Privacy & Information Security Law Blog

On February 28, 2024, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action on the right of access. Through the course of 2024, 31 data protection authorities across the European Economic Area, including seven German state-level authorities, will take part in this initiative on the implementation of the right of access. The EDPB selected the right access for its third coordinated enforcement action as it is “at the heart of data protection,” is a right that is very frequently exercised by individuals, and one that is often the basis of complaints to authorities.

On December 7, 2023, the Court of Justice of the European Union (“CJEU”) ruled that credit scoring constitutes automated decision-making, which is prohibited under Article 22 of the EU General Data Protection Regulation (“GDPR”) unless certain conditions are met. In a case stemming from consumer complaints against German credit bureau SCHUFA, the CJEU found that the company’s reliance on fully automated processes to calculate creditworthiness and extend credit constitutes automated decision-making which produces a legal or similarly significant effect within the meaning of Article 22 of the GDPR.

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On November 26, 2020, the Conference of the German Data Protection Authorities (Datenschutzkonferenz, the “DSK”) issued a press release with conclusions from their 100th anniversary meeting.

On October 1, 2020, the Hamburg Data Protection Authority (“DPA”) fined Hennes & Mauritz AB (“H&M”) € 35.3 million for unlawful employee monitoring practices in the company’s service center concerning several hundred employees. According to the DPA’s press release, H&M was maintaining excessive details about employees’ private lives since 2014. This includes notes taken by managers regarding (1) employees’ vacation experiences, illnesses, diagnoses and symptoms as discussed with managers during welcome-back talks after employees’ vacation or sick leave, and (2) information ranging from employees’ family problems to religious beliefs obtained by managers during floor talks. The information was stored digitally and could be read by up to 50 managers throughout the company. According to the DPA, the managers’ notes were sometimes made with a high level of detail and maintained over great periods of time. The press release states that the information was used to evaluate the performance of employees, create employee profiles and make other employment-related decisions.

On September 4, 2020, the European Data Protection Board (the “EDPB”) announced that it established two taskforces following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On August 24, 2020, the Data Protection Authority (“DPA”) of the German federal state of Baden-Württemberg issued guidance on international data transfers following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case (decision C-311/18 of July 16, 2020). As we previously reported, the judgment of the CJEU invalidated the EU-U.S. Privacy Shield framework and confirmed the ongoing validity of the controller-to-processor EU Standard Contractual Clauses (“SCCs”), subject to an adequacy assessment and, if necessary, additional safeguards to protect the personal data transferred pursuant to the SCCs. The guidance is notable because it is the first substantive guidance from a DPA following the Schrems II judgment (although the guidance is only applicable to companies established in the federal state of Baden-Württemberg).

On June 23, 2020, the German Federal Court of Justice (the Bundesgerichtshof, or “BGH”) issued a decision confirming the enforceability, in preliminary proceedings, of the order of the German Federal Cartel Office (the “Bundeskartellamt”) against Facebook’s data practices.

On June 3, 2020, the Presidency of the Council of the European Union (“the Presidency”) published a progress report on the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation” (the “Progress Report”).

On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.

The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (“the Berlin Commissioner,” Berliner Beauftragte für Datenschutz und Informationsfreiheit) announced that it had imposed a fine of €14.5 million (approximately $16 million) on Deutsche Wohnen SE, a prominent real estate company. This is the highest fine issued in Germany since the EU General Data Protection Regulation (“GDPR”) became applicable.

On September 17, 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz, (“DSK”) examined a proposal for calculating administrative fines under the EU General Data Protection Regulation (“GDPR”).  The press release of the DSK states that this initiative aims to ensure a calculation of fines against violations of the GDPR that is “systematic, transparent and understandable.” However, the press release refrains from describing the criteria of the fining model officially, as the fining model has not yet been adopted by the DSK.

On March 21, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the Case C-673/17 of Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (i.e., the Federation of German Consumer Organizations, the “Bundesverband”), which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views on how to obtain valid consent to the use of cookies in the case.

On November 7, 2018, the Data Protection Authority of Bavaria for the Private Sector (the “BayLDA”) issued a press release describing audits completed and pending in Bavaria since the EU General Data Protection Regulation (“GDPR”) took force.

On February 7, 2018, representatives of European Data Protection Authorities (“DPAs”) met in Brussels to appoint the new leader of the current Article 29 Data Protection Working Party (the “Working Party”). Andrea Jelinek, head of the Austrian DPA, was elected to the post and will replace Isabelle Falque-Pierrotin, leader of the French DPA, who has represented the Working Party over the past four years.

What were the hottest privacy and cybersecurity topics for 2017? Our posts on the EU General Data Protection Regulation (“GDPR”), EU-U.S. Privacy Shield, and the U.S. executive order on cybersecurity led the way in 2017. Read our top 10 posts of the year.

On November 8, 2017, the United States District Court for the Northern District of California ordered German defendants in an ongoing patent suit, BrightEdge Technologies, Inc. v. Searchmetrics GmbH, to produce a particular database, despite the defendants’ claims that such production would violate German privacy laws.

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice.

Recently, the fourth edition of the book, The International Comparative Legal Guide to: Data Protection 2017, was published by the Global Legal Group. Hunton & Williams’ Global Privacy and Cybersecurity lawyers prepared several chapters in the guide, including the opening chapter on “All Change for Data Protection: The European Data Protection Regulation,” co-authored by London partner Bridget Treacy and associate Anita Bapat. Several other global privacy and cybersecurity team members also prepared chapters in the guide, including David Dumont (Belgium), Claire François (France), Judy Li (China), Manuel E. Maisog (China), Wim Nauwelaerts (Belgium), Anna Pateraki (Germany), Aaron P. Simpson (United States), Adam Smith (United Kingdom) and Jenna Rode (United States).

Media sources have reported that the UK Department for Culture, Media & Sport has confirmed its plans to present its Data Protection Bill to Parliament when MPs return to Parliament in early September. The Bill follows commitments made in the Queen’s Speech in June, and will effectively copy the EU General Data Protection Regulation (“GDPR”) into the UK statute book. The Bill’s primary aim is to ensure that the UK retains the same data protection laws as the rest of the EU once it leaves the EU, which is likely to be in March 2019.

On June 20, 2017, the German Federal Ministry of Transport and Digital Infrastructure issued a report on the ethics of Automated and Connected Cars (the “Report”). The Report was developed by a multidisciplinary Ethics Commission established in September 2016 for the purpose of developing essential ethical guidelines for the use of automated and connected cars.

On May 24, 2017, the Bavarian Data Protection Authority (“DPA”) published a questionnaire to help companies assess their level of implementation of the EU General Data Protection Regulation (“GDPR”).  

This post has been updated. 

On April 27, 2017, the German Federal Parliament adopted the new German Federal Data Protection Act (Bundesdatenschutzgesetz) (“new BDSG”) to replace the existing Federal Data Protection Act of 2003. The new BDSG is intended to adapt the current German data protection law to the EU General Data Protection Regulation (“GDPR”), which will become effective on May 25, 2018.

On April 13, 2017, the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information published an English translation of the draft Standard Data Protection Model (“SDM”). The SDM was adopted in November 2016 at the Conference of the Federal and State Data Protection Commissioners. 

On October 19, 2016, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Patrick Breyer v. Bundesrepublik Deutschland, following the Opinion of Advocate General Manuel Campos Sánchez-Bordona on May 12, 2016. The CJEU followed the Opinion of the Advocate General and declared that a dynamic IP address registered by a website operator must be treated as personal data by that operator to the extent that the user's Internet service provider ("ISP") has - and may provide - additional data that in combination with the IP address that would allow for the identification of the user.

On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).

This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.

On June 22, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on certifications under Article 42 of the General Data Protection Regulation (“GDPR”). The GDPR will become effective on May 25, 2018.

This paper is part of a series of papers that the Bavarian DPA will be issuing periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasizes that these papers are non-binding.

Hunton & Williams announces its participation with the Global Legal Group in the publication of the third edition of the book The International Comparative Legal Guide to: Data Protection 2016. The guide provides corporate counsel and international practitioners with a comprehensive worldwide legal analysis of the laws and regulations relating to data protection. Bridget Treacy, partner and head of the UK privacy and cybersecurity practice, served as the contributing editor of the guide and co-authored the UK chapter.

On May 12, 2016, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued an opinion stating that Internet Protocol (“IP”) addresses are personal data and data protection law should apply to IP addresses. Specifically, the AG urged the CJEU to rule that a dynamic IP address is personal data to the extent that an Internet access provider has additional data that in combination with the IP address would allow for the re-identification of the user.

On February 25, 2016, the Court of Justice of the European Union (“CJEU”) heard arguments on two questions referred by the German Federal Court of Justice (Bundesgerichtshof). The first question was whether or not IP addresses constitute personal data and therefore cannot be stored beyond what is necessary to provide an Internet service.

On December 17, 2015, the German Federal Diet (Bundestag) adopted a draft law introducing class action-like claims that will enable consumer protection associations to sue companies for violations of German data protection law.

On Monday, November 2, 2015, Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) Senior Policy Advisor, Fred H. Cate, moderated an academic panel on The Data Dilemma: A Transatlantic Discussion on Privacy, Security, Innovation, Trade, and the Protection of Personal Data in the 21st Century. The event was sponsored by Indiana University and took place at the CIEE Global Institute in Berlin, Germany.

On October 26, 2015, the German federal and state data protection authorities (the “German DPAs”) published a joint position paper on Safe Harbor and potential alternatives for transfers of data to the U.S. (the “Position Paper”).

On October 16, 2015, the German Parliament adopted a new data retention law requiring telecommunications operators and Internet service providers to retain customer Internet and phone usage data, including phone numbers, call times, IP addresses, and the international identifiers of mobile users (if applicable) for 10 weeks. The law requires user location data obtained in connection with mobile phone services to be retained for four weeks. Telecommunications and Internet service providers also are required to ensure that the retained data is stored within Germany.

On October 14, 2015, the data protection authority (“DPA”) in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper (the “Position Paper”) on the Safe Harbor Decision of the Court of Justice of the European Union (the “CJEU”).

On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.

On August 14 and August 26, 2015, the Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Länder) issued a detailed position paper (“Position Paper”) and a press release on the main issues for the trilogue negotiations on the proposed EU General Data Protection Regulation (the “Regulation”). In the Position Paper and press release, the participating German Data Protection Commissioners (“German DPAs”) request the trilogue partners to focus on the following issues:

On July 30, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on both the seller and purchaser in an asset deal for unlawfully transferring customer personal data as part of the deal.

Hunton & Williams is pleased to announce its participation with the Global Legal Group in the publication of the second edition of the book The International Comparative Legal Guide to: Data Protection 2015. Members of the Hunton & Williams Global Privacy and Cybersecurity team prepared several chapters in the guide, including the opening chapter on “Legislative Change: Assessing the European Commission’s Proposal for a Data Protection Regulation,” and chapters on Belgium, China, France, Germany, the United Kingdom and the United States.

On May 28, 2015, the German government adopted a draft law that would require telecommunications and Internet service providers to retain Internet and telephone usage data. The initiative comes more than a year after the European Court of Justice declared the EU Data Retention Directive invalid, which had been implemented previously by German law. The German law implementing the EU Data Protection Directive had been declared unconstitutional by the German Federal Constitutional Court five years ago.

On May 11, 2015, the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (”ICO”) announced that they will participate in a coordinated online audit to assess whether websites and apps that are directed toward children, and those that are frequently used by or popular among children, comply with global privacy laws. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

On February 4, 2015, the German government adopted a draft law to improve the enforcement of data protection provisions that are focused on consumer protection. As reported earlier, the new law would bring about a fundamental change in how German data protection law is enforced.

On January 28, 2015, the German conference of data protection commissioners hosted a European Data Protection Day event called Europe: Safer Harbor for Data Protection? – The Future Use of the Different Level of Data Protection between the EU and the US.

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

On December 29, 2014, the Commissioner for Data Protection and Freedom of Information of the German state Rhineland-Palatinate issued a press release stating that it imposed a fine of €1,300,000 on the insurance group Debeka. According to the Commissioner, Debeka was fined due to its lack of internal controls and its violations of data protection law. Debeka sales representatives allegedly bribed public sector employees during the eighties and nineties to obtain address data of employees who were on path to become civil servants. Debeka purportedly wanted this address data to market insurance contracts to these employees. The Commissioner asserted that the action against Debeka is intended to emphasize that companies must handle personal data in a compliant manner. The fine was accepted by Debeka to avoid lengthy court proceedings.

On October 28, 2014, the German Federal Court of Justice referred the question of whether an IP address constitutes personal data under the EU Data Protection Directive 95/46/EC (“EU Data Protection Directive”) to the European Court of Justice (“ECJ”). The German court referred the question to the ECJ for a preliminary ruling in connection with a case that arose in 2008 when a German citizen challenged the German federal government’s storage of the dynamic IP addresses of users on government websites. The citizen’s claim initially was rejected by the court of first instance. The claim was granted, however, by the court of second instance to the extent it referred to the storage of IP addresses after the users left the relevant government websites. Subsequently, both parties appealed the decision to the German Federal Court of Justice.

On October 9, 2014, the 88th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for all German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information to share their views on current data protection issues, discuss relevant cases and adopt resolutions aimed at harmonizing how data protection law is applied across Germany. During the conference, several resolutions concerning privacy were adopted.

On September 16, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including updates in the EU and Germany, highlights on the UK Information Commissioner’s Office annual report and an APEC update.

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

An Israeli security firm recently uncovered a hacking operation that had been active for more than a decade. Over that period, hackers breached government servers, banks and corporations in Germany, Switzerland and Austria by using over 800 phony front companies (which all had the same IP address) to deliver unique malware to victims’ systems. The hackers purchased digital security certificates for each phony company to make the sites appear legitimate to visitors. Data reportedly stolen included studies on biological warfare and nuclear physics, plans for key infrastructure, and bank account and credit card data.

On August 19, 2014, the German Federal Ministry of the Interior published a revised draft cybersecurity law (the “Draft Law”). An earlier version of the law was published in March 2013. The Draft Law is intended to serve as a cornerstone of Germany’s recently-announced digital agenda.

On July 1, 2014, the Federal Court of Justice of Germany ruled that website operators cannot be compelled to disclose a user’s personal data to third parties in the context of civil defamation proceedings. The case is notable as it clarifies the limits Germany’s Telemedia Act places on how and when personal data can be disclosed in an online context.

On February 18, 2014, the Frankfurt am Main Regional Court issued a ruling addressing the use of opt-out notices for web analytics tools. The case concerned Piwik web analytics software and its “AnonymizeIP” function. The court held that website users must be informed clearly about their right to object to the creation of pseudonymized usage profiles. This information must be provided when a user first visits the website (e.g., via a pop-up or highlighted/linked wording on the first page) and must be accessible at all times (e.g., via a privacy notice).

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On January 24, 2014, the Chamber Court of Berlin rejected Facebook’s appeal of an earlier judgment by the Regional Court of Berlin in cases brought by a German consumer rights organization. In particular, the court: 

On February 11, 2014, Germany’s Federal Minister of Justice and Consumer Protection announced that consumer rights organizations will soon be able to sue businesses directly for breaches of German data protection law. Such additional powers had already been contemplated by the German governing coalition’s agreement and the Minister now expects to present a draft law in April of this year to implement them.

On January 28, 2014, the Federal Court of Justice of Germany clarified the scope of a data subject’s right of access to personal data in the context of credit scoring. Germany’s Federal Data Protection Act contains detailed and expansive provisions on the right of access where personal data are processed and shared to determine a data subject’s future behavior.

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines were published in November 2012.

The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

On November 4, 2013, the data protection authority (“DPA”) of the German state of Rhineland-Palatinate announced two sets of recommendations for mobile payment systems, including contactless payments. The recommendations were prepared in conjunction with the state consumer protection agency, the Ministry of Justice for Rhineland-Palatinate, the mobile payment industry and research organizations.

On October 2, 2013, the 86th Conference of the German Data Protection Commissioners concluded in Bremen. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On September 30, 2013, Hunton & Williams LLP hosted representatives from the U.S. Department of Commerce for a timely discussion of the Safe Harbor Framework, the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System (“CBPRs”), and the Transatlantic Trade and Investment Partnership (“TTIP”) negotiations. The panel also addressed the development of privacy codes of conduct and privacy legislation being developed by the Department of Commerce.

On September 6, 2013, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding traveled to Berlin where she commented on the status of the negotiations on the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Commissioner Reding indicated that she was looking for Germany to become involved in the discussions about the Proposed Regulation at the highest level, and she argued in favor of stricter regulations given recent revelations about surveillance programs such as PRISM. Because the vote on the Proposed Regulation only requires a majority to pass, she also emphasized that it would not be necessary to obtain the agreement of all of the EU Member States (for example, the UK or Ireland).

On September 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the first webcast in its new Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation, recent Safe Harbor issues from both European and American perspectives, and cybersecurity developments on both sides of the Atlantic.

Listen to a recording of the September Hunton Global Privacy Update.

Hunton Global Privacy Update sessions are 30-minutes in length and are scheduled to take place every two months.

On September 5, 2013, the 16 German state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information (the “DPAs”) passed a resolution concerning recent revelations about the PRISM, Tempora and XKeyscore surveillance programs.

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

On July 24, 2013, the Conference of the German Data Protection Commissioners at both the Federal and State levels issued a press release stating that surveillance activities by foreign intelligence and security agencies threaten international data traffic between Germany and countries outside the EEA.

The Bavarian data protection authority recently updated its compliance initiative regarding online tracking tools to include Adobe’s online tracking product (Adobe Analytics (Omniture)). As with previous initiatives of this nature, the underlying analyses were carried out in an automated manner, using a program specifically developed by the Bavarian data protection authority to verify compliance.

On June 6, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding key issues concerning the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). The discussions were based on the Irish Presidency’s draft compromise text on Chapters I to IV of the Proposed Regulation, containing the fundamentals of the proposal and reflecting the Presidency’s view of the state of play of negotiations. At the Council meeting, the Presidency was seeking general support for the conclusions drawn in their draft compromise text on the key issues in Chapters I to IV.

On April 30, 2013, the UK government announced guidance on its consultation on cybersecurity standards (the ”Consultation”). The Consultation was launched in March 2013, and follows the UK government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information-sharing on cyber threats.

In March 2013, the UK government launched its consultation on cybersecurity standards (the “Consultation”) following the government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information sharing on cyber threats.

On April 30, 2013, the regional court of Berlin enjoined Apple Sales International, which is based in Ireland, (“Apple”) from relying on eight of its existing standard data protection clauses in contracts with customers based in Germany. The court also prohibited Apple’s future use of such clauses.

On May 3, 2013, the German Federal Council (Bundesrat) passed a new bill regarding access to telecom user data, such as names, addresses, passwords and credit card PIN codes. This comes after the German Federal Diet (Bundestag) passed the German government’s bill on March 21, 2013, which amends, among other laws, Germany’s Federal Telecommunications Act.

On April 22, 2013, the higher administrative court of Schleswig issued two decisions rejecting an appeal by the data protection authority of Schleswig-Holstein (“Schleswig DPA”) that sought to challenge a lower court’s earlier rulings in Facebook’s favor.

On March 8, 2013, the German government published a response to a formal inquiry from one of the German Parliament’s parties on the international security, data protection and surveillance implications of cloud computing. The response describes international cooperation between German and foreign law enforcement agencies that have used mutual legal assistance treaties to obtain cloud data in foreign jurisdictions. An earlier study by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs considered the scope of U.S. laws that allow surveillance of non-U.S. residents in a cloud computing context. The German government’s response now provides information on how German law enforcement agencies obtain data from clouds outside their jurisdiction (e.g., in the United States) pursuant to mutual legal assistance treaties.

On March 27, 2013, the UK Government announced the Cyber Security Information Sharing Partnership (“CISP”), a partnership between government and industry to share intelligence on cybersecurity threats.

Introduction of the CISP follows a successful pilot program across key UK sectors and is part of the UK’s Cyber Security Strategy to facilitate information-sharing on cyber threats. It introduces a secure web portal where government and industry partners can exchange real-time information regarding threats and vulnerabilities they have identified. It also sets up a team of expert analysts, the Fusion Cell, to draw together a single intelligence picture of cyber threats across the UK. It is understood that the Fusion Cell will be staffed by analysts drawn from industry, as well as the law enforcement and intelligence communities.

On March 26, 2013, the Article 29 Working Party issued a press release on the recent developments concerning cooperation between the EU and the Asia-Pacific Economic Cooperation group (“APEC”) on cross-border data transfer rules. A joint EU-APEC committee, which includes the French and German data protection authorities as well as the European Data Protection Supervisor and the European Commission, has been studying similarities and differences between the EU’s binding corporate rules (“BCRs”) framework and APEC Cross-Border Privacy Rules. The committee’s goal is to facilitate data protection compliance in this area for international businesses operating in the EU and the APEC region, including by creating a common frame of reference for both sets of cross-border data transfer rules.

On March 14, 2013, the 85th Conference of the German Data Protection Commissioners concluded in Bremerhaven. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On March 5, 2013, the German Federal Ministry of the Interior published proposed amendments (in German) to the German Federal Office for Information Security Law. These proposed amendments are significant because they establish a new duty to notify the German Federal Office for Information Security in the event of a cybersecurity breach.

Two recently-published German court decisions have clarified German employee data protection law. The decisions validate the independence of works councils in determining how to comply with data protection law and clarify when unused employee email accounts can be deleted.

On March 1, 2013, the German Federal Council (Bundesrat) passed a new registration law after insisting on a number of important amendments (in German). Among other issues covered in the bill, the new law regulates how businesses can obtain the registered addresses of individuals in Germany from Germany’s public authorities (“official address data”) and use that information for commercial purposes.

On February 4, 2013, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) published a paper (in German) providing an overview of the information technology risks inherent in consumerization and bring your own device (“BYOD”) strategies. The Paper responds to what the BSI views as a growing trend of employees making personal use of employer IT systems as well as using their personal IT devices for work purposes.

On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.

On November 23, 2012, the German Federal Council (Bundesrat or the “Council”) published its comments on the European Commission’s strategy on cloud computing and also submitted them to the Commission.

On November 19, 2012, 40 German advertising associations launched the “German Data Protection Council for Online Advertising,” a new initiative to coordinate and enforce self-regulation in the German online behavioral advertising (“OBA”) sector. The initiative is linked to the European Interactive Digital Advertising Alliance (“EDAA”), which manages the self-regulation efforts of the European online advertising industry.

On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This bi-annual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On November 10, 2012, the German working group on technical and organizational data protection matters published guidelines (in German) on the technical and organizational separation requirements for automated data processing on shared IT systems (the “Guidelines”). The working group is part of the Conference of the German Data Protection Commissioners, which recently concluded its 84th Conference in Frankfurt (Oder).

On October 15, 2012, Privacy Commissioner of Canada Jennifer Stoddart and the Federal Commissioner for Data Protection and Freedom of Information in Germany, Peter Schaar, signed an agreement to increase intra-authority collaboration between their organizations. The agreement covers the exchange of information between the two data protection authorities, for example by informing each other of pending complaints. Notably, the agreement also addresses coordination between the DPAs with respect to their supervision of international data processing activities.

On September 27, 2012, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), together with the German Federal Commissioner for Data Protection, published a guide on traffic data retention. The guide, which is aimed at telecom providers, includes a comprehensive chart that clarifies data retention periods for different types of services, such as telephone, SMS, Internet and email, and their respective types of traffic data (e.g., mobile identification numbers, IP addresses and International Mobile Equipment Identity data) based on the purposes for the data storage.

As of September 1, 2012, all personal data in Germany may only be processed and used for marketing purposes (including address trading) with the express opt-in consent of the affected individuals. Furthermore, the consent language must have been specifically drawn to the attention of the relevant individual as part of the terms and conditions governing the use of his or her personal data.

On June 27, 2012, the Conference of the German Federal and State Data Protection Commissioners (the “Conference”) issued a Resolution and a comprehensive guidance paper regarding data protection compliance with respect to smart metering.

Smart metering is the use of intelligent energy networks and meters for monitoring and billing purposes. According to the Resolution, smart meter systems help guarantee a sustainable energy supply in terms of resource efficiency, environmental friendliness and the efficient production, distribution and use of energy. The guidance paper issued by the Conference describes and analyzes the individual processing activities involved in the various uses of smart metering in light of German data protection law. In particular, the guidance paper describes the “use cases” in terms of the respective level of data protection involved.

On May 24, 2012, the German Federal Government submitted to the Parliament (Bundestag) a proposal to amend the Geodatenzugangsgesetz, a federal law concerning access to geographical data that has been in force since 2009.

The current law implements Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (“INSPIRE”). In addition to establishing a national geographical data infrastructure, the law aims to provide a legal framework for (1) accessing geographical data, geographical data services and metadata of organizations that maintain such data, and (2) using such data and services, in particular with regard to measures that may affect the environment. The law applies to federal agencies and corporations under public law.

Following a meeting in Sopot, Poland, on April 24, 2012, the International Working Group on Data Protection in Telecommunications (the “Working Group”), led by the Berlin Commissioner for Data Protection and Freedom of Information, issued a Working Paper that focuses on privacy and data protection issues related to the use of cloud computing in the international context. The Working Paper aims to reduce uncertainty regarding the definition of cloud computing and how the technology intersects with privacy, data protection and other legal issues.

On March 8, 2012, during the CeBIT international IT trade show, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) accepted the German Insurance Association’s application for certification of the “Trusted German Insurance Cloud,” a project that aims to establish a secure IT platform for the German insurance industry.  The parties previously had agreed to work together to develop practical requirements for a secure cloud solution, and to implement appropriate security measures in the “Trusted ...

On March 22, 2012, the 83rd Conference of the German Data Protection Commissioners came to an end in Potsdam. The attendees indicated their general support for the European Commission’s proposed reform package aimed at modernizing and harmonizing data protection laws in the EU, but insist that Member States should have the authority to implement more stringent data protection measures for the area of public administration.