
Saturday, April 29, 2017

Busy Month for German DPAs, Court, Legislators

April saw three significant privacy developments in Germany. On April 14, the federal and state data protection authorities released a draft Standard Data Protection Model, developed to assist data controllers by providing a practical approach to fulfilling their data security obligations under German law and the General Data Protection Regulation. An English translation of the 47-page guidance, prepared by the North Rhine-Westphalia DPA, is available here. Without being prescriptive, the Model contains a catalog of data security measures and a methodology for applying them. It structures legal requirements in terms of data protection goals, such as data minimization, availability, integrity, confidentiality, transparency, unlinkability and intervenability.

On April 25, the Hamburg administrative court upheld the September 2016 order by Hamburg DPA Johannes Caspar that Facebook stop sharing the data of German WhatsApp users with Facebook, agreeing with him that consent of the 35 million users for such transfers had not been obtained. While Facebook indicated it would appeal, it has for some time suspended such transfers of WhatsApp user data across Europe.

On April 27, the German Parliament passed a new Data Protection Act, designed to align current German data protection laws with the requirements of the GDPR and replace the current Federal Data Protection Act. Taking advantage of the GDPR’s opening clauses to exercise national discretion in certain areas, the Act contains provisions on such matters as the rights of data subjects, data protection officers, data processing in the employment context, and exceptions for processing special categories of personal data. The Act was passed in spite of considerable criticism, with the European Commission expressing dissatisfaction with it as late as one week prior to its passage. According to the Commission, the opening clauses were not intended to be used in this manner, and doing so undermines the harmonization goals of the GDPR. For example, while the GDPR sets significant penalties for non-compliance by companies, the Act creates rules allowing for the sanctioning of individuals, leading to potential liability for managers, employees and data protection officers, including the possibility of prison terms of up to three years.
