No-Privacy is not an option
Formal Metadata
Number of Parts | 52
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/47727 (DOI)
Transcript: English (auto-generated)
00:01
Hello. Hi. Actually, it's quite a turnout, quite impressive. I mean, I'm a lawyer talking about legal issues right after lunch, and there are so many people here. Thank you very much for that. I have about 20 minutes. I will just give you a real short
00:20
introduction to what is a privacy. We'll talk a little bit about a privacy. We'll talk about data protection. We're going to talk about what is a topic for you with app development: what are the points you have to obey? And, like in the introduction I said, not to obey privacy by design and not to obey privacy by default will not be an option for app development in the future. We will get back to that in about 15 minutes.
00:45
First, I think a lot of you haven't heard about CMS, so I'm gonna introduce us for a short moment. We are an international law firm. We are about 5,000 lawyers all around the world, with a staff of about 7,000.
01:01
When we look, we cover actually most of the world. Our offspring was back in the 90s and 80s in the UK and Germany, then expanded all over Europe, and now covering especially the Middle East, Asia, Africa and South America.
01:21
North America is still a topic. We are not there yet, but we will get there. So that's so much for me. I'm working in the Leipzig and Berlin office of CMS Hasche Sigle within the IP and IT. My main focus is data protection, privacy and trademark,
01:42
and two out of three I will be talking about now: data protection and privacy. Where's the need for privacy and data protection coming from? About seven years back, eight years back, when I started working as a lawyer and you said you were working in data protection, everyone was looking at you like, okay, what are you doing?
02:03
Nobody cared about data protection. Since then two things have changed radically. The first is the technology. Eight years back, ten years back, there weren't smartphones. Apple, I know I'm at an Android conference, but the Apple App Store opened 2007, that's just ten years back. So
02:21
with the increase of technology and the speed of technology increasing and all the connection, all those wearables, also smart devices, all that stuff happening around within the last ten years put a whole push into privacy issues, because at this moment we are in technology at a point where you can access everything that you have on your smartphone from everywhere.
02:43
Problem is, everyone else can too, and this gave at what's known was the second issue that puts privacy forward with him: he revealed what was possible, how technology could be used and what the issues were, not only from the authorities but also from companies. Those two issues pushed
03:04
put privacy and data protection back on the map. And if we look at numbers today, about 90% of people (those numbers are from 2017) are actually worrying about privacy when using online technologies. So it will be an actual
03:21
economic factor for you as app developers to think about privacy issues, because a lot of people are worrying about those points when thinking about which technology will I use, which technology will I buy, how much data will I give. And 50% are actually very concerned about that one. So keep that in mind: we are not talking about just legal issues here.
03:46
Those are relevant economic factors. Now you're worrying: I'm not doing any app with privacy, so do I have an issue? Is privacy an issue for me, or don't I have to care about anything or about that one? There's one simple question you have to answer yourself:
04:06
Does my app collect, share personal data? Thinking about it: I don't know, what is personal data? For us lawyers, personal data can be really a lot of things. It can be, which is obvious,
04:22
the first and the last name. It can be an email address. It can be a telephone number. And now come the fun things: it can be location data, it can be analytics data, it can be an IP address, it can be a mobile subscriber identity, it can be a mobile subscriber number, it can be a biometrical number, even just the name of a phone, you know,
04:43
when you use your smartphone or something like that and you name it, this data can be personal data. So, because of the definition of personal data in a legal sense, it has to identify a person, or a person has to be identifiable through the data in combination with other data. So even if you just have a
05:05
device number, but you can combine it with a telephone number and combine this telephone number with a name, you have personal data. So I think it is clear to say that every app developed, used and
05:20
stored will have a privacy issue because of that definition, that a person just needs to be identified or identifiable. And if for any reason the app you are creating, the app you are using can (sorry) identify a person, or the person is identifiable, and is using the data, you have a privacy issue.
05:47
And you then have to think about those privacy laws around the world. Around the world, it's something... I will just be talking about EU and German private law. I'll not be talking about any other private law because I can't do that. I'm a German lawyer.
06:04
I have an understanding of German law and have an understanding of European law. I don't have an understanding of US law or Korean law or anything else. We have other people for that. So just European law and German law. What is the legal framework within Europe? You have to be
06:21
differed to relevant subjects. First of all, we have the general data protection laws. In Europe, it is a general data protection directive. Within Germany, it's what is called the Bundesdatenschutzgesetz. These are the basic data protection laws you have to check if you are working in the sector, and
06:45
now come two points. If you remember those two, I'm glad, because that's all I want to tell you about. Those data protection laws comprise any processing of personal data. Everything you do with personal data is comprised by these laws.
07:03
It doesn't matter how little you use data, if you just share it or if you just reuse it: everything you do is comprised. And then, as a second point, everything is prohibited unless allowed by law or you have a consent of the user.
07:23
The main point for the allowed by law is the so-called contractual needs. What is the contractual need? If you sell your app to me, I'm your user, you sell me your app, you need my personal data to bill me. Sure, otherwise you couldn't get the money.
07:41
But if it's a one-time payment, you just need that data one time; after that, you need to delete it. If it's a subscription model, you need my personal data every month. So the use of this personal data is allowed because of a concrete
08:00
contractual need, because otherwise I wouldn't be able to use your app. But to analyze my data, to combine my data with other data, to see when I'm using your app (am I using your app more in the morning or am I using it more in the evening, am I using it when I'm staying at home or if I'm on the road), all that analyzing of data is not a contractual need and therefore not allowed by law.
08:24
You will need, in a legal sense, a consent by the user to do so. And the last point is: those rights of users that you need a consent for cannot be waived in a contract.
08:40
That's something different from US law. There is no waiver concerning personal rights within the European Union. On the other hand, those are the general rules, but we also have a little special rule that's called the e-privacy directive. That's actually the mobile and
09:02
internet-based data protection rules, which comprise the use of personal data especially within mobile devices and within mobile data traffic, and comprise things like tracking, especially through the use of cookies. Why is that cookie so important? That e-privacy directive
09:23
was first issued in 2002. So the technology they're thinking about is an internet from 15 years ago, and cookies were then the big thing. And this will change in the future. I'll come to that in a minute. That e-privacy directive will get an update, which will actually be kind of a game changer for the mobile industry.
09:46
At the moment we have those cookie issues, you know, you have to click on a website and this "Yes, we accept cookies". That's a lot. That is a legal issue you have to do now. So that's the legal framework actually at the moment. What will change within the next year? Because we are going through some radical legal changes within the next year.
10:06
First of all, we're gonna have a new General Data Protection Regulation. The European Union will have one data protection law for all member states. So there won't be a difference if you're based in
10:21
England, if you're based in Spain, if you're based in France or if you're based in Germany: all European member states will have the same data protection rules. For German data protection rules, not so much will change. It will still be the same: everything is prohibited unless allowed by law or you have a consent of the user.
10:43
Here are three, four points that will nonetheless be interesting for app developers. First of all, we have an increased territorial scope, meaning, in our days (this will be enforced from May next year),
11:03
if you are now based in Russia, if you're based in the US and if you're based in Africa and you're offering your services here, there may be a possibility that you can evade European data protection laws. That will not be possible within the future, because
11:20
in the future it will be: if you offer your services in the European Union, you are bound by the law of the General Data Protection Regulation; otherwise, you will not be able to offer your services here. So this will be a change for every company based outside the European Union, because you now will have to obey European Union law. The second is: every user of yours will have the right to be forgotten.
11:45
That doesn't just mean you have to delete all the data of the user. You actually have to construct a state where it is like the user never registered with you. You're not allowed to keep any information on a user if I delete my contract with you and say, please forget me,
12:02
I was never here. Third one is, and that's just a legal issue, actually no one has any idea how to do that on a technical level, maybe someone here has: there will be a right to data portability, meaning if I as a user change a platform,
12:23
it must be possible that I take my personal data with me from one platform to another. So in the end, actually, it would mean if I change from Amazon to another online shop, I maybe have to take my data from Amazon with me. No idea how this should work.
12:44
We don't have a standard. No one has any ideas, but it will be the law up next year. And the last thing is, we're gonna have massively increased fines. At the moment, if you are found guilty of a data protection violation, the maximum fine will be around
13:02
300,000 euros for one violation. This would be the maximum fine at the moment. Starting May next year, the maximum fine will be 20 million dollar, 20 million euros per violation.
13:22
So this can be really, really nasty for companies, and even for small companies. And this is what I meant when I was talking about, okay, here will be a game changer for mobile industry next year. We also will have a new e-privacy regulation.
13:42
That will change the law from 2002. It's not final yet. It's still in discussion, but a few points are clear that will become enforced. First of all, privacy by design and privacy by default will not be mandatory anymore. If you release an app, if you release a device, it first of all must be designed
14:03
to minimize data use: privacy by design. And if you allow different settings for a user, the default setting must be the most data-sensitive setting possible: privacy by default. Those will not be
14:23
nice-to-have things; those will be a standard then. It will change the laws on tracking, and it will change the laws on the use of metadata and browser tracking. At the moment, a website is responsible if a user uses the do-not-track option within a browser.
14:46
The website is responsible to respect that do-not-track option. That's why they don't work. In the future, it will be the responsibility of the industry or the company
15:02
allowing the access to the internet. The problem is, every app allows an access to the internet. So therefore it is your responsibility as app developers that when people say, I will not be tracked, you have to include technical options that they will not be tracked.
15:21
So the responsibilities shift from the website to the access provider. Last point: data walls. At the moment, a few platforms are saying, okay, you will only be allowed to use our service if you allow us to track us and if you give us your personal data
15:42
so that we can analyze it. That will also not be possible in the future, probably, because they will say those services will have to offer a user another way to use the service without giving the data. Data walls will not be possible.
16:02
This is what changes, and especially the e-privacy regulation with the tracking regulations will be very, very interesting for the mobile industry. What to do to be compliant with data protection laws? First of all, give yourself a
16:25
privacy policy. This is a minimum content. What should it include? Every privacy policy should include, first of all: identify yourself. Then tell the user what categories of data are we using, why are we using them, if we are giving them to third parties, to whom and why, and
16:45
inform the user that he has a right of withdrawal concerning his consent. Then, if you want to use the data for anything else than contractual needs, get a consent. If you want to change the data or do something new with it, get a new consent.
17:05
Include privacy by design and privacy by default, and at least uphold your own laws: if you tell so in your privacy policy that you only will do specific things with the data, don't do other things with it. I mean, I know this is just best practice from a lawyer's point of view.
17:25
I know this is not perfectly feasible. I know everyone else is doing something else. I'm not here for that. I'm just here to tell you this would be a best practice to do so. This is the worst-case privacy policy: we're not sure which data we have,
17:41
we're not sure what we're doing with it, but we'll let you know if you figure that one out. This doesn't comply with any of these. So this is not how to do it. Now, what can happen if you use such a privacy policy?
18:00
Actually, privacy laws can be enforced by your competitors. Another company can sue you for not obeying privacy laws, chambers of commerce can sue you for it, and especially data protection agencies. Those have a real good standing within the European Union, and they actually can come to your company, saying, okay,
18:22
we now want to see what you are doing with personal data. And they're actually taking camp at your office and staying there for two or three days, and they will have a look at everything that you're doing, and they ask questions like: where are your servers?
18:43
How are your doors locked? Why is everything secure? So those can be really, really nasty for a young company to deal with, when you have a control by a data protection agency. So in the end, when you're now controlled by an agency or anything else,
19:02
what's the worst that could happen? The obvious would be cease and desist. That means your app gets deleted from the App Store or from the Google Play Store and the data gets deleted. You get administrative fines. We talked about it: at the moment 300,000 euros, within next year up to 20 million. And
19:26
up to next year, you also can be sued for personal damages. This means, if I use your app, you misuse my personal data, I get a damage from that one (like, I don't know, I don't get a new insurance or something like that), I can sue you for this misuse of data and for the personal damages coming with it.
19:47
That is what could happen if you actually do not obey privacy laws. I know privacy and data protection issues are really hard. It's a little bit like herding cats. They're moving everywhere,
20:00
you have no idea where they will be next, and there are thousands of things you have to care about. And this one, actually, you're thinking: at least I'm not in charge of a data protection project. So this will be the final remarks. I know, kind of bold ending with the Tim Cook quote here, but
20:21
mobile telephones are at the moment maybe the most sensitive object anyone can have. Our complete personal life is on these things. 20 years back, you would have maybe taken a photo and sent it to a friend; now you're using Instagram or any other app for that.
20:43
At the moment, in the morning I was at the IFA fair, and there are fitness trackers all over it. Personal lives are completely digitalized at the moment. Take this responsibility seriously and take control of what you use with personal data. You can use a lot of personal data,
21:05
you can do a lot within the legal framework, but respect this legal framework. And this is what I wanted to end with. Thank you for your attention. I think I'm in time. We're gonna have time for a few questions. There's my contact details, or write me on Twitter or anything else.
21:24
I'll be around for half an hour or an hour, something like that. Thank you very much. Yeah, actually I have a lot of questions, but I'm gonna ask only two, and I'm a bit concerned about the definition of this personal data.
21:46
Let's see that we are doing the project regarding the IMEI and IMSI data. For example, if the phones are registered for the company only, so there is not any actual person
22:02
registered, so to say, is this IMEI number still considered personal data? Do you completely minimize it or...? This is just an abstract case. For example, it is not always possible to retrieve the actual person who's actually using the phone.
22:26
Could be a gray area. I have to take a shot from the hip here because I don't know the whole case, but it could be a gray area, that there are arguments considering the sort of anonymization of the data.
22:42
But do you have the possibility that when you combine it with other data you can know? Yes. This is just a situation that didn't really happen. Because I'm pretty confident about the email and last name, the first name, they are clearly personal data.
23:02
Yeah, but the IMEI number is actually a phone item, a phone property, so to say. Yeah, but you can reference the data of the phone identity back to a phone number or an email address. Indeed, indeed, indeed. And actually the European court just decided that an IP address is personal data,
23:25
because I have the right to go to court if someone violates copyright from that IP address. I can get the information from the telephone provider who was using that IP address at that moment. So this is possible, so it might be, aha.
23:43
Okay, so second short question is: how precisely is this protection defined in the EU directive, and how does it need to be further implemented in the EU countries? Because I'm from Poland,
24:01
I'm just wondering what is needed from my state for this protection to be fully enforced. You would have to check with what you have to do under Polish law at the moment. For German law, it doesn't change much within the next year. So check with
24:21
what you have to do with Polish law and then compare it to what you have to do now under the General Data Protection Regulation. Okay. So what is the name of this new directive? Which is the General Data Protection Regulation. Okay, GDPR, okay. Thanks a lot.
24:40
In the EU and particularly in Germany, we're pretty lucky that we have a strong data protection law. Yeah. And you said that with user consent you can do more than it's regulated. And what I see is that you often have a construct that if you don't accept that contract, you cannot use the service. For example, if you get a new shiny Mercedes, you cannot do much without opting into that.
25:03
That's those data walls I was talking about. Within the e-privacy regulation, which is still in discussion within the European Parliament at the moment, it is prohibited to use data walls in the future. So all those approaches to get data actually might
25:25
not be worthwhile within the next year, but this is music for the future right now. And how about degraded service? Like, I mean, do I have to get exactly the same? No, no, no, at the moment you don't have to get exactly the same service. You just have an option to use the service in general. So
25:42
what you can do is, okay, I'll give you a free candy or whatever if you give me a little more of your data. So there can be an exchange of personal data against use of service, but let's see. It's still in discussion. It will be a point to watch within the next year.
26:01
Thank you. My question goes more or less in the same direction. But in the case of a paid service, when you have to or you want to make some analytics to improve the service, do you still have to provide an option to use this without collecting analytics?
26:25
Yep. Okay, but then you can say, okay, in this case we degrade the service to some extent. That will, from all we know at the moment, be the way that e-privacy regulation will be going. Okay. Keep an eye out. Just keep informed. It will be
26:41
legislated middle next year. Sorry, we don't have any more time, I think, but we can talk. Thank you very much. And in some minutes another talk will start.