A sign of confidence: The EU Member States have adopted the EU-U.S. Privacy Shield

In short:

The EU Member States have given their support to the EU-U.S. Privacy Shield, a renewed framework for transatlantic data flows which is meant to replace the old “Safe Harbor”.  The decision of the Member States was mandatory in order to formally adopt the Privacy Shield in the EU.

In opposite to Safe Harbor, the Privacy Shield imposes clear and strong obligations on companies handling the date and makes sure that these rules are followed and enforced in practice. It is the first time that the United States has committed to written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizen’s personal data.

Continue reading

Data flows to the US: Why the EU Model Clauses may soon be no longer state of the art

Not long after the “Safe Harbor” decision and in the same context (data transfer to the US by Facebook) the Irish Data Protection Commissioner has decided to bring the EU-US data flows before the European Court of Justice (CJEU) (again).

Continue reading

Patrick Breyer v Federal Republic of Germany: Dynamic IP addresses = Personal Data? And Is German Data Protection Law too Restrictive?

Today, Attorney General Campos Sánchez-Bordona has delivered his Opinion in the Patrick Breyer v Federal Republic of Germany case before the ECJ (C-582/14; you can find the Opinion here in just about any language except English)).

We recall: The Bundesgerichshof (the highest court in Germany for all civil and criminal matters) submitted to the ECJ the following two questions:

“Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1  — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”

“Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”

Continue reading

Adblocker detection scripts vs. Article 5 (3) of the ePrivacy Directive: A German law take

It appears that we may be about to experience a new phase in the life of Article 5 (3) of the ePrivacy Directive as amended in 2009, as brief as it may possibly be as a result of the coming Regulation and the revisions that the ePrivacy Directive may be subject to in its wake.

Twitter privacy activist Alexander Hanff has been able to create considerable attention (such as here and here) for his position that client side scripts used by publishers in order to detect AdBlockers used by their (would-be) readers are in conflict with said Article, posting on Twitter a letter from the Günther Oettinger’s team in the EU Commission that, as per him, confirms his position.

https://twitter.com/alexanderhanff/status/722861362607747072

Aside from the slightly amusing twist that the Commission, in making reference in the same letter to add-ons or plug-ins expressing a user’s preference regarding, for example, whether or not he or she does or does not accept the storage of information on his/her “terminal equipment”, appears to overlook that adblockers have to be detected first before they can be “respected” as conveying a preference, we shall have a brief look at how things would play out under German law, as it is in place at this time. Continue reading

Facebook and the abuse of market power or the German Federal Cartel Office as data protection authority

The German Federal Cartel Office (Bundeskartellamt) has started preliminary proceedings against Facebook in early March, trying to find out if Facebook was misusing its market power to enforce abusive terms and conditions because of alleged data protection law violations. What sounds just like what antitrust authorities do, may in fact have a huge impact on Facebook and how it is behaving against its users.

Continue reading

Private use of the internet and the rights of the employer

Employers may collect browser data of their employees without their approval, if (1) there is reasonable suspicion that the employee uses his (business) computer and/or the office internet improperly and (2) there is no other means to prove this improper use than the collection of browser data (LAG Berlin-Brandenburg, Urt. v. 14.01.2016 – 5 Sa 657/15).

Continue reading

Smart cars: Who owns the data?

The ‘Internet of Things’ is one of the current buzzwords in the international data protection sphere. In the future, more and more home appliances will have a connection to the Internet and will serve as sensors in our homes, facilitating our life as one may for example turn on the heating via an app while driving home at night from the office.

Not only will we see more and more smart devices in our homes, but also car manufacturers are increasing their efforts for future solutions of the next generation of smart cars. At this year’s CeBit in Hannover, privacy issues surrounding the smart car were one of the top themes. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother”, said Martin Winterkorn, Chairman of the Volkswagen Group, at the opening ceremony.
Continue reading

Are Dynamic IP-Addresses “Personal Data” As Defined By the EU Data Protection Directive?

And if so; May they be recorded? – The German Federal Court of Justice (BGH) in its decision dated October 28, 2014, court ref. VI ZR 135/13 referred to the to the European Court of Justice (ECJ) for a preliminary ruling regarding the interpretation of the EU Data Protection Directive concerning the definition of the term “personal data” therein and recording of dynamic IP-addresses. Continue reading