
Dr. Paul Melot de Beauregard provides legal advice on all labor and employment law matters, including litigation. He is head of McDermott’s Employment practice in Munich. Paul advises clients on the entire spectrum of national and international labor and employment law, focusing on restructuring, transactions and negotiations with trade unions and works councils. He also advises on benefits and service agreements with board members, managing directors and senior executives, as well as on compliance issues, operational pensions and outsourcing.

After intense negotiations, and after the official deadline had passed on Sunday, 31 January 2016, the United States and the European Union have finally agreed on a new set of rules—the “EU-U.S. Privacy Shield”—for data transfers across the Atlantic. The Privacy Shield replaces the old Safe Harbor agreement, which was struck down by the European Court of Justice (ECJ) in October 2015. Critics already comment that the Privacy Shield will share Safe Harbor’s fate and will be declared invalid by the ECJ; nevertheless, until such a decision exists, the Privacy Shield should give companies legal security when transferring data to the United States.

While the text of the new agreement has not yet been published, European Commissioner Věra Jourová stated that the Privacy Shield should be in place in the next few weeks. According to a press release from the European Commission, the new arrangement

…will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

One of the best-known critics of U.S. data processing practices and the initiator of the ECJ Safe Harbor decision, Austrian Max Schrems, has already reacted to the news. Schrems stated on social media that the ECJ Safe Harbor decision explicitly says that “generalized access to content of communications” by intelligence agencies violates the fundamental right to respect for privacy. Commissioner Jourová, referring to the Privacy Shield, stated that “generalized access … may happen in very rare cases”—which could be viewed as contradictory to the ECJ decision. Critics also argue that an informal commitment by the United States during negotiations with the European Union is not something on which European citizens could base lawsuits in the United States if their data is transferred or used illegally.

The European Commission will now prepare a draft text for the Privacy Shield, which still must be ratified by the Member States. The EU Parliament will also review the draft text. In the meantime, the United States will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsperson.

 

The German Federal Labor Court (Bundesarbeitsgericht (BAG)) has published the reasons for its two decisions about whether an employee can revoke consent given to his or her employer for public use of the employee’s image in photos, videos or other marketing materials (BAG 19 February 2015, 8 AZR 1011/13; BAG 11 December 2014 – 8 AZR 1010/13). The BAG held that (1) an employer can rely on an employee’s voluntary consent under German data privacy laws and (2) an employee must take into account the employer’s interests when justifying his or her revocation of a valid consent. The BAG’s decisions are notable because they are contrary to the widely held opinion that employee consent given in the context of the employment relationship is not completely voluntary.

German data privacy and copyright laws require an employer to obtain an employee’s consent to use the employee’s image in photos or videos developed for marketing or similar purposes.  The consent must be voluntarily given and not tied to the employee’s employment status.  Before the BAG’s decisions, some German data privacy law commentators argued that an employee’s consent is not always freely given because of the employee’s subordinate status in the employment relationship.

Now, under the BAG’s decisions, the existence of the employer-employee relationship does not cause an employee’s individual consent to be per se ineffective. The BAG determined that employees can freely choose whether to consent or not. If an employee believes that he or she is subject to discrimination for withholding consent, remedies are available under other German laws. The BAG emphasised that the consent must be in writing and include certain information to be valid and that whether the consent is subsequently revocable depends on the facts and circumstances.

Key Takeaway:

An employer should obtain individual written consent from an employee to use the employee’s image or likeness in marketing materials. To help prevent future revocation, the written consent must state (among other specific requirements) that the employer’s rights survive termination of the employment relationship.

After over four years of negotiations, the European Union and the United States agreed on 8 September 2015 on a framework data protection agreement (the Umbrella Agreement). The Umbrella Agreement covers all personal data exchanged between the European Union and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. According to the Q&As posted on the EU Commission’s website, the Umbrella Agreement shall “provide safeguards and guarantees of lawfulness for data transfers.”

During the negotiations, the Umbrella Agreement was widely criticized throughout the EU because EU citizens could not file lawsuits in the United States to enforce their data protection rights. The U.S. Privacy Act allows only U.S. residents to obtain redress for data privacy and protection violations. As part of the Umbrella Agreement, the U.S. Congress introduced an amendment to the U.S. Privacy Act known as the “Judicial Redress Bill.” If adopted, the Judicial Redress Bill will permit an EU citizen to use U.S. courts to (for example) have his or her name deleted from U.S. blacklists if the name was mistakenly included.

In Germany, first reactions by political commentators to the agreement are moderately optimistic, and the agreement is seen as an important step to rebuild trust after the National Security Agency (NSA) spying revelations. More importantly, the Umbrella Agreement includes many of the same general data privacy and protection principles followed in Germany and other EU countries, including:

  • Limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences.
  • Onward transfer – Any onward transfer to a non-U.S., non-EU country or international organisation requires the prior consent of the competent data protection authority of the country from which the personal data was originally transferred.
  • Retention periods – Personal data may not be retained for longer than necessary or appropriate. The decision on what is an acceptable duration must take into account the impact on people’s rights and interests.  Retention periods must be published or otherwise made publicly available.
  • Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and to request corrections.

While the increased data protection and proposed Judicial Redress Bill are positive developments, some commentators in Germany criticize the Umbrella Agreement’s lack of a clear and easy process for data protection enforcement in the United States for EU citizens. The critics claim that most individuals will not even know when and if their data protection rights are violated.

The U.S. Congress and the EU Parliament and Council still must ratify the Umbrella Agreement, the full text of which is not yet available, but we expect that the Umbrella Agreement will unite the European Union and the United States on an increased level of data protection. We will report on the Umbrella Agreement again once its full text is made public.

German data protection authorities published new guidelines in December 2013 about the collection and processing of personal data for advertising purposes.  The 2013 advertising guidelines (available here in German) supplement another set of advertising guidelines published in October 2012 (available here in German). Together, the 2012 and 2013 guidelines help to clarify how German data protection law relates to advertising activities.

The 2013 guidelines cover the following three main topics:

  1. The “list-privilege” exception. The Bundesdatenschutzgesetz (Germany’s Data Protection Act) provides an exception to the rule that consent is required before personal data is processed for advertising. Certain personal data, such as name, address and year of birth, may be used for an organisation’s own marketing purposes without prior consent as long as the data is aggregated. The 2013 guidelines provide useful information on this exception by, for example, clearly stating that e-mail addresses and telephone numbers do not qualify for this exemption, and by providing commentary on how long the information qualifies for this exception after the last time it is used to contact the person to whom the data relates (generally two years, but the 2013 guidelines state that the time period can vary based on the facts).
  2. Consent. The 2013 guidelines confirm that leaving business cards at a trade show for the express purpose of receiving information from business contacts constitutes consent to contact the person named on the business card for advertising purposes. For the digital world, the 2013 guidelines advise a double opt-in for consent provided electronically (e.g., via e-mail or SMS). Under the 2013 guidelines, double opt-in consent means that the person providing personal data about himself or herself must: (i) affirmatively consent (e.g., by clicking a button or checking an unchecked box on a website) at the time of data collection; and (ii) confirm his/her consent after receiving a written request for confirmation of consent (e.g., a detailed e-mail requiring confirmation by clicking a link) that includes enough information to enable the person to provide informed consent.
  3. Right to object to use of personal data for advertising purposes. The 2013 guidelines state that when a person indicates (whether in writing or otherwise) that he/she no longer wishes to be contacted for advertising purposes, the organisation holding the data should take action in accordance with such a request without “undue delay.” (The 2013 guidelines don’t specify what time period is acceptable for undue delay.) The 2013 guidelines do, however, recognise that stopping all communications immediately may not be feasible, and advise organisations to inform individuals of any time lag to avoid complaints. The 2013 guidelines also remind organisations that a statement publicising an individual’s right to object should be included on every marketing communication, not just in (often lengthy) website terms and conditions.