IT and data protection law news
In our last Newsletter of the year we are reporting on current developments in data protection law (update on the Safe Harbour Agreement; official examinations of website contact forms as to whether they are adequately encrypted) and in copyright law (new Federal Court of Justice decision on the exhaustion of the right to distribute copies of software; judgement of the Regional Court [Landgericht, LG] of Halle (Saale) on forbearance claims on grounds of the licence-breaching use of open source software; claim against access providers to have websites blocked). We would like to wish you a pleasant and peaceful holiday season, a very Merry Christmas, and hope that you will remain an avid reader of our Newsletter in the coming year.
The EU Commissioner responsible for data protection, Vera Jourová, has announced a new solution for data transfers between the EU and the USA for January 2016. For the moment, the German authorities and consumer protection organisations are sitting tight.
The Bavarian Regional Data Protection Supervisory Authority [Bayerisches Landesamt für Datenschutzaufsicht, BayLDA] is currently extensively examining whether communication via contact forms on websites is adequately encrypted. Website operators face the choice of either ensuring state-of-the-art encryption or removing contact forms from their websites.
In its “Green IT” decision, the Federal Court of Justice has once again ruled on the exhaustion of distribution rights for copies of a computer programme. Pursuant to the decision, exhaustion also covers the right to further distribute the respective programme copy by disclosing the product code required to download the programme. However, the acquirer of the copy is only entitled to download the copy if the former acquirer has disabled his copy of the programme at the time of resale.
4. Regional Court of Halle: Forbearance claim also exists upon the remedy of a first-time breach of the licence conditions of the GNU General Public License Version 3 (GPLv3)
In injunction proceedings the Regional Court of Halle had to decide on a forbearance claim regarding a breach of conditions of the open source software licence agreement GPLv3. The key issue of the decision was whether or not the possible remedy of committed licence breaches pursuant to the GPLv3 removed the risk of repetition.
According to two current judgements of the Federal Court of Justice, access providers can fundamentally be obliged to block their customers’ access to websites with copyright-breaching content. The hurdles for blocking access are high, however.
The EU Commissioner responsible for data protection, Vera Jourová, explained in Washington on 16 November the current status of negotiations between the EU and the USA on a new solution for data transfers between the EU and the USA. The EU and the USA have been negotiating for some time now on a new solution for data transfers based on the “Safe Harbour” data-exchange agreement. Following the judgement of the European Court of Justice dated 6 October 2015, the pressure upon the EU Commission and the USA to quickly find a legitimate replacement for the Safe Harbour Agreement has increased. The EU Commissioner has announced a solution for as early as January 2016 since (1) the European Court of Justice has clearly stipulated the requirements; (2) it is possible to build on the results of the talks conducted since January 2014; (3) it is in Europe’s and the USA’s interests; and (4) a strong political commitment exists at the highest level on both sides of the Atlantic. The USA had also already undertaken to ensure greater supervision by the Department of Commerce as well as stronger cooperation between the Federal Trade Commission and the European data protection supervisory authorities. This will generally lead to greater supervision of the new data transmission system in contrast to the self-regulatory mechanism that prevailed with Safe Harbour. Moreover, an annual review mechanism is to be introduced which will involve the competent authorities of both sides.
In a publication of 5 November 2015 the Hamburg Officer for Data Protection and Freedom of Information has since clarified that legal enforcement measures will be taken in case of unlawful transfers made on the basis of the now invalid Safe Harbour Agreement as of February 2016. The European and German data protection authorities have not yet named any specific transition periods, but have given the impression that they will take action against breaches at any time. The European data protection authorities had merely stated with respect to further instruments (model contract clauses and binding corporate rules) that they intended to check these by the end of January 2016 (we reported on this).
Also with respect to the current revision of the law on forbearance actions, the legislator presently appears to be striving to protect enterprises against the risk of premature written warnings and lawsuits by consumer protection organisations. Consumer protection associations will soon be able to issue written warnings regarding any and all violations of data protection law and can therefore target enterprises which still base their data transfers on the Safe Harbour Agreement. In its “Recommendation for a decision and report” published on 2 December 2015, the Commission for Law and Consumer Protection [Ausschuss für Recht und Verbraucherschutz] therefore strove to grant enterprises a grace period until 1 October 2016 for data transfers based on the Safe Harbour Agreement. However, in light of the present wording of this exemption provision, this will only have very limited success: enterprises will only be protected “[...] to the extent the data transfer was executed by 6 October 2015 […]”. Hence, only old cases until the ECJ’s decision will be excluded from the scope of application. Conversely, this should currently mean that written warnings can still be issued for all other data transfers executed afterwards as soon as the new law on forbearance actions has entered into force (with it being understood that this risk is distinctly reduced if data transfers are no longer based on Safe Harbour). Hence, enterprises will soon have to reckon with the consumer protection associations taking action against data transfers to the USA based on the Safe Harbour Agreement in addition to the competent data protection authorities.
Philipp Ahrens, Dr. Jürgen Hartung
In September of last year the Bavarian State Office for Data Protection [Bayerische Landesamt für Datenschutz, BayLDA] reported publicly on the execution of an online investigation of the mail servers of Bavarian enterprises. The purpose was to check whether the servers were using adequate encryption options to protect the personal data being exchanged by e-mail via this channel. Pursuant to Sec. 9 of the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG], enterprises which collect, process or use personal data themselves or on behalf of others must take the technical and organisational measures required to ensure compliance with the provisions of the BDSG. According to the appendix to Sec. 9 BDSG, the secure transmission of personal data in particular has to be guaranteed. The law explicitly names state-of-the-art encryption processes as a suitable means to ensure this. According to the BayLDA, e-mails therefore need to be encrypted upon transmission by using the protocol “STARTTLS”. A further requirement is the use of a key exchange with “Perfect Forward Secrecy”, which serves to prevent the subsequent decryption of already encrypted and transmitted data if the key used is disclosed.
Almost a third of the enterprises which were investigated online failed to meet these requirements and were therefore ordered by the BayLDA to bring their mail servers into line with the state of the art.
According to a recent public notification by an information portal for online traders, the BayLDA has now also started checking whether websites with contact forms are observing these data protection requirements. Website operators that do not encrypt the personal data transmitted to them via the contact form at all, or whose encryption falls short of the requirements set by the BayLDA, are given the choice of either taking the measures (supposedly) required by the law or of removing the contact form from their sites.
The investigations conducted by the BayLDA prove that the adequate securing of personal data transmitted electronically through adequate encryption techniques is increasingly becoming the focus of attention of the data protection authorities. Although violations of the pertinent statutory requirements are not punishable by fine, the data protection authorities can order measures to remedy violations established, whereby the failure to comply with a corresponding order can then constitute a regulatory offence that is subject to a penalty. Moreover, the authority can, under certain circumstances, impose a fine in case of the failure to implement the measures ordered. Enterprises should therefore take these investigations as cause to check the compliance of their own e-mail communications with the statutory or official requirements. In some cases the data protection authorities have set even stricter requirements for the encryption technology to be used when electronically transmitting certain types of personal data. However, many legal aspects surrounding encryption have not yet been conclusively clarified. This applies in particular to the question of whether one can also revert to encryption techniques which no longer/do not correspond to the state of the art or even continue to communicate via e-mail in an unencrypted form if consent is obtained from the person in question.
Dr. Dirk Reintzsch
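An added example, not part of the original newsletter and not the BayLDA's own tooling: a Python script for checking your own mail server, and the web server behind a contact form, for the two properties named above, namely encrypted transport (STARTTLS for mail) and a forward-secret key exchange. The function names and the pass/fail criteria are assumptions of this example; how the authority itself tests is not described here.

```python
import smtplib
import socket
import ssl
import sys

# OpenSSL names of TLS <= 1.2 suites with an ephemeral key exchange start
# with one of these; "ECDH-" (static) and plain RSA suites do not.
FS_PREFIXES = ("ECDHE-", "DHE-")


def has_forward_secrecy(cipher_name, tls_version):
    """True if the negotiated session used an ephemeral (EC)DH key exchange."""
    if tls_version == "TLSv1.3":
        return True  # a full TLS 1.3 handshake always uses ephemeral (EC)DHE
    return (cipher_name or "").startswith(FS_PREFIXES)


def assess(tls_offered, cipher_name=None, tls_version=None):
    """Turn one observation into a finding string."""
    if not tls_offered:
        return "FAIL: transport encryption not offered"
    if not has_forward_secrecy(cipher_name, tls_version):
        return f"FAIL: {tls_version} {cipher_name} lacks forward secrecy"
    return f"OK: {tls_version} {cipher_name}"


def check_mail_server(host, port=25, timeout=10.0):
    """Check your own MX: is STARTTLS advertised, and what gets negotiated?"""
    ctx = ssl.create_default_context()  # also verifies certificate and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return assess(False)
            smtp.starttls(context=ctx)
            return assess(True, smtp.sock.cipher()[0], smtp.sock.version())
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return f"FAIL: {exc}"


def check_web_server(host, port=443, timeout=10.0):
    """Same assessment for the HTTPS endpoint that serves a contact form."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess(True, tls.cipher()[0], tls.version())
    except (ssl.SSLError, OSError) as exc:
        return f"FAIL: {exc}"


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: python tlscheck.py mail|web <your-own-host>
    check = check_mail_server if sys.argv[1] == "mail" else check_web_server
    print(check(sys.argv[2]))
```

The result reflects only the suite negotiated with this client; a server may still accept suites without forward secrecy from other clients, so the server's cipher configuration should be reviewed as well.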
In its Green-IT decision dated 19 March of this year, the reasons of which have now been published, the Federal Court of Justice has ruled again on the prerequisites for and scope of the exhaustion of the right to distribute software.
In the underlying case the claimant, which develops and distributes antivirus software, objected to the resale of its antivirus software by the defendant, a commercial trader in software. The defendant had acquired several copies of the claimant’s antivirus software in the form of so-called “box products” from an authorised distributor of the claimant. These box products consist in particular of a physical data-carrier containing the respective copy of the software as well as a product code with which the software can optionally also be downloaded from the claimant’s website. According to the attached licence conditions of the claimant, the right to use the software is limited to a specific service period upon whose expiry the software is automatically deactivated and disabled. Within the scope of the resale of the software, the defendant had transferred to some of its customers only the product code for the software without the pertaining data-carrier. The claimant deemed this a violation of its exclusive right to distribute and copy the software and took legal action for forbearance.
In its decision the FCJ negated an infringement of the claimant’s distribution right with the argument that the sale – made with the claimant’s consent – by the distributor to the defendant exhausted the claimant’s distribution right with regard to the copies of the software in question. This was not opposed by the fact that, according to the claimant’s licence conditions, the acquirer was only granted a fixed-term right of use. Since the right to use the software covered the entire period of the software’s functional capability, the rights to the respective programme copy were also permanently and finally assigned in this case. The FCJ ruled that it was of no consequence that the defendant had not given its customers the actual “exhausted” programme copy – in the form of the data-carrier acquired by the distributor – but that the latter had to download the software from the claimant’s website, for the effect of the exhaustion also extended to the right to be able to distribute the respective programme copy by disclosing the product code required to download the software.
In the FCJ’s opinion the subsequent acquirer’s – here the defendant’s customers’ – right to download and thus reproduce the software presupposes, however, that the previous acquirer – in this case the defendant – has disabled his copies of the software at the time of the resale. Since the defendant, who bears the burden of proof insofar, was unable to adequately prove the fulfilment of this requirement, the FCJ ultimately affirmed the claimant’s forbearance claim under copyright law against the defendant on grounds of the serious risk created by the latter that this could result in an unauthorised reproduction of the software by its customers.
Whilst the findings on the prerequisites for and scope of the exhaustion of the distribution right are in line with the pertinent case law of the ECJ, this can legitimately be challenged with respect to the opinion that the second acquirer is only entitled to download (and use) the programme copy after the first acquirer has handed him his programme copy or disabled it. The FCJ’s reference in this connection to the “UsedSoft” decision of the ECJ is certainly incorrect. This decision concerns and exclusively assumes an infringement of the reproduction right by the first acquirer in the event that such first acquirer does not disable his copy of the programme at the time of the resale. Against the background of the purpose pursued with the exhaustion principle – namely securing the marketability of the respective copy of the programme – one must certainly critically question the fact that, in corresponding cases pursuant to the case law of the FCJ, the subsequent acquirers themselves can now be faced with forbearance claims asserted by the holder of the right.
Dr. Dirk Reintzsch
4. Regional Court of Halle: Forbearance claim also exists in case of the remedy of a first-time breach of the licence conditions of the GNU General Public License Version 3 (GPLv3)
The Regional Court of Halle (Saale) recently had to decide in injunction proceedings on a forbearance claim asserted on grounds of a licence-breaching use of open source software. In the underlying case the defendant of the injunction proceedings – a high school – had provided employees and students with downloadable software on its website which enabled access to the high school’s own WIFI. The software is licensed under the conditions of the GNU General Public License (GPL). Whether the 2nd or 3rd version of GPL applies was left open by the court, as it based its legal appraisal on the pertinent conditions of both licence contracts in parallel.
The court confirmed a forbearance claim under copyright law of the holder of the right, respectively the claimant in the injunction proceedings, because the defendant had – undisputedly – violated obligations under the licence conditions to provide the users with a copy of the licence agreement as well as access to the source code of the programme. The Regional Court of Halle deemed this a violation of the claimant’s exclusive right to allow the public reproduction of a computer programme pursuant to Sec. 69c No. 4 German Copyright Act [Urhebergesetz, UrhG].
In the court’s opinion it was of no relevance to the risk of repetition required for a forbearance claim that the defendant has since rendered a sworn affidavit to the effect that it has removed the software from its website and has also promised to discontinue using the software in future. The possibility envisaged in clause 8 sec. 3 GPLv3 of being able to “remedy” breaches of licence within 30 days of receipt of a corresponding indication, with the consequence that the right of use is upheld, did not justify any other judgment according to the Regional Court of Halle. The granting of a right to continue using the software should not be interpreted to mean the licensor simultaneously also intended to waive its legal claim to having the (first) infringer render a declaration of forbearance subject to penalty clause. Such an interpretation would not do justice to the interests involved since, for the licensee, it would be tantamount to an invitation to breach the licence conditions once without having to fear any sanctions.
The Regional Court of Halle’s judgement is evidence of the increasing frequency with which the German courts have to deal with licence-related disputes over the use of open source software. In view of the many unclear legal issues in this area as well as the legal uncertainty this entails, this development can be welcomed without reservation. At the same time, however, this development creates a need to carefully ensure the observance of – often not very precisely worded – licence conditions.
Dr. Dirk Reintzsch
In two decisions dated 26 November 2015 (docket Nos. I ZR 3/14 and I ZR 174/14) the 1st Senate of the FCJ ruled that access providers can fundamentally be obliged to block access to websites that contain copyright-infringing contents. In both proceedings the holders of rights demanded that a German access provider block access to specific websites. The FCJ ruled that the provision of access to such websites could be classed an adequate causal contribution of the telecommunications enterprise to the infringements of rights by the website operators. When evaluating the reasonableness, one needed to consider the basic ownership rights of the holders of such rights, the freedom of profession of the telecommunications enterprises as well as the freedom of information and informational self-determination of the internet users.
However, the FCJ has set very strict requirements for blocking access. Claims can only be asserted against access providers as a last resort if prior direct measures against the operator of the website infringing the copyright are unsuccessful or without prospects of success. When determining the parties to primarily be sued, the holder of the rights must make reasonable investigations, such as hiring a detective or calling in the state investigative authorities.
Only if claims against these parties fail or have no prospects of success, and this would therefore result in a loophole in the legal protection, is legal action against the access provider as the “disturber of public order” [Störer] deemed reasonable. After all, according to the FCJ, the operator and host provider of the respective website are far closer to the infringement of rights than the access provider, which only generally provides internet access.
The prior instances of both proceedings (the Higher Regional Court [Oberlandesgericht, OLG] of Cologne in its decision “Goldesel” as well as the Higher Regional Court of Hamburg in its decision “3dl.am”) had previously always negated an obligation of the access provider to block access. However, in its judgement of 27 March 2014 (docket No.: C-314/12) in the matter “kino.to” the ECJ had already opened up the scope for blocking internet sites on the basis of European law, which has now been applied by the FCJ.
As a result, it is now possible for the holders of rights to have websites blocked insofar as these sites offer contents which infringe their copyrights. In light of the strict requirements of the FCJ, however, they are obliged to conduct extensive investigations prior hereto and must document these vis-à-vis the access provider.
Dr. Helge Pühl, Dr. Jürgen Hartung