1. International data transfers: country assessments for United States, China, India and Russia to assist with data transfer impact assessments
by Dr Andreas Splittgerber
The European Data Protection Supervisor (EDPS) and the German data protection authorities recently published country assessments for the United States, China, India and Russia to assist data exporters and importers transferring personal data from the EU to these countries. The assessments focus on the aspects the European Court of Justice examined in its Schrems II decision, namely the scope of government access to data and the legal remedies available to data subjects, and can be found here: EDPS Study on Government Access and Expert Opinion on the Current State of U.S. Surveillance Law and Authorities. The assessments do not suggest possible supplementary measures, so the non-exhaustive list in the European Data Protection Board's (EDPB) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data remains the starting point for determining such measures.
Conclusion: The assessments are a helpful starting point, and it is positive that authorities at EU and national level have recognised that private organisations cannot be expected to produce such country assessments themselves. However, the assessments are very general and the parties to a data transfer will still need to apply them to their specific transfer on a case-by-case basis. For the countries assessed, the parties will need to identify supplementary measures before the transfer can proceed, bearing in mind that the EDPB's list of supplementary measures is not exhaustive.
2. Data protection authorities: cookie updates
by Sven Schonhofen, LL.M.
Data protection authorities are currently very active regarding cookies:
- The German data protection authorities published their draft guidance on the new cookie provisions in the TTDSG at the end of last year. In the guidance the authorities require, among other things, a decline option in the first layer of a cookie management solution, i.e. a "reject" choice that is as easy to reach as the "accept" choice. The Baden-Württemberg data protection authority has also published a cookie FAQ with many practical examples.
- According to the Belgian data protection authority, the consent framework operated by IAB Europe violates the GDPR, in particular with regard to the legal bases relied on and the information provided to users. IAB Europe has been given six months to remedy the violations.
- The Austrian data protection authority decided that the use of Google Analytics under the old set-up dating from August 2020 was not compliant with data protection law because the mechanism relied on for the data transfer to the U.S. was insufficient. The authority did not assess, and made no finding on, whether Google Analytics is compliant under its current set-up.
- The French data protection authority (CNIL) likewise concluded that the use of Google Analytics (likely also based on the old set-up) was unlawful due to non-compliant data transfers. In the CNIL's view, the supplementary measures Google had taken were insufficient to prevent access by U.S. surveillance agencies. The CNIL coordinated this decision with other EU data protection authorities.
- The EDPS issued a warning to the European Parliament for using Google Analytics and Stripe cookies on a website without demonstrating a sufficient level of data protection with regard to the resulting data transfers.
- On a positive note, there have been reports that the successor to the EU-U.S. Privacy Shield adequacy decision is in its final stages and might be finalised in the second quarter of 2022.
Conclusion: The topics currently most debated by the authorities are the legal bases for the use of cookies, international data transfers and the design of cookie banners. Organisations must review their cookie set-up for compliance with applicable law and regulatory guidance. Given the range of current enforcement activity, organisations should expect authorities to initiate proceedings in cases of non-compliance.
3. Schleswig Higher Administrative Court: fan page violates data protection law
by Christian Leuthner
After 10 years of proceedings, including a referral to the ECJ, the Higher Administrative Court Schleswig (judgment of November 25, 2021, docket no.: 4 LB 20/13) has finally ruled that the Schleswig-Holstein Business Academy must shut down the Facebook fan page it operates. The court confirmed both the deficiencies in the transparency of the data processing identified by the supervisory authority and the additional lack of a legal basis for that processing. Building on the ECJ's ruling that the operator of a fan page and Facebook are joint controllers, the Higher Administrative Court found that the operator of a fan page can itself be the addressee of measures taken by the supervisory authority within the scope of that joint responsibility.
Conclusion: Users of social media platforms must ensure that the processing connected with their presence is data protection-compliant and, in particular, must provide transparent information to visitors.
4. Hamm Court of Appeals: scope and limits of the right to information
by Dr Thomas Fischl
On 15 November 2021 (docket no.: 20 U 269/21), the Hamm Court of Appeals ruled that a request for information pursuant to article 15 of the GDPR constitutes an abuse of rights if it does not serve the purpose of checking whether the processing of the requester's personal data is lawful under data protection law. In such cases, the data controller may refuse to provide the information. The decision concerned a plaintiff with private health insurance who used an access request to check the correctness of a premium increase. The court considered this an abuse of rights and granted the defendant insurance company a right of refusal.
Conclusion: The scope and limits of the right to information remain subject to debate, and many courts and data protection authorities have already had to address the issue. Companies should be well prepared and have policies and processes in place so that they can respond to access requests in compliance with the law.
5. Dresden Court of Appeals: retention obligations do not per se justify data retention
by Friederike Wilde-Detmering, M.A.
In a decision dated 14 December 2021 (docket no.: 4 U 1278/21), the Dresden Court of Appeals ruled that statutory retention obligations do not justify the permanent storage of data that was not lawfully collected in the first place. The court held that data controllers must organise their records so that auditors can only access the data that is actually required to be recorded and retained. Supplementary data that allows individuals to be identified must be deleted.
Conclusion: Data controllers must establish precisely which of the data and documents they store are subject to statutory retention obligations, and must not use those obligations as a blanket justification for retaining everything.
6. Karlsruhe Court of Appeals: online shops that only offer customers the choice of ‘Mrs’ or ‘Mr’ to indicate their gender, discriminate against non-binary people
by Dr Philipp Süss, LL.M./Dr Alexander Hardinghaus, LL.M.
On 14 December 2021 (docket no.: 24 U 19/21), the Karlsruhe Court of Appeals ruled that offering only two forms of address ('Mrs' or 'Mr') when shopping online unacceptably discriminates against a person of non-binary gender identity, in violation of the German General Act on Equal Treatment. In the underlying case, a non-binary person sued a clothes manufacturer for damages and injunctive relief. In the court's view, the breach was not severe enough to justify damages. However, the court clarified that, in principle, the person concerned can seek injunctive relief.
Conclusion: To avoid discriminating against non-binary people in e-commerce, companies should provide an option to select a gender-neutral form of address (e.g. Diverse / No salutation).
7. Essen Regional Court: certain terms and conditions for participating in a competition must be communicated in the original advertising
by Joana Becker
In its judgment of 2 October 2021 (docket no.: 44 O 6/20), the Essen Regional Court ruled that the advertisements in dispute, which related to a competition, were anti-competitive because a general reference to another medium for "all details and terms of participation in the competition" was insufficient. In the court's view, customers must be able to make an informed business decision about a competition. The necessary information must therefore be provided to them in good time, that is, in the original advertisement itself. Information that matters to the customer's decision includes, in particular, the terms of participation, e.g. the forms of participation and the method of determining the prize.
Conclusion: Those terms for participating in a competition that are important if a customer is to make an informed business decision, such as restrictions on the number of participants or the method of determining the prize, should be communicated in the original advertisement.
8. Stendal Regional Court: no advertising in confirmation emails
by Irmela Dölle
In its ruling of 12 May 2021 (docket no.: 22 S 87/20), the Stendal Regional Court decided that emails sent as part of a double opt-in procedure (DOI) must not contain any advertising, and that the concept of advertising is to be interpreted broadly in this context.
The plaintiff had objected to the confirmation email sent by the defendant as part of the DOI procedure. The court expressly found the sending of a plain confirmation email to be permissible. However, the advertising statements contained in the defendant's email ("Welcome to XY" and "Do you have any questions about the newsletter? Contact us at: info@XY.de"), together with the use of its logo, were inadmissible. Because its content went beyond that of a permissible, simple confirmation email, the disputed email acquired "the characteristics of an advertisement" and was therefore unlawful as a whole.
Conclusion: Confirmation emails sent as part of a DOI procedure should contain nothing beyond the confirmation itself; logos, welcome messages and contact prompts should be left out.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- Draft Data Act – more in our client alert
- European Data Protection Board
- German data protection authorities
- Guidelines on direct marketing
- FAQ on the processing of employee data in connection with the Covid-19 pandemic
- Saxony-Anhalt data protection authority
- Bavarian data protection authority
- CNIL: Access rights of employees
- Adequacy decision for South Korea – more on our blog
- German Federal Constitutional Court on hate speech in social media – more on our blog
- Our blog on binding corporate rules and standard contractual clauses