Welcome to our next talk, with the title "Data Protection and Privacy for Citizens of the Uncharted Territories", which is how Angela Merkel referred to the internet. Please welcome our presenter, Beertar Kahrhubrik.

Thank you. I'm very happy to be able to be here and to talk about one of my favorite subjects, which is data protection and privacy. I've been working in this area for a while now, and I'm here to tell you about the basics: what is data protection and privacy, and what is it not? Data protection is a fairly new area of law; I can't really think of any younger ones, and we saw one of the results this year, in May, when the General Data Protection Regulation came into effect. I'm certain that all of you experienced this. Data protection is not simple. That's why I am so happy to talk about it. I'm going to make all the effort I can to ensure that when you leave this room, or when you watch this later at home, you are a bit more sure and certain about this subject. It's actually a complicated subject, because the beginnings weren't very smooth. The lawmakers never came together and told themselves, "We need to regulate this." Instead, all the individual opinions were heard at a time when nobody was specialized in this, and it was regulated afterwards. In Germany it happened at the level of the individual states, first of all in Hessen, and in 1983 the Federal Constitutional Court ruled that there is a basic right to data protection. So citizens have a right to decide for themselves who has their personal data and what they do with it, to control it and to improve it, and to not simply be an object but a subject; they can enter this process. I will get back to this. 25 years later, the Constitutional Court reaffirmed that we have a second basic right: the right to confidentiality and integrity of data systems.
I think this room probably contains about 2000 of these systems, and all of them are protected. They are protected by our basic rights, because the Constitutional Court said so, and the Constitutional Court is the only court that can say things that become law. So let's look at more practical matters. I take my keys and my purse, go out, and want to meet with friends at a party, and before I do so I maybe want to run some errands. I'm in private; I enter the street, and my neighbour's house has video surveillance. That's a privacy and data protection problem, because I must be able to walk along the pavement without being the subject of surveillance. The courts ruled that this is correct, but the owner of the property also has the right to protect his property. So the compromise is that one third of the pavement can be under CCTV, but two thirds must not be under surveillance. Then I go to a cash machine to withdraw some money; that's being recorded. Then I'm buying a ticket and I get on the train; I'm on CCTV. The cameras see me getting on the train, sitting there, reading what I'm reading, getting off the train. I enter a café; unfortunately, even cafés these days are under CCTV. That was different 50 years ago, when you were able to sit there on your own. Surveillance is everywhere in the public sphere, and I have to understand that this is the way it is. Then in the evening I go to a party. I'm still talking about what data protection is and what it is not. I meet some new people. Data protection is not that I'm not allowed to give them my email address or my phone number; data protection means that I can't talk about the private data of other people just to entertain them. We have to anonymise this. I can tell you the craziest stories of my life, and most of them do happen at work. At least when I interact with other people I can do all those things; I can tell you those stories, but I'm not allowed to name names. I have to anonymise these.
Many of you, I'm sure, think that data protection is older than these few decades, because there have always been areas where confidentiality was important. For example, when I visit the doctor's office: people have always visited their doctors, and there's an area between the doctor and the patient that is protected by professional rules and legislation. The same is true for lawyers and their clients. It's not data protection that is doing this; it's required for these professionals to follow their profession. Doctors and lawyers can't work if their patients and clients can't speak in confidence. Data protection means that whenever a third person has personal data, they're not allowed to use it to pursue their own economic interests. That's where data protection starts. Priests as well have this confidentiality. But once a priest uses technical means, for example to list who was born, who married, who died, and when they did so, these are protected data, if they use technical systems for them. Because it's so important to reach a consensus about what we're talking about, there are certain terms that need explaining, and that are explained by the law. I've picked four important terms that are very important to understand: personal data, the subject, the responsible person, and processing. Let's start with personal data. Data protection has a very well-defined area of responsibility. It's simply about personal data. It's not about impersonal data, for example the location of a house. But the person living in the house, or the person paying the mortgage on the house, that would be personal data; the location would not. The law says that data which give information about the relationships of identifiable and identified natural persons are personal data, but not data about companies. If, of course, we're looking at individual people within companies, these are personal data.
For example, if I get the business card of the CEO, that is personal data, but data about the company itself would not be personal data. This is a bit nerdy, but I would like to give you a feel for what personal data means and why nearly all of us should think about personal data. I will give you some examples. Names, for example. Date of birth, age, address, email address, phone number, pictures, profession, nationality, religious and political views, preferences, sexuality, travel plans, criminal records: these are all personal data. Income, capital, debts, property, for example a house or a flat or a bicycle. The GDPR has extended this and made it more specific. It also includes all the identification numbers we have, for example the social security number, the ID card number, passport numbers, and all the data sets that are encoded by these. IP addresses: there was a very long battle over whether dynamic IP addresses are personal data, but the European Court of Justice said yes, and that's that. The EU data, which we create every day, are also very important. Ownership: so if I rent a flat, in the German understanding of the term I own the flat, or I'm in possession of the flat. Profiling, client data, personal staff data, health data. The European Union also says that physical data, for example facial features or the length of your hair, are also personal data. And the subjects are all the people whose data is collected and used, so the people that are affected by this. The next question is what counts as processing information, working with information: so locating information, saving information. There's a joke from lawyers: they are collecting ID cards, just collecting cards and information about people, but they are not sorting them, so they are not working with them, just putting them in a drawer, and so they are not subject to this law. But of course this doesn't work, because they cannot work with the data in this case.
So whenever you look for someone, you are sorting the cards, and so you're working with them, so this law applies. It also applies if you are sending the information somewhere, or even if you're deleting it. I just repeated the text of the law, and the main point is: no matter what you do with the data, you are processing it. So you can't wriggle out by saying "I just looked at it a little"; whenever you look at it, you are already processing it, and then this law applies. So, for example, a staff member is obliged to do whatever the boss says, and so the boss is responsible for this; but if the staff member just does whatever they want in their shift, then they are responsible in this case. So whoever gives the order is the responsible one, and in the moment where you hold your own counsel and don't follow a direct order, it's your responsibility to follow the law. This also applies to the punishments if you do something wrong. So now I have explained to you the whole area we are talking about, and now we are talking about the structure of the GDPR. It's called preventative: preventative means that before something happens, it's already forbidden, but there is the option to allow it afterwards. Some laws might be structured differently, so that it's primarily allowed but might be forbidden, but in this case it's preemptively forbidden and might be allowed. This is a bit unusual in the German legal system; usually we work with blacklists, so we have a clear list of things that are forbidden, and if something is not forbidden explicitly, then you are allowed to do it. In data protection and privacy it's different, and also in building codes, because this is so potentially dangerous that the lawmaker, the European lawmaker in this case, turned it around, as it already was in Germany before. So for the Germans nothing changed. So in this case, since everything is explicitly forbidden unless allowed, you need permission from the data owner or the subject.
There are four forms of permission. The biggest one is a physical contract and a written contract. Within a contract you can collect and work with all the data that you need for this contract: the preparation of the contract, the finalizing, and the aftermath of the contract. That's the biggest point where you can have permission to work with data. After that there's the agreement, which is not the same as a contract; this is a different case. If you have a contract and there's data that you do not need for the fulfillment of the contract, you are not allowed to use the data, and only outside of the contract can you work with the agreement. So the lawmaker says that all the subjects have to know what is happening with the data and who is responsible, and only then can they agree to that. As a third permission form there's a law-abiding pledge, or things you have to do to abide by the law. For example, you have to submit data to the financial offices. And there are very difficult questions to be asked, for example, if there are two conflicting rights, which one is weightier. So if someone whose data you have committed a crime, you have to weigh the rights: the right of the subject to privacy and the public interest in the punishment of crimes. And it's really important what the setting is: are you just in a public room, or are you in a hospital? You really have to check how important the rights are, and even professionals, the lawyers who have worked in this field for a long time, still struggle with this sometimes. You always have to check why one right weighs heavier or is more important than another one, and you always have to look for a way that does not hurt the basic rights as much as otherwise.
One prominent example of this is the law about the copyright of public art, and the question here is: when am I allowed to take a photograph of someone? Because there's the right to your own image, and the basic important thing here is the agreement. So someone has to agree to have their photo taken, and every photographer who takes pictures of people has to be aware of this. So there is usually no case where you just lose the right to your own picture, especially if someone is in a private area where you're just amongst friends, drinking alcohol and so on. It's really important that you have this right to your own picture, and if you're in a public area, you have less of an expectation. So you must have less of an expectation that you are not photographed. So there's this distinction between the private area and the public area, and this agreement can have different forms, and you must at least check visually if they are in agreement with this. You can't just walk around taking photographs of people, because every person has a right to their own image. You can't just take a photograph of someone, and if someone is turning away or putting their hand in front of their face, it's kind of obvious that they don't want to be photographed, and you have to respect that. And it's important to know that here you don't always have to react immediately. It's also possible that after your photo has been taken you react and tell them, "No, I did not like that," and the photo has to be deleted. And very important: there is the job or the profession of a model, and if you take a picture of someone to advertise, you have to accept that the other person expects payment of some form, and you have to discuss this and agree on a payment. Talking about this area, where there's a current case, I want to talk about the law against bad faith between competitors.
So if a business does something that is not proper in a common sense, then another company or business can address this in court. In spring 2018 I spent my time listening to ideas and theories that with the GDPR there would be a lot of cases for the courts, because it's such a new thing. There are three reasons against this. Number one: the goal of the GDPR is not business-to-business interactions, and companies are not really mentioned in it; the lawmaker also said that it's about natural persons, so real human people. And because it is a European idea, there are also other laws that have to cooperate with this, but the main idea is to protect natural people. There's also quite a list that handles punishments and how to handle it if something is breached, and business-to-business is not really handled in there. And if a person, so a natural person, just some human, breaks the law, it's not really a thing that they are punished by or brought to court by another company, or by any company; this is a privilege of the state in this case. So this theory, that the courts will be busy with inter-business topics because of this, does not hold.
Informational policies are also very important. This is not just data management; it's also where companies have to tell you what they do, and this is necessary because there is no other way for you to know what a certain company does with your data. So what does the company have to tell you? They have to tell you what kind of data the company uses. Normally, if someone attacks you or takes away your property, or if something happens to you in the real world, you will notice; it's usually nothing that happens without you noticing. But if someone breaches your data confidentiality or your privacy, there's normally no way for you to know. So the company has to tell you what they collect, what kind of data, and then why. There's this idea that all data that is collected has to be collected for a reason, and you have to be told the reason. So every point of information is fixed, is linked to a reason, so you cannot collect any data just for future use; you already have to know what it's for, and especially not for private use. There has to be a reason, and it has to be sensible. So when you know what kind of data is collected and processed, and by whom, and you do not like that, then you have rights, and you also have to be informed about your rights. So you have to be informed what is happening, what is happening to you, and what you can do against that. So again, these points of information are: who are you, where are you, what are your problems; and then you have to be told what kind of data there is about you and what you can do about it, what your rights are, what actions you can take, and how you can correct this. Basic rights are defensive rights; usually a defensive right means a citizen is defending themselves against the public, or when the state attacks them, but of course you also have the possibility, and must have the possibility, to defend yourself against other, private attacks. And these rights, you have to use them, because if you do not use them, they just disappear. There are other people who fought for these rights, especially those thousands that fought for them in 1983 before the basic rights court in Germany; there was a census, and they fought against it in court. And of course people before that. Especially in this case they fought against the state collecting all the data: where you live, who you are, who you are living with. So many people before us fought for these rights, and we have to use them; at least I do it, and we really should follow these people, and we should use the rights that they fought for, because it would be a shame if they went to waste. And of course it's difficult, and we have many areas where we have to figure out what's happening at all. So 80 percent of your time you have to invest in first figuring out what's happening before you can do anything; sometimes stuff is just told and isn't happening at all. You have to check what you can do, and what tools the law gives you to react to this: what's allowed, what's not allowed, how you can actually react to that, and how I can figure out a way to stay a subject and not an object in this data usage. So I'm happy to answer any questions now. Thank you.

We have seven minutes for questions and answers. You know how it works: we have five microphones, simply queue up, and if you're watching this online, that's not a problem either, because we can read you the internet. Let's start with microphone two, please.

Thanks for your talk. How can I help others to take advantage of their informational rights, especially towards companies, when they may not even be aware that these companies are saving their data, are storing their data?

That's an interesting question: how can I help? The first thing you can do is always to give people information. Is it about people you know or people you don't know well? My grandma, for example: you have to talk to her, you have to find out which companies she interacts with.
Of course there are many, many companies attempting fraud here, or many people attempting fraud. I would try to explain to her where the dangers lie, then go through her documents and check which companies she interacts with, and after that I would write to these companies, and help her write to these companies and insist on her rights. So first you have to inform her, because I'm sure she doesn't know about her rights; she didn't grow up with these. And try to find out who you're dealing with, for example certainly insurance companies, and then ask them for the data and check if it all looks right, and insist on correction or deletion whenever applicable.

Young man at microphone one, please.

You were talking about the café around the corner. Where I come from, many restaurants and small shops use several CCTV cameras, and I think they have to inform about this in their entrance area. When I ask them about this, they say that they either are unaware of this or that the cameras aren't recording, and I'm unhappy about this. So what can I do?

Yeah, both of their points are wrong. The fact that they don't know about the regulation doesn't change the fact that these laws still apply; people have to find out what they're allowed to do and what not. I think video surveillance and CCTV is a very old subject; it's been talked about a lot. These people using CCTV have to inform that they're using CCTV, and even if it's simply monitoring, so if they're not recording, they still have to do it. And there are government offices to whom you can complain; they're now independent, and all citizens can turn to these offices and complain, and citizens have a right to a reaction. Somebody from these offices will get in touch with these people using surveillance, and we know that there are some potentially very heavy fines involved.

So is that still true when the cameras are simply fake, when the cameras are simply dummies?

When there's a working camera, then it's either being recorded or being played back on a monitor. But dummies in the public sphere aren't that important, because they don't have much of an impact; in closed rooms they are, because the people in these rooms won't realize that these are simply dummies. But it's about their rights, so the rules are still the same.

I work in information security, and there are some strong regulations and tools in many companies. Does this apply for data protection? Is there some awareness? Because the GDPR states that you must use technical means to protect data. Are companies aware of this? Because it doesn't really look like it yet.

Yes, there is, in my experience. And this is true, and many people visiting this conference deal with information security: I've never met a company that didn't have some basic security regulations, for example controlling access to servers, or not having data on servers that are accessible from the internet. There are many means of protecting personal data, and the fact that this is known about in companies: well, everybody who does infrastructure, and anyone who is a sysadmin in a company, has heard about this. Of course it's not perfect; data protection is a moving target, it's constantly developing. I've never seen a company where all the basics were missing, but of course things can go under the radar and be disregarded; there might be interface problems, so that data isn't being deleted properly. So it exists, yes, and in the same way that technology develops, protection has to develop as well, and this protection is not simply technical but also organizational. The biggest protection, the biggest problem, is an unmotivated employee. I work a lot with employees as well; I do workshops, I'm always available. And it's something that's developing, so yes, this exists.

I was wondering if data protection applies to intelligence or to messengers as well, for example WhatsApp, and if messengers like Signal may be able to circumvent these. For example, if you send pictures of other people or personal data via WhatsApp, what applies there?

Well, the GDPR rules apply as well, but you're probably wondering why so many people are using WhatsApp, which is not always necessarily encrypted, and of course the people using it leak a lot of things. I'm not a friend of WhatsApp, I'm not a fan of it. For example, if you use WhatsApp as a teacher in school, two things are needed: firstly, you need to look at how secure the software is, but more importantly, those using WhatsApp or other messengers must be informed about what it means. There are things you must never ever do, there are things that are dangerous and may cause damage, and there's a level on which you can use it. But it's always a problem if you use it, for example, at school or at work, and if you don't talk about it, if you don't think about what you're sending there. Christmas parties, for example, are critical or dangerous, because it's not simply about the start of the Christmas party, but maybe also later, when you've had a few drinks and are messing about. And the problem there is not just the messenger, but also that these data are being recorded and sent. So you have to look at the software that you're working with, and you have to talk about what you're allowed to do and what you're not allowed to do.

Is there a legal way of outing neo-Nazis?

Yes, when the person is a figure of public interest. So if they are a figure of public interest, then yes, you can report on them and report their data. So this is by far not everybody, but only those who participate in public debate.