Reed Smith Newsletters

  1. International data transfers: country assessments for United States, China, India and Russia to assist with data transfer impact assessments
  2. Data protection authorities: cookie updates
  3. Schleswig Higher Administrative Court: fan page violates data protection law
  4. Hamm Court of Appeals: scope and limits of the right to information
  5. Dresden Court of Appeals: retention obligations do not per se justify data retention
  6. Karlsruhe Court of Appeals: online shops that only offer customers the choice of ‘Mrs’ or ‘Mr’ to indicate their gender discriminate against non-binary people
  7. Essen Regional Court: certain terms and conditions for participating in a competition must be communicated in the original advertising
  8. Stendal Regional Court: no advertising in confirmation emails
  9. Recommended reading in the areas of EU and German IT and data protection law

1. International data transfers: country assessments for United States, China, India and Russia to assist with data transfer impact assessments

by Dr Andreas Splittgerber

Recently the European Data Protection Supervisor (EDPS) and the German data protection authorities published country assessments for the United States, China, India and Russia that will assist data exporters and importers when transferring data from the EU to these countries. The assessments focus on aspects that were previously examined by the European Court of Justice in the Schrems II decision and can be found here: EDPS Study on Government Access and Expert Opinion on the Current State of U.S. Surveillance Law and Authorities. The assessments do not make suggestions for possible supplementary measures, so a non-exhaustive list by the European Data Protection Board (EDPB) in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data will remain the starting point for determining such measures.

Conclusion: The assessments are helpful as a start and it is positive to see that, at the EU and local level, authorities have recognised that private organisations cannot be expected to develop such country assessments themselves. However, the assessments are very general and will need to be applied by the parties to a data transfer on a case-by-case basis. For the countries assessed, the parties will need to determine supplementary measures to enable data transfers, bearing in mind that the EDPB’s list of supplementary measures is not exhaustive.

2. Data protection authorities: cookie updates

by Sven Schonhofen, LL.M.

Data protection authorities are currently very active regarding cookies:

  • The German data protection authorities published their draft guidance on the new cookie provisions in the TTDSG at the end of last year. In the guidance the authorities require, among other things, a decline option in the first layer of a cookie management solution. The Baden-Württemberg data protection authority has also published a cookie FAQ with lots of practical examples.
  • According to the Belgian data protection authority, the IAB consent system violates the GDPR, especially with regard to legal bases and information requirements. The IAB now has six months to remedy the violations.
  • The Austrian data protection authority has decided that the use of Google Analytics (under the old set-up dating from August 2020) was not compliant with data protection laws because the data transfer mechanism was insufficient. However, the authority did not find that Google Analytics violates data protection law under its current set-up.
  • The French data protection authority also concluded that the use of Google Analytics (likely also based on the old set-up) was illegal due to non-compliant data transfers. The supplementary measures taken by Google were insufficient to prevent access by U.S. surveillance agencies. The CNIL coordinated with other EU data protection authorities on this decision.
  • The EDPS issued a warning to the European Parliament for using Google Analytics and Stripe cookies on a website without demonstrating a sufficient level of data protection with regard to data transfers.
  • On a positive note, there have been reports that the successor to the EU-U.S. Privacy Shield adequacy decision is in its final stages and might be finalised in the second quarter of 2022.

Conclusion: The current topics most debated by authorities are the legal bases for the use of cookies, international data transfers and the design of cookie banners. Organisations must review their cookie setup for compliance with applicable law and regulatory requirements. In view of the wide range of current activities conducted by authorities, it is reasonable to suppose that they will initiate proceedings in cases of non-compliance.