Notification of data security breaches - Germany

06 February 2007

Dr Jan-Peter Ohrtmann

The legislation

The Data Protection Directive is implemented in Germany through the Federal Data Protection Act (“Bundesdatenschutzgesetz”). Section 9 of the Federal Data Protection Act states that data processors and data controllers must take adequate technical and organisational measures to protect personal data. In an annex to Section 9 the legislator specifies in more detail eight control measures which must be complied with. These include among other things access control, transmission control, data keying control, processing control and availability control.

The E-Communication Directive is implemented in Germany through various Acts. For ISPs the provisions have been implemented in the Tele Services Data Protection Act (“TDDSG”) and the Media Services State Treaty (“MDStV”). Section 4 (4) of the TDDSG and Section 18 (4) of the MDStV address, in almost identical wording, the technical and organisational measures that must be taken.

For network operators the Directive’s provisions can be found in the Telecommunications Act (“TKG”). Section 109 of the TKG places an obligation on communication service providers to take appropriate technical and other measures to safeguard the security and confidentiality of information and personal information. Network operators must also protect telecommunication and data processing systems against unauthorised access.

What is the technological standard for electronic communications networks in Germany?

Under the Federal Data Protection Act service providers must take appropriate technical and organisational measures to safeguard the security of their processing. The obligation is subject to a proportionality test: service providers only have to implement measures where the implementation costs are proportionate to the risks those measures are intended to guard against. Service providers that comply with ISO/IEC 17799 are likely to be regarded as complying with this obligation.

Who must disclose security breaches in Germany?

On 30 November 2006 the German legislator adopted an Act which will implement the disclosure obligation of the E-Communication Directive for network operators. The Act will introduce a second paragraph into Section 93 of the Telecommunications Act which, with one exception, uses the same wording for the disclosure obligation as Article 4 (2) of the E-Communication Directive. The exception is that Section 93 (2) of the Telecommunications Act will apply not only to network operators that offer publicly available electronic communications services, but also to any telecommunications network operator. In summary, public telecommunications network operators (e.g. Deutsche Telekom and Vodafone) are caught by the disclosure obligation, as are closed group telecommunications network operators (e.g. company networks). The amendment is likely to come into effect at the end of January 2007.

There is no specific comparable obligation relating to Internet Service Providers in German law. We are not aware of any plans by the legislator to introduce such an obligation.

What must they disclose and when?

The forthcoming amended Section 93 (2) of the Telecommunications Act will state that where “there remains a particular risk to the network security”, the service provider shall inform the subscribers concerned of:

  • the risk;

  • any remedies against that risk; and

  • the likely costs to the subscriber involved in the taking of such remedies.

This information should be provided to the user free of charge (except for the nominal costs a subscriber incurs while receiving or collecting the information, such as the charge for receiving emails). There is no guidance yet available as to how this obligation is to be interpreted.

To whom must they disclose the information?

Breaches only need to be disclosed to the subscribers, and not to all users of the service.

Except in exceptional circumstances (such as situations which may negatively affect national security; see Section 4 (4) of the Act for Maintaining Post and Telecommunication Services), there is at present no obligation on the network operator to disclose to the Federal Data Protection Commissioner (“Bundesbeauftragter für Datenschutz und Informationsfreiheit”), to a competent State Data Protection Authority or to another public authority that there has been a breach.

Germany’s response to the Commission’s proposal

The German response to the Commission’s proposal is not yet publicly available.