The German Data Protection Authorities’ Requests Regarding Cloud Computing, New IP Addresses and Social Networks

We are pleased to share a guest post by Dr. Ákos Süle, managing partner of Süle Law Firm.

On 28-29 September 2011, the German federal and state data protection authorities (DPAs) held their 82nd conference in Munich. They warned cloud service providers to offer such services only if they are in a position to comply fully with data protection laws.

The DPAs listed the following main criteria (our summary):

– the cloud service providers should give users detailed, open and easy-to-follow information about the technical, organizational and legal aspects

– the related service agreements should make it unambiguous where exactly the data processing will be rendered and how this could be changed

– the data security and data protection requirements should be strictly followed, and preferably independent certificates should be obtained on these aspects as well

In addition, the DPAs assured cloud service providers of their support and drew their attention to the German guide on cloud computing, which is available online.


The conference also dealt with the data protection aspects of the introduction of the new internet addresses (IPv6 instead of IPv4). The main problem with the move to the new system is probably that a much higher number of static IP addresses will be used, which enables the instant identification of web users and the building of personal user profiles, even by some homepage owners. In the old IPv4 system, a large percentage of the IP addresses were dynamic, changing daily and allowing users limited anonymity. Several recommendations were given regarding the change to IPv6; the most crucial ones, in our opinion, are listed below:

– access providers should provide users with static or dynamic IP addresses upon the users’ request without a surcharge and users should be enabled to switch to dynamic IP addresses without a surcharge

– hardware and software developers should support privacy extensions and privacy by default so that the identification of users could not be carried out by anyone

– the German DPAs support decentralized software solutions and peer-to-peer

– content providers should store only the first four bytes of an IPv6 address, since this is sufficient for geolocation, and the additional user data should not be stored

– owners of IP addresses should be included in whois databases only at their explicit request. In the long run, ICANN’s database should be decentralized, and data on owners of local IP addresses should be accessible only locally and based on local laws
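
The "first four bytes" recommendation above, as an added example that is not part of the original post: a Python sketch that zeroes everything after the first four bytes of an IPv6 client address before a log line is stored. The log layout, the function names and the choice to leave IPv4 addresses unchanged are assumptions.

```python
import ipaddress

KEEP_BYTES = 4  # the "first four bytes" of the recommendation (a /32 prefix)


def truncate_ipv6(text: str) -> str:
    """Zero all but the first KEEP_BYTES bytes of an IPv6 address."""
    # Accept the bracketed and zone-id forms seen in logs, e.g. "[fe80::1%eth0]".
    host = text.strip("[]").split("%", 1)[0]
    addr = ipaddress.ip_address(host)  # raises ValueError on malformed input
    if addr.version != 6:
        return text  # assumption: the recommendation covers IPv6 only
    kept = addr.packed[:KEEP_BYTES] + bytes(16 - KEEP_BYTES)
    return str(ipaddress.IPv6Address(kept))


def scrub_log_line(line: str) -> str:
    """Truncate the client address in the first field of an access-log line."""
    client, sep, rest = line.partition(" ")
    try:
        client = truncate_ipv6(client)
    except ValueError:
        client = "-"  # fail closed: never store a field we could not parse
    return client + sep + rest


# Constructed sample lines (documentation prefixes, not real traffic).
SAMPLE = [
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [29/Sep/2011:10:00:00 +0200] "GET / HTTP/1.1" 200 512',
    '[2001:db8:ffff::42] - - [29/Sep/2011:10:00:01 +0200] "GET /a HTTP/1.1" 200 90',
    '203.0.113.7 - - [29/Sep/2011:10:00:02 +0200] "GET /b HTTP/1.1" 200 77',
    'garbage%%field - - [29/Sep/2011:10:00:03 +0200] "GET /c HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub_log_line(entry))
```

After truncation, the first two sample clients become indistinguishable in the stored log, which is the intended effect: the prefix still supports coarse geolocation but no longer singles out one subscriber or device.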

Regarding social networks such as Facebook, the conference emphasized that they must comply with European data protection laws, since they target EU consumers as well.

The use of plugins of certain social networks (e.g. Facebook like, Google +1, Twitter) on homepages is held illegal from the perspective of German and European law if the owner of the website does not duly inform the users about them, and also if the site owner does not provide an alternative to the use of these plugins. The German DPAs hold it explicitly illegal if, by the simple act of pressing a “like” button, the users’ data is forwarded to the U.S. They emphasized, however, that the plugins are only one example of the many problems related to social networks, and they also mentioned Facebook’s face recognition. According to German law, sites such as Facebook and Google+ should also be usable anonymously, whereas these sites require prior authentication of users.

The German DPAs therefore called on all German public bodies and institutions to refrain from the illicit use of social network plugins and from maintaining fan pages on such websites.

With this step, they basically backed up the legal basis of the earlier (19/08/2011) decision of the DPA of Schleswig-Holstein, in which it forbade the use of the “like” button in Schleswig-Holstein, forbade the use of fan pages by public bodies and institutions, and threatened a fine of EUR 50 000. However, the state of Schleswig-Holstein does not agree with this opinion and has been maintaining its Facebook fan page since then.

source: http://www.datenschutz.hessen.de/k82.htm https://www.datenschutzzentrum.de/presse/20110819-facebook.htm http://www.facebook.com/SchleswigHolstein