Newsletter IT & Data Protection
In this issue we are reporting on exciting proposed legislation and court decisions on the topics telecommunications data retention, liability for WLAN, images of employees, the resale of e-books and legal action against the use of social plugins. Further important developments and decisions are imminent: the outcome of the negotiations between the EU and USA on the Safe Harbor Principles is overdue; all the more eagerly awaited is the ECJ’s decision. The European Council intends to establish its position on the Data Protection Basic Regulation in mid June. These topics will be handled in our next Newsletter, likewise our experiences on the co-determination obligation regarding inhouse WLAN networks.
The Federal Government has presented a draft bill to reintroduce telecommunications data retention. A corresponding law is now to be passed by the Bundestag, if possible prior to the parliamentary summer recess.
The increasing demand for public internet access has caused the Federal Government to present a draft bill amending the German Telemedia Act [Telemediengesetz, TMG]. The declared purpose of the amending act is to promote the expansion of nationwide, open WLAN internet access by giving WLAN providers greater legal certainty.
The Federal Labour Court [Bundesarbeitsgericht, BAG] has ruled that the required consent to be given by employees to the publication of their images must be given in writing.
The Higher Regional Court [Oberlandesgericht, OLG] of Hamburg recently ruled that online dealers may prohibit their customers from reselling e-books. With this decision, the Higher Regional Court has strengthened the legal position of copyright holders and dealers of digital books.
5. Consumer protection association takes legal action against social plugs (Facebook’s “like” button)
Consumer Protection Association of North-Rhine Westphalia [Verbraucherzentrale Nordrhein-Westfalen] has taken two enterprises to court for installing Facebook’s “like” button on their websites. Four further enterprises have been issued warnings about this practice.
IT and Data Protection Law News
Telecommunications data retention comprises the storage of telecommunications data (about telephony, e-mails or internet use) by telecommunications providers without occasion for a defined period so that they can be accessed by criminal prosecution authorities to prevent and solve crimes. Please note that the data retention obligation which is in focus of the new draft law only relates (i) to providers of publically accessible telecommunications and internet access providers; it shall not affect corporate networks, or companies that provide a short term (free) service such as cafes, hotels, etc.
The first act on telecommunications data retention was declared unconstitutional by the German Federal Constitutional Court [Bundesverfassungsgericht, BVerfG] in 2010. In April 2014 the European Court of Justice (ECJ) repealed the Council Directive underlying the telecommunications data retention (Council Directive 2006/24/EC). In both cases, the judges fundamentally considered the retention of telecommunications data to be legally permissible if its purpose is to combat serious crime and is thus ultimately in the interests of public safety. However, the judges felt that the storage of user data without occasion represented a particularly grievous infringement of constitutional rights and exceeded the boundaries of reasonableness. To ensure the storage obligation is limited to the absolutely necessary minimum, both the German and European judges demanded restrictive regulations for its practical configuration, for example for data security, data usage, transparency and the protection of rights.
With its “draft bill to introduce a storage obligation and a maximum storage term for traffic data”, the Federal Government is trying anew to find a balance between data protection and safety interests and wants to provide a new legal basis for the retention of telecommunications data.
Like the first act, the governmental draft on telecommunications data retention that has now been submitted envisages the storage of user data without occasion, albeit to a lesser degree. Not to be included are the contents of the communication, the internet sites accessed and in future also the entire e-mail traffic. As regards location and traffic data, the draft bill introduces various storage obligations. A further key factor is the significantly shorter maximum storage periods: Location data can now only be stored for four weeks, the remaining traffic data for ten weeks. Data subjects fundamentally have to be informed in advance about the retrieval of any and all data. The right to access this information will be granted only to the criminal prosecution authorities, on grounds of a judicial order, which also has to be substantiated in detail, in case of offences that are catalogued as most serious crimes. For data protection purposes, telecommunications providers shall be obligated to protect their databases from third-party access in future by means of encryption processes and to record any accesses. In addition to sanction possibilities if the provisions are disregarded, the new criminal offence of “the receiving of data” is to be created.
The draft law includes a limited data localization requirement as the data to be stored on the basis of draft Sec. 113b Telecommunications Act shall be stored on the territory of Germany (the reason being that access by foreign state agencies in Europe or elsewhere shall be prevented). But please be aware that this data must be stored in a distinct database, being separated strictly from the operational systems, according to draft Sec. 113d Telecommunications Act. Hence, this does not prevent telecommunications providers/ISPs to continue running the operative systems outside Germany.
Despite the attempt to implement the requirements of the ECJ and BVerfG, the provisions of the draft bill contain several vague terms which harbour the risk of circumventions and infringements of constitutional rights. Uncertainty still exists with respect to their application to in-house communication and networks. The draft bill is to be put through the Bundestag in summary proceedings and a corresponding law already be passed before the summer recess. Whether it will meet the requirements of constitutional law remains to be seen.
Dr. Johannes Rabus
In an international comparison, Germany lags far behind as far as the provision of publicly accessible WLAN internet is concerned. One reason for this is the liability risks which currently still exist for potential providers of such WLAN internet access. The legal action possibly facing WLAN providers on grounds of the principles of liability arising from the duty of care [Störerhaftung] developed by case law is such that WLAN providers could be sued for illegal activities of third parties if it itself contributed to the perpetrated violation of the law. This has to be assumed if the WLAN provider failed to take adequate measures to avoid possible misuse by external third parties. Which specific measures are meant by this has also only been the topic of judicial decisions in individual cases. The Federal Government has therefore published a draft bill on the amendment of the German Telemedia Act (TMG), with which the existing liability risks are to be reduced.
The draft clarifies that WLAN providers are „access providers” within the meaning of the TMG and that the liabilities privileges for access providers therefore also fundamentally apply to them. Additionally, the aforesaid principle of liability arising from the duty of care developed by case law is specified more precisely in that the draft stipulates specific measures against a possible misuse by external third parties. As a reasonable measure, for example, the draft mentions the encryption of the connections. Additionally, WLAN providers may only allow access to those users who have previously declared that they will not commit any offences via the WLAN connection.
One point of criticism is that the additional obligations the draft attaches to the liability privileges of WLAN providers constitute practically insurmountable hurdles for them and that, in effect, the liability privilege will hardly effectively apply. The requirement of adequate encryption will prevent users from being able to simply log into the network. Rather, before being able to use the network they will have to request the respective password from the WLAN provider, which will hardly be possible, especially in case of public WLAN providers – for example state WLAN providers. The public WLAN provider would have to publicly disclose the password in the vicinity of the network, which in turn would counteract the purpose of the encryption (effective protection against unauthorised access by third parties). It is also doubtful that the user’s express declaration not to commit any offence via the WLAN is truly suited to deter or solve possible crimes.
On the whole, the obligations imposed upon WLAN providers are probably more likely to continue to deter them from making their WLAN available to the general public, and hence the draft is hardly likely to achieve its striven goal of providing nationwide, open WLAN internet access throughout Germany.
In its decision dated 11 December 2014 (8 AZR 1010/13), the Federal Labour Court (BAG) had to decide on a case in which an employee demanded that access to a promotional film produced by the employer on its website be prohibited. In this promotional film, the employee was visible for a few seconds amidst a group of about 30 employees. Although the employee had originally consented to the publication, he revoked his consent after the end of the employment relationship. The BAG had to clarify whether a valid consent of the employee originally existed and whether such consent was validly revoked after the end of the employment relationship.
To begin with, the BAG established that the strict requirements of Sec. 4a German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] do not apply to the consent since the German Copyright Act for Works of Art [Kunsturhebergesetz, KUG] has precedence over the BDSG in its applicability as a specific legal regulation. Pursuant to Sec. 22 KUG, images may only be distributed or publicly displayed with the consent of the person portrayed. However, the KUG does not stipulate a specific form for the consent. The BAG argued, however, that from a constitutionally conform interpretation of the KUG a written form requirement arises from the employment relationship. The employee must also be able to exercise his basic right to informational self-determination in the employment relationship so that it is clear that his consent is given regardless of the respective obligations arising from the employment relationship.
The BAG also decided that an employee cannot simply revoke at any time the consent already given by him, not even if the employment relationship has ended. If the employee did not only expressly give his consent for a limited period, then it can only be revoked in the individual case after weighing such revocation against the interests of the employer. Here, the employer’s interests in the publication and a cost-covering recovery of the production costs on the one hand must be weighed against the employee’s right to informational self-determination on the other. In the specific case, the outcome of the balance of interests went in the employer’s favour, since it was not the employee in person who was the subject of the advertisement, rather the advertisement only portrayed him along with other employees for illustration purposes. In future, employers should therefore ensure that, prior to publishing images of their employees, they obtain their written consent, which in the best case scenario should be granted without time limit.
Digital books acquired on the internet may not be resold without the consent of the copyright holder. This was decided by the Hanseatic Higher Regional Court (OLG Hamburg) in its decision dated 24 March 2015 (docket No.: 10 U 5/11), thus once again strengthening the legal position of the copyright holders and dealers of digital books.
In the above case, the OLG Hamburg dismissed the appeal of the Consumer Protection Association [Verbraucherzentrale Bundesverband e.V., vzbv] against a judgement of the Regional Court [Landgericht, LG] of Hamburg regarding the admissibility of the resale of e-books. The vzbv filed legal action against an online dealer which had prohibited the resale of e-books in its general terms and conditions. It considered this to be an unreasonable disadvantage for the customer, since the same regulations applying to analogue books ought also apply to digital books. Analogue books, that is to say physical works, are covered by the exhaustion principle of Sec. 17 Subsec. 2 German Copyright Act [Urhebergesetz, UrhG]. According to this: if works or their reproductions have been brought onto the market by the copyright holder itself or with its consent, it can no longer exert any influence over their further course thereafter. Its power in this respect has been “exhausted”. The lawful acquirer is then generally free to dispose over the work without the copyright holder’s consent.
Two other German courts previously had to decide on similar cases. Here as well, the vzbv complained of the exclusion of resales through the general terms and conditions of an online book dealer, in this case with respect to audiobooks that had been downloaded from the internet. The OLG Stuttgart (judgement dated 03 November 2011, docket No.: 2 U 49/11) and the OLG Hamm (judgement dated 15 May 2014, docket No.: 22 U 60/13) in both cases ruled that the resale prohibition was legally permissible and agreed in favour of the online book dealers. The courts were of the opinion that the exhaustion principle did not apply to digital audiobooks since this presupposed a physical transfer, which specifically is not the case with a digital download.
However, that the exhaustion principle can also be applied to non-physical works has been clearly stated by the European Court of Justice (ECJ) in the past with respect to software. In its UsedSoft decision (judgement dated 03 July 2012, docket No.: C-128/11) it negated a resale prohibition of software downloaded from the internet and, with such viewpoint, already decided contrary to the prevailing opinion of the German courts.
However, following the ECJ judgement pronounced, it is still unclear whether this case law can also be transferred to other digital contents. There could be a difference in the legal appraisal in that the UsedSoft case decision was based on the Software Copyright Directive, whereas books and audiobooks fall under the general Copyright Directive. A Dutch court recently presented the ECJ with a preliminary ruling on the question of the reconcilability of the resale of digital books with European law. The ECJ’s decision is eagerly awaited. Since it directly affects the legal situation in Germany, it is of great significance.
Dr. Johannes Rabus
5. Consumer Protection Association takes legal action against social plugins (Facebook’s “like” button)
The Consumer Protection Association of North-Rhine Westphalia [Verbraucherzentrale Nordrhein-Westfalen] has filed suits before the Regional Courts of Düsseldorf and Munich regarding the use of Facebook’s “like” button against the clothing chainstore Peek&Cloppenburg and the company Payback. The hotel portal HRS and the ticket dealer Eventim have already rendered declarations of forbearance from the continued use of the button without amendment. Talks are still being conducted with the Nivea provider Beiersdorf and the discount store Kik on out-of-court settlements.
When a social plugin (here the “like” button) is installed on a website, Facebook automatically receives data on the surf conduct of the users when the websites are accessed. This happens via a so-called cookie, which is placed on the user’s computer with the “like” button. With this, the browser can establish a connection to Facebook’s servers and transfer the data to the social network. The criticism pursuant to data protection law is that the transfer of data takes place irrespective of whether the user is registered with Facebook or not and irrespective of whether they even use the “like” button.
The Consumer Protection Association deems this a violation of German and European data protection standards, since the customer is neither informed about the transfer of the data nor can he oppose it. The Association therefore demands that the data is converted in conformity with data-protection law when using the button. A solution that conforms to data protection law has been developed by the publishers Heise-Verlag, for example, which requires the activation of the social plugin by the user in a first step before data is being transmitted.Since 2011, the Independent Regional Centre for Data Protection [Unabhängige Landeszentrum für Datenschutz, ULD] in Schleswig-Holstein has been taking legal action against this practice. However, the instructions of the ULD were deemed invalid by the Administrative Court [Verwaltungsgericht, VG] and Higher Administrative Court [Oberverwaltungsgericht, OVG], the appeal on points of law before the Federal Administrative Court [Bundesverwaltungsgericht, BVG] is currently running under docket No. 1 C 28.14 and will probably already be decided by the 1st Senate this year.
Dr. Jürgen Hartung
Dr. Marc Hilber, LL.M.
Telephone: +49 221 2091 612
Telefax: +49 221 2091 333
Dr. Jürgen Hartung
Telephone: +49 221 2091 643
Telefax: +49 221 2091 333
Indonesia, Malaysia, Singapore, Taiwan