Servus from Munich!
As everyone is recovering from 25 May (having realized that the world is still turning) and cleaning up their inboxes, I wanted to add a few words from the local privacy scene in Germany.
It has been a crazy year for privacy professionals around the world so far, and Germany is no exception. Companies, privacy advisers and data protection authorities faced big challenges in addressing the requirements arising from the EU General Data Protection Regulation. Bitkom (a major German association for IT and telecommunications) estimated on 17 May 2018 that only 25 percent of companies in Germany were on track with GDPR compliance. That might sound surprising for a country that should have been familiar with privacy regulations for quite some time. It makes me wonder how the numbers might add up in other EU countries.
I also wanted to highlight a few decisions that might have been overlooked in the last month:
- German privacy authorities decided to issue guidance on webtracking on 26 April 2018, leaving companies in ambiguity whether and to which extent especially webtracking on the basis of pseudonymized data requires explicit consent or not. The decision was broadly discussed as a political decision to anticipate the ePrivacy Regulation. Sounds like this could end up in court and/or the European Data Protection Board.
- Almost unnoticed, the German Federal Administrative Court decided on 31 May 2018, that the Federal German Intelligence Service, BND, has — upon request of the Federal Ministry of the Interior — the right to surveil and record international telecommunications routed via DE-CIX in Frankfurt, the largest internet exchange point worldwide.
- And on 5 June 2018, the EU Court of Justice confirmed the position of the Schleswig-Holstein data protection authority: Administrators of Facebook pages are jointly responsible for data processing operations of Facebook. So companies basically are currently unable to use Facebook fan pages in a privacy-compliant way from this perspective.
So, lots of things to discuss! These are definitely interesting times for privacy experts. Personally, I am trying to calm down clients and keep them away from the hysteria we saw around 25 May. Companies can expect that data protection authorities in Germany will check whether companies have structurally prepared themselves for the GDPR and addressed the topics above. But it is unlikely that they will have a detailed check on every single aspect of the GDPR beyond this at this point in time.
It is perhaps ideal, then, to highlight the fact that the IAPP is launching our first multilingual (German and English) privacy event, DPI Deutschland, on 18–19 Sept. in my hometown of Munich.
With the CIPP/E and CIPM certifications and trainings now available in German, the IAPP is offering an event specifically for the German-speaking world and the countries surrounding Germany. Needless to say, the Oktoberfest starts on 22 Sept. I would be delighted to welcome as many privacy experts as possible to our event this fall.
Stay in touch and Auf Wiedersehen,
If you want to comment on this post, you need to login.