On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This bi-annual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.
During the Conference, four Resolutions were adopted. The following two are of particular interest to the private sector:
The Resolution on this topic expresses the DPAs’ support for the European Commission’s efforts to harmonize data protection law at the European level. In light of recent comments made by the German government and the European Council, the DPAs emphasize the following concepts:
- Personal data can be processed only if the data subject has provided consent or if there is a legal basis for the processing. The DPAs explicitly reject calls by the private sector to create exceptions to this principle, including exceptions for data sets that ostensibly are “inconsequential.”
- Data protection in the public and private sectors should continue to follow the same principles. It would be sensible to set out in the new EU Regulation minimum requirements for employee data protection.
The Resolution on this topic sets forth the principles which manufacturers and providers should follow in connection with ongoing efforts to migrate from Internet Protocol Version 4 (“IPv4”) to Internet Protocol Version 6 (“IPv6”). These principles are supported by a comprehensive guideline (in German) for data protection in the context of IPv6, published on October 26, 2012.
Some of the principles detailed in the Resolution by the DPAs include:
- As a general rule, IPv6 prefixes should be assigned dynamically to end users.
- End users must be able to easily change static IPv6 prefixes assigned to them.
- IPv6 privacy extensions should be enabled by default on user devices. If that is not possible, a user-friendly means of enabling the extensions should be provided.
- Operating system manufacturers must implement strong encryption algorithms in their Transmission Control Protocol (“TCP”) and Internet Protocol (“IP”) stacks.
- Manufacturers of end-user devices should provide appropriate and sensible IPv6-enabled packet filters.
Notably, the DPAs reiterate that, like IPv4 addresses, IPv6 addresses are personal data. The DPAs state that collecting the addresses for uses other than those required in the context of the relevant services must be strictly compliant with data protection legislation and performed on an anonymized basis. Similarly, the IPv6 address may be used to determine the approximate location of an end user device only if the address is anonymized. Anonymizing an IPv6 address currently requires, at a minimum, the deletion of the last 88 bits.
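The 88-bit rule applied to log data, as an added example that is not taken from the Resolution or the DPAs' guideline: it assumes "deletion" means setting the low 88 bits to zero so that only a 40-bit prefix survives. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

REMOVED_BITS = 88  # figure stated in the Resolution; a 40-bit prefix remains
MASK = ((1 << 128) - 1) ^ ((1 << REMOVED_BITS) - 1)

# Candidate tokens: hex digits, colons, dots (embedded IPv4), optional zone id.
_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*(?:%\w+)?")


def anonymize_ipv6(text):
    """Zero the last 88 bits of one address; any zone id is dropped."""
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])
    return str(ipaddress.IPv6Address(int(addr) & MASK))


def _replace(match):
    token = match.group(0)
    # Punctuation may trail the address ("...7348." or "...::1:"), so the
    # token is also tried with trailing dots and one trailing colon removed.
    trimmed = token.rstrip(".")
    shorter = trimmed[:-1] if trimmed.endswith(":") else trimmed
    for cand in (token, trimmed, shorter):
        try:
            return anonymize_ipv6(cand) + token[len(cand):]
        except ValueError:
            continue
    return token  # timestamps, MAC addresses and ports are not IPv6: unchanged


def scrub_line(line):
    """Anonymize every IPv6 address found in one log line."""
    return _CANDIDATE.sub(_replace, line)


# Constructed sample log lines (documentation prefix 2001:db8::/32).
SAMPLE = [
    "2012-11-08T10:15:02Z GET / from [2001:db8:1234:5678:abcd:ef01:2345:6789]:443",
    "link-local neighbour fe80::1ff:fe23:4567:890a%eth0 mac 00:1a:2b:3c:4d:5e",
    "session closed by 2001:db8:85a3:8d3:1319:8a2e:370:7348.",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub_line(entry))
```

Running the scrubber before addresses reach analytics or geolocation storage keeps the full interface identifier and most of the routing prefix out of those systems.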
The previous Conference was held in Potsdam earlier this year, and the DPAs issued Resolutions on the proposed EU reform package, publicly-funded research projects to detect abnormal behavior in public, and the European Investigation Order in criminal matters.