Category: German Law

Facial recognition on the rise

4. August 2017

At Australian airports new technology will be rolled out which will help processing passengers by means of facial recognition. Peter Dutton, Minister for Immigration and Border Protection, said that 105 smart gates will be provided for this purpose as part of a AU$22.5 million contract with Vision-Box Australia. Vision-Box has already implemented a facial recognition system at New York’s JFK airport.

Australian government’s goal is to automatize 90 % of air traveller processing by 2020. After the implementation, passengers will not have to show their passports, but will be processed by biometric recognition of their faces, irises and/or fingerprints.

Meanwhile, at Berlin’s Südkreuz station the testing of a facial recognition system began. The software can recognise known suspects and alert the police. Currently, the software is only scanning the faces of 250 volunteers. Thomas de Maizière, the German interior minister, aims at improving security in Germany after several terrorist attacks.

However, concerns were raised over this technology by privacy activists as well as by well-respected lawyers. They fear that Germany could head towards a surveillance state. Besides, it is stated there was no constitutional basis for the use of these methods.

Dynamic IP-addresses are personal data

19. May 2017

The German Federal Court (Bundesgerichtshof, BGH) decided, that dynamic IP-addresses are personal data. Also the BGH decides, that website operators are allowed to store the IP-address.

The judgement precedes on a decision of the European Court of Justice (EuGH) from the last year.

The EuGH decides, that a dynamic IP-address is a personal data, when the person concerned can be identified by means of the IP-address.

A German politician worried about the storing of his IP-address, because different federal institutes and authorities stored unasked his IP-address after he visited their websites. He fears, that the institutes and authorities are able to understand what he read and clicked on in the past times. Therefore his fundamental right on informational self-determination is infringed. He wants the court to decide, that his IP-address can be stored during his visit but not above.

The BGH now established, that the dynamic IP-address is personal data and the fundamental rights of the users should not be infringed, but websites are allowed to invest protocols of the surfers who visited their website, after the visitation, but only on the premise of emergency response. Especially in cases of hacker attacks. A criminal prosecution must be possible. The legal foundation is § 15 Telemediengesetz (TMG). § 15 I TMG must be interpreted compliant to the European law. Collection and processing of personal data must be required for the functionality of the service.

It is good to know that the website operator has no possibility of identifying the user by means of his IP-address, only the internet provider is able to identify the user by means of the IP-address, because the provider allocates the IP-address to the user.

New German Data Protection Act

4. May 2017

The new German Federal Data Protection Act (Bundesdatenschutzgesetz – the ‘’new BDSG”), which will replace the Federal Data Protection Act of 2003, was adopted by the German Federal Parliament on April 27th 2017. The new Act´s aim is to adapt the current German data protection law to the GDPR (General Data Protection Regulation).

In a couple of weeks (probably on the May 12, 2017), the approval of the new BDSG by the German Federal Council is expected on plenary meeting. Once the new BDSG is adopted, it will become effective the same day as the GDPR.

In some respects, there are new BDSG requirements that are different from the GDPR. Among those, there are for instance such issues as: Data Protection Officer appointment, employee personal data processing, specific data processing requirements with respect to the video surveillance, scoring and creditworthiness and consumer credit.

For violations regarding exclusively the German law, the new BDSG imposes fines in amount up to 50, 000 EUR.

Category: GDPR · German Law

Talking doll deemed to be “concealed listening device”

21. February 2017

The German Federal Network Agency took the “My friend Cayla” doll off the market due to privacy concerns. The doll, which is equipped with a microphone, can answer children’s questions by the use of the Internet. Thus it was deemed as “concealed listening device” in accordance with section 90 Telecommunications Act (“Telekommunikationsgesetz”).

The Agency stated that the doll could be used for recording and transmitting children’s conversations without parents’ knowledge. Besides, it shall be possible to listen to children’s conversations by connecting with the doll via an unsecured radio link (Bluetooth).

After complaints were also filed in the US, the Federal Trade Commission decided not to take any action.

Meanwhile, the doll’s German distributor stated that “My friend Cayla” is not an espionage device and that they will challenge the Agency’s decision in court.

New law for telecommunication monitoring entered into force

18. January 2017

A new law for telecommunication monitoring entered into force in the New Year´s Eve in Germany. This law grants the German federal intelligence service (BND) extensive monitoring powers. The BND gets a legal basis for the strategic telecommunication monitoring. The BND is allowed to collect, process and store the dates for six month. Also allowed is a targeted monitoring in hazardous situations, like feared terrorist attacks. The collected data must have an international reference, this means, that the data must been send by foreigners abroad.

Being IT-Manager and Data Protection Officer? German Data Protection Authority sees this as a conflict of interest

24. November 2016

Background information:

Due to the fact that the German Federal Data Protection Act states that companies must appoint a Data Protection Officer if at least ten persons are involved in the automated processing of personal data, companies are asked to appoint an employee as an internal Data Protection Officer or appoint an external Data Protection Officer. In general, the Data Protection Officer needs to have the necessary knowledge of data protection law and must also be reliable and independent. Furthermore, a Data Protection Officer is reliability and independency in case he/she does not have other obligations which could lead to a conflict of interest.

What happened?

A German Data Protection Authority just fined a company as it appointed an internal Data Protection Officer who was also the IT-Manager. The Data Protection Authority argued that the position of an IT-Manager is incompatible with the position of the Data Protection Officer due to the fact that the Data Protection Officer would be required to monitor himself/herself. The Data Protection Authority explained that such self-monitoring is contradictory to the required independency that is necessary.

This is a very important statement as the upcoming GDPR requires the appointment of a Data Protection Officer as well and states further that it is not allowed that any further tasks and oblgations of the Data Protection Officer result in a conflict of interests – Having in mind that a violation of this may result in fines of up to 10.000.000 EUR or up to 2 % of the total worldwide annual turnover, whichever is higher.

German Office for Information Security declares: sensitive data is very low protected on smartphones

9. November 2016

The German Office for Information Security (BSI) published a survey concerning the security of personal data on smartphones.

  • 20,7 % of smartphone users do not have any security measures implemented against unauthorized access.
  • However, 74,6 % of smartphone users store sensitive data on their mobile device. This data includes for example pictures, videos, contact inforamtion, passwords and health data.
  • Not even 46,3% of smartphone users have basic protection measures implemented, such as software updates.

Arne Schönbohm, chairman of the BSI, commented in the respective press release that although smartphones can be seen as a computers in your pocket, the necessary security measures have not yet been established on these as on your computer at home.

 

Category: German Law · Personal Data
Tags:

MasterCard: Biometric Corporate Card Program is now also available in Germany

7. October 2016

A new biometric corporate credit card programm, called Identity Check Mobile, has been released by BMO Financial Group (BMO) and MasterCard in Canada and in the U.S. at the beginning of the year.

This programm enables cardholders to verify their transactions by using facial recognition and fingerprint biometrics in case they purchase online.

Introducing this verification process will increase security when purchasing without a face-to-face interaction so that the possibility of a card being used by anyone who is not the cardholder will be reduced.

Steve Pedersen, Vice President, Head, North American Corporate Card Products, BMO Financial Group commented on the programm by saying “The use of biometric technology has become more common for consumers looking for convenient and secure ways to make purchases using their smartphones, so this was the natural next step for us as innovators in the payment security space” he continued  “Mitigating the risk of fraud is always our top priority, and the inclusion of this technology is going to make payment authentication easier, and strengthen the security of the entire payments ecosystem.”

MasterCard just published that starting from the 4th Octobre 2016 this form of payment is also available in Germany.

Hamburg Data Protection Commissioner issues statement on the data exchange between Facebook and WhatsApp

27. September 2016

Today, the Hamburg Data Protection Commissioner (DPA) issued a press release announcing an administrative order that aims at prohibiting the data exchange between Facebook and WhatsApp.

The critical opinion of the Hamburg DPA is based on the following arguments:

  • Facebook and WhatsApp are legally independent companies, each of which has its own service terms and conditions.
  • This data exchange infringes German Data Protection Law, as a legal basis for the collection and processing of personal data is required. In this case, the Hamburg DPA does not identify a legal basis for this data exchange.
  • The legal basis is neither based on the user’s consent because Facebook has not obtained the effective consent of WhatsApp’s users.
  • The ECJ has recently ruled that if a subsidiary processes personal data on behalf of its mother company, the national data protection laws are applicable. Facebook has its subsidiary for German speaking countries in Hamburg. According to this ruling, German data protection law is applicable in this case.

Johannes Caspar, Commissioner of the Hamburg DPA, has remarked that the administrative order protects personal data of around 35 million WhatsApp users in Germany, who have not given their consent for the processing of their personal data by Facebook. Upon this data exchange Facebook would receive personal data of WhatsApp users that do not even have a Facebook account.

German Draft Act concerning the adaption of the upcoming GDPR

14. September 2016

The German Minister of Interior just released a Draft Act concerning the adaptipon of  the General Data Protection Regulation (GDPR), which will come into force in 2018.

However, netzpolitik.org published an article dealing with the critics about the respective draft, which have a crushing impact. Especially, both the Minister of Justice and the Federal Data Protection Officer released statements raising concerns. They worry that due to the Draft Act the data protection level will decrease in Germany so that in the end it will be less than before the GDPR.

Pages: 1 2 Next
1 2