PRIVACY TICKER 1. Legislative Changes - Beiten Burkhardt
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
B E I T E N B U R K H A R DT | N E W S T I C K E R | J A N UA R Y 2 0 2 1 1
PRIVACY TICKER
1. Legislative Changes
+++ EU COMMISSION PROPOSES REGULATIO N ON material damages, the violation must have led to a concrete, not
DATA GOVERNANCE +++ just insignificant or perceived violation of the personal rights of
The EU Commission has published a proposal for a regulation on the affected data subject. The court also rejected a claim for
data governance. The intention is to facilitate and promote the ex- damages against the data protection officer because the latter
change of data within the EU by creating a trustworthy framework was not a "controller" within the meaning of the GDPR.
to better exploit the ever-growing data pools and stimulate data
sharing. In addition, a legal framework for so-called data inter- To the judgement (of 6 November 2020, file ref. 51 O 513/20)
mediaries (neutral intermediaries for data sharing) is to be created.
These must meet high standards of neutrality, transparency and
security. + + + H I G H E R A D M I N I S TR ATI V E CO U RT O F LU E N E B U RG :
U N L AW F U LN E S S O F P O LI C E V I D E O S U RV E I LL A N C E
To the EU Commission's proposal D U E TO I N S U F F I C I E NT D I S C LO S U R E + + +
The Higher Administrative Court of Lueneburg has ruled that video
surveillance is unlawful if it is not adequately disclosed. Admittedly,
2. Case Law the infringement of the right to informational self-determination
by the video surveillance was justified. Nonetheless, the court did
not consider the requirements for the disclosure of the surveillance
+++ GERMAN FEDERAL COURT OF JUSTICE (BGH): to be fulfilled. The information stickers attached to posts by the
N O R I G HT TO I N F O R M ATI O N U N D E R CO PY R I G HT L AW police for this purpose were not suitable. Due to the curvature of
W ITH R E G A R D TO E - M A I L A N D I P A D D R E S S E S +++ the posts and the multitude of other stickers and notes regularly
The Federal Court of Justice has ruled that the copyright claim to affixed to these posts, the indications were not sufficiently per-
information on "name and address" does not at the same time in- ceptible to the average traffic participant.
clude information on e-mail addresses, IP addresses and telephone
numbers. The term used in the relevant provision coincides with To the court's press release
the term "addresses" used in the European Directive on the Enforce-
ment of Intellectual Property Rights and, according to a ruling by
the European Court of Justice, does not also include this specific + + + R E G I O N A L C O U R T O F R O S TO C K : P R E - S E T
data of users. There were no indications that the legislator intended C O O K I E B A N N E R I S I N A D M I S S I B LE + + +
to go beyond the EU regulation with the standard of the German The Regional Court of Rostock has ruled that a cookie banner
Copyright Act. with pre-set permission that is only to be confirmed by clicking on
"OK" is illegal. The user regularly does not take the effort to have
To the court's press release details displayed and to deselect individual cookies. The court did
not accept the option to limit the consent to technically necessary
cookies by clicking on "Use only necessary cookies", as the button
+ + + R E G I O N A L C O U R T O F L A N D S H U T: N O in question was not recognisable as a clickable button due to its
C O M P E N S AT I O N F O R DA M AG E S M E R E LY O N discreet design next to the "Allow cookies" button. Moreover, the
AC C O U N T O F V I O L AT I O N S O F DATA P R OTE C T I O N court considered the website operator and Google to be joint
L AW + + +
The Regional Court of Landshut has ruled that the mere violation
of data protection law is not sufficient for a claim for damages.
Rather, material damage must be claimed and quantified. For non-
B E I T E N B U R K H A R DT | N E W S T I C K E R | J A N UA R Y 2 0 2 1 2
controllers for the data processing of Google Analytics. The court because it placed all employees under general suspicion. The
thus follows the predominant opinion of the authorities (see unauthorised cameras had covered, among other things, workplaces,
BB Privacy Ticker of June 2020). sales rooms, warehouses and common areas, and thus mainly
affected employees, but also customers.
To the judgement (published by the Federation of German Consumer
Organisations (Verbraucherzentrale Bundesverband)) To the press release of LfD Lower Saxony of 8 January 2021
+ + + AU S T R I A N P O S T E S C A P E S G D P R F I N E D U E TO + + + C N I L I M P O S E S M I LLI O N D O LL A R F I N E O N
FORMAL ERROR +++ CARREFOUR +++
In 2019, Austrian Post had actually collected a fine of EUR 18 million The French data protection authority (CNIL) has imposed a fine of
(see BB Privacy Ticker of November 2019). Now, the Austrian around EUR 3 million on the retail and wholesale group Carrefour
Federal Administrative Court has overturned the decision of the for a number of breaches of data protection. Among other things,
data protection authority due to a formal error because no specific retention periods were not observed and customer data was stored
person had been designated as ultimately responsible in the for far too long. There were data of more than 28 million customers
decision. The naming of several possible employees with key who had been inactive for five to ten years. In addition, the group
functions at Austrian Post is not sufficient, as the person acting also violated information obligations, did not comply with regulations
must be specifically identified. The court had developed this case on the use of cookies, did not guarantee the protection of data
law only after the decision of the competent data protection subjects' rights easily enough and violated other French data pro-
authority in another case but applied it here, so that Austrian Post tection regulations.
no longer has to pay the fine.
To the press release of CNIL (French)
To the ruling of the Austrian Federal Administrative Court (W258
2227269-1/14E)
+ + + S W E D I S H DATA P R OT E C T I O N AG E N CY F I N E S
H E A LT H C A R E P R OV I D E R S + + +
The Swedish Data Protection Authority has imposed several fines
3. Regulatory Investigations ranging from EUR 240,000 to 2.9 million for lack of a needs and risk
analysis regarding staff access to electronic health records. Such
and Enforcement Actions analyses are necessary in order to be able to assign a correct
authorisation level to staff so that in turn the patients' right to privacy
can be ensured. It was criticised in particular that staff members'
+ + + C N I L I M P O S E S R E C O R D F I N E S O N G O O G LE access authorisation to the respective system had not been limited
A N D A M A ZO N + + + to what was strictly necessary for the performance of their duties.
The French data protection authority (CNIL) has imposed fines
totalling EUR 100 million on Google and EUR 35 million on Amazon. To the press release of the supervisory authority (English)
The reason was that no prior consent was obtained for the use
of cookies on the sites google.fr and amazon.fr. The existing
cookie banners also did not provide sufficient information about
which cookies would be stored on the users' end devices. CNIL 4. Opinions
justified the amount of the fine with the high number of affected
users, the seriousness of the violation and the high profits that
the companies make from advertising revenue generated by the + + + S TATE C O M M I S S I O N E R F O R DATA P R OTE C TI O N
advertising cookies. ( LF D) LOW E R S A XO N Y P U B LI S H E S G U I DA N C E F O R
COOKIE BANNERS +++
To the press release of CNIL regarding Google (French) The Lower Saxony data protection authority has published guidance
for the design of consent banners on websites. Here, the re-
To the press release of CNIL regarding Amazon (French) quirements for an effective consent are presented for cookies as
well as for the integration of third-party service providers. The
authority also warns against the design of cookie banners and
+ + + F I N E I N TH E M I LLI O N S AG A I N S T website designs that strongly manipulate behaviour and are
N OTE B O O K S B I LLI G E R . D E I N LOW E R S A XO N Y + + + intended to control user behaviour ("nudging"); these could also
The State Commissioner for Data Protection (LfD) of Lower Saxony lead to the invalidity of consent. Another criticism is that it is often
has imposed a fine of EUR 10.4 million on notebooksbilliger.de for not sufficiently simple to revoke consent and that rejecting
unlawful video surveillance of its employees. The company had cookies is often too complicated.
monitored its employees by video for at least two years without a
legal basis for doing so. The fact that the video surveillance was To the notes of LfD
intended to prevent and investigate criminal offences and to track
the flow of goods in the warehouse was not sufficient justification
B E I T E N B U R K H A R DT | N E W S T I C K E R | J A N UA R Y 2 0 2 1 3
+ + + 1 0 0TH DATA P R OTE C TI O N C O N F E R E N C E + + + S TATE M E NT O F TH E E U R O P E A N DATA
A D D R E S S E S W I N D OW S 1 0, S E C U R IT Y AUTH O R ITI E S ' P R OTE C TI O N B OA R D ( E D P B ) O N TH E e P R I VACY
AC C E S S TO E N C RY P TE D C O M M U N I C ATI O N S , R E G U L ATI O N + + +
P R O C E D U R E F O R O B TA I N I N G S U B S C R I B E R DATA The European Data Protection Board (EDPB) has published a
A N D e P R I VACY D I R E C TI V E + + + statement on the planned ePrivacy Regulation. The regulation
In its anniversary meeting, the Data Protection Conference (DSK) should in no way lower the level of protection provided by the
dealt, among other things, with telemetry functions and data pro- current ePrivacy Directive, but should complement the GDPR by
tection in the use of Windows 10 and published an examination providing additional safeguards for the confidentiality and pro-
scheme for use in compliance with data protection laws. tection of all types of electronic communications. The EDPB also
warns against fragmentation of supervision, procedural complexity
The DSK rejects the demand for access by security authorities to and a lack of consistency and legal certainty for individuals and
encrypted communications. It views this as an undermining of the businesses.
encryption solution, although this is an essential prerequisite for a
resilient digitalisation in the economy and administration. The To the statement of the EDPB (English)
DSK also criticises the authorities' access powers in the current
procedure for obtaining subscriber data as being too far-reaching
and not in conformity with the constitution. The German Federal
Constitutional Court has already issued guidelines in this regard,
which the legislature has not yet implemented.
In addition, the DSK appealed to the legislator to implement the
ePrivacy Directive in full and in accordance with the GDPR. In the
DSK's view, there is currently legal uncertainty regarding the
applicability of the German Telemedia Act in addition to the GDPR
and the ePrivacy Directive.
To the general press release of the DSK
To the resolution of the DSK regarding Windows 10
To the DSK's Windows 10 review scheme
To the resolution of the DSK regarding encrypted communication
To the DSK resolution on access to information on subscriber data
To the DSK resolution on the ePrivacy Directive
B E I T E N B U R K H A R DT | N E W S T I C K E R | J A N UA R Y 2 0 2 1 4
If you have any questions, please address the BEITEN BURKHARDT lawyer of your choice or contact the
BEITEN BURKHARDT Privacy Team directly:
MUNICH
Dr Axel von Walter
Partner | CIPP/E | CIPM | Licensed Specialist
Laureen Lee
Lawyer | LL.M.
for Copyright and Media Law | Licensed Spe-
Laureen.Lee@bblaw.com
cialist for Information Technology Law
Tel.: +49 89 35065-1307
Axel.Walter@bblaw.com
Tel.: +49 89 35065-1321
Gudrun Hausner
Lawyer
Gudrun.Hausner@bblaw.com
Tel.: +49 89 35065-1307
FRANKFURT AM MAIN
Dr Andreas Lober Lennart Kriebel
Lawyer
Lawyer
Lennart.Kriebel@bblaw.com
Andreas.Lober@bblaw.com
Tel.: +49 69 756095-477
Tel.: +49 69 756095-582
Susanne Klein
Lawyer | LL.M.
Licensed Specialist
for Information Technology Law
Susanne.Klein@bblaw.com
Tel.: +49 69 756095-582
DUSSELDORF
Mathias Zimmer-Goertz Christian Frederik Döpke
Lawyer Lawyer | LL.M. | LL.M.
Mathias.Zimmer-Goertz@bblaw.com Christian.Doepke@bblaw.com
Tel.: +49 211 518989-144 Tel.: +49 211 518989-144
Imprint
This publication is issued by © BEITEN BURKHARDT Rechtsanwaltsgesellschaft mbH.
BEITEN BURKHARDT All rights reserved 2021.
Rechtsanwaltsgesellschaft mbH
Ganghoferstrasse 33 | D-80339 Munich PLEASE NOTE
Registered under HR B 155350 at the Regional Court Mu- This publication cannot replace consultation with a trained legal
nich/VAT Reg. No.: DE811218811 professional. If you no longer wish to receive this newsletter, you
For more information see: can unsubscribe at any time by e-mail (please send an e-mail with
https://www.beiten-burkhardt.com/en/imprint the heading “Unsubscribe” to newsletter@bblaw.com) or any other
declaration made to BEITEN BURKHARDT.
EDITOR IN CHARGE
Dr. Andreas Lober | Lawyer | Partner
beijing | berlin | brussels | dusseldorf
frankfurt am main | hamburg | moscow | munich
w w w.be ite nburk h a rdt.com
You can also read
