Newsflash IT / Privacy
Notice of EU Commission on transfer of personal data between the EU and Great Britain after Brexit
9 January 2018
Upcoming changes in data privacy requirements for the transfer of personal data to the United Kingdom (“UK”):
In a notice dated 9 January 2018 the EU Commission pointed out that, as a consequence of Brexit, EU law such as the EU General Data Protection Regulation will no longer apply in the UK as from 30 March 2019. For data protection purposes the UK will then be classified as a third country. As a result, transfers of personal data to the UK will require proof of an adequate level of data protection in the UK, which can be established, e.g., by EU Standard Contractual Clauses or Binding Corporate Rules.
However, in a statement the UK Information Commissioner's Office has already announced that the current EU data protection standards will remain the legal standard in the UK despite Brexit. The UK is therefore seeking an adequacy decision by the EU Commission, which would facilitate data transfers and remove the need for further proof of an adequate level of data protection.
Until then, companies that transfer personal data to UK business partners need to be aware of the upcoming changes and should develop a strategy for dealing with the new situation in good time.
BSI publishes management report on IT-Security 2017
23 November 2017
In November the Federal Office for Information Security (BSI) published its annual report on the state of IT security in Germany. Following an analysis of the current security situation, the report illustrates recent types of attack, their causes and how to defend against them.
According to the report, the threat situation remains tense. Developments such as the "Internet of Things", "Industry 4.0" and "Smart Everything" offer cyber criminals a growing attack surface that they can use to gain access to information, sabotage business and administrative processes or otherwise enrich themselves through criminal activity. In particular, phishing attacks and the use of extortion ransomware against public authorities and companies have increased.
The BSI notes that antivirus programs are often not up to date because malware is being developed at a high pace. In addition, the human factor is an important source of danger, for example with regard to so-called "CEO fraud", in which attackers impersonate executives in order to trigger fraudulent payments. Companies should train their employees more intensively in IT security matters.
The report underlines that cyber attacks such as WannaCry or Petya/NotPetya can have immense consequences, which makes it necessary to understand information security as the basis for successful digitization.
New compendium on IT security
11 October 2017
The German Federal Office for Information Security (BSI) presented its new IT security compendium (IT-Grundschutz-Kompendium). It replaces the current IT security catalogues (IT-Grundschutz-Kataloge) and in its first edition contains a modernized version of the most relevant previous modules as well as modules on new IT security topics. It was designed to provide more flexibility and differentiation. The final draft is available here.
Currently the documents are available in German only.
Recent decisions on covert employee surveillance
11 October 2017
Recently the European Court of Human Rights (ECtHR) and the German Federal Labor Court (BAG) ruled on central questions regarding the protection of employee data.
In its decision of 29 June 2017 the BAG ruled that Sec. 32 of the Federal Data Protection Act (BDSG) permits covert surveillance measures by employers not only to uncover criminal offences, but also to uncover severe breaches of employees' duties. According to the decision, employers are allowed to monitor whether an employee complies with his or her duties and to store and process all data needed to meet the burden of proof in potential proceedings against an unfair dismissal. If all less intrusive measures have failed, covert surveillance measures can be permitted to uncover severe breaches of employees' duties. Such a severe breach can be the pursuit of a competing business activity during the employment relationship.
The decision of the ECtHR of 5 September 2017 sets out criteria for when the surveillance of an employee's internet communication is permitted. The decision concerns a case in which an employee's messenger communication was secretly monitored in order to detect unauthorized private use. According to the ECtHR, covert surveillance of employee communication is permitted only within narrow bounds. Its lawfulness in particular depends on
- whether the employee was informed in advance that his or her communication may be monitored,
- whether the qualitative and quantitative extent of the surveillance is appropriate,
- whether the surveillance measures are justified by sufficient substantial evidence,
- whether less intrusive measures could be used instead,
- whether the gathered data are used only to fulfil the legitimate aim of the surveillance,
- whether sufficient safeguards are in place to protect the affected employee. The employer should only access the content of the communication if the employee has been informed in advance.
Covert surveillance measures that do not meet these requirements violate the right to respect for private life and correspondence under Art. 8 of the European Convention on Human Rights.
These decisions complement the recent decision of the BAG that declared the covert use of software keyloggers, which record all keystrokes on employees' computers, inadmissible.
Companies should adjust their compliance systems to this recent case law. Surveillance measures have to be adequate and proportionate. Transparent internal rules are a key requirement for the lawfulness of such measures.
Data protection authority investigates use of Facebook Custom Audience
7 October 2017
The Bavarian data protection authority (BayLDA) recently investigated whether companies use Facebook Custom Audience in compliance with data protection law. Facebook Custom Audience is an online advertising tool that enables companies to place customer-specific advertisements on Facebook, either by uploading customer lists or by embedding a Facebook pixel in the company's website that tracks users' online behavior.
According to the results of the investigation, the use of Facebook Custom Audience often does not comply with data protection law. In many cases there is a lack of transparency, as companies fail to inform the data subjects sufficiently. Furthermore, the data subject's right to object has not been implemented, or not implemented properly.
Considering the upcoming EU General Data Protection Regulation and the resulting high risk of administrative fines, companies should review whether their use of Facebook Custom Audience complies with data protection law. A short guideline published by the BayLDA provides general guidance on this topic.
Court decision: no premature enforcement of the GDPR
13 September 2017
According to a decision of the Administrative Court of Karlsruhe, data protection authorities are not yet allowed to issue orders or sanctions based on the EU General Data Protection Regulation (GDPR).
The legal dispute concerns upcoming changes regarding the storage limitation of creditworthiness data held by credit agencies. Unlike the current rule in Sec. 35 of the German Federal Data Protection Act, the GDPR does not provide for concrete retention and deletion periods. According to Art. 5 GDPR personal data may be stored (only) for as long as is necessary to fulfil the specific purpose. The impact of the changes and the upcoming codes of conduct are currently being negotiated between data protection authorities and industry associations.
Against this background the data protection authority of Baden-Wuerttemberg issued an order against a credit agency, which became the subject matter of the proceeding. In view of the upcoming changes the authority determined concrete data retention periods and asked credit agencies in its territory to comply with these periods in future and to include them in their deletion concept.
The court set the order aside. According to the decision, data protection authorities are not allowed to issue orders based on the GDPR before it becomes applicable on 25 May 2018. Furthermore, data protection authorities are not allowed to preventively restrict and enforce rules of the GDPR that leave room for an individual assessment.
German supervisory authorities provide templates for records of processing activities
30 June 2017
The German supervisory authorities have agreed on new templates for the records of processing activities according to Art. 30 of the EU General Data Protection Regulation (GDPR):
- Controller’s records of processing activities (Art. 30 Sec. 1 GDPR),
- Processor’s records of processing activities (Art. 30 Sec. 2 GDPR),
- Overview technical and organizational data protection measures,
- Supplementary notes.
The templates offer guidance for companies when drafting their records of processing activities and adapting them to the new requirements of the GDPR. In particular with regard to technical and organizational measures, companies should establish whether and to what extent their current documentation complies with the new requirements.
German Bundestag passes amendment of Sec. 203 StGB
29 June 2017
On 29 June 2017 the German Bundestag passed statutory amendments which facilitate the use of external IT providers by persons subject to professional confidentiality. The major change is the amendment of Sec. 203 of the German Criminal Code (StGB). Sec. 203 StGB penalizes the disclosure of third parties' secrets by persons subject to professional confidentiality (e.g. lawyers, doctors, employees of private health, accident or life insurance companies) that became known to them in the course of their professional activity.
The amendment aims to adapt Sec. 203 StGB to the requirements resulting from ongoing digitalization and to facilitate the use of external service providers, in particular for the establishment, operation, maintenance and adjustment of IT systems and applications. Currently the involvement of external service providers requires the explicit consent of the person concerned if the service provider is able to access the secrets. In future it will be permitted to disclose secrets to so-called "contributing persons" if the disclosure is necessary for the proper exercise of the professional activity and if the external service provider is bound by corresponding confidentiality obligations. Staff of external service providers should be aware that the new law makes them personally liable if they disclose secrets that became known to them in the course of their work.
The statutory amendments also include changes to the Federal Lawyers' Act (BRAO), the Federal Notarial Code (BNotO), the Patent Attorneys' Act (PAO), the Tax Consultants' Act (StBerG) and the Federal Auditors' Act (WPO).
Supervisory authorities publish guidelines on privacy in the context of employment
29 June 2017
New guidelines on privacy at work: The Article 29 Working Party, an association of representatives of the national supervisory authorities, as well as the Data Protection Commissioner of Baden-Wuerttemberg recently published guidelines on privacy in the context of employment. Another publication by the Data Protection Authority of Bavaria also deals with this topic (see here, here and here). The guidelines do not yet cover the new version of Sec. 26 of the Bundesdatenschutzgesetz (German Federal Data Protection Act). However, the topics and recommendations addressed in the guidelines will remain relevant under the new law.
German higher administrative court rules on new telecommunications data retention obligation | German Federal Network Agency suspends enforcement
22 June 2017
The Higher Administrative Court of North Rhine-Westphalia ruled that the new German telecommunications data retention obligation does not comply with EU law (22 June 2017, 13 B 238/17).
According to the court, the obligation of public telecommunications providers under Sec. 113b Telekommunikationsgesetz (German Telecommunications Act) to store their users' traffic data (for ten weeks) and location data (for four weeks) indiscriminately, i.e. without any specific occasion, does not comply with Art. 15 (1) of the EU Directive on privacy and electronic communications (2002/58/EC). The court based its decision on a judgment of the European Court of Justice (21 December 2016, C-203/15 and C-698/15). According to that judgment, national laws on telecommunications data retention have to be limited to specific purposes such as the prevention, investigation, detection and prosecution of serious crime or vital national security interests.
The decision is not subject to appeal; a final decision in the main proceeding has not yet been reached. So far the decision applies to the applicant company only. However, the Bundesnetzagentur (Federal Network Agency) announced that it will refrain from any administrative orders and actions to enforce the telecommunications data retention obligation until a final decision in the main proceeding is reached.
German Federal Court of Justice rules on storage of IP addresses by website operators
16 June 2017
The Bundesgerichtshof (German Federal Court of Justice) ruled that website operators may store the IP addresses of their users without consent beyond the duration of the actual visit if this is necessary to ensure the operability of the website (judgment of 16 May 2017, VI ZR 135/13), in particular if the website is under threat of cyber attacks. However, the question of when exactly a website is in danger of cyber attacks remains open and will most likely be the subject of future proceedings. The storage must serve the purpose of preventing attacks and facilitating prosecution.
In October 2016 the European Court of Justice had already ruled that (dynamic) IP addresses qualify as personal data (C-582/14, NJW 2016, 3579). Under the upcoming General Data Protection Regulation (GDPR), Article 4 No. 1 lists online identifiers among the identifiers that make a natural person identifiable, and Recital 30 names IP addresses as an example of such identifiers.
Article 29 working group publishes first statement on EU-US Privacy Shield
15 June 2017
In preparation for the first annual review of the EU-US Privacy Shield by the European Commission, the Article 29 Working Party, an association of representatives of the national data protection supervisory authorities, released a statement.
The Working Party is concerned about whether the US Department of Commerce will implement the agreement correctly and requested that its vague legal definitions be specified. Furthermore, the Working Party expressed concerns about whether and how the new US administration will handle the agreement. More information on recent developments in US privacy law should be provided.
IT-Security: Amendment of the Regulation on identifying critical infrastructures
6 June 2017
New developments in the area of IT security: The German Government has passed an amendment of the Regulation on identifying critical infrastructures (see here (in German only)). The amendment identifies critical infrastructures in further sectors.
With the IT Security Act of 2015 various obligations were established for operators of critical infrastructures, e.g. the obligation to implement and prove appropriate, state-of-the-art protection of their IT systems, to name a contact point and to notify the German Federal Office for Information Security (BSI) of any substantial disturbances or malfunctions of their IT systems (Sec. 8a and 8b BSI Act).
To enable operators to determine whether they run critical infrastructures, the Regulation on identifying critical infrastructures (BSI-KRITIS-Verordnung) was passed in May 2016. It provided rules for the sectors energy, water, food, and information technology and telecommunications. The amendment adds rules for the sectors finance and insurance, health, and traffic and transportation.
The amendment will presumably become effective in summer 2017. Subsequently, operators of critical infrastructures in the new sectors will have to name a contact point to the BSI within six months and implement, as well as prove, appropriate technical and organizational measures to protect their IT systems within two years (see BSI guidelines (in German only)).
New rules on the electronic identity card
2 June 2017
On 2 June 2017, the German Bundesrat approved the amendment of the law governing the use of Germany's electronic identity card (consolidated version not yet available: draft, changes by the Bundesrat). The aim of the amendment is to simplify the card's online functionality in a way that increases both its acceptance and its use by holders.
In future the online functionality of the electronic identity card will be activated automatically. The basis of the online functionality, the electronic proof of identity (eID), has been part of the card since November 2010. However, until now the online functionality was only activated at the holder's request, which according to evaluations only a third of holders chose to do.
The amendment also makes it easier for companies to obtain an authorization to offer services based on the online functionality of the electronic identity card.
Furthermore, the amendment will give security authorities automated access to the biometric photograph stored on the card. This has met with heavy criticism from privacy activists.
The bill requires the Federal President's signature to be enacted. It will become effective on the day after its publication, except for the automated access to the biometric photograph, which will apply from May 2018.
Update new German Privacy Act
12 May 2017
The new German Federal Data Protection Act (BDSG-new) has arrived: On 12 May 2017 the German Federal Council (Bundesrat) approved the final draft and thereby completed the legislative procedure.
The BDSG-new contains rules, e.g., on employee data processing, on data processing in connection with consumer credits, scoring and credit reference agencies, and on the obligation to designate a data protection officer. We will soon provide more information on the BDSG-new in our Topics IT/Privacy section.
The BDSG-new will enter into force on 25 May 2018.
Germany is the first EU Member State to adopt a national law accompanying the EU General Data Protection Regulation (GDPR). The BDSG-new will likely serve as a model for national data protection laws in other EU Member States. As the BDSG-new contains extensive deviations from the GDPR, there is reason to fear that data protection requirements will differ from one EU Member State to another and that the GDPR's aim of providing a harmonized data protection law will not be achieved.
German Bundestag adopts new data protection law
27 April 2017
On 27 April 2017, the German Bundestag adopted the EU Data Protection Adaptation and Implementation Act (DSAnpUG-EU) in its most recent version, dated 25 April 2017. The legislative package adapts German data protection law to the requirements of the General Data Protection Regulation (GDPR) and the EU Data Protection Directive for Police and Justice (Directive (EU) 2016/680). Its centerpiece is the new Federal Data Protection Act (BDSG), which will replace the present BDSG on 25 May 2018. It will complement and specify the GDPR in certain respects.
With the approval of the draft by the German Bundesrat, which is expected in May 2017, the legislative process will be completed. This makes Germany the first EU Member State to adapt its national rules to the new requirements of EU data protection law.
However, it remains to be seen whether the completion of the legislative process will provide the envisioned legal certainty: the European Commission has already joined in the criticism of some rules of the new BDSG and expressed doubts about their legality.
White Paper Digital Platforms
20 March 2017
On 20 March 2017 the German Federal Government released its "White Paper Digital Platforms". The document presents the results of a stakeholder consultation in which companies, trade unions, associations and citizens participated. The consultation put several propositions and questions regarding the design of a future German digital regulatory policy to the general public.
The White Paper follows the Digital Strategy 2025 of the Federal Ministry for Economic Affairs and Energy (BMWi) of March 2016, which identified central principles and areas of action for the further digitalization of the economy and everyday life in Germany. The White Paper calls for a rapid and EU-wide uniform implementation of the European General Data Protection Regulation. Furthermore, the BMWi gives its views on the adoption of a Trust Services Act and considers the establishment of a digital agency.
EU US Privacy Shield and Trumps „Executive Order“
2 March 2017
In a recent interview with the news agency Bloomberg the EU Commissioner for Justice said she will "not hesitate" to suspend the recently established EU-US Privacy Shield agreement "if there is a significant change".
The Commissioner's statement was prompted by the US President's executive order on "Enhancing Public Safety in the Interior of the United States", signed on 25 January. Under this order, the protections of the US Privacy Act are not to be extended to persons who are not US citizens or lawful permanent residents. In response to a request by the EU Commission, the US Department of Justice confirmed on 22 February that the US will adhere to the Privacy Shield. However, in view of the "unpredictability" of the situation, the EU Commission wants to continue the dialogue, and the EU Commissioner for Justice will meet US government representatives in Washington D.C. at the end of March.
Should the Privacy Shield be suspended, the legal basis for data transfers to the US would be uncertain again.
Current GDPR guidelines of the Article 29 Working Party
1 February 2017
In December 2016 the Article 29 Working Party published several guidelines on the implementation of the EU General Data Protection Regulation (GDPR): One guideline addresses the right to data portability under Article 20 GDPR (guideline, FAQ). Another guideline was published on the topic "data protection officer" (guideline, FAQ). The third guideline concerns the question of which supervisory authority is the lead authority in cases of cross-border data processing, Article 56 GDPR (guideline, FAQ). Further guidelines on consent, profiling, transparency, data transfers to third countries and data breach notifications will follow in the course of 2017.
The Article 29 Working Party is a European body composed of representatives of the national data protection supervisory authorities, the European Commission and the European Data Protection Supervisor. It advises the European Commission on data protection and promotes the uniform application of European data protection law. Although its opinions and guidelines are not legally binding, they carry considerable weight in practice, as they reflect the legal opinion of the supervisory authorities responsible for enforcing data protection law.
German government enacts new German privacy bill
1 February 2017
Today the German government adopted a new bill that adapts national data protection law to the new requirements of the EU General Data Protection Regulation (GDPR).
The GDPR contains several opening clauses that allow national legislators to enact complementary and specifying national law, e.g. in the area of employee data protection or regarding the requirements for the designation of a data protection officer.
The bill will now go through the parliamentary legislative procedure. However, the decisions of the German Bundestag and Bundesrat are uncertain, as the draft, like the first two drafts, is facing a great deal of criticism, e.g. concerning the planned reduction of data subjects' rights and the easing of the rules on public video surveillance. Critics also consider parts of the bill to be contrary to European law, especially insofar as they go beyond the scope of the GDPR's opening clauses.
IT Security, eGovernment, automated driving: German government votes for new bills
25 January 2017
New developments in the area of IT/Privacy: Today, the German government decided on relevant new bills.
In the area of IT security, a bill implements the EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) into national law. The NIS Directive provides obligations for providers of critical infrastructures as well as digital service providers.
Another bill concerns eGovernment. A so-called "Open Data Law" is intended to promote the free provision of public data by the federal German administrative authorities.
The third bill aims at integrating "automated driving" into the existing German Road Traffic Act (StVG): In future, highly and fully automated vehicle systems will be permitted to take over driving tasks under specific circumstances.
Privacy: Review 2016 and prospects for 2017 | GDPR: Get ready for May 2018!
10 January 2017
EU General Data Protection Regulation (GDPR), new German data protection law, international data transfers, ePrivacy Regulation, rising litigation risks regarding privacy: these were the privacy topics of 2016 that will remain highly relevant in 2017. In our article "Review 2016 and prospects for 2017" we provide an overview of what has been important and what to expect in 2017.
Are you ready for May 2018? In May 2018 the GDPR will apply directly in all EU Member States, which means that companies and public authorities need to implement the new rules by then. 2017 marks the kick-off for the implementation of the GDPR. Are you ready? We support you in facing the challenges of the GDPR and in seizing its opportunities. Deloitte Legal provides an interdisciplinary approach that helps you to no longer just "stick to compliance", but to "look ahead". Get ready for May 2018: here you can find out more.
New rules on data transfer in international law enforcement cooperations
27 December 2016
There have been new developments concerning the transfer of personal data between investigative and judicial authorities in 2016:
At the European level, Directive (EU) 2016/680 entered into force in April 2016. It harmonizes the rules for the transfer of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties. It includes rules on data processing, the rights of the data subject, data protection and data security. The Directive has to be implemented into national law by May 2018.
At the international level, the so-called "Umbrella Agreement" is relevant. It establishes binding rules on data transfers between investigative and judicial authorities of the US and the EU Member States. The agreement aims at better cooperation in law enforcement and the fight against terrorism. In addition, it is intended to ensure better protection of data subjects. Besides a limitation of retention periods, data subjects are to have the right to access and rectify their personal data. In practice, however, this protection is limited: the rights have to be exercised before US courts and can be refused on national security grounds. After the European Parliament and the Council gave their consent to the agreement in December 2016, it will enter into force once the remaining procedures, in particular on the US side, have been completed.
Second draft of new German Data Protection Act
11 November 2016
In May 2018 the EU General Data Protection Regulation (GDPR) will apply. Until then the German legislator has the opportunity to complement and specify the rules of the GDPR by national law.
As the first draft of the new German Data Protection Act, published September 2016, has met with criticism, the German Federal Ministry of the Interior published a second draft.
Besides rules on data processing operations in the public sector, the draft contains rules for private companies, which process personal data in the context of the activities of an establishment in Germany. Inter alia, the draft provides specific rules for employee data processing, for scoring activities and rules on data transfer to credit agencies.
Like the first draft, the second draft restricts the rights granted to data subjects by the GDPR. However, it is questionable whether companies will benefit from the business-friendly approach proposed by the German Federal Ministry of the Interior. Apart from the question of whether the intended restrictions are permissible under EU law, such broad national deviations from the GDPR complicate a consistent and legally secure data protection practice.
Extensive audit by German supervisory data protection authorities
3 November 2016
The German data protection supervisory authorities announced that they are planning to audit 500 companies, starting in November 2016.
Subject of the audit is the transfer of personal data to third countries outside the EU/EEA. The questionnaire investigates:
- the kind of personal data that is transferred
- the purposes of the data transfer
- the nature of the data transfer
- the countries to which the data is transferred and
- the legal basis for the data transfer.
The audit focuses on the data transfer caused by the usage of external services, like remote maintenance, support, travel management, CRM systems, recruiting, cloud-based storage solutions and office solutions, communication services and collaboration platforms.
The supervisory data protection authorities of the German States Bavaria, Berlin, Bremen, Hamburg, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland and Saxony-Anhalt will participate in the audit-process.
German Bundestag resolves law for automatic driving systems
29 September 2016
Today the German Bundestag resolved that the recent amendments to the Vienna Convention on Road Traffic will apply in Germany from now on.
What does that mean for assisted, automated and autonomous driving technologies?
A first step has been taken. On the basis of the resolution, national law can be adapted so that it is possible to react faster to technical developments in the area of assisted and automated driving: According to the amendments to the Vienna Convention, vehicle systems which influence the way vehicles are driven, e.g. advanced driver assistance systems or automated driving technologies, are permitted in two constellations. Firstly, they are permitted if they comply with the regularly revised and updated vehicle regulations of the United Nations Economic Commission for Europe (UNECE). Secondly, they are permitted if they can be overridden or switched off by the driver.
However, the use of fully autonomous vehicles on public roads is not legal yet. Corresponding amendments to the international conventions on road traffic are being discussed.
Google Analytics: updated contract on commissioned data processing after Privacy Shield
27 September 2016
In June 2016 the Hamburg Commissioner for Data Protection pointed out that the use of Google Analytics is not legally compliant, because the data transfer to the US is still based on Safe Harbor.
Google recently joined the EU-US Privacy Shield. Google also provided a new contract on commissioned data processing.
We highly recommend that website owners using Google Analytics sign the updated contract with Google. The use of Google Analytics is not legally compliant if it is based on the previous contract.
If you use Google Analytics on your website, Google processes personal data of your users and makes it available to you for statistical purposes. In order to use Google Analytics in a legally compliant manner, it is necessary to:
1. Enter into a contract on commissioned data processing with Google,
2. Anonymize the user's IP address with the help of the "anonymizeIp" setting, so that the IP address is truncated before it is stored,
3. Refer to the use of Google Analytics in your privacy statement and give the user a possibility to object (opt-out).
As the data are processed in the US, a legal basis for the data transfer is needed. In the past, the data transfer was based on the Safe Harbor agreement. After Safe Harbor was invalidated by the European Court of Justice, a new legal basis has been available since summer 2016: the EU-US Privacy Shield.
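The following is an added example, not code from the original page or from Google, showing how steps 2 and 3 above can be implemented on the website side with the analytics.js command queue: IP anonymization is set on every hit before the first pageview is sent, and a user who has opted out gets no tracking calls at all, because the documented "ga-disable-<property ID>" window flag is set instead. Assumptions not stated on the page: analytics.js is loaded by Google's standard snippet and exposes the global ga() function; the opt-out is stored in a first-party cookie named "ga-opt-out" (hypothetical name); the property ID is a placeholder. The command list is built by a separate function so it can be inspected without a browser.

```javascript
// Added example (not from the original page). Privacy-conscious bootstrap
// for Google Analytics (analytics.js): anonymizeIp on every hit, opt-out
// honoured before any hit is sent.

const TRACKING_ID = 'UA-XXXXXXXX-1'; // placeholder property ID, replace with your own
const OPT_OUT_COOKIE = 'ga-opt-out';  // hypothetical cookie name chosen for this example

// Name of the global flag that analytics.js checks to disable a property.
function gaDisableFlagName(trackingId) {
  return 'ga-disable-' + trackingId;
}

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True if the visitor has previously clicked the opt-out link (step 3).
function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Ordered ga() commands for a visitor who has not opted out. Returned as
// data so the sequence can be checked: 'set anonymizeIp' must come after
// 'create' and before the first 'send', otherwise the first hit carries
// the full IP address.
function buildGaCommands(trackingId, cookieString) {
  if (hasOptedOut(cookieString)) return [];
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true], // step 2: Google truncates the IP before storage
    ['send', 'pageview'],
  ];
}

// Browser wiring. `win` is the window object and `ga` the analytics.js
// command queue; both are passed in so the function can be exercised with
// stand-ins outside a browser. Returns true if tracking was started.
function initAnalytics(win, ga, trackingId) {
  const cookies = win.document ? win.document.cookie : '';
  if (hasOptedOut(cookies)) {
    win[gaDisableFlagName(trackingId)] = true; // documented analytics.js kill switch
    return false;
  }
  for (const cmd of buildGaCommands(trackingId, cookies)) ga(...cmd);
  return true;
}

// Handler for the opt-out link in the privacy statement (step 3): persist
// the choice in a first-party cookie and disable the property immediately.
function optOut(win, trackingId) {
  const expires = new Date(Date.now() + 10 * 365 * 24 * 3600 * 1000).toUTCString();
  win.document.cookie = OPT_OUT_COOKIE + '=1; expires=' + expires + '; path=/; SameSite=Lax';
  win[gaDisableFlagName(trackingId)] = true;
  return true;
}

// Only run in a real browser where Google's snippet has defined ga().
if (typeof window !== 'undefined' && typeof window.ga === 'function') {
  initAnalytics(window, window.ga, TRACKING_ID);
}
```

If the site uses the newer gtag.js loader instead, the equivalent of step 2 is passing { 'anonymize_ip': true } in the gtag('config', ...) call; the "ga-disable-<property ID>" flag works for both loaders, but it must be set before the library sends its first hit, which is why the cookie is checked before any command is queued.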
14 September 2016
On 14 September 2016 the so-called “Düsseldorfer Kreis” decided on the continued validity of consents in data processing under the GDPR.
The “Düsseldorfer Kreis” is a board in which the German supervisory authorities for data privacy in the private sector coordinate and determine their approach on several topics.
According to the current resolution, consents given by the data subject under the German Privacy Act (BDSG) can remain valid under the EU General Data Protection Regulation (GDPR). The supervising authorities believe that consents, which are compliant with the BDSG generally also fulfill the requirements of the GDPR and therefore remain valid.
However, according to the resolution, consents will not remain valid, firstly, when the data subject does not reach the minimum age of 16 years set in Art. 8 GDPR. Secondly, consents will not remain valid if they were not freely given, i.e. if a consent is requested even though it is not necessary for the performance of a contract or a service.
Furthermore, we recommend continuing to rely on consents only if the data subject was previously informed about its right to withdrawal. Deviating from the BDSG, according to Art. 7 No. 4 GDPR a valid consent requires that the data subject has been previously informed of the right to withdrawal.
7 September 2016
Six months after the European Data Protection Regulation (GDPR) entered into force, the first draft of a new German Data Protection Act (ABDSG) was published. It aims to complement and specify the GDPR regulations.
The draft provides regulations regarding the rights of the data subject, the data protection officer, employee data protection, the supervising authorities and the conditions for imposing administrative fines.
Which parts of the draft will become final remains to be seen. First statements by the German Ministry of Justice and Consumer Protection and the Federal Commissioner for Data Protection point out some need for changes. In particular, the limitation of the data subject’s rights arouses opposition.
Safe Harbor 2.0
19 August 2016
Since 1 August 2016 the procedure for US companies to get certified under the new EU-US Privacy Shield (Privacy Shield) has been open. From a privacy law perspective the certification confirms an “adequate level of data protection” according to sec. 4b par. 2 BDSG.
The participating US companies are listed in the public “Privacy Shield List” managed by the US Department of Commerce. The list contains, inter alia, the companies’ Privacy Policies and information on the data involved as well as the companies’ contact details for requests or complaints. Companies must respond within 45 days of receiving a complaint.
However, further developments should be observed considering the ongoing criticism of the Privacy Shield and the doubts whether the EU Commission’s adequacy decision will withstand a review by the European Court of Justice (ECJ). Regarding a long-term strategy for international data transfers, the remaining options like the EU Standard Contract Clauses (with consideration of a potential review by the ECJ) and Binding Corporate Rules should still be taken into account.
Safe Harbor 2.0
12 July 2016
On 12 July 2016 the EU Commission paved the way for the transfer of personal data to the US by adopting the EU-US Privacy Shield (Privacy Shield). The Privacy Shield follows the Safe Harbor Agreement which was abolished by the European Court of Justice (ECJ) in October 2015. According to the EU Commission’s adequacy decision it ensures an appropriate level of privacy as well as sufficient rights of the data subject. It serves as a basis for the transfer of personal data processed in the EU/EEA to US-based companies joining the program.
The procedure to apply for the public list of registered companies with the US Department of Commerce is open from 1 August 2016.
However, considering the extensive criticism the Privacy Shield is facing, there is some doubt whether it will last and provide a sustainable solution for EU-US data transfers. It is quite likely that the question whether the Privacy Shield serves as a basis to ensure an adequate level of privacy will be referred to the ECJ.
10 June 2016
Website operators beware: The Hamburg data protection authority recently published a statement saying that the use of the analytics tool Google Analytics is currently not legally compliant.
The reason for the warning is that the tool transfers data to the US still based on the Safe Harbor Agreement, although the Safe Harbor Agreement was abolished by the European Court of Justice in October 2015. Accordingly, it no longer serves as a basis for data transfers to the US. Recently the first administrative fines were imposed against companies that had not yet adapted their data transfers.
An updated version of the Hamburg data protection authority’s Google Analytics guide can be expected soon. Until then the use of Google Analytics remains risky.
1 June 2016
On 1 June 2016, the German parliament agreed on an amendment of the German Telemedia Act (TMG). The amendment pursues the aim to stimulate the provision of open WiFi networks within Germany by eliminating the operator’s liability risk for infringements by third parties using the open WiFi.
It is still uncertain whether the amendment will sufficiently answer the open legal questions regarding the operation of open WiFi. The draft amendment excludes the liability for damages (see Sec. 8 par. 1 TMG), while questions like the liability for injunctive relief and the burden of proof remain unsolved.
Safe Harbor 2.0
26 May 2016
The Irish Data Protection Authority, which is responsible for Facebook, announced its intent to ask the European Court of Justice to review the transfer of data to the USA based on the EU Model Clauses.
Since the Safe Harbor decision the EU Model Clauses have been recognized at least as a temporary “solution”. Should the European Court of Justice follow its previous approach with respect to the EU Model Clauses, they are likely not sufficient either to form the legal basis for transferring EU data to the USA. The reason is that the key issue, the access by US authorities and the insufficient legal protection rights against such access, nevertheless remains the same.
A final solution of the key issue by amending US law is almost impossible for political reasons. However, there are also doubts whether the new EU-US Privacy Shield will solve the problem. The EU Parliament has just rejected the results, calling them insufficient, and the negotiations between the EU and the US are to be continued.
26 May 2016
In a non-binding resolution, the EU Parliament asks the EU Commission to continue negotiating with the United States on a new agreement for the protection of EU citizens’ personal data transferred to the United States. The negotiations became necessary after the European Court of Justice abolished "Safe Harbor" in October 2015.
According to the Parliament’s statement, the results achieved so far require further improvement. Although the parties agreed on the requested establishment of an Ombudsman, he would lack the necessary powers and independence to effectively achieve his objectives. Furthermore, the appeal procedures would need to become more user-friendly and efficient. However, the most important issue mentioned by the Parliament is the still missing stipulations to prevent access by US authorities.
4 May 2016
Already in April 2016 the EU Parliament passed (see below) the EU General Data Protection Regulation (GDPR). With the GDPR being published in the EU Gazette the transitional period begins, and the unified EU Data Protection Law becomes effective on 25 May 2018 (for further information on the impacts see also here).
However, the GDPR allows national legislatures to enact national laws on certain topics. Therefore, national data protection law is facing major changes during the transitional period, in particular with regard to the establishment and organization of the national supervisory authorities, legal protection against their decisions and the regulation of further sanctions. Also, employee data protection and the requirements for the mandatory appointment of a data protection officer may be regulated individually by national legislation.
20 April 2016
The Federal Constitutional Court (BVerfG) decided on a constitutional complaint against the amended Federal Criminal Police Office Act (BKA Act) passed in 2009. The amendment extended the BKA’s powers regarding the use of data for counter-terrorist purposes. The BVerfG decided in its “Fundamental judgement regarding Data Privacy” (citing the Vice President of the court, Ferdinand Kirchhof) that these powers are partly unconstitutional.
The court ruled that the BKA Act in general is constitutional, while a number of stipulations are disproportionate and violate fundamental constitutional rights. Especially the observation and monitoring of residential property as well as the transfer of data between national and international authorities are critical: The regulations on national data transfers are not proportionate and, moreover, the concept of international data transfers is not in compliance with the fundamental rights.
Because the judgement does not concern the core of the BKA Act, the regulations stay in force to a limited extent until the middle of 2018, the deadline for the German legislator to modify the BKA Act.
18 April 2016
According to the ordinance, 730 facilities are qualified as critical infrastructures. The operators of these facilities are obliged to notify the German Federal Office for Information Security (BSI) of their internal central contact points within six months and to provide the BSI with proof of compliance with the minimum standards on IT security within two years after the ordinance enters into force (approximately in May 2016).
Further ordinances for the industries of transport and traffic, health, finance and insurance are supposed to follow by the beginning of next year.
EU Data Protection Regulation (EU-DPR)
14 April 2014
After years of debates the uniform framework for data protection in the EU becomes reality. The EU Parliament finally passed the EU Data Protection Regulation (EU-DPR), which enters into force two years after being published in the EU Gazette, approximately in June 2018. The EU-DPR replaces the national Data Protection regulations of the EU member states. Its goal is to strengthen individual rights and to ensure an improved and uniform Data Protection level in Europe to prepare the EU for the digital era.
Several trade associations have already criticized the costs for companies to implement the new requirements, all the more in view of the higher sanctions in the future. Companies face penalties of up to 4% of their annual turnover, which will be measured by their global total turnover.
The EU-DPR imposes a new program of duties, which requires technical and organizational measures, for example regarding the processing of customer and employee data as well as the amendment of business contracts with other companies (for further information on the impacts see also here).
Within the deadline of two years companies shall prepare for the future in Data Protection. This requires the analysis of their current Data Protection Governance and its adjustment to comply with the new requirements.
14 April 2016
The EU Parliament approved the much-debated storage of passengers’ data, the so-called PNR Directive (Passenger Name Record). For around five years the PNR Directive had been heavily discussed, but not agreed upon by the EU Parliament.
The PNR Directive obliges airlines to submit passengers’ data for all flights from third countries to the EU and vice versa to the national authorities of the member states. Additionally, member states can also apply the directive to intra-EU flights. The directive shall foster the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The member states shall establish central PNR authorities which are responsible for the collection, storage and processing of the data and which will manage the exchange with other member states and Europol.
In the future, information such as name, address, phone and credit card number and the flight destination has to be stored for a period of five years. After six months the data will be “masked out”, i.e. stripped of the elements that may allow the identification of individuals.
The deadline to transpose the directive into national law will be two years. Before that, however, the directive is still subject to formal approval by the Council.
16 March 2016
Following a case tried before the district court of Munich between Sony Music Entertainment and the owner of a light and audio tech store, who offered free WLAN to customers within his store, the European Court of Justice has to decide on the question whether the operator of an open WLAN is vicariously liable for copyright infringements by the network users. The WLAN involved in the case was used in 2010 for the illegal offering of a work owned by Sony.
The Advocate General argues against a vicarious liability of the store owner. He could rely on the EU directive on electronic commerce (2000/31/EG). This directive limits the liability of intermediate providers of mere conduit services for unlawful acts committed by a third party with respect to the information transmitted.
Should the European Court of Justice agree with the Advocate General’s opinion – which is not binding but often serves as a guideline – the German concept of vicarious liability (“Störerhaftung”) has to be amended. Moreover, the draft law – currently debated in the German Parliament – has to be modified. The draft stipulates a general obligation of password protection for private as well as commercial WLAN. Additionally, operators of WLAN open to the public would be obliged to ask their users before connecting to refrain from any illegal use.
Safe Harbor 2.0
29 February 2016
The EU Commission published different documents with respect to the new Data Privacy Agreement between the EU and the USA, the so-called Privacy Shield, and asked the EU Member States, the Article 29 Working Group and the EU Parliament for their statements.
The published information includes the general Data Privacy Principles to be followed by companies, including the requirements on certifications. Also the draft of the EU Commission’s adequacy decision (confirming compliance with the EU Data Privacy standards) and several written declarations by the US government are on the table. These documents are supposed to form the future legal framework for the transfer of EU data to the USA.
The official letters of the US authorities contain certain commitments and assurances as regards access to data for law enforcement and national security purposes. These guarantees are supposed to protect EU data against access by US authorities without cause, as happened in the past. Data Privacy experts have already started criticizing that there are certain exceptions to these guarantees, including data access to fight terrorism, the trade of weapons of mass destruction or international crime.
5 February 2016
The Federal Ministry of the Interior published the suggested draft of the first ordinance on the IT Security Law this week. The draft was addressed to the federal states and unions for their statements.
So far the draft concerns the industries Energy, Water, Food, IT and Telecommunications. Especially the stipulations on categories of facilities and details on services are interesting. According to the draft around 650 facilities in Germany are qualified as critical infrastructures (KRITIS).
The Federal Office for Information Security (BSI) announced that the ordinance would already enter into force in spring 2016. Other ordinances for the industries of transport and traffic, health, finance and insurance are supposed to follow during the year 2016.
Even if the draft is not supposed to be the final version of the ordinance, it provides at least a tendency to estimate the scope of the IT Security Law.
Safe Harbor 2.0
4 February 2016
Following the press conference held by the EU Commission on 2 February 2016 regarding the EU-US Privacy Shield, the Article 29 Working Party published its official statement on 3 February 2016. Because only extracts of the content and the wording of the new agreement had been provided so far, the Article 29 Working Party was not yet able to review and decide on the issue. In any case, the concerns about the current US legal framework remain.
Therefore the Working Party asked the EU Commission to provide the complete documents by the end of February 2016. The Working Party will then analyze whether the issues regarding the US legal framework can be solved and whether the new agreement provides legal certainty regarding the other data transfer instruments. The results are to be finalized during an extraordinary plenary meeting.
According to the Article 29 Working Party the use of Standard Contractual Clauses and Binding Corporate Rules should remain permitted in the meantime. Even if statements by the Working Party are not binding for German public authorities, they serve as an important guideline. Therefore the use of these instruments should be continued, recognizing it as a temporary solution.
Safe Harbor 2.0
2 February 2016
The European Commission and the United States have agreed on a new framework for transatlantic data flows. According to the currently available information, the successor of the Safe Harbor Arrangement shall be adopted under the title “EU-US Privacy Shield”.
The EU-US Privacy Shield aims at stricter supervision (compared to the Safe Harbor Arrangement) by the U.S. Department of Commerce and the Federal Trade Commission (FTC) of companies that process data stemming from Europe. As a key commitment, the US has given the EU written assurances that access to data by public authorities will be permissible only to the extent necessary and proportionate. Further, indiscriminate mass surveillance of the personal data transferred to the US has been explicitly ruled out. Any EU citizens who consider that their data has been misused will have the possibility to bring direct complaints before the FTC or to assert claims in the course of alternative dispute resolution procedures (which shall be free of charge). For potential complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
As of today, with the agreement on the EU-US Privacy Shield the discussions between the EU Commission and the US come to an end. The EU-US Privacy Shield will now be subject to a review by the Art. 29 Working Party and needs to be finally adopted by the Member States. Also on the US side certain tasks need to be completed before the EU-US Privacy Shield enters into force.
1 February 2016
The Art. 29 Working Party’s deadline regarding the negotiations on a new Safe Harbor Agreement between the US government and the EU Commission expired today. From now on, sanctions by the public authorities with respect to unlawful transfers of personal data to the US are possible; further official information has been announced: A briefing of the EU Parliament by the EU Commission regarding the results of the negotiations with the US government is scheduled for later today. The Art. 29 Working Party will hold a meeting on 2 February 2016 and has announced its statement for 3 February 2016.
9 January 2016
Due to Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 on online dispute resolution for consumer disputes (Regulation on consumer ODR), new information duties in e-commerce are in place. The reason is the implementation of an EU ODR platform (Online Dispute Resolution platform), which enables online merchants and consumers to resolve their disputes online. Online merchants are obliged to link to the ODR platform and to provide an e-mail address on their website. Although the EU Commission announced the launch of the ODR platform not until 15 February 2016, the new duties are already binding.
21 December 2015
The German Federal Government has answered a minor interpellation of the parliamentary group DIE LINKE, stating that personal data transfers from Europe to companies located in the USA can be performed on the basis of the remaining legal grounds (standard contracts, consent, binding corporate rules (BCR)). The German Federal Government, however, declared in its statement that the Art. 29 Working Party is currently examining the impact of the ECJ ruling on these remaining legal grounds.
Learn more in our Legal Dbriefs Webcast on 17 February 2016.
17 December 2015
On the basis of an amendment of the German Act on Cease and Desist Actions (Unterlassungsklagengesetz – UKlaG), specific authorized consumer protection associations become entitled to file an action against companies and company owners in case of data privacy infringements. The UKlaG states that data protection authorities need to be heard ex officio in the course of the lawsuit. The cease and desist actions will most likely be followed by administrative summary proceedings. Due to a transition period, unlawful data transfers to the USA which were permissible until the ECJ ruling of 6 October 2015 on the basis of “Safe Harbor” can be challenged only as from 1 October 2016.
Learn more in our Legal Dbriefs Webcast on 17 February 2016.
EU Data Protection Regulation (EU-DPR)
15 December 2015
On 15 December 2015 the responsible EU institutions agreed on a joint text for the new EU Data Protection Regulation (EU-DPR). The agreement is a milestone in the reform of European Data Protection Law and at the same time the starting signal for EU Data Protection compliance strategies. For the creation of a uniform framework for data protection in the EU only the final adoption by the European Parliament is still needed. This is expected in early 2016.
7 December 2015
At the end of the year 2015 the EU reached a political agreement on a draft of a European Network and Information Security Directive (NIS). Germany has already transposed at least parts of the NIS into a German IT Security Law, which came into force on 25 July 2015. But a number of questions remain, in particular regarding the scope of application of the IT Security Law and the impact of the NIS on the IT Security Law.
Safe Harbor 2.0
26 October 2015
Further to the “Safe Harbor” decision of the ECJ of 6 October 2015, the independent data protection authorities of the German federation and states (so-called Data Protection Conference) declared in a position paper dated 26 October 2015 that, on the one hand, Binding Corporate Rules (BCR) shall for the time being not be accepted for the legitimization of personal data transfers to the USA and that, on the other hand, BCR and the EU Standard Contractual Clauses are to be reviewed in the light of the decision of the ECJ. A binding statement is announced to come from the German as well as from the European data protection authorities (Art. 29 Working Party) by the end of January 2016. Should the decision be that neither EU Standard Contractual Clauses nor BCR are capable of legitimizing a transfer of personal data from the EU to the USA anymore, only individual declarations of consent may qualify as legitimization in the future.
“Safe Harbor” decision of the European Court of Justice (ECJ)
6 October 2015
In its judgment of 6 October 2015 (ref. C-362/14), the European Court of Justice (ECJ) declared what is known as the “safe harbor” decision of the EU Commission to be invalid. This means that as from this date the transfer of personal data from Europe to companies in the USA can no longer be based on the safe harbor decision.
Many companies will thus lose the legal basis chosen by them to date for the transfer of personal data to service providers and companies in the USA. In particular, it will no longer be possible for European and US affiliates to transfer personal data between them on the basis of “safe harbor”.