All posts by Christian Leuthner

German data protection authorities have already started issuing proceedings against companies that are still transferring personal data to the US (“Data Transfers”) under Safe Harbor, less than a month after the expiration of the deadline set by the Art. 29 Working Party and the announcement that agreement had been reached on the EU-US Privacy Shield. Companies relying solely on Safe Harbor that have been waiting for the new EU-US Privacy Shield to come into force before changing their approach to Data Transfers should take stock. Enforcement practice has varied significantly around Europe, with the German regulators being some of the most active, but it is fair to say that simply waiting for the EU-US Privacy Shield without taking any further steps is an increasingly risky approach. Meanwhile, on 29 February the European Commission unveiled the various texts that will make up the Privacy Shield. Datonomy will be reporting on that …
At the end of last year, the German government published an updated version of the draft IT-Security Act. The latest version is expected to become the final law without major changes, although it is still unclear exactly when it will take effect. This post looks at the latest changes. I reported on the original bill in my September post here. In general, the revised draft IT-Security Act is similar in scope to the first draft (obligations on notification, security measures, and so on). However, there are many clarifications and changes in the detailed wording that are worth noting. In particular, the new version of the draft bill is stricter on data protection issues. Key changes to the draft include the following:
  • Providers of critical infrastructures must implement adequate organisational and technical precautions and other measures to protect their IT systems.
  • In a significant change to the former draft bill, the obligations on notification …
On August 19, 2014, more than one year after the first draft bill of an IT Security Act, the German Federal Ministry of the Interior published the new draft bill of the Act, aimed at boosting the security of information technology systems. The full title of the legislation is “Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme” (IT Sicherheitsgesetz) (“IT Security Act”). The new rules are still subject to change but look likely to come into force in early 2015.
General overview
In fact, the IT Security Act will not be an individual law, but will amend the Act on the Federal Office for Information Security, the Telecommunication Act, the Telemedia Act and the Act on the Federal Criminal Police Office as well as the Act on the German Federal Office of Information Security. The IT Security Act contains five central topics and provides for:
Unlike in the UK, the implementation of the European Directive 2009/136/EC, also called the Cookie Directive, is not a major point of concern amongst e-commerce businesses in Germany. So far, the Federal government has limited the implementation of the directive to amendments of the Telecommunications Act (TKG), which mainly covers the technical process of sending signals and telecommunications market regulation, and sees no need to amend other German legislation due to the directive. In the TKG draft amendment, the government stated that individual questions such as the amendment of Art. 5 para 3 of directive 2002/58/EC are still subject to a consultation process on the European level, including self-regulation solutions by the advertising industry, and that it intends to wait for the results of this consultation process before amending any laws. The Ministry of Economics takes the view that an opt-in solution is already realised by sec. 12 para 1 and 2 …