The German government has adopted a draft law that would require telecommunications and internet service providers (ISPs) to retain usage data.

Under the draft law, telecommunications and ISPs would have to retain internet and telephone usage data such as phone numbers, times called, IP addresses and international identifiers of mobile users for a period of 10 weeks. User location would have to be retained for 4 weeks. After this retention period, there is an obligation to destroy the data.

There is also security and localisation requirements to ensure that the data is stored with the highest possible levels of security, within Germany and protected from unauthorised inspection and use

Non-compliance with the requirements would be punishable by a maximum fine of 500,000 Euros.

The Article 29 Data Protection Working Party issues updated guidance on Binding Corporate Rules for data processors

The Article 29 Data Protection Working Party (Working Party) recently issued an update (Update) to its explanatory document that advised data processors (Processors) on the use of Binding Corporate Rules (BCRs).

The Working Party initially published its explanatory note on 19 April 2013 and identified two scenarios in which a non-EU Processor, processing personal data received under BCRs, should notify the controller and the relevant data protection authorities (DPAs) when they are in receipt of a legally binding request for the personal data. These scenarios are:

  • If the non-EU Processor believes that local laws may require it to disclose personal data to non-EU regulators or government agencies it should notify the controller, the processor group’s EU headquarters, and the DPA in the controller’s EU Member State of the local law requirements; and
  • If a non-EU Processor receives a legally binding request for personal data from a non-EU regulator or government agency, the non-EU Processor should notify the controller; the DPA in the controller’s EU Member State; and the lead DPA that approved the processor group’s BCRs.

The Updates do not amend the requirements set out above – instead providing additional guidance including the following:

  • The notification to the DPAs must explain the legal grounds on which disclosure is requested;
  • The competent DPAs must endeavor to respond to notifications from the non-EU processor within a reasonable timeframe; and
  • The disclosures of personal data by a non-EU processor to a local public authority cannot be “massive, disproportionate and indiscriminate in a manner that…would go beyond what is necessary in a democratic society.”

To read a copy of the original explanatory document click here.

To read a copy of the Update click here.