A sign of confidence: The EU Member States have adopted the EU-U.S. Privacy Shield

In short:

The EU Member States have given their support to the EU-U.S. Privacy Shield, a renewed framework for transatlantic data flows which is meant to replace the old “Safe Harbor”.  The decision of the Member States was mandatory in order to formally adopt the Privacy Shield in the EU.

In opposite to Safe Harbor, the Privacy Shield imposes clear and strong obligations on companies handling the date and makes sure that these rules are followed and enforced in practice. It is the first time that the United States has committed to written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizen’s personal data.

Continue reading

Data flows to the US: Why the EU Model Clauses may soon be no longer state of the art

Not long after the “Safe Harbor” decision and in the same context (data transfer to the US by Facebook) the Irish Data Protection Commissioner has decided to bring the EU-US data flows before the European Court of Justice (CJEU) (again).

Continue reading

Patrick Breyer v Federal Republic of Germany: Dynamic IP addresses = Personal Data? And Is German Data Protection Law too Restrictive?

Today, Attorney General Campos Sánchez-Bordona has delivered his Opinion in the Patrick Breyer v Federal Republic of Germany case before the ECJ (C-582/14; you can find the Opinion here in just about any language except English)).

We recall: The Bundesgerichshof (the highest court in Germany for all civil and criminal matters) submitted to the ECJ the following two questions:

“Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1  — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”

“Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”

Continue reading

German DPAs „leak“ EU-US Privacy Shield assessment by European Authorities

On 6th and 7th April 2016, the German Data Protection Authorities (“DPAs”) met to discuss several current privacy topics.

One point on the agenda has of course been the assessment of the proposed EU-US Privacy Shield (the successor of the Safe Harbor regime). Currently, the European Data Protection Authorities (the so called “Article 29 Working Party”) are finalizing their common position on the proposed adequacy decision by the European Commission (pdf).

Today, the resolution of the DPAs for the mandate of the German representatives in the Article 29 Working Party has been published (German, pdf).
Continue reading

German Regional Court: Consent necessary when implementing the Facebook Like-Button

On 9th March 2016, the Regional Court of Dusseldorf issued its ruling (pdf, German) in a proceeding between the consumer protection association of North Rhine-Westphalia and the company Fashion ID which concerned data protection issues surrounding the Facebook Like-Button.

The company had the well-known social plugin included on its website and informed website visitors about the plugin in its privacy policy, which was accessible via a link. In the privacy policy, the company informed that personal might be transmitted to Facebook and also provided a link to the privacy policy of Facebook. Below I will briefly discuss some aspects of the judgment. Continue reading

German DPAs: Situation regarding consent for cookies is “unacceptable”

In February 2015, the German data protection authorities adopted a resolution with the title “Tracking of user behavior on the Internet” (German).

In this resolution, the authorities urge the German government to finally transpose the standards of European directive 2002/58/EC (so called ePrivacy Directive). The authorities are of the opinion that the current German data protection law (especially the German Telemedia Act (Telemediengesetz)) does not correctly implement Art. 5 para 3 of directive 2002/58/EC (in the revised version of directive 2009/136/EC). According to Art. 5 para 3 of the ePrivacy Directive, European “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing”. Continue reading

District Court of Berlin: Google Germany not responsible for ‘right to be forgotten’-requests

On 21 August 2014, the District Court of Berlin ruled (27 O 293/14, German) that the subsidiary of Google in Germany, Google Germany GmbH, is not responsible for the fulfillment of requests of natural persons under the so called ‘right to be forgotten’, created by the European Court of Justice (ECJ) in its much-noticed judgment in May 2014 (C-131/12). The Berlin court held that only the American company, Google Inc., can be regarded as the ‘data controller’ in the sense of European data protection law because only Google Inc. is the operator of the search engine. As a consequence, legal actions must be brought against Google Inc., not the subsidiary in Hamburg. Natural persons who want a link to third party websites to be removed from the search result list following a search made on the basis of a person’s name would therefore have to sue Google Inc. and not the European subsidiary.
Continue reading

Smart cars: Who owns the data?

The ‘Internet of Things’ is one of the current buzzwords in the international data protection sphere. In the future, more and more home appliances will have a connection to the Internet and will serve as sensors in our homes, facilitating our life as one may for example turn on the heating via an app while driving home at night from the office.

Not only will we see more and more smart devices in our homes, but also car manufacturers are increasing their efforts for future solutions of the next generation of smart cars. At this year’s CeBit in Hannover, privacy issues surrounding the smart car were one of the top themes. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother”, said Martin Winterkorn, Chairman of the Volkswagen Group, at the opening ceremony.
Continue reading

Germany is Ready for Cloud Computing? Well, if the BSA says so…

According to the Business Software Alliance’s (BSA) “Global Cloud Computing Scorecard”, Germany is ready for the cloud computing age, ranking at a spectacular No. 3, ahead of such cloud computing powerhouses as the United States, Italy and Poland! If you’re interested in the methodology (a word that my spell check has never heard of) uses by the BSA, go here. Either way, the result is interesting. Because, and I know I’m repeating myself, if you ask data protection practitioners in Germany, “ready” is certainly not the term that comes to mind when dealing with the cloud. Continue reading