The Summer 2017 Edition of the quarterly IT & Privacy Newsletter by Reed Smith Germany has just been released.

We cover the German GDPR Implementation Act, new case law on processing on the basis of legitimate interests, marketing consent, and provider liability, as well as the paper on Google Analytics by the Hamburg data protection

In a preliminary judgment of 14 June 2017, Case C-610/15, the Court of Justice of the European Union (‘CJEU’) held that the making available and management of a peer-to-peer sharing platform may constitute a copyright infringement.

Facts of the case

In the underlying main proceedings before the Supreme Court of the Netherlands, Stichting Brein, a Dutch foundation which safeguards the interests of copyright holders, sued two internet access providers to block the domain names and IP addresses of a certain online platform called The Pirate Bay (‘TPB’), in order to prevent the services of the internet access providers from being used to infringe the copyright and related rights of the right holders.Continue Reading CJEU: Operation of peer-to-peer sharing platform may qualify as copyright infringement

The Court of Justice of the European Union (CJEU) recently gave its preliminary ruling on the interpretation of the legitimate interests condition under Article 7(f) of the Data Protection Directive 95/46/EC (the Directive) in the context of processing by a public authority.

A collision

In 2012, a passenger in a taxi in Latvia suddenly opened the door to get out, and proceeded to damage a passing tram owned by Rīgas satiksme (Rīgas). Rīgas requested the personal details of the passenger (full name, ID number and address) in order to sue for damages so as to repair the tram. It was unknown at this stage that the passenger was a minor. The Latvian police provided the passenger’s full name only, on the basis that Latvian law does not provide for the disclosure of other data to people who are not a party to administrative proceedings leading to sanctions. Rīgas challenged this decision, stating that it required further information to enable it to locate the passenger. This challenge was upheld before later being appealed by the police. Eventually, the Latvian Supreme Court, noting doubts as to the meaning of ‘necessity’ in relation to the interpretation of ‘legitimate interests’ under the Directive, requested an opinion as to whether: (i) the Directive imposed an obligation to disclose personal data to a third party to enable it to bring an action for damages; and (ii) the age of the individual had any bearing as to interpretation.Continue Reading Legitimate interests: a balancing act

According to a press release dated 16 May 2017, and following the Court of Justice of the European Union’s (CJEU) preliminary ruling in Case C-582/14 dated 19 October 2016 (see our previous blog), the German Federal Supreme Court (Bundesgerichtshof – FSC) confirmed in a judgment of 15 May 2017, case

The Court of Justice of the European Union (“CJEU”) has ruled that dynamic IP addresses can constitute personal data.

Dynamic IP addresses, registered by a website provider when an individual accesses its website, shall constitute personal data where the operator has the legal means to combine the data with additional data (held by the internet service provider) to identify the data subject.
Continue Reading CJEU says dynamic IP addresses can constitute personal data

In June, the Attorney General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion (English translation pending) in the case of Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15). The opinion makes potentially important observations about which law should apply to the processing of personal data under the Data

After what seemed like sure defeat, an agreement on Safe Harbor has apparently been reached. Dubbed the “EU-U.S. Privacy Shield”, the regime will, subject to approval processes, replace the existing Safe Harbor arrangement which was invalidated 6 October 2015.

Click here to read more in the issued Client Alert.

On 19 November, the CNIL released an article in order to provide companies impacted by the recent CJEU ruling on invalidation of Safe Harbor with guidance on the next steps. The article was published at the same time the CNIL sent a mailing to all data controllers relying on Safe Harbor to fix the issue.

On 20 November 2015 the UK’s Court of Appeal referred questions on data retention to the Court of Justice of the European Union (CJEU) following a challenge to the Data Retention and Investigatory Powers Act (DRIPA) 2014.

The referral to the CJEU is significant as it could finally provide clarification as to the application of the CJEU’s decision in Digital Rights Ireland, which found Directive 2006/24/EC (Data Retention Directive) invalid, and the extent to which Member States can impose national data retention obligations.
Continue Reading Could the UK see a shake-up of its Data Retention Powers? Questions referred to the CJEU