IT and data protection law news
In a recent judgement, the Federal Court of Justice has commented extensively on the conditions under which the provider of a link can be held liable for infringements of the law on the website it links to.
A new decision of the Federal Court of Justice necessitates changes to certain e-mail systems. The e-mails affected are so-called “no-reply” confirmation mails containing advertising add-ons.
The pre-set consent to telephone advertising used by a large number of enterprises, which requires the consumer to withdraw consent in each individual case, is not permissible. The use of an “opt-out” procedure for declarations of consent on the internet is fundamentally permissible.
1.4 BVerwG: ECJ to clarify data-privacy responsibility for the user data collected when calling up a Facebook fan page
The Federal Administrative Court has brought before the ECJ various questions concerning an enterprise’s operation of a Facebook fan page and its responsibility for a possibly non-data-privacy compliant handling of personal data by Facebook.
The legislator’s extension of the right of associations to initiate legal proceedings to include data protection issues entered into force on 24 February 2016. In future, consumer associations, chambers of commerce and competition associations will be entitled to caution enterprises regarding breaches of data protection law or to initiate legal action against them.
Since 9 January 2016, online dealers have had an additional notification obligation resulting from the introduction of dispute resolution proceedings for transactions with consumers (the so-called online dispute resolution platform).
The Conference of Independent National and Federal State Data Protection Authorities has published a guide for the data-privacy compliant use of e-mail and internet at work. Additionally, a regional employment court has ruled on the question of the prohibition of the evaluation of evidence in this context.
In an article on social engineering audits we explain the employment law aspects of the permissibility of testing technical security precautions and identifying weak points within enterprises.
The IT Security Act, which entered into force last year, imposes strict requirements upon “operators of critical infrastructures” as regards the IT security to be ensured. Whereas the enterprises falling under this Act were initially only vaguely outlined, a first draft of the pertaining ordinance determining the enterprises affected has now been published.
3.2 IT Security Act II: EU Cyber Security Directive expected in the spring of 2016
Extensive minimum harmonisation in the EU Member States ensuring a high degree of network and information security is just around the corner. For enterprises situated in Germany, however, hardly any differences can be expected vis-à-vis the IT Security Act already in force.
The EU Commission has presented details of the “EU-US Data Privacy Shield” that was announced four weeks ago, including the assurances declared to date by the US Government as regards the handling of personal data of EU citizens. The EU data protection authorities will now be extensively examining the documents before presenting their comments.
Information on the current status of the EU General Data Protection Regulation
By judgement dated 18 July 2015, the Federal Court of Justice [Bundesgerichtshof, BGH] commented extensively on legal questions concerning liability for hyperlinks which lead to websites with illegal content, although the reasons for the judgement were not published until 5 January 2016. The BGH has essentially confirmed and concretised its previous jurisprudence.
First of all, the BGH confirmed that liability for own content is possible through an “adoption” of linked content “as own content”. Whether this is the case must be determined in an overall appraisal of all circumstances. A factor which would particularly suggest an “adoption as own content” is where the provision of hyperlinks constitutes a substantial element of the provider’s business model, for example where products of the provider of the link are promoted on the linked website or reference is made therein to products which complete the product range offered by the provider of the link. If, however, the link does not point to a specific section of the linked website (a so-called deep link), but only to the legally unobjectionable homepage, then this indicates that the website operator providing the link specifically did not wish to adopt the illegal content contained in the respective subsections as its own content.
The BGH additionally confirmed its jurisprudence on “Liability for Interference” (“Störerhaftung”) to the effect that the provision of a hyperlink can fundamentally be classed as conduct which increases the risk. In the opinion of the BGH, a party which provides a link to evidently illegal content is liable as an interferer. However, in the interests of freedom of opinion and freedom of the press, excessively strict requirements may not be set for the examination of the content. In particular, there is no proactive monitoring obligation. This changes, however, the moment the website operator providing the link gains knowledge of a potential legal infringement. From this point on it has an extended examination obligation and also bears the risk of a correct legal assessment. If it maintains the link to content which does indeed turn out to be illegal, it can no longer raise the defence that it was unable to establish the infringement, or to establish it with certainty.
This last point, above all, is new in the BGH’s judgement. With it, the BGH ultimately introduces a “notice-and-take-down” procedure for hyperlinks. Enterprises which work with links on their websites are therefore advised to maintain a certain distance from the linked website and, in particular, not to use it as an integral element of their own internet presence, inter alia by refraining from using deep links. Should an enterprise receive a concrete indication of illegal content, then in case of doubt the enterprise is advised to remove the link.
In a decision dated 15 December 2015 (docket No. VI ZR 134/15), the BGH had to decide on a case in which a consumer contacted the enterprise that was later sued by e-mail in order to terminate a contract and subsequently received an automatically generated confirmation of receipt from the enterprise. This confirmation of receipt contained, inter alia, advertising. The claimant subsequently informed the enterprise, once again by e-mail, that he did not agree to these advertising add-ons. He then received a second automatically generated confirmation of receipt which in turn contained the same advertising add-ons. In response to his query regarding the status of the matter, sent about one week later, the claimant then received a third automatic confirmation of receipt, once again containing advertising add-ons.
The BGH ruled that the third automatically generated e-mail response, with its advertising character, impermissibly infringed the personal rights of the claimant (and did not base its decision, for example, on Sec. 7 Subsec. 3 of the Act Against Unfair Competition [Gesetz gegen den unlauteren Wettbewerb, UWG]). It thereby ultimately confirmed the judgement of the first instance by setting aside the appeal court judgement that had dismissed the case.
What is special about this judgement is that in this case it is a consumer who is complaining of the infringement of his personal rights and not, as in the majority of cases, consumer protection associations or competitors asserting a violation of the UWG. Unlike violations of the UWG, when examining infringements of personal rights the opposing interests must be taken into consideration, in which case one could consider the fact that these are only automatically generated e-mails and that the advertising party must be given the time to remove the advertising add-on from its automatically generated e-mails. Whether the second e-mail containing the advertising add-ons, which was sent in response to the consumer’s complaint, already constitutes an infringement of personal rights could be left unanswered by the BGH, since the advertising enterprise had not even altered its automatic e-mails after more than a week and then sent the third e-mail with advertising add-ons.
Within the scope of application of the UWG, the first automatically generated e-mail with advertising add-ons would already constitute an unfair business practice pursuant to Sec. 7 Subsec. 2 No. 3 UWG unless, in an exceptional case, the strict prerequisites of Sec. 7 Subsec. 3 UWG had been fulfilled. This provision exceptionally allows the transmission of advertising by electronic mail for the direct marketing of existing customers who were informed about planned advertising measures and have not yet objected to them. At the latest upon the customer’s first objection, however, this exception no longer applies (Sec. 7 Subsec. 3 No. 3 UWG), and a violation of the UWG would certainly be established even if the advertising were sent in an automatically generated e-mail and the advertising enterprise had no chance to react to the customer’s objection. In this respect it is also surprising that the BGH derives the forbearance claim from an infringement of the consumer’s personal rights and not from Sec. 7 Subsec. 2 No. 3 UWG, for this provision implements Art. 13 of EU Directive 2002/58/EC, which aims to protect affected parties against unsolicited advertising sent via electronic channels. A more efficient consumer protection could have been achieved by examining Sec. 7 Subsec. 2 No. 3 UWG; in that case, the second e-mail at the latest would have to be assessed as a violation of the UWG. It seems incoherent that a consumer who takes direct legal action is only entitled to a forbearance claim under the more broadly worded requirements of an infringement of his personal rights, whereas a consumer protection association or competitor bringing suit benefits from the norms of the UWG, which set lower requirements for such a claim.
Enterprises should take this decision as grounds to check their automatically generated e-mail content to determine whether or not it contains advertising and, if so, to remove any such advertising.
Dr. Dirk Reintzsch
The Higher Regional Court [Oberlandesgericht, OLG] of Frankfurt commented in a decision dated 17 December 2015 on two important legal issues: 1) When has a user given his consent for a specific case and in knowledge of the factual situation, and 2) can the so-called “opt-out” procedure be used for consent to cookies?
The first question arose in the context of a declaration of consent to telephone advertising which was to be obtained for a multitude of partner enterprises. The consent text contained a link via which the consumer was directed to an extensive list (ca. 60 enterprises) in which he could individually change his pre-set consent for each enterprise by unticking a box.
With reference to the jurisprudence of the BGH, pursuant to which the consent of consumers to telephone advertising within general business terms and conditions is only valid if it is given for a specific case and in knowledge of the factual situation, the OLG decided that these prerequisites had not been fulfilled here. Consumers needed to be able to determine to which products or services of which enterprises their consent referred. In order for the consent to be valid, consumers had to have a realistic possibility of checking this, dispelling any risk of a premature decision. Such a risk existed, however, where the declaration of consent covered such a broad scope: the time and effort required to identify and examine the pre-set enterprises was disproportionate to the participation in the prize competition that was being sought.
This judgement will be of particular interest to many enterprises, especially as regards the second legal question of the “opt-out” procedure, which the OLG regarded as fundamentally permissible, since this issue has barely been addressed in jurisprudence to date. Whether this opinion will prevail, however, is doubtful in light of the fact that the opinion of the Art. 29 Working Party cited by the OLG is generally understood to mean that only an “opt-in” procedure is permissible.
The German Federal Administrative Court [Bundesverwaltungsgericht] has referred various questions to the ECJ concerning the legality of a commercial academy’s operation of a Facebook fan page (docket No. 1 C 28.14). The data protection authority had ordered the deactivation of the fan page because user data had been collected on this platform, inter alia through cookies, and used for advertising purposes as well as for user statistics which were also provided to the academy, without the users having been sufficiently informed about this or having consented to such use.
A total of five questions on the interpretation of EU Directive 95/46/EC (Data Protection Directive) were referred to the ECJ. The ECJ essentially has to decide on the scope of the data protection authorities’ powers to examine and act, as well as on the question of whether the claimant, as the fan page operator, bears the data-privacy responsibility for the choice of operator of its internet presence and for that operator’s data-privacy compliant handling of personal data.
The ECJ’s interpretation will affect many companies operating Facebook fan pages. We will inform you of the ECJ’s decision as soon as it is available. Further details of the current status of the proceedings as well as the wording of the questions referred to the ECJ can be found here.
Dr. Helge Pühl
The German Act to Improve the Civil Law Enforcement of Data Protection Law Provisions for the Protection of Consumers [Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts] entered into force on 24 February 2016. In terms of content it essentially corresponds to the draft bill described in our December 2014 Newsletter.
The new Act now classes data protection law norms as consumer protection norms. With this, qualified establishments such as consumer associations, commercial associations, chambers of commerce and industry as well as chambers of trade are given an independent right to initiate legal proceedings. This not only extends to the right to demand forbearance, but now also includes a right to demand the remedy of impermissible collection, processing and use of data.
Due to the increased circle of potential claimants, enterprises face an increased risk of complaints and lawsuits in future. High-profile lawsuits by consumer associations, in particular, often entail an enormous risk of damage to reputation, even if a complaint subsequently turns out to be unfounded. In the opinion of Florian Nöll, the President of the Federal Association of German Startups [Bundesverband Deutsche Startups e.V.], the right of associations to initiate legal proceedings will create a huge number of private control instances which have the potential to overrun startups with a flood of lawsuits. The same applies to other enterprises which handle personal data.
For this reason it will be even more important to meet high data-privacy standards in future.
Philipp Ahrens / Dr. Helge Pühl
With effect as of 9 January 2016, EU Directive 2013/11/EU and EU Regulation 524/2013/EU have entered into force, both stipulating additional notification obligations for online dealers.
The EU Directive stipulates that extrajudicial conciliation boards are to be created for the resolution of disputes between consumers residing in the EU and enterprises located in the EU. These dispute resolution proceedings are to last no longer than 90 days and are to be either free of charge for consumers or cost a maximum of 30 euro. The costs, which are based on the amount in dispute, must be borne by the enterprises. At present, however, no regulation exists in Germany which would oblige online dealers to join these proceedings envisaged by the EU.
However, on the basis of the EU Regulation an obligation does exist to notify the existence of the online dispute resolution platform established by the EU. This notification obligation encompasses the provision of a link to the platform and an indication that a corresponding platform of the European Commission is available online. This link must be reachable from the enterprise’s homepage with a maximum of two clicks, i.e. it must be easily accessible.
Accordingly, all enterprises which conclude contracts with end consumers via online shops are advised to embed the link and reference to the existence of the platform on their homepages – for example where links to the general business terms and conditions can also be found – and, where necessary, to point out that the enterprise itself does not participate in the alternative dispute resolution proceedings.
Enterprises which maintain an online market place and thereby merely operate as intermediaries between buyers and sellers fall under the EU Directive insofar as they are also obliged to integrate the link and make a reference to the existence of the platform on their homepage. Here as well, in order to avoid misunderstandings it is advisable to indicate that the enterprise does not participate in the proceedings.
The planned implementation of the Directive in Germany will take the form of the Consumer Dispute Resolution Act [Verbraucherstreitbeilegungsgesetz, VSBG]. This will provide that enterprises which employed more than ten persons in the past year are also obliged to refer in their general business terms and conditions to the possibility of participating in dispute resolution proceedings before a conciliation board. Besides this notification obligation, however, there will fundamentally be no obligation to participate in dispute resolution proceedings. In this respect, the planned VSBG does not go beyond the notification obligation already regulated in the EU Regulation. Exceptions to the mere notification obligation are envisaged in separate acts. For example, Sec. 111b Subsec. 1 sentence 2 of the Energy Industry Act [Energiewirtschaftsgesetz, EnWG] obliges energy supply enterprises to participate in dispute resolution proceedings if a consumer applies for conciliation. The VSBG is expected to enter into force on 1 April 2016.
The notification obligations are regulations concerning market conduct, which means that enterprises which violate these obligations can be cautioned, at their cost, by associations or competitors pursuant to the German Act Against Unfair Competition [Gesetz gegen den unlauteren Wettbewerb, UWG].
The Conference of Independent National and Federal State Data Protection Authorities published in January 2016 a guide on the data-privacy compliant use of e-mail and the internet at work. In this guide the data protection supervisory authorities have commented in greater detail than ever before on the scope of and conditions under which employers may check their employees’ e-mail and internet use.
In this connection they have reconfirmed the opinion that an employer which permits, or even merely tolerates, the private use of e-mail and the internet becomes a telecommunications or telemedia services provider vis-à-vis its employees. This means that the employer’s taking note of e-mail content generally constitutes a breach of telecommunications secrecy and thus an offence pursuant to Sec. 206 German Criminal Code [Strafgesetzbuch, StGB].
The data protection authorities therefore recommend that employers either prohibit such private use by their employees or clearly regulate the conditions under which the employer may access the employees’ internet and e-mail use. The latter should be achieved by concluding a works agreement and by obtaining the individual consent of the employees. The guide contains a draft of such a works agreement as well as a draft declaration for obtaining the consent of employees. The guide also contains information on the use of spam filters and virus protection, albeit very briefly.
In our opinion, there is nothing fundamentally new in the guide. The recommendations of the data protection authorities correspond to the advice we regularly give. However, many enterprises will find the guide helpful insofar as the data protection supervisory authorities have taken a clear stand and offer practical suggestions for handling the topic, not least by providing the drafts. Nevertheless, the disagreement over the correctness of the authorities’ view and over the conditions under which employers may check their employees’ e-mail and internet use has by no means been resolved, as can be seen from the most recent judgement of the Regional Labour Court [Landesarbeitsgericht, LAG] of Berlin-Brandenburg dated 14 January 2016 on this subject.
In the case at hand the employer had provided the employee with an office PC and permitted the private use of the internet in exceptional cases. Following indications of considerable private internet use by the employee, the employer evaluated the browser history of the office PC without obtaining the employee’s consent and subsequently terminated the employment relationship on grounds of excessive private use.
The Regional Labour Court deemed the extraordinary termination to be legally valid and, as far as the browser history was concerned, did not find any prohibition on the use of evidence to the employer’s detriment. Although personal data was involved and the employee had not consented to its examination, the evaluation of the data was nevertheless permissible because the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] also permits the storage and evaluation of the browser history in order to check for misuse without such consent and, in the case at hand, the employer had no other means of proving the scope of the unpermitted internet use.
The Regional Labour Court expressly admitted an appeal on points of law to the Federal Labour Court [Bundesarbeitsgericht, BAG]. Until the decision becomes legally binding, it is therefore advisable, at the hearing of the works council in which the reasons for an extraordinary conduct-based termination must be given, not to base the termination exclusively on the violation of the employer’s directions regarding the private use of the internet, but alternatively also on “time theft” (fraud with regard to working hours).
2.4 Employment law aspects of social engineering audits
Social engineering describes a technique by which a party intending to cause harm establishes personal contact with human users with a view to circumventing the technical security measures of an enterprise.
In order to protect against such attacks, enterprises are increasingly hiring external service providers to conduct “social engineering audits” to test their security and to identify weak spots. Two partners of our employment law practice group, Jörn Kuhn and Dr. Alexander Willemsen, examined the employment law aspects of such social engineering audits in detail in an article for the journal DER BETRIEB.
A summary of the content as well as further links to the article can be found here.
Jörn Kuhn and Dr. Alexander Willemsen
With the IT Security Act which entered into force last year (we reported on this in our September 2015 Newsletter), operators of critical infrastructures are obliged to meet certain organisational and technical minimum standards. Which individual enterprises this involves is to be determined in an ordinance in accordance with Sec. 10 of the Act on the Federal Office for Information Security [Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSI-Gesetz].
The Federal Ministry of the Interior [Bundesministerium des Innern, BMI], which is charged with the implementation, presented a first draft in February which is now being coordinated with the federal states and industry associations. The draft distinguishes between the individual sectors (inter alia energy, information and communication technology, food, water) and stipulates for each sector threshold values above which classification as an operator of a critical infrastructure is to be assumed. At present, ca. 650 enterprises would be affected. To find out whether your enterprise falls under the IT Security Act, please refer to the draft.
Dr. Helge Pühl
With the agreement of the EU Member States on 18 December 2015, the draft of the EU Network and Information Security Directive (NIS Directive), previously negotiated between the European Commission, the Council of the European Union and the European Parliament, has now been finalised. The draft must first be formally approved by the Council of the European Union and then by the European Parliament; this is expected in the spring of 2016. Once the Directive enters into force, the Member States will have 21 months to implement it into their national laws.
The Directive will affect providers of digital services (online market places, search engines, cloud computing services and application stores, but no longer social networks and internet payment gateways), as well as private or public establishments which render “essential” services (inter alia in the sectors energy, transport, banking and finance, health, internet exchange points, domain name system service providers and top-level domain name registries).
These must take security measures which are “technically and organisationally suited” to “manage” the risks to their networks and information systems. Moreover, in the case of security incidents which have a “considerable” effect on the continuity of their essential services, they are obliged to notify “without undue delay” the competent authority or the IT emergency response team to be established by the Member States. “Microenterprises” offering digital services are exempt from the security requirements and notification obligations.
With the IT Security Act which entered into force on 25 July 2015 (further details are contained in our September 2015 Newsletter), and which was closely modelled on the Commission draft of the NIS Directive, the Federal Republic of Germany has anticipated the essential content of the NIS Directive, inter alia in the Telemedia Act [Telemediengesetz, TMG] (Sec. 13 Subsec. 7), the Telecommunications Act [Telekommunikationsgesetz, TKG] (Sec. 109) and the Act on the Federal Office for Information Security [Gesetz über das Bundesamt für Sicherheit in der Informationstechnik], and has thereby already essentially implemented it into national law. If the enterprises in question bring their security structures into line with these reforms, they can expect barely any changes from the NIS Directive. Through the new Sec. 13 Subsec. 7 Telemedia Act, operators of online market places and parties which use such a distribution platform to offer their goods were also covered by the IT Security Act, as they are deemed service providers within the meaning of the Telemedia Act. Hence they, too, are hardly affected by the NIS Directive. However, it remains to be seen whether the Federal Republic of Germany will take the NIS Directive as cause to tighten the existing legal situation, for example by increasing the levels of fines.
Dr. Marc Hilber
On 29 February the EU Commission presented the details of the planned “EU-US Data Privacy Shield”. Following its announcement on 2 February 2016 as the agreement which will succeed the Safe Harbour Agreement declared invalid by the ECJ (we reported on this in our newsflash), the draft “adequacy decision”, the assurances of the US Government, as well as further relevant documents have now been published.
In the further course of proceedings, a committee of representatives of the Member States and the EU data protection authorities (Art. 29 Working Party) will meet to consult and comment on the project. The members of the Art. 29 Working Party had made the reading and analysis of the text an express condition before conclusively deciding on the permissibility of EU-US data transfers, including those based on EU standard contractual clauses and binding corporate rules.
Dr. Helge Pühl
On 15 December the three European institutions (Parliament, Commission and Council) reached agreement in the so-called trilogue negotiations on a compromise text and thereby paved the way for the adoption of the new General Data Protection Regulation, presumably this spring.
The agreed text of the Regulation will now have to be analysed by many enterprises to determine the scope of the changes for their own businesses. However, it is already evident that several changes will affect all German enterprises:
- For example, the criteria for determining whether consent to data processing has been validly given are partially being relaxed and partially tightened, especially with regard to the voluntariness of consent.
- The Regulation also contains extended information obligations, with the result that the majority of enterprises will have to review the privacy notices they use.
- Enterprises can also reckon with increased rights of data subjects, for example the right to demand provision of one’s own data in a machine-readable format.
- The Regulation also introduces new obligations which require enterprises to develop and implement internal processes, for example within the scope of the so-called data protection impact assessment.
- Additionally, the Regulation partially introduces the market place principle, which means that the Regulation will apply worldwide to all services aimed at citizens in the EU, irrespective of the provider’s location.
- In case of violations of the Regulation, enterprises face fines of up to 20 million euro or 4 percent of annual turnover.
The General Data Protection Regulation is to apply directly throughout the entire EU from the spring of 2018, after a two-year transitional period. However, it is already foreseeable that the national legislators will use the opening clauses contained at many places in the Regulation (in particular concerning the processing of health-related data, but also employee data) to create or maintain deviations applicable only at the national level. For this reason, the extent to which the Regulation will actually lead to a unification of data protection law in Europe remains to be seen.
Dr. Jürgen Hartung