German data protection authorities: old consents survive under the GDPR if…

On 14th September, the German data protection authorities (“DPAs”), gathering in the so called “circle of Düsseldorf”, issued a non-binding opinion (pdf, German) on the question of the lawfulness of consents under the looming General Data Protection Regulation (“GDPR”), which were obtained under the conditions of the current legal framework.
Continue reading

European Court of Justice rules on applicable data protection law and terms of use

Today the European Court of Justice (ECJ) decided in the case C-191/15 (Verein für Konsumenteninformation vs Amazon EU Sàrl). The ruling sheds light on some interesting questions with regard to consumer protection law and also assesses the European data protection rules on applicable law.

With regard to consumer protection, the case concerned potentially unfair terms in the terms of use of Amazon EU, a company established in Luxembourg. The ECJ clarified that the law applicable to the examination of the unfairness of terms in consumer contracts which are the subject of an action for an injunction (in this case by Verein für Konsumenteninformation) must be determined independently from the law applicable to the action of injunction itself. National courts might therefore face a situation where they would have to assess the unfairness of certain clauses in terms of use on the basis of the law of another Member State. This result is though not entirely surprising but is now affirmed by the ECJ in a case considering e-commerce.
Continue reading

Data flows to the US: Why the EU Model Clauses may soon be no longer state of the art

Not long after the “Safe Harbor” decision and in the same context (data transfer to the US by Facebook) the Irish Data Protection Commissioner has decided to bring the EU-US data flows before the European Court of Justice (CJEU) (again).

Continue reading

Patrick Breyer v Federal Republic of Germany: Dynamic IP addresses = Personal Data? And Is German Data Protection Law too Restrictive?

Today, Attorney General Campos Sánchez-Bordona has delivered his Opinion in the Patrick Breyer v Federal Republic of Germany case before the ECJ (C-582/14; you can find the Opinion here in just about any language except English)).

We recall: The Bundesgerichshof (the highest court in Germany for all civil and criminal matters) submitted to the ECJ the following two questions:

“Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1  — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”

“Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”

Continue reading

Adblocker detection scripts vs. Article 5 (3) of the ePrivacy Directive: A German law take

It appears that we may be about to experience a new phase in the life of Article 5 (3) of the ePrivacy Directive as amended in 2009, as brief as it may possibly be as a result of the coming Regulation and the revisions that the ePrivacy Directive may be subject to in its wake.

Twitter privacy activist Alexander Hanff has been able to create considerable attention (such as here and here) for his position that client side scripts used by publishers in order to detect AdBlockers used by their (would-be) readers are in conflict with said Article, posting on Twitter a letter from the Günther Oettinger’s team in the EU Commission that, as per him, confirms his position.

https://twitter.com/alexanderhanff/status/722861362607747072

Aside from the slightly amusing twist that the Commission, in making reference in the same letter to add-ons or plug-ins expressing a user’s preference regarding, for example, whether or not he or she does or does not accept the storage of information on his/her “terminal equipment”, appears to overlook that adblockers have to be detected first before they can be “respected” as conveying a preference, we shall have a brief look at how things would play out under German law, as it is in place at this time. Continue reading

Facebook and the abuse of market power or the German Federal Cartel Office as data protection authority

The German Federal Cartel Office (Bundeskartellamt) has started preliminary proceedings against Facebook in early March, trying to find out if Facebook was misusing its market power to enforce abusive terms and conditions because of alleged data protection law violations. What sounds just like what antitrust authorities do, may in fact have a huge impact on Facebook and how it is behaving against its users.

Continue reading

German Regional Court: Consent necessary when implementing the Facebook Like-Button

On 9th March 2016, the Regional Court of Dusseldorf issued its ruling (pdf, German) in a proceeding between the consumer protection association of North Rhine-Westphalia and the company Fashion ID which concerned data protection issues surrounding the Facebook Like-Button.

The company had the well-known social plugin included on its website and informed website visitors about the plugin in its privacy policy, which was accessible via a link. In the privacy policy, the company informed that personal might be transmitted to Facebook and also provided a link to the privacy policy of Facebook. Below I will briefly discuss some aspects of the judgment. Continue reading

Will the use of social networks fall outside the scope of future data protection law?

If private persons use social networking services (e.g. Facebook, Twitter, GooglePlus) in the Internet these days, hardly anyone might think about legal obligations for these users under the current data protection regime. Why should natural, private persons be considered “data controllers” in the sense of Art. 2 (d) of the European data protection directive (95/46/EC), if they share photos or write comments? They are only acting in a private and personal capacity. Well, this view might be true from a factual perspective. But with regard to European data protection law, already in a 2009 opinion (PDF), the Article 29 Working Party (an independent European advisory body on data protection, formed by representatives of European data protection authorities) held that “a high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller”. Conclusion: if you share a photo, name etc. with many people on Facebook, you might be a data controller in the eyes of data protection authorities and would therefore have to proof the lawfulness of the respective data processing operation. Continue reading

Smart cars: Who owns the data?

The ‘Internet of Things’ is one of the current buzzwords in the international data protection sphere. In the future, more and more home appliances will have a connection to the Internet and will serve as sensors in our homes, facilitating our life as one may for example turn on the heating via an app while driving home at night from the office.

Not only will we see more and more smart devices in our homes, but also car manufacturers are increasing their efforts for future solutions of the next generation of smart cars. At this year’s CeBit in Hannover, privacy issues surrounding the smart car were one of the top themes. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother”, said Martin Winterkorn, Chairman of the Volkswagen Group, at the opening ceremony.
Continue reading

Are Dynamic IP-Addresses “Personal Data” As Defined By the EU Data Protection Directive?

And if so; May they be recorded? – The German Federal Court of Justice (BGH) in its decision dated October 28, 2014, court ref. VI ZR 135/13 referred to the to the European Court of Justice (ECJ) for a preliminary ruling regarding the interpretation of the EU Data Protection Directive concerning the definition of the term “personal data” therein and recording of dynamic IP-addresses. Continue reading

Home office solutions for employees – requirements under German data protection law

Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only few German data protection authorities published recommendations on how or which kind of technical or organizational measures should be implemented, if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken.
Continue reading

European data protection law and minors – no legal certainty

The fundamental right to the protection of personal data as enshrined in Art. 8 (1) of the Charter of Fundamental Rights of the European Union (PDF) as well as the right to informational self-determination, derived from Art. 2 (1) and 1(1) of the German Constitution are not exclusive right of adults. Also children’s personal data are protected by these fundamental rights and consequently by the European Data Protection Directive (Directive 95/46/EC) or the respective national laws.

But if it comes to the practical compliance for companies, for example if you want to develop an app for children, European data protection laws currently will leave providers alone with an answer to the question, when a consent by minors might serve as the legal basis for the processing of their data. Continue reading

Court Decision: Companies Allowed to run Fanpages on Facebook

The Administrative Court of Schleswig (Verwaltungsgericht Schleswig) held today in three parallel decisions that companies that run their own fanpages on Facebook are not responsible for the social network’s data collection and processing under German data protection law. Continue reading

7th National IT-Summit in Essen

Last week, several German political leaders, members of the federal administration, academics, IT-businessmen and other members of the German society met in Essen for the 7th National IT-Summit. The summit is an invite-only conference being held once a year by the German Federal Ministry of Economics and Technology. It forms the end and new beginning of an ongoing discussion between the members of the six working groups and several sub-working groups to develop a nation-wide (political) IT-strategy for Germany. Continue reading

Monetary Penalties for Data Protection Breaches: ICO vs. German DP Authorities

I have just stumbled upon the Information Commissioner’s Office’s  page that informs the British public on the monetary penalties that the ICO has handed down over the last 1 ½ odd years: 26 penalties of about £ 120,000 on average. Not that that kills any of the public authorities and private companies involved (and nor should it). But it shows that where the ICO believes that a breach is serious enough to warrant a monetary penalty the penalties are not only symbolic but designed to at least sting a bit. Continue reading

“Google Has Few Concerns About the Right to be Forgotten!”

Until last year, the right to be forgotten used to be an idea of Viktor Mayer-Schönberger, an Austrian law professor. He suggested – and probably still suggests – providing a “best before date” for data that is electronically saved. After the expiration of the date, the data would be automatically deleted by the application or computer system. Last year, the idea – or a modification thereof – became part of a draft regulation of the European Commission. Continue reading

General Data Protection Regulation: Council of the EU’s Amendments to the Commission’s Draft

Last weekend, an amended draft of the Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) was published by the British organization statewatch. The proposed changes regard Articles 1-10, 80 (a), 83 and several recitals. While some of them simply clarify the first draft, others – as for example the definition of the term “personal data” in Article 4 Subsection 1 – will have great effects on data protection in Germany. Continue reading

„Implied Consent“ to Cookies Being Set Suffices in the UK

Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in his guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue to as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent. Continue reading

CNIL’s Sends Second Questionnaire to Google on Google’s New Privacy Policy

Google’s new privacy policy is not that new, as it “went into force” on March 1. It is still big news in data protection terms, though, at least as far as European data protection authorities are concerned. CNIL, commissioned by the Art. 29 Working Party, has now sent a second rather comprehensive questionnaire to Google. Obviously they were not completely sold on Google’s answers to the first set of questions CNIL had sent in March. Continue reading