Geolocation services: a five country survey

Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions: France, Spain, Germany, the United States and Hong Kong.  Privacy laws in each jurisdiction differ, including on the definition of "personal data" and on the degree of user consent that is required.  The article also examines the WP Art. 29 Opinion 13/2011 on "Geolocation services on smart mobile devices."  See the full article here.

German Higher Labor Court Permits Employers to Review Employees' Emails

by Hanno Timner

On February 16, 2011, the Higher Labor Court of Berlin-Brandenburg Germany ruled that an employer has the right to access and review work-related email correspondence of an employee during his/her absence from work (e.g. for reasons of illness or vacation).  According to this ruling, such a review of the employee’s email is not prevented by an employee’s right to use the company email system for private correspondence as well.  Through its decision, the Higher Labor Court has contributed to the ongoing debate in Germany about whether permitting an employee to use company equipment for private email correspondence leads to an application of the so-called "secrecy of telecommunications" (Telekommunikationsgeheimnis) and thus effectively precludes an employer's right to access the employee’s email correspondence at all, including the business correspondence.

In the case at hand, the plaintiff was unable to work due to a long-term illness.  The employer unsuccessfully tried to contact the employee to obtain her consent to the employer accessing and reading her business-related email correspondence in order to respond to customers’ requests.  After several weeks, the employer circumvented the employee’s password and, in the presence of a member of the local works council and the company’s internal data protection officer, read and printed the employee’s business-related email correspondence.  The employer did not read or print email correspondence labeled “private.”  The employee’s attempt to obtain a court order prohibiting her employer from accessing her email account during any future absences without her explicit consent was unsuccessful.  The Higher Labor Court did not accept the plaintiff's reasoning that, due to the fact that the plaintiff, as well as all other employees, was permitted to use the company’s computer system for private email correspondence, her employer should be considered a so-called “provider of telecommunication services” and thus be required to observe the “secrecy of telecommunications” according to Sec. 88 Telecommunications Act (Telekommunikationsgesetz).

The Higher Labor Court ruling supports a number of recent court decisions which are opposed to the prevailing view in the legal literature and to the position of the German Federal Government (which commented on the issue recently in connection with the law-making procedure for the Employee Data Protection Act).  That prevailing view holds that an employer does qualify as a "provider of telecommunication services," and therefore must observe the “secrecy of telecommunications,” if the employer permits private email correspondence using the employer’s IT system.  The secrecy of telecommunications permits even a professional provider of telecommunication services to collect call detail records or any other information relating to telecommunication services only insofar as required for billing purposes or in order to cure technical defects.

The Higher Labor Court's view is based on the reasoning that allowing use of a company email system for private communication is merely a side effect of the employment relationship and does not fall under the scope of the Telecommunications Act.  Additionally, the Court correctly pointed to the fact that the secrecy of telecommunications, if applicable, would only protect ongoing email traffic and not prevent the employer from accessing business-related email correspondence which has already arrived in the email inbox.

It remains to be seen whether the German Federal Labor Court will have an opportunity to decide this question, thereby putting an end to the ongoing debate about an employer's rights to access its employees' email correspondence.  In the absence of such a final ruling by the Federal Labor Court, the Higher Labor Court ruling should constitute a sound basis for employers to access employees' business-related email correspondence, even without the employees' explicit consent, provided that the employer does not interfere with ongoing email traffic and does not access emails which are clearly private.

(See: LAG Berlin-Brandenburg, ruling of 16 February 2011, file number: 4 Sa 2132/19, DB 2011, 1281-1282.)

German Federal Court of Labour voids withdrawal of appointment as internal data protection officer

The German Federal Court of Labor ruled on 23 March 2011 that an internal data protection officer's appointment may not be validly terminated merely because the employer wants to transfer this function to a service provider acting as external data protection officer. Internal and external data protection officers are widely used in Germany, partly because their appointment is mandatory once a certain number of employees process personal data, and partly because their appointment frees the company from filing registrations with local data protection authorities. The use of service providers as external data protection officers has become more popular since September 2009, when the amendments to the German Federal Data Protection Act provided stronger protection for employees acting as internal data protection officers against termination or withdrawal of their function. This ruling strengthens the position of the employee exercising this function and limits any German employer's ability to outsource this function to an external service provider.

The data protection officer's function includes the right to contact local data protection authorities if in doubt, and the officer mandatorily reports directly to the company's management.

In the case at hand, the plaintiff had been appointed as data protection officer at the defendant company in 1992. She spent 30 % of her working time fulfilling her tasks as data protection officer. The defendant company decided to appoint an external data protection officer for its group of companies and, therefore, withdrew the appointment of the plaintiff. The plaintiff's claim against this withdrawal was successful. Under German law, internal data protection officers (if their appointment is mandatory) may only be terminated for cause. The German Federal Court of Labor held that the appointment of an external data protection officer was no such cause. (The plaintiff had also been a member of the works council since 1994. This did not justify the termination of her function as data protection officer for cause either.)

In-house data protection officers are used not only in Germany, but also in other EU countries such as France or Sweden. Part of the EU legislative program for 2011 is the more widespread use of data protection officers. The EU Commission is currently contemplating making the appointment of an independent data protection officer mandatory and harmonising the rules related to their tasks and competences, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises (see the EU Commission's communication "A comprehensive approach on personal data protection in the European Union", COM(2010) 609).

German data protection authorities are cautious about the switch to external service providers. In a resolution on external DPOs published by the German State data protection authorities on 24/25 November 2010, it is accepted that the contract may stipulate a term of 1-2 years as a trial or testing period, followed by a minimum term of 4 years (without the company's right to terminate earlier for convenience). The long contract term is intended to enable the external service provider to exercise its function as independently, and as free from the fear of termination, as an internal data protection officer.

Link to the (German language) press release of the German Federal Court of Labor.

German Data Protection Authority Imposes €200,000 Fine for Targeted Advertising Without Adequate Consent

Dr. Stefan Schuppert in the Hogan Lovells Munich office prepared this entry.  Stefan is a member of the Hogan Lovells Privacy practice and the IP, Media & Technology group and advises companies in the fields of information technology and new media concerning intellectual property, contract law and data protection.

On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a €200,000 fine [link in German] against the Hamburg-based savings & loan Hamburger Sparkasse due to violations of the German Federal Data Protection Act (the BDSG) for, among other reasons, using neuromarketing techniques without customer consent.  The case, which attracted much negative publicity in Germany, including page 1 headlines and "top spots" in television news, may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany.

Factual background


Between 2005 and 2010, Hamburger Sparkasse disclosed its customers' bank account data regarding incoming and outgoing payments to customer consultants on a regular basis.  In addition, the bank used customer, sociodemographic, account balance, and product use data to create personality profiles of its customers.  For this purpose, the bank made use of modern neuromarketing and brain sciences techniques.  The customers were classified in different categories, such as “adventurer” or “connoisseur.”  Based on this information, the bank extended custom-tailored offers to its customers.  The customers had not been informed of and had not consented to the bank's activities.


National implications


The BDSG was amended in 2009 to introduce a stricter enforcement regime and to increase the maximum fine to €300,000 for each instance of unlawful processing of personal data.  According to the Hamburg DPA, the disclosure of bank account data to the external consultants as well as the creation of customer profiles constituted serious breaches of the BDSG, warranting the steep €200,000 fine.  According to the DPA, the fine may well have been even higher had the bank not cooperated rapidly in the disclosure of the incidents and made a strong commitment to comply with data protection law in future.


This case shows that the disclosure of bank account data is highly "sensitive" and that German regulators have been and remain seriously concerned whenever consumer, personality, or other profiles of a person are aggregated without valid consent.  Indeed, according to the head of the Hamburg DPA, Prof. Johannes Caspar, the intent was to send a clear signal to the market against the use of modern neuromarketing and comparable methods in violation of data protection law.  The case also clearly illustrates that German regulators are willing to enforce the new data protection regime and are well prepared to impose significant fines upon companies rather than merely giving them a warning notice.


To avoid such sanctions and negative publicity, banks and other companies using neuromarketing techniques should be transparent and base such activities on informed, freely given consent.  The case also demonstrates that cooperation with the authorities is highly advisable.


International implications


The decision of the Hamburg DPA may also attract attention beyond Germany and influence the interpretation of data protection laws in other countries, in particular with respect to the compliance of neuromarketing and brain sciences techniques with data protection laws.  Due to the sensitivity of such activities, it is likely that regulators in the EU will follow the approach taken by the Hamburg DPA.

German Privacy Watchdogs Require More Scrutiny When Transferring Data to the United States Under the Safe Harbor

Florian Unseld in the Hogan Lovells Munich office prepared this entry.  Florian specializes in data protection, information technology and intellectual property law. His work focuses on advising on all aspects of national and international data protection law, including major cross-border projects. Florian also advises on the drafting and negotiation of contracts, software licensing and the legal form and realization of IT projects.

Introduction

The German data protection authorities, acting through the Düsseldorfer Kreis, have issued an opinion that requires additional steps from German entities using the EU-US Safe Harbor for the transfer of personal data from Germany to the United States.

This is a somewhat startling development as it previously was assumed that registration under the Safe Harbor by a US recipient of personal data from the EU was, by itself, adequate for the transfers to proceed.  Now, in Germany at least, greater diligence is required by the exporter of the data to the US to confirm that the Safe Harbor principles are followed by the recipient in the US.

The Düsseldorfer Kreis is a working group of representatives from Germany's sixteen state data protection authorities that provides a uniform "German" approach to data protection questions.  It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that (some) US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes.

The representation by a U.S. entity that it is Safe Harbor certified now is not enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification.

The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, to ensure that entities claiming registration are in fact registered and compliant.  See our previous report on FTC enforcement activity.  It appears that the FTC's enforcement power and its record of enforcement were inadequate in the eyes of the German officials.

What more is needed when the Safe Harbor is used for Germany-US personal data transfers?

German companies now are obliged to assess certain minimum criteria prior to transferring personal data to Safe Harbor-registered US companies:

(1) German companies exporting personal data must confirm that the US entity actually is registered on the Safe Harbor, and is not just claiming that it is registered.

(2) There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations of notice to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of whatever third parties subsequently receive the data once it is transferred to the US; provision of a mechanism for data subjects to limit the use and disclosure of data; and a complaint process for data subjects.

(3) The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.

(4) In case any infringement of the Safe Harbor Principles or the expiration of a registration is detected, the data protection authorities should be informed.

Perspective

European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful which Safe Harbor certified company to choose -- or whether to switch to other approved safeguards (e.g., Standard Contractual Clauses), an alternative solution proposed by the Düsseldorfer Kreis.  It remains to be seen whether this additional level of Safe Harbor diligence will be required by other European regulators.


Germany Introduces Data Breach Notification Rules

On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009. 

The legal obligation of a data controller to notify data breaches to the affected individuals and to the relevant data protection authorities (usually, the state’s data protection commissioner – Landesdatenschutzbeauftragter) is restricted to the loss or unlawful transmission of sensitive data, i.e. personal data revealing (i) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and information on an individual’s health or sex life, (ii) information that constitutes a professional secret, (iii) information regarding criminal activities or administrative offenses, or (iv) information relating to bank accounts or credit card accounts.

In addition to the requirement that the personal data subject to the data breach must fall within one of the categories specified above, the loss or unlawful transmission of such personal data to a third party must constitute a severe threat to the rights or legitimate interests of the individuals involved. If these two requirements are met, the data controller must, first of all, immediately (“without undue delay”) inform the competent data protection commissioner of the data breach, providing (i) a precise description of the data breach itself, (ii) information regarding the potential consequences and risks of such breach, as well as (iii) measures that have been or will be taken by the data controller in order to mitigate the negative impacts of such breach. As a second step, the data controller must notify the individuals involved without undue delay, provided, however, that the controller has located the leak which has led to the data breach and taken all measures to prevent unlawful access by third parties through that leak (“responsible disclosure”). In case personal data relating to potential criminal acts or administrative offenses has been breached, the individuals involved will only be informed by the controller provided that such information does not put an ongoing criminal investigation at risk.

Generally, each individual whose personal data has been breached must be informed by the data controller. However, if the duty to inform would lead to extraordinary and unreasonable costs (e.g. if the data breach affects a large number of people), the data controller can meet its obligation by publishing a detailed notification (of at least half a page) in two newspapers which are published throughout Germany.

The amendment to the FDPA, which is clearly inspired by U.S. data breach notification laws, is an important contribution to the protection of consumers. It remains to be seen, however, how corporations and data protection authorities will deal with the fact that notification obligations only apply if a data breach poses a severe threat to important rights and legitimate interests of individuals.