor vehicles and their trailers, etc.), Regulation (EU) 2018/1139 (civil aviation) or Directive 2014/90/EU (marine equipment). Accordingly, the regulation applies to all medical IT systems that are not medical devices.
In principle, the regulation primarily affects manufacturers or distributors/actors who provide corresponding products on the European market. According to Art. 6 of the Cyber Resilience Act, however, the “essential requirements” specified in Annexes I and II must be implemented when procuring or using products with digital elements (i.e. software or hardware products). The requirements for users of such products include dealing with security vulnerabilities, but also basic IT security requirements such as authentication, identity or access management systems that the software must support. Indirectly, these legally stipulated options that software must provide during use create requirements for users with regard to how they handle these options.
The NIS 2 Directive, which must be transposed into German law by October 17, 2024, extends the scope defined by the NIS Directive and includes “essential and important entities” in addition to critical infrastructures, meaning that more companies are covered by the Directive.
In accordance with Art. 21 NIS 2 Directive, these entities must take proportionate technical, operational and organizational measures to manage the risks to the security of the network and information systems that they use for their operations or for the provision of their services, and to prevent or minimize the impact of security incidents on the users of their services and on other services. The requirements must be implemented; there is no provision for a reduction in IT security for entities covered by the European directive.
The CER Directive, which must be transposed into national law by October 17, 2024, lays down obligations for critical entities aimed at strengthening their resilience and their ability to provide services. Art. 13 of the CER Directive obliges the critical entities defined in Art. 6 para. 1, which according to Annex No. 5 of the CER Directive may include healthcare providers in particular, to take appropriate and proportionate technical, security and organizational measures to ensure their cyber resilience. These requirements cannot be restricted by the consent of data subjects either.
German law
Section 8a (1) BSIG obliges operators of critical infrastructures to “take appropriate organizational and technical precautions to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are essential for the functionality of the critical infrastructures they operate.” In the healthcare sector, Section 6 in conjunction with Annex V BSI-KritisV specifies which healthcare facilities are to be regarded as critical infrastructures. If a facility falls under this category, the measures must be implemented. The consent of affected persons cannot legalize a failure to implement these requirements, even in individual cases.
Legal requirements to be observed with regard to consent
The requirements for consent under data protection law cannot be presented in full here. Reference is made here to the relevant literature.
According to Art. 4(11) GDPR, consent is a “declaration or other unambiguous affirmative act” by which the data subject indicates that “they consent to the processing of personal data concerning them”. Consent, on the other hand, says nothing about the “how” of the processing. However, the data subject must have been informed about the “how” of the processing, otherwise consent is not informed, as required by Art. 4 no. 11 GDPR. Consent therefore always legitimizes the processing and only indirectly the “how”; accordingly, consent must always apply to the actual processing, not just the way in which data is processed.
Furthermore, consent can only relate to the relationship between the controller and the data subject, but can never extend to the relationship with third parties. Art. 25 and 32 GDPR contain requirements that the controller must meet in order to operate its IT systems in compliance with the law.
The controller can only be released from these requirements by a data subject on the basis of consent in individual cases – assuming that this is possible at all – if this lowering of the level of protection is not associated with any impairment of third parties. The protection of third parties must remain fully guaranteed. A corresponding risk analysis must therefore always be carried out in advance, and its result must be examined in detail with regard to the impact on the protection of third-party data.
Furthermore, the relationship of dependency between the controller and the data subject must be taken into account. According to Recital 43 GDPR, in special cases “where there is a clear imbalance between the data subject and the controller” “and it is unlikely, in view of all the circumstances in the specific case, that consent was given voluntarily”, such consent should not be considered a valid legal basis. Therefore, the existing dependency of a data subject as well as the circumstances (e.g. depth of intervention, type of data processed or scope of data processing) under which consent was given must always be taken into account when assessing whether consent was given voluntarily.
Other aspects to be considered may lie in a specific pressure situation to which a data subject is exposed. For example, the time at which consent is obtained shortly before or after the conclusion of a contract, e.g. in the case of employment contracts, may be an indication that may call into question the voluntary nature of the consent.
Judgments on the topic
German courts
In 2021, the Higher Regional Court of Düsseldorf (OLG Düsseldorf) ruled that consent is a justification based on the private autonomous decision of the data subject and that it would be contrary to private autonomy if consent could not lead to a waiver of anonymization, pseudonymization and encryption techniques. The OLG Düsseldorf therefore sees a possibility that the consent of a data subject can legitimize the reduction of measures actually required to ensure an appropriate level of protection.
In 2023, the Social Court of Hamburg (SG Hamburg) ruled that “in particular when dealing with sensitive social data, specific requirements must be placed on secure communication, such as encryption” and that data subjects cannot effectively consent to unencrypted communication. The ruling also stated that Art. 32 GDPR “does not require data security at any price”, but that “a balance must be struck between the protective purpose and the effort involved”. In this case, the plaintiff was blind. According to the SG Hamburg, a balancing exercise had to take into account “the violation of the plaintiff’s fundamental right to informational self-determination pursuant to Art. 2 para. 1 in conjunction with Art. 1 para. 1 GG and, on the other hand, the violation of his subjective right of defense from the prohibition of discrimination according to Art. 3 para. 3 sentence 2 GG”. In accordance with the Hamburg Equal Opportunities for Disabled Persons Act, the plaintiff had the right to prompt service. Due to the plaintiff’s blindness, it was not possible to call up the website of the defendant job center to download the PDF file, nor was it possible to decrypt it. This was a special case in which consideration had to be given to the discrimination and disadvantaged position of blind people, and the unencrypted transmission of the data by the job center was considered appropriate.
ECJ
A ruling by the ECJ on the question of whether consent can be used to modify the obligations imposed by law on a controller or processor was not yet available at the time of this article. However, the ECJ has already ruled on how the suitability of the technical and organizational measures is to be assessed and has also commented on the obligation to provide evidence of the suitability of the means.
The ECJ ruled that the suitability of technical and organizational measures must be assessed in two steps:
- Firstly, the risks of a personal data breach posed by the processing in question and its possible consequences for the rights and freedoms of natural persons must be identified. This assessment must be specific, taking into account the likelihood and severity of the identified risks.
- Secondly, it must be examined whether the measures taken by the controller are appropriate to these risks, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing.
When checking the suitability of these measures, a substantive examination must be carried out on the basis of all the criteria mentioned as well as the circumstances of the individual case and the evidence available.
The controller bears the burden of proof that the security measures it has taken were appropriate within the meaning of Art. 32 GDPR. The accountability of the controller requires that, in the context of an action for damages based on Art. 82 GDPR, it is the controller who must prove the appropriateness of these measures.
In the event of damage, it is therefore up to the controller to prove that the measures taken were appropriate within the meaning of the GDPR. In accordance with the ECJ ruling, consent does not play a role in the assessment of suitability, but the consequences for the rights and freedoms of natural persons do.
In the medical context in particular, there are processes that are time-critical. One example:
If a woman with suspected cervical cancer is operated on and genetic material is sent for histology intraoperatively, the patient is kept under anaesthesia until the histology results are available. Time-critical factors therefore play a role in this case: every anaesthetic involves a risk, so it must be as short as possible, also to avoid side effects. Sending a sealed envelope with a three-day waiting period is not an alternative to a telephone call, which always involves the risk of the contents of the conversation being intercepted.
With IP telephony, the communication can be recorded via the network, meaning that third parties could access the content. With mobile phones, an IMSI catcher can be used so that mobile phones connect to this instead of to a regular radio cell. The operator of the IMSI catcher can then listen in on calls.
Despite the potential risk of health information being intercepted during a telephone call, in view of the likely negative health consequences for the person undergoing surgery and the extremely low probability of this occurring, a telephone call will be the method of choice so that information can be exchanged between the histologist and surgeon as quickly and securely as possible and necessary in the circumstances.
The view of data protection supervisory authorities
German supervisory authorities
The following German supervisory authorities are of the opinion that, under certain conditions, appropriate technical and organizational measures can be dispensed with on the basis of a declaration of consent in individual cases to be documented:
- The Hamburg Data Protection Commissioner is of the opinion that Art. 32 GDPR can be waived by consent under certain conditions in specific individual cases and is therefore at the discretion of the data subject.
- The Bavarian State Office for Data Protection Supervision shared this view, albeit still under the old version of Section 9 BDSG. Under the GDPR, the authority took an approach similar to that of the Hamburg authority, at least with regard to email encryption, according to which a lower level of protection is possible under certain conditions.
- The Saxon Data Protection and Transparency Commissioner also sees the possibility that data subjects can consent to a lower level of protection, at least with regard to email communication.
- In 2022, the Conference of Diocesan Data Protection Officers of the Catholic Church in Germany assessed in its resolution that the obligation of a controller to take appropriate technical and organizational measures to ensure an adequate level of protection, as set out in Section 26 KDG, is of a fundamental nature, but that in individual cases a data subject can give informed consent to the non-application of individual technical and organizational protection measures in accordance with Section 6 (1) (b) or Section 11 (2) (a) KDG.
Other German supervisory authorities are of the opinion that the legal requirements for IT security cannot be waived by way of consent.
- In 2019, the Federal Commissioner for Data Protection and Freedom of Information stated in his opinion on the tax incentives for electromobility that consent within the meaning of Art. 4 No. 11 GDPR is not a suitable instrument for deviating from the principle of security of processing to be observed; such consent would have no effect with regard to the level of protection to be chosen.
- In its 2020 activity report, the State Commissioner for Data Protection and the Right of Access to Files of the State of Brandenburg took the view that consent under data protection law relates exclusively to the question of whether one’s own personal data may be processed for a specific purpose and that consent therefore “cannot override regulations on the manner in which it is processed”.
- The Independent State Center for Data Protection Schleswig-Holstein denies that the measures to be taken by the controller can be waived by the consent of data subjects.
In November 2021, the DSK (Datenschutzkonferenz, the conference of the independent German data protection supervisory authorities) published a resolution according to which the technical and organizational measures to be provided by data controllers are based on objective legal obligations and are therefore not at the discretion of the parties involved. It is therefore not possible to waive the technical and organizational measures to be provided by the controller or to lower the legally prescribed standard on the basis of consent.
However, it may be possible, in individual cases to be documented, that controllers do not apply certain technical and organizational measures to be provided to the informed data subject to a reasonable extent at the express, own-initiative request of the data subject.
Austrian supervisory authority
The Austrian data protection authority ruled in 2018 that data security measures pursuant to Art. 32 GDPR are to be assessed solely by the controller, and that obtaining consent cannot allow any deviation from the required measures.
Discussion
The legislator has the right – and makes use of it – to override the will of data subjects through legislation, meaning that processing cannot be legitimized even with consent. An example of this can be found in social legislation.
In the area of IT security, the legislator has stipulated regulations that cannot be changed by consent. In addition to the regulations of the European GDPR, the legislation for critical infrastructures (BSIG in conjunction with BSI-KritisV) should be mentioned, for example. These national regulations impose obligations on the norm addressees that cannot be changed by consent.
Art. 24, 25 and 32 GDPR impose obligations on data controllers, whereby both Art. 25 and Art. 32 GDPR contain an exhaustive list of conditions that must be taken into account when determining the level of protection and the technical and organizational measures to be taken – consent is not one of them in either case.
To assess the appropriateness of the measures, the controller must evaluate the “likelihood and severity of the risk to the rights and freedoms of natural persons”. According to Title II (“Freedoms”) of the Charter of Fundamental Rights of the European Union, the rights and freedoms of data subjects include not only the protection of personal data (Art. 8 of the Charter) but also the right to security (Art. 6 of the Charter). According to ECJ case law, the right to security must be interpreted broadly. This right includes not only protection against crime and acts of violence, but also the safety of one’s own life and health. Accordingly, when assessing the adequacy of the level of protection to be guaranteed under Art. 32 GDPR, a controller must always take into account the impact of the technical and organizational measures on the life and health of a data subject.
Apart from the GDPR, European and German legal standards do not generally provide for a reduction, but the ideas on compliance with the EU Charter of Fundamental Rights naturally apply equally. These legal acts also require “appropriate and proportionate” measures.
A certain scope for assessing appropriate measures remains with the legal practitioner.
Conclusion
The consent of data subjects cannot change the legal requirements for the IT security to be guaranteed. However, the will of the data subjects can be an important factor in determining the appropriateness in a specific case.
Consent reflects the will of the data subject, but whether or not the will can be followed in view of the individual situation for reasons of risk assessment for the rights and freedoms of the data subject is a decision that must be made by a controller.
Art. 24, 25 and 32 of the GDPR at least offer plenty of scope for ‘exceptions’ and case-by-case considerations with regard to the individual level of protection. This is because, according to the wording of the standard, the controller – and, if necessary, also together with one or more processors in accordance with Art. 32 GDPR – must take ‘appropriate’ measures to ensure an ‘adequate’ level of protection. In doing so, the controller must also take into account the ‘state of the art’, but must also include the ‘purposes of the processing’ and the ‘severity of the risk to the rights and freedoms of natural persons’, which also includes the right to life and the physical and mental health of the data subject, in the assessment. The GDPR therefore offers the possibility of using the criterion of adequacy to determine the specific level of protection in individual cases and to take into account the interests of the data subjects, even without consent.
In contrast, German law requires critical infrastructures to comply with the ‘state of the art’, which is generally defined by the industry-specific security standards issued by association representatives. The German legislator does not provide for a case-by-case assessment in favour of data subjects.
In accordance with European and German legal requirements, data controllers must ensure the security of processing in line with the state of the art, whereby European law at least offers a margin of discretion with regard to the requirements of suitability or appropriateness.
Whether an individual decision is made in a specific situation for a single data subject and, based on this, the level of security is reduced in this individual case, must be decided and justified by the respective controller. In case of doubt, the controller may also be held liable in court, including towards injured natural or legal persons.
Practical guide to the ECJ judgement of 23 December 2023, Case C-667/21 published
Issue 1/2024 of BvD-News (p. 28 to 35) discussed the implications of the ECJ ruling of 11 November 2023 (Case C-667/21) with regard to the permissions for processing the special categories of personal data referred to in Art. 9 para. 1 GDPR.
There is a lively exchange between the members of the BvD, the GDD’s Health/Social Affairs Working Group and the GMDS Data Protection Working Group, in which various commentaries on legal regulations and practical issues on various topics have already been developed. On the subject of the ECJ ruling, members of the three aforementioned associations have also developed a ‘Practical guide to dealing with the authorisation requirements for the processing of health data and genetic data’ (as of 6 July 2024).
Among other things, the practical guide
- addresses the special categories of data pursuant to Art. 9 para. 1 GDPR,
- considers the justification grounds contained in Art. 6 para. 1 GDPR,
- proposes a mapping of the authorisation criteria contained in Art. 9 para. 2 GDPR to the justification grounds contained in Art. 6 para. 1 GDPR,
- considers the framework conditions for national legal authorisations from various perspectives and
- analyses various German laws with regard to the ECJ ruling, i.e. also proposes corresponding provisions in Art. 9 in conjunction with Art. 6 GDPR for the exemplary German permissions considered.
The practical guide is available in the BvD members’ area. Non-BvD members can download it from the website https://gesundheitsdatenschutz.org/html/erlaubnistatbestandgesundheitsdaten.php