IT and data protection law news
On 5 July 2016 Oppenhoff & Partner will be hosting the inaugural meeting of the Rhine-Ruhr KnowledgeNet Chapter of the International Association of Privacy Professionals. At this meeting Dominik Stockem – Data Privacy Officer at Microsoft Deutschland – will be speaking on the subject of “International Data Transfers – General Data Protection Regulation and Privacy Shield”.
On 4 May 2016 the General Data Protection Regulation was announced in the Official Journal of the EU. It entered into force on 24 May 2016, with a 2-year implementation period.
The Advocate General at the European Court of Justice [ECJ] has argued in his Opinion that dynamic IP addresses constitute personal data, while at the same time urging a less restrictive handling of them.
The Regional Court of Bochum prohibited an online trader from offering its goods over the internet in the course of trade on grounds of its failure to refer to the EU online dispute resolution platform (ODR Platform).
The Regional Court of Dortmund has established requirements for the structuring of notices aiming to exclude consumers as a target group of an internet shop in order to circumvent the applicability of consumer protection provisions.
The Higher Regional Court of Cologne has ruled that the operator of a website offering a contact form must notify the user of the storage and processing of his personal data, and that competitors can issue a warning to the operator for failing to meet this requirement.
In a recently published decision of the Berlin Court of Appeals, WhatsApp Inc. was found to have breached several consumer protection provisions and was ordered to comply with them, in particular to provide German-language general business terms and conditions.
4. Amendments of the law/new guidelines
On 14 April 2016 a new EU Directive was passed on the protection of confidential know-how and confidential business information against unlawful acquisition, use and disclosure.
4.2 Federal Government plans to abolish WIFI operators’ co-liability
The Federal Government is planning to abolish the much criticised liability of WIFI operators as a co-liable party [Störerhaftung] through an amendment of the German Telemedia Act [Telemediengesetz, TMG] within the year.
4.3 Art. 29 Data Privacy Group: Opinion on the EU-US Data Privacy Shield
The Art. 29 Data Privacy Group has published an opinion on the draft of the EU Commission’s decision regarding the reasonableness of the new EU-US Data Privacy Shield.
4.4 Düsseldorfer Kreis: Guideline on the data privacy law aspects of declarations of consent in forms
The Düsseldorfer Kreis has published a new guideline on the data protection requirements of declarations of consent which, with the aid of concrete examples, offers sound advice on how to structure the content and layout of such declarations.
1. O&P affairs
On 5 July 2016 Oppenhoff & Partner will be hosting the inaugural meeting of the Rhine-Ruhr KnowledgeNet Chapter of the International Association of Privacy Professionals (IAPP).
Oppenhoff & Partner and Dr. Jürgen Hartung as one of the Chairs of the Chapter are delighted to welcome Dominik Stockem – Data Privacy Officer at Microsoft Deutschland – to the meeting. He will be speaking on the subject of “International Data Transfers – General Data Protection Regulation and Privacy Shield”. The presentation will be held in German. Further information on the topic and registration via the IAPP can be found here.
Dr. Jürgen Hartung
On 4 May 2016 the General Data Protection Regulation was announced in the Official Journal of the EU. It entered into force on 24 May 2016, with a 2-year implementation period. During this implementation period all existing data processing must be brought into line with the General Data Protection Regulation. Until the expiry of the implementation period, however, ongoing and new processing operations still have to meet the requirements and fulfil the conditions of the currently applicable data privacy laws.
The General Data Protection Regulation will apply as of 25 May 2018, unless the respective Member States make use of the numerous opening clauses contained in the General Data Protection Regulation and issue their own regulations.
For German enterprises, this also means that countless new requirements will have to be met during the implementation period. This includes, in particular, training sessions for all employees dealing with data privacy issues, a review of all existing data processing against the new provisions of the General Data Protection Regulation, the implementation of the new corporate processes that become necessary (for example to implement the new obligation to conduct a data protection impact assessment or to comply with the principle of “privacy by design”), the drafting of new documentation (in particular in order to satisfy the new accountability principle) and the revision of existing documents (e.g. declarations of consent or commissioned data processing contracts).
In his Opinion on the case “Patrick Breyer versus the Federal Republic of Germany” on 12 May 2016, the Advocate General at the European Court of Justice (ECJ) declared that dynamic IP addresses also represent personal data within the meaning of Council Directive 95/46/EC (“Data Protection Directive”) if the additional information required to identify the user is possessed only by the internet access provider.
Dynamic IP addresses are addresses which are allocated for a limited time to the respective connection with the internet and are changed again in later connections. In the Advocate General’s opinion, dynamic IP addresses represent information concerning an identifiable person, since they enable an “indirect” identification of the user by means of the additional knowledge held by the internet access provider. It is fundamentally not enough for such a possibility of identification that merely some third party or other could determine the person’s identity on the basis of additional knowledge. Since it is a known fact, however, that the internet access provider possesses such additional knowledge, there is a “reasonable” possibility of lawfully obtaining access to that additional knowledge – however limited this may be in practice.
In addition thereto, the Advocate General at the ECJ supports a less restrictive handling in certain circumstances as regards the long-term storage of IP addresses. The restrictive provision in Sec. 15 German Telemedia Act [TMG], pursuant to which a service provider may only collect and use IP addresses to enable the usage and invoicing of telemedia, violates the Data Protection Directive, which permits a processing of personal data under certain circumstances if a legitimate interest exists. The Data Protection Directive is thus worded far more broadly than Sec. 15 TMG. In the opinion of the Advocate General, for example, the purpose of ensuring the security and functional capacity of the telemedium fundamentally has to be viewed as a legitimate interest, the pursuit of which could justify the processing of the IP address insofar as this interest is acknowledged to take precedence over the interests or the basic rights of the data subject. Whether such precedence can be acknowledged must be determined by a court in the individual case.
Although the opinion of the Advocate General at the ECJ is not binding for the ECJ, it does generally have a strong influence over the court’s subsequent decision. In the past, the ECJ has frequently followed the Opinion of the Advocate General. Should the ECJ also follow the Opinion in this case, not only will years of controversy over the personal reference of IP addresses be clarified, but a more liberal handling in case of legitimate interests of the responsible body will also be secured.
As we had already reported in our Newsletter 01/2016, on 9 January 2016 EU Regulation No. 524/2013 entered into force. The measure regulates the online resolution of disputes between consumers and online traders and establishes an obligation of traders who sell their products to end customers to notify such consumers of the possibility of dispute resolution. We had also pointed out that violations of the notification obligations can lead to written warnings (with the online trader having to bear the costs) pursuant to the law against unfair competition.
On 31 March 2016 the Regional Court of Bochum confirmed an interim injunction which prohibits a trader from offering the end customer a product (in this case watches) over the internet in the course of trade without drawing the consumer’s attention to the EU online dispute resolution platform (ODR platform). This interim injunction was issued because the trader in question had not acted upon a caution by which he had been ordered to render a declaration of submission with penalty clause.
The interim injunction – and with it also the caution – was deemed lawful by the Regional Court despite the fact that the ODR platform had not yet been available at the time of the caution and no dispute resolution as yet takes place in Germany. The Regional Court stated that this was of no consequence to the need to refer to the ODR platform, since the involvement of the dispute resolution platform was not relevant at the conclusion of the contract, but only at a later date in the event of a dispute.
Since the ODR platform has been available since 15 February 2016, a “readily accessible” link to it must be included on the internet trader’s homepage. The lack of this information and link thus already now represents a tangible disadvantage to the consumer within the meaning of Sec. 3a German Unfair Competition Act [UWG] and thus a violation of competition law.
The judgement once again makes it clear that all traders who have not yet added a reference to the ODR platform and a corresponding link to their homepage should do so without undue delay.
By judgement dated 23 February 2016 the Regional Court of Dortmund had to decide on whether, respectively under which conditions, the operator of a web shop could validly limit its offers to tradespersons with the consequence that consumer protection provisions did not apply.
In the underlying case, the defendant – a provider of a payment-based database for cooking recipes – had indicated in several places on its website that it only wished to do business with enterprises. Accordingly, the website was structured without regard to the pertinent consumer protection requirements. A consumer protection association – the subsequent claimant – objected hereto, stating that the limitation to businesses was not sufficiently transparent and that the defendant’s website therefore violated consumer protection law in many places.
The Regional Court of Dortmund ultimately shared this opinion and, as requested, ordered the defendant to refrain from specific actions that contravened consumer protection law. In its decision, the Regional Court of Dortmund first established, with reference to a corresponding decision of the Higher Regional Court [Oberlandesgericht, OLG] of Hamm, that it is fundamentally possible to limit sales offers to tradespersons. Insofar as this limitation is sufficiently transparent and clear, a consumer who misrepresents his status as a tradesperson cannot in good faith plead the applicability of the consumer protection provisions vis-à-vis the seller.
The court held that this transparency requirement had not been fulfilled despite the many references contained on the defendant’s website. In this connection it particularly objected to the insufficiently visible presence of the notices as well as their positioning on the website. The court found particular fault with the fact that the heading “Notice” was in light lettering, only became visible to the customer by scrolling down the website and was positioned outside of the central registration screen for using the database. Since cooking recipes are generally available on the internet free of charge, and a reasonably alert internet customer therefore does not expect any cost risk when searching for a cooking recipe, he can assume that all information located outside of the central registration screen is irrelevant to him. The fact that during the registration process the customer has to tick a box containing the notice “I accept the general business terms and conditions and expressly confirm my commercial user status” does not justify any different appraisal in the court’s opinion. Rather, it can be assumed that the reasonably alert internet customer will only take note of the first few words next to the box he has to click. Finally, the court also criticised the fact that the field in the registration screen for stating the company name was not designed as a mandatory field. This suggests to customers that it does not matter whether they are acting in a commercial or a private capacity.
The judgement of the Regional Court of Dortmund makes it clear that case law sets extremely strict requirements for a transparent limitation of web shops to B2B transactions. Where and how corresponding notices must be placed also depends on the concrete protection needs of the consumers as regards the subject matter of the transaction concerned. In order to prevent the application of consumer protection provisions, therefore, in addition to making transparent notices, if possible the provision of information which clearly indicates that the buyer is acting in a commercial capacity (such as a VAT identification number, for example) should be demanded.
Dr. Dirk Reintzsch
On 11 March 2016 the Higher Regional Court of Cologne decided a case in which a website operator had used a contact form without notifying the user of how his personal data was being collected and stored, and without pointing out that he still had a right of revocation after having given his consent. A written warning had been issued to the operator on account of the missing notice, which the operator contested. The Higher Regional Court of Cologne confirmed the ruling of the previous instance to the effect that the homepage may not be operated without these notices.
Only in cases where the operator issues the corresponding notice does the website fulfil the requirements of Sec. 13 TMG, which demands a generally comprehensible notice, to the extent no such notice has already been given. The type, scope and purpose of the collection and use of the personal data was not evident from the actual contact form, which meant that one also could not rely upon the user deriving this information himself.
If the operator of the homepage does not provide this information, it is acting in an anti-competitive manner within the meaning of Sec. 3a UWG and a warning can be issued. Sec. 13 TMG is a norm regulating market conduct and also serves, inter alia, to protect the interests of competitors by creating equal competitive conditions. According to the court, it is entirely possible that a user, given a clearly issued notice regarding the storage and use of his personal data, will refrain from filling out a contact form, or, in the absence of such a notice, will refrain from revoking consent already given. Since the provision of a contact form makes it easier for the user to make contact and submit his data, the lack of a data protection declaration can represent a competitive advantage over other competitors. This violation therefore also has a noticeable effect upon the user’s business decision.
The decision of the Higher Regional Court of Cologne did not go uncriticised; moreover, other courts have recently ruled to the contrary on whether Sec. 13 TMG represents a market conduct provision which also protects the interests of competitors within the meaning of Sec. 3a UWG and whether a violation thereof constitutes a tangible disadvantage (cf. for example Regional Court of Berlin, judgement dated 4 February 2016 - 52 O 394/15). This matter still awaits clarification by the Federal Court of Justice. Until such time, however, all website operators using a contact form on a homepage are advised to give detailed information on the type, scope and purpose of the data collected and processed in connection with the respective contact form, as well as on the possibility of revoking any consent given. Since such a violation is not only pursued by the data protection authorities but can also lead to warnings from competitors, this risk exists for all websites.
Dr. Helge Pühl
By judgement dated 8 April 2016 the Berlin Court of Appeals established several breaches of consumer protection provisions by WhatsApp Inc.
To begin with, the Court of Appeals criticised the lack of any possibility to make contact with the enterprise other than by e-mail, for such a second channel of communication and a corresponding indication to the consumer is stipulated in the TMG. The court left it open whether its Facebook presence could constitute such a channel of communication, since the present configuration of the enterprise’s own Facebook site did not enable the receipt of messages in any event.
Furthermore, the court established that the provision of its general business terms and conditions exclusively in English, irrespective of their content, represented a violation of the transparency requirement. Insofar, one could at best assume the spread of “everyday English” amongst German consumers, but not the linguistic skills required to understand complex legal clauses.
Finally, the judgement stated that information on the authorised representative of the enterprise is missing from the legal notice. In contrast to the two points stated above, however, in the court’s opinion this provision does not regulate market conduct, and hence an order to that extent was ruled out.
In light of this decision, internationally operating enterprises which presently use in Germany only texts drafted, for example, under English law should endeavour to have these translated into German.
On 14 April 2016 the European Parliament adopted the new “Directive on the Protection of Confidential Know-How and Confidential Business Information (Trade Secrets) against Unlawful Acquisition, Use and Disclosure”.
The Directive obliges the EU States to provide for measures, procedures and legal remedies which will ensure civil law protection against an abusive use of trade secrets. In the event of an abusive use of trade secrets, the enterprise in the respective Member State of the EU will be able to also assert its rights before a court and to procure damages. All negative consequences are to be taken into consideration in the calculation of the damages: this includes any lost profit of the enterprise concerned, any unfair profits of the infringer, as well as moral damages incurred by the enterprise. There is no concept of compensation of “moral” damages in German law to date, however.
According to the Directive, trade secrets are information which has a commercial value and is the subject of secrecy measures. The last condition in particular will force enterprises to take corresponding protective measures in future and to prove such measures in legal proceedings if they wish to benefit from the protection offered by the Directive.
In many cases enterprises have thus far refrained from taking legal action against a violation of their trade secrets for fear of these secrets being disclosed during the course of the court proceedings. The Directive aims to remedy this situation: it envisages in its recitals that the Member States will ensure the preservation of secrecy by limiting access to evidence or hearings and by only publishing the non-confidential parts of the court decision. With the so-called “in-camera proceedings”, Germany already has proceedings that protect secrecy in case of administrative court proceedings. For this reason, such proceedings conceivably could also be introduced for civil proceedings.
In order to protect the freedom of opinion and to allow the public to be informed of any wrongdoing, there are various limitations. Hence the Directive offers no protection, for example, for the acquisition of secrets
- in the scope of the exercise of the employees’ representative body’s rights to information and a hearing;
- in the scope of independent research;
- when examining a product which has been made publicly available or is in the lawful possession of the acquirer of the information;
- in case of every other manner of proceeding which, in the given circumstances, is reconcilable with a serious business practice (what the Directive exactly means by a serious business practice is not defined here, however);
- in the scope of the lawful exercise of the freedom of opinion and information, or
- for purposes of disclosing misconduct or an illegal activity, insofar as this was necessary for the disclosure and the infringer has acted in the public interest.
Only time will tell the extent to which the Directive will bring substantial new practical improvements in light of these limitations. The undefined term “serious business practice” in particular could - depending on its interpretation - erode the protection of secrecy in its entirety.
The Directive must be transformed into German law within 2 years, which will involve corresponding amendments of the law. Enterprises are already advised, however, to introduce verifiable secrecy measures to ensure that they will subsequently fall under the sphere of protection of the Directive.
The Federal Government has agreed to abolish WIFI operators’ liability as a co-liable party.
According to the present legal situation, private WIFI operators can be sued for forbearance as co-liable parties if their inadequately secured WIFI connection is used by third parties to breach copyrights over the internet. Enterprises which allow their customers the use of their WIFI connection (cafés, bars, hotels etc.) also presently face the risk of co-liability. Most recently, the demands for the abolition of the co-liability have increased, especially since this is deemed to be the reason why Germany – in comparison with the range of public WIFI hotspots internationally – somewhat lags behind.
The reason why the Federal Government has adopted this endeavour is perhaps due to the proceedings currently pending before the ECJ on the co-liability of WIFI operators. In the proceedings in question, the Advocate General came to the conclusion that the co-liability of enterprises which, as an ancillary activity to their main commercial activity, allow public internet access to the WIFI network operated by them at no charge, is irreconcilable with the stipulations of the Telecommunications Directive. The privileged liability position contained in Art. 12 of the e-commerce Directive (Council Directive 2000/31/EC) for service providers who limit themselves to a transmission of third-party information in a communication network also applies correspondingly to WIFI operators.
Art. 12 of the e-commerce Directive has been transformed into German law in Sec. 8 of the German Telemedia Act. The Federal Government’s present draft bill also addresses this. It envisages adding a third paragraph to Sec. 8 TMG establishing that WIFI operators are to be classed as service providers within the meaning of the provision. In future, they are to be expressly equated with the “classic” access providers. According to the recitals of the draft bill, this is intended to rule out in future, in particular, the fault-independent liability of WIFI operators under the principles of co-liability.
Whereas the fundamental endeavour to abolish the co-liability of WIFI operators has definitely met with a positive response, the implementation proposal made by the Federal Government faces increasing criticism. This is because case law is partially of the opinion that the privileged liability position documented in Sec. 8 TMG does not in every case preclude a claim against the operator as a co-liable party. In order to secure the abolition of the co-liability, it would therefore have made sense to also have the wording of the act itself stipulate the envisaged scope of the privileged liability provision. A mere explanation of the legislator’s own understanding of the draft in the recitals certainly falls short of the legislator’s self-stated purpose of creating legal certainty for WIFI operators. Whether the Federal Government will take this justified criticism as a reason to review its draft bill again remains to be seen.
Dr. Dirk Reintzsch
On 13 April 2016 the Art. 29 Data Protection Group published an opinion on the draft of a decision of the EU Commission on the reasonableness of the new “EU-US Data Privacy Shield” (Privacy Shield), the successor agreement to Safe Harbour. Prior thereto, in February 2016, the EU Commission had presented details on the Privacy Shield, including the guarantees previously given by the US Government regarding the handling of the personal data of EU citizens (we had reported on this in our last Newsletter).
The Art. 29 Data Privacy Group establishes in its opinion that the Privacy Shield as a whole contains substantial improvements vis-à-vis the Safe Harbour Agreement. However, at the same time the Art. 29 Data Privacy Group expresses concerns as to whether the Privacy Shield will be in a position to secure a level of data privacy in the USA which is equivalent to that in the EU.
For example, it lacks an express confirmation of the principle of data economy and of the obligation not to store data longer than the respective purpose requires. Moreover, the principle of the specific purpose of the data processing is described inconsistently within the Privacy Shield and, according to the Art. 29 Data Privacy Group, therefore requires clarification. The Art. 29 Data Protection Group also criticises the absence of a provision concerning the onward transfer of data by a US enterprise to a third party outside of the USA. In such cases, the respective US enterprise must be obligated to ensure an adequate level of data protection at the data recipient in the other country and to inform the responsible body in the EU if it identifies a corresponding risk to the level of data protection. The responsible body in the EU must be entitled to prevent such a transfer and, if need be, to terminate the contract with the US enterprise. Should the US enterprise itself act as responsible body, then the Art. 29 Data Protection Group feels that it should be prohibited from any onward transfer, as otherwise the obligation to ensure an adequate level of data protection would be circumvented. In this connection, the Art. 29 Data Protection Group reminds us that it considers a transfer to a responsible body in the USA - where the transmitting body in the EU knows from the outset that an onward transfer to another country is going to take place – to constitute from the outset a transfer to that other country, which is therefore no longer covered by Safe Harbour (or now the Privacy Shield). Furthermore, the currently planned legal remedies for data subjects are too complex to be exercised by the data subjects personally. Instead, the Art. 29 Data Privacy Group suggests that EU data protection supervisory authorities should be able to pursue these legal remedies on behalf of the data subject. Finally, the Art. 29 Data Protection Group expresses concerns about the massive processing of personal data by US authorities on grounds of national security, which still cannot be ruled out entirely.
The Art. 29 Data Protection Group calls upon the EU Commission to improve the Privacy Shield accordingly and to develop solutions for its concerns. Since the opinions of the Art. 29 Data Privacy Group have no binding effect upon the EU Commission, however, the EU Commission can also adopt the decision on the reasonableness of the Privacy Shield without making any further improvements.
The Art. 29 Data Privacy Group points out that, until a final decision has been reached on the Privacy Shield, data transmissions will continue to remain possible by applying the EU standard contractual clauses as well as binding corporate rules.
The Düsseldorfer Kreis, an association formed by the supervisory authorities for data protection in the non-public sector, has published a guideline on the privacy law aspects of declarations of consent contained in forms. It contains concrete advice on the data-privacy-compliant wording and layout of written declarations of consent both on paper and in electronic form (e.g. also in the case of telemedia offers such as websites). A particularly practical feature is that it has been developed using negative and positive examples, and thus makes it clear which conditions, in the opinion of the data protection authorities, have to be fulfilled and precisely which wording and text structuring are not sufficient.
The guideline individually addresses the sensitive points such as the heading, the unambiguity of the consent (e.g. “I consent” instead of “I am aware”), the highlighting (e.g. through bold print or framing), and the placement, and thus also the distinction from a mere notice of data processing conducted on the basis of statutory approval criteria. At the same time it comments on the content of the declaration of consent and the mandatory possibility of revoking the consent that follows from it, the consequence of refusing consent and, to the extent a data transfer to third parties takes place, the specific purpose associated therewith and the transparent description of the data recipient.
Even though case law has already shaped, and continues to shape, the contours in this area, so that ongoing alertness is necessary, the guideline nevertheless represents a helpful guide for the increasingly important area of declarations of consent. It should, however, always be applied in conjunction with the established case law.
Dr. Helge Pühl