Worldwide: Use of Data for Criminal Proceedings in Germany, Update to Controller to Processor Model Clauses, Powers of Entry and Audit Without Warrant, Proactive Privacy Protection
Communications, Media and Technology Updater

Data Protection / Privacy

Storage and use of data for the purpose of criminal proceedings in Germany deemed unconstitutional

With effect from 1 January 2008, the German parliament implemented EU directive 2006/24/EC on the "retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks" (EU Directive).

Pursuant to the German implementing law, communication providers in Germany were obliged to store without having to show cause for six months all (1) call detail records of telephony and (2) internet traffic and transaction data of their users. Under the legislation, the German authorities were entitled to recall and use such data for the purpose of actual criminal proceedings and the avoidance of imminent danger.

After the German implementing law became effective, more than 35,000 constitutional complaints (Verfassungsbeschwerden) were filed against the law on the grounds that it violated fundamental constitutional rights.

On 2 March 2010, the German Federal Constitutional Court (Bundesverfassungsgericht / BVerfG) decided that the data storage obligations would no longer have effect. The German implementing law was ruled as unconstitutional with immediate effect.

The BVerfG was of the opinion that the German implementing law did not preserve the principle of proportionality. The storage of data without actual cause was deemed to constitute a breach of the fundamental rights of the users and therefore would only be legal if stringent conditions for the forwarding of such data to the German authorities were defined. Such conditions were not contained in the German implementing law. In addition, the law did not sufficiently define the purpose for which the data might be used and did not sufficiently ensure the security of the data. As the forwarding and use of the stored data had not been settled correctly the storage of the data was unconstitutional.

However, the BVerfG also stated that, in principle, data storage laws are permissible if the above-mentioned requirements are met. The provisions of the EU Directive give enough scope to implement the EU Directive in line with the German constitution. Therefore, the BVerfG was not obliged to refer the German implementing law by way of a preliminary ruling procedure to the European Court of Justice. The interpretation of the provisions of the EU Directive was not relevant to the case.

Communication providers in Germany must now immediately (1) stop the storage of data in accordance with the old law and (2) delete all stored data.

Although the deadline for the implementation of the EU Directive has already expired (15 September 2007 for telephone data and 15 March 2009 for internet data) the EU Directive will not have direct effect in Germany. An EU directive may have direct effect after the expiration of the relevant deadline for implementation where relevant to the rights of EU citizens included in the EU Directive. In this case, however, the EU directive only includes restrictions on individuals (and not rights) so it cannot have direct effect.

The German parliament is in the process of discussing and passing a new implementation law which meets the requirements defined in the judgment.

European Commission updates controller to processor model clauses

The European Commission-approved standard contractual clauses for the transfer of personal data from an EU data controller to either data controllers or to data processors based outside the European Economic Area have been the only practical option to enable many transfers of personal data to countries that do not provide adequate protection for personal data to be made lawfully in the years since they were approved.

The European Commission issued a press release in February confirming that it had adopted Decision 2010/87/EU to update the controller to processor clauses. This decision will repeal and replace Decision 2002/16/EC, which approved the old data processor model clauses, with effect from 15 May 2010.

The new model clauses are intended to take account of the expansion of processing activities and new business models for international processing of personal data, for example increased outsourcing and cloud computing.

The new clauses explicitly allow 'sub-processing' for the first time, although some control must always be maintained by the data exporter by being informed of and consenting to the sub-processing. There are requirements for sub-processors to keep the data secure and to follow the same standards as those imposed on the data importer. There are also additional obligations on the data importer. There are still rights for the data subjects to enforce several of the contractual obligations and rights for the regulatory authorities to audit compliance by the sub-processors.

Contracts using the old model clauses can still be used where they were in force before 15 May and where the transfers and processing activities remain unchanged. However, the new model clauses must be used for any new arrangements from this date or where there are any changes to the processing. For those organisations that have in place framework agreements incorporating model clauses for all their international data processing operations, updates to those agreements (and, where relevant, approvals by regulators) will be needed, as the processing is likely to change over time.

Despite the additional obligations on the parties and updating required for some existing agreements, the updates to the clauses are broadly positive as they better reflect the realities of many transactions.

UK Information Commissioner to be given powers of entry and audit without a warrant effective on 6 April 2010

In November 2009, the UK legislature introduced provisions allowing the Information Commissioner (ICO) to compel government departments, designated public bodies and (where the Secretary of State agrees) designated types of private sector bodies to submit to a compulsory audit. In February 2010 the ICO issued a draft code of practice on how he would exercise these new powers for public comment (see http://www.ico.gov.uk).The final code of practice is due to come into force with the underlying amendment to the Data Protection Act on 6 April 2010.

Currently these powers are restricted to government departments. Their extension to private sector bodies was hotly debated during the legislative process and the draft code of practice states that the ICO will only seek this designation where there is a risk of non-compliance with the potential for damage and distress to a significant number of individuals. Health and credit referencing agencies might be potential candidates if the ICO makes this request.

The draft code of practice states that the ICO's preference will be to continue to conduct such audits on a consensual basis. Of interest to both public and private sector bodies, the ICO's code of practice on the exercise of his new powers to impose civil monetary penalties, states that he is more likely to impose such a penalty where the data controller has not consented to a consensual audit and subsequently infringements come to light. Resisting such a request is likely to be a high risk strategy.

The Privacy Dividend: the business case for investing in proactive privacy protection

On 3 March 2010, the UK Information Commissioner launched a report entitled "The Privacy Dividend" (the Report) which outlines the business case for organisations to invest in proactive privacy protection. It highlights the need for direction and accountability on the part of senior management for a company's privacy strategy.

The Report provides practical tools to help produce a financial business case for data protection which integrates privacy protection into the organisation's culture and governance. Public and private organisations can use the business case to engage senior management and justify spending on privacy protection.

The Report argues that: (i) personal information has commercial value; (ii) good data protection can bring business benefits; and (iii) there are significant drawbacks and potential costs to ignoring data protection. It highlights the key components of a privacy program and offers a structured approach for data protection officers to build their own business case to secure investment and build a privacy culture. It offers guidance on creating business cases for the implementation of a new system or to change an existing system.

There are appendices which assist in the construction of a customised business case, including calculation sheets covering: (i) value of personal information (from perspectives of organisation, individual, other parties and society); (ii) costs of privacy failure; and (iii) benefits of privacy protection.

Upon launch of this Report, the Information Commissioner, Christopher Graham, quoted: "No organisation can neglect to protect people's privacy. Not only is it the law, but there is also a hard-headed business imperative". Privacy officers can find convincing their organisations to invest in privacy procedures, training and reviews an uphill struggle, and the Information Commissioner is right to focus on giving those enthusiastic or responsible for compliance assistance with this task that goes beyond scare tactics.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.