German data protection authorities: old consents survive under the GDPR if…

On 14th September, the German data protection authorities (“DPAs”), gathering in the so called “circle of Düsseldorf”, issued a non-binding opinion (pdf, German) on the question of the lawfulness of consents under the looming General Data Protection Regulation (“GDPR”), which were obtained under the conditions of the current legal framework.
Continue reading

European Court of Justice rules on applicable data protection law and terms of use

Today the European Court of Justice (ECJ) decided in the case C-191/15 (Verein für Konsumenteninformation vs Amazon EU Sàrl). The ruling sheds light on some interesting questions with regard to consumer protection law and also assesses the European data protection rules on applicable law.

With regard to consumer protection, the case concerned potentially unfair terms in the terms of use of Amazon EU, a company established in Luxembourg. The ECJ clarified that the law applicable to the examination of the unfairness of terms in consumer contracts which are the subject of an action for an injunction (in this case by Verein für Konsumenteninformation) must be determined independently from the law applicable to the action of injunction itself. National courts might therefore face a situation where they would have to assess the unfairness of certain clauses in terms of use on the basis of the law of another Member State. This result is though not entirely surprising but is now affirmed by the ECJ in a case considering e-commerce.
Continue reading

A sign of confidence: The EU Member States have adopted the EU-U.S. Privacy Shield

In short:

The EU Member States have given their support to the EU-U.S. Privacy Shield, a renewed framework for transatlantic data flows which is meant to replace the old “Safe Harbor”.  The decision of the Member States was mandatory in order to formally adopt the Privacy Shield in the EU.

In opposite to Safe Harbor, the Privacy Shield imposes clear and strong obligations on companies handling the date and makes sure that these rules are followed and enforced in practice. It is the first time that the United States has committed to written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizen’s personal data.

Continue reading

Data flows to the US: Why the EU Model Clauses may soon be no longer state of the art

Not long after the “Safe Harbor” decision and in the same context (data transfer to the US by Facebook) the Irish Data Protection Commissioner has decided to bring the EU-US data flows before the European Court of Justice (CJEU) (again).

Continue reading

General Data Protection Regulation: German DPAs demanding more staff and financial resources

On 24 May 2016, the Data Protection Regulation has entered into force. From 25 May 2018 it will be directly applicable in all European Member States. Not only companies or authorities therefore now have two years to adapt their data processing activities to future requirements. The national legislature must consider the applicable data protection regulations in its Member State for compliance with the future regulations.

Against this background, the conference of the independent German data protection authorities (“conference”), in a resolution of 25 May 2016 (German), calls on the German legislator to provide the data protection authorities with more staff and financial resources so they can effectively meet their assigned duties.
Continue reading

Patrick Breyer v Federal Republic of Germany: Dynamic IP addresses = Personal Data? And Is German Data Protection Law too Restrictive?

Today, Attorney General Campos Sánchez-Bordona has delivered his Opinion in the Patrick Breyer v Federal Republic of Germany case before the ECJ (C-582/14; you can find the Opinion here in just about any language except English)).

We recall: The Bundesgerichshof (the highest court in Germany for all civil and criminal matters) submitted to the ECJ the following two questions:

“Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1  — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”

“Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”

Continue reading

Federal Administrative Court asks ECJ: Who is responsible for data processing on Facebook Fanpages?

With its decision from 25. Februrary 2016, the German Federal Administrative Court referred several interesting data protection questions related to the operation of a Fanpage on Facebook to the European Court of Justice (ECJ) (the whole decision can be accessed here, in German). The case number at the ECJ is C-210/16. Since there does until now not exist an English version of the reference for a preliminary ruling, you will find beneath a rough translation of some of the questions referred.
Continue reading

Adblocker detection scripts vs. Article 5 (3) of the ePrivacy Directive: A German law take

It appears that we may be about to experience a new phase in the life of Article 5 (3) of the ePrivacy Directive as amended in 2009, as brief as it may possibly be as a result of the coming Regulation and the revisions that the ePrivacy Directive may be subject to in its wake.

Twitter privacy activist Alexander Hanff has been able to create considerable attention (such as here and here) for his position that client side scripts used by publishers in order to detect AdBlockers used by their (would-be) readers are in conflict with said Article, posting on Twitter a letter from the Günther Oettinger’s team in the EU Commission that, as per him, confirms his position.

https://twitter.com/alexanderhanff/status/722861362607747072

Aside from the slightly amusing twist that the Commission, in making reference in the same letter to add-ons or plug-ins expressing a user’s preference regarding, for example, whether or not he or she does or does not accept the storage of information on his/her “terminal equipment”, appears to overlook that adblockers have to be detected first before they can be “respected” as conveying a preference, we shall have a brief look at how things would play out under German law, as it is in place at this time. Continue reading

German DPAs „leak“ EU-US Privacy Shield assessment by European Authorities

On 6th and 7th April 2016, the German Data Protection Authorities (“DPAs”) met to discuss several current privacy topics.

One point on the agenda has of course been the assessment of the proposed EU-US Privacy Shield (the successor of the Safe Harbor regime). Currently, the European Data Protection Authorities (the so called “Article 29 Working Party”) are finalizing their common position on the proposed adequacy decision by the European Commission (pdf).

Today, the resolution of the DPAs for the mandate of the German representatives in the Article 29 Working Party has been published (German, pdf).
Continue reading

Facebook and the abuse of market power or the German Federal Cartel Office as data protection authority

The German Federal Cartel Office (Bundeskartellamt) has started preliminary proceedings against Facebook in early March, trying to find out if Facebook was misusing its market power to enforce abusive terms and conditions because of alleged data protection law violations. What sounds just like what antitrust authorities do, may in fact have a huge impact on Facebook and how it is behaving against its users.

Continue reading

German Regional Court: Consent necessary when implementing the Facebook Like-Button

On 9th March 2016, the Regional Court of Dusseldorf issued its ruling (pdf, German) in a proceeding between the consumer protection association of North Rhine-Westphalia and the company Fashion ID which concerned data protection issues surrounding the Facebook Like-Button.

The company had the well-known social plugin included on its website and informed website visitors about the plugin in its privacy policy, which was accessible via a link. In the privacy policy, the company informed that personal might be transmitted to Facebook and also provided a link to the privacy policy of Facebook. Below I will briefly discuss some aspects of the judgment. Continue reading

Watch out: Consumer protection associations may now sue companies for data protection violations

On 24th February, a new law for the civil enforcement of violations of data protection rules, specifically protecting consumers entered into force. With this new law, certain provisions of the German Act on Injunctive Relief (Unterlassungsklagengesetz – UklaG) are amended and also extended.

Previous situation
Until now, consumer protection organizations (e.g. the Federation of German Consumer Organisations – vzbv) were only able to challenge privacy policies of companies under the German Act on Injunctive Relief if the competent court acknowledged that the respective policy could be considered as general terms and conditions (see for example one press release about a recent lawsuit against Facebook, pdf). In general, certain clauses of privacy policies were therefore the aim of legal actions if these clauses deviated from the statutory provision of data protection law. If personal data were in fact processed in an unlawful way was merely the question.
Continue reading

Private use of the internet and the rights of the employer

Employers may collect browser data of their employees without their approval, if (1) there is reasonable suspicion that the employee uses his (business) computer and/or the office internet improperly and (2) there is no other means to prove this improper use than the collection of browser data (LAG Berlin-Brandenburg, Urt. v. 14.01.2016 – 5 Sa 657/15).

Continue reading

Smart Cars: Industry and German authorities agree on certain aspects of data protection

On 26th January 2016, the conference of the German data protection authorities and German Association of the Automotive Industry (VDA) agreed on a joint statement (PDF, in German) concerning aspects of data protection relating to the usage of smart cars.
According to the parties, smart cars and the proceeding digitalization in cars create advantages (safety and comfort) and facilitates car transport canada but also risks for the personal rights of individuals. The German authorities and car manufacturers agreed inter alia on the following aspects:

1. Personal data: During the use of modern cars, data is created permanently. Particularly by using additional information, this data created by smartcars can be attributed to the car owner (check out our website)or to the driver and be considered “personal data” in the sense of European data protection law. Data created during the usage of a vehicle is at least considered “personal data” within the meaning of the Federal Data Protection Act (Act), if it is linked to the vehicle identification number or the license plate. Continue reading

German DPAs: Situation regarding consent for cookies is “unacceptable”

In February 2015, the German data protection authorities adopted a resolution with the title “Tracking of user behavior on the Internet” (German).

In this resolution, the authorities urge the German government to finally transpose the standards of European directive 2002/58/EC (so called ePrivacy Directive). The authorities are of the opinion that the current German data protection law (especially the German Telemedia Act (Telemediengesetz)) does not correctly implement Art. 5 para 3 of directive 2002/58/EC (in the revised version of directive 2009/136/EC). According to Art. 5 para 3 of the ePrivacy Directive, European “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing”. Continue reading

District Court of Berlin: Google Germany not responsible for ‘right to be forgotten’-requests

On 21 August 2014, the District Court of Berlin ruled (27 O 293/14, German) that the subsidiary of Google in Germany, Google Germany GmbH, is not responsible for the fulfillment of requests of natural persons under the so called ‘right to be forgotten’, created by the European Court of Justice (ECJ) in its much-noticed judgment in May 2014 (C-131/12). The Berlin court held that only the American company, Google Inc., can be regarded as the ‘data controller’ in the sense of European data protection law because only Google Inc. is the operator of the search engine. As a consequence, legal actions must be brought against Google Inc., not the subsidiary in Hamburg. Natural persons who want a link to third party websites to be removed from the search result list following a search made on the basis of a person’s name would therefore have to sue Google Inc. and not the European subsidiary.
Continue reading

Will the use of social networks fall outside the scope of future data protection law?

If private persons use social networking services (e.g. Facebook, Twitter, GooglePlus) in the Internet these days, hardly anyone might think about legal obligations for these users under the current data protection regime. Why should natural, private persons be considered “data controllers” in the sense of Art. 2 (d) of the European data protection directive (95/46/EC), if they share photos or write comments? They are only acting in a private and personal capacity. Well, this view might be true from a factual perspective. But with regard to European data protection law, already in a 2009 opinion (PDF), the Article 29 Working Party (an independent European advisory body on data protection, formed by representatives of European data protection authorities) held that “a high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller”. Conclusion: if you share a photo, name etc. with many people on Facebook, you might be a data controller in the eyes of data protection authorities and would therefore have to proof the lawfulness of the respective data processing operation. Continue reading

Smart cars: Who owns the data?

The ‘Internet of Things’ is one of the current buzzwords in the international data protection sphere. In the future, more and more home appliances will have a connection to the Internet and will serve as sensors in our homes, facilitating our life as one may for example turn on the heating via an app while driving home at night from the office.

Not only will we see more and more smart devices in our homes, but also car manufacturers are increasing their efforts for future solutions of the next generation of smart cars. At this year’s CeBit in Hannover, privacy issues surrounding the smart car were one of the top themes. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother”, said Martin Winterkorn, Chairman of the Volkswagen Group, at the opening ceremony.
Continue reading

Are Dynamic IP-Addresses “Personal Data” As Defined By the EU Data Protection Directive?

And if so; May they be recorded? – The German Federal Court of Justice (BGH) in its decision dated October 28, 2014, court ref. VI ZR 135/13 referred to the to the European Court of Justice (ECJ) for a preliminary ruling regarding the interpretation of the EU Data Protection Directive concerning the definition of the term “personal data” therein and recording of dynamic IP-addresses. Continue reading