A BNA, INC. PRIVACY & SECURITY LAW REPORT

Reproduced with permission from Privacy & Security Law Report, 8 PVLR 27, 07/06/2009. Copyright 2009 by The Bureau of National Affairs, Inc. (800-372-1033)

New Rules, Pending Laws

Credit Scoring, Telemarketing, Location Devices

Against the backdrop of widely reported data breaches, and with the September 2009 federal election drawing close, the German Parliament has voted for significant changes to existing data protection laws, including new requirements for credit checks, location tracking services, and telemarketing. Other amendments, including the introduction of U.S.-style data breach notification procedures and employee privacy rules, together with a prohibition on address trading without consent, are all under discussion. The following article summarizes recent privacy-related amendments in Germany, as well as a number of new developments that are in the pipeline.

German Data Protection Landscape Is Changing

BY KARIN RETZER

New Rules for Scoring Techniques

With new rules on scoring techniques adopted June 12, the German Parliament has finally regulated a common practice. What is scoring exactly? The most frequently used type is a credit score or credit check that is based on a statistical analysis of a person's payment history, current income, etc. to determine the creditworthiness of that person. Banks and credit card companies use credit scores to evaluate the potential risk posed by lending money to consumers and thus mitigate losses due to bad debt. Credit scoring is, however, not limited to banks. Other organizations, such as online retailers, mail order services, mobile phone providers, employers and landlords, may use the same techniques. To date, credit scoring had not been specifically regulated and, while very common, was carried out in a somewhat grey legislative area.

Further, despite pressure from industry and the German Länder (the federal states), the new rules also apply to consumer scoring techniques employed mainly

Karin Retzer is of counsel in the Brussels office of Morrison & Foerster LLP.

COPYRIGHT 2009 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 1538-3423
for marketing purposes, such as the use of address data to customize marketing campaigns, but also to insurance providers for determining insurance eligibility and premiums.

The amendments, incorporated in the Federal Data Protection Act (the Bundesdatenschutzgesetz, or BDSG)1, will become effective April 1, 2010.

In an effort to increase transparency, the amendments provide that individuals must be notified in advance if their data are to be used for scoring purposes. Where individuals' address data are used, the provision of notice to the individual must be documented. Upon request, individuals must be provided with detailed information including the data used, an "understandable explanation" about the scoring technique employed, and the credit scores that have been recorded over the past six months. Moreover, an individual's credit score may not be lowered just because of exercising a right to access credit check information held about him or her (which is common practice in the United States).

The new rules allow financial institutions to share certain credit data with others, and in particular credit agencies, based on mere notice. Consent is no longer necessary.

The use of scoring to determine the conclusion, performance, or termination of contractual relationships, such as the eligibility for a credit, is permitted where (i) there is evidence that data pertaining to an individual can be used to conduct certain mathematically scientific probability calculations (a requirement that may be particularly problematic for marketing scoring), and (ii) general data protection requirements have been complied with. For the latter, opt-in consent may be required.

The new rules also establish, for the first time, when credit information may be used for scoring purposes. In brief, an individual's payment history information may be used and shared for scoring purposes if a previously adjudicated court insolvency order is in place, if an individual has formally acknowledged a debt, or if an individual has been provided with two or more unpaid demand letters sent over a time span of at least four weeks. Sharing of payment history information between affiliated entities is subject to the same requirements.

Substantial financial penalties for failure to comply with the new requirements have been introduced.

Opt-In for Consumer Telemarketing

The German Parliament also approved penalties amounting to €50,000 (approx. $71,000) for failure to obtain opt-in consent prior to contacting consumers by telephone for marketing purposes. According to the legislative materials, these penalties may be imposed on telemarketing agents and service providers, their customers, or any other organization engaged in telemarketing.

Under the existing Act against Unfair Trade Practices (the Unlauterer Wettbewerbsgesetz, or UWG), telemarketing to consumers is already subject to opt-in consent. The bill amending the UWG2 requires that such consent contain "a declaration of will," and may not be determined merely based on the individual's behavior. The wording of the bill also clearly states that each and every call by telemarketers, even the very first one, would be covered by these restrictions. Telemarketing to businesses is permitted if it may reasonably be concluded that the recipient wishes to be contacted.

Further, marketers who fail to display their telephone numbers on caller ID systems may be fined up to €10,000 (approx. $14,000).

The amendments also enable consumers, who have not been appropriately informed of their right to withdraw from a service contract concluded at a distance (such as over the phone or via the Internet), to exercise this right of withdrawal, even in cases where portions of the services have already been rendered. This right would only expire when all portions of the services have been performed at the request of the consumer.

The right to withdraw could also extend to contracts concluded over the phone relating to the delivery of newspapers, periodicals, and magazines, or for gaming and lottery services. Such contracts are expressly excluded from the right of withdrawal provided for in the European Union Distance Selling Directive 97/7, but withdrawing from them looks set to become easier in Germany in the future. As so often happens, German consumer law would therefore be going further than corresponding EU law.

The German Federal Network Agency, which monitors developments in national telecommunications, gas, electricity, and railway markets, has been charged with supervising the new law. The generally held view is that these requirements will apply to telemarketing to German recipients, irrespective of the location of the provider. These amendments are expected to enter into force, without any transition period, at the end of July once published in the Official Journal.

Location Tracking Services

Amendments to the Telecommunications Act (the Telekommunikationsgesetz, or TKG)3, which were approved recently by the German Parliament, will seriously impede navigation, friend-finder, and other mobile services that require the continuous transferring of the user's location.

The amendments first require that telecommunications providers obtain "express, distinct, and written" consent from subscribers if the location of his/her device is tracked and transferred to other subscribers, including to third parties (other than the value-added service provider). As a result, providers who offer subscribers the option of having their locations determined and forwarded (e.g., for friend-finder services or for tracking a misplaced device) will need to obtain distinct, written consent from these subscribers. Under German law, this means pen on paper or qualified digi-

1 Gesetz zur Änderung des Bundesdatenschutzgesetzes. Available (in German) at
2 Gesetz zur Bekämpfung unerlaubter Telefonwerbung und zur Verbesserung des Verbraucherschutzes bei besonderen Vertriebsformen. Available (in German) at http://
3 Erstes Gesetz zur Änderung des Telekommunikationsgesetzes und des Gesetzes über die elektromagnetische Verträglichkeit von Betriebsmitteln. Available (in German) at http:// 2009/0536-09.pdf.
tal signatures, since e-mail or click-through consent is not sufficient. Moreover, the word "distinct" indicates that the consent wording may not be included in general subscriber terms and conditions, but must be separated from such text.

Second, the amendments permit providers to track a subscriber's location a maximum of five times. After the fifth time, the subscriber must be notified before further location tracking can take place (unless he/she has opted out of such notice). In addition, the law requires providers to accommodate the needs of disabled persons, such as by providing specific telephone tools for hearing-impaired persons.

The Network Agency has been charged with enforcing these rules, and failure to comply with the consent and notice requirements may result in penalties of up to €300,000 (approx. $420,000). Arguably, all location tracking services currently aimed at the German market are within the scope of the new requirements, including services provided by operators outside Germany.

These amendments will become effective once signed by the German president and published in the Official Journal. No transition period is provided for in the law.

Breach Notification, Strict Rules for Marketing, and Other Amendments

Designed to prevent and address recent data breaches, the German government has proposed further amendments to the Federal Data Protection Act4 that, if approved by the Parliament, will provide for (i) the introduction of a mandatory breach notification regimen, (ii) the requirement to obtain opt-in consent for the secondary use of contact details for marketing purposes and in particular for data trading, (iii) increased enforcement, as well as (iv) a voluntary data protection audit scheme. However, due to the ongoing debate in Parliament and much criticism from industry, the bill amending the BDSG may not be voted into law before the summer break and the general elections. This means that under German constitutional rules the new government will have to present the bill anew.

As stated, one of the central elements of the proposal is the introduction of U.S.-style breach notification requirements in cases where any of the following sets of data are leaked: sensitive data, criminal records, bank account or credit card data, or personal data subject to legal privilege (e.g., data held by lawyers, doctors, journalists, etc.). The proposed rules only require notification in cases where the data leakages may lead to "serious impediments for privacy and other individual interests." The legislative commentary states that the types of data, as well as the possible results of the breach (such as damages or identity theft), must be taken into account when assessing whether such "serious impediments" exist. Both the data protection authorities, as well as all individuals concerned, must be notified "immediately" (as soon as reasonably possible) after containment and as soon as such notification no longer impedes law enforcement (principle of responsible disclosure). In cases where a broad public is concerned, public announcements in at least two national newspapers may replace individual notices. These announcements must be at least half a page tall. The notice should include information on the data leakage, possible results of the leakage as well as measures being taken to mitigate damages.

The breach notification requirement also extends to electronic communications providers and telecommunications operators in any case where user data (e.g., registration data obtained by a Web site operator) are leaked. Interestingly, public authorities are exempt from breach notification.

The provision of potentially greatest commercial significance is the abolition of the "list privilege," whereby contact details are traded amongst marketers. According to industry representatives, the proposed amendments would effectively kill legal trade in marketing data. Data collected prior to the entry into force of the amendments may continue to be processed until July 2012. After that date, opt-in consent will be required, even for existing databases in which organizations may have invested significant resources, and data may need to be destroyed.

Under the list privilege system, data brokers as well as other organizations process data lists consisting of names, addresses, dates of birth, professions, and other specified data for marketing and market research purposes, without prior opt-in consent. The draft amendments would make any processing of such data for marketing purposes, including market research, subject to opt-in consent.

The draft does provide an exception allowing processing based on opt-out consent in cases where (i) the details are used for marketing and market research purposes in relation to products or services of the data controller (which presumably excludes marketing and market research for affiliates), and (ii) all data have been collected directly from the individual. Marketing for charities as well as business-to-business (B2B) marketing seem to be exempt too, provided that the marketing is sent to the individual's work address and that it relates solely to products and services intended for commercial use. However, the wording for the B2B exception is awkward in that it restricts the exception to entrepreneurs and contractors, and does not seem to permit marketing to employees of larger enterprises.

Where marketing or market research is permitted with opt-out consent, individuals must be able to opt out upon establishment of the relationship. Under existing law, opt-out options only had to be provided when follow-up marketing contacts were made, not beforehand.

Where opt-in consent is required, consent must be provided in writing or through qualified digital signature. Electronic consent is permitted if documented and if individuals are easily able to retrieve the wording of their consent and/or withdraw it at any point in time. Where specific circumstances render oral consent permissible, for example during a telephone conversation, the amendments now propose that such oral consent must be confirmed in writing.

Marketing consent must also be separate from other declarations (including the general data protection consent), and a separate signature, tick or click must be provided (and the confirmation obtained) in order to process data for marketing and market research purposes. Withdrawal of consent may not be subject to

4 Gesetz zur Regelung des Datenschutzaudits und zur Änderung datenschutzrechtlicher Vorschriften. Available (in German) at 1612011.pdf.
stricter requirements than those governing the entering into of the agreement. The rule under German law is that consent must be in writing, meaning pen on paper or by use of a qualified digital signature.

Last, the provision of products or services may not be made conditional upon providing consent for marketing, unless the individual may purchase similar products or services under reasonable conditions elsewhere, that is, where the provider has no monopoly and market conditions are not such that other providers impose the same requirement for consent. No further guidance is provided as to what would constitute "reasonable conditions" or "similar" products or services.

The draft also contains a number of proposals that are aimed at strengthening compliance and enforcement: Internal data protection officers (DPOs) may not be terminated during their term as DPOs, or during the 12 months thereafter, unless there is an "important cause" requiring immediate termination. Organizations must also compensate DPOs for training courses. Penalties are increased to €50,000 for failure to comply with formalities and to €300,000 for other data protection breaches (approximately $70,000 and $420,000, respectively). The draft expressly stipulates that higher penalties should be assessed to ensure that the penalties exceed the commercial gains that organizations may make from breaches. Further new penalties have been introduced, including for failure to comply with the restrictions on processing for marketing and market research purposes, or for failure to have detailed written data processing agreements in place with a data processor, irrespective of the location of that processor, and irrespective of whether the processor is an independent service provider or an affiliated entity. According to the German authorities, a master agreement between the parent and the provider is insufficient in cases where data relating to the German affiliate are processed.

Finally, the amendments propose the introduction of a voluntary data protection audit with auditing and certification conducted by independent certified firms, in turn monitored by data protection authorities. The government would be charged with setting up a regulatory committee to develop guidelines for data security regulations covering private sector companies.

Employee Privacy

The German government has also reopened the debate on a proposed law to protect employee data, in response to recent breaches. Secretary of the Interior Wolfgang Schäuble, who made the announcement Feb. 16, stated that this law should address issues relating to the monitoring of employee communications and Internet usage in the workplace, as well as the use of video surveillance and GPS navigators tracking workers in company cars, and, in particular, the processing of personnel files and health data. "In certain cases, employers need to have the right to control employees," Schäuble said, "but it is a question of the right proportionality."

Peter Schaar, head of Germany's Data Protection Commissioner's Office in Bonn, alluded to recent breaches of employee data, stating that data "provided in the context of a work relationship should not be used for other matters," and that the new law, if passed, would tighten restrictions on employee data in Germany.

The proposed law would come after a decade of fruitless lobbying by privacy advocates about the need for an employee data protection act in Germany. Given this, it is still unclear whether the law will ultimately be enacted. Schäuble himself has warned that substantive discussions will only begin after the general elections. Until then, Schäuble has merely invited the German Labor Minister, the Minister for Economics, the Federal Data Protection Commissioner, and representatives of trade and industry to evaluate "whether there is a need for an employee data protection law."

Conclusion

Given the current economic circumstances and the volatility of the German data protection landscape, organizations need to remain vigilant regarding data protection issues. Compliance with data protection and security requirements, while more and more challenging, is clearly the focus of growing scrutiny, and penalties for non-compliance are increasing.