German DPAs audit 500 Companies on Data Exports to countries outside the EU
On November 3, 2016, the Berlin data protection authority (DPA) in cooperation with the rest of the German DPAs (to be precise, a total of 10 German DPAs) announced in a press release that they will send formal questionnaires to approximately 500 small, medium-sized and large German companies to evaluate their cross-border data transfers.
The DPAs pointed out in the formal press release that all German companies involved in the processing of personal data must pay adequate attention to data privacy issues raised by cloud computing and software as a service (SaaS).
In this regard, the DPAs warn that some German companies are not fully aware of applicable data privacy laws: they frequently rely on cross-border data exports in cloud and SaaS services, and the personal data collected is frequently transferred to third countries outside the European Union (EU) without complying with data protection laws.
Should IP addresses be considered personal data subject to EU data privacy law?
On 12 May 2016, Advocate General (AG) Manuel Campos Sánchez-Bordona released an Opinion in the case P. Breyer v. Germany. For the AG, dynamic IP addresses should be considered personal data even if the website operator in question is not able to identify the user from the IP address, since the users’ internet access providers hold data which, when linked with the IP address, can identify the users in question. Moreover, the AG considered that both the use and the collection of IP address data could be justified under the “balancing of legitimate interests” test of the Data Protection Directive 95/46/EC (DPD), despite more restrictive national legislation in Germany.
Background of the case
The case involves Patrick Breyer (a member of the Pirate Party) and the Federal Republic of Germany (the “BRD”). The BRD operates a number of websites and records the IP addresses of users visiting them. The plaintiff sued the BRD because he considers that IP addresses qualify as personal data under article 2 of the DPD and that the BRD would therefore need consent to process such data. Indeed, by retaining IP addresses the BRD could profile the visitors of its websites. The Regional Court of Berlin ruled on appeal that IP addresses held by website operators should be considered personal data when users provide supplementary information to the website operator (for instance: telephone number, address, etc.). The General Federal Court of Justice took responsibility for the case after both the plaintiff and the defendant appealed the Regional Court decision. The Federal Court referred two preliminary questions to the CJEU: first, whether, under article 2a of the DPD, IP addresses qualify as personal data when the IP address is stored by a website provider and a third party possesses sufficient additional information to identify the user; and second, whether article 7 of the DPD precludes a provision in national law according to which a website provider may collect and process personal data of users without their consent only to the extent necessary to enable the functioning of the website or to arrange payment.
Draft law to improve the civil enforcement of consumer protection of data protection law
On 17 December 2015 the German Bundestag adopted a draft law enabling class actions for data protection violations. By introducing class actions, this law will allow registered consumer associations to bring claims against companies for breaches of German data protection law. The law will enter into force after signature by the Federal President and one day after announcement in the Federal Law Gazette.
Information on the Safe Harbour ruling of the Court of Justice
The Hamburg Commissioner for Data Protection and Freedom of Information recently released a statement regarding the judgment of the European Court of Justice on the Safe Harbour scheme in the case Schrems v. Facebook. This statement provides useful guidelines and instructions addressed to businesses and practitioners on how the judgment should be interpreted and on the next steps this supervisory authority will take in order to ensure compliance with the ruling.
Key data protection points for the trialogue on the General Data Protection Regulation
On 14 August 2015 the Conference of the German Data Protection Commissioners of the Federal Government and the Federal States issued a position paper (as well as a press release) inviting the European Commission, the Parliament and the Council to address specific issues in the trialogue negotiations on the General Data Protection Regulation. The position paper, whose main points are illustrated here, is basically a critical analysis of aspects that according to the Conference have been disregarded or overlooked in the Regulation.
Position Paper of the ULD on the judgment of the Court of Justice of the European Union of 6 October 2015, Schrems v. Facebook (C-362/14)
On 14 October 2015 the DPA of the German state of Schleswig-Holstein issued a position paper commenting on the judgment of the Court of Justice of the EU in the case Schrems v. Facebook. Although the position paper reflects the stance of this DPA exclusively and has limited reach, it contains interesting arguments which criticise the views of the European Commission on the transfer of personal data to the US. According to the DPA, data protection standards in the US are inadequate to protect EU citizens, and data transfer mechanisms other than the Safe Harbour will pose the same problems raised by the Court of Luxembourg in Schrems v. Facebook.
Position paper of the German federal and state data protection authorities on the Safe Harbour
In the wake of the judgment of the European Court of Justice on the Safe Harbour scheme in the case Schrems v. Facebook, German federal and state data protection authorities gathered together and issued a joint position paper. Their common position follows the judgment and views expressed by the Court of Luxembourg. In addition, it sheds light on some key aspects of the ruling and on its interpretation by DPAs, governmental authorities and private companies.