Photo of Sven Schonhofen

The Summer 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Summer 2022 Edition)

The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)

On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies cannot be used anymore. The injunction can still be appealed and could also be lifted in the main proceedings.

Continue Reading German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization

The Summer 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Update on international data transfers
  2. State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on

After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements:

  • The user’s consent, or
  • The cookie must be strictly necessary in order to provide the service explicitly requested by the user (Strictly Necessary Cookies).

The category of Strictly Necessary Cookies was previously interpreted rather narrowly. There must be a clear link between the strict necessity of the cookie and the delivery of the service. It is not sufficient that the cookie is merely necessary from an economic perspective to run a website. The Article 29 Working Party in WP194 regarded shopping cart, user authentication, security, load balancing, or multimedia player as use cases for Strictly Necessary Cookies.

The legal basis for so-called Reach Measurement Cookies has been heavily debated. Reach Measurement Cookies are statistical audience measurement tools for websites used to estimate the number of unique users, track the users’ interaction with the website and track down navigation issues. Typically, they have not been regarded as Strictly Necessary Cookies because websites can be provided to the users without measuring the users’ interactions with the websites. At the same time, Reach Measurement Cookies only provide useful findings if every users’ interactions with the websites are tracked.

In this context, the French data protection authority (CNIL) has provided guidelines (Guidelines) under which the Reach Measurement Cookies may be considered as Strictly Necessary Cookies and thus benefit from the consent exemption.

Continue Reading When are Reach Measurement Cookies exempt from the consent requirement?

The Spring 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. New cookie rules in Germany will apply as of December 1, 2021
  2. German data protection authorities conduct coordinated audits on international data transfers

The German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz – TTDSG, available here) on February 10, 2021. The TTDSG, among other things, provides new rules on cookies and similar technologies (Cookies), introducing only two categories of Cookies: (1) strictly necessary Cookies and (2) consent-based Cookies. The legal basis of legitimate interests cannot be relied upon for Cookies anymore. Germany will be the last member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law – almost a decade after the deadline passed, and ignoring the extensive discussions on the Cookie provisions in the ePrivacy Regulation (and particularly the exceptions from the consent requirement).
Continue Reading A new recipe for Cookies – The new German Telecommunications and Telemedia Data Protection Act

The Winter 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Strengthening fair competition – changes to the law against unfair competition
  2. Cologne Regional Court on the broad concept of the right to access

The Fall 2020 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

1. Data transfers following Schrems II
2. German Supreme Court: Relationship between the GDPR and the German Act on the Protection of Copyrights