Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only few German data protection authorities published recommendations on how or which kind of technical or organizational measures should be implemented, if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken. Continue reading →
The fundamental right to the protection of personal data as enshrined in Art. 8 (1) of the Charter of Fundamental Rights of the European Union (PDF) as well as the right to informational self-determination, derived from Art. 2 (1) and 1(1) of the German Constitution are not exclusive right of adults. Also children’s personal data are protected by these fundamental rights and consequently by the European Data Protection Directive (Directive 95/46/EC) or the respective national laws.
But if it comes to the practical compliance for companies, for example if you want to develop an app for children, European data protection laws currently will leave providers alone with an answer to the question, when a consent by minors might serve as the legal basis for the processing of their data. Continue reading →
The Administrative Court of Schleswig (Verwaltungsgericht Schleswig) held today in three parallel decisions that companies that run their own fanpages on Facebook are not responsible for the social network’s data collection and processing under German data protection law. Continue reading →
On February 14th, 2013 the Administrative Court of Schleswig held in two decisions that German data protection laws do not apply to data processing by Facebook (file numbers 8 B 60/12 and 8 B 61/1). Continue reading →
Last week, several German political leaders, members of the federal administration, academics, IT-businessmen and other members of the German society met in Essen for the 7th National IT-Summit. The summit is an invite-only conference being held once a year by the German Federal Ministry of Economics and Technology. It forms the end and new beginning of an ongoing discussion between the members of the six working groups and several sub-working groups to develop a nation-wide (political) IT-strategy for Germany. Continue reading →
Until last year, the right to be forgotten used to be an idea of Viktor Mayer-Schönberger, an Austrian law professor. He suggested – and probably still suggests – providing a “best before date” for data that is electronically saved. After the expiration of the date, the data would be automatically deleted by the application or computer system. Last year, the idea – or a modification thereof – became part of a draft regulation of the European Commission. Continue reading →
During last week’s 69th German Legal Colloquium the association’s members discussed – amongst other topics – the future of IT-law in Germany (you can find all the decisions here – in German). Their decisions on how to fight cyber crime, data protection and liability are supposed to initiate legal reforms. In some cases, you hope the legislator won’t feel inclined. Continue reading →
Last weekend, an amended draft of the Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) was published by the British organization statewatch. The proposed changes regard Articles 1-10, 80 (a), 83 and several recitals. While some of them simply clarify the first draft, others – as for example the definition of the term “personal data” in Article 4 Subsection 1 – will have great effects on data protection in Germany. Continue reading →
Data protection is big in Europe, especially in Germany. It is not possible to process personal data without a data protection law regulation the data processing. And while data protection laws are primarily supposed to protect the individual’s right to determine how his or her data is being processed, data protection has also become a commercial factor. On the one hand, companies are restricted in their ways of advertisement towards their customers. According to section 28 subsection 3 of the Federal Data Protection Act for example, advertisement is dependent on the individual customer’s consent. On the other hand, data protection compliance demands investments in the implementation of data protection standards within the company, for example to lay down the technical and organizational measures demanded by section 9 of the Federal Data Protection Act. Continue reading →
Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in his guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue to as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent. Continue reading →
According to the Business Software Alliance’s (BSA) “Global Cloud Computing Scorecard”, Germany is ready for the cloud computing age, ranking at a spectacular No. 3, ahead of such cloud computing powerhouses as the United States, Italy and Poland! If you’re interested in the methodology (a word that my spell check has never heard of) uses by the BSA, go here. Either way, the result is interesting. Because, and I know I’m repeating myself, if you ask data protection practitioners in Germany, “ready” is certainly not the term that comes to mind when dealing with the cloud. Continue reading →
Popular cloud storage sercives often lack data security. This is the result of a detailed study published by MP3 inventor Fraunhofer Institute. Fraunhofer has scrutinized Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala. Continue reading →
The (Draft) General Data Protection Regulation being a Regulation it not only aims at fully harmonizing the field of law it covers (as some Directives do) but would achieve that goal by simply being the (only) directly applicable law as far as its reach goes. Plus the Commission’s “empowerment to adopt delegated acts”, of course, which is a rather intriguing idea from a democracy point of view. But that’s another story.
One of the very few areas where the member states are given a certain amount of legislative leeway is set forth in Art. 82 of the Draft Regulation. Continue reading →
As reported by DataGuidance, the UK Information Commissioner the enforcement of the “cookie law” will be “pragmatic and realistic” in the UK. “Pragmatic” and realistic”: Sounds good doesn’t it? Doesn’t sound very German, though, does it? As explained here, the cookie situation in Germany is still unresolved, largely due to the (my take on the matter) inability to come up with a draft for transforming the Directive’s into German law that provides for a workable solution the problem. It seems that at least the current government feels uncomfortable to pass a law the wording of which would effectively rule out a good portion of how websites work today.
Even more interestingly, in the same DataGuidance post they report that the French Data Protection Authority (CNIL) will exempt analytics cookies from the new requirement of prior consent. Continue reading →
As you may have heard, as per the self-appointedly competent data protection authorities in Germany you may not set up and maintain a Facebook fan page, nor may you embed Facebook plugins into to your web pages (it’s true, read here, here, here, and here). If you do, you’re acting in violation of German data protection law. Continue reading →
Starting from the usual analysis (cloud computing is risky with respect to privacy, data protection “and other legal issues”, you know the deal), the Working Group, essentially, recommends: Continue reading →