Privacy & Information Security Law Blog

On November 26, 2020, the Conference of the German Data Protection Authorities (Datenschutzkonferenz, the “DSK”) issued a press release with conclusions from their 100th anniversary meeting.

Below is a summary of the key issues the DSK discussed, which focused on Schrems II implications:

• Windows 10: According to the press release, the DSK discussed data protection in the context of the Enterprise version of Microsoft’s Windows 10, in particular its telemetry functions, as well as the data protection improvements announced by Microsoft for Office 365. With regards to the telemetry functions, a DSK working group had previously determined in three test scenarios that data controllers use the “security” telemetry level when using the Enterprise version, and as a result, should take contractual, technical or organizational measures to ensure that no personal data is transmitted to Microsoft. With regards to Office 365, the DSK will remain in talks with Microsoft. For both issues, the DSK stated that it will consider the July 16, 2020 judgment of the Court of Justice of the European Union regarding the transfer of personal data to non-adequate countries (C-311/18) (“Schrems II”).
• Encryption: The DSK stated that it clearly opposes the requests of law enforcement authorities and intelligence services for access to encrypted communication in messenger services and private communications. The DSK’s press release criticized the draft resolution of the Council of the European Union, titled “Security through encryption and security despite encryption.” The DSK indicated that it believed the draft to soften the requirements for end-to-end encryption in favor of law enforcement authorities and intelligence services, which would be counter-productive and could easily be circumvented by criminals and terrorists. According to the DSK, secure and trustworthy encryption is an essential requirement for resilient businesses and public administrations. It also stated that encryption is a key tool for the transfer of personal data to non-adequate countries in light of the Schrems II.

Furthermore, the DSK called for legal certainty with respect to two additional issues relevant for German law:

• Telecommunications: The DSK called on the German legislature to implement the requirements of the Federal Constitutional Court’s May 2020 decision, which requires disclosure of telecommunications data by telecommunications providers to public authorities and the access to such data by authorized authorities (e.g., public prosecutors) on a proportionate and standardized basis. The DSK indicated that the current Section 113 of the German Telecommunications Act does not meet these requirements, and therefore, changes are required to the information procedures of public authorities.
• Cookies: The DSK also called on the German legislature to finally implement the ePrivacy Directive in full and in accordance with the EU General Data Protection Regulation. According to Article 5 (3) of the ePrivacy Directive, which has not been implemented fully in German law, the use of cookies requires the positive and informed consent of the user, and therefore, website operators and other parties whose services are designed based on cookies need legal certainty.

View the press release (in German).