All posts by Andreas Splittgerber

Today, 12 July 2016, the Privacy Shield was adopted by the EU Commission. Who would have thought that the Privacy Shield would be adopted so fast after the harsh criticism by the Art. 29 WP? Privacy Shield registration shall be available to US companies starting August 1, 2016. The US Department of Commerce has already provided a HOW TO JOIN GUIDE. Compared to v1 of the Privacy Shield, it got some cosmetics and fine tuning around certain passages, e.g. purpose limitation and terminology. It is, however, not certain whether all points raised by the Art. 29 Working Party or other official bodies that oversee the framework have been cured. See some rather sceptical comments: or Disqualification is threatened According to unofficial statements, the likelihood of Privacy Shield coming before the ECJ is somewhere between 60 and 70%. This is very (too!) … Continue Reading ››
After years of drafting and debating, the EU General Data Protection Regulation (GDPR) was approved by the European Parliament yesterday (14 April). It is expected to be published in the EU Official Journal in the coming weeks. What? The GDPR sets the new EU rules for the handling of personal data. It will substitute local EU data protection laws. However, the GDPR contains over 50 “door openers” for local member state laws (see this nice graphic which illustrates the point). Life for international companies, therefore, will not get easier as they will not avoid the need to assess local member state laws. When? The GDPR will enter into force 20 days after its official publication, estimated to be between May and July 2016. Companies will then have two years to prepare until the GDPR actually applies (two years after entering into force – i.e. May – July 2018). Who? All businesses in … Continue Reading ››
Last Friday, the German legislator passed the highly disputed new German Data Retention Act (“GDRA”). The topic has a certain history in Germany as in 2010 the German Constitutional Court declared the previous data retention act invalid. The new GDRA puts quite extensive storage obligations on telecommunications providers. It is expected that claims seeking invalidation of this new GDRA will be launched very soon. In more detail, the act provides for the following:
Telecommunication Services - storage of the following data:
  • Numbers of caller and called person;
  • Date, start and end of connection;
  • Location data (stored only for four weeks); and
  • SMS: inevitably, content will also have to be stored.
Internet Services - storage of the following data:
  • IP-address;
  • Identification of telephone connection; and
  • Date, start and end of connection.
Stored data may only be used on the basis of a judicial order for prosecution of severe criminal offences, such as formation of a terrorist group, murder or sexual abuse. The full … Continue Reading ››
Datonomy's correspondents in Germany have just published their latest update on IT and data protection developments. It includes:
  • a status update on the GDPR, on which further trilogue negotiations took place this week
  • fines imposed for illegal data transfers in asset deals
  • fines imposed for insufficiently detailed data processing contracts
  • a recent decision on the legality of framing
  • a recent ruling on take down
Plus other recommended reads and status updates on draft legislation.  You can read it in full here.
Content
I. German Data Protection authorities impede data transfers to the US
II. Afterquake of Google Spain in Germany: Google is liable for search engine hits
III. ECJ: Courts at the place of harmful event are competent for actions against online copyright infringements
IV. Implementation of company Facebook fansite does not trigger a co-determination right
V. Update Fingerprinting - Article 29 Working Party demands information and user consent
VI. Outlook on bills and new laws and recommended reads

I. German Data Protection authorities impede data transfers to the US
by Dr. Franziska Schröter
In January 2015, data protection authorities of Berlin and Bremen proclaimed the initiation of administrative proceedings (available in German here) against U.S. companies due to Safe Harbor based data transfers. This is the first time that German data protection authorities have taken legal action against data transfers based on the Safe Harbor framework. It is important to note that other German authorities (e.g. … Continue Reading ››
The 2014 Year End Newsletter looks at:
I. Article 29 Working Party publishes Opinion on "Internet of Things"
II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection
III. Are IP-addresses personal data? - German Federal Court of Justice asks ECJ
IV. Data processing for marketing: new guidelines
V. Outlook on current draft laws and recommended reading

A brief summary of each point is below - to read the full newsletter, please click here.

I. Article 29 Working Party publishes Opinion on "Internet of Things"
The WP29 considers IoT as generally permitted, but clearly states that any stakeholder is responsible for data protection. Despite consent requirements and transparency obligations, personal data should be aggregated to the greatest extent possible and the principles of privacy by default and privacy by design shall be applied by the stakeholders.
II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection
While … Continue Reading ››
Our quarterly IT and data protection newsletter keeps you informed of current legal issues, decisions and events in the technology sector in Germany. We hope you enjoy reading. This edition covers the following topics.
I. Canvas Fingerprinting – Tracking without Cookies
II. District Court of Berlin: WhatsApp must provide terms and conditions in German, and improve the legal notice
III. “No-Spy decree” of the German Federal Ministry of Interior requires guarantee in procurement procedures
IV. German Supreme Court: Collection of minors’ personal data for marketing purposes in the course of a competition is not permitted
V. ECJ: Copies on the user’s computer screen as well as in the ‘cache’ of a computer’s hard disk, created in the course of viewing a website, do not infringe copyright
This is the link to the full version.