1. German Federal Council approves GDPR Implementation Act
by Sven Schonhofen, LL.M.
On 12 May 2017, the German Federal Council (Bundesrat) passed the GDPR Implementation Act (the “Act”), despite significant opposition. The Act is intended to bring the current German data protection laws in line with the requirements of the General Data Protection Regulation (GDPR). It contains provisions, inter alia, on the rights of data subjects, on data protection officers and on data processing, in the context of the workplace.
Conclusion: Companies looking to get ready for the new data protection regime should focus not only on the GDPR, but also on the national implementation laws. There is less than one year left!
2. CJEU: data processing on the basis of legitimate interests
by Dr. Thomas Fischl
The CJEU was asked to apply Article 7(f) of the Data Protection Directive in its Rigas decision dated 4 May 2017 (C-13/16). Article 7(f) lays down three cumulative conditions: first, the data controller or the third party or parties to whom the data are disclosed must be pursuing a legitimate interest; second, the processing of personal data must be necessary for the purposes of the legitimate interests pursued; and third, the fundamental rights and freedoms of the person concerned by the data protection must not take precedence.
Conclusion: The CJEU analysis of how legitimate interests may provide a legal basis for the processing of personal data is straightforward. What makes the Rigas decision significant is what it says about the ability of public bodies to process personal data on the basis of such a legitimate interest. The approach of the CJEU in the decision also appears to be consistent with Article 6 of the GDPR.
3. German Supreme Court: consent for marketing communications
by Dr. Alexander Hardinghaus, LL.M.
In a judgment dated 14 March 2017 (VI ZR 721/15), the German Supreme Court held that consent to the receipt of newsletters is invalid unless the pre-formulated declaration of consent, which also refers to advertising partners, clearly indicates the specific products and services to be advertised by the relevant advertising partner. Unfortunately, the Supreme Court did not provide any guidance on the level of detail which would be required to comply with the requirement to indicate the specific products and services.
Conclusion: Companies should specify the products and services to be advertised in as much detail as possible.
4. New case law on liability for third party content strengthens providers' position
by Dr. Andreas Splittgerber
The Regional Court of Cologne decided on 11 January 2017 (28 O 430/15, not yet published) that an online host does not have to start the procedure to take down content if the notice by the allegedly infringed person or entity was insufficiently detailed. The online provider does not even have an obligation to inform such person or entity that the notice was insufficiently detailed.
The Higher Regional Court of Cologne decided on 23 March 2017 (15 U 172/16, not yet published), in furtherance of judgments by the German Supreme Court in New York Times and Seven Days in Moscow, that German law does not apply to an English-language post that deals with events in Switzerland.
Conclusion: After recent judgments of the German Supreme Court in Jameda (VI ZR 34/15) and Holidaycheck (327 O 494/12) which defined notice and take-down obligations more precisely, the German courts ruled in favour of the provider in the above-mentioned recent judgments.
5. Hamburg data protection authority: use of Google Analytics
by Christian Leuthner
The Hamburg data protection authority (“DPA”) has updated its paper on the use of Google Analytics (“Paper”), taking into account the CJEU’s Safe Harbor decision (C-362/14). The DPA confirmed that the lawful use of Google Analytics is still possible if website operators using Google Analytics implement several measures (data processing agreement with Google, deletion of the last octet of the relevant IP addresses, website users must be informed and able to opt out). Data that have not been obtained following the requirements of the Paper must be deleted. This does not apply if website operators already complied with a previous version of the Paper.
Conclusion: The requirements correspond with the current legal situation. Further amendments might be necessary once the GDPR and ePrivacy Regulation enter into force.
6. Draft laws and recommended reads
Draft laws
- Proposal of EU Commission for an ePrivacy Regulation. Counter proposal by EU Parliament. Read our status update on our blog.
- Proposal for a “Hate Speech Act” by the German Minister of Justice and Consumer Protection (available in German). Read more about concerns raised on our blog.
Recommended reads
- Article 29 Working Party published GDPR guidelines on:
- Bavarian data protection authority sent GDPR questionnaire to 150 companies
- Bavarian data protection authority published new GDPR mini-guides (in German):
- Motion for an EU Parliament Resolution on civil law rules on robotics
- ICO paper on big data, artificial intelligence, machine learning and data protection
- Irish data protection authority's memo on model clauses litigation
7. Our new Reed Smith app for data breaches: BreachRespondeRS.
Learn more about our app, which will help you to quickly respond to data breaches in the U.S.: here.
GDPR version will follow.