Privacy & Information Security Law Blog

On October 9, 2014, the 88th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for all German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information to share their views on current data protection issues, discuss relevant cases and adopt resolutions aimed at harmonizing how data protection law is applied across Germany. During the conference, several resolutions concerning privacy were adopted.

Privacy in Connected Cars

The German DPAs highlighted the risks of data processing in the context of “connected cars.” According to the DPAs, automobile manufacturers, distributors, retailers, repair shops and providers of communications and telemedia services must ensure the informational self-determination of drivers. To ensure the informational self-determination of drivers, these entities must:

• Consider the principles of privacy by design and privacy by default in the development phase of new vehicles and communications services for vehicles.
• Observe the principles of data avoidance and data minimization during data processing operations in and around the vehicle. According to the DPAs, the minimum amount of data should be collected and it should be immediately deleted when no longer needed.
• Process data either pursuant to a contract or with the explicit consent of the data subject.
• Ensure transparency for drivers, owners and users of vehicles. This includes ensuring that they are fully informed about (1) the types of data that are collected and processed when driving the vehicle, (2) the data that is transmitted, (3) the particular systems that transmit data, (4) the recipients of the data that is transferred, and (5) the purposes of transfer.
• Ensure that data subjects (e.g., drivers and owners) are able to recognize, control and stop data transfers to service providers, such as the vehicle manufacturer, if the transfer is based on contract or consent. In addition, privacy-friendly system settings must provide data subjects with choices regarding processing and the ability to delete data.
• Ensure data security via appropriate technical and organizational measures, particularly with respect to data communications from cars.

Cooperation Between DPAs and Competition Authorities

The German DPAs agreed with the request of the German Monopolies Commission for stronger cooperation between data protection authorities and competition authorities. The Monopolies Commission also supports the adoption of the proposed EU General Data Protection Regulation.

Additional Resolutions

The German DPAs adopted other resolutions at the conference, including resolutions covering:

• the independency and efficacy of data protection supervision to protect fundamental rights;
• the right to delete search engine results; and
• the effective control of intelligence services.

The previous Conference was held in Hamburg in April 2014.