Data protection in Germany: overview

A guide to data protection in Germany.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

Please note: this Q&A was written before the ruling of the ECJ concerning the validity of the EU-US Safe Harbor framework. Therefore, the answers referring to safe harbours do not reflect the ruling.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

In Germany, data protection is primarily regulated by the Federal Data Protection Act (Bundesdatenschutzgesetz) (BDSG), which implements Directive 95/46/EC on data protection (Data Protection Directive).

There are also state data protection laws providing legal requirements for data processing carried out by state-level public authorities or public bodies.

Sectoral laws

Apart from the general data protection laws there are sector-specific regulations at both state and federal level that provide data protection requirements. Examples include:

  • Telemedia Act (Telemediengesetz), which regulates electronic information and communication services.

  • Telecommunications Act (Telekommunikationsgesetz), which addresses the processing of personal data relating to subscribers and users of telecommunications services.

  • Criminal Code (Strafgesetzbuch), which includes special rules on professional/business confidentiality and secrecy of telecommunications.

  • Social Security Codes (Sozialgesetzbücher), which include provisions for processing of medical, social and other personal data.

  • State press laws (Landespressegesetze), which include specific provisions for data processing in the context of journalistic activity and address the tension between data protection and freedom of the press.

 

Scope of legislation

2. To whom do the laws apply?

The Federal Data Protection Act (BDSG) addresses the processing of personal data by public authorities and private bodies. State data protection laws apply to data processing carried out by public authorities or state-level public bodies.

German data protection law distinguishes between the:

  • Data controller. This is any person or body collecting, processing or using personal data on his or its own behalf, or commissioning others to do so. The data controller is responsible for data protection compliance.

  • Data processor. This is any person or body processing the data on behalf of the data controller. However, responsibility for compliance with data protection provisions remains with the data controller.

 
3. What data is regulated?

The Federal Data Protection Act (BDSG) applies to the processing of personal data. Personal data is defined as "any information concerning the personal or material circumstances of an identified or identifiable individual".

It is highly disputed whether an absolute or a relative approach must be taken to determine whether a person is identifiable. Data protection authorities in Germany favour an absolute approach under which it is not relevant whether a particular data controller can link data to a data subject. It is sufficient if a data controller who theoretically had unlimited access to data stored anywhere could make this link. The German Federal Supreme Court (Bundesgerichtshof) submitted this question to the Court of Justice of the European Union (ECJ).

Anonymised data is not regulated by German data protection law. Pseudonymised data falls under the BDSG.

 
4. What acts are regulated?

The Federal Data Protection Act (BDSG) applies to any collection, use or processing of personal data.

  • "Collection" means the acquisition of data on the data subject.

  • "Processing" means the storage, modification, transfer, blocking and erasure of personal data.

  • "Use" means any utilisation of personal data other than processing.

 
5. What is the jurisdictional scope of the rules?

The Federal Data Protection Act (BDSG) covers cases where:

  • The data controller is located in Germany and the processing is carried out in Germany or within the EU.

  • The data controller is located in another EU member state but the collection, processing or use of personal data is carried out by a branch in Germany.

  • The data controller is not located in an EU member state but collects, processes or uses personal data in Germany.

 
6. What are the main exemptions (if any)?

The Federal Data Protection Act (BDSG) does not apply if the data controller is located in another EU member state but collects, processes or uses personal data in Germany.

A data transfer between a data controller and a data processor is not considered a transfer to a third party and therefore requires no justification. This is only the case if the processor is located within the EU/European Economic Area (EEA). If a data processor is located outside the EU/EEA, justification might be required.

There is no particular exemption for data transfers within a company group. Any transfer between legal entities must be justified under the BDSG.

The BDSG does not apply where the collection, processing or use of personal data is effected solely for personal or family activities.

 

Notification

7. Is notification or registration required before processing data?

Private bodies must, in principle, register automated processing procedures before putting them into operation with the competent supervisory authorities. Postal and telecommunications companies must register their procedures with the Federal Commissioner for Data Protection and Freedom of Information.

This does not apply if:

  • The data controller has appointed a data protection officer.

  • No more than nine employees are permanently employed in collecting, processing or using personal data and either consent has been obtained from the data subjects or the collection, processing or use is needed to create, carry out or terminate a legal obligation or quasi-legal obligation with the data subjects.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Data controllers must ensure compliance with the following data protection principles:

  • Legal permission/consent. Processing personal data is prohibited unless the data subject has given consent or the processing is permitted by law.

  • Direct collection. Personal data must be collected directly from the data subject.

  • Data minimisation. Only data required for the specific operation can be processed. Processing systems must be designed with the aim of collecting, processing and using as little personal data as possible. In particular, personal data is to be aliased or rendered anonymous as far as possible.

  • Purpose limitation. Data collected for a specific purpose cannot be used for other purposes. Data must be deleted or anonymised as soon as it is no longer necessary for the purpose for which it was collected or processed.

  • Transparency. The data controller must provide comprehensive information about the identity of the data controller, the purpose of the collection/processing/use of the data and the categories of recipients.

  • Access. A data subject must be given access to his personal data stored by the data controller.

  • Accuracy. Personal data must be accurate. Incorrect data must be corrected.

  • Data security. Technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss/destruction/damage of personal data.

 
9. Is the consent of data subjects required before processing personal data?

Processing of personal data is prohibited unless the data subject has given his consent or processing is permitted by law.

If consent is required, it must be given freely. There must be no (economic) pressure on the data subject. This particularly applies in an employment context. Consent can be revoked at any time.

The decision of the data subject to give consent must be informed. As a result, information about the processing, the purpose of processing, data categories and recipients must be provided in the consent declaration.

In principle, consent must be in writing (and clearly visible in general terms and conditions). However, the Telemedia Act makes an exception for consent provided through telemedia services (for example, online or smartphone apps). There are other exemptions for cases where special circumstances warrant forms other than writing but these are applied very restrictively (for example, if data is processed for ordering goods over the phone).

Minors are also able to provide effective consent if their degree of maturity allows a reasonable decision. The minor must be able to understand the content, scope and potential consequences of his consent.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

If consent is not given, processing can be justified if it is permitted under the Federal Data Protection Act (BDSG) or by another legal provision (for example, collective works agreements in an employment context).

In particular, no consent is required if processing is necessary to safeguard legitimate interests of the data controller and there is no reason to assume that the data subject has an overriding legitimate interest in his data being excluded from processing or use. This also applies if processing is needed to create, carry out or terminate a legal obligation or quasi-legal obligation with the data subject. Furthermore, a legal justification applies if the data is generally accessible or the data controller is entitled to publish it, unless the data subject's legitimate interest in his data being excluded from processing or use clearly outweighs the justified interest of the data controller.

Data processing in employment contexts can be justified where processing is necessary for making hiring decisions or, after hiring, for carrying out or terminating an employment contract. Employees' personal data can also be processed to detect crimes if there is a documented reason to believe that the data subject has committed a crime and processing his data is not disproportionate.

Processing or using personal data for advertising or trading in addresses is, in principle, only admissible if the data subject provides explicit consent.

 

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

The Federal Data Protection Act (BDSG) provides special rules for certain types of data (for example, information on a person's racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life).

Collection, processing and use of sensitive data is only permitted, in principle, if the data subject has given his explicit consent to the processing of these data. Without the data subject's consent this is only allowed if:

  • Collection/processing/use is necessary in order to protect the vital interests of the data subject or a third party, in so far as the data subject is unable to provide consent for physical or legal reasons.

  • The data concerned has evidently been made public by the data subject.

  • Collection/processing/use is necessary in order to assert, exercise or defend legal claims and there is no reason to assume that the data subject has an overriding legitimate interest in excluding it.

  • Collection/processing/use is necessary for the purposes of scientific research, where the scientific interest in carrying out the research project substantially outweighs the data subject's interest in excluding collection, processing and use and the purpose of the research cannot be achieved in any other way or would otherwise necessitate disproportionate effort.

The collection of sensitive health data is admissible if it is necessary for medical purposes or the administration of health services.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

When personal data is collected from the data subject, the controller must provide the following information:

  • The identity of the controller.

  • The purpose of collection, processing or use.

  • The categories of recipients (if there is reason for the data subject to assume that his data will be transferred to them).

If personal data is stored for the first time without the data subject's knowledge, he must be notified of the storage and the type of data that is stored.

This obligation to notify will not apply if:

  • The data subject already knows that his data is being stored or transferred.

  • The data is stored for legal or contractual reasons or its preservation serves data security or data protection purposes and notification requires a disproportionate effort.

  • The data must be kept secret in accordance with a legal provision or because of an overriding legal interest of a third party.

  • The law expressly provides for its storage or transfer.

  • Storage or transfer is necessary for scientific research and notification would require a disproportionate effort.

  • The data is stored for the data controller's own purpose and:

    • it is taken from generally accessible sources and notification is not feasible because of the large number of cases concerned; or

    • notification would considerably impair the business purposes of the data controller, unless the interest in notification outweighs the impairment.

  • The data is stored commercially for the purpose of transfer and:

    • it is taken from generally accessible sources which relate to those persons who published the data; or

    • the data is compiled in lists or in a similar fashion.

 
13. What other specific rights are granted to data subjects?

The majority of a data subject's rights apply if his personal data is stored by automated procedures or in automated filing systems.

Rights of access

The data subject must on request be provided with information on:

  • Data stored about him (including its origin).

  • The recipients or categories of recipients to whom the data is transmitted.

  • The purpose of the storage.

Information about the origin and recipients can be withheld if the data controller's interest in protecting trade secrets outweighs the data subject's interest in the information.

There are further exemptions to the information obligations, for example if:

  • The data is stored for legal or contractual reasons or its preservation serves data security or data protection purposes and notification would require a disproportionate effort.

  • The data must be kept secret in accordance with a legal provision or because of an overriding legal interest of a third party.

  • Storage or transfer is necessary for scientific research and notification would require disproportionate effort.

  • The data is stored for the data controller's own purpose and:

    • it is taken from generally accessible sources and notification is not feasible because of the large number of cases concerned; or

    • notification would considerably impair the business purposes of the data controller, unless the interest in notification outweighs the impairment.

Information must, in principle, be provided free of charge.

If the personal data is stored commercially for transfer, the data subject can request information in writing and free of charge only once per calendar year. For each additional request a fee can be charged if the data subject can use the information for commercial purposes with respect to third parties. The fee cannot exceed the direct costs of providing the information.

Correction, erasure and blocking of data, rights to object

The data subject can request that the controller correct, erase or block personal data.

The data controller must immediately stop collecting, processing or using data if the data subject objects and his legitimate interest outweighs the data controller's interest in collecting, processing or using the data.

If the data subject objects to the processing or use of his data for advertising or market/opinion research, it must not be used, irrespective of the data controller's interests.

Compensation

If a data controller causes harm to a data subject by collecting, processing or using his personal data in violation of data protection regulations, he must compensate the data subject for the harm caused. There are no punitive damages under German law.

The right to claim compensation also applies if the personal data is stored by non-automated procedures or filing systems. This obligation will not apply if the data controller has exercised due care in accordance with the circumstances of the specific case.

 
14. Do data subjects have a right to request the deletion of their data?

Data subjects can request deletion of their data in particular if:

  • The storage is inadmissible.

  • The data concerns information on racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health, sex life (sensitive data), criminal offences or administrative offences and the controller is unable to prove its accuracy.

  • The data is processed for the data controller's own purposes and is no longer needed for that purpose.

  • The data is processed commercially for transfer, there is no objection from the data subject and after four years, it is concluded that further storage is unnecessary.

Where erasure is not possible due to retention periods (prescribed by law, statute or contract) or the specifics of storage, or where erasure is only possible with disproportionate effort, the data subject can ask for the data to be blocked instead.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

According to the Federal Data Protection Act (BDSG), the data controller must take appropriate technical and organisational measures to prevent unauthorised or unlawful processing as well as accidental loss/destruction/damage to personal data. Measures are required only if they are reasonable in relation to the required level of protection, in particular to:

  • Prevent unauthorised persons from gaining access to data processing systems.

  • Prevent data processing systems from being used without authorisation.

  • Ensure that anyone entitled to use a data processing system has access only to the right data and that personal data cannot be read, copied, modified or removed without authorisation during processing or use and after storage.

  • Ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of data is envisaged.

  • Ensure that it is possible to check and establish whether and by whom personal data has been input into data processing systems, modified or removed.

  • Ensure that where there is commissioned processing of personal data, the data is processed strictly in accordance with the data controller's instructions.

  • Ensure that personal data is protected from accidental destruction or loss.

  • Ensure that data collected for different purposes can be processed separately.

In July 2015, a new law on IT security (IT-Sicherheitsgesetz) came into force. The law imposes certain requirements for protection of IT systems and customer data. The requirements concern e-commerce operators, telecoms service providers and operators of "critical infrastructure" in the areas of energy, telecommunications, transport/traffic, healthcare, water, food, finance and insurance.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

Under the Federal Data Protection Act (BDSG), the controller must inform the responsible supervisory authority and the data subject without undue delay if the following has been unlawfully transferred or otherwise unlawfully revealed to third parties (with the threat of serious harm to the data subject's rights):

  • Special types of personal data (sensitive data).

  • Personal data subject to professional secrecy.

  • Personal data relating to criminal offences or administrative offences or the suspicion of punishable actions or administrative offences.

  • Personal data concerning bank or credit card accounts.

Where notifying the data subjects requires unreasonable effort (in particular due to the large number of cases involved), notification can be made through public advertisements or other equally effective measures.

There are additional notification requirements for data breaches of telecoms service providers under the Telecommunications Act which must be reported to the Federal Commissioner for Data Protection and Freedom of Information without undue delay.

Additionally, the new law on IT security (see Question 15) provides for notification of IT security incidents to the Federal Office for Information Security.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Under the Federal Data Protection Act (BDSG), the data processor can collect, process or use data only as instructed by the data controller. The responsibility for compliance with data protection provisions remains with the data controller.

The commissioning of data processing must be in writing, specifying the collection, processing and use of the data, the technical and organisational measures and any right of the processor to issue subcontracts.

The data controller must verify compliance with any technical and organisational measures undertaken by the processor before the data processing begins and regularly afterwards. The results must be documented.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

Websites must contain a privacy statement informing their users clearly and comprehensively about the use and purpose of cookies and the data processed in connection with them.

German law, in particular the Telemedia Act, does not require an opt-in decision by the user to lawfully employ cookies. So far Germany has not implemented Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive). An opt-out solution, which can be effected by adding a section on how to deactivate the cookies on a website's privacy policy, is sufficient.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Unsolicited electronic communications (whether in a business-to-consumer or a business-to-business relationship) are, in principle, prohibited without the addressees' prior express consent.

There is disagreement about how express consent can be obtained. Most commentators in German legal literature argue that an opt-in button during an online sign-up process is sufficient. However, a Higher Regional Court argued that a "double opt-in" is required (that is, an opt-in button must be clicked, followed by a link to be activated via a confirmation e-mail). Because of the uncertainties concerning the legal requirements and the lack of a clarifying decision by the Federal Supreme Court, many online services implement the "double opt-in" procedure as their best practice.

However, explicit consent is not required if the following conditions are fulfilled:

  • The contact has been obtained from the customer in connection with the sale of goods or services.

  • The contact is used for direct advertising of the sender's own similar goods or services.

  • The customer has not objected to such advertising.

  • When acquiring the contact (and with any communication later on), the customer has been clearly advised that he can object at any time and without cost.

Any unsolicited electronic communication must contain an unsubscribe function.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The Federal Data Protection Act (BDSG) differentiates between transfer of personal data within the EU/EEA and outside the EU/EEA.

Data transmission within the EU/EEA is admissible without any further requirements (see Questions 9 and 10 for general requirements and further information). Transmission outside the EU/EEA is, in general, only permitted if an adequate level of data protection is ensured in the country of the recipient.

According to the EU Commission, the following countries are considered to provide an adequate level of data protection:

  • Andorra.

  • Argentina.

  • Australia.

  • Canada.

  • Switzerland.

  • Faroe Islands.

  • Guernsey.

  • Israel.

  • Isle of Man.

  • Jersey.

  • US (for transfer of air passenger name records).

Where the recipient is not situated in one of these countries, an adequate level of data protection can be ensured by using the Commission's Standard Contractual Clauses (Model Clauses) or by implementing binding corporate rules.

If there is no safeguard ensuring an adequate level of data protection, a data transfer outside the EU is only allowed if the data subject has given consent or, in particular, where:

  • The transfer is necessary for the performance of a contract between the data subject and the controller, or to implement pre-contractual measures taken in response to the data subject's request.

  • The transfer is necessary for the conclusion or performance of a contract that has been or is to be entered into in the interest of the data subject between the controller and a third party.

  • The transfer is necessary on important public interest grounds, or for the establishment, exercise or defence of legal claims.

  • The transfer is necessary to protect the vital interests of the data subject.

 
21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

In October 2015, the Telecoms Data Retention Law (Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten) was adopted, which obliges telecoms operators and Internet Service Providers (ISPs) to store the following data:

  • Location data generated by the use of mobile phone services (within four weeks).

  • Phone numbers, the date and time of phone calls and text messages (within ten weeks).

  • IP addresses allocated to the subscriber, date and time of connections under the allocated IP address (within ten weeks).

All data (traffic data/location data) must be retained on servers in Germany.

 

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

The EU Model Clauses have been approved by national authorities. Companies can use these clauses to safeguard an adequate level of data protection in third states.

There are no other approved standard forms or precedents for international data transfers.

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Data transfers are only permitted if the data subject has given consent or where the transfer is justified on the basis of the Federal Data Protection Act (BDSG) or another legal provision (see Questions 9 and 10). A data transfer agreement is not sufficient to legitimise the transfer.

 
24. Does the relevant national regulator need to approve the data transfer agreement?

The EU Model Clauses can be used without prior approval provided the standard terms remain unchanged. If the terms are changed, prior approval by the competent data protection authority is needed.

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The supervisory authority can:

  • Carry out checks and inspections during business hours on the data controller's property and premises and inspect business documents, stored personal data and data processing programmes.

  • Request information to be provided without undue delay.

  • Order measures to rectify violations during the collection, processing or use of personal data or technical or organisational irregularities.

  • Prohibit collection, processing or use, or the use of particular procedures, in the event of serious violations or irregularities, if the violations or irregularities are not rectified within a reasonable period and despite the imposition of a fine.

  • Demand the dismissal of a data protection officer if he does not possess the specialised knowledge and reliability necessary to perform his duties.

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

A violation of the Federal Data Protection Act (BDSG) can result in fines of up to EUR300,000. The fine must exceed any financial benefit to the perpetrator derived from the unlawful data processing. If the financial benefit is higher than EUR300,000, the fine can also be higher.

If a violation is considered to be a criminal offence, it is punishable with up to two years in prison or a fine.

A violation of sector-specific telecoms secrecy obligations (which can be applicable to employers who allow or tolerate private use of business e-mail accounts) is punishable with up to five years in prison or a fine. The risk of such a violation often arises when an employer reviews the e-mail accounts of an employee without obtaining his prior consent.

The current draft of the new EU data protection regulation provides for administrative fines of up to EUR1 million or, in the case of an undertaking, 2% of its total worldwide annual turnover.

 

Regulator details

Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit)

W www.bfdi.bund.de

Main areas of responsibility. The Federal Commissioner for Data Protection and Freedom of Information is responsible for data protection and enforcing compliance with the Federal Freedom of Information Act. The federal regulator oversees data protection compliance by federal public agencies and companies providing telecommunications and postal services.

In addition to the federal regulator, each state has a separate regulator which oversees data protection compliance by private companies (except telecommunications and postal services).



Online resources

W www.bfdi.bund.de/SharedDocs/Publikationen/GesetzeVerordnungen/BDSG.pdf?__blob=publicationFile

Description. Updated, unofficial text of the Federal Data Protection Act (BDSG) in German, published by the Federal Commissioner for Data Protection and Freedom of Information.

W www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html

Description. Translations provided by the Language Service of the Federal Ministry of the Interior. The translation includes the amendment(s) to the Act by Article 1 of the Act of 14.8.2009 (Federal Law Gazette I p. 2814).



Contributor profiles

Norbert Nolte, Partner

Freshfields Bruckhaus Deringer LLP

T +49 221 20 50 7 249
F +49 221 20 50 76 51 54
E norbert.nolte@freshfields.com
W www.freshfields.com

Professional qualifications. Qualified in Germany, 1992

Areas of practice. Data protection; compliance; investigations; corporate crime.

Recent transactions

  • Advising a bank on data protection issues regarding the implementation of an internal monitoring system for electronic communications.
  • Advising a credit card company on using transactional data for marketing purposes.
  • Advising a fashion retailer on data protection issues in connection with video surveillance, including negotiations with data protection authorities and employee representatives.
  • Advising a US automotive manufacturer on data protection issues regarding the implementation of a human resources management system with databases in the US and Europe.
  • Advising a sports betting company on loss of customer data, including co-ordination of interaction with supervisory bodies, prosecuting attorney's office and police.

Languages. German and English.

Christoph Werkmeister, Associate

Freshfields Bruckhaus Deringer LLP

T +49 221 20 50 7 249
F +49 221 20 50 76 52 14
E christoph.werkmeister@freshfields.com
W www.freshfields.com

Professional qualifications. Qualified in Germany, 2013

Areas of practice. Data protection; telecoms; media and IT.

Recent transactions

  • Advising a pharmaceutical company on assessing its current IT and data protection compliance and establishing group-wide policies.
  • Advising a consumer healthcare company on implementing EU Model Contracts and respective change processes.
  • Advising a premium automotive company on the implementation of self-driving car technology and compliance with the upcoming EU data protection regulation.
  • Advising an automobile club on data protection aspects regarding the restructuring of its compliance system.
  • Advising a customer loyalty card company on the use of customer data.

Languages. German and English.

