No CrossRef data available.
Published online by Cambridge University Press: 06 March 2019
With the negotiation of its Data Protection Regulation, the European Union seeks to reform an outdated set of laws that has failed to address the evolving data protection challenges inherent in new technologies such as social networks, e-commerce, cloud computing, and location-based services. This article addresses the forthcoming Data Protection Regulation as well as the current state of data protection law in the EU, with a particular focus on Germany. The first part of the article examines Germany's robust data protection framework and the EU's existing authority. The article then raises key issues related to data protection in Germany and the EU—namely, discrepancies in data protection standards and enforcement among EU Member States—as illustrated by recent, high profile cases involving household names like Facebook, Apple, Google, and Amazon. Through this analysis, the article attempts to explain how and why companies doing business in Germany, but established in other EU Member States, are subject to less stringent data protection standards than German companies. Lastly, the article synthesizes the issues in debate with regard to the draft Data Protection Regulation and offers perspectives on what the Regulation could and should mean for data protection in the EU.
1 See, e.g., Surveillance Monitor 2011: Assessment of Surveillance across Europe, Privacy International (2011), https://www.privacyinternational.org/reports/surveillance-monitor-2011-assessment-of-surveillance-across-europe (noting Germany's data protection framework is “amongst the best in the world ….”); National Privacy Ranking 2007 – Leading Surveillance Societies Around the World, Privacy International (2007), available at https://www.privacyinternational.org/sites/privacyinternational.org/files/file-downloads/phrcomp_sort_0.pdf (assigning Germany a higher data privacy ranking in the category of data-sharing than all other EU as well as non-EU countries surveyed).Google Scholar
2 Bundesdatenschutzgesetz [BDSG] [Federal Data Protection Act], repromulgated Jan. 14, 2003, Bundesgesetzblatt, Teil I [BGBl. I] at 66, last amended by Gesetz [G], Aug. 14, 2009, BGBl. I at 2814 [hereinafter BDSG].Google Scholar
3 Telemediengesetz [TMG] [Telemedia Act], Feb. 26, 2007, Bundesgesetzblatt, Teil I [BGBl. I] at 179, last amended by Gesetz [G], May 31, 2010, BGBl. I at 692, at art. 1.Google Scholar
4 See supra note 1.Google Scholar
5 Press Release, OVG Schleswig-Holstein: For Facebook Germany Data Protection Law Does Not Apply, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD) (Independent State Center for Data Protection Schleswig-Holstein), (Apr. 24, 2013), available at https://www.datenschutzzentrum.de/presse/20130424-facebook-klarnamen-ovg-en.htm.Google Scholar
6 EC Directive 95/46/EC of 24 October 1995, O.J. L 281.Google Scholar
7 See supra note 5.Google Scholar
8 Lischka, Konrad & Stöcker, Christian, Data Protection: All You Need to Know about the EU Privacy, Spiegel Online, 18 Jan. 2013, http://www.spiegel.de/international/europe/the-european-union-closes-in-on-data-privacy-legislation-a-877973.html (surmising the new Data Protection Regulation could “lead to … corporations choos[ing] … European headquarters based on the strength, or lack thereof, of data protection supervision in that country” and noting “competition between countries in attracting companies to locate their offices there has already been a phenomenon in the EU for some time now”).Google Scholar
9 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25 2012) [hereinafter “Data Protection Regulation”].Google Scholar
10 Directive 95/46, 1995 O.J. (L 281) [hereinafter “DPD”] (EC).Google Scholar
11 Directive 2002/58, 2002 O.J. (L 201/37) [hereinafter “E-Privacy Directive”] (EC).Google Scholar
12 The EU acknowledges there is a need to “ensure that the fundamental right to data protection is consistently applied.” Delivering an Area of Freedom, Security and Justice for Europe's Citizens: Action Plan Implementing the Stockholm Programme, at 3, COM (2010) 171 final (Apr. 20 2010).Google Scholar
13 For example, the EU's Working Time Directive, 2003/88/EC, gave workers the right to work no more than 48 hours per week; France passed stricter regulations, limiting working hours to 35 hours per week; See French Labour Code, Art. L.212–1 et seq.; Blake, Heidi, The EU Working Time Directive in Detail, The Telegraph, June 9 2010; See also, infra Part B.II. for a discussion of the differences between EU directives and regulations.Google Scholar
14 See, e.g., Dr. Nils Christian Haag, Court: German Data Protection Law is Not Applicable to Facebook, Privacy Europe, Feb. 15 2013, http://www.privacy-europe.com/blog/court-german-data-protection-law-is-not-applicable-for-facebook.Google Scholar
15 DPD, supra note 10, at Art. 4(1)(a).Google Scholar
16 Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, at 3, COM (2012) 9 final (Jan. 25 2012) (noting the DPD “was adopted 17 years ago when the internet was in its infancy).Google Scholar
17 Id. at 2.Google Scholar
18 See supra note 2.Google Scholar
19 Id. Google Scholar
20 BDSG, supra note 2, § 1. The BDSG defines “personal data” as “any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject).” Id. § 3.1.Google Scholar
21 Id. § 2.Google Scholar
22 Id. § 2.1–2.Google Scholar
23 Id. § 2Google Scholar
24 Id. § 2.4.Google Scholar
25 Id. § 2.3.Google Scholar
26 Id. § 5 (emphasis added).Google Scholar
27 The EEA is comprised of EU Member States plus three of four European Free Trade Association (EFTA) members, namely, Iceland, Norway, and Lichtenstein, and establishes a single market between the parties, known as the “internal market.” The fourth member of the EFTA that is not a party to the EEA is Switzerland. See Agreement on the European Economic Area, at 3–522, 1994 O.J. (L 1).Google Scholar
28 A “controller” is defined as “any person or body collecting, processing or using personal data on his or its own behalf or commissioning others to do the same.” BDSG, supra note 2, § 3.7.Google Scholar
29 Id. §§ 4.1, 4(a).1Google Scholar
30 Id. § 28.Google Scholar
31 Id. § 42(a).Google Scholar
32 Id. § 4.1.Google Scholar
33 Id. § 4.1.Google Scholar
34 Id. Google Scholar
35 Id. § 4(a).1.Google Scholar
36 Id. Google Scholar
37 Id. Google Scholar
38 Id. § 3.9.Google Scholar
39 Id. § 4(a).3.Google Scholar
40 Id. § 28.3.Google Scholar
41 Rehder, Jorg & Paez, Mauricio, Germany Strengthens its Data Protection Act and Introduces Data Breach Notification Requirement, 16 BNA Int'l World Data Protection Rep. 1 (2010), http://www.jonesday.com/germany-strengthens-data-protection-act-introduces-data-breach-notification-requirement-10–26–2009/.Google Scholar
42 BDSG, supra note 2, §§ 28.3.3, 34.1(a).Google Scholar
43 Id. §§ 28.1.1, 28.3.1.Google Scholar
44 Id. § 28.3.2.Google Scholar
45 Id. § 28.3.3. See also supra note 41.Google Scholar
46 The other three categories are 1) “special types of personal data” as described in Section 3.9, including data on race, ethnicity, political opinions, religious or philosophical beliefs, union membership, health, or sex life. 2) “personal data subject to professional secrecy,” and 3) “personal data related to criminal offences or administrative offences or the suspicion [thereof].” BDSG, supra note 2, § 42(a).Google Scholar
47 Id. Google Scholar
48 Id. Google Scholar
49 Id. Google Scholar
50 Id. Google Scholar
51 Gesetz Gegen den Unlauteren Wettbewerb [UWG] [Act Against Unfair Competition], Mar. 3 2010, Bundesgesetzblatt, Teil I [BGBl. I], last amended by Gesetz [G], Mar. 3, 2010, BGBL. I at 254 [hereinafter UWG].Google Scholar
52 Id. § 1.Google Scholar
53 Id. § 4.1.Google Scholar
54 Id. § 4.2.Google Scholar
55 Id. § 4.3.Google Scholar
56 Id. § 4.10.Google Scholar
57 Id. § 4.11.Google Scholar
58 Id. §§ 5, 5(a).Google Scholar
59 Id. § 7.Google Scholar
60 Id. § 6.Google Scholar
61 Id. § 8.Google Scholar
62 Id. § 8.2(3).Google Scholar
63 Bundesgerichtshof [BGH - Federal Court of Justice], Case No. I ZR 164/09 (Feb. 10, 2011), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=I%20ZR%20164/09; Landgericht [LG (Berlin) - Regional Court], Case No. 15 O 346/06 (Jan. 23, 2007), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=15%20O%20346/06; Amtsgericht [AG – (Berlin-Mitte) - Local Court], Case No. 21 C 43/08 (June 11, 2008), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=21%20C%2043/08; Landgericht [LG (Essen) - Regional Court], Case No. 4 O 368/08 (Apr. 20, 2009), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=4%20O%20368/08. But see, Oberlandesgericht [OLG - (München) Higher Regional Court], Case No. 29 U 1682/12 (Sept. 27, 2012), http://dejure.org/dienste/vernetzung/rechtsprechung?Text=29%20U%201682/12 (holding the “Check-Mail”—the initial email confirming an individual's consent to receive advertising email—of the double opt-in method can constitute spam).Google Scholar
64 Englehardt, Tim, Is Double Opt-In Dead?, German IT Law blog, Nov. 26, 2012, http://germanitlaw.com/?p=902.Google Scholar
65 Id. Google Scholar
66 Id. Google Scholar
67 UWG, supra note 51, § 8.Google Scholar
68 Id. § 12.1.Google Scholar
69 See supra note 3.Google Scholar
70 Defined as “services normally provided for remuneration consisting in, or having as their principal feature, the conveyance of signals by means of telecommunications networks, and includes transmission services in networks used for broadcasting.” Telekommunikationsgesetz [TKG] [Telecommunications Act], June 22, 2004, Bundesgesetzblatt, Teil I [BGBl. I] at 1190, last amended by Gesetz [G], 3 May 2013, BGBl. I at 958, art. 1, § 3.24.Google Scholar
71 TMG, supra note 3, § 1.1.Google Scholar
72 See Sokoll, Karen & Enaux, Christoph, Germany—New Telemedia Act Introduced, Linklaters: Technology, Media & Telecomms. News, Mar. 24, 2007, http://www.linklaters.com/Publications/Publication1403Newsletter/PublicationIssue20070324/Pages/PublicationIssueItem2217.aspx.Google Scholar
73 Gesetz über die Nutzung von Telediensten (Teledienstegesetz) [Teleservices Act], July 22, 1997, Bundesgesetzblatt, Teil I [BGBl. I] at 1870.Google Scholar
74 Staatsvertrag über Mediendienste (Mediendienste-Staatsvertrag) [Federal Media Services Treaty], Jan. 20 – Feb. 12, 1997, ratified June 19, 1997, Niedersachsen Gesetz- und Verordnungsblatt [GVBl.] 280.Google Scholar
75 Gesetz über den Datenschutz bei Telediensten (Teledienstedatenschutzgesetz) [Teleservices Data Protection Act], July 22, 1997, Bundesgesetzblatt, , Teil I [BGBl. I] at 1870. See, e.g., Krieg, Henning, German Telemedia Act Introduces New Rules for New Media, Bird & Bird, Mar. 30, 2007, http://www.twobirds.com/English/News/Articles/Pages/2007/German_Tele_Media_Act_new_rules.aspx.Google Scholar
76 TMG, supra note 3, § 3.Google Scholar
77 The TMG defines “established service provider” as “every provider who uses who uses a fixed facility for an indefinite period to offer or provide telemedia on a commercial basis” and notes further that “the location of the technical facility alone does not determine that the provider is established.” Id. § 2.2.Google Scholar
78 Id. § 3.1.Google Scholar
79 Id. § 3.2.Google Scholar
80 Id. §§ 6.1.1–2.Google Scholar
81 Id. §§ 6.1.3–4.Google Scholar
82 Id. § 6.1.4.Google Scholar
83 Id. § 12.1.Google Scholar
84 Id. § 12.3.Google Scholar
85 Id. § 13.1.Google Scholar
86 Id. § 13.4.1.Google Scholar
87 Id. § 13.4.2.Google Scholar
88 Id. § 13.4.3.Google Scholar
89 Id. § 13.6.Google Scholar
90 Id. § 13.6.Google Scholar
91 Id. § 13.4.6.Google Scholar
92 Id. § 15.3.Google Scholar
93 Id. Google Scholar
94 Id. Google Scholar
95 Consolidated Version of the Treaty on the Functioning of the European Union, Oct. 26, 2012, 2012 O.J. (C 326) 47 [hereinafter “TFEU”].Google Scholar
96 Consolidated Version of the Treaty on European Union, Oct. 26, 2012, 2012 O.J. (C 326) 13 [hereinafter “TEU”].Google Scholar
97 Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Communities, Dec. 13, 2007, 2007 O.J. (C 306) 1 [hereinafter “Lisbon Treaty”].Google Scholar
98 Charter of Fundamental Rights of the European Union, Mar. 30, 2010, 2010 O.J. (C 83) 2 [hereinafter “Charter”].Google Scholar
99 Regulations, Directives, and Other Acts, European Union, http://europa.eu/eu-law/decision-making/legal-acts/index_en.htm.Google Scholar
100 TFEU art. 288. See also, supra note 10.Google Scholar
101 Transposition is “a process by which the European Union's member states give force to a directive by passing appropriate implementation measures.” Transposition (law), Wikipedia, Mar. 9, 2013, http://en.wikipedia.org/w/index.php?title=Transposition_(law)&oldid=543106078.Google Scholar
102 See supra note 100.Google Scholar
103 Id. Google Scholar
104 See supra note 13; see also, Hon, W. Kuan, et. al, Data Protection Jurisdiction and Cloud Computing—When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3, 26 Int'l Rev. of Law, Computers & Tech. 129, 135 (2012).Google Scholar
105 TFEU art. 288.Google Scholar
106 Id. Google Scholar
107 Charter art. 8.Google Scholar
108 Id. at art. 391.Google Scholar
109 Id. at art. 8.1.Google Scholar
110 Id. at art. 8.2.Google Scholar
111 Id. Google Scholar
112 Id. Google Scholar
113 Id. at art. 8.3.Google Scholar
114 Commission Regulation 45/2001, 2000 O.J. (L 8) (EC)Google Scholar
115 See supra note 97.Google Scholar
116 Id. Google Scholar
117 TFEU art. 16.1.Google Scholar
118 TFEU art. 16.1.Google Scholar
119 DPD, supra note 10, § 3.1.Google Scholar
120 Id. at arts. 1.1.-2.Google Scholar
121 Id. Google Scholar
122 Id. at art. 2(a).Google Scholar
123 Id. at art. 2(b).Google Scholar
124 Id. at art. 2(h).Google Scholar
125 Id. at art. 4(1)(a) (emphasis added).Google Scholar
126 Id. See also, W. Kuan Hon, et. al, supra note 104.Google Scholar
127 See infra notes 141–143 and accompanying text for a discussion of the Art. 29 Data Protection Working Party.Google Scholar
128 Opinion of The Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, 2010 O.J. (L 281) at Part III, § 1(b).Google Scholar
129 Id. (emphasis in original).Google Scholar
130 Id. Google Scholar
131 DPD, supra note 10, at art. 7(a).Google Scholar
132 Id. at art. 7(b).Google Scholar
133 Id. at art. 7(c).Google Scholar
134 Id. at art. 7(d).Google Scholar
135 Id. at art. 7(e).Google Scholar
136 Id. at arts. 1.1 & 7(f). Article 1.1 of the DPD refers to the “fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” Id. at art. 1.1.Google Scholar
137 Id. at art. 28.1.Google Scholar
138 Id. at art. 7(a).Google Scholar
139 BDSG, supra note 2, §§ 4.1 & 4(a).1.Google Scholar
140 DPD, supra note 10, arts. 8.1–2(a). See also, BDSG, supra note 2, § 3.9.Google Scholar
141 DPD, supra note 10, at art. 29.Google Scholar
142 Id. at art. 29.1.Google Scholar
143 Id. at art. 29.2; see also, Member of the Article 29 Working Party, European Commission: Justice, June 2, 2014, http://ec.europa.eu/justice/data-protection/article-29/structure/members/index_en.htm#h2–7 (last visited Feb. 22, 2014).Google Scholar
144 Article 30 states, “The Working party shall … examine any question covering the application of the national measures adopted under [the Data Protection Directive] in order to contribute to the uniform application of such measures.” DPD, supra note 10, at art. 30.1(a).Google Scholar
145 Id. at art. 30.1(c).Google Scholar
146 Art. 29 Data Protection Working Party, Opinion 01/2012 on the Data Protection Reform Proposals, 00530/12/EN, WP 191 (Mar. 23, 2012), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp191_en.pdf; see also, e.g., Art. 29 Data Protection Working Party, Opinion 08/2012 Providing Further Input on the Data Protection Reform Discussions, 01574/12/EN, WP199 (Oct. 5, 2012).Google Scholar
147 Council Directive 2002/58, 2002 O.J. (L 201), art. 1.1 (EC) [hereinafter “E-Privacy Directive”], available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML.Google Scholar
148 Id. at art. 4.2.Google Scholar
149 Council Directive 2009/136, 2009 O.J. (L 337/11) (EC) (amending Council Directive 2002/22, 2002 O.J. (L 108) (EC), E-Privacy Directive, supra note 147, and Council Regulation No. 2006/2004, 2009 O.J. (L 337/11) (EC)) [hereinafter “Amendment to E-Privacy Directive”], available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF.Google Scholar
150 Amendment to E-Privacy Directive, supra note 149, at art. 4.3.Google Scholar
151 Amendment to E-Privacy Directive, supra note 149, at art. 2(c).Google Scholar
152 Amendment to E-Privacy Directive, supra note 149, at art. 4.3.Google Scholar
153 Data Protection Regulation, supra note 9, at art. 31–32.Google Scholar
154 E-Privacy Directive, supra note 147, at art. 2(c).Google Scholar
155 E-Privacy Directive, supra note 147, at art. 2(c) (emphasis added).Google Scholar
156 Council Directive 09/31, art. 19, 2000 O.J. (L 178) (EC) (emphasis added).Google Scholar
157 Id. Google Scholar
158 Id. at recital 57.Google Scholar
159 Id. See also, D.H.M. Segers v. Bestuur van de Bedrijfsvereniging voor Bank- en Verzekeringswezen, Groothandel en Vrije Beroepen, CJEU Case C-79/85, 1986 E.C.R I-2375; Centros Ltd v. Erhvervs- og Selskabsstyrelsen, CJEU Case C-212/97, 1999 ECR I-1459.Google Scholar
160 Centros, CJEU Case C-212/97 at para. 24.Google Scholar
161 Id. at para. 25.Google Scholar
162 Id. at para. 29. See also, D.H.M. Segers, CJEU Case C-79/85 at para. 16; Tom O'Shea, Tax Avoidance and Abuse of EU Law, 11 EC Tax J. 77 (2010), http://www.ccls.qmul.ac.uk/docs/staff/oshea/52174.pdf.Google Scholar
163 Centros, CJEU Case C-212/97 at para. 27.Google Scholar
164 TFEU, supra note 95, at art. 49 (stating that “restrictions on the freedom of establishment of nationals of a Member State in the territory of another Member State shall be prohibited”).Google Scholar
165 TFEU, supra note 95, at art. 34–36.Google Scholar
166 TMG, supra note 3, § 13.6.Google Scholar
167 Press Release, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD) [Independent State Center for Data Protection Schleswig-Holstein], ULD Issues Orders Against Facebook Because of Mandatory Real Names (Dec. 17, 2012), https://www.datenschutzzentrum.de/presse/20121217-facebook-real-names.htm.Google Scholar
168 See Press Release, ULD, supra note 5.Google Scholar
169 Id. Google Scholar
170 TMG, supra note 3, § 13.6 (guaranteeing an individual's right to anonymous or pseudonymous use of telemedia services).Google Scholar
171 See Press Release, ULD, supra note 5.Google Scholar
172 Id. Google Scholar
173 Verwaltungsgericht [VG - Administrative Court], Case No. 8 B 60/12 (Feb. 14, 2013) (Ger.), https://www.datenschutzzentrum.de/facebook/Facebook-Ireland-vs-ULD-Beschluss.pdf; see also, Schleswig-Holstein Administrative Court, Verwaltungsgericht gibt Eilanträgen von Facebook statt [Administrative Court Grants Facebook's Application for Interim Relief], Feb. 15, 2013, http://www.schleswig-holstein.de/OVG/DE/Service/Presse/Pressemitteilungen/15022013VG_facebook_anonym.html.Google Scholar
174 Supra note 173, See also, BDSG, supra note 2, § 5; DPD, supra note 10, at art. 4(1)(a).Google Scholar
175 Id. Google Scholar
176 The Irish Data Protection Commissioner audited Facebook Ireland Ltd. in December 2011 and published a review of Facebook's implementation of the audit recommendations the following year, reporting that Facebook had “advanced sufficient justification for child protection and other reasons for their policy of refusing pseudonymous access to its services.” Irish Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit 11, 50–51 (Sept. 21 2012), http://dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf.Google Scholar
177 See Press Release, ULD, supra note 5.Google Scholar
178 Council Directive 2000/31, 2000 O.J. (L 178), at recital 22 (EC).Google Scholar
179 The draft Data Protection Regulation utilizes the marketplace principle with regard to third parties located outside the EU, but doing business within or directing services toward the EU: “Those who intend to do business in Europe and want to collect personal data in this context should also be subject to European data protection law when servers and corporate headquarters are located outside the EU (marketplace principle).” Schaar, Peter, EU Data Protection Package: A Real Chance for Better Data Protection!, The Fed. Commissioner for Data Protection & Freedom of Info., Mar. 19, 2012, http://www.bfdi.bund.de/EN/PublicRelations/SpeechesAndInterviews/blog/EUDataprotectionPackage.html?nn=1269676.Google Scholar
180 Landgericht [LG - District Court], Case No. 15 O 92/12 (Apr. 30, 2013), http://www.vzbv.de/cps/rde/xbcr/vzbv/Urteil_des_LG_Berlin_zur_Datenschutzrichtlinie_von_Apple.pdf.Google Scholar
181 Hunton & Williams LLP, German Court Rules Apple's Privacy Policy Violates German Law, May 8, 2013, http://www.huntonprivacyblog.com/2013/05/articles/german-court-rules-apples-privacy-policy-violates-german-law/.Google Scholar
182 Datenklauseln von Apple rechtswidrig [Data Clauses of Apple Illegal], The Consumer Federation (VZBZ), May 7, 2013, http://www.vzbv.de/11558.htm.Google Scholar
183 15 O 92/12 (Ger.).Google Scholar
184 Essers, Loek, Apple's Privacy Policy Violates German Data Protection Law, Computerworld, May 7, 2013, http://www.computerworld.com/s/article/9238978/Apple_39_s_privacy_policy_violates_German_data_protection_law_Berlin_court_rules.Google Scholar
185 15 O 92/12 (Ger.).Google Scholar
186 Essers, supra note 184.Google Scholar
187 See 15 O 92/12 (Ger.).Google Scholar
188 Williams, Christopher, Google Could Face EU “Repressive Action” on Privacy, The Telegraph, Feb. 18, 2013, http://www.telegraph.co.uk/technology/google/9877694/Google-could-face-EU-repressive-action-on-privacy.html.Google Scholar
189 Id. Google Scholar
190 Id. Conditioning use of online services on consent runs afoul of TMG, supra note 3, § 12.3.Google Scholar
191 Williams, , supra note 188.Google Scholar
192 Id. Google Scholar
193 Id. Google Scholar
194 Pfanner, Eric, Google Faces More Inquiries in Europe over Privacy Policy, N.Y. Times, Apr. 2, 2013, http://www.nytimes.com/2013/04/03/technology/google-to-face-national-regulators-over-privacy-policy.html?_r=0.Google Scholar
195 Williams, , supra note 188.Google Scholar
196 Essers, Loek, Berlin Court Rules Google Privacy Policy Violates Data Protection Law, PCWorld, Nov. 20, 2013, http://www.pcworld.com/article/2065320/berlin-court-rules-google-privacy-policy-violates-data-protection-law.html.Google Scholar
197 Landgericht [LG - District Court], Case No. 15 O 402/12 (Nov. 19, 2013), http://www.berlin.de/sen/justiz/gerichte/kg/presse/archiv/20131217.1510.392784.html (Ger.).Google Scholar
198 Meyer, David, German Court Chides Google over Its Vague Privacy Policy and Terms, Gigaom, Nov. 20, 2013, http://gigaom.com/2013/11/20/german-court-chides-google-over-its-vague-privacy-policy/.Google Scholar
199 Bhatti, Jabeen, Berlin Court Rules Google Privacy Policy Too Vague; Internet Giant Set to Appeal, Bloomberg BNA, Nov. 25, 2013, http://www.bna.com/berlin-court-rules-n17179880340/.Google Scholar
200 O'Carroll, Lisa, If Google Is in Ireland for Tax Reasons, Why Are Most of Its Profits in Bermuda?, The Guardian, Mar. 24, 2011, http://www.guardian.co.uk/business/ireland-business-blog-with-lisa-ocarroll/2011/mar/24/google-ireland-tax-reasons-bermuda.Google Scholar
201 Steadman, Ian, Google Fined by German Regulator over Street View Privacy Breach, Wired, Apr. 22, 2013, http://www.wired.co.uk/news/archive/2013–04/22/google-germany-fine.Google Scholar
202 Id. Google Scholar
203 Geiger, Friedrich, German City of Hamburg Fines Google over Street View Service, Wall St. J. Online, Apr. 22, 2013, http://online.wsj.com/article/SB10001424127887324874204578438714112912742.html# (noting the Hamburg Commissioner for Data Protection “ordered [Google] to pay 145,000 euros ($189,000) for collecting data of private Wi-Fi networks when Google's cars drove through the streets [of Hamburg] to take pictures from 2008 until 2010”).Google Scholar
204 Steadman, , supra note 201.Google Scholar
205 The fine “represents about 0.002 percent of [Google's] total net profit in 2012.” Whittaker, Zack, Germany Fines Google for “Unprecedented” Street View Wi-Fi Data Breach, ZDNet, Apr. 22, 2013, http://www.zdnet.com/germany-fines-google-for-unprecedented-street-view-wi-fi-data-breach-7000014337/.Google Scholar
206 Brignall, Miles, Amazon's Luxembourg Base Means Improved Consumer Rights, The Guardian, Apr. 30, 2010, http://www.guardian.co.uk/money/2010/may/01/amazon-luxembourg-improved-consumer-rights.Google Scholar
207 Id. Google Scholar
208 Id. Google Scholar
209 Council Directive 99/44, 1999 O.J. (L 171/12), at art. 5.1 (EC).Google Scholar
210 Two-Year Warranty (EU Law), This is Money, Jan. 26, 2010, http://www.thisismoney.co.uk/money/bills/article-1677034/Two-year-warranty-EU-law.html.Google Scholar
211 See Brignall, , supra note 206.Google Scholar
212 Id. Google Scholar
213 Id. Google Scholar
214 According to the UK European Consumer Centre's website, “[t]he network of European Consumer Centres (ECC-Net) serves EU consumers shopping for goods and services on the European market, providing them with advice on their EU consumer rights and helping them with their disputes with traders in other EU countries.” UK European Consumer Centre, http://www.ukecc.net/about/index.cfm.Google Scholar
215 See Brignall, , supra note 206.Google Scholar
216 Id. Google Scholar
217 Id. Google Scholar
218 Id. Google Scholar
219 Data Protection Regulation, supra note 9, at 2 (referencing Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, COM (2010) 609 Final (Nov. 4, 2010)).Google Scholar
220 Id. Google Scholar
221 Id. Google Scholar
222 Id. § 2 of the Explanatory Memorandum.Google Scholar
223 Id. §§ 3.1–.2 of the Explanatory Memorandum. Once the Regulation is passed by the EU, Member States will have an additional two years to bring national laws into line with the Regulation. Id. at art. 91.Google Scholar
224 Examples of other issues currently in negotiation are data portability, the use of plain language by data controllers, penalties for noncompliance, and appointment of a data protection officer at companies over a certain size. Q&A on EU Data Protection Reform, European Parliament (Oct. 22, 2013, 10:13 AM), http://www.europarl.europa.eu/news/en/pressroom/content/20130502BKG07917/html/QA-on-EU-data-protection-reform.Google Scholar
225 Data Protection Regulation, supra note 9, at art. 17.Google Scholar
226 See id. at art. 17.1.Google Scholar
227 See id. at art. 17.3(a).Google Scholar
228 See id. at art. 17.3(b).Google Scholar
229 See id. at art. 17.3(c).Google Scholar
230 See id. at art. 17.3(d).Google Scholar
231 See id. at art. 4.8 & 7.Google Scholar
232 See id. at art. 4.8.Google Scholar
233 See id. at art. 7.3.Google Scholar
234 See id. at art. 7.4.Google Scholar
235 See id. at art. 19.2.Google Scholar
236 Id. Google Scholar
237 See id. at art. 20.1.Google Scholar
238 Id. Google Scholar
239 See id. at art. 20.2(a).Google Scholar
240 See id. at art. 20.2(b).Google Scholar
241 See id. at art. 20.2(c).Google Scholar
242 See id. § 3.4.7.2 of the Explanatory Memorandum.Google Scholar
243 Id. at art. 57.Google Scholar
244 See id. at art. 64.Google Scholar
245 See id. at arts. 58.3–.4.Google Scholar
246 See id. at art. 58.7.Google Scholar
247 See id. at art. 59.1.Google Scholar
248 See id. at arts. 58.8, 59.2, 59.4.Google Scholar
249 See id. at art. 60.Google Scholar
250 See id. at arts. 3.1, 4.13.Google Scholar
251 See id. at art. 3.1; see also, DPD, supra note 10, at art. 4(1)(a).Google Scholar
252 Data Protection Regulation, supra note 9, at art. 3.2.Google Scholar
253 See supra note 224. Several groups have proposed amendments, including MEP Jan Philipp Albrecht, the LIBE rapporteur, on behalf of the Parliament, and Germany. Data Protection Regulation, supra note 9, at art. 3.2. See also, Press Release, German Minister for the Interior Hans-Peter Friedrich and EU Justice Commissioner Viviane Reding Emphasise the Importance of the EU General Data Protection Regulation for the Digital Single Market and the Protection of Fundamental Rights in Europe (Mar. 7, 2013), available at http://europa.eu/rapid/press-release_MEMO-13–177_en.htm?locale=en.Google Scholar
254 See Press Release, German Minister for the Interior Hans-Peter Friedrich and EU Justice Commissioner Viviane Reding Emphasise the Importance of the EU General Data Protection Regulation for the Digital Single Market and the Protection of Fundamental Rights in Europe (Mar. 7, 2013), available at http://europa.eu/rapid/press-release_MEMO-13–177_en.htm?locale=en.Google Scholar
255 Elliott, Simon, The EU Date Protection Regulation: Timing, Privacy & Data Sec. Blog, Feb. 27, 2013, http://www.privacydatasecurityblog.com/2013/02/27/the-data-protection-regulation-where-are-we/.Google Scholar
256 See supra note 224.Google Scholar
257 O'Connor, John, EU Data Protection Vote Delayed, Lexology, May 8, 2013, http://www.lexology.com/library/detail.aspx?g=781c955a-3fbf-40ba-967a-14cbaf7dfb35; see also Press Release, Libe Committee Vote Backs New EU Data Protection Rules (Oct. 22, 2013), available at http://europa.eu/rapid/press-release_MEMO-13–923_en.htm.Google Scholar
258 See Elliott, , supra note 255.Google Scholar
259 Id. Google Scholar
260 Id.; see also, Grande, Allison, EU Regulators Urge Swift Action on Data Protection Reform, Law360, Dec. 4, 2013, http://www.law360.com/articles/493310/eu-regulators-urge-swift-action-on-data-protection-reform.Google Scholar
261 See supra notes 179180 and accompanying text.Google Scholar
262 See O'Carroll, supra note 200.Google Scholar
263 See supra notes 253254 and accompanying text.Google Scholar
264 Data Protection Regulation, supra note 9, at arts. 4.8 & 7.Google Scholar
265 BDSG, supra note 2, §§ 4.1 & 4(a).1.Google Scholar
266 Compare Data Protection Regulation, supra note 9, at arts. 31 & 32, with Amendment to E-Privacy Directive, supra note 147, at art. 4.3.Google Scholar
267 E-Privacy Directive, supra note 147, at Recital 57.Google Scholar
268 Id. Google Scholar
269 See supra notes 159164 and accompanying text.Google Scholar
270 See supra Part C.II.Google Scholar
271 See Hon, W. Kuan, et. al, supra note 104.Google Scholar
272 See supra notes 248251 and accompanying text.Google Scholar
273 Data Protection Regulation, supra note 9, at art. 60.Google Scholar
274 See supra Part D.Google Scholar
275 See DeSimone, Christian, Pitting Karlsruhe Against Luxembourg? German Data Protection and the Contested Implementation of the EU Data Retention Directive, 11 German L.J. 291, 291 (2010) (noting the “evolving corpus of [data protection] law [in Germany] exhibits a singularly-German mindfulness of the historical significance of abrogating fundamental rights within constitutional democracy”).Google Scholar
276 In a Eurobarometer survey, 69% of Germans questioned think their “specific approval” should be sought before any collection and processing of personal data. Attitudes on Data Protection and Electronic Identity in the European Union, European Commission: Eurobarometer 74.3, Jun. 2011, at 3, http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_fact_de_en.pdf. According to that same survey, only 34% of Germans trust online shops will protect their personal data. Id. Google Scholar
277 Over 70% of Germans shop online. Id. at 1.Google Scholar
278 According to a Berlin study, German consumers will choose companies that offer more protection of their data privacy over companies that offer less protection when there is little or no price differential, but the discrepancy between the companies' privacy policies must be clear. Dr. Nicola Jentzsch et al., Study on Monetising Privacy – An Economic Model for Pricing Personal Information (2012), available at http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy (“If there are little to no differences in the prices offered by service providers on homogeneous goods, a competitor who has a reduced data requirement (privacy- friendly service provider) can obtain a competitive advantage as long as this type of differentiation is obvious to the consumer”).Google Scholar
279 For example, a successful movement to challenge the 2007 implementation of the EU Data Retention Directive in Germany “consisted of highly-networked civil and digital rights activists, ideologically-heterogeneous students and academics, and German or European NGOs.” Desimone, supra note 275, at 306.Google Scholar
280 The use of media helped raise awareness for the anti-EU Data Retention Directive movement: “The success of German groups in raising public awareness of a highly-technical topic, publicizing their rarely-at-odds messages, and organizing successful demonstrations and legal actions can be attributed to an extraordinarily effective use of new networked media to convey resources, ideas, and people around Germany and Europe.” Id. at 307.Google Scholar