
The Privacy Advisor | Privacy Shield legality 'rather doubtful,' says German DPA

Related reading: German DPA Takes Steps After Safe Harbor Decision




The activist data protection authority from the German city-state of Hamburg has cast doubt on the legality of the new Privacy Shield agreement between the U.S. and EU.

At the end of February, the U.S. government and the European Commission unveiled the final text for the agreement, which would replace the struck-down Safe Harbor deal.

Before the process moves forward, the EU's many data protection authorities (DPAs) need to assess its wording and see whether it will pass the tests for legality set out by the European Court of Justice last year, when it struck down Safe Harbor. They are due to report back in mid-April.

"If the agreement will meet the high level of the requirements the ECJ postulated in the Schrems ruling is rather doubtful," Johannes Caspar said in an interview. "This has to be assessed very closely by the [DPAs]."

If the DPAs do not like what they see, there is little point in the Commission issuing the so-called adequacy decision that would establish the Privacy Shield agreement. The main thrust of the ECJ's Schrems ruling was to bolster the regulators' ability to investigate and even suspend data transfers regardless of the Commission's adequacy decisions, if they think citizens' rights are not being respected in the third country.

The big question is whether the DPAs are satisfied with reforms made by the Obama administration since Edward Snowden's mass surveillance revelations, namely Presidential Policy Directive 28 and the USA Freedom Act, both of which are supposed to introduce greater targeting into the surveillance process. A lot hinges on whether American promises to limit the "use" of bulk signals intelligence meet the ECJ's requirements for restrictions on "access" to that data as well.

In the meantime, Safe Harbor is dead, and the Hamburg DPA has become the first to start cracking down on companies that still rely on it for their transatlantic data transfers. Last month it confirmed that it was preparing fines against three U.S. multinationals, and investigating another two.

According to Caspar, all this activity is stretching his office to the limit.

"The control of the companies we inspected related to Safe Harbor costs a lot of time," he said. "Especially at a time [when] we have to overview Privacy Shield and prepare the General Data Protection Regulation simultaneously, we are completely overloaded."

Caspar's office also suffered something of a setback this month when the Hamburg administrative court ruled against it in a case involving Facebook's real-names policy.

Facebook won't let its users hide behind pseudonyms, and Caspar has long been trying to get the social network to drop that policy, as German privacy law allows pseudonymous activity. Specifically, it tried to stop Facebook from blocking the account of a woman who used a fake name.

However, the court issued a provisional ruling on March 3 which said Facebook's establishment in Germany was only marketing-related, so Facebook was only answerable to the DPA in Ireland, where its international operations are headquartered.

This ruling ran counter to recent decisions by the ECJ (in the Google Spain and Weltimmo cases) and the Brussels Court of First Instance (regarding Facebook and its tracking cookies), so Caspar said he would continue to fight for the ability to enforce German law regarding pseudonyms.

Meanwhile, the DPA has had a spot of luck in his long-running battle with Facebook, which he has also hassled over issues such as facial-recognition technology and the Friend Finder feature.

At the start of March, the German federal competition authority, the Bundeskartellamt, opened an antitrust probe into Facebook over what it suspects are unfair user terms. The terms in question give Facebook the right to collect user data for ad-targeting purposes. The investigation is highly unusual, as it uses competition law to address what is essentially a data protection issue.

"In the Internet economy there are new questions on how competition law should be enforced," Bundeskartellamt president Andreas Mundt told The Privacy Advisor. "The access to data has developed into a significant competition parameter and potential source of market power."

Caspar heartily agrees. "I welcome the activities of the Bundeskartellamt in that matter. It is a logical consequence of the fact that user data is the very core of the business model of companies like Facebook," he said.

"If those companies base their growth upon ignoring legal obligations, particularly privacy-related ones — and according to highest German courts Facebook has done so [for example] in friend finding — law-abiding competitors are in a tough position."

It remains to be seen whether the German antitrust authorities will try this tack with other companies — Mundt would not be drawn on this, which is understandable as this is a new legal avenue.

However, the move certainly has others concerned. A Google economist, Fabien Curto Millet, said this week that it "wouldn't be logical" to have competition officials delve into privacy issues.


  • comment John Berard • Mar 24, 2016
    It is no surprise that local authorities given the right to investigate, would, and that EU citizens given the right to sue, will, too.  Neither is it a surprise that Germany was and is first and fast out of the gate.  No surprise.
    Neither is it a surprise that the Privacy Shield (or whatever it is ultimately called) is essential. Data is the lingua franca of both society and business.  
    There will be a time (I suspect three-to-five years) where the shield will seem more like a sword. Fines will be levied, suits settled, market departures threatened and regulators' offices expanded.  But cooler heads will (likely) prevail.
    Until that time, it will be best for companies to focus on the privacy needs of their customers and be constantly clear about why the practices they deploy are the right ones.  Even Facebook's real names policy, under attack in jurisdictions where anonymity is a right, can and should be active in extolling the virtue and value of the practice.
    Until all is resolved, companies are best to take a page from a book on yoga: Be Present. It is difficult to vilify people you know.
  • comment Duncan Smith • Mar 29, 2016
    As EU DPAs take a different approach to enforcing the current overseas transfer rules, it is now impossible to adequately advise clients as to the risk and actions they should be taking. Businesses are now effectively forced into investing heavily in model contracts, BCRs or attempting a very complex re-consenting exercise. If DPAs are legally capable of acting independently, they should issue a clear, unambiguous statement, as to whether they will or will not pursue businesses for breach of extra EEA data transfer. "Get off the fence, everybody!"