Newsflash IT / Privacy
Stay informed about latest developments, court decisions and news in the IT- and privacy sector.
Notice of EU Commission on transfer of personal data between the EU and Great Britain after Brexit
9 January 2018
Upcoming changes in data privacy requirements for the transfer of personal data to the United Kingdom (“UK”):
In a notice dated 9 January 2018, the EU Commission pointed out that, because of Brexit, European law such as the EU General Data Protection Regulation will no longer apply in the UK as from 30 March 2019. For data privacy purposes the UK will then be classified as a third country. Data transfers to the UK will therefore require proof of an adequate level of data protection in the UK, which can be provided, e.g., by EU Standard Contractual Clauses or Binding Corporate Rules.
However, the UK Information Commissioner's Office has already announced in a statement that, despite Brexit, the current EU data protection standards will continue to be the legal standard. The UK is therefore seeking an adequacy decision by the EU Commission, which would facilitate data transfers without requiring further proof of an adequate level of data protection.
Until then, companies that transfer personal data to UK business partners need to be aware of the upcoming changes and should develop a strategy in good time on how to deal with the new situation.
BSI publishes management report on IT-Security 2017
23 November 2016
In November, the Federal Office for Information Security (BSI) published its annual management report on IT security in Germany. Following an analysis of the current security situation, the report illustrates recent kinds of attacks, their causes and how to defend against them.
According to the report, the threat situation remains tense. Developments such as the "Internet of Things", "Industry 4.0" and "Smart Everything" offer cyber criminals a growing attack surface that they can use to gain access to information, sabotage business and administrative processes or otherwise enrich themselves through criminal activity. In particular, phishing attacks and the use of blackmailing ransomware against authorities and companies have increased.
The BSI notes that antivirus programs are often not up to date, as malware is being developed at a high pace. In addition, the human factor is an important source of danger, for example with regard to so-called "CEO fraud". Companies should train their employees more intensively in IT security matters.
The report underlines that cyber attacks such as WannaCry or Petya/NotPetya can have immense consequences, which makes it necessary to understand information security as a basis for successful digitization.
New compendium on IT security
11 October 2016
The German Federal Office for Information Security (BSI) presented its new compendium on IT security (IT-Grundschutz-Kompendium). It replaces the current IT security catalogues (IT-Grundschutz-Kataloge) and in its first edition contains a modernized version of the most relevant previous components as well as components on new IT security topics. It was designed to provide more flexibility and differentiation. The final draft is available here.
Currently the documents are available in German language only.
Recent decisions on covert employee surveillance
11 October 2017
Recently the European Court of Human Rights (ECHR) and the German Federal Labor Court (BAG) ruled on central questions regarding the protection of employee data.
In its decision of 29 June 2017 the BAG ruled that Sec. 32 of the Federal Data Protection Act (BDSG) permits covert surveillance measures by employers not only to uncover criminal offences, but also to uncover severe breaches of employees’ duties. According to the decision, employers are, on the one hand, allowed to monitor whether an employee complies with their duties and, on the other hand, allowed to store and process all data needed to meet the burden of proof in potential proceedings against an unlawful dismissal claim. If all less intrusive measures have failed, covert surveillance measures can be permitted to uncover severe breaches of employees’ duties. Such a severe breach can be the pursuit of a competing business activity during the employment relationship.
The decision by the ECHR of 5 September 2017 sets out criteria for when the surveillance of an employee’s internet communication is permitted. The decision is based on a case in which an employee’s messenger communication was secretly monitored in order to detect unauthorized private use. According to the ECHR, covert surveillance of employee communication is permitted only within narrow bounds. Its lawfulness depends in particular on
- whether the employee was informed in advance of the possibility that their communication may be monitored,
- whether the qualitative and quantitative extent of the surveillance is appropriate,
- whether the surveillance measures are justified by sufficient substantial evidence,
- whether less intrusive measures could be used,
- whether the gathered data are used only to fulfil the legitimate aim of the surveillance,
- whether sufficient safeguards are in place to protect the affected employee. The employer should only access the content of the communication if the employee has been informed in advance.
Covert surveillance measures that do not meet these requirements violate the right to respect for private life and correspondence under Art. 8 of the European Convention on Human Rights.
These decisions complement the recent decision of the BAG that declared the covert use of software keyloggers, which record all keystrokes on employees’ computers, inadmissible.
Companies should adjust their compliance systems to the recent case law. Surveillance measures have to be adequate and proportionate. Transparent internal rules are a key requirement for the lawfulness of these measures.
Data protection authority investigates use of Facebook Custom Audience
7 October 2017
The Bavarian data protection authority (BayLDA) recently investigated whether companies use Facebook Custom Audience in compliance with data protection law. Facebook Custom Audience is an online advertising tool that enables companies to place customer-specific advertisements on Facebook, either by uploading customer lists or by embedding a Facebook pixel in the company’s website that tracks users’ online behavior.
According to the results of the investigation, the use of Facebook Custom Audience often does not comply with data protection law. In many cases there is a lack of transparency, as companies fail to inform the data subjects sufficiently. Furthermore, the data subject’s right to object has not been implemented, or not been implemented properly.
Considering the upcoming EU General Data Protection Regulation and thus the high risk of administrative fines, companies should review whether their use of Facebook Custom Audience complies with data protection law. A short guideline published by the BayLDA provides general guidance on this topic.
Court decision: no premature enforcement of the GDPR
13 September 2017
According to a decision of the Administrative Court of Karlsruhe (court), data protection authorities are not yet allowed to issue orders or sanctions based on the EU General Data Protection Regulation (GDPR).
The reason for the legal dispute is the upcoming change in the rules on the storage limitation of creditworthiness data held by credit agencies. Unlike the current rule in Sec. 35 of the German Data Protection Act, the GDPR does not provide for concrete retention and deletion periods. According to Art. 5 GDPR, personal data may be stored (only) as long as is necessary to fulfil the specific purpose. The impact of the changes and the upcoming Codes of Conduct are currently being negotiated between data protection authorities and industry associations.
In this context the data protection authority of Baden-Wuerttemberg issued an order against a credit agency, which was the subject matter of the proceeding. In view of the upcoming changes it determined concrete data retention periods and asked credit agencies in its territory to comply with these periods in future and to include them in their deletion concept.
The court annulled the order. According to the decision, data protection authorities are not allowed to issue orders based on the GDPR before it becomes applicable on 25 May 2018. Furthermore, data protection authorities are not allowed to preventively restrict and enforce rules of the GDPR that leave room for an individual assessment.
German supervisory authorities provide templates for records of processing activities
30 June 2017
The German supervisory authorities have agreed on new templates for the records of processing activities according to Art. 30 of the EU General Data Protection Regulation (GDPR):
- Controller’s records of processing activities (Art. 30 Sec. 1 GDPR),
- Processor’s records of processing activities (Art. 30 Sec. 2 GDPR),
- Overview of technical and organizational data protection measures,
- Supplementary notes.
The templates offer guidance for companies in drafting their records of processing activities and adapting them to the new requirements of the GDPR. In particular with regard to technical and organizational measures, companies should establish whether and to what extent their current documentation complies with the new requirements.
German Bundestag passes amendment of Sec. 203 StGB
29 June 2017
On 29 June 2017 the German Bundestag passed statutory amendments which facilitate the use of external IT providers by persons subject to professional confidentiality. The major change is the amendment of Sec. 203 of the German Criminal Code (StGB). Sec. 203 StGB penalizes the disclosure of third parties’ secrets by persons subject to professional confidentiality (e.g. lawyers, doctors, members of insurance companies) in the course of their professional activity.
The amendment aims to adapt Sec. 203 StGB to the new requirements resulting from ongoing digitalization and to facilitate the use of external service providers, in particular for the establishment, operation, maintenance and adjustment of IT systems and applications. Currently, the involvement of external service providers requires the explicit consent of the person concerned if the service provider is able to access the secrets. In future it will be permitted to disclose secrets to so-called “contributing persons” if the disclosure is necessary for the proper exercise of the professional activity and if the external service provider is bound by corresponding confidentiality obligations. External service provider staff should be aware that the new law holds them personally liable if they disclose secrets that became known to them in the course of their business activity.
The statutory amendments also include changes to the Federal Lawyers’ Act (BRAO), the Federal Notarial Code (BNotO), the Patent Attorneys’ Act (PAO), the Tax Consultants’ Act (StBerG) and the Federal Auditors’ Act (WPO).
Supervisory authorities publish guidelines on privacy in the context of employment
29 June 2017
New guidelines on privacy at work: The Article 29 Working Party, an association of representatives of the national supervisory authorities, as well as the Data Protection Commissioner of Baden-Wuerttemberg recently published guidelines on privacy in the context of employment. Another publication by the Data Protection Commissioner of Bavaria also deals with this topic (see here, here and here). The guidelines do not yet cover the new version of Sec. 26 of the Bundesdatenschutzgesetz (German Privacy Act). However, the topics and recommendations addressed in the guidelines will remain relevant under the new law.
German higher administrative court rules on new telecommunications data retention obligation | German Federal Network Agency suspends enforcement
22 June 2017
The Higher Administrative Court of North Rhine-Westphalia ruled that the new German telecommunications data retention obligation does not comply with EU law (22 June 2017, 13 B 238/17).
According to the court, the obligation of public telecommunications providers under Sec. 113b Telekommunikationsgesetz (German Telecommunications Act) to store their users’ traffic and location data generally and without specific cause for ten (traffic data) or four (location data) weeks does not comply with Art. 15 (1) of the EU Directive on privacy and electronic communications (2002/58/EC). The court based its decision on a judgment of the European Court of Justice (21 December 2016, C-203/15 and C-698/15). According to that judgment, national laws on telecommunications data retention have to define limitations based on purposes such as the prevention, investigation, detection and prosecution of serious crime or vital national security interests.
The decision is not subject to appeal; a final decision in the main proceeding has not been reached yet. So far the decision applies to the applicant company only. However, the Bundesnetzagentur (Federal Network Agency) has announced that it will refrain from any administrative orders and actions to enforce the telecommunications data retention obligation until a final decision in the main proceeding is reached.
German Federal Court of Justice rules on storage of IP addresses by website operators
16 June 2017
The Bundesgerichtshof (German Federal Court of Justice) ruled that website operators may store the IP addresses of their users without consent beyond the actual use if this is necessary to ensure the operability of the website (judgment of 16 May 2017, VI ZR 135/13), in particular if the website is under threat of cyber attacks. However, the question of when exactly a website is in danger of cyber attacks remains unclear and will most likely be the subject of future litigation. The storage must serve the purpose of preventing attacks and facilitating prosecution.
In October 2016 the European Court of Justice had already ruled that IP addresses qualify as personal data (C-582/14, NJW 2016, 3579). Article 4 No. 1 of the upcoming General Data Protection Regulation (GDPR) also names IP addresses as personal data.
Article 29 working group publishes first statement on EU-US Privacy Shield
15 June 2017
In preparation for the first annual review of the EU-US Privacy Shield by the European Commission, the Article 29 Working Party, an association of representatives of the national data protection supervisory authorities, released a statement.
The Working Party is concerned about whether the US Department of Commerce will implement the agreement correctly and has requested that its vague legal definitions be specified. Furthermore, the group expressed its concerns about whether and how the new US administration will handle the agreement. More information on recent developments in US privacy law should be provided.
IT-Security: Amendment of the Regulation on identifying critical infrastructures
6 June 2016
New developments in the area of IT security: The German Government has passed an amendment to the Regulation on identifying critical infrastructures (see here (in German only)). The amendment determines critical infrastructures for further sectors.
The IT Security Act of 2015 established various obligations for operators of critical infrastructures, e.g. the obligation to provide and prove appropriate, state-of-the-art protection of their IT systems, to name a contact point and to notify the German Federal Office for Information Security (BSI) of any substantial disruptions or malfunctions of their IT systems (Sec. 8a and 8b BSI Act).
To enable operators to determine whether they run critical infrastructures, the Regulation on identifying critical infrastructures (BSI-KRITIS-Verordnung) was passed in May 2016. It provided rules for the sectors energy, water and food, information technology and telecommunications. The amendment adds rules for the sectors finance and insurance, health, and traffic and transportation.
The amendment will presumably become effective in summer 2017. Subsequently, operators of critical infrastructures in the new sectors will have to name a contact point to the BSI within six months and implement, as well as prove, appropriate technical and organizational measures to protect their IT systems within two years (see BSI guidelines (in German only)).
New rules on the electronic identity card
2 June 2017
On 2 June 2017, the German Bundesrat amended the law governing the use of Germany’s electronic identity card (consolidated version not available yet: draft, changes by the Bundesrat). The aim of the amendment is to simplify its online functionality in a way that increases both acceptance and use by its holders.
In future the online functionality of the electronic identity card will be activated automatically. The basis of the online functionality, the electronic proof of identity (eID), has been incorporated since November 2010. Until now, however, the online functionality was only activated at the holder’s request, which according to evaluations only a third of holders chose to do.
The amendment also makes it easier for companies to obtain an authorization to offer online services using the electronic identity card.
Furthermore, the amendment will give security authorities automated access to the eID’s biometric photograph. This has faced heavy criticism from privacy activists.
The bill requires the Federal President’s signature to be enacted. It will become effective on the day after its publication, except for the automated access to the biometric photograph, which applies from May 2018.
Update new German Privacy Act
12 May 2017
The new German Privacy Act (BDSG-new) has arrived: On 12 May 2017 the German Federal Council approved the final draft and completed the legislative procedure.
The BDSG-new contains rules, e.g., on employee data processing, on data processing with regard to consumer credits, scoring and credit references, and on the obligation to designate a data protection officer. We will soon provide more information on the BDSG-new in our Topics IT/ Privacy.
The BDSG-new will enter into force on 25 May 2018.
Germany is the first EU country to implement a national law accompanying the EU General Data Protection Regulation (GDPR). The BDSG-new will likely serve as a basis for national privacy laws in other EU Member States. As the BDSG-new provides comprehensive deviations from the GDPR, there is reason to fear that privacy requirements will differ from one EU Member State to another and that the GDPR’s aim of providing a harmonized privacy law will not prevail.
German Bundestag adopts new data protection law
27 April 2017
On 27 April 2017, the German Bundestag adopted the EU Data Protection Adaptation and Implementation Act (DSAnpUG-EU) in its most recent version, dated 25 April 2017. The legislative package adapts German privacy law to the requirements of the General Data Protection Regulation (GDPR) and the EU Data Protection Directive for Police and Justice (EU Directive 2016/680). Its centerpiece is the new Federal Data Protection Act (BDSG), which will replace the present BDSG on 25 May 2017. It will complement and specify the GDPR in certain aspects.
With the approval of the draft by the German Bundesrat, which should take place in May 2017, the legislative process will be completed. This makes Germany the first European country to adapt its national rules to the new requirements of EU privacy law.
However, it remains to be seen whether the completion of the legislative process will provide the envisioned legal certainty: the European Commission has already joined in the criticism of some rules of the new BDSG and expressed doubts about their legality.
White Paper Digital Platforms
20 March 2017
On 20 March 2017 the German Federal Government released its “White Paper Digital Platforms”. The document presents the results of a stakeholder consultation in which companies, trade unions, associations and citizens participated. The consultation presented the general public with several propositions and questions on the design of a future German digital regulatory policy.
The White Paper was released in the wake of the Digital Strategy 2025 of the Federal Ministry for Economic Affairs and Energy (BMWi) from March 2016, which identified central principles and areas of action for the further digitalization of the economy and everyday life in Germany. The White Paper advocates a rapid and EU-wide uniform implementation of the European General Data Protection Regulation. Furthermore, the BMWi gives its views on the adoption of a Trust Services Act and considers the establishment of a digital agency.
EU-US Privacy Shield and Trump's "Executive Order"
2 March 2017
In a recent interview with the news agency Bloomberg the EU Commissioner for Justice said she will “not hesitate” to suspend the newly established EU-US Privacy Shield agreement “if there is a significant change”.
The Commissioner’s statement was prompted by the US President’s executive order on “Enhancing Public Safety in the Interior of the United States”, signed on 25 January. Under this order the US “Privacy Act” does not apply to non-US citizens. In reply to a request by the EU Commission, the US Department of Justice confirmed on 22 February that it will adhere to the Privacy Shield. However, in view of the “unpredictability”, the EU Commission wants to continue the dialogue, and the EU Commissioner for Justice will meet with US government representatives in Washington D.C. at the end of March.
Should the Privacy Shield be suspended, the legal basis for data transfers to the US will be uncertain again.
Current GDPR guidelines of the Article 29 Working Party
1 February 2017
In December 2016 the Article 29 Working Party published several guidelines on the implementation of the EU General Data Protection Regulation (GDPR): One guideline addresses the right to data portability in Article 20 GDPR (Guideline, FAQ). Another guideline was published on the topic "data protection officer" (Guideline, FAQ). The third guideline concerns the question of which supervisory authority is the lead authority in cases of cross-border data processing, Article 56 GDPR (Guideline, FAQ). Further guidelines on the topics of consent, profiling, transparency, data transfers to third countries and data breach notifications will follow in the course of 2017.
The Article 29 Working Party is a European association of representatives of the national data protection supervisory authorities, the European Commission and the European Data Protection Supervisor. It advises the European Commission on data protection and promotes the uniform application of European data protection law. Its opinions and guidelines have to be regarded as mandatory, as they reflect the legal opinion of the supervisory authorities in the area of data protection.
German government enacts new German privacy bill
1 February 2017
Today, the German government decided on a new bill that adapts national privacy law to the new requirements of the EU General Data Protection Regulation (GDPR).
The GDPR contains several opening clauses that enable national legislators to enact complementary and specifying national law, e.g. in the area of employee data protection or regarding the requirements for the designation of a data protection officer.
The bill will still have to go through the legislative procedure. But the decisions of the German Bundestag and Bundesrat are uncertain, as the draft, like the first two drafts, is facing a great deal of criticism, e.g. concerning the planned reduction of the rights of the data subject and the simplification of public video surveillance. Critics also consider parts of the bill to be contrary to European law, especially insofar as they go beyond the scope of the opening clauses of the GDPR.
IT Security, eGovernment, automated driving: German government votes for new bills
25 January 2017
New developments in the area of IT/Privacy: Today, the German government decided on several relevant new bills.
In the area of IT security, a bill implements EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) into national law. The NIS Directive provides for obligations for operators of critical infrastructures as well as for digital service providers.
Another bill concerns the topic of eGovernment. A so-called “Open Data Law” shall promote the free provision of public data by the federal German administrative authorities.
The third bill aims at integrating the topic "automated driving" into the existing German Road Traffic Act (StVG): In future, highly and fully automated vehicle systems will be able to take over driving tasks autonomously under specific circumstances.
Privacy: Review 2016 and prospects for 2017 | GDPR: Get ready for May 2018!
10 January 2017
EU General Data Protection Regulation (GDPR), new German privacy law, international data transfers, E-Privacy Regulation, rising litigation risks regarding privacy: these were the privacy topics of 2016 that will still be of high relevance in 2017. In our article "Review 2016 and prospects for 2017" we provide an overview of what has been important and what to expect in 2017.
Are you ready for May 2018? In May 2018 the GDPR becomes directly applicable in all EU Member States, which means that companies and public authorities need to implement the new rules by then. 2017 marks the kick-off for the implementation of the GDPR. Are you ready? We support you in facing the challenges of the GDPR and in using your chances. Deloitte Legal provides an interdisciplinary approach that helps you to no longer just "stick to compliance", but to "look ahead". Get ready for May 2018 – here you can find out more.
New rules on data transfer in international law enforcement cooperations
27 December 2016
There have been new developments in 2016 concerning the transfer of personal data between investigative and judicial authorities:
At the European level, Directive 2016/680 entered into force in April 2016. It harmonizes the rules for the transfer of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties. It includes rules on data processing, the rights of the data subject, data protection and data security. The Directive has to be implemented into national law by May 2018.
At the international level, the so-called “Umbrella Agreement” is relevant. It establishes binding rules on data transfers between investigative and judicial authorities of the U.S. and the Member States of the EU. The agreement aims at better cooperation in law enforcement and the fight against terrorism. In addition, it shall ensure better protection of data subjects. Besides a limitation of retention periods, data subjects shall have the right to access and rectify their personal data. In practice, however, the protection is limited: the rights have to be exercised before U.S. courts and can be rejected for reasons of internal security. After the European Parliament and the European Council gave their consent to the agreement in December 2016, it will enter into force once the remaining procedures, in particular on the U.S. side, have been completed.