April 25 — Companies doing business in Germany may be facing stricter interpretations by privacy regulators of user consent requirements if recent guidance from German state data protection authorities (DPAs) is any indication.
The guidance is intended to clarify rules and make business compliance easier under German data protection laws, but it also shows a “more activist” approach by the 16 regional German DPAs, attorneys told Bloomberg BNA. The guidance is a joint effort of the regional DPAs acting together with the federal DPA as the Düsseldorfer Kreis.
Over the past six months, the approach of the regional DPAs to transfers of data to countries outside the European Union and data subject consent declarations have been “stricter than the courts,” the attorneys said.
“There is a tendency there to be stricter than the code,” Holger Lutz of Baker & McKenzie's Information Technology Group in Frankfurt said. “It is definitely more active. You see the direction they are heading.”
Sebastian Meyer, a data protection attorney at BRANDI in Bielefeld, Germany, said that regardless of the increased activism, DPAs have been limited by lackluster funding, and companies know that.
“If you're interested in getting more customers and more chances to use personal data, you will from time to time ignore these guidelines,” he said. Companies will realize that the limited funding will hamper the DPAs' ability “to go after all the companies which aren't in compliance with” the consent provisions, Meyer said.
The guidance on consent declarations under the Federal Data Protection Act and the German Telemedia Act noted that valid consent requires opt-in rather than opt-out provisions regarding use of personal data. Opt-out provisions had been standard practice.
“It does not create new requirements but merely summarizes existing case law and best practices about how consent should be obtained from individuals in the context of terms and conditions or other pre-formulated contracts,” Anna Pateraki, a data protection attorney at Hunton & Williams in Brussels, said.
The guidance “will help companies better comply with the existing requirements in Germany that when consent is given together with other documents, it should be drafted properly and be placed in a separate and clearly visible position,” she said.
But the guidance is stricter than both German laws and court rulings, Lutz said.
“It's definitely stricter than what we have had before, and it deviates—they are saying you need a separate opt-in version of consent, in principle and in general,” he said. “But the Supreme Court said in principle you don't need an opt-in.”
In response to an inquiry by Lutz about what he sees as a “contradiction,” DPA representatives said “it's not really a contradiction—in principle, there might be an exception and one of the exceptions might be the case set out in the court decisions.”
Lutz said he would advise his clients on the guidance principles but would also mention that the courts have taken a different view thus far, and it is the courts which would make a final and binding interpretation of the law—not the DPAs.
Under the forthcoming European Union General Data Protection Regulation (GDPR), the consent requirements are stricter because the regulation requires opt-in consent as a matter of principle—a pre-ticked tick box wouldn't be sufficient anymore, he said.
The German DPAs are “kind of taking the data protection regulation already into account” even though there is a two-year implementation period for the GDPR, he said.
Areas of statutory law presenting gray areas for interpretation of proper consent are also being more strictly enforced, attorneys said.
“In many cases, it's not that clear whether you have the statutory permission—if the data controller has a justified interest in processing the data,” Lutz said. “Here there is room to argue, and so many companies try to collect the consent to be secure even though they might not necessarily need it,” he said.
The DPAs “don't want it now,” Lutz said. “They are saying, ‘please don't collect consent for things you are allowed to do.’ The authorities are saying, ‘we don't like these broad overwhelming U.S.-style statements where you include everything—that won't work for us.’”
The ability of data subjects to withdraw consent is also of concern to the German DPAs. The DPAs' guidance advised companies to always tell the data subject they can withdraw consent.
The obligation to inform data subjects of the right to withdraw consent is only specified in the Telemedia Act, which covers website providers. But DPAs are now applying that obligation more broadly, attorneys said.
There has been increased activism by the DPAs over the past six months, Lutz said.
The DPAs—even from the more business-friendly Bavaria—have applied the consent rules much more strictly, an attorney who asked not to be named because of current ongoing negotiations with the authorities said. The approach has resulted in many more fines, the attorney said.
DPAs are openly citing specific companies for privacy violations in interviews with media and in their annual reports, something the regulators had previously refrained from doing, he said.
Lutz said that “a lot of the DPAs have sent questionnaires to companies now asking them specific questions,” such as, “do you have a data protection officer; do you transfer data abroad; if yes, how do you do that; what mechanism are you using, and so forth.” “And if there is information in the reply they deem strange, they dig deeper, ask other questions or do an audit,” he said.
Meyer said that a recent law that allows consumer protection agencies to sue on grounds of data protection violations may lead the authorities to look for ways to collaborate with these groups to better monitor companies' compliance.
Having the new consumer redress statute “is basically a good thing because it means that there will be no advantage for companies which are not complying with data protection provisions against those who make the investment to do so,” he said.
To contact the reporter on this story: Jabeen Bhatti in Berlin at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
The data protection consent guidance is available, in German, at https://www.datenschutz-mv.de/datenschutz/publikationen/informat/formular/OH_Formular.pdf.