German data protection authorities have already started issuing proceedings against companies that are still transferring personal data to the US (“Data Transfers”) under Safe Harbor, less than a month after the expiration of the deadline set by the Art. 29 Working Party and the announcement that agreement had been reached on the EU-US Privacy Shield. Companies relying solely on Safe Harbor that have been waiting for the new EU-US Privacy Shield to come into force before changing their approach to Data Transfers should take stock. Enforcement practice has varied significantly around Europe with the German regulators being some of the most active but it is fair to say that simply waiting for the EU-US Privacy Shield without taking any further steps is an increasingly risky approach. Meanwhile, on 29 February the European Commission unveiled the various texts that will make up the Privacy Shield. Datonomy will be reporting on that … Continue Reading ››
Last Friday, the German legislator passed the highly disputed new German Data Retention Act (“GDRA”). The topic has a certain history in Germany as in 2010 the German Constitutional Court declared the previous data retention act invalid. The new GDRA puts quite extensive storage obligations on telecommunications providers. It is expected that claims seeking invalidation of this new GDRA will be launched very soon. In more detail, the act provides for the following: Telecommunication Services - storage of the following data:
- Numbers of caller and called person;
- Date, start and end of connection;
- Location data (stored only for four weeks); and
- SMS: inevitably, content will also have to be stored.
- Identification of telephone connection; and
- Date, start and end of connection.
The 2014 Year End Newsletter looks at: I. Article 29 Working Party publishes Opinion on "Internet of Things" II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection III. Are IP-addresses personal data? - German Federal Court of Justice ask ECJ IV. Data processing for marketing: new guidelines V. Outlook on current draft laws and recommended reading A brief summary of each point is below - to read the full newsletter, please click here. I. Article 29 Working Party publishes Opinion on "Internet of Things" The WP29 considers IoT as generally permitted, but clearly states that any stakeholder is responsible for data protection. Despite of consent requirements and transparency obligations, personal data should be aggregated to the greatest extent possible and the principles of privacy by default and privacy by design shall be applied by the stakeholders. II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection While … Continue Reading ››
On August 19, 2014, more than one year after the first draft bill of an IT Security Act, the German Federal Ministry of the Interior has published the new draft bill of the Act, aimed at boosting the security of information technology systems. The full title of the legislation is “Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme" (IT Sicherheitsgesetz) (“IT Security Act”). The new rules are still subject to change but look likely to come into force in early 2015. General overview In fact, the IT Security Act will not be an individual law, but will amend the Act on the Federal Office for Information Security, the Telecommunication Act, the Telemedia Act and the Act on the Federal Criminal Police Office as well as the Act on the German Federal Office of Information Security. The IT Security Act contains five central topics and provides for:
- IT security in companies (see A. below)
- Protection … Continue Reading ››
Our quarterly IT and data protection newsletter keeps you informed of current legal issues, decisions and events in the technology sector in Germany. We hope you enjoy reading. This edition covers the following topics. I. Canvas Fingerprinting – Tracking without Cookies II. District Court of Berlin: WhatsApp must provide terms and conditions in German, and improve the legal notice III. „No-Spy decree“ of the German Federal Ministry of Interior requires guarantee in procurement procedures IV. German Supreme Court: Collection of minors’ personal data for marketing purposes in the course of a competition is not permitted V. ECJ: Copies on the user’s computer screen as well as in the ‘cache’ of a computer’s hard disk, created in the course of viewing a website, do not infringe copyright This is the link to the full version.
At a recent roundtable event hosted by Olswang LLP, Datonomy heard a range of perspectives on the new cookie consent requirements. Readers can find useful resources from the event via the right menu below (scroll down to "Cookie resources") including the headline comments from our panel of speakers. Over 30 in house counsel from a range of consumer facing businesses – all getting to grips with compliance with the UK's new rules – attended the breakfast seminar. Recognising that the legal world is now sick of cookie puns, croissants were on the breakfast menu instead. The UK regulatory perspective was provided by Dave Evans, Group Manager at the Information Commissioner's Office. The clear message to UK website owners, echoing the ICO's recent guidance, is that doing nothing and hoping a browser-based consent solution will come to the rescue is simply not an option. Businesses should be analysing the cookies on their websites, informing … Continue Reading ››
Germany's Interior Minister, Thomas de Maizière, has announced that Germany plans to strengthen its privacy laws in response to public concerns over Google Street View. The statement was made following a meeting with Google and other companies on Monday. Mr de Maizière said the government would introduce the new privacy code at a government information-technology summit in December. Google and other interested parties have been asked by the government to submit suggestions for self-regulation between now and the summit. "I expect the services to commit to strong privacy rules," said Mr. de Maizière. Google's statement said, "Any future legislation must make sure that in addition to the requirements of data protection, the development of innovative business opportunities and modern technology are allowed to flourish." But added it was willing to "contribute constructive conversations" around the debate. Germany is not the only country where Google Street View has run into political and legal … Continue Reading ››