Photo of Arne Senger

The Fall 2020 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

1. Data transfers following Schrems II
2. German Supreme Court: Relationship between the GDPR and the German Act on the Protection of Copyrights

The German data protection authority of the federal state of Baden-Württemberg (LfDI BW) has issued detailed guidance (Guidance) on international data transfers this August and September. This is the first official guidance by a data protection authority following the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) that contains some solid guidance and suggestions for next steps.

Summary of the Guidance: (i) Checklist plus (ii) action items

The LfDI BW reiterates that international data transfers shall be subject to an adequacy assessment and, where necessary, additional safeguards must be implemented that supplement the transfer mechanism relied upon. For this assessment, the LfDI BW proposes a checklist and specific action items for the amendment of the SCCs and potentially other data transfer mechanisms.
Continue Reading First official guidance on international data transfers post Schrems II – German data protection authority publishes checklist and action items on international data transfers

The Summer 2020 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Access rights vs. data backup
  2. Cookie update: Planet49 and cookie walls
  3. Double opt-in required under GDPR
  4. Update on influencer advertisement
  5. German Supreme Court:

On 26 May 2020, the German Data Protection Authorities (German DPAs) issued guidelines on measures to protect personal data transferred via email (Guidelines; available in German here). The Guidelines outline requirements for procedures to send and receive emails that must be met by data controllers, data processors and public email service providers (Email Service Providers) to comply with Art. 5(1)(f), 25 and 32(1) of the General Data Protection Regulation (GDPR).

Sending emails containing personal data

Data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects concerned.
Continue Reading Encryption of emails containing personal data – the German supervisory authorities issue guidance

The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:
Continue Reading Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took a stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:

“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”

German government’s assessment of the ePrivacy Regulation

The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.
Continue Reading Update on ePrivacy Regulation: “Current draft does not guarantee high level of protection and cannot be supported”, German government states

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations over the last couple of months regarding their implementation of the requirements of the General Data Protection Regulation (GDPR), and is currently finalising the audits. On 7 August 2019, the Lower Saxony DPA released the

On 3 April 2019, the Conference of German Data Protection Authorities (German DPAs) published a resolution on the interpretation of “certain areas of scientific research” in Recital 33 of the GDPR and the concept of ‘broad consent’ (Resolution).

According to Recital 33 of the GDPR, it “is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.” This is considered the concept of ‘broad consent’.

Consent as defined in Article 4 (11) GDPR must be “specific”. This requirement is closely related to the principle of purpose limitation. The German DPAs point out in the Resolution that the term “certain areas of scientific research” is closely linked to the principle of purpose limitation. The term has to be distinguished from the broadly understood term of “scientific research” in Article 89 GDPR and interpreted rather narrowly.

The German DPAs state that such a broad consent can only come into play in exceptional cases, where at the beginning of a scientific research project, it is not possible to fully identify the purpose of the data processing at the time of data collection. However, according to the German DPAs, the broad consent does not exempt the controller from determining certain mechanisms, which limit the collection of personal data in a comprehensible manner. It accordingly should not be sufficient to just refer to a research area, as informed consent at least requires further specifications about the respective research project.
Continue Reading German DPAs publish resolution on concept of ‘broad consent’ and the interpretation of “certain areas of scientific research”