PRIVACY TICKER 1. Legislative Changes - Beiten Burkhardt
BEITEN BURKHARDT | NEWSTICKER | JANUARY 2021

PRIVACY TICKER

1. Legislative Changes

+++ EU COMMISSION PROPOSES REGULATION ON DATA GOVERNANCE +++

The EU Commission has published a proposal for a regulation on data governance. The intention is to facilitate and promote the exchange of data within the EU by creating a trustworthy framework to better exploit the ever-growing data pools and stimulate data sharing. In addition, a legal framework for so-called data intermediaries (neutral intermediaries for data sharing) is to be created. These must meet high standards of neutrality, transparency and security.

To the EU Commission's proposal

2. Case Law

+++ GERMAN FEDERAL COURT OF JUSTICE (BGH): NO RIGHT TO INFORMATION UNDER COPYRIGHT LAW WITH REGARD TO E-MAIL AND IP ADDRESSES +++

The Federal Court of Justice has ruled that the copyright claim to information on "name and address" does not at the same time include information on e-mail addresses, IP addresses and telephone numbers. The term used in the relevant provision coincides with the term "addresses" used in the European Directive on the Enforcement of Intellectual Property Rights and, according to a ruling by the European Court of Justice, does not also include this specific data of users. There were no indications that the legislator intended to go beyond the EU regulation with the standard of the German Copyright Act.

To the court's press release

+++ REGIONAL COURT OF LANDSHUT: NO COMPENSATION FOR DAMAGES MERELY ON ACCOUNT OF VIOLATIONS OF DATA PROTECTION LAW +++

The Regional Court of Landshut has ruled that the mere violation of data protection law is not sufficient for a claim for damages. Rather, material damage must be claimed and quantified. For non-material damages, the violation must have led to a concrete, not just insignificant or perceived violation of the personal rights of the affected data subject. The court also rejected a claim for damages against the data protection officer because the latter was not a "controller" within the meaning of the GDPR.

To the judgement (of 6 November 2020, file ref. 51 O 513/20)

+++ HIGHER ADMINISTRATIVE COURT OF LUENEBURG: UNLAWFULNESS OF POLICE VIDEO SURVEILLANCE DUE TO INSUFFICIENT DISCLOSURE +++

The Higher Administrative Court of Lueneburg has ruled that video surveillance is unlawful if it is not adequately disclosed. Admittedly, the infringement of the right to informational self-determination by the video surveillance was justified. Nonetheless, the court did not consider the requirements for the disclosure of the surveillance to be fulfilled. The information stickers attached to posts by the police for this purpose were not suitable. Due to the curvature of the posts and the multitude of other stickers and notes regularly affixed to these posts, the indications were not sufficiently perceptible to the average traffic participant.

To the court's press release

+++ REGIONAL COURT OF ROSTOCK: PRE-SET COOKIE BANNER IS INADMISSIBLE +++

The Regional Court of Rostock has ruled that a cookie banner with pre-set permission that is only to be confirmed by clicking on "OK" is illegal. The user regularly does not take the effort to have details displayed and to deselect individual cookies. The court did not accept the option to limit the consent to technically necessary cookies by clicking on "Use only necessary cookies", as the button in question was not recognisable as a clickable button due to its discreet design next to the "Allow cookies" button. Moreover, the court considered the website operator and Google to be joint controllers for the data processing of Google Analytics. The court thus follows the predominant opinion of the authorities (see BB Privacy Ticker of June 2020).

To the judgement (published by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband))

+++ AUSTRIAN POST ESCAPES GDPR FINE DUE TO FORMAL ERROR +++

In 2019, Austrian Post had actually collected a fine of EUR 18 million (see BB Privacy Ticker of November 2019). Now, the Austrian Federal Administrative Court has overturned the decision of the data protection authority due to a formal error because no specific person had been designated as ultimately responsible in the decision. The naming of several possible employees with key functions at Austrian Post is not sufficient, as the person acting must be specifically identified. The court had developed this case law only after the decision of the competent data protection authority in another case but applied it here, so that Austrian Post no longer has to pay the fine.

To the ruling of the Austrian Federal Administrative Court (W258 2227269-1/14E)

3. Regulatory Investigations and Enforcement Actions

+++ CNIL IMPOSES RECORD FINES ON GOOGLE AND AMAZON +++

The French data protection authority (CNIL) has imposed fines totalling EUR 100 million on Google and EUR 35 million on Amazon. The reason was that no prior consent was obtained for the use of cookies on the sites google.fr and amazon.fr. The existing cookie banners also did not provide sufficient information about which cookies would be stored on the users' end devices. CNIL justified the amount of the fine with the high number of affected users, the seriousness of the violation and the high profits that the companies make from advertising revenue generated by the advertising cookies.

To the press release of CNIL regarding Google (French)

To the press release of CNIL regarding Amazon (French)

+++ FINE IN THE MILLIONS AGAINST NOTEBOOKSBILLIGER.DE IN LOWER SAXONY +++

The State Commissioner for Data Protection (LfD) of Lower Saxony has imposed a fine of EUR 10.4 million on notebooksbilliger.de for unlawful video surveillance of its employees. The company had monitored its employees by video for at least two years without a legal basis for doing so. The fact that the video surveillance was intended to prevent and investigate criminal offences and to track the flow of goods in the warehouse was not sufficient justification because it placed all employees under general suspicion. The unauthorised cameras had covered, among other things, workplaces, sales rooms, warehouses and common areas, and thus mainly affected employees, but also customers.

To the press release of LfD Lower Saxony of 8 January 2021

+++ CNIL IMPOSES MILLION DOLLAR FINE ON CARREFOUR +++

The French data protection authority (CNIL) has imposed a fine of around EUR 3 million on the retail and wholesale group Carrefour for a number of breaches of data protection. Among other things, retention periods were not observed and customer data was stored for far too long. There were data of more than 28 million customers who had been inactive for five to ten years. In addition, the group also violated information obligations, did not comply with regulations on the use of cookies, did not guarantee the protection of data subjects' rights easily enough and violated other French data protection regulations.

To the press release of CNIL (French)

+++ SWEDISH DATA PROTECTION AGENCY FINES HEALTHCARE PROVIDERS +++

The Swedish Data Protection Authority has imposed several fines ranging from EUR 240,000 to 2.9 million for lack of a needs and risk analysis regarding staff access to electronic health records. Such analyses are necessary in order to be able to assign a correct authorisation level to staff so that in turn the patients' right to privacy can be ensured. It was criticised in particular that staff members' access authorisation to the respective system had not been limited to what was strictly necessary for the performance of their duties.

To the press release of the supervisory authority (English)

4. Opinions

+++ STATE COMMISSIONER FOR DATA PROTECTION (LFD) LOWER SAXONY PUBLISHES GUIDANCE FOR COOKIE BANNERS +++

The Lower Saxony data protection authority has published guidance for the design of consent banners on websites. Here, the requirements for an effective consent are presented for cookies as well as for the integration of third-party service providers. The authority also warns against the design of cookie banners and website designs that strongly manipulate behaviour and are intended to control user behaviour ("nudging"); these could also lead to the invalidity of consent. Another criticism is that it is often not sufficiently simple to revoke consent and that rejecting cookies is often too complicated.

To the notes of LfD

+++ 100TH DATA PROTECTION CONFERENCE ADDRESSES WINDOWS 10, SECURITY AUTHORITIES' ACCESS TO ENCRYPTED COMMUNICATIONS, PROCEDURE FOR OBTAINING SUBSCRIBER DATA AND ePRIVACY DIRECTIVE +++

In its anniversary meeting, the Data Protection Conference (DSK) dealt, among other things, with telemetry functions and data protection in the use of Windows 10 and published an examination scheme for use in compliance with data protection laws.

The DSK rejects the demand for access by security authorities to encrypted communications. It views this as an undermining of the encryption solution, although this is an essential prerequisite for a resilient digitalisation in the economy and administration. The DSK also criticises the authorities' access powers in the current procedure for obtaining subscriber data as being too far-reaching and not in conformity with the constitution. The German Federal Constitutional Court has already issued guidelines in this regard, which the legislature has not yet implemented. In addition, the DSK appealed to the legislator to implement the ePrivacy Directive in full and in accordance with the GDPR. In the DSK's view, there is currently legal uncertainty regarding the applicability of the German Telemedia Act in addition to the GDPR and the ePrivacy Directive.

To the general press release of the DSK

To the resolution of the DSK regarding Windows 10

To the DSK's Windows 10 review scheme

To the resolution of the DSK regarding encrypted communication

To the DSK resolution on access to information on subscriber data

To the DSK resolution on the ePrivacy Directive

+++ STATEMENT OF THE EUROPEAN DATA PROTECTION BOARD (EDPB) ON THE ePRIVACY REGULATION +++

The European Data Protection Board (EDPB) has published a statement on the planned ePrivacy Regulation. The regulation should in no way lower the level of protection provided by the current ePrivacy Directive, but should complement the GDPR by providing additional safeguards for the confidentiality and protection of all types of electronic communications. The EDPB also warns against fragmentation of supervision, procedural complexity and a lack of consistency and legal certainty for individuals and businesses.

To the statement of the EDPB (English)
If you have any questions, please address the BEITEN BURKHARDT lawyer of your choice or contact the BEITEN BURKHARDT Privacy Team directly:

MUNICH

Dr Axel von Walter
Partner | CIPP/E | CIPM | Licensed Specialist for Copyright and Media Law | Licensed Specialist for Information Technology Law
Axel.Walter@bblaw.com
Tel.: +49 89 35065-1321

Laureen Lee
Lawyer | LL.M.
Laureen.Lee@bblaw.com
Tel.: +49 89 35065-1307

Gudrun Hausner
Lawyer
Gudrun.Hausner@bblaw.com
Tel.: +49 89 35065-1307

FRANKFURT AM MAIN

Dr Andreas Lober
Lawyer
Andreas.Lober@bblaw.com
Tel.: +49 69 756095-582

Lennart Kriebel
Lawyer
Lennart.Kriebel@bblaw.com
Tel.: +49 69 756095-477

Susanne Klein
Lawyer | LL.M. | Licensed Specialist for Information Technology Law
Susanne.Klein@bblaw.com
Tel.: +49 69 756095-582

DUSSELDORF

Mathias Zimmer-Goertz
Lawyer
Mathias.Zimmer-Goertz@bblaw.com
Tel.: +49 211 518989-144

Christian Frederik Döpke
Lawyer | LL.M. | LL.M.
Christian.Doepke@bblaw.com
Tel.: +49 211 518989-144

Imprint

This publication is issued by
BEITEN BURKHARDT Rechtsanwaltsgesellschaft mbH
Ganghoferstrasse 33 | D-80339 Munich
Registered under HR B 155350 at the Regional Court Munich/VAT Reg. No.: DE811218811
For more information see: https://www.beiten-burkhardt.com/en/imprint

EDITOR IN CHARGE
Dr. Andreas Lober | Lawyer | Partner

© BEITEN BURKHARDT Rechtsanwaltsgesellschaft mbH. All rights reserved 2021.

PLEASE NOTE
This publication cannot replace consultation with a trained legal professional. If you no longer wish to receive this newsletter, you can unsubscribe at any time by e-mail (please send an e-mail with the heading “Unsubscribe” to newsletter@bblaw.com) or any other declaration made to BEITEN BURKHARDT.

beijing | berlin | brussels | dusseldorf | frankfurt am main | hamburg | moscow | munich
www.beitenburkhardt.com