Privacy & Information Security Law Blog

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

During the Conference, Resolutions concerning the following topics were adopted:

New Employee Data Protection Law Required

The DPAs reiterated their call for a new employee data protection law, particularly since it will still take several years before the proposed General Data Protection Regulation (“Proposed Regulation”) becomes binding in Germany. In their view, in light of the ever-increasing monitoring of employees, the current uncertainties in the Federal Data Protection Act need to be resolved.

Biometric Facial Recognition Online

The growing use and accuracy of facial recognition technologies pose a significant risk to the public’s protected interests. Accordingly, the DPAs emphasized that such technology must meet rigorous legal standards:

• Consent is the sole applicable legal basis for processing such data if permanent biometric templates for facial recognition are created. The standard for valid consent required here is the same as for the processing of sensitive personal data (i.e., explicit, informed, opt-in consent). The purpose for the processing may not be changed, and it is not possible to obtain consent by reference to general terms and conditions or a privacy policy.
• Legitimate interest can provide a legal basis for the processing where biometric templates are temporarily created (“for a logical second”) to compare them with existing templates that were created after obtaining valid consent. Temporary templates must be deleted immediately after such comparison, and the data subject must always be sufficiently informed.
• The storage of biometric templates relating to third parties who cannot provide consent is unlawful.

Future Structure of Data Protection Supervision in Europe

This Resolution concerns the Proposed Regulation’s “One-Stop-Shop” regulatory model, as well as other proposals currently being considered by the European Council. Regarding these proposals, the DPAs outlined certain key elements that should be reflected in the future regulatory model, including:

• Wherever data subjects in a particular EU member state are affected by data processing, the relevant national DPA should be responsible, regardless of whether the data controller has an establishment in the relevant state or not.
• The “One-Stop-Shop” principle should apply where a company maintains establishments in several different EU Member States. The DPA responsible for compliance at the company’s headquarters should be the lead authority, and should closely cooperate with the other relevant DPAs, but data subjects should always be free to contact their local DPAs. The lead authority should work toward consensus with the other relevant DPAs.
• There is no need for a formal, time-limited procedure to obtain EU-wide privacy decisions. Responsibility for data protection compliance should not be shifted to the data protection authorities.

Human Rights and Electronic Communications

Building on their earlier Resolution concerning mass surveillance by the U.S. National Security Agency, the DPAs have provided a more detailed set of measures to be implemented. Their demands, which are listed in an Annex to the Resolution, include:

• Increased use of encryption technologies in a variety of scenarios;
• Further development of measures to protect traffic data (including metadata);
• More anonymous communications products;
• Development of optional localized Internet routing;
• Higher encryption standards for mobile communications and restrictions on geolocation;
• Restriction of cloud computing to trustworthy and certified providers if personal data are processed;
• Increased use of certified and open source software; and
• Increased public spending on IT security.

Police Requests for Assistance to Locate Suspects via Social Media

In this detailed Resolution, the DPAs reiterated their position that public authorities using social networks for prosecution purposes is highly problematic, emphasizing public authorities can only use social networks for prosecutions if the networks fully comply with the provisions of the German Telemedia Act, especially as regards anonymization and pseudonymization.

The previous Conference was held in Bremen in October 2013.