Newsflash IT / Privacy
Second draft of new German Data Protection Act
11 November 2016
In May 2018 the EU General Data Protection Regulation (GDPR) will apply. Until then the German legislator has the opportunity to complement and specify the rules of the GDPR by national law.
As the first draft of the new German Data Protection Act, published in September 2016, met with criticism, the German Federal Ministry of the Interior has published a second draft.
Besides rules on data processing operations in the public sector, the draft contains rules for private companies that process personal data in the context of the activities of an establishment in Germany. Inter alia, the draft provides specific rules for employee data processing, for scoring activities, and for data transfers to credit agencies.
Like the first draft, the second draft restricts the rights of the data subject granted by the GDPR. However, it is questionable whether companies will benefit from the economy-friendly approach suggested by the German Federal Ministry of the Interior. Apart from the question of whether the intended restrictions are permissible under EU law, such broad national deviations from the GDPR complicate a consistent and legally secure privacy practice.
Extensive audit by German supervisory data protection authorities
3 November 2016
The German supervisory data protection authorities announced that they are planning to audit 500 companies, starting in November 2016.
The subject of the audit is the transfer of personal data to third countries outside the EU/EEA. The questionnaire investigates:
- the kind of personal data that is transferred
- the purposes of the data transfer
- the nature of the data transfer
- the countries to which the data is transferred and
- the legal basis for the data transfer.
The audit focuses on data transfers caused by the use of external services, such as remote maintenance, support, travel management, CRM systems, recruiting, cloud-based storage and office solutions, communication services and collaboration platforms.
The supervisory data protection authorities of the German states of Bavaria, Berlin, Bremen, Hamburg, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland and Saxony-Anhalt will participate in the audit.
German Bundestag resolves law for automatic driving systems
29 September 2016
Today, the German Bundestag resolved that the recent amendments to the Vienna Convention on Road Traffic will apply in Germany from now on.
What does that mean for assisted, automated and autonomous driving technologies?
A first step has been taken. Based on the resolution, national law can be adapted so that it becomes possible to react faster to technical developments in the area of assisted and automated driving. According to the amendments to the Vienna Convention, vehicle systems that influence the way vehicles are driven, e.g. advanced driver assistance systems or automated driving technologies, are permitted in two constellations. First, they are permitted if they comply with the regularly revised and updated technical vehicle regulations of the United Nations Economic Commission for Europe (UNECE). Second, they are permitted if they can be overridden or switched off by the driver.
However, the use of fully autonomous vehicles in public road traffic is not legal yet. Corresponding amendments to the international conventions on road traffic are being discussed.
27 September 2016
In June 2016 the data protection officer of the city of Hamburg pointed out that the use of Google Analytics is not legally compliant, because the data transfer is still based on Safe Harbor.
Google recently joined the EU U.S. Privacy Shield. Google also provided a new contract on commissioned data processing.
We highly recommend that website owners using Google Analytics sign the updated contract with Google. The use of Google Analytics is not legally compliant if it is based on the previous contract.
If you use Google Analytics on your website, Google processes personal data of your users and makes it available for statistical purposes. In order to use Google Analytics in a legally compliant way, it is necessary to:
1. Enter into a contract on commissioned data processing with Google,
2. Anonymize the user’s IP address with the help of the tool “anonymize IP”,
3. Refer to the use of Google Analytics in your data privacy statement and implement a possibility for the user to object (opt-out).
As the data are processed in the U.S., a legal basis for the data transfer is needed. In the past, the data transfer was based on the Safe Harbor Agreement. After Safe Harbor was invalidated by the European Court of Justice, a new legal basis has been available since summer 2016: the EU U.S. Privacy Shield.
14 September 2016
On 14 September 2016 the so-called “Düsseldorfer Kreis” decided on the continued validity of consents to data processing under the GDPR.
The “Düsseldorfer Kreis” is a board in which the German supervisory authorities for data privacy in the private sector coordinate and determine their approach on several topics.
According to the current resolution, consents given by the data subject under the German Federal Data Protection Act (BDSG) can remain valid under the EU General Data Protection Regulation (GDPR). The supervisory authorities believe that consents that are compliant with the BDSG generally also fulfill the requirements of the GDPR and therefore remain valid.
However, according to the resolution, consents will not remain valid, first, where the data subject has not reached the minimum age of 16 years stipulated in Art. 8 GDPR. Second, consents will not remain valid if they were not freely given, i.e. if consent was requested even though it was not necessary for the performance of a contract or a service.
Furthermore, we recommend continuing to rely on consents only if the data subject was previously informed of the right of withdrawal. Deviating from the BDSG, Art. 7 No. 4 GDPR requires for a valid consent that the data subject has been informed of the right of withdrawal beforehand.
7 September 2016
Six months after the European Data Protection Regulation (GDPR) entered into force, the first draft of a new German Data Protection Act (ABDSG) was published. It aims to complement and specify the GDPR regulations.
The draft provides regulations regarding the rights of the data subject, the data protection officer, employee data protection, the supervising authorities and the conditions for imposing administrative fines.
Which parts of the draft will become final remains to be seen. First statements by the German Ministry for Justice and Consumer Protection and the Federal Commissioner for Data Protection point out some need for changes. In particular, the limitation of the data subject’s rights has met with opposition.
Safe Harbor 2.0
19 August 2016
Since 1 August 2016 the procedure for US companies to get certified under the new EU-US Privacy Shield (Privacy Shield) has been open. From a privacy law perspective, the certification confirms an “adequate level of data protection” according to sec. 4b par. 2 BDSG.
The participating US companies are listed in the public “Privacy Shield List” managed by the US Department of Commerce. The list contains, inter alia, the companies’ privacy policies and information on the data involved, as well as the companies’ contact details for requests or complaints. Companies must respond within 45 days of receiving a complaint.
However, further developments should be monitored in light of the ongoing criticism of the Privacy Shield and the doubts whether the EU Commission’s adequacy decision will stand up to a review by the European Court of Justice (ECJ). For a long-term strategy on international data transfers, the remaining options, such as the EU Standard Contractual Clauses (taking into account a potential review by the ECJ) and Binding Corporate Rules, should still be considered.
Safe Harbor 2.0
12 July 2016
On 12 July 2016 the EU Commission paved the way for the transfer of personal data to the US by adopting the EU-US Privacy Shield (Privacy Shield). The Privacy Shield follows the Safe Harbor Agreement which was abolished by the European Court of Justice (ECJ) in October 2015. According to the EU Commission’s adequacy decision it ensures an appropriate level of privacy as well as sufficient rights of the data subject. It serves as a basis for the transfer of personal data processed in the EU/EEA to US-based companies joining the program.
The procedure for registering on the public list of certified companies with the US Department of Commerce is open from 1 August 2016.
However, considering the extensive criticism the Privacy Shield is facing, there is some doubt whether it will last and provide a sustainable solution for EU-US data transfers. It is quite likely that the ECJ will be asked whether the Privacy Shield serves as a basis for ensuring an adequate level of privacy.
10 June 2016
Website operators beware: The Hamburg data protection authority recently published a statement saying that the use of the analytics tool Google Analytics is currently not legally compliant.
The reason for the warning is that the tool still transfers data to the US on the basis of the Safe Harbor Agreement, although the Safe Harbor Agreement was invalidated by the European Court of Justice in October 2015. Accordingly, it no longer serves as a basis for data transfers to the US. Recently the first administrative fines were imposed on companies that had not yet adapted their data transfers.
An updated version of the Hamburg data protection authority’s Google Analytics guide can be expected soon. Until then the use of Google Analytics remains risky.
1 June 2016
On 1 June 2016, the German parliament agreed on an amendment of the German Telemedia Act (TMG). The amendment aims to stimulate the provision of open WiFi networks within Germany by eliminating the operator’s liability risk for infringements by third parties using the open WiFi.
It is still uncertain whether the amendment will sufficiently answer the open legal questions regarding the operation of open WiFi. The draft amendment excludes liability for damages (see Sec. 8 par. 1 TMG), while questions such as liability for injunctive relief and the burden of proof remain unresolved.
Safe Harbor 2.0
26 May 2016
The Irish Data Protection Authority, which is responsible for Facebook, announced its intent to ask the European Court of Justice to review the transfer of data to the USA based on the EU Model Clauses.
Since the Safe Harbor decision the EU Model Clauses have been recognized at least as a temporary “solution”. Should the European Court of Justice follow its previous approach with respect to the EU Model Clauses, they too are likely to be insufficient as a legal basis for transferring EU data to the USA. The reason is that the key issue, access by US authorities and the insufficient legal protection against such access, remains the same.
A final solution of the key issue by amending US law is almost impossible for political reasons. However, there are also doubts whether the new EU-US Privacy Shield will solve the problem. The EU Parliament has just rejected the results, calling them insufficient, and the negotiations between the EU and the US are to be continued.
26 May 2016
In a non-binding resolution, the EU Parliament asks the EU Commission to continue negotiating with the United States on a new agreement for the protection of EU citizens’ personal data transferred to the United States. The negotiations became necessary after the European Court of Justice invalidated “Safe Harbor” in October 2015.
According to the Parliament’s statement, the results achieved so far require further improvement. Although the parties agreed on the requested establishment of an Ombudsman, he would lack the necessary powers and independence to achieve his objectives effectively. Furthermore, the appeal procedures would need to become more user-friendly and efficient. The most important issue mentioned by the Parliament, however, is the still missing stipulations to prevent access by the US authorities.
4 May 2016
Already in April 2016 the EU Parliament passed (see below) the EU General Data Protection Regulation (GDPR). With the publication of the GDPR in the EU Gazette the transitional period begins, and the unified EU Data Protection Law becomes effective on 25 May 2018.
However, the GDPR allows national legislatures to enact national laws on certain topics. Therefore, national data protection law is facing major changes during the transitional period, in particular with regard to the establishment and organization of the national supervisory authorities, legal protection against their decisions and the regulation of further sanctions. Employee data protection and the requirements for the mandatory appointment of a data protection officer may also be regulated individually by national legislation.
20 April 2016
The Federal Constitutional Court (BVerfG) decided on a constitutional complaint against the amended Federal Criminal Police Office Act (BKA Act) passed in 2009. The amendment extended the BKA’s powers regarding the use of data for counter-terrorism purposes. In its “Fundamental judgement regarding Data Privacy” (in the words of the court’s Vice President, Ferdinand Kirchhof), the BVerfG decided that these powers are partly unconstitutional.
The court ruled that the BKA Act as a whole is constitutional, while a number of its stipulations are disproportionate and violate fundamental constitutional rights. The surveillance and monitoring of residential property as well as the transfer of data between national and international authorities are particularly critical: the rules on national data transfers are not proportionate, and moreover the concept of international data transfers does not comply with fundamental rights.
Because the judgement does not concern the core of the BKA Act, the regulations stay in force to a limited extent until the middle of 2018, the deadline for the German legislator to modify the BKA Act.
18 April 2016
According to the ordinance on the IT Security Law, 730 facilities qualify as critical infrastructures. The operators of these facilities are obliged to notify the German Federal Office for Information Security (BSI) of their internal central points of contact within six months and to provide the BSI with proof of compliance with the minimum standards on IT security within two years after the ordinance enters into force (expected approximately in May 2016).
Further ordinances for the transport and traffic, health, and finance and insurance sectors are expected to follow by the beginning of next year.
EU Data Protection Regulation (EU-DPR)
14 April 2014
After years of debate the uniform framework for data protection in the EU is becoming reality. The EU Parliament finally passed the EU Data Protection Regulation (EU-DPR), which will apply two years after being published in the EU Gazette, approximately in June 2018. The EU-DPR replaces the national data protection regulations of the EU member states. Its goal is to strengthen individual rights and to ensure an improved and uniform level of data protection in Europe to prepare the EU for the digital era.
Several trade associations have already criticized the costs for companies to implement the new requirements, all the more so in view of the higher sanctions in the future. Companies face penalties of up to 4% of their annual turnover, measured by their global total turnover.
The EU-DPR imposes a new program of duties which requires technical and organizational measures, for example regarding the processing of customer and employee data, as well as the amendment of business contracts with other companies.
Within the two-year deadline, companies must prepare for the future of data protection. This requires an analysis of their current data protection governance and its adjustment to comply with the new requirements.
14 April 2016
The EU Parliament approved the much-debated storage of passengers’ data, the so-called PNR Directive (Passenger Name Record). For around five years the PNR Directive had been heavily discussed but not agreed upon by the EU Parliament.
The PNR Directive obliges airlines to submit passengers’ data for all flights from third countries to the EU and vice versa to the national authorities of the member states. Additionally, member states may apply the directive to intra-EU flights as well. The directive is intended to foster the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The member states shall establish central PNR authorities responsible for the collection, storage and processing of the data, which will also manage the exchange with other member states and Europol.
In the future, information such as name, address, phone and credit card number and the flight destination will have to be stored for a period of five years. After six months the data will be “masked out”, i.e. stripped of the elements that may allow the identification of individuals.
The deadline for transposing the directive into national law will be two years. Before that, however, the directive is still subject to formal approval by the Council.
16 March 2016
Following a case tried before the district court of Munich between Sony Music Entertainment and the owner of a light and audio technology store, who offered free WLAN to customers within his store, the European Court of Justice has to decide whether the operator of an open WLAN is vicariously liable for copyright infringements by the network users. The WLAN involved in the case was used in 2010 for the illegal offering of a work owned by Sony.
The Advocate General has now argued against vicarious liability of the store owner, who could rely on the EU directive on electronic commerce (2000/31/EG). This directive limits the liability of intermediary providers of mere conduit services for unlawful acts committed by a third party with respect to the information transmitted.
Should the European Court of Justice agree with the Advocate General’s opinion – which is not binding but often serves as a guideline – the German concept of vicarious liability (“Störerhaftung”) would have to be amended. Moreover, the draft law currently debated in the German Parliament would have to be modified. The draft stipulates a general obligation of password protection for private as well as commercial WLAN. Additionally, operators of WLAN open to the public would be obliged to ask their users, before connecting, to refrain from any illegal use.
Safe Harbor 2.0
29 February 2016
The EU Commission published various documents with respect to the new data privacy agreement between the EU and the USA, the so-called Privacy Shield, and asked the EU Member States, the Article 29 Working Party and the EU Parliament for their statements.
The published information includes the general data privacy principles to be followed by companies, including the requirements for certification. Also on the table are the draft of the EU Commission’s adequacy decision (confirming compliance with EU data privacy standards) and several written declarations by the US government. These documents are supposed to form the future legal framework for the transfer of EU data to the USA.
The official letters of the US authorities contain certain commitments and assurances regarding access to data for law enforcement and national security purposes. These guarantees are supposed to protect EU data against access by US authorities without cause, as happened in the past. Data privacy experts have already started criticizing that there are certain exceptions to these guarantees, including data access to fight terrorism, trade in weapons of mass destruction or international crime.
5 February 2016
The Federal Ministry of the Interior published the suggested draft of the first ordinance on the IT Security Law this week. The draft was addressed to the federal states and unions for their statements.
So far the draft concerns the energy, water, food, and IT and telecommunications sectors. The stipulations on the categories of facilities and the details on services are of particular interest. According to the draft, around 650 facilities in Germany qualify as critical infrastructures (KRITIS).
The Federal Office for Information Security (BSI) announced that the ordinance is to enter into force as early as spring 2016. Other ordinances for the transport and traffic, health, and finance and insurance sectors are expected to follow during 2016.
Even if the draft is not supposed to be the final version of the ordinance, it provides at least a tendency to estimate the scope of the IT Security Law.
Safe Harbor 2.0
4 February 2016
Following the press conference held by the EU Commission on 2 February 2016 regarding the EU-US Privacy Shield, the Article 29 Working Party published its official statement on 3 February 2016. Because only extracts of the content and wording of the new agreement have been provided so far, the Article 29 Working Party was not yet able to review and decide on the issue. In any case, the concerns regarding the current US legal framework remain.
Therefore the Working Party asked the EU Commission to provide the complete documents by the end of February 2016. The Working Party will then analyze whether the issues regarding the US legal framework can be solved and whether the new agreement provides legal certainty regarding the other data transfer instruments. The results are to be finalized during an extraordinary plenary meeting.
According to the Article 29 Working Party the use of Standard Contractual Clauses and Binding Corporate Rules should remain permitted in the meantime. Even if statements by the Working Party are not binding for German public authorities, they serve as an important guideline. Therefore the use of these instruments should be continued, recognizing it as a temporary solution.
Safe Harbor 2.0
2 February 2016
The European Commission and the United States have agreed on a new framework for transatlantic data flows. According to the currently available information, the successor of the Safe Harbor Arrangement shall be adopted under the title “EU-US Privacy Shield”.
The EU-US Privacy Shield aims at stricter supervision (compared to the Safe Harbor Arrangement) by the U.S. Department of Commerce and the Federal Trade Commission (USFTC) of companies that process data originating from Europe. As a key commitment, the US has given the EU written assurances that access to data by public authorities will be permissible only to the extent necessary and proportionate. Further, indiscriminate mass surveillance of the personal data transferred to the US has been explicitly ruled out. Any EU citizens who consider that their data has been misused will have the possibility to bring direct complaints before the FTC or to assert claims through alternative dispute resolution procedures (which shall be free of charge). For potential complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
As of today, with the agreement on the EU-US Privacy Shield, the discussions between the EU Commission and the US come to an end. The EU-US Privacy Shield will now be subject to a review by the Art. 29 Working Party and needs to be finally adopted by the Member States. On the US side, too, certain tasks need to be completed before the EU-US Privacy Shield enters into force.
1 February 2016
The Art. 29 Working Party’s deadline regarding the negotiations on a new Safe Harbor Agreement between the US government and the EU Commission expired today. From now on, sanctions by the public authorities with respect to unlawful transfers of personal data to the US are possible. Further official information has been announced: a briefing of the EU Parliament by the EU Commission regarding the results of the negotiations with the US government is scheduled for later today. The Art. 29 Working Party will hold a meeting on 2 February 2016 and has announced its statement for 3 February 2016.
9 January 2016
Due to Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 on online dispute resolution for consumer disputes (Regulation on consumer ODR), new information duties in e-commerce are in place. The reason is the implementation of an EU ODR platform (Online Dispute Resolution platform), which enables online merchants and consumers to resolve their disputes online. Online merchants are obliged to link to the ODR platform and to provide an e-mail address on their website. Although the EU Commission has announced that the ODR platform will not launch until 15 February 2016, the new duties are already binding.
21 December 2015
The German Federal Government has answered a minor interpellation of the parliamentary group DIE LINKE, stating that personal data transfers from Europe to companies located in the USA can be performed on the basis of the remaining legal grounds (standard contracts, consent, binding corporate rules (BCR)). The German Federal Government, however, declared in its statement that the Art. 29 Working Party is currently examining the impact of the ECJ ruling on these remaining legal grounds.
Learn more in our Legal Dbriefs Webcast on 17 February 2016.
17 December 2015
On the basis of an amendment of the German Act on Cease and Desist Actions (Unterlassungsklagengesetz – UKlaG), specific authorized consumer protection associations become entitled to file an action against companies and company owners in case of data privacy infringements. The UKlaG states that data protection authorities need to be heard ex officio in the course of the lawsuit. The cease and desist actions will most likely be followed by administrative proceedings. Due to a transition period, unlawful data transfers to the USA which were permissible on the basis of “Safe Harbor” until the ECJ ruling of 6 October 2015 can be challenged only as from 1 October 2016.
Learn more in our Legal Dbriefs Webcast on 17 February 2016.
EU Data Protection Regulation (EU-DPR)
15 December 2015
On 15 December 2015 the responsible EU institutions agreed on a joint text for the new EU Data Protection Regulation (EU-DPR). The agreement is a milestone in the reform of European data protection law and at the same time the starting signal for EU data protection compliance strategies. For the creation of a uniform framework for data protection in the EU, only the final adoption by the European Parliament is still needed. This is expected in early 2016.
7 December 2015
At the end of 2015 the EU reached political agreement on a draft of a European Network and Information Security Directive (NIS). Germany has already transposed at least parts of the NIS into a German IT Security Law, which came into force on 25 July 2015. But a number of questions remain, in particular regarding the scope of application of the IT Security Law and the impact of the NIS on the IT Security Law.
Safe Harbor 2.0
26 October 2015
Further to the “Safe Harbor” decision of the ECJ of 6 October 2015, the independent data protection authorities of the German federation and states (so-called Data Protection Conference) declared in a position paper dated 26 October 2015 that, on the one hand, Binding Corporate Rules (BCR) shall for the time being not be accepted as legitimization for personal data transfers to the USA and that, on the other hand, BCR and the EU Standard Contractual Clauses will be reviewed in light of the decision of the ECJ. A binding statement from the German as well as the European data protection authorities (Art. 29 Working Party) has been announced for the end of January 2016. Should the decision be that neither EU Standard Contractual Clauses nor BCR are capable of legitimizing a transfer of personal data from the EU to the USA anymore, only individual declarations of consent may qualify as legitimization in the future.
“Safe Harbor” decision of the European Court of Justice (ECJ)
6 October 2015
In its judgment of 6 October 2015 (ref. C-362/14), the European Court of Justice (ECJ) declared what is known as the “safe harbor” decision of the EU Commission to be invalid. This means that as from this date the transfer of personal data from Europe to companies in the USA can no longer be based on the safe harbor decision.
Many companies will thus lose the legal basis chosen by them to date for the transfer of personal data to service providers and companies in the USA. In particular, it will no longer be possible for European and US affiliates to transfer personal data between them on the basis of “safe harbor”.