Advisory services at the intersection
Interdisciplinary advice at the intersection
The particular strength of the law firm lies at the intersection of the company’s key activities. Through the Criminal Compliance pillar, arguments under ordinary criminal law and the specific provisions of supervisory offences law can be fully exploited during any investigation proceedings by the supervisory authorities and can also counter the risks of fines under the GDPR. Disputes with the supervisory authorities are not exhausted by considerations of proportionality and negotiations over the scale of the sanction. The synergy effects of the fields of law are felt much further: data protection law is both an area of advisory services and a means of defence.
Criminal law advisors have always had an interface with data protection due to their proximity to the supposed conflict between freedom and security. During the current Covid-19 crisis, another (alleged) dichotomy is being constructed between freedom and health. Discussions about the tracking of infected persons demonstrate that data protection is quick to be presented as a luxury standing in the way of the supposed frictionless collaboration between state and the economy. The right of informational self-determination is being impacted from both sides.
Companies as an extension of the state
Limiting the state’s hunger for information has long been a widely accepted principle. Alongside the defence function of data protection law, we are now equally seeing challenges in the private sector. This is not only due to the economic value of customer and utilisation data or the risks of misuse during the commercial operations of data controllers. Companies are also increasingly acting as an extension of the state in the field of compliance.
The limited resources of the prosecuting authorities are also leading to a “privatisation” trend in the area of criminal law. In the event of (and early in the run-up to) any suspected infringement, it has become the norm to expect companies to conduct internal investigations and to pass on their findings to the prosecuting authorities in the guise of a collaborative partner. Any such decision impacts not only the company’s own interests, but also (and most notably) the personal data of its employees.
Reconciling data protection and compliance
When working with external service providers, all compliance measures must therefore take into account the legal foundation itself, information obligations and data subject rights, as well as the terms of data processing, cross-border transfers and other risks. But data protection does not in any way constitute an impediment to compliance. In a correctly structured investigation, for example, keywords strictly limited to the necessities of the investigation can both protect the interests of data subjects and prevent the scope of the investigation from becoming unrestricted.
However, internal investigations are just one manifestation of a wider field of conflict: social control by the state is now being exercised at the very onset of initial suspicion. As the state is limited by its own capacity, it is now obligating private operators. Examples of this are raw materials supervision, account data access, comprehensive and cross-sector anti-money laundering provisions and various manifestations of telecommunications data retention. Social networks above all are currently being affected by the further extension of the Network Enforcement Act (NetzDG). In many cases, such obligations are inadequately defined. Yet at the same time, any partial compliance or non-compliance may be sanctioned through fines. Data protection law can also highlight limits in this area.