Home office solutions for employees – requirements under German data protection law

Under German data protection law, as well as under the European data protection directive (95/46/EC), there are no specific provisions governing the processing of personal data in home office scenarios. Only a few German data protection authorities have published recommendations on which technical or organizational measures should be implemented if a company wants to let its employees work from home. The few existing recommendations remain largely vague and do not name specific measures that must be taken.

European data protection law and minors – no legal certainty

The fundamental right to the protection of personal data as enshrined in Art. 8 (1) of the Charter of Fundamental Rights of the European Union (PDF), as well as the right to informational self-determination derived from Art. 2 (1) and 1 (1) of the German Constitution, are not exclusive rights of adults. Children’s personal data are also protected by these fundamental rights and consequently by the European Data Protection Directive (Directive 95/46/EC) and the respective national laws.

But when it comes to practical compliance for companies, for example if you want to develop an app for children, European data protection law currently leaves providers without an answer to the question of when consent given by minors may serve as the legal basis for the processing of their data.

Court Decision: Companies Allowed to run Fanpages on Facebook

The Administrative Court of Schleswig (Verwaltungsgericht Schleswig) held today in three parallel decisions that companies running their own fan pages on Facebook are not responsible under German data protection law for the social network’s data collection and processing.

7th National IT-Summit in Essen

Last week, several German political leaders, members of the federal administration, academics, IT businesspeople and other members of German society met in Essen for the 7th National IT-Summit. The summit is an invite-only conference held once a year by the German Federal Ministry of Economics and Technology. It marks the end, and the new beginning, of an ongoing discussion between the members of the six working groups and several sub-working groups aimed at developing a nation-wide (political) IT strategy for Germany.

Monetary Penalties for Data Protection Breaches: ICO vs. German DP Authorities

I have just stumbled upon the Information Commissioner’s Office’s page that informs the British public about the monetary penalties the ICO has handed down over the last 1½-odd years: 26 penalties of about £120,000 on average. Not that that kills any of the public authorities and private companies involved (and nor should it). But it shows that where the ICO believes a breach is serious enough to warrant a monetary penalty, the penalties are not merely symbolic but designed to at least sting a bit.

“Google Has Few Concerns About the Right to be Forgotten!”

Until last year, the right to be forgotten used to be an idea of Viktor Mayer-Schönberger, an Austrian law professor. He suggested – and probably still suggests – providing a “best before date” for data that is stored electronically. After that date expires, the data would be automatically deleted by the application or computer system. Last year, the idea – or a modification thereof – became part of a draft regulation of the European Commission.

69th German Legal Colloquium

During last week’s 69th German Legal Colloquium the association’s members discussed – amongst other topics – the future of IT law in Germany (you can find all the decisions here – in German). Their decisions on how to fight cyber crime, data protection and liability are supposed to initiate legal reforms. In some cases, you hope the legislator won’t feel inclined.

General Data Protection Regulation: Council of the EU’s Amendments to the Commission’s Draft

Last weekend, an amended draft of the Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) was published by the British organization Statewatch. The proposed changes concern Articles 1–10, 80 (a), 83 and several recitals. While some of them simply clarify the first draft, others – for example the definition of the term “personal data” in Article 4 Subsection 1 – will have a great effect on data protection in Germany.

Injunctive relief under competition law

Data protection is big in Europe, especially in Germany. It is not possible to process personal data without a data protection law regulating that processing. And while data protection laws are primarily supposed to protect the individual’s right to determine how his or her data is processed, data protection has also become a commercial factor. On the one hand, companies are restricted in how they may advertise to their customers. According to section 28 subsection 3 of the Federal Data Protection Act, for example, advertising depends on the individual customer’s consent. On the other hand, data protection compliance demands investment in the implementation of data protection standards within the company, for example to put in place the technical and organizational measures demanded by section 9 of the Federal Data Protection Act.

“Implied Consent” to Cookies Being Set Suffices in the UK

Contrary to the previous understanding, the ICO in its capacity as data privacy watchdog in the UK has now declared in its guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent.

CNIL Sends Second Questionnaire to Google on Google’s New Privacy Policy

Google’s new privacy policy is not that new, as it “went into force” on March 1. It is still big news in data protection terms, though, at least as far as European data protection authorities are concerned. CNIL, commissioned by the Art. 29 Working Party, has now sent a second, rather comprehensive questionnaire to Google. Obviously they were not completely sold on Google’s answers to the first set of questions CNIL had sent in March.

Tracking and Controlling Your Child’s Mobile Phone Activities

I just came across a post on golem.de (a rather good IT news site – in German only, sadly) about bemilo, a service in the UK that (I quote)

“puts [parents] in full control of [their] child’s mobile service”;

“puts [parents] in the driving seat, 24 hours a day”;

“[gives parents] FULL control [w]ho [their] children can contact and who can contact them, time of da[y] [their] children can use their phone, WHEN they can browse the web”;

“[enables parents to] [r]eview all calls & SMS messages at any time, block bullies at the flick of a switch, control mobile spend with no fuss [emphasis added].”

Do watch the intro on the website. It’s rather, well, unique, besides the fact that the little toy man in the intro looks suspiciously similar to a typical LEGO design.

Germany is Ready for Cloud Computing? Well, if the BSA says so…

According to the Business Software Alliance’s (BSA) “Global Cloud Computing Scorecard”, Germany is ready for the cloud computing age, ranking at a spectacular No. 3, ahead of such cloud computing powerhouses as the United States, Italy and Poland! If you’re interested in the methodology (a word that my spell check has never heard of) used by the BSA, go here. Either way, the result is interesting. Because, and I know I’m repeating myself, if you ask data protection practitioners in Germany, “ready” is certainly not the term that comes to mind when dealing with the cloud.

Fraunhofer Study on the (Lack of) Data Security of Cloud Storage Services

Popular cloud storage services often lack data security. This is the result of a detailed study published by the Fraunhofer Institute, inventor of MP3. Fraunhofer has scrutinized Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala.

Art. 82 of the (Draft) General Data Protection Regulation

The (Draft) General Data Protection Regulation, being a Regulation, not only aims at fully harmonizing the field of law it covers (as some Directives do) but would achieve that goal by simply being the (only) directly applicable law as far as its reach goes. Plus the Commission’s “empowerment to adopt delegated acts”, of course, which is a rather intriguing idea from a democracy point of view. But that’s another story.

One of the very few areas where the member states are given a certain amount of legislative leeway is set forth in Art. 82 of the Draft Regulation.

Direct Effect of the “Cookie Directive” in Germany?

It has been reported that today Mr. Peter Schaar, the Federal Commissioner for Data Protection and Freedom of Information, announced at the Data Protection Congress 2012 currently being held in Berlin that the EU “Cookie Directive” – which has not yet been implemented into German law – has “direct effect” under EU law (also known as “immediate applicability”), making Art. 5 (3) of the Directive directly applicable and effective under German law. He (as reported) added that Art. 5 (3) of the Directive can therefore be applied and enforced by the German data protection authorities in their day-to-day business. Oops!

Analytics Cookies to Be Exempt from Consent Requirement in France

As reported by DataGuidance, the UK Information Commissioner says that enforcement of the “cookie law” will be “pragmatic and realistic” in the UK. “Pragmatic” and “realistic”: sounds good, doesn’t it? Doesn’t sound very German, though, does it? As explained here, the cookie situation in Germany is still unresolved, largely due to the (my take on the matter) inability to come up with a draft for transposing the Directive into German law that provides a workable solution to the problem. It seems that at least the current government feels uncomfortable passing a law whose wording would effectively rule out a good portion of how websites work today.

Even more interestingly, in the same DataGuidance post they report that the French Data Protection Authority (CNIL) will exempt analytics cookies from the new requirement of prior consent.

On Facebook Fan Pages

As you may have heard, according to the self-appointedly competent data protection authorities in Germany you may not set up and maintain a Facebook fan page, nor may you embed Facebook plugins into your web pages (it’s true, read here, here, here, and here). If you do, you’re acting in violation of German data protection law.

The “Sopot Memorandum”: Recommendations on Cloud Computing

The International Working Group on Data Protection in Telecommunications, a working group of the International Conference of Data Protection and Privacy Commissioners (no entry in Wikipedia. Should that make us think?), established and still run by the head of the data protection authority of the federal state of Berlin, has published a working paper with recommendations regarding the use of cloud computing services by companies and public authorities. They’ve called it the “Sopot Memorandum”. Conference pros never fail to pick one of the nicer and more interesting spots to meet, do they?

Starting from the usual analysis (cloud computing is risky with respect to privacy, data protection “and other legal issues”, you know the deal), the Working Group essentially recommends: