Newsletter IT & Data Protection
2015 is already well underway and we are keen to keep you up-to-date on this year’s new developments in IT law. There is certainly no shortage of interesting topics, and so we have summarised further articles for you on data protection law, database law and the law governing general business terms and conditions. A further focus of our newsletter is the discussion on the introduction of an IT Security Act which is expected in the near future. And finally, we are providing you with an update on the planned Data Protection General Regulation [Datenschutz-Grundverordnung].
The Bavarian State Office for Data Protection Supervision [Bayerisches Landesamt für Datenschutzaufsicht, BayLDA] has conducted technical tests on the Smart TV appliances of 13 manufacturers and published the test results. Further steps have been announced, amongst others the drafting of a guideline.
The European Court of Justice has decided that, in specific cases, the creator of a database may not be denied the possibility of contractually limiting a third party’s use of its database.
The Regional Court [Landgericht, LG] and Higher Regional Court [Oberlandesgericht, OLG] of Oldenburg have deemed the choice of German law in the general terms and conditions of a German online shop whose business was also directed at consumers resident abroad to be invalid, on the grounds that this might mislead the foreign consumers.
The increasing potential threat of cyber crime has led the Federal Government to present a draft bill to tighten the security of critical IT infrastructure as an element of its “Digital Agenda”. The ambitious goal of this draft bill is to make Germany’s IT systems and digital infrastructure the securest in the world.
As is generally known, the European Commission and European Parliament have already presented their drafts for the Data Protection General Regulation. The Member States are currently negotiating the draft in the European Council. A compilation of the material, including the two official drafts of the General Regulation, can be found under http://gesetzgebung.beck.de/news/datenschutz-grundverordnung.
IT and Data Protection Law News
Following the repeated publicity since 2013 on the transmission of data via Smart TV appliances and the scrutiny of whether TV broadcasters, content providers and appliance manufacturers comply with data protection provisions, various official investigations have been conducted. In May 2014 the supervisory authorities for data protection and broadcasting supervision already published a common position. Subsequent to this, the Bavarian State Office for Data Protection Supervision [Bayerisches Landesamt für Datenschutzaufsicht, BayLDA], on behalf of all of the supervisory authorities, conducted technical tests on the Smart TV appliances of 13 manufacturers, covering about 90% of the market in Germany.
Firstly, the aim was to determine which data flows from Smart TV appliances and to gain a better understanding of who the various actors are and who bears the responsibility under data protection law. At a press conference held on 27 February 2015 the main findings of the technical examination were presented. A summary of the test criteria and corresponding findings has been published.
In our opinion, the informative value of these test results is modest. They contain no specific statements on which type of data flows to which responsible parties and for which purposes. They merely establish that several parties were certainly not able to present the required documents, such as data protection declarations, etc.
However, further steps were announced at the press conference. Firstly, the respective competent supervisory authorities will be contacting the participants to clarify any open questions and to determine which measures are necessary to ensure they operate in conformity with data protection law. Secondly, the German data protection authorities have announced within the scope of the so-called Düsseldorfer Kreis and its working groups that they are drafting a Smart TV guideline, which shall serve as the basis for the legal appraisal of the findings of the technical examination. A specific time frame for this was not announced.
Dr. Jürgen Hartung
In its decision dated 15 January 2015 (C-30/14), the European Court of Justice (ECJ) had to decide on a case in which the low-budget airline Ryanair sued a Dutch website operator which acts as a broker for low-budget flights on the internet. The website operator obtains offers from numerous airlines and compares them to find the cheapest flight. The website operator obtains the data required for this automatically using so-called screen scraping software, inter alia also from Ryanair’s website, despite the fact that Ryanair expressly prohibits this conduct in its general business terms and conditions. Users are obliged to expressly accept these conditions prior to use. Ryanair has also attempted to judicially prohibit this practice in Germany, albeit without success to date.
The German Copyright Act [Urheberrechtsgesetz, UrhG] distinguishes (like Council Directive 96/9/EC on the Legal Protection of Databases) between databases which are a personal intellectual creation on grounds of the choice or arrangement of their elements and are therefore copyright-protected and databases whose creation, examination or presentation require substantial investment in terms of their type or scope (so-called sui generis right). In both cases, the creators of the database are deprived of their contractual freedom of disposal within certain limits, for they are fundamentally not allowed to contractually prohibit the normal use of that part of the database which is insubstantial in terms of type and scope. For this reason, deviating terms and conditions of use of database creators can generally be disregarded in such cases.
In its decision, the ECJ makes it clear that this limitation of the contractual freedom of disposal does not apply to databases which neither meet the requirements of a copyright-protected database nor the requirements of the sui generis right. In other words: if the database enjoys protection, then statutory exceptions apply to the creator which cannot be contracted out. If, conversely, the database does not enjoy such protection, the statutory barriers do not apply and the creator of the database is validly able to contractually limit its use. Database creators such as Ryanair - which have thus far pleaded the sui generis right in the absence of a sufficient level of originality, but have been unsuccessful with this plea because the German courts have considered screen scraping to constitute only the permissible use of an insignificant part of the database to date - could argue in future that they do not fall under the scope of application of the sui generis right. If successful, a contractual limitation of the use of its database would also be possible in Germany again. However, it remains to be seen whether this will be enforced if the legal protection of databases pursuant to the Copyright Act is thereby lost in other areas.
By judgement dated 11 June 2014 (5 O 908/14), the Regional Court [Landgericht, LG] of Oldenburg had to decide on the legality of a choice of law clause in the general terms and conditions of an internet shop operator who had stipulated the applicability of German law for the general terms and conditions of its shop, whose business was also aimed at consumers resident abroad. The Regional Court deemed the choice of law clause to be invalid because the foreign consumers might understand it to mean that, contrary to Art. 6 (2) of the Rome I Regulation, the consumer protection provisions applicable in the consumer’s country of residence – which cannot be deviated from to the consumer’s detriment – were not to apply either. Since the choice of law clause was not worded clearly and comprehensibly, foreign customers were given a false impression of their possibilities of legal protection pursuant to this provision. This legal opinion has since also been confirmed by the Higher Regional Court [Oberlandesgericht, OLG] of Oldenburg as the appeal instance (6 U 113/14).
Against this background, sellers who distribute their goods and/or services to consumers transnationally and who have included or intend to include an agreement on the choice of law in their general terms and conditions should explicitly stipulate in such a clause that the choice of law does not affect the validity of those consumer protection provisions of the consumer’s country of residence that are mandatory, i.e. that cannot be contracted out by the parties. The clause could otherwise be deemed invalid and cause competitors or correspondingly authorised associations (as in the case up for decision) to issue a warning. Insofar as sellers exclusively contract with consumers, in the light of the limited effect of a choice of law, one should also always critically scrutinise whether or not such an agreement is even expedient.
Dr. Dirk Reintzsch
Threats of attacks on IT systems by other countries, criminals or competitors are constantly on the rise. The most prominent example was the recent hacker attack on Sony Pictures, where sensitive e-mails and information concerning scripts and contracts with prominent actors were stolen and caused damages running into hundreds of millions. A report by the German Federal Office for Information Security [Bundesamt für Sicherheit in der Informationstechnik, BSI] recently announced that hackers in Germany had succeeded in taking over an entire blast furnace and damaging it to such an extent that it could no longer be properly shut down. Such attacks on machine controls first became known through “Stuxnet” (attacks on Iranian uranium enrichment plants).
The increasing potential threat of cyber crime caused the Federal Government, at the end of December 2014 and again at the end of February 2015, to present a draft bill to tighten the security of critical IT infrastructure as an element of its “Digital Agenda”. The ambitious aim of the draft bill is to make Germany’s IT systems and digital infrastructure the securest in the world.
The focal point of the submitted Cabinet draft (additional amendments are expected during the further legislative process) is to oblige operators of so-called “critical infrastructure” to adhere to certain organisational and technical minimum standards in future. These need to be updated continuously and verified every two years through security audits or certifications. The BSI is entitled to check compliance with the security standards. An ordinance will stipulate in detail which infrastructures will be classed as critical. Particularly in focus are facilities which “are of major importance to the functioning of the community”, such as facilities in the energy, health, telecommunications, transport and finance sectors.
The operators addressed by this draft will also be obliged to immediately notify the BSI of any major disruptions in the availability, integrity, authenticity and confidentiality of their IT systems, for example hacker attacks. As the central notification body, the BSI is obliged to collect and analyse the information available on security loopholes, malware and their potential effects, and to subsequently make this information available to the operators of critical infrastructures. The role of the BSI is therewith being considerably upgraded.
IT security, however, is a topic of major relevance to all enterprises, and one which needs to be addressed. To begin with, inadequate IT security constitutes a breach of compliance duties and can therefore also indirectly lead to responsibility and liability on the part of the corporate management. Given that systematic threats and risks are a generally known occurrence, the failure to take action borders on gross negligence. Secondly, however, the future viability of the German economy is also at stake. In the major trend topic “digitalisation” (key words: Industry 4.0, Internet of Things), to which the German economy has especially devoted itself, IT security is exponentially increasing in importance as the degree of networking increases.
Dr. Johannes Rabus
As we know, the European Commission and European Parliament have already presented their drafts for the General Data Protection Regulation. The Member States are currently negotiating the draft in the European Council. A compilation of the material, including the two official drafts of the General Regulation, can be found under http://gesetzgebung.beck.de/news/datenschutz-grundverordnung. As soon as the European Council has also passed its own version of the General Regulation, the European Council, European Parliament and the European Commission will then consult on the drafts within the framework of the so-called trialogue. The political pressure (to reach an agreement) is perceived by all of the parties to be considerable, and many assume that not just the European Council’s version, but also an agreement in the trialogue can still be expected in 2015. We consider this unlikely, however, and are assuming that the General Regulation will be adopted in 2016. In this case the General Regulation would then enter into force in 2018.
The European Council has already reached agreement on 5 of the 11 chapters of the Data Protection General Regulation. For example, in June 2014 the European Council agreed on Chapter IV (Controllers and Processors) and in July on Chapter V (Transfer of Personal Data to Third Countries or International Organisations). Six chapters of the Data Protection General Regulation are therefore still open, including the negotiations in the Council on the important topics of Sanctions (Chapter VIII), Rights of the Data Subject (Chapter III), as well as Principles (Chapter II) with important provisions concerning big data (e.g. pseudonymisation and consent). The next meeting of the European Commission will take place in March 2015. Each Member State is sending one delegation to the Council meetings. The 28 delegations must agree on a common version in a procedure that is cautiously described by participants as laborious. Consequently, we deem it ambitious to already expect a coordinated Council draft in 2015. Once this draft is available, a negotiation process between the Commission, Parliament and Council within the scope of the trialogue will then determine the final version.
Dr. Marc Hilber
Dr. Marc Hilber, LL.M.
Telephone: +49 221 2091 612
Telefax: +49 221 2091 333
Dr. Jürgen Hartung
Telephone: +49 221 2091 643
Telefax: +49 221 2091 333