PRIVACY TICKER 1. Legislative Changes - Beiten Burkhardt

Page created by Paul Butler
 
BEITEN BURKHARDT | NEWSTICKER | JANUARY 2021

PRIVACY TICKER
1. Legislative Changes

+++ EU COMMISSION PROPOSES REGULATION ON DATA GOVERNANCE +++
The EU Commission has published a proposal for a regulation on data governance. The intention is to facilitate and promote the exchange of data within the EU by creating a trustworthy framework to better exploit the ever-growing data pools and stimulate data sharing. In addition, a legal framework for so-called data intermediaries (neutral intermediaries for data sharing) is to be created. These must meet high standards of neutrality, transparency and security.

To the EU Commission's proposal

2. Case Law

+++ GERMAN FEDERAL COURT OF JUSTICE (BGH): NO RIGHT TO INFORMATION UNDER COPYRIGHT LAW WITH REGARD TO E-MAIL AND IP ADDRESSES +++
The Federal Court of Justice has ruled that the copyright claim to information on "name and address" does not at the same time include information on e-mail addresses, IP addresses and telephone numbers. The term used in the relevant provision coincides with the term "addresses" used in the European Directive on the Enforcement of Intellectual Property Rights and, according to a ruling by the European Court of Justice, does not also include this specific data of users. There were no indications that the legislator intended to go beyond the EU regulation with the standard of the German Copyright Act.

To the court's press release

+++ REGIONAL COURT OF LANDSHUT: NO COMPENSATION FOR DAMAGES MERELY ON ACCOUNT OF VIOLATIONS OF DATA PROTECTION LAW +++
The Regional Court of Landshut has ruled that the mere violation of data protection law is not sufficient for a claim for damages. Rather, material damage must be claimed and quantified. For non-material damages, the violation must have led to a concrete, not just insignificant or perceived violation of the personal rights of the affected data subject. The court also rejected a claim for damages against the data protection officer because the latter was not a "controller" within the meaning of the GDPR.

To the judgement (of 6 November 2020, file ref. 51 O 513/20)

+++ HIGHER ADMINISTRATIVE COURT OF LUENEBURG: UNLAWFULNESS OF POLICE VIDEO SURVEILLANCE DUE TO INSUFFICIENT DISCLOSURE +++
The Higher Administrative Court of Lueneburg has ruled that video surveillance is unlawful if it is not adequately disclosed. Admittedly, the infringement of the right to informational self-determination by the video surveillance was justified. Nonetheless, the court did not consider the requirements for the disclosure of the surveillance to be fulfilled. The information stickers attached to posts by the police for this purpose were not suitable. Due to the curvature of the posts and the multitude of other stickers and notes regularly affixed to these posts, the indications were not sufficiently perceptible to the average traffic participant.

To the court's press release

+++ REGIONAL COURT OF ROSTOCK: PRE-SET COOKIE BANNER IS INADMISSIBLE +++
The Regional Court of Rostock has ruled that a cookie banner with pre-set permission that is only to be confirmed by clicking on "OK" is illegal. The user regularly does not take the effort to have details displayed and to deselect individual cookies. The court did not accept the option to limit the consent to technically necessary cookies by clicking on "Use only necessary cookies", as the button in question was not recognisable as a clickable button due to its discreet design next to the "Allow cookies" button. Moreover, the court considered the website operator and Google to be joint controllers for the data processing of Google Analytics. The court thus follows the predominant opinion of the authorities (see BB Privacy Ticker of June 2020).

To the judgement (published by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband))

+++ AUSTRIAN POST ESCAPES GDPR FINE DUE TO FORMAL ERROR +++
In 2019, Austrian Post had actually collected a fine of EUR 18 million (see BB Privacy Ticker of November 2019). Now, the Austrian Federal Administrative Court has overturned the decision of the data protection authority due to a formal error because no specific person had been designated as ultimately responsible in the decision. The naming of several possible employees with key functions at Austrian Post is not sufficient, as the person acting must be specifically identified. The court had developed this case law only after the decision of the competent data protection authority in another case but applied it here, so that Austrian Post no longer has to pay the fine.

To the ruling of the Austrian Federal Administrative Court (W258 2227269-1/14E)

3. Regulatory Investigations and Enforcement Actions

+++ CNIL IMPOSES RECORD FINES ON GOOGLE AND AMAZON +++
The French data protection authority (CNIL) has imposed fines totalling EUR 100 million on Google and EUR 35 million on Amazon. The reason was that no prior consent was obtained for the use of cookies on the sites google.fr and amazon.fr. The existing cookie banners also did not provide sufficient information about which cookies would be stored on the users' end devices. CNIL justified the amount of the fine with the high number of affected users, the seriousness of the violation and the high profits that the companies make from advertising revenue generated by the advertising cookies.

To the press release of CNIL regarding Google (French)

To the press release of CNIL regarding Amazon (French)

+++ FINE IN THE MILLIONS AGAINST NOTEBOOKSBILLIGER.DE IN LOWER SAXONY +++
The State Commissioner for Data Protection (LfD) of Lower Saxony has imposed a fine of EUR 10.4 million on notebooksbilliger.de for unlawful video surveillance of its employees. The company had monitored its employees by video for at least two years without a legal basis for doing so. The fact that the video surveillance was intended to prevent and investigate criminal offences and to track the flow of goods in the warehouse was not sufficient justification because it placed all employees under general suspicion. The unauthorised cameras had covered, among other things, workplaces, sales rooms, warehouses and common areas, and thus mainly affected employees, but also customers.

To the press release of LfD Lower Saxony of 8 January 2021

+++ CNIL IMPOSES MILLION DOLLAR FINE ON CARREFOUR +++
The French data protection authority (CNIL) has imposed a fine of around EUR 3 million on the retail and wholesale group Carrefour for a number of breaches of data protection. Among other things, retention periods were not observed and customer data was stored for far too long. There were data of more than 28 million customers who had been inactive for five to ten years. In addition, the group also violated information obligations, did not comply with regulations on the use of cookies, did not guarantee the protection of data subjects' rights easily enough and violated other French data protection regulations.

To the press release of CNIL (French)

+++ SWEDISH DATA PROTECTION AGENCY FINES HEALTHCARE PROVIDERS +++
The Swedish Data Protection Authority has imposed several fines ranging from EUR 240,000 to 2.9 million for lack of a needs and risk analysis regarding staff access to electronic health records. Such analyses are necessary in order to be able to assign a correct authorisation level to staff so that in turn the patients' right to privacy can be ensured. It was criticised in particular that staff members' access authorisation to the respective system had not been limited to what was strictly necessary for the performance of their duties.

To the press release of the supervisory authority (English)

4. Opinions

+++ STATE COMMISSIONER FOR DATA PROTECTION (LfD) LOWER SAXONY PUBLISHES GUIDANCE FOR COOKIE BANNERS +++
The Lower Saxony data protection authority has published guidance for the design of consent banners on websites. Here, the requirements for an effective consent are presented for cookies as well as for the integration of third-party service providers. The authority also warns against the design of cookie banners and website designs that strongly manipulate behaviour and are intended to control user behaviour ("nudging"); these could also lead to the invalidity of consent. Another criticism is that it is often not sufficiently simple to revoke consent and that rejecting cookies is often too complicated.

To the notes of LfD

+++ 100TH DATA PROTECTION CONFERENCE ADDRESSES WINDOWS 10, SECURITY AUTHORITIES' ACCESS TO ENCRYPTED COMMUNICATIONS, PROCEDURE FOR OBTAINING SUBSCRIBER DATA AND ePRIVACY DIRECTIVE +++
In its anniversary meeting, the Data Protection Conference (DSK) dealt, among other things, with telemetry functions and data protection in the use of Windows 10 and published an examination scheme for use in compliance with data protection laws.

The DSK rejects the demand for access by security authorities to encrypted communications. It views this as an undermining of the encryption solution, although this is an essential prerequisite for a resilient digitalisation in the economy and administration. The DSK also criticises the authorities' access powers in the current procedure for obtaining subscriber data as being too far-reaching and not in conformity with the constitution. The German Federal Constitutional Court has already issued guidelines in this regard, which the legislature has not yet implemented.

In addition, the DSK appealed to the legislator to implement the ePrivacy Directive in full and in accordance with the GDPR. In the DSK's view, there is currently legal uncertainty regarding the applicability of the German Telemedia Act in addition to the GDPR and the ePrivacy Directive.

To the general press release of the DSK

To the resolution of the DSK regarding Windows 10

To the DSK's Windows 10 review scheme

To the resolution of the DSK regarding encrypted communication

To the DSK resolution on access to information on subscriber data

To the DSK resolution on the ePrivacy Directive

+++ STATEMENT OF THE EUROPEAN DATA PROTECTION BOARD (EDPB) ON THE ePRIVACY REGULATION +++
The European Data Protection Board (EDPB) has published a statement on the planned ePrivacy Regulation. The regulation should in no way lower the level of protection provided by the current ePrivacy Directive, but should complement the GDPR by providing additional safeguards for the confidentiality and protection of all types of electronic communications. The EDPB also warns against fragmentation of supervision, procedural complexity and a lack of consistency and legal certainty for individuals and businesses.

To the statement of the EDPB (English)

If you have any questions, please address the BEITEN BURKHARDT lawyer of your choice or contact the
BEITEN BURKHARDT Privacy Team directly:

MUNICH

Dr Axel von Walter
Partner | CIPP/E | CIPM | Licensed Specialist for Copyright and Media Law | Licensed Specialist for Information Technology Law
Axel.Walter@bblaw.com
Tel.: +49 89 35065-1321

Laureen Lee
Lawyer | LL.M.
Laureen.Lee@bblaw.com
Tel.: +49 89 35065-1307

Gudrun Hausner
Lawyer
Gudrun.Hausner@bblaw.com
Tel.: +49 89 35065-1307

FRANKFURT AM MAIN

Dr Andreas Lober
Lawyer
Andreas.Lober@bblaw.com
Tel.: +49 69 756095-582

Lennart Kriebel
Lawyer
Lennart.Kriebel@bblaw.com
Tel.: +49 69 756095-477

Susanne Klein
Lawyer | LL.M. | Licensed Specialist for Information Technology Law
Susanne.Klein@bblaw.com
Tel.: +49 69 756095-582

DUSSELDORF

Mathias Zimmer-Goertz
Lawyer
Mathias.Zimmer-Goertz@bblaw.com
Tel.: +49 211 518989-144

Christian Frederik Döpke
Lawyer | LL.M. | LL.M.
Christian.Doepke@bblaw.com
Tel.: +49 211 518989-144

Imprint
This publication is issued by
BEITEN BURKHARDT Rechtsanwaltsgesellschaft mbH
Ganghoferstrasse 33 | D-80339 Munich
Registered under HR B 155350 at the Regional Court Munich/VAT Reg. No.: DE811218811
For more information see: https://www.beiten-burkhardt.com/en/imprint

© BEITEN BURKHARDT Rechtsanwaltsgesellschaft mbH. All rights reserved 2021.

PLEASE NOTE
This publication cannot replace consultation with a trained legal professional. If you no longer wish to receive this newsletter, you can unsubscribe at any time by e-mail (please send an e-mail with the heading “Unsubscribe” to newsletter@bblaw.com) or any other declaration made to BEITEN BURKHARDT.

    EDITOR IN CHARGE
    Dr. Andreas Lober | Lawyer | Partner

beijing | berlin | brussels | dusseldorf
frankfurt am main | hamburg | moscow | munich

www.beitenburkhardt.com