Annual Review 2017 and Outlook 2018
IT-Law and Privacy
These were and will be the legal topics in the areas of data privacy and IT-law.
The year 2017 brought legal changes in the area of data privacy and IT-law. We will show you the highlights of the year and give you an idea of what to expect in 2018.
1. EU General Data Protection Regulation
On 25 May 2018, the EU General Data Protection Regulation (GDPR) directly applies in all EU member states and thus largely modifies current data privacy law. Until then, in addition to the main new requirements of the GDPR, companies have to make sure that requirements, which were already mandatory under current data privacy law, are in place.
Both the Article 29 Working Party of the European data privacy authorities, and the German data privacy authorities have already published guidelines on the implementation of the GDPR. Furthermore, the data privacy commissioners of the federal states of Bavaria, Brandenburg and Lower Saxony published questionnaires on the implementation of the GDPR.
2. New German Data Privacy Act
In April 2017, the so-called "Data Privacy Adaptation and Implementation Act" was passed. It adjusts the current German Data Privacy Act to the requirements of the GDPR. The new German Data Privacy Act (BDSG-new) will enter into force simultaneously with the GDPR on 25 May 2018. The BDSG-new regulates specific topics such as data privacy in the context of employment, scoring and profiling, public video surveillance and the appointment of a data protection officer.
Other EU member states also published drafts or passed national data privacy laws on specific topics.
3. New German Federal State Data Privacy Laws
The data privacy laws of the German federal states will be adjusted to the GDPR as well. These laws apply to authorities and other public bodies of the German federal states. So far, the federal states of Brandenburg, Saxony, Bavaria, Mecklenburg-Western Pomerania, Lower Saxony, Baden-Württemberg, Hesse and Saxony-Anhalt have published drafts for new data privacy laws.
4. Sector-Specific Data Privacy Laws
Data privacy topics are not only regulated in general laws like the BDSG-new and the GDPR. In various situations sector-specific regulations apply, e.g. regarding the sectors energy, banking and insurance, tele-media and telecommunications, pharmaceutical and medical devices. These also will be adjusted to the requirements of the GDPR by the German legislator.
5. E-Privacy Regulation
6. US-EU Privacy Shield
Especially in regards to the use of cloud services, the transatlantic data transfer is of enormous importance to European companies. One basis for data transfer from the EU to the U.S. is the EU-U.S. Privacy Shield adopted in 2016, under which the registered U.S. companies commit to comply with certain data privacy standards. However, the future of the EU-U.S. Privacy Shield is still uncertain: Unlike the EU Commission, which drew a positive conclusion in its report from October 2017, the Article 29 Working Party of the European data privacy authorities has seen an extensive need for improvement in its report from November 2017.
The year 2017 came along with some headwind for Facebook from a data privacy point of view. In April 2017, the Hamburg Administrative Court ruled that Facebook is currently not allowed to process the data of German WhatsApp users without their consent. In addition, the French supervisory authorities consider the transmission of user data to Facebook illegal according to a recent notice. In its judgement from September 2017 the Berlin Superior Court ruled that online games on Facebook shall not be presented in a way that users automatically agree in the processing of their data by third parties when clicking on the "Play Game" button. Even more serious for the company should be considered the assessment of the German Federal Cartel Office published in December 2017. The German Federal Cartel Office expressed the opinion that Facebook abuses its dominant position in the field of social networks, as it makes the use of the social network dependent on the consent to unlimited collection of any kind of user data from third-party sources and its merging with the users’ Facebook account. The year 2018 will show how this development will continue for Facebook.
However, the topics described can also be relevant to other companies: In particular, the effectiveness of consent, the required transparency of data processing and the transfer of personal data within the group are issues that we frequently encounter in our daily consulting practice.
Employee Data privacy:
As already reported in our Newsflash the European Court of Human Rights (ECHR) and the Federal Labor Court (FOPH) decided on central issues of employee data privacy in 2017. Thus, the FOPH has declared the covert use of key loggers inadmissible, but the covert surveillance of employees to detect serious breaches of duty as admissible under certain circumstances. The ECHR stated in its judgment under which conditions the covert surveillance of Internet communication at the workplace is permitted.
1. Regulation on Critical Infrastructures
The “Act on Increasing the Security of Information Technology Systems” (IT-Security Act), which has been in force since July 2015, serves to improve IT security of critical infrastructures (CRITIS) in certain sectors. Among other things, it obliges operators of CRITIS to demonstrate appropriate protective measures, to designate a contact for IT security and to report security incidents. The first regulation on determining the CRITIS for the sectors energy, IT, telecommunications, water and food entered into force in May 2016. Since June 2017, the regulation also covers the sectors finance, insurance, transport and health.
2. Amendment of the German Civil Code
From 1 January 2018, the German Civil Code (BGB) contains new regulations that may be relevant for IT contracts. A new regulation, which may also apply to IT services such as assembly, installation, migration and implementation, concerns installation and removal costs. Further changes concern the reduction right for part payments and the acceptance in the context of contracts to produce a work.
According to a judgement of the Higher Regional Court of Frankfurt am Main of August 2017, agile software development contracts may be classified either as a contract to produce a work or as a service contract depending on how they are designed and actually performed. In agile software projects, the contracting parties agree in intermediate steps on the next steps and services, often payments are made on the services provided in the previous month. The court assessed such a monthly payment as a tacit acceptance of the previously performed services, which means that the client is obliged to pay the agreed remuneration. The case is currently pending before the German Federal Court of Justice. A high-instance decision on this subject is therefore to be expected within the next few years.