The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:Continue Reading Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:

“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”

German government’s assessment of the ePrivacy Regulation

The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.
Continue Reading Update on ePrivacy Regulation: “Current draft does not guarantee high level of protection and cannot be supported”, German government states

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic by the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites that were reviewed used thirdparty tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurances, banks, media, cars and houses.

The Bavarian DPA emphasised its audit on transparency and consent. Continue Reading German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its long-awaited Facebook fan page judgement (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the page. Only a day later, the Conference of German Data Protection Authorities (German DPAs) released a statement, titled ‘Time is up for not being responsible’ (Statement, available in German here), arguing that organisations do not meet data protection standards when operating a fan page on Facebook. Marketers in Germany and Europe are now uncertain whether they should take down their Facebook fan pages and any other social media presence. In this blog, we provide you with a first interpretation and a ‘first aid kit’.


Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie) operates a Facebook fan page and was ordered by the Schleswig-Holstein Data Protection Authority to deactivate the fan page. Neither Facebook Ireland Ltd nor Wirtschaftsakademie had been informing visitors of the functioning of cookies and subsequent processing of their data. Wirtschaftsakademie took this case to court, arguing essentially that it was not responsible for the processing of data by Facebook or cookies installed by Facebook.

CJEU decision

The CJEU ruled that the operator of a fan page hosted on a social network must be considered a ‘data controller’.

The court began by noting that the concept of controller must be defined broadly as an entity that alone or jointly with others determines the purposes and means of the processing of personal data. It observed that, for the European Union, Facebook Ireland must be regarded as controller responsible for the processing of personal data of Facebook users and persons visiting the fan pages hosted on Facebook.

Next, the CJEU stated that the operator of a fan page hosted on Facebook is also a (co-) controller. The operator contributes to the processing of the visitors’ personal data by defining parameters in the creation of the fan page. In particular, the operator can request the processing of demographic data relating to its target audience (for example, age, sex, information on lifestyle and interests) and geographical data that allow the operator to target best the information it offers.

The case has now been referred back to the German Federal Administrative Court, which will decide whether the specific use of Facebook fan pages by Wirtschaftsakademie was compliant.Continue Reading How big is the risk to operate Facebook fan pages in Germany?

On 26 April 2018, the Conference of German Data Protection Authorities (German DPAs) released a highly criticised position paper on the applicability of the German Telemedia Act (TMA) after 25 May 2018 (Position Paper). The Position Paper clearly states that tracking and profiling cookies now require informed prior opt-in consent.

Position Paper

Webtracking is governed by the General Data Protection Regulation (GDPR) as well as the ePrivacy Directive. The ePrivacy Directive is currently being revised. A new ePrivacy Regulation was supposed to enter into force in tandem with the GDPR on 25 May 2018, but it is delayed and we do not expect it to enter into force before the end of 2019. The German legislator has not updated the TMA due to the upcoming ePrivacy Regulation.

The Position Paper outlines the German DPAs’ view on the relationship of the GDPR and the TMA and its consequences on the use of cookies. The Position Paper states that the GDPR shall take precedent unless national law prevails because of an opening clause or conflict of law rule. Article 95 of the GDPR is such a conflict of law rule. It provides that the GDPR shall not impose additional obligations regarding processing data in connection with the provision of publicly available electronic communications services in public communication networks in relation to matters for which they are subject to specific obligations with the same objective set out in the ePrivacy Directive. However, the German DPAs explain that Article 95 of the GDPR does not apply with regard to the provisions in the TMA that govern tracking and reach measurement.Continue Reading German authorities: tracking and profiling cookies require opt-in consent

On 10 January, the EU Commission proposed a new Regulation on Privacy and Electronic Communications (“proposed Regulation”) to replace Directive 2002/58 (known as the “ePrivacy Directive”).

The proposed Regulation

The proposed Regulation aims to align the rules that apply to electronic communications services with the forthcoming General Data Protection Regulation (GDPR).
Continue Reading EU Commission publishes its proposals for new e-Privacy Regulation

In 2007, Google bought online ad network DoubleClick, which uses cookies to collect and store data about Google users from their browsing history, to best place clients’ ads. This past June, Google revised its privacy policy to state that users’ activities on other sites tracked by DoubleClick “may be associated with [their] personal information.”  This

The Federal Trade Commission is currently the most aggressive enforcement agency on privacy and data security. The agency kicked off 2016 with PrivacyCon on January 14, which put the spotlight on academic research on consumer privacy and security.

The conference, which drew 400 attendees to Southwest D.C. and 1,500 more streaming online, showcased 19 papers on topics ranging from mismatched consumer privacy expectations online to the costs and causes of cyber incidents, with many papers focusing on the technology of online tracking. While the papers presented do not necessarily reflect the view of the FTC, it is likely that they selected presenters and findings that are consistent with their enforcement priorities.
Continue Reading FTC’s PrivacyCon Highlights Consumer Privacy Perceptions and Targeting

Exploiting loopholes in Internet users’ cookie-blocking settings while claiming to protect them from cookies is a serious and deceitful invasion of privacy, the Third Circuit held November 10.

Ruling on an appeal from consumer plaintiffs, whose multi-district litigation against Google and several other companies that run Internet advertising businesses was dismissed in Delaware District Court, the Third Circuit in In re Google Inc. Cookie Placement Consumer Privacy Litigation affirmed the dismissal of the federal law claims and some state law claims, but kept the California privacy claims alive. When Google told users in its Privacy Policy that using the cookie blockers in the Safari and Internet Explorer browsers was effective, and then took advantage of loopholes in those blockers to allow the placement of cookies, it was deceptively engaging in actionable invasion of privacy under California law, the court held.  
Continue Reading Third Circuit Slams Google’s Allegedly ‘Deceitful’ Cookie Practices

Though the National Association of Attorneys General (NAAG) Presidential Initiative “Privacy in a Digital Age” expired in June 2013 when a new NAAG president took over, the state attorneys general have maintained their sharp focus on all things privacy, with no signs that that focus will shift anytime soon. Most recent case in