Category: German Law
21. October 2020
In the beginning of October, the Hamburg Data Protection Commissioner (“HmbBfDI”) imposed a record-breaking 35,258,707.95 Euro GDPR fine on the German branch of the Swedish clothing-retail giant H&M. It is the highest fine, based on a GDPR violation, a German Data Protection Authority has ever issued.
Since 2014, the management of the H&M service centre in Nuremberg extensively monitored the private lives of their employees in various ways. Following holidays and sick leaves of employees, team leaders would conduct so-called “Welcome Back Talks” in which they recorded employees’ holiday experiences, symptoms of illnesses and medical diagnoses. Some H&M supervisors gathered a broad data base of their employees’ private lives as they recorded details on family issues and religious beliefs from one-on-one talks and even corridor conversations. The recordings had a high level of detail and were updated over time and in some cases were shared with up to 50 other managers throughout the whole company. The H&M supervisors also used this Personal Data to create profiles of their employees and to base future employment decisions and measures on this information. The clandestine data collection only became known as a result of a configuration error in 2019 when the notes were accessible company-wide for a few hours.
After the discovery, the H&M executives presented the HmbBfDI a comprehensive concept on improving Data Protection at their Nuremberg sub-branch. This includes newly appointing a Data Protection coordinator, monthly Data Protection status updates, more strongly communicated whistleblower protection and a consistent process for granting data subject rights. Furthermore, H&M has apologised to their employees and paid the affected people a considerable compensation.
With their secret monitoring system at the service centre in Nuremberg, H&M severely violated the GDPR principles of lawfulness, fairness, and transparency of processing pursuant to Art. 5 no. 1 lit. a) and Art. 6 GDPR because they did not have a legal basis for collecting these Personal Data from their employees. The HmbBfDI commented in his statement on the magnitude of the fine saying that “the size of the fine imposed is appropriate and suitable to deter companies from violating the privacy of their employees”.
16. June 2020
In a court ruling from May 19th 2020 with regards to the German Federal Intelligence Service (BND) and their manner of operation, the German Constitutional Court has proclaimed that the BND is bound by fundamental rights in cases of surveillance of foreigners, even outside of Germany’ federal territory.
Background
The case, which was brought to the court in the manner of a constitutional complaint by a collective of foreign journalists, found its origin initially through the disclosures made by Edward Snowden back in 2013, where some of the BND’s practices in relation to strategic foreign surveillance came to light. In 2016, German legislators passed a new law with the purpose to regulate surveillance done by the BND. However, that new law mainly restricted surveillance of German citizens, as well as foreigner living in Germany. It has been criticized that the new law did nothing to restrict and regulate the BND’s actions abroad by not having to abide by any legal provisions. The constitutional complaint brought to the German Constitutional Court deals with strategic surveillance from foreign reporters and journalists with regards to their highly confidential data necessary to perform their work through the BND, which risks to be exchanged with their own country’s intelligence agencies and in the process put them at risk of federal measures taken against them.
The key points
Territorial Scope. One of the biggest points of the court ruling has been the definition of the territorial scope of the fundamental rights at risk in this case. Since the complainants are journalists from outside the German territory, the Constitutional Court had to specify if the constitutional rights that would shield them from surveillance by the BND would find application in the matter. In this instance, the court has ruled that the fundamental rights are not limited to the German territory, but rather apply wherever the German state authority is acting. This is derived from Art. 1 III of the German Constitution (GG), which binds the German state authority to conformity with the Constitution. In such, as the fundamental rights from Art. 10 I, Art. 5 I GG are not simply applicable to Germans, the Constitutional Court has extended the range of application to foreigners in foreign countries, and given them international importance.
Current legislation is unconstitutional. In effect, the Constitutional Court has further analysed the new intelligence law from 2016, and ruled it unconstitutional in the current state. The main reason is that, due to the fact that the legislators assumed that the fundamental rights did not apply, they did not conform with the requirements set out in the Constitution for such law. In such, the new law violates the privacy of telecommunications and its requirements from Art. 10 I GG, and in addition does not meet the key requirements deriving from other fundamental rights, such as Art. 19 I GG. However, the Constitutional Court has stated that the law can be amended to follow fundamental rights and comply with the constitution. The court declared several points which are necessary to implement in the amended law, some of which we will present further below.
Independent oversight. The Constitutional Court stated that in order to ensure conformity with the Constitution and regulate the BND in a way that would ensure the protection of fundamental rights of the people under surveillance, it would be necessary to establish a new, independent oversight regime that would act to judge and regulate strategic surveillance. Its main purposes would be the legal oversight of the BND and protection of the surveillance subjects, as well as the control of the surveillance process, from the analysing of data to the transfer of information between agencies, etc.
Legislative suggestions. In the ruling of the case, the Constitutional Court also made a few suggestions in regards to potential statutory regulation in order to regulate the BND and its area of action better than it was in the past. Part of those suggestions were the necessity of defining the purpose of surveillance measures with precision and clarity, in order to ensure transparency, as well as the necessity for the legislator to set out essential framework for the analysis of the collected data, like a cease in analysis as soon as it becomes clear that the surveillance has touched the core of private life. The court also suggested that special requirements have to apply to the protection of professional groups with communications of increased confidentiality, and that the surveillance in these cases must be tied to qualified thresholds. The court also mentioned the storage and deletion of surveillance data, stating that the traffic data obtained should not be stored for longer than six months, while a systematic deletion policy needs to be established. In the terms of the transfer of information to other (foreign) intelligence agencies, the Constitutional Court made it clear that such transfers will need an official statutory basis in order to be lawful.
The court has given the German government until the end of 2021 to amend the law and make statutory changes to comply with the ruling and the decision of the international scope of the fundamental rights. While this may seem like a big set back for the BND, it is a chance to show that intelligence agencies can work on a high constitutional standard while also being successful in their purpose.
16. December 2019
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of 9.55 Million Euro on the major telecommunication services provider 1&1 Telecom GmbH (1&1). This is the second multimillion Euro fine that the Data Protection Authorities in Germany have imposed. The first fine of this magnitude (14.5 Million Euro) was imposed last month on a real estate company.
According to the BfDI, the reason for the fine for 1&1 was an inadequate authentication procedure within the company’s customer service department, because any caller to 1&1’s customer service could obtain extensive information on personal customer data, only by providing a customer’s name and date of birth. The particular case that was brought to the Data Protection Authority’s attention was based on a caller’s request of the new mobile phone number of an ex-partner.
The BfDI found that this authentication procedure stands in violation of Art. 32 GDPR, which sets out a company’s obligation to take appropriate technical and organisational measures to systematically protect the processing of personal data.
After the BfDI had pointed 1&1 to the their deficient procedure, the company cooperated with the authorities. In a first step, the company changed their two-factor authentication procedure to a three step authentication procedure in their customer service department. Furthermore, they are working on a new enhanced authentication system in which each customer will receive a personal service PIN.
In his statement, the BfDI explained that the fine was necessary because the violation posed a risk to the personal data of all customers of 1&1. But because of the company’s cooperation with the authorities, the BfDI set the fine at the lower end of the scale.
1&1 has deemed the fine “absolutely disproportionate” and has announced to file a suit against the penalty notice by the BfDI.
9. April 2019
Just recently, a German Labour Court (LAG Baden-Württemberg) has decided on the extent of Article 15 of the European General Data Protection Regulation (GDPR) with regard to the information that is supposed to be handed out to the data subject in case such a claim is made.
The decision literally reflects the wording of Art. 15 (1) GDPR which, amongst other things, requires information on
- the purposes of data processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- where the personal data are not collected from the data subject, any available information as to their source.
In contrast to the previous views of the local data protection authorities, which – in the context of information about recipients of personal data – deem sufficient that the data controller discloses recipient categories, the LAG Baden-Württemberg also obliged the data controller to provide the data subject with information about each individual recipient.
In addition, the LAG Baden-Württemberg ordered the data controller to make available to the data subject a copy of all his personal performance data. However, the court did not comment on the extent of copies that are to be made. It is therefore questionable whether, in addition to information from the systems used in the company, copies of all e-mails containing personal data of the person concerned must also be made available to the data subject.
Since the court has admitted the appeal to the Federal Labour Court (BAG) regarding this issue, it remains to be seen whether such an approach will still be valid after a Federal Labour Court decision.
25. March 2019
On 21 of March Maciej Szpunar, Advocate General of the European Court of Justice, delivered his Opinion in the case of Planet24 GmbH against Bundesverband Verbraucherzentralen und Vebraucherverbände – Verbaucherzentrale Bundesverband e.V. (Federal Association of Consumer Organisations). In the Opinion, Szpunar explains how to obtain valid consent for the use of cookies.
In the case in question, Planet24 GmbH has organised a lottery campaign on the internet. When registering to participate in the action lottery, two checkboxes appeared. The first checkbox, which did not contain a pre-selected tick, concerned permission for sponsors and cooperation partners to contact the participant in order to inform him of their offers. The second checkbox, which was already ticked off, concerned the consent to the setting of cookies, which evaluate the user’s surfing and usage behaviour.
The Federal Association held that the clauses used infringed german law, in particular Article 307 of the BGB, Article 7(2), point 2, of the UWG and Article 12 et seq. of the TMG and filed a lawsuit in 2014 after an unsuccessful warning.
In the course of the instances, the case ended up at the German Federal Supreme Court in 2017. The German Federal Court considers that the success of the case depends on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, and of Article 6(1)(a) of Regulation 2016/679. For that reason, it asked the European Court of Justice the following questions for a preliminary ruling:
(1) Does consent given on the basis of a pre-ticked box meet the requirements for valid consent under the ePrivacy Directive, the EU Data Protection Directive and the EU General Data Protection Regulation (the GDPR)?
(2) What information does the service provider have to provide to the user and does this include the duration of the use of cookies and whether third parties have access to the cookies?
According to the Advocate General, there is no valid consent if the checkbox is already ticked. In such case, the user must remove the tick, i.e. become active if he/she does not agree to the use of cookies. However, this would contradict the requirement of an active act of consent by the user. It is necessary for the user to explicitly consent to the use of cookies. Therefore, it is also not sufficient if one checkbox is used to deal with both the use of cookies and participation in the action lottery. Consent must be given separately. Otherwise the user is not in the position to freely give a separate consent.
In addition, Szpunar explains that the user must be provided with clear and comprehensive information that enables the user to easily assess the consequences of his consent. This requires that the information provided is unambiguous and cannot be interpreted. For this purpose, the information must contain details such as the duration of the operation of cookies, as well as whether third parties have access to the cookies.
7. February 2019
The Bundeskartellamt announced in a press release on their website on Febraury 7, 2019 that it imposes far-reaching restrictions on Facebook.
Up to now Facebook’s terms and conditions stated that users have only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account. Therefore, all data collected on the Facebook website, by Facebook-owned services which includes Instagram and WhatsApp as well as on third party websites can be combined and assigned to the account of a Facebook user.
The authority’s decision affects said processing of user data in Germany and covers different sources of data.
Firstly, all social networks/services can continue to collect data under the existing laws. But the collected data can only be transferred to Facebook itself if consent is given by the data subject (the user). If such a consent is not given, the data cannot be assigned to an existing Facebook account. Secondly, the same applies to collecting data from third party websites.
Consequently, without the above mentioned consent Facebook will face far-reaching restrictions concerning collecting and combining data.
The Bundeskartellamt states as reason for this decision that in December 2018 Facebook had 1.52 billion daily active users and 2.32 billion monthly active users and therefore also occupies a dominant position in the German market for social networks. It further claims that the market share of Facebook concerning social networks in Germany is more than 95 % (daily active users) and more than 80 % (monthly active users). Therefore, the conclusion is drawn that the group with its subsidiaries WhatsApp and Instagram occupy a key position in the market which indicates a monopolisation process. Competitors like Google+, Snapchat, YouTube or Twitter or professional networks like LinkedIn or Xing provide only components of the services offered by the Facebook Group.
The authority’s decision is not yet final. Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court. The company has already announced that it will appeal against the decision.
4. August 2017
At Australian airports new technology will be rolled out which will help processing passengers by means of facial recognition. Peter Dutton, Minister for Immigration and Border Protection, said that 105 smart gates will be provided for this purpose as part of a AU$22.5 million contract with Vision-Box Australia. Vision-Box has already implemented a facial recognition system at New York’s JFK airport.
Australian government’s goal is to automatize 90 % of air traveller processing by 2020. After the implementation, passengers will not have to show their passports, but will be processed by biometric recognition of their faces, irises and/or fingerprints.
Meanwhile, at Berlin’s Südkreuz station the testing of a facial recognition system began. The software can recognise known suspects and alert the police. Currently, the software is only scanning the faces of 250 volunteers. Thomas de Maizière, the German interior minister, aims at improving security in Germany after several terrorist attacks.
However, concerns were raised over this technology by privacy activists as well as by well-respected lawyers. They fear that Germany could head towards a surveillance state. Besides, it is stated there was no constitutional basis for the use of these methods.
19. May 2017
The German Federal Court (Bundesgerichtshof, BGH) decided, that dynamic IP-addresses are personal data. Also the BGH decides, that website operators are allowed to store the IP-address.
The judgement precedes on a decision of the European Court of Justice (EuGH) from the last year.
The EuGH decides, that a dynamic IP-address is a personal data, when the person concerned can be identified by means of the IP-address.
A German politician worried about the storing of his IP-address, because different federal institutes and authorities stored unasked his IP-address after he visited their websites. He fears, that the institutes and authorities are able to understand what he read and clicked on in the past times. Therefore his fundamental right on informational self-determination is infringed. He wants the court to decide, that his IP-address can be stored during his visit but not above.
The BGH now established, that the dynamic IP-address is personal data and the fundamental rights of the users should not be infringed, but websites are allowed to invest protocols of the surfers who visited their website, after the visitation, but only on the premise of emergency response. Especially in cases of hacker attacks. A criminal prosecution must be possible. The legal foundation is § 15 Telemediengesetz (TMG). § 15 I TMG must be interpreted compliant to the European law. Collection and processing of personal data must be required for the functionality of the service.
It is good to know that the website operator has no possibility of identifying the user by means of his IP-address, only the internet provider is able to identify the user by means of the IP-address, because the provider allocates the IP-address to the user.
4. May 2017
The new German Federal Data Protection Act (Bundesdatenschutzgesetz – the ‘’new BDSG”), which will replace the Federal Data Protection Act of 2003, was adopted by the German Federal Parliament on April 27th 2017. The new Act´s aim is to adapt the current German data protection law to the GDPR (General Data Protection Regulation).
In a couple of weeks (probably on the May 12, 2017), the approval of the new BDSG by the German Federal Council is expected on plenary meeting. Once the new BDSG is adopted, it will become effective the same day as the GDPR.
In some respects, there are new BDSG requirements that are different from the GDPR. Among those, there are for instance such issues as: Data Protection Officer appointment, employee personal data processing, specific data processing requirements with respect to the video surveillance, scoring and creditworthiness and consumer credit.
For violations regarding exclusively the German law, the new BDSG imposes fines in amount up to 50, 000 EUR.
21. February 2017
The German Federal Network Agency took the “My friend Cayla” doll off the market due to privacy concerns. The doll, which is equipped with a microphone, can answer children’s questions by the use of the Internet. Thus it was deemed as “concealed listening device” in accordance with section 90 Telecommunications Act (“Telekommunikationsgesetz”).
The Agency stated that the doll could be used for recording and transmitting children’s conversations without parents’ knowledge. Besides, it shall be possible to listen to children’s conversations by connecting with the doll via an unsecured radio link (Bluetooth).
After complaints were also filed in the US, the Federal Trade Commission decided not to take any action.
Meanwhile, the doll’s German distributor stated that “My friend Cayla” is not an espionage device and that they will challenge the Agency’s decision in court.
