Y!:1I9!A2-4#Aß7 A BfDI-1... · 2016. 12. 1. · HIPAA Onrnlbtrc RuIe Amendments On September 23,...

VS - Nur für den Dienstgebrauch

Die Bundesbeauftragtefür den Datenschutz unddie lnf orrnationsfreiheit

PüSTANSCHRIFT Die BundesbeaufEagte für den DatenschuE und die Informationsfteiheit,Posrfach t+68 530ü'+ Bonn

Deutscher BundestagSekretariat des1 . UntersuchungsausschussesPlatz der Republik 1

1 101 1 Berlin

BETREFF

HIER

Rtr7t tn

HAUSANSCHRTFT Husarenstraße 30, 531 17 Bonn

vrRarxouNcseüRo Friedrichstraße 50, 10117 Berlin

TELEFoN (0228) 997799-515

TELEFAX (0228) 997799-550

E-MAIL [email protected]

BEARBETTETVoN Birgit Perschke

TNTERNET www,datenschutz.bund.de

DATUM Bonn, 17.06.2014

GESCHAnSz PGNSA-660-2/001#0001 VS-NfD

Bitte geben Sie das vorstehende Geschäftszeichen bei

allen Antwortschreiben unbedingt an.

Deutscher Bundestag1. IJntersuchungs aus s chuss'

der 1-8. WahlPeriode

uesa splzu A-Drs.: ü

tie"nü sBeweiserhebungsbeschlüsse BfDI-1 und BfDl-zÜbersendung der Beweismittel

:Beweisbeschluss BfDl-1 sowie BfDI-2 vom 10. Aprü 2A14

ln der Anlage übersende ich Ihnen die offenen bzw. gem. Sicherheitsüberprüfungs-gesetz (SÜG) i. V. m. der Allgemeinen Venrualtungsvorschrift des Bundesministeri-ums des lnnern zum materiellen und organisatorischen Schutz von Verschlusssa-chen (VS-Anweisung - VSA) als VS-Nur für den Dienstgebrauch eingestuften und

von den o.g. Beweisbeschtüssen umfassten Beweisrnittel.

lch möchte darauf hinweisen, dass die in der zusätzlich anliegenden Liste bezeichne-ten Unterlagen des Referates VIll (Datenschutz bei Telekornmunikations-, Tele-medien- und Postdiensten) Betriebs- und Geschäftsgeheimnisse'der jeweils be-

troffenen Unternehmen beinhalten und bitte um eine entsprechende Einstufung und

Kennzeichnung des Materials.

ZUSTELL- UND LIEFERANSCHRIFT Husarenstraße 30, 531 17 Bonn

VERKEHRSANBINDUNG Sfaßenbahn 61, Husarenstraße

utecher Bundestagt, Untereuchungsausschuss

1 9. Juni 201It

20919na14

MAT A BfDI-1-2-VIIIj.pdf, Blatt 1

Die Bundesbea uftragtefür den Dätenschutz"unddie,lnformationsfreiheit j,:;.-

:

:


sErrE2v0Nl lnsgesamt werden folgende Akten bzw. Aktenbestandteile und sonstige Unterlagenübermittelt:

-=G*q-q-qhqfl-§-ugighgüj.=i*Bsjrefi --: --: -- =...--i1,,'.,- =.:.-,--.-r--,.-i,.-G-üi.--Eätü$/4-ei!ia.u[i:--t-041t14#0014 Wissenschaftl. Beirat GDD, Proto- 16.10.2013

koll

l-100#/001#0025 Asqw-ef us--Ke-?li!e!-s-vp_rlrru-__________19-1?2p_13

!:Iffii I929t9}ta.l_.l_sZo_oE_q_o_qI

r-1 32/001#0087 Ihene-ne-nfl -e-L{u-rs--v-e-r-Ee-r-le--ter}r__?g!9:Uql-132,tA01#0087 Ib en_e_ilaln_{q q§ _8 § K 22.08.2013

l-132t0a1#0087 P§-6:U-mlaulfflq--c-lließuns .- 38=q-q2q:lQI-1 32/001 #0087

l-132/001#0087

l-1321001#0087 Protokoll der 86. DSK 03.02.24Ml-1 32i001#0087 Pressemitteilung zutTt B. Europ. 12.02.2A14

-o--9:f-as----r-1 32/001#0087 Protokoll der 86. DSK, Korr. Fas- 04.04.2014

I ::1 ? ?9 _ol t q_0_8_-B_ _

r-1 32/001 #0088

To-Anmeldunq 87. DSK1g_9J.lJ*--b.Ä 17.03.2414

Vorl. TO 87. DSK a9..qpjq:L+ _

02.09.2013l-133/001#0058 Vorbereitende U nterlag en

D.dorfer Kreis

l-1 33i001#0058 Protokoll D.dorfer Kreis, Endfas- 13.01 .2014

_§_L{119-

I-133/001#0061 Vorbereitende U nterlagen 18.02.24ßD.dorfer Kreis

lll-460BMA/O15#1196 Personalwesen Jobcenter ab 1 8.12.201318.12.2013

v.660/007#0007 Datenschutz in den USA

Si cherheitsgesetzgebu ng und

Datenschutz in den USAJPatriot

Act/PRISM

v-660i0a7ffi420 BfV Kontrolle Überrnittlung von

_-__ _ U_N__z-_u_ au g_La$1_ssh _eI §l_41 ruv-660/007#1424 Kontrolle der deutsch-

amerikan ischen Kooperation

-E-N P _Er nfls.hi ulg_ F a[-A LF iirr g

Y!:1I9!A2-4#Aß7 Grundschutztool, Rolle dqs BS! Juli-August 2013


Die Bundesbeauftragtefür den Datenschutz unddie_ Inf orrn ationsf reih e it


sErTE 3voN - '{äirräll!-iEi.tuh-;:--." i.r--=j,------"--=''':-=f_r.i.',':cilüiulliiädäuüfl,

Vl-170i007-34113 GEH. Sicherheit in Bad Aibtinq 18.A2.2014

._ur j_r*ü"§t_qe.ry_qosi_..n;i;;;;h,t=iil;üil_--

Yih?9l.oj-ryq:1-1q -.-.'**n"aeil= - -..-..-...:....-........ ..-"---.. "..-.".--.- ...vil-261/A72#0320 I nternationale Datentransfers -

Zugriff von Exekutivbehörden im

Empfängerland oder in Drittstaa-

tenvll-260/413#0214 Zusatzprotokoll zum internationa-

[en Pakt über bürgerliche und poli-

Irsslp- ßpqhie 0_c9_f ru _

Deutsche Telekom AG (DTAG) 24.06.-17.09.2013

Kontrolle Yahoo Deutschland 07.1 1 .2013-

04. 03.20 1 4

StrategischeFernmeldeübelwa- 25.06. -12122013

vlH-191i086#0305*.,} . +J I\i4 *'r,;Y .i v

.rrt .PYh*1j

-4,i.Y' ;:', - 'Jt

a!lg--e-rq:lI nformatIons besuch Syn iverse 24.09. - 12.11.2Aß

I_eqEreLss!es

" vt fi-192t11 5#01 45

_:ts vil l-1 931006#1 399

ellurc

l{!11-Lgg9a§fl420 _._ DE-cx_ ____.__?.9:q8.-23.08.2013 __ylUl_gggq§fl 426 _._.-_ Level (CI__--______q!'0_9.:lgq9_?g1x __-ä urr-1eg_QqQ4119-9__-\&deto-!9_Ba§§9!q!!9!qn ___gg.1o_..--__l_q.11.20ß-.- v5-(141L1999!].4]-s§§__.___-.rou!ixg_rs!s!9mnc41!4!err_ 0_3.0e. - 18.1.q!!]!_ _.14.!.L1931929E9?9.3__.!_ss!$lF_Lelelqr!_(Ec.BL_____05.07. - 08.08.2013___

_VIlll9t-2t091ü99r __J.pdinende(o_!r__-_*__._.__q!,L0_e.qL2 !_1 3___Vlll-193-2/006#0603 Google Mail 09.07.2013 -

-ür'!4qq1*[email protected] ---_---_+_\1lL§Q.1_:1_l91Qtql3Z__§itzc!ser 30l!.___. _ v$ vvrrt-501-1/010#4450___-_!!!9ßre!9!aliy3l!!9jl9!p_?q13___-1z08:_L2J?ZoJ3 _

j[]I.§q];!|0l_a#9-92__lnternational r{orkins-St9y!./qf__ 1q.04. - 05.0q.2q14 __-_

J_yUfpftfpßto73J_ lnternettaskforce og.O7.-21.1o-2o,t3 VöYVIII-S01-11OZG#0738 AK Medien 13 06.2013 -


:.:

:i

VS - Nur für den DienstgebrauchDie Bundesbeauftragte'für den Datenschutz unddie lnformationsfreiheit

-U lll[:l-e9-4ll§q vq Era s-qB e{el4ff c ryi ewq 21 .01.2A14

09.10. - 28. 11 .2A13-v-lLL-U:-2---q:U9#q9l-q

EU DS-Rili Art. 29

Vlll-M-40/s#0001 Ptg_S_t_p_gI_lEg_?I_ 18.07. - 12.08.2013

lx-725t0003 lr#01 1 18 BI(A-DS 13.08.2013

Darüber hinaus werden Unterlagen, die VS-Vedraulich bzw. GEHEIM eingestuft sind

mit separater Post übersandt.

lm Auftrag

SEITE 4 VON 4

,4-{-oi

\-%,Etr^v'

Löwnau


Müller Jüruen Hennini

Von:

Gesendet:An:Betreff:Anlagen:

v{ü -{ü,!*.i{$qa #+{fr_iwg d pt- I lst- bo u nces@ datensch utz-berl i n.de i m Auftra g vo n

,/TöJfi?44r)Montäg, 5. Mai 24L418:09iwgd pt-l ist@datenschutz-berl in.de

fiwgdpt-list] IWGDPT--Country Report --US Supplemental UpdateIWGDPT--US Supplemental Update (Joan Antokol) --spring Meeting2014.pdf

Dear All,

I have attached the US Supplemental Report, which includes an update on some of the (non-FTC) key developmentsin the US since the last meeting.

I am very sorry that a last minute client obligation prevented me from attending the meeting this time, and lookfonvard to seeing you in Berlin in September.

Please do not hesitate to let me know if you have any questions about the report or would like any additionalinformation.

I wish you a very productive meeting, nice trip, and safe travels.

Regards,

rn

Partner

Park Legal LLC

10401 N. Meridian St., Suite 300

Indianapolis, lndiana 46290

(317) 'ice)

(317) )

iintJ,com


Jarklegalllc.com

Iwgdpt-list mailing list

lwed pJ-l ist(ad ate nsch utz-be rl i n.de

https://TG-m a il-BIn BD l. b lnbd i.de/ma!l.ma nllistinfp_/iwqdnt-list


Supplemental Country Report for the United Stateslnternational Working Group on Data Protection in Telecommunications

55th Meeting - Skojpe, Macedonia' 4-6 May 2OL4

Prepared by - --, Park Legal L[C

HETLTH pRtVACy (HtpAA OMNTBUS RULE)

Federal Health Privacy laws and Enforcement Landscape

HIPAA Onrnlbtrc RuIe Amendments

On September 23, 2013, the HIPAA Ornnibus Rule changes went into effect. The changes includethe following.

' Exnansion of the scgpe of the law. The definition of a ubusiness associate" was expandedto include: (1) subcontractors and downstream subcontractors of business associates, to theextent that they receive access to "Protected Health lnformation" (patient data); (2) organizationsthat store Protected Health lnformation on behalf of a covered entity or business associate,regardless of whether the or$anization storin§ the data requires access to the data as part of theservices that they provide; and (3) health information exchanges. All of those organizations (whichnow include cloud providers storing Protected Health lnformation) are responsihle for complyingwith the HIPAA Privacy and Securi§ Rules, as amended by the Health Information Technology forEconomic and Clinical Health (HITECH) Act and by the Omnibus Rule

' ExpanqiQn of scope of enforcement. Under the Ornnibus Rule changes, the US Departmentof Health and Hurnan Seruices Office of Civit Rights (*OCR"), which enforces the HIPAA Privacy andSecurity Rules, now has direct enforcement and inspection rights over business associates,includinp[their subcontractors who receive access to Protected Health lnformation from them.

' More,inclusive standard for..hfeach notification. Under the Omnibus Rute, the urisk of harm'breach notification test has been replaced with a more stringent urebuttable presumption of harm"standard. Now, a covered entity must start with the presumption that every breach is reportable,and then apply a four-part test to determine whether the facts and circumstances of the particularbreach are such that they are exempt from the reporting obligation. ln situations where theor$anization concludes that the breach does not meet the reporting level, it must document thereasons for that conclusion.

' Exnansion of other rights of patients. The Omnibus Rute changes atso include a number ofother expansions of patient rights, such as additional protections for genetic data, the ability of thepatient to request their records electronically, and additional restrictions on the use of patient datafor marketing and fundraising.


H I PAA-HIIECH P rlvacy Rule Enforcement §taüstlcs

Since April 2003 (when the HIPAA Privacy Rule took effect):

o 95,000 HIPAA Privacy Rule complaints have been filed with OCR

o 89,000 of those complaints have been evatuated to date; 6,000 remain pending[

o 22,500 of the evaluated complaints resulted in some type of corrective action or changes

to privacy practices as a result of OCR's investigfation

o 10,000 were dismissed after evaluation because no violation was identified by OCR

o 56,500 were dismissed for failure to state a cause of action under HIPAA (e.g., the accused

company was not a 'covered entity' or 'business associate', or the issue took place before

the statute took effect, or the claimed issue did not violate the statute.)

HIPÄA4{IIIECH Securlty RuIe Enfo rcement SüatlsÜlcs

Since October 2009, when responsibitity for HIPAA Security Rule enforcement was transferred to

OCR, there have been 830 Security Rule complaints filed. Of those, 630 have been resolved. Aside

from the small percentage of published enforcements, OCR has not provided a breakdown of the

outcomes of the Security Rule enforcements.

H I PAA-H ITECH Settleme nts a nd Reso I u tlon Aglreements

To date, there have been 20 HIPAA-HITECH settlements between the U.S. Department of Health

and Human Services and healthcare organizations in the U.S. ln 2O13, there were flve settlements,

and thus far in 2OL4, there have been three settlements:

o A local flfovernment agency in Washington state for inadvertently publishing patient data

on a publically available website ($215,000 fine)

o Co.ncentra Health Services of Springfield, Missouri, for a lost unencrypted laptop

containing patient data ($1,725,220)

ö QCA Health Plan of Arkansas, for a lost unencrypted laptop ($250,000).

The OCR settlements include resolution agreements which require the covered entities to en$a$e in

remediation measures to address their insufficient HIPAA compliance.

TELFPHONE RECORDS DATA RETENTION

New leg[islation lJnderwa.y to Address the IVSA Phone Data Refention Issues

The Obama administration is preparing tegislation that would end the National Security Agency's

widespread coltection of Americans' phone data while, officials say, preserving the governrnent's

ability to gain information about terrorists. The legislation reportedly will allow data about phone

calls made to and from Americans to be kept with the phone companies, rather than stored with


the government. The companies would not be required to hold the data longer than they normallywould, which is typically 18 months. The proposal would also require phone companies to providedata about suspected terrorist numbers under a court order, The Foreign Intelligence SurveillanceCourt, which will oversee the program, would have to approve each number as having likely ties toa suspected terrorist or terrorist group, with some balanced limitations for emergency situations.The current program of retaining phone records for 5 years will rernain in effect for g0 days, withthe hope that this new legislation will be passed by Congress during or shortly after that period oftime.

TARG Er-§ EC U R ITY B R EACH

Si$nificant Security Breach lrigigiers US Congfressional Inyestlgation, CIO and CEO Resigin ation

ln November 2O13, Target Stores (a discount US retailer chain) experienced a massive securitybreach relating to the credit card data of 4O million customers, and possibly the emails and otherdata of up to 70 million customers. The hackers reportedly gained access to the company'snetwork through sophisticated malware along with the loEI on credentials from a heating and air-conditioning vendor used by Target, which had been granted permission to their network. Thesecurity reports issued about the breach suggest that the retailer did not properly segregate itscredit card data from other parts of its electronic systems, as required by the Payment Cardlndustry Data Security Standards as well as state privacy laws (and FTC expectations under Section5 of the FTC Act.) Since the breach was announced, Target has been calted to testify beforeGongress, has suffered a drop in its stock price and reputation, and has been named in muttiplelawsuits (discussed below). !n addition, its Chief lnformation Officer, who had a business but not anlT background, was asked to resign, and its Chief Executive Officer has now also resigned. Both theCIO and CEO had been with the company for many years.

STATE pR.tVACy AN D S ECU RtTy LAN D.§§APE

Expandingi Protections for I ndivid uals

Kentuclty 47th State Enacts Breach l\lotlflcatlo n Law - lncludes Unlque R gäe for $tudenß

ln April 2OL4, Kentucky becarne the 47th state in the United States to enact a data breachnotification law. Alabama, New Mexico and South Dakota are now the only three states that do notrequire breach notification. (The District of Columbia and Puerto Rico also have breach notificationlaws.) While Kentuc§ adopted a similar standard for breach notification as that found in manyother state laws, its law has some unique provisions. In particular, it is the first state notificationlaw restrict the way in which "student data" stored on cloud systems can be used. The law pr-ohibits

cloud, providers from nrocessin{ lstorgd-.sludent data" (which is defined to include not orllyinformation identilvinE the student. hut A.[So "anv dgcuments. photos. or unique.-identifiers relatingto the student'), without narental permission..fqr "any purp-p-ss öther than providing. improving,developinEl or maintainin$ the integrity of its cloud computinElsqryices." As such, the law restrictsthe activities of cloud services developed specifically for academic use as well as other widely usedservices such as Google Docs. lt also appears to contain more restrictions than the FTC's recentguidance on the Children's Online Privacy Protection Act (COPPA), which outlines permissible uses


i

of children's data and allows schools to consent to thd disclosure of children's personal information

on behalf of parents

hllfornla Expands Onllne R gt ts of Mlnons

California became the first state to enact a law governing the privacy rights of minors with respect

to online advertising by websites and third party advertisers. The new law prohibits operators of

websites and other online services and applications from marketing[or advertisinS certain products

to minors. The website owner or operator must take reasonable actions in $ood faith designed to

ayoid marketing or reasonable actions in gfood faith designed to avoid marketing or advertisin$ the

identified products a minor. (The list includes products such as alcohol, ci$arettes, e+igarettes,

tattoos, fireworks, firearms, and pornography.) lt also gives minors the ri$ht "to request and obtain

removal of, content or information posted on the operator's lnternet Web site, online service, online

application, or mobile application by the user." The rninor's ri§hts to remove data are limited tosituations where the minor is a registered user of the Elte and where the information was posted by

the minor. The new law will come into effect on January 1, 2015.

Prlvacy and Secudty Lltlg[atlon on the RIse

Privacy and security lawsuits continue to be filed in the U.S., in increasing numbers, and particularly

followi n$ largfe security breaches.

vylrn respeül ro tarEer,; overuu rawsutt§ nave Deen -TIIeo m tne u.5., lncluülng a reteffily fugd

lawsuit brouSht by two banks who have named Tar§et along with its external lT consultant firm forcredit card data security, Trustwave. Trustwave holds itself out a§ having expertise in credit card

security, yet apparently overlooked a number of critical security vulnerabilities that existed at

Target, including data segregation. ln the past, rnany of the large retailer breaches (such as theTJMaxx breach) did not result in major awards to the affected individuals. ln the TJMaxx case, thestore offered discount vouchers to the individuals, which had the opposite impact of increasing

sales.

With respect to Google, the Northern District of California recently denied class certification to agroup of plaintiffs suing Google over the company's practice of scannin$ emails for advertising

purposes in its Gmail service. The judge held that individualized issues of consent would

predominate over any common issues of law in the liti§ation, and denied Plaintiffs' request to

certify four classes and three subclasses of plaintiffs. Plaintiffs sougfht to bring clairns under the

federal Wiretap Act and analogous state anti-wiretapplng statutes. Plaintiffs contend that Google's

practice of scanning emails for advertising purposes violates these anti-wiretapping laws because

the practice involves Google's "interception" of users'communications. The \,Viretap Act prohibits

the interception of wire, oral, or electronic comrnunications, but contains several exceptions that

render such interceptions lawful, including an exception based on the consent of one of the parties

to the communication. The state anti-wiretapping laws contain similar exceptions, thotigh the

consent exceptions in some states require the consent of all parties to the communication. The

Court found that .individualized questions with respect to consent, which will likely be Google's


principal affirmative defense, are likely to overwhelm any common issues", Accordingly, it heldthat none of the proposed classes could satisfy the requirement that common issues of lawpredominate over individual issues for a case to proceed as a class certification.


Müret tütsentennis tr\il - ,{ü4-4/0nd4ff}[email protected] im Auftrag von Dr. AlexanderDix < d [email protected] >

Donnerstag, 3-0. April 2014 12:54iwgd pt-l ist@d atenschutz- ber.l i n.de

[wgdpt-list] An article on the history and work of the Berlin GroupChapter10_Dix.doc

Von:

Gesendet:An:Betreff:Anlagen:

Dear colleagues,

please find attached an article which I have written on the history andwork of the lnternational working Group on Data protection inTelecommunications which will appear later this year in th book"Enforcing Privacy" edited by David wright and paul de Hert.

Best regards,

lexander Dix

Dr. Alexander Dix

gertin*, Beauft ragter fürDatenschutz und lnformationsfreiheit

Berlin Commissioner forData Protectionand Freedom of lnformation

An der Urania 4-10D-10787 Berlin

Tel. ++49.30.13889-0

x ++49.30.2155050

lwgdpt-list mailing list

h,ttps ://TG-ma il-B I n BD t. b I n bd i.d e/ma i r m a n'' isli nfo/iwed pt-l ist

4z{+ü t {f


10. The International Working Group on Data Protection in Telecommunications -contributions to transnational enforcement

ABSTRACT

Privacy today can no longer be enforced on a national level only. This was the motive toinitiate the lnternational Working Group on Data Protection in Telecommunications (alsoknown as the "Berlin Group"). For more than thirty years the Group has worked in a specificbut ever more important sector to formulate principles, recornmendations and guidance forregulators, controllers and data subjects. Such principles are the first prerequisite for eo-ordinated enforcement. At the same time the Group has provided a unique global platform foran extensive exchange of information which has led to cornmon and co-ordinatedenforcement actions against controllers such as Google.

INTRODUCTION

Data Protection Authorities have recently shifted their focus nationally and internationallyfrom consultation and persuasion to enforcement. Indeed, some authorities even argue thatthey cannot do both: use a carrot and carry a big stick at the same time. However, the majorityof privacy regulators - depending of course on the legal framework within which they areoperating - take the view that they can and should combine the two methods. Indeed,consultation and persuasion can be seen as one - and sometimes the most effective - way ofenforcing privacy. In some jurisdictions supervisory authorities have no (or at least nomeaningfuliefficient) sanctioning powers at their disposal. This unsatisfactory state of affairswill in Europe be changed with the adoption of the General Data Protection Regulation. Atany rate enforcement in the stricter legal sense of imposing sanctions on controllers (if thelegal framework provides for it) will always be the lasi step ln a process. At the beginning ofthis process especially in the transnational context there is a need to analyse theconrmonalities and differences in national legal systems and to find ways to narrowdifferences in interpretation or to formulate a possible consensus on policies where there areno legal rules yet.

In this field the International Working Group on Data Protection in Telecommunications (alsoknown as "Berlin Group", sinca the Berlin Cornmissioner initiated this Group in 1980 and hasconvened it ever since) has made considerable impact on the consensus building in theincreasingly important telecoms and Internet sector within the community of data protectionauthorities. This Working Group has also turned into an important platform to shareinformation which could be essential for national enforcement actions. Finalty the Group hasprovided for useful practical exchanges and comparisons between different enforcementcultures.

3. HISTORY AND REMIT OF THB WORKTNG GROUP

When in 1980 the Berlin Data Protection Commissioner for the first time invited colleaguesand experts to discuss the consequences of the so-called "new media" for the protection ofprivacy he did so to allow for an informal exchange of views and to provide a platforrn toshare experiences in different legal systems. At that time telecommunications and mediaseemed to be a rather specialised area of data processing and data protection. With the advent


of the Internet and its development into a '*global mass medium" large parts of the processing

of personal data take place via telecommunications and very often Internet-based. The 1980

rneeting turned out to be the nucleus of the Internptional Working Group on Data protectionin Telecommunications. This Group continues to lneet twice per year (in Berlin in autumnand abroad in spring) and due to its regular venue it is internationally also known as the

"Berlin Group"

In 1989 - incidentally only weeks before the Berlin Wall collapse,C - the llth InternationalConference of Data Protection and Privacy Commissioners meeting in Berlin adopted threeresolutions. In the "Berlin Resolution"l the Conference referred to the rapid development ofworldwide telecommunications and for rules regulating trans-border data flows following the

Convention 108 of the Council of Europe. In a iecond resolution2 the Conference specificallyaddressed the International Working Group on Data Protection and Telecommunications and

chose the following words:"Wlen we express opinions or make decisions on our countries, we have to take into accountthe international dimension of telecommunicqtions networks and services. Information on

events taking place beyond our national borders cannot be provided to us by our nationaloperators only. It[etworlcs and services do not always develop at the same time or at the same

pace in our countries. Experience has shown that the fficiency of data protection in this fiel'ddepends - beyond mere principles - on practical measures... This is why the Conference

agrees that this Working Group should continue its work in Berlin. Each delegation shouldhave the opportunity to present its experiences in detail (analysis of the problems, possible

solutions, adopted solutions)... " These sentences describe well the remit of the Berlin Groupand the resolution as a whole is to be considered as the founding document of this group

although it was only adopted nine years after the flrrst meeting. In a third resolution the BerlinConference adopted recommendations drafted by the Working Group on data protection

issues related to Integrated Services Digital Networks'. Along these lines the European

members of the Working Group in 1990 adopted a Memorandurn on the Proposal of the ECCommission for a Council Directive on ISDN4. This was the first and last time that the BerlinGroup specifically addressed a European regulatory issue. From then on it focussed onsubjects of an international nature. Today the üroup includes participants from outside

Europe as well as Europeans. It has so far met in all continents except Africa.

3 STRENGTH THROIJGH INFORMALITY

Since its first meeting the Berlin Group has maintained its informal character. There are nowritten rules of procedure and therefore no formal process of invitation or admission.

However, certain practices have been developed over the years. The Secretariat of the Groupprepares the meetings and sends out the agenda which is agreed at the start of each meeting.The Group includes representatives of Data Protection Authorities, memters of Internetgovernance bodies such as the IETF', independent experts and scientists. Representatives of

' Cf. Berliner Beauftragter flir Datenschutz und Informationsfreiheit, International Documents on Data

Protection in Telecommunications and Media 1983-2006, p. 18. The book contains all resolutions, workingpapers and memoranda adopted by the International Conference and the Berlin Group until 2006. An updated

edition will be published in 2014. These and all later documents are available at http://datenschutz-

berlin.de/content/europa-inte.rnational/international-working-prroup-on-data-protection:in-telecommunications-iwedplt (as seen on Maerch 30,2014)

' lbid., p.22.'rbid., p.zs.o Ibid., p. 68. The ISDN-Directive was later replaced by the E-Privacy-Directive 2002/58lEC.


Internet service providers such as Google, Facebook and Twitter have been invited to themeetings to present their policies and services.

Traditionally the first item on the agenda are country reports from each jurisdiction which inmost case§ are circulated before the meeting. Highlights of these reports are discussed in theGroup. These country reports contain vaiuable practical information on issues, cases andenforcement procedures. They are therefore not only an inventory of different enforcementcultures but contribute also to harmonised responses to global controllers, particularly Internetservice providers. One noteable example of how impor{ant this information sharing tool hasbeen in the history of the Group took place in 2010 at the Granada meeting of the WorkingGroup. It was here that the French CNIL for the first time informed members of the Groupabout their findings that Google while shooting pictures for their Street View service at thesame time covertly collected data (including payload data such as passwords) from wirelessaccess points. This led to administrative enforcement as well as criminal proceedings in anumber of countries around the gl-obe (including the United States). In severäI countri*i firr*,were imposed and paid by Google'. The practice was stopped worldwide.

The Group has adopted a large number of Reports, Opinions, Working Papers andMemoranda on a 'wide range of telecommunications- or Internet-related l5o"r. Thesedocuments are drafted by one or more delegations and then discussed during the meetings.After informal agreement on the contents the document goes into a written procedure where it'is circulated by the Secretariat not only to the participants in the meeting where it has beendiscussed but to all data protection authorities and experts that have participated in previousmeetings. The Secretariat integrates proposed changes into the final text if they do noi changethe substance and publishes the final version online. In all other cases the draft document istabled again at the following meeting of the Group.

Initially the Berlin Group adopted Common Positions, Since autumn 2001 the documentsadopted by the Group are described as Working Papers or Reports and Guidance. This doesnot signal a change in substance and is in line with the practice of the Ar1 29-Working partyof European data protection authorities. The documents accepted by the Berlin Group hlave nolegally binding character. This may facilitate the consensus-building process in the Group butit does not mean that the documents are without practical effect. Noteably the Budapest-Berlin-Memorandum (Report and Guidance on Data Protection and Privacy on the Internet,19966), the Rome Memorandum (Report and Guidance on prir--y i" Social NetworkServices, 2008) 7, the Sofia Memorandum (Report and Guidance on Road Pricing, 2009), theGranada Charter of Privacy in a Digital World (2010) and the Sopot Memorandum on CloudComputing - Privacy and data protection issues (2012) had Considerable impact on theintenrational legal discourse as well as on policy-making and enforcing existing standards incertain countries. The Budapest-Berlin-Memorandum was first discussed in Budapest in l gg5and finally adopted in Berlin 1996.It is one of the earliest documents addressing general andspecific privacy issues linked with Internet use. The Memorandum quoteä Prof. JoelReidenberg's statement as o'elements of network infrastructure as well as participants eachhave physical locations , states have the ability to impose and, enforce a öertairr degree of

ir*highest fine amounted to I Million Euros and was imposed by the Italian Dara Protection Authority inlprit 2014 and paid by Google.o Cf. footnote l, p. 84' This and the three following documents mentioned in the text are available online, cf. footnote l.


liability on networks and their participants". In many instances the decision to enter the

Internet and how to use it is subject to lägal conditions under national data protection 1aw8..,

On several occasions Working Papers adopted by the Berlin Group preceded and triggered

similar and more extensive or specific papers in the Art. 2g-Working Parfy or resolutions

adopted by the International Conference of Data Protection and Privacy Commissioners to

which the Berlin Group regularly reports. The example of ISDN (1998) was mentioned

above. Later examples included search engines, the ISO privacy standard and social network

services. Numerous other Working Papers dealt with topics such as:

- telecommunications and privacy in labour relations (1997),- cryptography (Igg7\,- reverse directories (1998),- interception of private coulmunications (1998),- privacy-enhancing technologies on the WorldWideWeb (1998),- intelligent software agents (1999),- speaker recognition and voice analysis technology intelecommunications ( 1 9 9 9),- detection of fraud in telecommunications (2000),- infomediaries (2000),- copyright management (2000),- online profiles (2000),- registration of domain names (2000),- publication of personal data contained in publicly available documents on the Internet

(2000),- data protection aspects of the Convention on Cyber-Crime pf the Council of Europe (2000

and 2008),- privacy and location information in mobile communication services (2001),

- data protection and online voting in parliamentary and other governmental elections (2001

and 2005),- data protection aspects of digital certificates and public-key infrastructures (2001),

- childrens' privacy online - the role of parental consent (2002),

- use of unique identifiers in telecommunication terminal equipments: the example of IPv6

(2002),- web-based telemedicine (2002),- intrusion detection systems (2003),- privacy and processing of images and sounds by multimedia messaging services (2004),

- potential privacy risks associated with wireless nertworks (2004),

- freedom of expression and right to privacy regarding online publications (2004),

- means and procedures to combat cyber-fraud in a privacy -friendly way (2004),

- cyber security curricula integrating national, cultural and jurisdictional (including privacy)

imperatives (2004),- web browser caching of personal information in cybercafes (2005),

- online availability of electronic health records (2005),

- internet telephony (VoIP) (2006),- trusted computing, associated digital rights management technologies and privacy (2006),

- cross-border telemarketing (2007),

8 Cf. footnote 1, p. 9l' This Common Statement was in fact the only statement which was not adopted unanimously by the WorkingGroup; the French CNIL did not take part in the adoption and the UK Data Protection Registrar had reservations.


- e-ticketing in public transport (2007)- privacy issues in the distribution of digital media content and digital television (2007)- data protection and e-waste (2009),- privacy risks in the re-use of email accounts and similar information society services (2009)- use of deep packet inspection for marketing purposes (2010),- mobile processing of personal data and security (2010),- Event Data Recorders (EDR) on vehicles (2011),- electronic micropayment on the internet (201 I ),- privacy by design and smart metering: minimize personal information to maintain privacy(2011),- web tracking and privacy (2012),- publication of personal data on the web, website contents indexing and the protection ofprivacy (2013),- privacy and aerial surveillance (2013).

The Berlin Group has discussed alternatives to faceto-face meetings such as videoconferencing. Due to the disproportionate costs (compared to travel costs) such technologywould cause particularly for small data protection authorities the Group has decided to meetin person. As long as the costs technology do not decrease decisively compromise solutionssuch as virtual workspaces and telephone conferences will be envisaged.

4 HARMONISTNG NATIONAL ENFORCEMENT STRÄTEGIES: THREEBXÄMPLES

An early example of the kind of influence the Berlin Group had on national enforcementgtrategies concerns databases of images depicting buildings. The Group as early as in t999adopted a Common Positionto on this issue in whiih it discussed the emirging buiiness modelof companies shooting pictures with cameras mounted on cars and selling them in digitisedform on CD-ROMs. The Group stressed that there was a difference between an individualtaking pictures of buildings and a company systematically collecting images of all buildingsin a city or in all greater cities of a country for commercial purposes. The Group expresslyrecommended that national legislation - where this is not already the case - should providethe data subject (house owners, tenants) with a right to object against the systematic collectionof such image data referring to his dwelling for commercial purposes.

This recoulmendation was taken up by German data protection authorities when Googlestarted collecting data for the Street View service in 20Ö8. They managed to get assurancesfrom Google that a right to object would be implemented which actually happened. However,despite the fact that the German members of the Berlin Group shared this information at theGranada meeting in 20 10 Google did not implement such a right to object in otherjurisdictions. A Swiss Federal Court imposed specific requirements on Google regarding theStreet View service which did not include the right to object. Later Google stopped theservice in Germany and'switzerland altogether without giving any specific reasons. Germandata protection authorities are still requiring the right to object whenever other companiesoffer comparable services.

'o Cf. footnote I, p. 134.


In the field of cloud computing it can be demonstrated how national enforcement may lead tointernational coordination in the framework of the Berlin Group. The Danish data protectionauthority (Datatilsynet) took the lead when they §topped a project by the City of Odensewhich had planned to outsource the whole processilng of citizen's and staff data to a large U.S.cloud service provider. However since this company refused to disclose to the city in whichjurisdiction the data were to be processed the Datatilsynet stopped the project because it wasimpossible to evaluate the legality of this cloud computing exercise. Triggered by this casethe Berlin Group in 2012 adopted the Sopot Memorandum on Cloud Computing - Privacyand data protection issuesll in which it stressed that the jurisdiction and place whire a cloudprovider is processing personal data may not be kept secret. Moreover the level of dataprotection should not be lower in the cloud than with the original controller. After therevelations by Edward Snowden in 2013 this has becor,ne even more important.

In the fleld of social network services the Berlin Group with the Rome Memoranduml2adopted another early set of recoilrmendations on privacy in social network services whichinfluenced the discussions in the International Conferenc*" as well as in the Art. 29 WorkingP*try'n. The Rome Memorandum called on regulators inter alia to introduce the right topseudonymous use - i.e. to act in a social network service under a pseudonym - where notalready part of the regulatory framework. In Germany this has been part of the legalframework since 1997 . The big social networks Facebook, Google+ and Twitter differ in theirtreatment of pseudonyms. Whereas Twitter has allowed for pseudonyms from the start,Facebook has always excluded the use of pseudonyms. Google in their social network serviceinitially excluded pseudonyms as well but have changed their policy in 201 1. Since then theyallow for pseudonyms which are visible on the the platform after registration under real name.So two large social network service providers have followed the recommendation by theBerlin Group in this respect. Facebook however upholds its policy of excluding pseudonymsaltogether and has been backed in this respect by the Irish Data Protection Comrnissioner inhis extensive audit because the Irish legislature has not provided for a right to pseudonymoususe. This shows that the recommendations adopted by the Berlin Group cannot by themselvesbring an international harmonisation of legal standards about. But they can at least influencethe discussion and describe best practices which should be adopted by corporations acting inthis field

Pseudonymous use is only one of numerous privacy issues linked \Mith social networkservices. The Facebook case has highlighted a more generic problem of enforcing privacyrules against global players. The office of the Irish Data Protection Commissioner isundoubtedly understaffedls compared to other European jurisdictions such as France orGermany. This may have influenced the decision of Facebook and other US providers such as

Google and Linkedln to have their European headquarters in Ireland although otherconsiderations (e.g. tax legislation) could well have played a more prominent role in thisdecision. It is obvious that auditing large companies such as Facebook strains the scarceresources of a small data protection authority to its limits. The Irish Commissioner's audit of

11 Available online, cf. footnote 1.

" Cf. footnote 1.

" Cf. Resolution of the 30th International Conference of Data Protection Commissioners on privacy in socialnetwork servtces (2008), availablehttp://www.bftli.bund.de/ENßublicRelalions/Publications/functionsilntDSK_table.html?nn:4 I 0 160&grtp=4101 I6%3DZ (as seen on March 30, 2014)14 Cf. Opinion 5/20a9 on online social networking (WP 163)

(as seen on March 30, 2014)15 The offltce had 30 members of staff at the time of the Facebook audit, among them no legal expert.


Facebook led to some changes in the service of the company e.g. in the field of facerecognition. However, basically the Commissioner accepted the argument brought forward byFacebook that users had no choice but to pay for the service with their personal data. Withoutdisputing that this was a correct interpretation of Irish law the example shows two majordeficiencies in transnational enforcement: as long as the material rules on data protection as

well as the resources of data protection authorities differ even within Europe: there isconsiderable room for forum shopping for companies (European or non-European).Furthermore data protection laws and the agencies enforcing them need support from anti-trust law and anti -trust regulators. Facebook has nearly a monopoly in Europe (withdifferences in the EU member states)16. Therefore users have no real ihoice: if they want tostay in contact with most of their friends who are on Facebook they cannot simply leave theplatform and look for a more privacy-friendly network

It is to be hoped that the new EU General Data Protection Regulation - once adopted - willsolve sorne of these issues. In particular it will harmonize the regulatory standards andprovide for a consistency mechanism between national data protection authorities in Europe.If there is a lead authority dealing with non-European companies as a o'one-stop shop" it willhave to cooperate more closely with other data protection authorities in other Europeancountries to which these companies are directing their services.

5. THE NEED FOR INTERNATIONAL STANDARDS AS BASIS FOR GLOBALENFORCEMENT

Apart from the more specific examples mentioned above the International Working Group hasfrom the outset stressed the importance of common international legal standards in particularon telecommunications secresy. This is particularly relevant after Edward Snowden'srevelations have shown that even intelligence agencies in democratic states are massivelycollecting metadata as well as content data routinely without any specific suspicion on thebasis of the "haystack" principle: In order to find a needle you first have to pile up a haystack.Keylvords such as "Full take" or "Mastering the Intemet" indicate that these agencies accepthardly any legal limitations in their pursuit to guarantee "national security". They haveapparently gone out of control. The European Data Protection Supervisor has aptly labelledthis as "wild-west methods". There has been a massive loss of tnrst in Intemet andtelecommunications services as a consequence.

The papers adopted by the Berlin Group consistently show how important the guarantee oftelecommunications secrecy is in the information age. The Budapest-Berlin Memorandum ofIgg6t7 cailed for national and international law to state unequivocally that the process ofcommunicating (e.g. via electronic mail) is also protected by the secrecy oftelecommunications and correspondence. The Berlin Group then elren suggested that "aninternational oversight mechanism should be established which could build on the existingstructures such as the Intemet Society and other bodies."l8 In their "Ten Commandments toprotect Privacy in the Internet World" of 20001e the Group referred to the remarks made byJustise Michael Kirby in his keynote speech aI the International Conference of Data

'u This is discussed in greater detail by Pamela lones Harbour, The Transatlantic Perspective: Data Protectionand Competition Law, in: Hijmans/I(ranenborg (eds.), Data Protection Anno 2014 * How To Restore Trust ?,

Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004-2014),p.225.

ll Cf footnote l, p. 84, 85.

'* Ibid.

" Cf. footnote l, p. 180.


Protection and Privacy Commissioners 1999 in Hong Kong where he had called for newprivacy principles apt to contemporary technology. To this end the Berlin Group proposed tenprinciples to be incorporated in multilateral privacy agreements or to be adopted as a separatedocument. These principles were

- lnformational separation of powers (the equivalent of network neutrality)- Telecommunications secrecy- Data Austerity (the equivalent of privacy by design)- Right to Anonymity- Virtual Right to be Alone (e.e. the right not to be found by u search engine)- Right to Security (specifically the right to encrypt one's messages)- Restriction on Secondary Use- Transparency- Subject Access to personal data- InternationalComplaintsResolution.

These principles are still valid and necessary today but they have not been taken up bydrafters of international agreements. In 2002 the Berlin Group in Auckland adopted aWorking Paper on Telecommunications Surveillance'o supporting the proposals made by theEuropean Parliament in its resolution on the existence of a global system of interception ofprivate and commercial communications (ECHELON) and called for their worldwideimplementation. The Group stressed that these proposals had not lost their validity after theterrorist attacks of September I I , 2001 . However, it was not until the whistleblower EdwardSnowden in summer 2013 made the world aware that the U.S. National Security Agency andthe other intelligence agencies of the "Five Eyes" that had initiated ECHELON weresystematically collecting metadata as well as content data on an industrial basis without anyeffective control.

The Berlin Group reacted to these revelations by adopting the Working Paper on the HumanRight to Telesommunications Secrecy in September 2013. Only weeks later the 35thInternational Conference of Data protection and Privacy Commissioners in Warsaw called foranchoring data protection and the protection privacy in international la#l, thereby reiteratingcalls which the Conference had made on earlier occasions in Montreux (2005), Madrid (2009)and Jerusalem (2010). Eventually the Snowden revelations led to an initiative by thegovefilments of Brazil, Germany, Switzerland and other countries to introduce a resolutioninto the UN General Assembly on the protection of Privacy in the Digital Age which wasunanimously adopted on December 18, 20t322. Although this document as all GeneralAssembly Resolutions lacks legally binding effect and as "soft law" - is a politicalcompromise it starts the process of discussing possible intemational agreements to extend andenforce the protection of privacy in the 21't century. This process will take time but itsbeginning has been long overdue.

'o Cf, footnote l, p. 200.21 http://www.bfdi.bund.de/EN/PublicRelations/Publications/functions/IntDSK-table.html?nn:4.10160 (as seenon March 30, 2014)22 http:/iwww.in.com/news/scitech/united-nations-adopts-resolution-to:protest:privapy-in-digital-aee-51995799-in-l.htrnl (as seen on March 30, 2014)


6. CONCLUSIONS

The International Working Group on Data Protection in Telecommunications has madesignificant contributions to the international enforcement of privacy rules. It's remit isconfined to telecommunications but this limitation is becoming more and more irtelevant dueto the spread of online communications, particularly on the Internet, "at break-neck speed", äs

the European Commission once put it. In an era of ubiquitous surveillance on an industrialscale the development and visible enforcernent of global rules on telecommunications secrecyis crucial to regain the necessffy trust in any form of remote communication provided by thirdparties.


Y!:1I9!A2-4#Aß7 A BfDI-1... · 2016. 12. 1. · HIPAA Onrnlbtrc RuIe Amendments On September 23,...

Documents

Transcript of Y!:1I9!A2-4#Aß7 A BfDI-1... · 2016. 12. 1. · HIPAA Onrnlbtrc RuIe Amendments On September 23,...