On March 14, 2013, the 85th Conference of the German Data Protection Commissioners concluded in Bremerhaven. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.
During the Conference, several Resolutions were adopted. The following are of particular interest:
The DPAs state that the self-regulatory efforts of certain social networks may not be sufficient to ensure that users’ data protection rights are protected. Accordingly, the DPAs have drawn up detailed practical guidelines (in German) to help social networks comply with German data protection laws. In the guidelines, the DPAs also discuss the circumstances under which German data protection law applies in an international context, an issue that is the subject of proceedings currently before the administrative courts of the city of Schleswig.
Commenting on the recently launched initiative to create a transatlantic free trade zone between the U.S. and the EU, the DPAs urge the European Commission to ensure that European data protection standards are not compromised by any agreement regarding such a zone.
The DPAs warn that carve-outs in the proposed data protection legislative framework (“Proposed Regulation”) should be avoided. Whether the carve-outs concern the type of data classified as “personal data” or the types of businesses classified as “data controllers,” the DPAs advocate retaining strong requirements for things such as explicit consent, purpose limitation and profiling. In their further comments (in German), the DPAs also discuss the requirements related to data protection officers, as well as the Proposed Regulation’s new “Lead Authority” concept.
This short Resolution is generally limited to how cancer data in Germany should be pseudonymized. The comments on pseudonymization algorithms provide practical guidance on this specific type of data processing.
The previous Conference was held in Frankfurt (Oder) in November 2012. At that time, the DPAs issued Resolutions on the proposed EU reform package and the introduction of Internet Protocol Version 6.