ITC NEWSLETTER February 2017

Cologne, 24.02.2017


Dear Colleagues,

Oppenhoff & Partner’s IT and Data Protection Law Team wish you a good and successful 2017. In all probability, 2017 is going to be a busy year for both you and our team. The legislator and the courts have “bestowed” many a new development upon us. We would like to take this opportunity to give you a review and forecast of a selection of these developments.

1.  Data Protection 

1.1 GDPR – Orientation Guidelines 1.1 GDPR - Orientation Guidelines

The European Article 29 Working Party and the Bavarian Data Protection Authority have published a series of guidelines for interpreting the GDPR applicable as of 25 May 2018. We have set up a GDPR news ticker  on our website, where you can find our previous articles on this topic and by which we will keep you posted on all future developments. 

1.2 GDPR – Draft of the German Implementation Act 

At the end of February the governmental draft of the German Act implementing the GDPR was published.

1.3 Draft of a new ePrivacy Regulation presented 

The EU Commission has presented a draft of a new ePrivacy Regulation, which is to replace Directive 2002/58/EC as well as the respective national implementing acts.

1.4 News on the EU-US Privacy Shield 

Since July 2016 US enterprises have been applying for the new EU-US Privacy Shield. The European Article 29 Data Protection Working Party has published FAQs in this connection and the German data protection authorities are examining third-country data transfers of German enterprises.

1.5 The EU Commission on the EU standard contractual clauses and secure third countries 

On 17 December 2016 the European Commission amended the decisions on standard contractual clauses as well as the corresponding adequacy decisions in order to adapt the powers of the supervisory authorities in case of data transfers made on this basis.

1.6 ECJ decision on IP addresses 

The ECJ ruled in October 2016 that a dynamic IP address fundamentally represents personal data and that Sec. 15 Subsec. 1 German Telemedia Act [Telemediengesetz, TMG] is in contravention of EU law.

1.7 New contract on commissioned data processing at Google Analytics 

An updated contract on commissioned data processing is available for the web analysis service Google Analytics.

1.8 Higher Regional Court of Frankfurt on the consent to e-mail, postal and telephone advertising 

The Higher Regional Court [Oberlandesgericht, OLG] of Frankfurt am Main has ruled that the consent to telephone and e-mail advertising is invalid if it refers to a multitude of advertising enterprises and the areas of business in which these enterprises operate are only worded vaguely.

1.9 Regional Court of Frankfurt on information obligations in case of smart TVs 

The Regional Court [Landgericht, LG] of Frankfurt am Main has ruled that sellers of smart TVs also have information obligations and how this information can be given via the smart TV.

1.10 Amendment of Sec. 203 German Criminal Code planned 

The German Federal Government has presented a draft amending Sec. 203 of the German Criminal Code [Strafgesetzbuch, StGB], in order to make it easier for parties bound by a professional secrecy obligation to make use of external services.

2. Copyright Law 

2.1 ECJ on the sale of used software by way of a back-up copy   

According to the ECJ, the exhaustion principle of copyright law can only be attached to an original copy and not to a back-up copy. 

2.2 ECJ on breaches of copyright by setting hyperlinks  

According to the ECJ, setting a link to a protected work can represent a communication to the public in breach of copyright law, dependent on the intention to generate profit. 

3. Internet Law

3.1 ECJ on liability as a co-liable party for WIFI hotspots 

In a current decision, the ECJ has made important statements on liability as a co-liable party [Störerhaftung] for commercial operators of WIFI hotspots.

3.2 Higher Regional Court of Cologne on Internet ad-blockers 

According to a judgement of the Higher Regional Court [Oberlandesgericht, OLG] of Cologne, Internet ad-blockers may no longer use a whitelist function. This especially jeopardises the business model used by Adblock Plus.


1. Data Protection


1.1 GDPR - Orientation Guidelines

The new EU General Data Protection Regulation (GDPR) will apply directly in all EU/EEA Member States as of 25 May 2018. By this effective date at the latest, enterprises, associations and other bodies will have to implement the new statutory data protection standards if they are to avoid fines, damage claims or other disadvantages. In view of what in some cases are quite significant amendments to the GDPR, the less than 16-month period remaining for its implementation (involving, inter alia, enterprise-specific (project) planning, inventory, actual/target situation analysis and the implementation of new or the adjustment of existing data protection structures and processes) is extremely tight. Many legal questions connected with the new provisions have not been (conclusively) clarified to date and, in particular, how the data protection authorities are likely to interpret these issues remains open in many cases.

The Article 29 Data Protection Working Party has drafted a number of guidelines (on the topics of data portability, data protection officers, and the lead supervisory authorities for groups of companies (One-Stop-Shop)). It is to be expected that new working papers will be published.

Against this background, also the Bavarian Data Protection Authority [Bayerisches Landesamt für Datenschutzaufsicht, BayLDA] is currently publishing on its website a series of short papers on individual provisions and topics of the GDPR. The aim is to present the current opinions – albeit not legally binding opinions – of the BayLDA on the GDPR.

To date, short papers have been published on topics such as the (technical and organisational) security of the data processing (Art. 32 GDPR), consent (Art. 7 et seq. GDPR), commissioned (data) processing (Art. 28 GDPR) and cross-border data transfers into third countries (Art. 44 et seq. GDPR) as well as on revisions of the GDPR such as certification (Art. 42 GDPR) and the right to erasure, respectively “right to be forgotten” (Art. 17 GDPR). Further short papers are to be published once or twice a month and will each handle further focuses of the GDPR.

Moreover, we have set up a GDPR news ticker  on our website, where you can find our previous articles on this topic and by which we will keep you posted on all future developments. 

Lisa Büttgen 



1.2 GDPR – Draft of the German Implementation Act

At the end of February the governmental draft bill of a new Federal Data Protection Act (“BDSG-neu”) by the German federal cabinet was published in fulfilment of the need for legislative amendments arising from the requirements of the EU General Data Protection Regulation (GDPR), which will apply with binding effect to all enterprises as of 25 May 2018. The governmental draft bill was preceded by a ministerial draft bill by the Federal Ministry of the Interior [Bundesministerium des Inneren, BMI] in November 2016, which already in August had been leaked in a provisional working version of the BMI and been withdrawn shortly thereafter.

Irrespective of the full harmonisation fundamentally striven, for various regulatory areas the GDPR envisages opening clauses which will enable the Member States to concretise, supplement or amend the provisions of the GDPR through national provisions. Opening clauses exist, for example, for practice-relevant employee data protection (cf. Art. 88 GDPR), for the question of the binding appointment of a company data protection officer (Art. 37 Sec. 4 GDPR), for the information to be provided by enterprises to data subjects or for the amount of fines to be imposed upon natural persons (Art. 84 GDPR).

The revisions of relevance to enterprises include, inter alia, the following aspects:

  • Employee data protection: Sec. 26 BDSG-neu, which regulates the handling of the personal data of employees, essentially corresponds to the previously applicable provision on employee data protection (Sec. 32 BDSG). It also clarifies that data protection provisions in the context of employment can still be agreed by shop agreements. Whether the provision as a whole will bear up to the requirements of the GDPR, however, remains to be seen.
  • Data subjects’ rights to information: the GDPR envisages extended rights of data subjects with regard to notifications and information by enterprises vis-à-vis the previous legal situation. In its Secs. 32 et seq., in contrast, the BDSG-neu restricts these rights in that it releases enterprises from their notification obligation vis-à-vis the data subjects if, for example, the provision of the information requires “disproportionate effort” or would seriously jeopardise the generally recognised business purposes of the controller. Here as well, it is questionable whether the new provision will have legal validity under the GDPR or whether it will be declared invalid by the courts.
  • Company data protection officer: finally, Sec. 38 BDSG-neu stipulates that enterprises are obliged, as before, to appoint a company data protection officer [betrieblicher Datenschutzbeauftragter, bDSB] if they have ten or more employees processing personal data by automatic means on a constant basis. The same applies inter alia for enterprises which conduct data processing requiring a data protection impact assessment (Art. 35 GDPR).

On the whole, the governmental draft bill which, from the industry’s perspective, at first glance seems predominantly positive for enterprises, will not be without its problems. This is because enterprises will have to decide during the implementation period, which is short to begin with, whether they will take as the basis for their internal corporate planning and implementation of the new European data protection law until May 2018 the lower – yet in the light of its possible invalidity under the GDPR – less legally secure, standards of the BDSG-neu as opposed to the higher – yet more legally secure – standards of the GDPR. This causes more than insignificant legal uncertainty. However, it remains to be seen whether the governmental draft bill will be adopted without amendment in its current version and will therewith become law.

Dr. Marc Hilber 



1.3 Draft of a new ePrivacy Regulation presented

The European Commission has presented its proposal for a reform of the ePrivacy Directive 2002/58/EC. For private businesses, this directive represented the second pillar of European data protection law, basically dealing with services offered via the Internet. In Germany, the respective regulations were implemented by Secs. 11 et seq. Telemedia Act, and in part also in Sec. 7 Unfair Competition Act (UWG) (consent requirement for direct marketing). Lately, the amended provision on cookies included in the directive has been of wide practical impact (which is why it is frequently also referred to as the “Cookie Directive”).

The changeover of general data protection law from a directive-based structure to the regulation-based structure of the GDPR required, on the one hand, a revision of the contents of the ePrivacy Directive for the purpose of adaptation and modernisation. On the other hand, maintaining the form of a directive would have meant that some areas of European data protection law are directly governed by regulations but others only by national acts of implementation.

Therefore, the European Commission proposes to introduce a Europe-wide regulation also for the field of ePrivacy. However, its recently published proposal is only a first step in the legislative process, which will certainly involve numerous discussions on contents and respective amendments. We do not expect that the regulation on ePrivacy will enter into force concurrently with the GDPR, which means that, at least for an interim period, the above described legal framework will remain applicable.

Dr. Jürgen Hartung 



1.4 News about the EU-US Privacy Shield

In July, the EU Commission endorsed the new data protection treaty EU-US Privacy Shield (“Privacy Shield”) for the transfer of personal data between the EU and the USA and issued a corresponding adequacy decision (“Commission Decision”). With the Commission Decision, the EU Commission acknowledges the data protection level of enterprises situated in the USA as adequate pursuant to EU data protection standards if they are certified under the new Privacy Shield. Through this, enterprises in the EU – following a transitional phase of many months – now have a successor mechanism for the Safe Harbour Agreement which was declared invalid by the European Court of Justice (ECJ) in October 2015.

Like the Safe Harbour Agreement, the core of the Privacy Shield is a procedure for (self) certification, in which the participating US enterprises assure their observance of certain – newly structured – data protection principles (Privacy Principles, cf. Attachment II Commission Decision). Additionally, guarantees are also now given by the US authorities to the effect that the data transmitted under the Privacy Shield shall be subject to (just) limited access by the state offices for criminal prosecution and national security purposes. Further substantial revisions vis-à-vis the Safe Harbour Agreement are, besides increased supervision, in particular annual examinations of the adequacy of the Privacy Shield itself (Art. 4 Sec. 4 Commission Decision) as well as its observance by the participating enterprises (Recitals 24, 38 Commission Decision) and the extended possibilities of legal protection for data subjects. Should EU citizens wish to assert a breach of data privacy, then besides the possibility of taking legal action before the courts, they now also have access to an ombudsman. Moreover, they can turn to internal company complaint offices to be set up by the participating enterprises.

Since 1 August countless enterprises have already successfully completed the certification process (inter alia Google Inc., Microsoft, Salesforce and many more), cf. the certification list. Here, a distinction must be made by list entry as to whether the type of certification ("HR", "Non HR") of the enterprise importing the data also covers those categories of data (employee/HR data or only other/non-HR data) intended to be transmitted. The EU Commission has published several guidelines and FAQs on the topic.

The Privacy Shield that has now entered into force continues to be criticised by various sides – for example in the (legally non-binding) statements of the Article 29 Data Protection Working Party, of the European Parliament, of the European Data Protection Supervisor and the civil society associations. First law suits of Irish and French civil rights organisations are also now pending, with a view to having the new Privacy Shield declared invalid by the ECJ, as was the Safe Harbour – the outcome of which is hard to foresee. Until a decision to the contrary by the ECJ, the EU Commission or until a legally possible suspension of data transfers in individual cases by the competent national data protection authorities, however, enterprises will be able to base their US data transfers on the Privacy Shield.

Accordingly, in Germany the Bavarian Data Protection Authority [Bayerisches Landesamt für Datenschutzaufsicht, BayLDA] as well as the State Data Protection and Freedom-of-Information Officer for North-Rhine Westphalia [Landesbeauftragte für Datenschutz und Informationssicherheit NRW, LDI NRW] have stated that, irrespective of the criticism expressed, the Privacy Shield definitely can fundamentally be taken as the basis for transmitting personal data from Europe to certified enterprises in the USA. Questions, answers and instructions on implementing the Privacy Shield in corporate practice are given by the Guidelines Data Transfers to the USA – Questions and Answers on the EU-US Privacy Shield [Datenübermittlungen in die USA – Fragen und Antworten zum EU-US Privacy Shield] of the LDI NRW. German enterprises are advised to implement the instructions given there, above all against the background that since November 2016 and at present ten German data protection authorities have been examining in a coordinated action the cross-border data transfers of 500 German enterprises as to their conformity with data protection provisions. For this, the relevant enterprises are sent questionnaires in which detailed information is obtained on executed personal data transfers to states outside of the EU/EEA territory. A sample of the questionnaire can be found here on the website of the Bavarian Data Protection Authority.

Dr. Helge Pühl 



1.5 The EU Commission on EU standard contractual clauses and secure third countries

On 17 December 2016, the European Commission amended the so-called EU standard contractual clauses for the transfer of personal data to data processors and data controllers located in third countries as well as for the decision on safe third countries. The clauses as such remain unchanged, the decisions of the EU Commission only concern the monitoring rights of national supervisory authorities. Essentially, it is stated that a valid decision by the Commission represents a binding basis for data transfers and may not be suspended with respect to national supervisory authorities by opposing legal provisions. Nonetheless, national supervisory authorities are entitled to monitor and control data transfers, e.g. pursuant to the EU standard contractual clauses, and to notify infringements resulting, for instance, from the data importer’s non-compliance with its obligations pursuant to the respective clauses. If national supervisory authorities deem that the standard contractual clauses are not in compliance with European law, they have to try and contest this in front of a court.

In this respect, the Irish data protection authority has recently announced that it will seek a review of the standard contractual clauses by the ECJ, acting upon a respective request (again, by Mr. Schrems vs. Facebook).

Dr. Jürgen Hartung 



1.6 ECJ decision on IP addresses

The basis underlying the decision is the legal action taken by the judge and Schleswig-Holstein Pirate Party MP Patrick Breyer against the Federal Republic of Germany opposing the storage of his IP address by Federal offices’ websites visited by him. Within the scope of a request for a preliminary ruling, the Federal Court of Justice [Bundesgerichtshof, BGH] submitted two questions to the European Court of Justice (ECJ), which have now been decided by the ECJ (judgement dated 19 October 2016, case C-582/14).

Do dynamic IP addresses represent personal data, even though only a third party (the access provider) can establish the personal connection between the IP address and the visitor of the website but not the website operator itself?

Only the access provider can allocate the respective (dynamic) IP address to a user of the website, because only it has the data required for its identification, such as the name and address. The website operator, in contrast, lacks the required additional information in order to be able to determine which user is behind a dynamic IP address. The ECJ nevertheless fundamentally affirms the personal connection of dynamic IP addresses. Relevant is whether legal means exist which would enable the website operator (also with the access provider’s aid) to establish the personal connection and if these means can reasonably be used to identify the user. Here, reasonable is understood as being everything which is not legally prohibited or which requires a disproportionately high degree of time, costs or work. The ECJ instructed the BGH to clarify the question of whether or not such legal means exist in Germany.

In practical terms this means that, wherever a claim of the website operator against the access provider exists to information (even if this claim exists via third parties, as in Secs. 161, 161a German Code of Criminal Procedure [Strafprozessordnung, StPO] in conjunction with Sec. 113 German Telecommunications Act [Telekommunikationsgesetz, TKG] via the public prosecutor), dynamic IP addresses qualify as personal data. In this case the requirements of data protection law have to be observed in the processing and use of the IP addresses, meaning that the processing and use must be based on the statutory permission criterion or the data subject’s consent. However, it remains open whether dynamic IP addresses can be considered personal from the outset due to the fundamentally existing (for example in cyber attacks) legal possibilities of a disclosure, or whether this first applies after a concrete attack, respectively in case of a concrete information claim. The BGH’s decision is therefore eagerly awaited. Interestingly, the German version contained certain ambiguities, which have meanwhile been rectified by the ECJ (it was clarified that with respect to the personal identification of IP addresses it suffices that the provider may, in particular in case of cyber attacks, contact the competent investigating authority, to the extent such authority can then obtain the required information from the access provider).

The second question presented was whether a national provision such as Sec. 15 Subsec. 1 TMG, which only allows the providers of online media services the use of personal data for the purpose of permitting the use and invoicing of the service, opposes the requirements of European law.

This is affirmed by the ECJ for the prevailing interpretation of Sec. 15 Subsec. 1 German Telemedia Act [Telemediengesetz, TMG]. According to the ECJ, Art. 7 letter f of the Directive 95/46/EC (“Data Protection Directive”) (which permits the data processing in case of a legitimate and prevailing interest of the party responsible for the processing) prohibits a categorical exclusion of the processing of personal data which leaves no room for a consideration of the opposing rights and interests in the individual case. Such a consideration of opposing interests (here: the website operator’s interest in a lengthier storage for safety purposes and the website user’s interest in the quickest possible erasure) must be open to all statutory permission criteria. The provision of Sec. 15 Subsec. 1 TMG, which generally does not permit data processing once the access to a website has ended according to the predominantly upheld narrow interpretation, is therefore irreconcilable with the Data Protection Directive and will have to be interpreted in conformity with European Union law in future.

The ECJ’s opinion also raises doubt as to the legality of provisions such as Sec. 28 Subsec. 3 German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG], Sec. 28b BDSG, Sec. 32 Subsec. 1 sentence 1 BDSG or Sec. 100 Subsec. 1, 2 TKG, none of which provide for consideration on a case-by-case basis. Sec. 28a BDSG is also affected, however: although a consideration of opposing interests is envisaged there, this is only one of three requirements which cumulatively have to be met. If any of the two other requirements have not been fulfilled, then no consideration of interests takes place. The regulation of Art. 7 letter f Data Protection Directive is thus also restricted.

The ECJ’s decision will also have to be taken into consideration in future legislative endeavours. Binding stipulations on the permissibility of a data processing which do not allow for a consideration of opposing interests are prohibited. This also continues to apply under the GDPR: national permission criteria ensuing from its opening clauses must take account of the judgement, as Art. 6 Subsec. 1 sentence 1 letter f GDPR, which regulates the legality of the data processing, is identically worded to Art. 7 letter f of the Data Protection Directive.

Lisa Büttgen 



1.7 New contract for commissioned data processing at Google Analytics

For the use of the web analysis service Google Analytics an updated contract for commissioned data processing has been available since the end of September. Website or app operators located in Germany who wish to (continue) using Google Analytics in a legally conform manner within the scope of their offers are obliged to conclude the contract with Google Inc. (“Google”) in its updated version.

The need for adjustment is – according to the notification of the Hamburg Data Protection and Information Security Officer – a further consequence of the Safe Harbour judgement of the European Court of Justice (ECJ) dated October 2015, with which the adequacy decision of the EU Commission on the identically named agreement for data transfers in the USA was declared invalid. For many years now coordinated requirements, expressly accepted by the German data protection authorities, have existed in Germany for the data-privacy conform integration of the web analysis service Google Analytics (cf. on the individual requirements the decision of the association of German state data supervisory authorities Düsseldorfer Kreis  dated 2009), which also and especially includes a contract to be concluded with Google on commissioned data processing pursuant to Sec. 11 of the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG]. However, since Google’s model contract for this to date explicitly referred in clause 4.7 to the “Safe Harbour Agreement”, its adjustment to the Privacy Shield since adopted as the successor agreement (cf. our article above in this newsletter) was necessary. Google and its US subsidiaries have also already been certified pursuant to the new Privacy Shield since the end of September (cf. entry in the list of certified enterprises).

The new version of the model contract for commissioned data processing is provided here online by Google. The contract must be concluded – as previously – by sending a signed copy of the contract by post to Google Ireland Ltd. in Dublin. If the use by website or app operators is to be unobjectionable, they must also not fail to also make corresponding adjustments regarding the Privacy Shield in their telemedia-related privacy policies.

Dr. Helge Pühl 



1.8 Higher Regional Court of Frankfurt on the consent to e-mail, postal and telephone advertising

The defendant was the organiser of a prize draw on the Internet. In order to participate, the user had to tick a pre-drafted clause (opt-in) with which she declared her consent to receiving e-mail, postal and/or telephone advertising from sponsors contained in a list for the products or services stated therein. The words “list”, “sponsors”, “products” and “services” were linked to a list of 50 enterprises. On this list, an Internet address and an area of business were stated for each enterprise.

According to the judgement of the Higher Regional Court [Oberlandesgericht, OLG] of Frankfurt am Main dated 28 July 2016, consent given in this manner does not conform to the requirements of the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG]. A consent corresponding to the stipulations of the BDSG must be given without coercion, for the specific case, and in knowledge of the factual situation. The requirement of knowledge of the factual situation was not fulfilled in case of the stated clause, however. Whether the information about the factual situation is already (not) realistically possible because of the very large number of listed enterprises or whether it is disproportionate time-wise to the desired participation in the prize draw and the low prospects of winning, was expressly left open by the Higher Regional Court of Frankfurt am Main. See in this respect the article in our last newsletter. The consent was already deemed invalid because the areas of business of several of the advertising enterprises were worded so vaguely that it was not clear which products or services were being offered by these enterprises. In such case it is not evident to the consumer for which products his consent to e-mail, postal and/or telephone advertising is being given. Concretely, the areas of business were described as being, for example “media and newspapers”, “capital forming benefits” “retirement pension”, “finances and insurances” or “mail-order trading”.

In case of consents to the transfer of personal data for advertising purposes, enterprises are therefore advised to keep the number of advertising partners as low as possible. Moreover, their lines of business should be described as precisely as possible in the declaration of consent or in a related link made there. Otherwise, they could be faced with forbearance claims from consumer associations or fines of up to 300,000 euros per violation.

Dr. Helge Pühl 



1.9 Regional Court of Frankfurt on notification obligations in case of smart TVs

By judgement dated 10 June 2016 the Regional Court [Landgericht, LG] of Frankfurt am Main ruled that a distribution company of smart TVs – even though the distributor itself does not collect any personal data on the users – can be obliged to inform them about the possible transfer of their personal data to the manufacturer. It did not oblige the defendant to obtain data privacy declarations of consent, however. Also declared impermissible by the court pursuant to the provisions governing general business terms and conditions are those data protection provisions which, on grounds of their scope and layout, are not adequately understandable to users.

The Consumer Advice Centre of North-Rhine Westphalia [Verbraucherzentrale Nordrhein-Westfalen] had sued the German distribution company of the Korean electronics manufacturer Samsung on grounds of the collection of user data through Internet-enabled televisions (smart TVs). With smart TVs users can, amongst other things, call up interactive content from the television stations in addition to the normal programme (so-called hybrid broadcast broadband services, “HbbTV services”), other information, as well as updates for the manufacturer’s software run on the device (firmware updates), whereby it is necessary for the IP address to be transmitted to the HbbTV service. In case of Samsung smart TVs, the corresponding functions were activated by default and automatically created a link to a server of the Korean parent company as soon as the TVs were connected to the Internet. The Consumer Advice Centre took legal action against the German Samsung distribution company and complained that the smart TV devices were transmitting to the manufacturer personal data, namely IP addresses, without the consent and notification of the customers.  In this litigation, the Consumer Advice Centre has now been partially successful.

A notification obligation of the German distribution company pursuant to Sec. 13 Subsec. 1 German Telemedia Act [Telemediengesetz, TMG] was rejected by the court. Although the data protection provisions of the TMG are applicable, the relevant question for this (which has fundamentally been positively answered by the ECJ in the meantime) of whether dynamic IP addresses even constitute personal data, could be left unanswered by the court in this connection. This is because the transfer of static IP addresses is definitely also to be expected in addition to the transfer of dynamic IP addresses, and the former are recognised as personal data. However, as far as the HbbTV services are concerned, neither the distribution company nor the manufacturer can be seen as the responsible service provider, respectively body, since neither actually collect any personal user data themselves insofar. With respect to the firmware updates offered, however, the distribution company does also bear a notification obligation pursuant to Sec. 13 Subsec. 1 TMG.

Irrespective of this, the court did deem the distribution enterprise obliged to point out to the users of the smart TVs that there is a risk that personal data will be collected and used when they connect the device to the Internet. Such notification obligation also arises under aspects of competition law pursuant to Sec. 5a Subsec. 2 German Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG] in conjunction with Sec. 13 TMG for parties who do not actually collect any personal data of users themselves, but merely distribute the devices used for this. In all other events users would be unable to reach an informed business decision of which device is the best developed in terms of data privacy law. Without the corresponding information, an anti-competitive deception by omission pursuant to Sec. 5a Subsec. 2 UWG can be assumed.

Furthermore, the Regional Court of Frankfurt am Main also prohibited general business terms and conditions used by the distribution company because they had a volume of over 56, respectively 399, screen pages and were shown in continuous text without the use of paragraphs, headings, or hyperlinks and could not be printed out. This design did not meet the statutory requirements as to transparency and clarity, and hence the general business terms and conditions could not be acknowledged as being reasonable for users and thus failed to become an integral part of the contract. Also in complex issues, it is the task of the party using general business terms and conditions to formulate them in such a way that they are clear and understandable for the user and, where necessary, to make use of suitable technical layout aids.

Lisa Büttgen 



1.10 Amendment of Sec. 203 German Criminal Code planned

The German Federal Government has presented a draft bill for the amendment of the legal provisions on professional secrecy obligations in order to facilitate the engagement of external service providers. German legislature imposes extreme restrictions on groups of professionals bound to secrecy, in particular physicians, lawyers, auditors and tax consultants, as well as private insurances, with respect to the outsourcing of services and the engagement of external service providers (e.g. in connection with software maintenance), which in today’s business life is not only common practice but often even inevitable. Pursuant to Sec. 203 German Criminal Code [Strafgesetzbuch, StGB], the unauthorised disclosure of professional secrets is a criminal act, with very few permissible exceptions. Legal certainty could often only be achieved by obtaining a declaration on the release from the secrecy obligation by the protected individual. For a long time, the legal situation has been at odds with the business reality also of the above mentioned group of professionals. German legislature now addresses this situation and proposes to permit the engagement of external service providers, to the extent they are carefully selected, bound to secrecy, and subsequently monitored by the respective professionals. If the statutory requirements are fulfilled, the participating persons themselves become liable to legal prosecution pursuant to Sec. 203 StGB. Thus, the circle of persons authorised to obtain protected information is extended while at the same time the protection provided by the criminal provisions extends to them. Amendments are also envisaged with respect to secrecy obligations under professional regulations.

The governmental draft bill was preceded by a ministerial draft bill by the Federal Ministry of Justice, which already contained numerous issues apt to lead to difficulties in the practical implementation: the requirements and criteria for the “careful selection” by the service provider as included in the ministerial draft remained unclear; the restrictions for the service provider on the transfer of authorisations and access rights for reasons of “necessity” in the performance of its tasks mean that other information remains protected against disclosure; it is unclear whether the service provider as the contractual party shall be legally bound by secrecy obligations etc. or the individual acting on its behalf (only the latter can be held criminally liable under the statutory provisions of German criminal law). The requirements of careful selection and also the service provider’s obligation of subsequent monitoring provided for in the ministerial draft were not included in the governmental draft. Other issued considered critical already in the ministerial draft remain so in the governmental draft How these issues are addressed and implemented will in particular have a major impact on the question whether the proposed facilitations can also be applied to current common forms of service provision like e.g. Cloud Computing.

Dr. Jürgen Hartung



2. Copyright Law


2.1 ECJ on the sale of used software by means of a back-up copy 

On the basis of criminal proceedings suspended in Latvia, the European Court of Justice (ECJ) has commented again by way of a request for a preliminary ruling with judgement dated 12 October 2016 (case C-166/15) on the question of the permissibility of reselling already “used” copies of computer programmes. The applicable principle in this connection is that the copyright holder’s right of distribution is exhausted once it has sold in the EU a copy of the computer programme with a licence for its perpetual use (“principle of exhaustion”). The court initially confirmed in its decision that, pursuant to this rule, the acquirer of a copy stored on a physical data-carrier may resell the used copy and his licence to a second acquirer, irrespective of contractual provisions prohibiting a resale. However, the case up for decision concerned the further-reaching question of whether, pursuant to the exhaustion principle, the resale of a back-up copy is also permissible if the original data-carrier of the originally produced copy has been damaged, destroyed or lost.

The ECJ established that the right to make a back-up copy, as an exception to the exclusive reproduction right of the holder of the right, is attached to two narrowly interpretable conditions. Firstly, the back-up copy must have been made by a person who is entitled to use the computer programme. Secondly, the back-up copy must be necessary to use this programme. From this the ECJ concludes that a back-up copy may not be used for purposes of reselling the used programme. Ultimately this means that the resale of a back-up of the computer programme is only permissible with the copyright holder’s consent.

Dr. Helge Pühl



2.2 ECJ on the breach of copyright by setting a hyperlink

By judgement dated 8 September 2016 the European Court of Justice (ECJ) ruled that a link to another website on which the contents have been entered in breach of copyright must be assessed as a communication to the public, and therewith as a breach of copyright, if the hyperlink has been set with a view to making profit. In this case, namely, the knowledge of the illegality of the publication on the linked website can be assumed.

The case up for decision concerned a commercially operated website which referred by hyperlink to photos which had been published on a different website without the consent of the copyright holder. Particularly questionable was whether or not the link could constitute a communication to the public of the photos in breach of copyright law despite the fact that the photos were already accessible on the other website.

The ECJ initially stated that whether or not a communication to the public exists must be assessed in the individual case. Within the scope of this assessment, according to the ECJ the deliberateness of the action is the primary central criterion. The ECJ thereby acknowledged the problem that it is not readily obvious to the party setting the link to another website whether the works published on that website have been lawfully published or whether the linked content was put online in breach of copyright. Hence, it should not be a breach of copyright if the user “did not know or could not have reasonably known of the illegality of the publication of the work on the other website”. If, on the other hand, it is proven that the user knew or should have known that the hyperlink set by it procured access to a work published without authorisation – for example because it was notified of this by the holder of the right – then the placement of the link represents a communication to the public. Insofar as the links were set with a view to making profits, a special care must be taken when examining the legality of the linked contents. It can be expected of the party setting a link with a view to making profits that it will conduct the necessary examinations to assure itself that the linked content in question has not been published without authorisation. Accordingly, there is a refutable presumption to the detriment of commercial providers, such as media portals or advertising-financed blogs, for example, that the links were placed in full knowledge of the protected nature of the work and of any lacking permission of the copyright holder to its publication on the Internet.

With this decision, the ECJ has deviated from the recommendation of the Advocate General. He had negated a public reproduction of the photos through the link since the photos had already been made accessible to the public through the linked website. The judgement has also been challenged in the discussion amongst legal scholars. Since links contribute towards the exchange of opinions and information on the Internet, many consider the constitutionally guaranteed freedom of opinion and information to be substantially restricted by the ECJ’s decision.

Lisa Büttgen



3. Internet Law


3.1 ECJ on liability as a co-liable party for WIFI hotspots  

By judgement dated 15 September 2016 the ECJ ruled on liability risks in case of WIFI nets. The core of the problem was the highly topical issue, not least through the latest amendments of the German Telemedia Act [Telemediengesetz, TMG], of liability as a co-liable party for WIFI hotspots. Here, the court excluded damage claims against commercial operators of such open nets, whilst simultaneously approving forbearance claims in a larger scope.

In detail, the ECJ initially established that the provider privilege of the E-Commerce Directive also covers commercial operators of WIFI hotspots. Infringements of rights which are committed by third parties through the use of the Internet access provided therefore cannot trigger any damage obligation on the part of the operators if they neither instigated these actions nor controlled their content or addressees. This means that copyright infringements in public WIFI networks, in particular, still only lead to damage claims against the actual acting party.

Nevertheless, the judgement did not only meet with consent by advocates of public networks. This primarily is due to the fact that the ECJ still deems forbearance claims against the operators to be possible. In particular, damaged holders of rights can demand from them that the networks be password-protected and that the users prove their identity, if this is the only possibility to prevent infringements of rights.

In practical terms this means that the offer and operation of open WIFI hotspots is still possible. If infringements of rights are established, their operators do not have to fear damage claims. On the other hand, they can be confronted with forbearance claims usually in conjunction with the agreement of a contractual penalty, which do then oblige them to set up access impediments, that is to say to “close” the networks. Also to be borne in mind in this connection is that the costs of a (successful) enforcement of forbearance claims, that is to say in particular the lawyers’ costs, will indeed have to be borne by the operators, which means that they could incur a financial damage.

Lisa Büttgen



3.2 Higher Regional Court of Cologne on Internet ad-blockers 

On 24 June 2016 the Higher Regional Court [Oberlandesgericht, OLG] of Cologne ruled in the legal action filed by Axel Springer AG against Eyeo GmbH (the distributor of Adblock Plus), that the use of the so-called whitelist function is anticompetitive. The previous instance had still ruled in the defendant’s favour.

Internet ad-blockers work with the aid of filter regulators which recognise and block adverts, so that the adverts contained on websites are no longer shown to the viewer. Here, so-called blacklists are used on which those advertising providers are listed whose web contents are to be hidden. In case of Adblock Plus enterprises can have themselves put onto a so-called whitelist against a turnover participation of 30 percent. Through this, these enterprises vanish from the blacklist and their adverts are consequently shown despite the ad-blocker.
The Higher Regional Court of Cologne considered the use of ad-blockers to be fundamentally permissible. The option to buy oneself off the blacklist per whitelist and to have the advert shown according to the aforesaid criteria was, in contrast, considered to be an aggressive business action within the meaning of Sec. 4a Subsec. 1 p. 1 German Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG] and thus impermissible. This is because the enterprises affected were caused, through the combination of blacklist and whitelist function, to make use of a service – namely the payment-based clearance of their adverts – which they would not otherwise have required without the blockade. 

Eyeo GmbH has filed an appeal on points of law with the Federal Court of Justice [Bundesgerichtshof, BGH] against the judgement, with the result that no direct legal consequences have arisen to date. However, the Higher Regional Court had prohibited Eyeo GmbH from maintaining or distributing new and old versions of Adblock Plus with the whitelist. Moreover, should the judgement retain its legal validity before the BGH, Eyeo GmbH will be obliged to compensate Axel Springer AG for all damages already incurred by it since six months prior to the legal pendency of the claim as well as for all damages yet to be incurred.

Providers of Internet ad-blockers which, like Adblock Plus, finance themselves through paid whitelisting should therefore consider new ways of generating income. One should note, however, that Internet ad-blockers are not generally impermissible. In all events, if they are distributed in future without the payment-based whitelist function, then they are not anticompetitive. We await the judgement of the BGH.

Dr. Helge Pühl


Dr. Marc Hilber, LL.M.


Telephone: +49 221 2091 612
Telefax: +49 221 2091 333

Dr. Jürgen Hartung


Telephone: +49 221 2091 643
Telefax: +49 221 2091 333

Indonesia, Malaysia, Singapore, Taiwan