III. Privacy topics
Internet & Consumer Privacy
On 29 April 2010, the Düsseldorfer Kreis, an informal group of German federal state data protection authorities, published a decision [1] clarifying some due diligence responsibilities for German companies that export personal data to US companies that have self-certified under the EU-US "Safe Harbor" Agreement. [2] One of the due diligence requirements is for German companies exporting personal data to the United States to check whether the US data importer does indeed comply with the Safe Harbor Framework. [3]
On December 1, 2010, the Minister of the Interior, Thomas de Maizière, presented a draft law intended to improve data protection and the protection of individual rights from serious infringements on the Internet. [4] The draft law proposes to regulate individual profiling for which personal data from online services has been collected and combined for commercial purposes, and to define a “red line” beyond which the express and informed consent of the person concerned would be required.
Direct marketing issues are addressed by Section 7 of the German Unfair Competition Act. [5] According to its general clause, it is unfair to annoy market players, e.g., consumers, inappropriately. By default this applies to clearly unwanted advertisements, unsolicited commercial phone calls, marketing methods making use of automated calling machines, fax machines or e-mail (spam) without prior consent, and any direct marketing that cannot be linked back to the sender's identity. Direct marketing via e-mail is not prohibited as spam under the conditions that (1) an organization has received the e-mail address in the context of selling goods or services to the customer; (2) the organization uses the e-mail contact for marketing of very similar products and services; (3) the customer has not opposed the use of his e-mail for further direct marketing; and (4) the organization clearly sets out the right to opt out from direct marketing via e-mail at the time of the collection and at each usage of the e-mail address. Cold calling of consumers is a violation of Unfair Competition Law [6] and, since 2009, a misdemeanor that is punishable by a fine up to 50.000 EUR.
The Telemedia Act (TMG) was passed in March 2007, and applies to all electronic information and communications services which are not merely concerned with the conveyance of signals. [7] Telemedia service providers must inform users about the "character, extent and reason" of the collection and processing of user-related data. Service providers are required under the TMG to produce user data, such as user names or addresses, upon request of the German secret services. Further, user data may be demanded if necessary for the enforcement of intellectual property rights. [8]
Online social networks and virtual communities
In mid-2010, Hamburg’s Data Protection Commissioner launched an investigation against Facebook and its Friend Finder application, which provides for the synchronization of email and mobile phone address books. [9] In a nutshell, the practice of processing entries with personal data of people who don't use the respective social networking site was scrutinized in the light of the applicable German data protection legislation. On January 22, 2011, Facebook made concessions which address the privacy concerns by giving every Facebook member transparent control over the addresses he or she imports into the network and to whom invitations to join the social network will be sent. [10] It is unclear whether the changes will be introduced only for the German Facebook services or across the platform.
Online youth safety
Children and youth data protection is not separately regulated; the general data protection framework applies. Many initiatives concentrate on awareness raising and empowerment of young Internet users. [11] Certain social network sites operating in Germany, such as Facebook and VZNet, have signed the EU Safer Social Networking Principles, which aim at enhancing the protection of child users on these platforms. [12]
New employee data protection rules have been discussed since 2008. A first article (§ 32, Beschäftigtendatenschutz, Employee Data Protection Rules) was added to the BDSG in 2009. A more detailed draft of the Employee Data Protection Rules was adopted by the Cabinet of Ministers in August 2010, but the Parliament has not adopted it yet. [13]
Article 19 of the Genetic Diagnostic Law (Gendiagnostikgesetz) bans the request of genetic examinations or the use of results from genetic examinations before or during employment relationships. [14]
The Federal Labour Court (Bundesarbeitsgericht) ruled that the use of biometrics at entrance controls of workplaces is subject to compulsory employee participation (Mitbestimmung) and thus only legal after approval of the respective workers’ council or arbitration board. [15] Importantly, this also applies if the biometric system is placed at the premises of a third party (e.g. the customer of a service company), when the employer instructs his/her employees to use the system.
Health & Genetic Privacy
Since 2005, gematik, a joint venture of doctors’, hospitals’, pharmacies’ and health insurers’ associations, has been responsible for the development and introduction of the electronic health card (elektronische Gesundheitskarte, eGK) and supporting infrastructure in Germany. [16] In November 2009, the Federal Ministry of Health put the roll-out of the electronic health card temporarily on hold because of data security concerns mainly raised by doctors. [17] The new priorities are a secure patient data management system and a voluntary possibility to store emergency data; other applications have to prove their utility, practicability and security.
In April 1998, a law was passed that allows the Bundeskriminalamt (Federal Police) to run a nationwide database of genetic profiles related to criminal investigations and convicted offenders. [18]
In 2009, the German Parliament passed the Genetic Diagnostic Law (Gendiagnostikgesetz), which covers genetic examinations for medical purposes, clarifications of parentage and descent, as well as genetic examinations in the insurance and employment sector. [19] The law is founded on the principle of informational self-determination, which also comprises the right not to know. Article 18 concerns genetic examinations and the use of their results in the insurance sector, which is unlawful with a few exceptions. Article 19 of the law bans the request of genetic examinations or the use of results from genetic examinations before or during employment relationships.
In Germany, financial privacy (so-called Bankgeheimnis) is not specifically codified but is acknowledged as customary law. Banks and other financial institutions have a duty of confidentiality about the financial affairs of their customers. In 2002, new legislation imposed an obligation on banks and financial institutions to set up a new database which allows for automated access to customer information by the competent financial supervisory authority, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin). [20] German authorities have acquired datasets revealing German citizens' bank account information abroad, in particular from banks in Liechtenstein and Switzerland (so-called “Steuersünder-CDs”). According to a decision of the Federal Constitutional Court (Bundesverfassungsgericht), the use of these personal data for law enforcement is permissible even if the acquisition has not been lawful. [21]
- 1. Düsseldorfer Kreis, "Beschluss der obersten Aufsichtsbehörden für den Datenschutz im nichtöffentlichen Bereich am 28./29. April 2010 in Hannover", 28-29 April 2010, available at <http://securitybreaches.files.wordpress.com/2010/12/100428_29-dusseldorf... (in German). English version: Supreme Supervisory Authorities for Data Protection in the Nonpublic Sector (Germany), "Examination of the Data Importer’s Self-Certification According to the Safe-Harbor-Agreement by the Company Exporting Data" (revised version of Aug. 23, 2010), available at <http://www.datenschutzberlin.de/attachments/710/Resolution_DuesseldorfCi....
- 2. US Department of Commerce, "Safe Harbor" website <https://www.export.gov/safeharbor/>.
- 3. For more details, see Marie-Andrée Weiss & Cédric Laurant, "The Safe Harbor Framework: not a 'Safe Harbor' anymore for US Companies? German Expert Body Insists on Stronger Compliance Stance". Information Security Breaches & The Law Blog, 9 July 2010 <http://blog.security-breaches.com/2010/07/09/safe_harbor_framework_not_a... and Willkie Farr & Gallagher, "German Authorities Issue Privacy Decision Clarifying Due Diligence That Must Be Conducted on Companies Using the Safe Harbor Framework to Transfer Personal Data to the U.S.", 17 June 2010, available at <http://www.willkie.com/files/tbl_s29Publications%5CFileUpload5686%5C3392....
- 4. See “Datenschutz im Internet – Gesetzentwurf des BMI zum Schutz vor besonders schweren Eingriffen in das Persönlichkeitsrecht”. Available at <http://www.bmi.bund.de/SharedDocs/Downloads/DE/Themen/OED_Verwaltung/Inf... (in German).
- 5. The German Act Against Unfair Competition, available at <http://www.gesetze-im-internet.de/englisch_uwg/index.html>.
- 6. Id.
- 7. For example "webshops, mobile commerce, newsgroups, music download platforms, video on demand (VOD), internet search engines, emails and even simple company websites, but not to live-streaming of video, web-casting, IPTV (Internet Protocol TV) or VoIP (Voice Over Internet Protocol - internet telephony)." See Henning Kreig, “German Telemedia Act introduces new rules for New Media,” Bird & Bird Articles, 5 March 2007, available at <http://www.twobirds.com/english/publications/articles/German_Tele_Media_....
- 8. Id.
- 9. EDRIgram of July 14, 2010: “Facebook Faces Serious Fines In Germany”. Available at <http://edri.org/edrigram/number8.14/facebook-germany-investigation-dpa>.
- 10. See press release of Hamburg’s Data Protection Commissioner of 24 January 2011: „Facebook ändert Verfahren des Friend-Finding Verbesserungen für den Datenschutz vereinbart“, available at <http://18.104.22.168/2011-01-24_Facebook.pdf> (in German); Spiegel Online International of January 22, 2011: “Facebook Agrees to Change 'Friend Finder' Feature”. Available at <http://www.spiegel.de/international/business/0,1518,741027,00.html>.
- 11. See for example <https://www.klicksafe.de>.
- 12. See for further information <http://ec.europa.eu/information_society/activities/social_networking/eu_....
- 13. <http://www.bundesrat.de/SharedDocs/Drucksachen/2010/0501-600/535-10.html>.
- 14. Law on Genetic Examinations of Humans (Gesetz über genetische Untersuchungen bei Menschen). Available at <http://www.gesetze-im-internet.de/gendg/index.html> (in German).
- 15. Federal Court for Employment (Bundesarbeitsgericht), 1 ABR 7/03, 24 January 2004, available at <http://www.judicialis.de/Bundesarbeitsgericht_1-ABR-7-03_Beschluss_27.01... (in German).
- 16. See at <http://www.gematik.de/cms/de/startseite/index.jsp>.
- 17. See Heise online, November 19, 2009: “Elektronische Gesundheitskarte: Abgespeckt bis aufs Gerippe”. Available at <http://www.heise.de/newsticker/meldung/Elektronische-Gesundheitskarte-Ab... (in German).
- 18. "New Powers for the Border Police: Checks Anywhere at Any Time," Fortress Europe, FECL 56 (December 1998), available at <http://www.fecl.org/circular/5605.htm>.
- 19. Law on Genetic Examinations of Humans (Gesetz über genetische Untersuchungen bei Menschen). Available at <http://www.gesetze-im-internet.de/gendg/index.html> (in German).
- 20. Federal Commissioner for Data Protection and Freedom of Information (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit), “Kontenabrufverfahren - Staatliche Überwachung von privaten Konten”. Available at <http://www.bfdi.bund.de/cln_134/DE/Themen/WirtschaftUndFinanzen/Kredit-u... (in German).
- 21. See press release of the Federal Constitutional Court (Bundesverfassungsgericht) of November 30, 2010. Available at <http://www.bverfg.de/pressemitteilungen/bvg10-109.html> (in German).