Tag Archive: compliance

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not hold the means to link it to the respective data subject. The court also came to the conclusion the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC) as these provision do not provide for a statutory permission to process personal data based on a balancing of interest between legitimate interest of the data controller and the interest of the data subjects.



The case has been presented to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH“). The claimant Mr. Breyer had sued the German Federal Department of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV“) to cease-and-desist the registration and storing of his dynamic IP address after visiting the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit of the website to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website), if only a third party (here the internet service provider) holds the additional data necessary to identify a visitor of this website. Furthermore, the BGH asked whether the operator of a website has the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address does not only constitute personal data with respect to the internet service provider (which has the means to link the IP address to the individual behind the address in any case), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claims against an internet service provider to provide the name of an individual behind an IP address, the court found it to be sufficient, if the website operator can obtain the information required to identify the visitor of the website from the internet provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to and has to comply with the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data, if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case, if  the identification of the data subject was

  •  prohibited by law or
  •  practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to have a closer look on the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific comprehensive cases. A general provision which provides for the possibility of a balancing of interest in a particular case is not included. According to the ECJ, this lack of a statutory permission is not complaint with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand as all member state data protection laws now have to be reviewed whether they allow for balancing of interests, at least in individual cases.


The decision of the ECJ forces all operators of websites, irrespective of whether they are public administration or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

FRANCE: CNIL Adopts New “Compliance Pack” for the Insurance Sector

In November 2014, the French Data Protection Authority (“CNIL”) issued a new “compliance pack” for the insurance sector, following consultations with trade associations.

By Carol Umhoefer and Mathilde Hallé

The CNIL has started promoting compliance packs as a new tool for regulating the processing of personal data in specific sectors. The packs, adopted by the CNIL after stakeholder consultations, are intended to offer actionable information (notably with respect to CNIL filings) to comply with French data protection law.

The new compliance pack for the insurance sector has been prepared in collaboration with several major trade associations representing the largest French insurance groups. The pack includes (i) two preexisting Simplified Standards for the insurance industry, No. 16 relating to insurance policy management and No. 56 relating to client data management (both revised on July 11, 2013, see our previous post here), as well as (ii) three more recent Single Authorizations: Single Authorization No. 31 for the collection of social security numbers and access to the French National Directory of Identification of the Individuals (adopted on January 23, 2014), Single Authorization No. 32 for the collection of data concerning criminal offenses, (adopted on January 23, 2014), and Single Authorization No. 39 for the implementation by the insurance sector of anti-fraud measures (adopted on July 17, 2014).

The compliance pack also includes several practical information sheets to enable insurers and other professionals in the sector to better understand the legal framework applicable to personal data collection and processing in connection with their business.

The compliance pack also announces the creation of a “compliance club” in which the CNIL will to continue to work with the main stakeholders to develop and adapt filing requirements to regulatory  changes.

Readers will recall that Simplified Standards enable companies without internal data protection officers that choose to adhere to the conditions set forth in such Standards to make simplified filings with the CNIL, thus avoiding having to file the much more detailed normal filing. Similarly, the Single Authorization procedure allows companies that intend to process personal data for certain specific purposes to  implement such processing in compliance with French data protection law if they self-certify to the CNIL that the processing will comply with the specific conditions set forth by the CNIL. Insurance, capitalization, and reinsurance companies and insurance intermediaries that already filed on the basis on the aforementioned Simplified Standards and Single Authorizations are not required to make any additional filing with the CNIL.

Should you have any further questions regarding to the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-cnil-adopts-new-compliance-pack-for-the-insurance-sector/

Global: App providers, beware of sweeping privacy watchdogs!

By Patrick Van Eecke & Julie De Bruyn

The Global Privacy Enforcement Network (GPEN) is organizing an international privacy sweep between 12 and 18 May 2014, specifically targeted at mobile applications, involving 27 data protection authorities around the world .

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-app-providers-beware-of-sweeping-privacy-watchdogs/

Belgium: Beware of the barking Privacy Watchdog, she’s biting.


By Patrick Van Eecke and Julie De Bruyn (DLA Piper – Brussels)

The quietness in the privacy landscape in Belgium is about to drastically change.  Reason for the change of pace are the recent major data breaches that were published by the media. The Privacy Commission announced it will establish a dedicated task force to carry out proactive audits focusing on different sectors, such as financial and insurance institutions, hospitals and other health providers, and telecom operators.

Draft Belgian legislation will grant the Privacy Commission the power to independently impose monetary fines and other sanctions, such as the blocking of access to certain databases by non-compliant companies, or the withdrawal of the permits to make use of such (public) databases. The expansion of powers would transform the Privacy Commission from passive bystander to an actual ‘Privacy Police’.

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/belgium-beware-of-the-barking-privacy-watchdog-she-starts-biting/

FRANCE: The French Data Protection Authority (CNIL) Issues NEW Guidance on Cookies

By Carol Umhoefer, Jeanne Dauzier & Mathilde Hallé

The CNIL has issued new guidance on cookies compliance, marking a clear departure from its previous position and effectively adopting an opt-out approach consistent with the UK’s Information Commissioner’s Office (ICO).

In October 2011, and again in April 2012, the CNIL issued recommendations that interpreted French law as requiring express opt-in acceptance of cookies. In a decision dated December 5, 2013, the CNIL has now taken an opt-out approach to consent requirements:

  • The CNIL recommends posting a dedicated banner on the home page that states that by continuing to use the website, the user agrees to have cookies set on his/her terminal. The banner also needs to state the exact purpose(s) of the cookie(s), as well as the possibility to refuse cookies or modify cookies settings by clicking on a dedicated link. The banner is to remain displayed as long as the user stays on the home page. According to the CNIL, a cookie may never be placed if the user goes to the home page but does not browse the website (except when an express consent has otherwise been given), or if he/she clicks on the link in the banner to modify the cookies settings and refuses all cookies. 
  • By clicking on the link displayed on the banner, users must be provided with complete, clear and legible information about how to accept or refuse cookies. The user’s consent is valid only if the information provided is sufficient. To limit the risk of invalid consent due to unclear or insufficient information, it is recommended not to use any complex legal or technical terminology.

According to the CNIL, the user’s consent shall be considered valid for a maximum of 13 months. As a consequence, cookies cannot have a longer life. Upon the expiration of this period, the user’s consent must be obtained again.

The CNIL guidance also stresses that all actors involved in the process of setting cookies, such as website publishers and commercial partners e.g., advertising agencies, are liable for compliance with all cookies laws. As a consequence, users are entitled to exercise their rights of access and opposition against any such person who holds, directly or indirectly, cookies that include personal data.

The CNIL has not modified its previous position that cookies that are strictly necessary for the provision of a service requested by the user (e.g., session cookies, authentication cookies or basket cookies) are exempted from the consent requirement. However, the CNIL now also acknowledges an exception for cookies used exclusively to measure web traffic that do not allow user identification. For this type of cookie, users must be informed and have the possibility to refuse cookies, but their prior consent is not required. Moreover, if such cookies enable the geolocation of the user via her/his IP address, the information gathered cannot be more specific than the city where she/he is located.

Finally, the CNIL acknowledges that French law provides that user consent may result from web browser settings, but considers such consent is valid only if (i) the user has been given the opportunity to modify the browser settings and (ii) the user has been informed, before his/her terminal is accessed or any cookie is set, of the cookies’ purpose and how to refuse them. The CNIL further considers that, in the current state of technology, web browser settings preferences for non-HTTP cookies  (such as “flash” or “web bugs” cookies) are insufficient and user consent must be based on information provided in a banner, as explained above.

Should you have any further questions regarding to the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com), Jeanne Dauzier (jeanne.dauzier@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-french-data-protection-authority-cnil-issues-new-guidance-on-cookies/

GLOBAL: Data Protection and Privacy Compliance Considerations For Retailers

By Carol Umhoefer

It’s obvious that retail e-sales raise issues around personal data collection and processing:  Compiling customer lists and preferences, tracking and profiling site visitors and app users, generating revenue from static and mobile ad servers, targeting offers to customers on the right devices at the right time, accurate online order fulfillment and useful after-sales service all depend on personal data processing.

But brick and mortar retailers are also capturing and processing more personal data, such as data from customers, employees, landlords, security systems and multiple service providers, even the neighborhood seamstress. And as these traditional retailers create their own virtual sales networks, the opportunities to capitalize on both in-store and on-line customer data multiply in tandem with the risks associated with hacking and data loss.

The price of getting data protection wrong is high. Retailers may pay dearly if they misuse customer lists, lose employee data, or are “named and shamed” by a regulator for having failed to meet basic data protection requirements. Moreover, Asian and South American countries are adopting European-inspired data protection laws while the EU moves to strengthen its own laws with reforms that will introduce significant new fines for companies that fail to comply.

Retailers’ first step toward compliance should be taking stock of data protection and privacy practices in stores, warehouses, security stations, back offices and the data centers where personal data is continuously processed. Retailers should examine their data handling at every point from collection to processing, replication, storage, transfer and eventual destruction, as well as their obligations under applicable regulations, laws and contracts, with a view to devising compliance solutions that are tailored to the operational realities of the industry, the retailer’s specific needs, and the risks associated with regulatory enforcement.

Should you have any further questions regarding to the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-data-protection-and-privacy-compliance-considerations-for-retailers/