Olswang Germany IT and Data Protection Newsletter - Year End Edition 2014

Germany

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

Content

I. Article 29 Working Party publishes Opinion on "Internet of Things"

II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection

III. Are IP-addresses personal data? - German Federal Court of Justice ask ECJ

IV. Data processing for marketing: new guidelines

V. Outlook on current draft laws and recommended reading

I. Article 29 Working Party publishes Opinion on "Internet of Things"

On September 16, 2014, the Article 29 Working Party (WP29) published an Opinion on "Internet of Things" (IoT). By IoT, the WP29 means an infrastructure in which a multitude of sensors are embedded in common, everyday devices, such as watches or TVs, which are designed to record, process, store and transfer personal data of the user by using network capabilities. The WP29 stresses the risk of very detailed user profiles which go along with a possible identification of the users and their unawareness of this data collection and processing. The WP29 limits its assessment to three current IoT developments (Wearables, Quantified Self Things, such as fitness trackers, and Smart Home Devices). By referring to specific examples the WP29 assesses these developments from a data protection perspective.

Conclusion: The WP29 considers IoT as generally permitted, but clearly states that any stakeholder is responsible for data protection. Despite of consent requirements and transparency obligations, personal data should be aggregated to the greatest extent possible and the principles of privacy by default and privacy by design shall be applied by the
stakeholders.

II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection

At the 88. Conference of the Federal and State Commissioners for Data Protection in Germany on 8/9 October 2014  the Commissioners issued a statement on the topic of market power and informational self-determination (only available in German). Therein, the Commissioners in particular advocated closer cooperation between data protection and competition authorities. They further spoke out in favour of a stringent General Data Protection Regulation to help restrict positions of power based on big data.

The Commissioners' statement comes in light of data playing an increasingly important role in competition investigations, especially when internet-based companies are concerned.

Conclusion: While competition authorities should not turn into data protection authorities (and vice versa), the nexus between data and competition needs to be given more attention in future competition investigations in data-driven high-tech markets.

III. Are IP-addresses personal data? - German Federal Court of Justice ask ECJ

Now that many had accepted that all kinds of IP-addresses (static and also dynamic) are considered personal data in Germany, the German Federal Court of Justice (FCJ) asked end of October for confirmation by the ECJ. The FCJ asked the ECJ the following two questions: (i) Are IP-addresses personal data even if the connection to the individual can only be established with non-available third party information? (ii) Is it permitted for a website operator to store server logs that contain IP-addresses even after end of the web-session for purposes of IT-security?

As always, the original wording of the questions is much more complex. Please see here for the (German only) full version of the questions.

Conclusion: The decision by the ECJ will above all affect all EU operators of Websites that allow surfing without personal registration. The decision by ECJ is not expected before well into 2015, but perhaps the European legislator takes the topic into account in the course of finalising the European Data Protection Regulation.

IV. Data processing for marketing: new guidelines

The "Düsseldorfer Kreis", a committee of the Conference of the Federal and State Commissioners for Data Protection in Germany, has updated the "Guidelines on data processing for marketing purposes" ("Guidelines", only available in German) to reflect the latest developments in this field. The Guidelines include common positions of the 16 national data protection authorities. The Guidelines include recommendations with regard to the data controller's transparency obligations, B2B marketing and marketing activities specifically in the area of e-commerce, e.g. that marketing to existing customers (an exception from consent requirement) is not permitted without consent if third party products are marketed. In addition, the Guidelines indicate the handling of consent and data subject access requests. The data protection authority of Bavaria also announced to increase prosecution of data protection infringements with regard to marketing.

Conclusion: The Guidelines provide solid assistance and relatively secure guidelines with regard to data protection and marketing.

V. Outlook on current draft laws and recommended reading

Draft laws in IT security and Data Protection:
• Draft Directive on the Protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure
• Draft bill of the IT-Security Act (IT-Sicherheitsgesetz)
• Draft of the General Data Protection Regulation (inofficial consolidated version)

New papers by the Article 29 Working Party:
• Guidelines on the implementation of the Court of Justice of the European Union judgment on "Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González" c-131/121 - WP 225
• Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting - WP 224
• Working Document on surveillance of electronic communications for intelligence and national security purposes - WP228

For more information please contact: Andreas Splittgerber