Photo of Friederike Wilde-Detmering

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It will attempt to standardize data protection law throughout the European Union. The GDPR will not be fully harmonized since the law has more than 70 opening clauses that will leave room for the EU Member States’ legislators to implement (stricter,

On 1 October 2017, the German Netzwerkdurchsetzungsgesetz (Network Enforcement Act, „NetzDG“) that we already reported on in April and May, entered into force (English version here). The NetzDG shall be an “act to improve enforcement of the law in social networks”, and aims at combating fake news and hate speech. Regulatory offences may be fined by up to EUR 5 million for individuals and up to EUR 50 million for the platform provider itself.

The NetzDG has been criticised since the beginning of the legislative process, as a great number of lawyers deem the law incompatible with the principle of freedom of expression and the upcoming EU E-Privacy Directive that will be effective 25 May 2018. Therefore, everyone is waiting in suspense for the first complaints brought up against this law to the German Federal Constitutional Court, or even the European Court of Justice.

We compiled the five key aspects of the NetzDG for social networks to make you NetzDG-ready.
Continue Reading Germany’s new hate speech act in force: what social network providers need to do now

The General Data Protection Regulation (“GDPR”) will become applicable 25 May 2018. Even though the GDPR entered into force 24 May 2016, its provisions will be binding and enforceable only from 25 May 2018. In advance of the applicability of the GDPR, the German Administrative Court Karlsruhe (“AC Karlsruhe”) already had to decide on it (Judgment of 6 July 2017, docket no. 10 K 7698/16).


On 25 November 2016, the Data Protection Authority of the state of Baden-Württemberg (“DPA”) imposed an administrative order on a credit agency, concerning an infringement of the GDPR.

The credit agency stored personal identifiable data, such as claims and related information, in compliance with Section 35 (2) sentence 2 no. 4 of the currently valid German Federal Data Protection Act (“FDPA”). The provision contains precise deadlines for the examination for the erasure of data.

The DPA referred to future violations of the GDPR that the DPA expected to occur after 24 May 2018, as the legal framework will change. Under Recital 39 of the GDPR, controllers are obligated to establish time limits for erasure or for a periodic review. According to the order issued by the DPA, the credit agency must erase the stored data, after 24 May 2018, after the expiry of three years at the latest, beginning with the due date of the claim, except for the insolvency or unwillingness of the data subject to pay. In the opinion of the DPA, the declaration of the credit agency to implement the GDPR provisions to its data erasure system by 25 May 2018, was not sufficient.

The DPA indicated to rely on Section 38 (5) sentence 1 of the FDPA, arguing that measures can be issued from the date that future violations of data protection laws can be inferred.

Continue Reading First judgment on GDPR by German administrative court

During the week of 18 September 2017, the European Commission and the Article 29 Working Party (“WP29”) will undertake the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). The meetings will take place in the United States. As for the U.S. side, the U.S. Department of Commerce will conduct the review, and it is likely that, among others, the U.S. Department of State and the U.S. Department of Justice will participate.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. On 6 October 2015, the European Court of Justice (“CJEU”) invalidated the “Safe Harbour” decision by the European Commission, the predecessor to the Privacy Shield, in its Schrems v Data Protection Commissioner (Ireland) judgment (“Schrems Judgment”). By decision of 12 July 2016, the European Commission adopted a new transfer mechanism: the EU-U.S. Privacy Shield (“Adequacy Decision”).

Certified organisations

On a voluntarily basis, U.S. organisations can register for a self-certification to the U.S. Department of Commerce, and publicly assure to comply with the requirements under the Privacy Shield. A list of the certified organisations can be found here.

While about 5,500 organisations had signed up to Safe Harbour, about 2,500 organisations, including many large organisations, have already self-certified to the Privacy Shield in its first year. Apart from that, organisations still consider EU Model Clauses, as well as Binding Corporate Rules, as a good alternative to the Privacy Shield.

Continue Reading Upcoming first annual review of the EU-U.S. Privacy Shield