Photo of Friederike Wilde-Detmering

Background

On 1 August 2022, the Court of Justice of the European Union (“CJEU”) issued a decision (“Decision”) clarifying how the indirect disclosure of sexual orientation data is protected as special category data under Article 9 of the EU General Data Protection Regulation (“GDPR”). “Special Category Data” is defined within Article 9(1) of the GDPR and includes (for example) a data subject’s racial or ethnic origin or data concerning a natural person’s sex life or sexual orientation. The processing of such sensitive personal data is expressly prohibited, unless the processing is exempted from the prohibition under Article 9(2) GDPR.


The German Data Protection Authorities (German DPAs) released a “Report on the Experience Gained in the Implementation of the GDPR”, which was adopted at their conference on November 6, 2019 (Report; available in German here and English here). In this blog, we summarize the key issues that the German DPAs have raised in the Report.

Background

Under Article 97 of the EU General Data Protection Regulation (GDPR), the EU Commission is required to submit an evaluation and review report on the implementation of the GDPR by May 25, 2020, two years after the GDPR became applicable. The German DPAs want to share their experience to contribute to this process and have thus published the Report. The German DPAs opine that the GDPR’s regulatory concept and objectives have largely proved successful and that the heavy GDPR fines are a driver for developing broad-based awareness of data protection. However, they also acknowledge that some uncertainty remains when it comes to GDPR implementation and that there is still a need for guidance from the supervisory authorities.


Today, the European Court of Justice (ECJ) handed down its decision in Google v. CNIL, dealing with the remit of the ‘right to be forgotten’ (RTBF). In short, the ECJ held that the operator of a search engine is not required to carry out de-referencing on all domain extensions of its search engine when dealing with a RTBF request. It is required, however, to carry out de-referencing on the versions of its search engine corresponding to all member states and take measures to protect the data subject’s fundamental rights. Though the decision was made under the former Data Protection Directive, it will have implications for data subjects under the General Data Protection Regulation (GDPR) as the RTBF was codified by GDPR Article 17.


In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took a stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:

“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”

German government’s assessment of the ePrivacy Regulation

The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.

In its recent decision of 11 June 2019 (docket no.: 4 U 760/19, available here), the Dresden Court of Appeals (Oberlandesgericht Dresden – Court of Appeals) had to decide on claims for damages under Article 82 GDPR with regard to minor violations of the GDPR.

Background

The defendant, the provider of a social

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations over the last couple of months regarding their implementation of the requirements of the General Data Protection Regulation (GDPR), and is currently finalising the audits. On 7 August 2019, the Lower Saxony DPA released the

“The internet’s not written in pencil, it’s written in ink.”

Advocate General (AG) Szpunar commenced his opinion dated 4 June 2019 in Case C-18/18 (Opinion, available here) with the above quote from the movie The Social Network. In the Opinion, the AG analysed the substantive scope of injunctions, in particular whether social network providers “may be required to delete, with the help of a metaphorical ink eraser, certain content placed online by users of that platform”, as well as their territorial scope.

I. Background
An Austrian politician applied to the Vienna Commercial Court (Austria) for an injunction requiring a social network provider to cease the publication of a comment about her that she considered defamatory. A user of the social network shared an article from a news website on their personal page on the network, whereupon the social network generated a ‘thumbnail’ of that post, containing the title, a brief summary of the article and a photograph of the politician. The user also published a disparaging comment about the politician alongside the post (Content in Question). Any user of the social network was able to access the Content in Question.

The Vienna Commercial Court issued the requested injunction and ordered the social network provider to delete and to stop disseminating the Content in Question. Subsequently, the social network provider disabled access to the content in Austria, but not for other countries. After the Vienna Higher Regional Court upheld the injunction, the case was brought to the Austrian Supreme Court. The Austrian Supreme Court referred to the Court of Justice of the European Union (CJEU) the questions of whether the injunction can be extended (i) worldwide, and (ii) to statements with identical wording and/or equivalent content. The Austrian Supreme Court ultimately asked the CJEU to interpret the Directive on electronic commerce (eCommerce Directive) in this context.


25 May 2019 was GDPR’s first birthday. Since its introduction, privacy and data protection issues have continued to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. Now is an opportune time to review your privacy and data protection regimes. We have more regulatory guidance and case law than we

The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions.

Local implementation efforts

Although the GDPR intended to unify data protection law within the EU, it permits EU member states to implement stricter local rules in some cases, based on the so-called ‘opening clauses’. These allow local rules to be implemented on important issues, such as the requirements for the designation of a data protection officer, the age of consent of children, data protection in the context of employment, and data breach notification obligations.

EU member states have generally made good use of this option. Germany was the first member state to pass an act to implement the GDPR (and is currently working on an amendment), but the other EU member states quickly followed suit.

Local implementation highlights

Some EU member states have introduced local provisions that are worth noting, particularly for organisations doing business in these jurisdictions. Some examples are:

  • In Germany, organisations that continually employ at least 10 people to deal with the automated processing of personal data must appoint a data protection officer.
  • France has some preliminary notification obligations, for example with regard to the processing of biometric or genetic data.
  • Dutch law retains regulations from the previous Dutch data protection law with regard to the processing of sensitive data, for example in an employment context.
  • Hungary and Spain introduced provisions with regard to the personal data of deceased individuals.
  • Spanish law includes specific provisions for data processing in relation to, for example, video surveillance, whistleblowing and the financial solvency of individuals.
  • The laws of Austria, the Czech Republic and Ireland provide for an easing of the fine system for public bodies.

You can find an overview of all implementation laws and their particular features here: https://www.reedsmith.com/-/media/files/perspectives/2018/gdpr_factsheet_may2018.pdf?la=en.

The GDPR is just around the corner and will be effective in less than three months – on 25 May 2018. Organizations are therefore in the midst of preparations to comply with the new Regulation in order to avoid the potentially high fines. Non-EU organizations have to assess whether the GDPR is applicable to them