Photo of Sven Schonhofen

The Summer 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Update on international data transfers
  2. State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on

After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements:

  • The user’s consent, or
  • The cookie must be strictly necessary in order to provide the service explicitly requested by the user (Strictly Necessary Cookies).

The category of Strictly Necessary Cookies was previously interpreted rather narrowly. There must be a clear link between the strict necessity of the cookie and the delivery of the service. It is not sufficient that the cookie is merely necessary from an economic perspective to run a website. The Article 29 Working Party in WP194 regarded shopping cart, user authentication, security, load balancing, or multimedia player as use cases for Strictly Necessary Cookies.

The legal basis for so-called Reach Measurement Cookies has been heavily debated. Reach Measurement Cookies are statistical audience measurement tools for websites used to estimate the number of unique users, track the users’ interaction with the website and track down navigation issues. Typically, they have not been regarded as Strictly Necessary Cookies because websites can be provided to the users without measuring the users’ interactions with the websites. At the same time, Reach Measurement Cookies only provide useful findings if every user’s interactions with the websites are tracked.

In this context, the French data protection authority (CNIL) has provided guidelines (Guidelines) under which the Reach Measurement Cookies may be considered as Strictly Necessary Cookies and thus benefit from the consent exemption.
Continue Reading When are Reach Measurement Cookies exempt from the consent requirement?

The Spring 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. New cookie rules in Germany will apply as of December 1, 2021
  2. German data protection authorities conduct coordinated audits on international data transfers

The German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz – TTDSG, available here) on February 10, 2021. The TTDSG, among other things, provides new rules on cookies and similar technologies (Cookies), introducing only two categories of Cookies: (1) strictly necessary Cookies and (2) consent-based Cookies. The legal basis of legitimate interests cannot be relied upon for Cookies anymore. Germany will be the last member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law – almost a decade after the deadline passed, and ignoring the extensive discussions on the Cookie provisions in the ePrivacy Regulation (and particularly the exceptions from the consent requirement).
Continue Reading A new recipe for Cookies – The new German Telecommunications and Telemedia Data Protection Act

The Winter 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Strengthening fair competition – changes to the law against unfair competition
  2. Cologne Regional Court on the broad concept of the right to access

The Fall 2020 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Data transfers following Schrems II
  2. German Supreme Court: Relationship between the GDPR and the German Act on the Protection of Copyrights

The Summer 2020 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Access rights vs. data backup
  2. Cookie update: Planet49 and cookie walls
  3. Double opt-in required under GDPR
  4. Update on influencer advertisement
  5. German Supreme Court:

On 26 May 2020, the German Data Protection Authorities (German DPAs) issued guidelines on measures to protect personal data transferred via email (Guidelines; available in German here). The Guidelines outline requirements for procedures to send and receive emails that must be met by data controllers, data processors and public email service providers (Email Service Providers) to comply with Art. 5(1)(f), 25 and 32(1) of the General Data Protection Regulation (GDPR).

Sending emails containing personal data

Data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects concerned.
Continue Reading Encryption of emails containing personal data – the German supervisory authorities issue guidance

On April 1, 2020, Germany’s federal government published a new draft bill to amend the German Hate Speech Act (Netzwerkdurchsetzungsgesetz – “NetzDG”; see also our earlier blog of October 2, 2017). The draft bill (“Bill”) is available in German here.

The Bill will introduce a number of improvements for users of social networks. It will also supplement the amendments to the NetzDG proposed already on February 19, 2020 in the Draft Bill to Combat Right-wing Extremism and Hate Crime (Gesetzentwurf zur Bekämpfung des Rechtsextremismus und der Hasskriminalität; more information is available in German here). In particular, platform providers will need to arrange for more user-friendly notification procedures, and also establish and maintain procedures that enable users to object to the deletion of comments they have made and have their comments reposted on the platform.
Continue Reading German government introduces new bill to amend Germany’s Hate Speech Act, establishing new requirements for social networks and video-sharing platforms

Following the UK Conservative Party’s landslide victory in December 2019, there were immediate implications for the UK’s Withdrawal from the European Union, which resulted in the UK withdrawing from the EU on 31 January 2020. With the European Parliament’s approval of the Withdrawal Agreement, the UK is now in a transition period until 31 December