Hostname: page-component-cd9895bd7-dk4vv Total loading time: 0 Render date: 2024-12-28T02:28:30.912Z Has data issue: false hasContentIssue false

Data Protection in the Federal Republic of Germany and the European Union: An Unequal Playing Field

Published online by Cambridge University Press:  06 March 2019

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

With the negotiation of its Data Protection Regulation, the European Union seeks to reform an outdated set of laws that has failed to address the evolving data protection challenges inherent in new technologies such as social networks, e-commerce, cloud computing, and location-based services. This article addresses the forthcoming Data Protection Regulation as well as the current state of data protection law in the EU, with a particular focus on Germany. The first part of the article examines Germany's robust data protection framework and the EU's existing authority. The article then raises key issues related to data protection in Germany and the EU—namely, discrepancies in data protection standards and enforcement among EU Member States—as illustrated by recent, high profile cases involving household names like Facebook, Apple, Google, and Amazon. Through this analysis, the article attempts to explain how and why companies doing business in Germany, but established in other EU Member States, are subject to less stringent data protection standards than German companies. Lastly, the article synthesizes the issues in debate with regard to the draft Data Protection Regulation and offers perspectives on what the Regulation could and should mean for data protection in the EU.

Type
Articles
Copyright
Copyright © 2014 by German Law Journal GbR 

References

1 See, e.g., Surveillance Monitor 2011: Assessment of Surveillance across Europe, Privacy International (2011), https://www.privacyinternational.org/reports/surveillance-monitor-2011-assessment-of-surveillance-across-europe (noting Germany's data protection framework is “amongst the best in the world ….”); National Privacy Ranking 2007 – Leading Surveillance Societies Around the World, Privacy International (2007), available at https://www.privacyinternational.org/sites/privacyinternational.org/files/file-downloads/phrcomp_sort_0.pdf (assigning Germany a higher data privacy ranking in the category of data-sharing than all other EU as well as non-EU countries surveyed).Google Scholar

2 Bundesdatenschutzgesetz [BDSG] [Federal Data Protection Act], repromulgated Jan. 14, 2003, Bundesgesetzblatt, Teil I [BGBl. I] at 66, last amended by Gesetz [G], Aug. 14, 2009, BGBl. I at 2814 [hereinafter BDSG].Google Scholar

3 Telemediengesetz [TMG] [Telemedia Act], Feb. 26, 2007, Bundesgesetzblatt, Teil I [BGBl. I] at 179, last amended by Gesetz [G], May 31, 2010, BGBl. I at 692, at art. 1.Google Scholar

4 See supra note 1.Google Scholar

5 Press Release, OVG Schleswig-Holstein: For Facebook Germany Data Protection Law Does Not Apply, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD) (Independent State Center for Data Protection Schleswig-Holstein), (Apr. 24, 2013), available at https://www.datenschutzzentrum.de/presse/20130424-facebook-klarnamen-ovg-en.htm.Google Scholar

6 EC Directive 95/46/EC of 24 October 1995, O.J. L 281.Google Scholar

7 See supra note 5.Google Scholar

8 Lischka, Konrad & Stöcker, Christian, Data Protection: All You Need to Know about the EU Privacy, Spiegel Online, 18 Jan. 2013, http://www.spiegel.de/international/europe/the-european-union-closes-in-on-data-privacy-legislation-a-877973.html (surmising the new Data Protection Regulation could “lead to … corporations choos[ing] … European headquarters based on the strength, or lack thereof, of data protection supervision in that country” and noting “competition between countries in attracting companies to locate their offices there has already been a phenomenon in the EU for some time now”).Google Scholar

9 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25 2012) [hereinafter “Data Protection Regulation”].Google Scholar

10 Directive 95/46, 1995 O.J. (L 281) [hereinafter “DPD”] (EC).Google Scholar

11 Directive 2002/58, 2002 O.J. (L 201/37) [hereinafter “E-Privacy Directive”] (EC).Google Scholar

12 The EU acknowledges there is a need to “ensure that the fundamental right to data protection is consistently applied.” Delivering an Area of Freedom, Security and Justice for Europe's Citizens: Action Plan Implementing the Stockholm Programme, at 3, COM (2010) 171 final (Apr. 20 2010).Google Scholar

13 For example, the EU's Working Time Directive, 2003/88/EC, gave workers the right to work no more than 48 hours per week; France passed stricter regulations, limiting working hours to 35 hours per week; See French Labour Code, Art. L.212–1 et seq.; Blake, Heidi, The EU Working Time Directive in Detail, The Telegraph, June 9 2010; See also, infra Part B.II. for a discussion of the differences between EU directives and regulations.Google Scholar

14 See, e.g., Dr. Nils Christian Haag, Court: German Data Protection Law is Not Applicable to Facebook, Privacy Europe, Feb. 15 2013, http://www.privacy-europe.com/blog/court-german-data-protection-law-is-not-applicable-for-facebook.Google Scholar

15 DPD, supra note 10, at Art. 4(1)(a).Google Scholar

16 Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, at 3, COM (2012) 9 final (Jan. 25 2012) (noting the DPD “was adopted 17 years ago when the internet was in its infancy).Google Scholar

17 Id. at 2.Google Scholar

18 See supra note 2.Google Scholar

20 BDSG, supra note 2, § 1. The BDSG defines “personal data” as “any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject).” Id. § 3.1.Google Scholar

21 Id. § 2.Google Scholar

22 Id. § 2.1–2.Google Scholar

23 Id. § 2Google Scholar

24 Id. § 2.4.Google Scholar

25 Id. § 2.3.Google Scholar

26 Id. § 5 (emphasis added).Google Scholar

27 The EEA is comprised of EU Member States plus three of four European Free Trade Association (EFTA) members, namely, Iceland, Norway, and Lichtenstein, and establishes a single market between the parties, known as the “internal market.” The fourth member of the EFTA that is not a party to the EEA is Switzerland. See Agreement on the European Economic Area, at 3–522, 1994 O.J. (L 1).Google Scholar

28 A “controller” is defined as “any person or body collecting, processing or using personal data on his or its own behalf or commissioning others to do the same.” BDSG, supra note 2, § 3.7.Google Scholar

29 Id. §§ 4.1, 4(a).1Google Scholar

30 Id. § 28.Google Scholar

31 Id. § 42(a).Google Scholar

32 Id. § 4.1.Google Scholar

33 Id. § 4.1.Google Scholar

35 Id. § 4(a).1.Google Scholar

38 Id. § 3.9.Google Scholar

39 Id. § 4(a).3.Google Scholar

40 Id. § 28.3.Google Scholar

41 Rehder, Jorg & Paez, Mauricio, Germany Strengthens its Data Protection Act and Introduces Data Breach Notification Requirement, 16 BNA Int'l World Data Protection Rep. 1 (2010), http://www.jonesday.com/germany-strengthens-data-protection-act-introduces-data-breach-notification-requirement-10–26–2009/.Google Scholar

42 BDSG, supra note 2, §§ 28.3.3, 34.1(a).Google Scholar

43 Id. §§ 28.1.1, 28.3.1.Google Scholar

44 Id. § 28.3.2.Google Scholar

45 Id. § 28.3.3. See also supra note 41.Google Scholar

46 The other three categories are 1) “special types of personal data” as described in Section 3.9, including data on race, ethnicity, political opinions, religious or philosophical beliefs, union membership, health, or sex life. 2) “personal data subject to professional secrecy,” and 3) “personal data related to criminal offences or administrative offences or the suspicion [thereof].” BDSG, supra note 2, § 42(a).Google Scholar

51 Gesetz Gegen den Unlauteren Wettbewerb [UWG] [Act Against Unfair Competition], Mar. 3 2010, Bundesgesetzblatt, Teil I [BGBl. I], last amended by Gesetz [G], Mar. 3, 2010, BGBL. I at 254 [hereinafter UWG].Google Scholar

52 Id. § 1.Google Scholar

53 Id. § 4.1.Google Scholar

54 Id. § 4.2.Google Scholar

55 Id. § 4.3.Google Scholar

56 Id. § 4.10.Google Scholar

57 Id. § 4.11.Google Scholar

58 Id. §§ 5, 5(a).Google Scholar

59 Id. § 7.Google Scholar

60 Id. § 6.Google Scholar

61 Id. § 8.Google Scholar

62 Id. § 8.2(3).Google Scholar

63 Bundesgerichtshof [BGH - Federal Court of Justice], Case No. I ZR 164/09 (Feb. 10, 2011), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=I%20ZR%20164/09; Landgericht [LG (Berlin) - Regional Court], Case No. 15 O 346/06 (Jan. 23, 2007), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=15%20O%20346/06; Amtsgericht [AG – (Berlin-Mitte) - Local Court], Case No. 21 C 43/08 (June 11, 2008), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=21%20C%2043/08; Landgericht [LG (Essen) - Regional Court], Case No. 4 O 368/08 (Apr. 20, 2009), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=4%20O%20368/08. But see, Oberlandesgericht [OLG - (München) Higher Regional Court], Case No. 29 U 1682/12 (Sept. 27, 2012), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=29%20U%201682/12 (holding the “Check-Mail”—the initial email confirming an individual's consent to receive advertising email—of the double opt-in method can constitute spam).Google Scholar

64 Englehardt, Tim, Is Double Opt-In Dead?, German IT Law blog, Nov. 26, 2012, http://germanitlaw.com/?p=902.Google Scholar

67 UWG, supra note 51, § 8.Google Scholar

68 Id. § 12.1.Google Scholar

69 See supra note 3.Google Scholar

70 Defined as “services normally provided for remuneration consisting in, or having as their principal feature, the conveyance of signals by means of telecommunications networks, and includes transmission services in networks used for broadcasting.” Telekommunikationsgesetz [TKG] [Telecommunications Act], June 22, 2004, Bundesgesetzblatt, Teil I [BGBl. I] at 1190, last amended by Gesetz [G], 3 May 2013, BGBl. I at 958, art. 1, § 3.24.Google Scholar

71 TMG, supra note 3, § 1.1.Google Scholar

72 See Sokoll, Karen & Enaux, Christoph, Germany—New Telemedia Act Introduced, Linklaters: Technology, Media & Telecomms. News, Mar. 24, 2007, http://www.linklaters.com/Publications/Publication1403Newsletter/PublicationIssue20070324/Pages/PublicationIssueItem2217.aspx.Google Scholar

73 Gesetz über die Nutzung von Telediensten (Teledienstegesetz) [Teleservices Act], July 22, 1997, Bundesgesetzblatt, Teil I [BGBl. I] at 1870.Google Scholar

74 Staatsvertrag über Mediendienste (Mediendienste-Staatsvertrag) [Federal Media Services Treaty], Jan. 20 – Feb. 12, 1997, ratified June 19, 1997, Niedersachsen Gesetz- und Verordnungsblatt [GVBl.] 280.Google Scholar

75 Gesetz über den Datenschutz bei Telediensten (Teledienstedatenschutzgesetz) [Teleservices Data Protection Act], July 22, 1997, Bundesgesetzblatt, , Teil I [BGBl. I] at 1870. See, e.g., Krieg, Henning, German Telemedia Act Introduces New Rules for New Media, Bird & Bird, Mar. 30, 2007, http://www.twobirds.com/English/News/Articles/Pages/2007/German_Tele_Media_Act_new_rules.aspx.Google Scholar

76 TMG, supra note 3, § 3.Google Scholar

77 The TMG defines “established service provider” as “every provider who uses who uses a fixed facility for an indefinite period to offer or provide telemedia on a commercial basis” and notes further that “the location of the technical facility alone does not determine that the provider is established.” Id. § 2.2.Google Scholar

78 Id. § 3.1.Google Scholar

79 Id. § 3.2.Google Scholar

80 Id. §§ 6.1.1–2.Google Scholar

81 Id. §§ 6.1.3–4.Google Scholar

82 Id. § 6.1.4.Google Scholar

83 Id. § 12.1.Google Scholar

84 Id. § 12.3.Google Scholar

85 Id. § 13.1.Google Scholar

86 Id. § 13.4.1.Google Scholar

87 Id. § 13.4.2.Google Scholar

88 Id. § 13.4.3.Google Scholar

89 Id. § 13.6.Google Scholar

90 Id. § 13.6.Google Scholar

91 Id. § 13.4.6.Google Scholar

92 Id. § 15.3.Google Scholar

95 Consolidated Version of the Treaty on the Functioning of the European Union, Oct. 26, 2012, 2012 O.J. (C 326) 47 [hereinafter “TFEU”].Google Scholar

96 Consolidated Version of the Treaty on European Union, Oct. 26, 2012, 2012 O.J. (C 326) 13 [hereinafter “TEU”].Google Scholar

97 Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Communities, Dec. 13, 2007, 2007 O.J. (C 306) 1 [hereinafter “Lisbon Treaty”].Google Scholar

98 Charter of Fundamental Rights of the European Union, Mar. 30, 2010, 2010 O.J. (C 83) 2 [hereinafter “Charter”].Google Scholar

99 Regulations, Directives, and Other Acts, European Union, http://europa.eu/eu-law/decision-making/legal-acts/index_en.htm.Google Scholar

100 TFEU art. 288. See also, supra note 10.Google Scholar

101 Transposition is “a process by which the European Union's member states give force to a directive by passing appropriate implementation measures.” Transposition (law), Wikipedia, Mar. 9, 2013, http://en.wikipedia.org/w/index.php?title=Transposition_(law)&oldid=543106078.Google Scholar

102 See supra note 100.Google Scholar

103 Id. Google Scholar

104 See supra note 13; see also, Hon, W. Kuan, et. al, Data Protection Jurisdiction and Cloud Computing—When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3, 26 Int'l Rev. of Law, Computers & Tech. 129, 135 (2012).Google Scholar

105 TFEU art. 288.Google Scholar

106 Id. Google Scholar

107 Charter art. 8.Google Scholar

108 Id. at art. 391.Google Scholar

109 Id. at art. 8.1.Google Scholar

110 Id. at art. 8.2.Google Scholar

111 Id. Google Scholar

112 Id. Google Scholar

113 Id. at art. 8.3.Google Scholar

114 Commission Regulation 45/2001, 2000 O.J. (L 8) (EC)Google Scholar

115 See supra note 97.Google Scholar

116 Id. Google Scholar

117 TFEU art. 16.1.Google Scholar

118 TFEU art. 16.1.Google Scholar

119 DPD, supra note 10, § 3.1.Google Scholar

120 Id. at arts. 1.1.-2.Google Scholar

121 Id. Google Scholar

122 Id. at art. 2(a).Google Scholar

123 Id. at art. 2(b).Google Scholar

124 Id. at art. 2(h).Google Scholar

125 Id. at art. 4(1)(a) (emphasis added).Google Scholar

126 Id. See also, W. Kuan Hon, et. al, supra note 104.Google Scholar

127 See infra notes 141–143 and accompanying text for a discussion of the Art. 29 Data Protection Working Party.Google Scholar

128 Opinion of The Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, 2010 O.J. (L 281) at Part III, § 1(b).Google Scholar

129 Id. (emphasis in original).Google Scholar

130 Id. Google Scholar

131 DPD, supra note 10, at art. 7(a).Google Scholar

132 Id. at art. 7(b).Google Scholar

133 Id. at art. 7(c).Google Scholar

134 Id. at art. 7(d).Google Scholar

135 Id. at art. 7(e).Google Scholar

136 Id. at arts. 1.1 & 7(f). Article 1.1 of the DPD refers to the “fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” Id. at art. 1.1.Google Scholar

137 Id. at art. 28.1.Google Scholar

138 Id. at art. 7(a).Google Scholar

139 BDSG, supra note 2, §§ 4.1 & 4(a).1.Google Scholar

140 DPD, supra note 10, arts. 8.1–2(a). See also, BDSG, supra note 2, § 3.9.Google Scholar

141 DPD, supra note 10, at art. 29.Google Scholar

142 Id. at art. 29.1.Google Scholar

143 Id. at art. 29.2; see also, Member of the Article 29 Working Party, European Commission: Justice, June 2, 2014, http://ec.europa.eu/justice/data-protection/article-29/structure/members/index_en.htm#h2–7 (last visited Feb. 22, 2014).Google Scholar

144 Article 30 states, “The Working party shall … examine any question covering the application of the national measures adopted under [the Data Protection Directive] in order to contribute to the uniform application of such measures.” DPD, supra note 10, at art. 30.1(a).Google Scholar

145 Id. at art. 30.1(c).Google Scholar

146 Art. 29 Data Protection Working Party, Opinion 01/2012 on the Data Protection Reform Proposals, 00530/12/EN, WP 191 (Mar. 23, 2012), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp191_en.pdf; see also, e.g., Art. 29 Data Protection Working Party, Opinion 08/2012 Providing Further Input on the Data Protection Reform Discussions, 01574/12/EN, WP199 (Oct. 5, 2012).Google Scholar

147 Council Directive 2002/58, 2002 O.J. (L 201), art. 1.1 (EC) [hereinafter “E-Privacy Directive”], available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML.Google Scholar

148 Id. at art. 4.2.Google Scholar

149 Council Directive 2009/136, 2009 O.J. (L 337/11) (EC) (amending Council Directive 2002/22, 2002 O.J. (L 108) (EC), E-Privacy Directive, supra note 147, and Council Regulation No. 2006/2004, 2009 O.J. (L 337/11) (EC)) [hereinafter “Amendment to E-Privacy Directive”], available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF.Google Scholar

150 Amendment to E-Privacy Directive, supra note 149, at art. 4.3.Google Scholar

151 Amendment to E-Privacy Directive, supra note 149, at art. 2(c).Google Scholar

152 Amendment to E-Privacy Directive, supra note 149, at art. 4.3.Google Scholar

153 Data Protection Regulation, supra note 9, at art. 31–32.Google Scholar

154 E-Privacy Directive, supra note 147, at art. 2(c).Google Scholar

155 E-Privacy Directive, supra note 147, at art. 2(c) (emphasis added).Google Scholar

156 Council Directive 09/31, art. 19, 2000 O.J. (L 178) (EC) (emphasis added).Google Scholar

157 Id. Google Scholar

158 Id. at recital 57.Google Scholar

159 Id. See also, D.H.M. Segers v. Bestuur van de Bedrijfsvereniging voor Bank- en Verzekeringswezen, Groothandel en Vrije Beroepen, CJEU Case C-79/85, 1986 E.C.R I-2375; Centros Ltd v. Erhvervs- og Selskabsstyrelsen, CJEU Case C-212/97, 1999 ECR I-1459.Google Scholar

160 Centros, CJEU Case C-212/97 at para. 24.Google Scholar

161 Id. at para. 25.Google Scholar

162 Id. at para. 29. See also, D.H.M. Segers, CJEU Case C-79/85 at para. 16; Tom O'Shea, Tax Avoidance and Abuse of EU Law, 11 EC Tax J. 77 (2010), http://www.ccls.qmul.ac.uk/docs/staff/oshea/52174.pdf.Google Scholar

163 Centros, CJEU Case C-212/97 at para. 27.Google Scholar

164 TFEU, supra note 95, at art. 49 (stating that “restrictions on the freedom of establishment of nationals of a Member State in the territory of another Member State shall be prohibited”).Google Scholar

165 TFEU, supra note 95, at art. 34–36.Google Scholar

166 TMG, supra note 3, § 13.6.Google Scholar

167 Press Release, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD) [Independent State Center for Data Protection Schleswig-Holstein], ULD Issues Orders Against Facebook Because of Mandatory Real Names (Dec. 17, 2012), https://www.datenschutzzentrum.de/presse/20121217-facebook-real-names.htm.Google Scholar

168 See Press Release, ULD, supra note 5.Google Scholar

169 Id. Google Scholar

170 TMG, supra note 3, § 13.6 (guaranteeing an individual's right to anonymous or pseudonymous use of telemedia services).Google Scholar

171 See Press Release, ULD, supra note 5.Google Scholar

172 Id. Google Scholar

173 Verwaltungsgericht [VG - Administrative Court], Case No. 8 B 60/12 (Feb. 14, 2013) (Ger.), https://www.datenschutzzentrum.de/facebook/Facebook-Ireland-vs-ULD-Beschluss.pdf; see also, Schleswig-Holstein Administrative Court, Verwaltungsgericht gibt Eilanträgen von Facebook statt [Administrative Court Grants Facebook's Application for Interim Relief], Feb. 15, 2013, http://www.schleswig-holstein.de/OVG/DE/Service/Presse/Pressemitteilungen/15022013VG_facebook_anonym.html.Google Scholar

174 Supra note 173, See also, BDSG, supra note 2, § 5; DPD, supra note 10, at art. 4(1)(a).Google Scholar

175 Id. Google Scholar

176 The Irish Data Protection Commissioner audited Facebook Ireland Ltd. in December 2011 and published a review of Facebook's implementation of the audit recommendations the following year, reporting that Facebook had “advanced sufficient justification for child protection and other reasons for their policy of refusing pseudonymous access to its services.” Irish Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit 11, 5051 (Sept. 21 2012), http://dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf.Google Scholar

177 See Press Release, ULD, supra note 5.Google Scholar

178 Council Directive 2000/31, 2000 O.J. (L 178), at recital 22 (EC).Google Scholar

179 The draft Data Protection Regulation utilizes the marketplace principle with regard to third parties located outside the EU, but doing business within or directing services toward the EU: “Those who intend to do business in Europe and want to collect personal data in this context should also be subject to European data protection law when servers and corporate headquarters are located outside the EU (marketplace principle).” Schaar, Peter, EU Data Protection Package: A Real Chance for Better Data Protection!, The Fed. Commissioner for Data Protection & Freedom of Info., Mar. 19, 2012, http://www.bfdi.bund.de/EN/PublicRelations/SpeechesAndInterviews/blog/EUDataprotectionPackage.html?nn=1269676.Google Scholar

180 Landgericht [LG - District Court], Case No. 15 O 92/12 (Apr. 30, 2013), http://www.vzbv.de/cps/rde/xbcr/vzbv/Urteil_des_LG_Berlin_zur_Datenschutzrichtlinie_von_Apple.pdf.Google Scholar

181 Hunton & Williams LLP, German Court Rules Apple's Privacy Policy Violates German Law, May 8, 2013, http://www.huntonprivacyblog.com/2013/05/articles/german-court-rules-apples-privacy-policy-violates-german-law/.Google Scholar

182 Datenklauseln von Apple rechtswidrig [Data Clauses of Apple Illegal], The Consumer Federation (VZBZ), May 7, 2013, http://www.vzbv.de/11558.htm.Google Scholar

183 15 O 92/12 (Ger.).Google Scholar

184 Essers, Loek, Apple's Privacy Policy Violates German Data Protection Law, Computerworld, May 7, 2013, http://www.computerworld.com/s/article/9238978/Apple_39_s_privacy_policy_violates_German_data_protection_law_Berlin_court_rules.Google Scholar

185 15 O 92/12 (Ger.).Google Scholar

186 Essers, supra note 184.Google Scholar

187 See 15 O 92/12 (Ger.).Google Scholar

188 Williams, Christopher, Google Could Face EU “Repressive Action” on Privacy, The Telegraph, Feb. 18, 2013, http://www.telegraph.co.uk/technology/google/9877694/Google-could-face-EU-repressive-action-on-privacy.html.Google Scholar

189 Id. Google Scholar

190 Id. Conditioning use of online services on consent runs afoul of TMG, supra note 3, § 12.3.Google Scholar

191 Williams, , supra note 188.Google Scholar

192 Id. Google Scholar

193 Id. Google Scholar

194 Pfanner, Eric, Google Faces More Inquiries in Europe over Privacy Policy, N.Y. Times, Apr. 2, 2013, http://www.nytimes.com/2013/04/03/technology/google-to-face-national-regulators-over-privacy-policy.html?_r=0.Google Scholar

195 Williams, , supra note 188.Google Scholar

196 Essers, Loek, Berlin Court Rules Google Privacy Policy Violates Data Protection Law, PCWorld, Nov. 20, 2013, http://www.pcworld.com/article/2065320/berlin-court-rules-google-privacy-policy-violates-data-protection-law.html.Google Scholar

197 Landgericht [LG - District Court], Case No. 15 O 402/12 (Nov. 19, 2013), http://www.berlin.de/sen/justiz/gerichte/kg/presse/archiv/20131217.1510.392784.html (Ger.).Google Scholar

198 Meyer, David, German Court Chides Google over Its Vague Privacy Policy and Terms, Gigaom, Nov. 20, 2013, http://gigaom.com/2013/11/20/german-court-chides-google-over-its-vague-privacy-policy/.Google Scholar

199 Bhatti, Jabeen, Berlin Court Rules Google Privacy Policy Too Vague; Internet Giant Set to Appeal, Bloomberg BNA, Nov. 25, 2013, http://www.bna.com/berlin-court-rules-n17179880340/.Google Scholar

200 O'Carroll, Lisa, If Google Is in Ireland for Tax Reasons, Why Are Most of Its Profits in Bermuda?, The Guardian, Mar. 24, 2011, http://www.guardian.co.uk/business/ireland-business-blog-with-lisa-ocarroll/2011/mar/24/google-ireland-tax-reasons-bermuda.Google Scholar

201 Steadman, Ian, Google Fined by German Regulator over Street View Privacy Breach, Wired, Apr. 22, 2013, http://www.wired.co.uk/news/archive/2013–04/22/google-germany-fine.Google Scholar

202 Id. Google Scholar

203 Geiger, Friedrich, German City of Hamburg Fines Google over Street View Service, Wall St. J. Online, Apr. 22, 2013, http://online.wsj.com/article/SB10001424127887324874204578438714112912742.html# (noting the Hamburg Commissioner for Data Protection “ordered [Google] to pay 145,000 euros ($189,000) for collecting data of private Wi-Fi networks when Google's cars drove through the streets [of Hamburg] to take pictures from 2008 until 2010”).Google Scholar

204 Steadman, , supra note 201.Google Scholar

205 The fine “represents about 0.002 percent of [Google's] total net profit in 2012.” Whittaker, Zack, Germany Fines Google for “Unprecedented” Street View Wi-Fi Data Breach, ZDNet, Apr. 22, 2013, http://www.zdnet.com/germany-fines-google-for-unprecedented-street-view-wi-fi-data-breach-7000014337/.Google Scholar

206 Brignall, Miles, Amazon's Luxembourg Base Means Improved Consumer Rights, The Guardian, Apr. 30, 2010, http://www.guardian.co.uk/money/2010/may/01/amazon-luxembourg-improved-consumer-rights.Google Scholar

207 Id. Google Scholar

208 Id. Google Scholar

209 Council Directive 99/44, 1999 O.J. (L 171/12), at art. 5.1 (EC).Google Scholar

211 See Brignall, , supra note 206.Google Scholar

212 Id. Google Scholar

213 Id. Google Scholar

214 According to the UK European Consumer Centre's website, “[t]he network of European Consumer Centres (ECC-Net) serves EU consumers shopping for goods and services on the European market, providing them with advice on their EU consumer rights and helping them with their disputes with traders in other EU countries.” UK European Consumer Centre, http://www.ukecc.net/about/index.cfm.Google Scholar

215 See Brignall, , supra note 206.Google Scholar

216 Id. Google Scholar

217 Id. Google Scholar

218 Id. Google Scholar

219 Data Protection Regulation, supra note 9, at 2 (referencing Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, COM (2010) 609 Final (Nov. 4, 2010)).Google Scholar

220 Id. Google Scholar

221 Id. Google Scholar

222 Id. § 2 of the Explanatory Memorandum.Google Scholar

223 Id. §§ 3.1–.2 of the Explanatory Memorandum. Once the Regulation is passed by the EU, Member States will have an additional two years to bring national laws into line with the Regulation. Id. at art. 91.Google Scholar

224 Examples of other issues currently in negotiation are data portability, the use of plain language by data controllers, penalties for noncompliance, and appointment of a data protection officer at companies over a certain size. Q&A on EU Data Protection Reform, European Parliament (Oct. 22, 2013, 10:13 AM), http://www.europarl.europa.eu/news/en/pressroom/content/20130502BKG07917/html/QA-on-EU-data-protection-reform.Google Scholar

225 Data Protection Regulation, supra note 9, at art. 17.Google Scholar

226 See id. at art. 17.1.Google Scholar

227 See id. at art. 17.3(a).Google Scholar

228 See id. at art. 17.3(b).Google Scholar

229 See id. at art. 17.3(c).Google Scholar

230 See id. at art. 17.3(d).Google Scholar

231 See id. at art. 4.8 & 7.Google Scholar

232 See id. at art. 4.8.Google Scholar

233 See id. at art. 7.3.Google Scholar

234 See id. at art. 7.4.Google Scholar

235 See id. at art. 19.2.Google Scholar

236 Id. Google Scholar

237 See id. at art. 20.1.Google Scholar

238 Id. Google Scholar

239 See id. at art. 20.2(a).Google Scholar

240 See id. at art. 20.2(b).Google Scholar

241 See id. at art. 20.2(c).Google Scholar

242 See id. § 3.4.7.2 of the Explanatory Memorandum.Google Scholar

243 Id. at art. 57.Google Scholar

244 See id. at art. 64.Google Scholar

245 See id. at arts. 58.3–.4.Google Scholar

246 See id. at art. 58.7.Google Scholar

247 See id. at art. 59.1.Google Scholar

248 See id. at arts. 58.8, 59.2, 59.4.Google Scholar

249 See id. at art. 60.Google Scholar

250 See id. at arts. 3.1, 4.13.Google Scholar

251 See id. at art. 3.1; see also, DPD, supra note 10, at art. 4(1)(a).Google Scholar

252 Data Protection Regulation, supra note 9, at art. 3.2.Google Scholar

253 See supra note 224. Several groups have proposed amendments, including MEP Jan Philipp Albrecht, the LIBE rapporteur, on behalf of the Parliament, and Germany. Data Protection Regulation, supra note 9, at art. 3.2. See also, Press Release, German Minister for the Interior Hans-Peter Friedrich and EU Justice Commissioner Viviane Reding Emphasise the Importance of the EU General Data Protection Regulation for the Digital Single Market and the Protection of Fundamental Rights in Europe (Mar. 7, 2013), available at http://europa.eu/rapid/press-release_MEMO-13–177_en.htm?locale=en.Google Scholar

254 See Press Release, German Minister for the Interior Hans-Peter Friedrich and EU Justice Commissioner Viviane Reding Emphasise the Importance of the EU General Data Protection Regulation for the Digital Single Market and the Protection of Fundamental Rights in Europe (Mar. 7, 2013), available at http://europa.eu/rapid/press-release_MEMO-13–177_en.htm?locale=en.Google Scholar

255 Elliott, Simon, The EU Date Protection Regulation: Timing, Privacy & Data Sec. Blog, Feb. 27, 2013, http://www.privacydatasecurityblog.com/2013/02/27/the-data-protection-regulation-where-are-we/.Google Scholar

256 See supra note 224.Google Scholar

257 O'Connor, John, EU Data Protection Vote Delayed, Lexology, May 8, 2013, http://www.lexology.com/library/detail.aspx?g=781c955a-3fbf-40ba-967a-14cbaf7dfb35; see also Press Release, Libe Committee Vote Backs New EU Data Protection Rules (Oct. 22, 2013), available at http://europa.eu/rapid/press-release_MEMO-13–923_en.htm.Google Scholar

258 See Elliott, , supra note 255.Google Scholar

259 Id. Google Scholar

260 Id.; see also, Grande, Allison, EU Regulators Urge Swift Action on Data Protection Reform, Law360, Dec. 4, 2013, http://www.law360.com/articles/493310/eu-regulators-urge-swift-action-on-data-protection-reform.Google Scholar

261 See supra notes 179180 and accompanying text.Google Scholar

262 See O'Carroll, supra note 200.Google Scholar

263 See supra notes 253254 and accompanying text.Google Scholar

264 Data Protection Regulation, supra note 9, at arts. 4.8 & 7.Google Scholar

265 BDSG, supra note 2, §§ 4.1 & 4(a).1.Google Scholar

266 Compare Data Protection Regulation, supra note 9, at arts. 31 & 32, with Amendment to E-Privacy Directive, supra note 147, at art. 4.3.Google Scholar

267 E-Privacy Directive, supra note 147, at Recital 57.Google Scholar

268 Id. Google Scholar

269 See supra notes 159164 and accompanying text.Google Scholar

270 See supra Part C.II.Google Scholar

271 See Hon, W. Kuan, et. al, supra note 104.Google Scholar

272 See supra notes 248251 and accompanying text.Google Scholar

273 Data Protection Regulation, supra note 9, at art. 60.Google Scholar

274 See supra Part D.Google Scholar

275 See DeSimone, Christian, Pitting Karlsruhe Against Luxembourg? German Data Protection and the Contested Implementation of the EU Data Retention Directive, 11 German L.J. 291, 291 (2010) (noting the “evolving corpus of [data protection] law [in Germany] exhibits a singularly-German mindfulness of the historical significance of abrogating fundamental rights within constitutional democracy”).Google Scholar

276 In a Eurobarometer survey, 69% of Germans questioned think their “specific approval” should be sought before any collection and processing of personal data. Attitudes on Data Protection and Electronic Identity in the European Union, European Commission: Eurobarometer 74.3, Jun. 2011, at 3, http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_fact_de_en.pdf. According to that same survey, only 34% of Germans trust online shops will protect their personal data. Id. Google Scholar

277 Over 70% of Germans shop online. Id. at 1.Google Scholar

278 According to a Berlin study, German consumers will choose companies that offer more protection of their data privacy over companies that offer less protection when there is little or no price differential, but the discrepancy between the companies' privacy policies must be clear. Dr. Nicola Jentzsch et al., Study on Monetising Privacy – An Economic Model for Pricing Personal Information (2012), available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy (“If there are little to no differences in the prices offered by service providers on homogeneous goods, a competitor who has a reduced data requirement (privacy- friendly service provider) can obtain a competitive advantage as long as this type of differentiation is obvious to the consumer”).Google Scholar

279 For example, a successful movement to challenge the 2007 implementation of the EU Data Retention Directive in Germany “consisted of highly-networked civil and digital rights activists, ideologically-heterogeneous students and academics, and German or European NGOs.” Desimone, supra note 275, at 306.Google Scholar

280 The use of media helped raise awareness for the anti-EU Data Retention Directive movement: “The success of German groups in raising public awareness of a highly-technical topic, publicizing their rarely-at-odds messages, and organizing successful demonstrations and legal actions can be attributed to an extraordinarily effective use of new networked media to convey resources, ideas, and people around Germany and Europe.” Id. at 307.Google Scholar