Newsletter: Digital Business

There is a lot happening in the field of Digital Business. Below, we have summarised the most important legal developments: According to a recent ruling of the Higher Regional Court of Düsseldorf ("OLG Düsseldorf"), copyright holders cannot claim damages if third parties use their free intellectual property in an unlawful manner. What are the practical implications of this ruling? In the area of e-commerce, we present some innovations and legal consequences of Brexit and explain the limits of permissible video surveillance. Furthermore, you can learn the relevant implications of the new legislative proposal of the German implementation of the EU Digital Content and Services Directive. Finally, we take a look at the interaction between IT law and employment law: What do you need to consider in the area of crowdworking, the use of artificial intelligence towards employees, and working from home office?

1. No compensation for damages in case of royalty-free use of a non-commercially used legal good (e.g. open source software)?

2.  E- Commerce Post-Brexit - What's new? 

3. 10,4 million euros in fines: Unauthorized video surveillance in retail 

4. Draft law on the implementation of the EU Directive on the Supply of Digital Content and Digital Services published

5. Interfaces to employment law 

6. Data protection outlook for the year 2021

1. No compensation for damages in case of royalty-free use of a non-commercially used legal good (e.g. open source software)? 

In a judgement of the Higher Regional Court of Düsseldorf dated 19 November 2020 (docket No.: I-20 U 152/16), the Senate ruled that the holder of a trademark right who does not use the trademark commercially is not to be entitled to claim damages from the unauthorised user.

This raises the question - also with regard to previous case law – of whether the author of open source software might now also not be entitled to damage claims against the unlicensed user. The consequences of using open source software without a licence are of great practical relevance, especially in the context of due diligence audits of technology companies. This is because open source software has become indispensable in the development of software and a violation of copyleft licence terms (which are sometimes complex and not always easy to comply with) leads to the lapse of the licence.

Ultimately, the only point that is clear is that the holder of the right can demand injunctive relief from the infringer. In addition, the unlicensed use of software or other works constitutes a criminal offence pursuant to § 106 German Copyright Act [Urheberrechtsgesetz, UrhG]. However, it has not been finally clarified whether an unlicensed use of open source software (or other non-commercially exploited intangible legal assets) triggers a damage claim (in the form of the surrender of the infringer's profit). The Higher Regional Court of Düsseldorf has ruled against this. However, there are strong reasons (reasons that have also been recognised, for example, by the Higher Regional Court of Cologne) supporting such a damage claim. Clarification by the Federal Supreme Court [Bundesgerichtshof, BGH] is pending.

In detail, this arises from the following: 

The outcome of the judgement  

The legal dispute concerned the unauthorised use of a trademarked ÖKO-TEST seal. The defendant had affixed the seal to its products without having a valid licence to do so. The owner of the trademark right is unquestionably entitled to injunctive relief and, on the merits, also has a damage claim against the infringer.

However, the Higher Regional Court rejected the existence of a damage claim because there was no compensable damage as the trademark was not used commercially. 

Calculation of damages in the case of intellectual property rights

In the case of intellectual property rights such as trademarks, patents or copyrights, as is always the case with damage claims, the concrete damage incurred can be taken as the basis on the one hand. If there has been no concrete damage, the holder of the right holder can, on the other hand, also demand what he would have hypothetically demanded for a licence (so-called licence analogy) or skim off the profit specifically gained by the infringer through the unauthorised use of the right.

Since the claimant had not suffered any concrete damage, in the case decided by the Higher Regional Court of Düsseldorf the damage could only be calculated by way of licence analogy or profit skimming.

License analogy

Damage cannot be established by way of licence analogy, however, insofar as the holder of the right grants licences free of charge (and thus waives their commercial exploitation). Although the decisive factor here is not whether the claimant would have granted a (chargeable) licence to the defendant, but just the objective value to the infringer of the permission to use the right, the case law (for example also OLG Cologne, judgement dated 31 October 2014, docket No.: 6 U 60/14 on a photo provided free of charge; OLG Hamm, judgement dated 13 June 2017, docket No.: 4 U 72/16 on open source software) assumes that the objective value of the use depends on what the licensor usually demands for granting the licence. That is to say, if the licences are usually issued free of charge, this value can only be set at zero. Therefore, damages on the basis of licence analogy fundamentally cannot come into consideration in open source software cases either (even though this is commented on critically and by all means with good reasons: e.g. Heinzke, GRUR-Prax 2017, 439; Kilian/Heussen/Mantz ComputerR-Hdb, 32.6 OSS margin No. 60). 

Skimming of the infringer's profit

Furthermore, the profit gained by the infringer through the unauthorised use of the right could be skimmed off as damages. Here, as well, the Higher Regional Court of Düsseldorf negated damages, since the infringed party would not have realised the profit in the infringer’s stead, even if the property right had not been infringed, for the very reason that the holder of the right had waived its commercial exploitation. However, this contradicts the prevailing opinion in case law and legal literature, according to which the infringer's profit can be skimmed off irrespective of whether the infringed party would also have made or even just could have made this profit.[1]

However, this prevailing opinion was based, inter alia, on the wording of § 97 (1) sentence 2 German Copyright Act [Urheberrechtsgesetz, UrhG], old version, which was valid until 2008, according to which the claim to the surrender of profits existed "instead" and thus independently of any concrete damage incurred. According to the current wording of § 97 (1) sentence 2 UrhG, whose purpose is to harmonise statutory provisions in the EU, the profit, on the other hand, is only to be taken into consideration in the calculation of the damages. It is therefore unclear whether the claim to the surrender of the infringer's profit is merely a method of calculation, which presupposes damages (for example according to the Higher Regional Court of Düsseldorf), or whether it can exist independently of any damage incurred. The amended wording of § 97 (1) sentence 2 UrhG may speak in favour of the view now taken by the Higher Regional Court of Düsseldorf. However, there is much to suggest that the legislator did not intend to change the substantive prerequisites of the claim. Moreover, it would be inequitable to allow the infringer to keep the advantages it gained from its unlicensed use. This was also the opinion of the Regional Court [Landgericht, LG] of Cologne, for example (judgement dated 17 July 2014, docket No.: 14 O 463/13), which granted a claim to the surrender of the infringer's profit in the case of the unlicensed use of open source software, precisely because it was inequitable to let the infringer keep the profit gained from the unauthorised use of the open source software. The claim to the surrender of the infringer's profit specifically did not constitute a claim to compensation of the concrete damage incurred, rather it was aimed in another way at equitably compensating for the pecuniary disadvantage.

Conclusion

Based on the wording of § 97 (1) sentence 2 UrhG, it is unclear whether an enforceable claim to damages in the form of the surrender of the infringer's profit exists in case of the unlicensed use of open source software (or other non-commercially exploited intangible legal assets). The Higher Regional Court of Düsseldorf ruled against this. However, there are strong reasons supporting why such a claim should (continue to) be recognised. Clarification by the Federal Supreme Court is pending. The Higher Regional Court of Düsseldorf has in any event allowed the appeal on points of law on this issue, thus acknowledging the fundamental importance of the question of whether the holder of a right may be entitled to damages in the case of royalty-free licensing.

Dr. Marc Hilber, LLM (Illinois)

back...

2. E-Commerce Post-Brexit - What's new? 

On 1 February 2020, the United Kingdom exited the European Union ("EU"). On 24 December 2020, the UK and the EU agreed on a Trade and Cooperation Agreement ("Trade Agreement"). This Trade Agreement has now been in force since 1 January 2021. But what does this mean for online trade? Below, we provide a condensed overview of the most important topics.

Data Protection 

Firstly, the question arises as to what applies to the processing of personal data. It is clear that the EU General Data Protection Regulation no longer applies in the UK after the end of the transition period on 31 December 2020. However, the Trade Agreement stipulates that a transfer of personal data from the EU to the UK will not be classed as a transfer to a third country, at least until 30 April 2021. However, this assumes that the UK will not change its national data protection provisions during this period without the EU's agreement. If, for example, personal data were to be transferred from a server in the EU to a transport company in the UK as part of the purchase process, this would not constitute a transfer of data to a third country. The British government also has not yet envisaged any changes to the flow of data from the UK to the EU.

What the case will be after 30 April 2021 is still uncertain. If the UK and the EU do not object to an extension of the data protection transition period, it will automatically be extended by two months. The EU Commission could also issue an adequacy decision under Article 45 GDPR, therewith establishing that the UK as a third country provides an adequate level of protection for personal data. Personal data could then be transferred from EU member states and European Economic Area member states to the UK without further requirements. However, given the extensive powers for security authorities in the UK, it is questionable whether it will come to such an adequacy decision. If the transition period is not extended and the EU Commission decides against issuing an adequacy decision, data controllers would have to provide additional "appropriate safeguards" within the meaning of Article 46 (1), (2) GDPR for data transfers to the UK as of 1 May 2021. Such safeguards are, in particular, the agreement of standard data protection clauses of the Commission and binding (group) internal data protection rules ("Binding Corporate Rules"). 

Consumer rights in distance selling

For consumers habitually residing in Germany who conclude a contract with a British online trader, nothing changes in terms of contract law from a German perspective as a result of Brexit. This is at least the case when the online shop at least also directs its activities at Germany. In this case, namely, without a choice of law clause, German law is applicable and, even in case of a different choice of law clause, German consumers must retain the consumer protection granted them under German law. However, the practical enforcement of the law against contractual partners in the UK will be more lengthy and costly.

If, on the other hand, the British online shop does not direct its activities at Germany, the law applicable at the registered office of the company, i.e. British law, should generally apply. To date, consumer-protection provisions such as those also known to German consumers have also existed in this constellation, because the essential consumer rights (e.g. pre-contractual information obligations, 14-day right of withdrawal, warranty rights and reversal of the burden of proof in the case of defects during the first six months) have their basis in European law, which was transposed into national law. However, since Brexit and the end of the transition period, European law is no longer binding on the UK. For this reason, the possibility cannot be ruled out that the UK will enact new, deviating consumer law and that consumer rights in British law will also be (partially) abolished. In this case, affected consumers might find it more difficult to enforce their rights in the future.

An online trader based in Germany who sells goods or services to British consumers has until now been bound by British law if its online shop is directed at the UK. This arises from the European Rome I Regulation. Although this no longer applies with Brexit and the expiry of the transition period, it was transposed into British national law and the conflict of laws rules still apply. German online traders therefore also need to keep a close eye on the changes in British law.

Irrespective of this, in order to be on the safe side, German online traders selling to the UK should now remember to point out - at least abstractly - the possible incurrence of customs duties when quantifying final prices for consumers. Here, the same now applies as was previously the case for deliveries outside the EU: the statement should draw the customer’s attention to the possible incurrence of customs duties, as well as to the recipient’s obligation to pay such a customs debt directly to the competent customs authority.

Another point to be borne in mind is that the EU Online Dispute Resolution platform can now no longer be used by customers (and online traders) in the UK, as the EU Regulation on Out-of-Court Dispute Resolution and Online Dispute Resolution also no longer applies to the UK following its final exit from the EU. For this reason, the corresponding, previously obligatory reference to the EU dispute resolution platform needs to be removed from internet sites that are aimed exclusively at the British market. German online traders will also no longer be able to use the EU's online dispute resolution service (even for ongoing cases!) if this concerns consumers in the UK or they suggest dispute resolution bodies in the UK. 

Shipping and customs clearance

As the UK is now considered a third country for customs and export control purposes, German companies will generally have to prepare customs declarations when shipping to the UK (an exception applies to shipments to Northern Ireland). This especially means changes for those companies that have so far only supplied their products to customers within the European Single Market. These companies now have to apply for an EORI (Economic Operators' Registration and Identification) number in the UK from HM Revenue & Customs authority in order to comply with customs formalities. At the same time, they must also be able to produce a European EORI number for exports from or imports into the EU when doing business with the UK. German companies can apply for these at the General Customs Directorate in Dresden. The British EORI number is only superfluous if the business partner assumes the customs clearance in the UK, for example if this is provided for in the agreed Incoterms (such as EXW, depending on the constellation also FCA).

Conversely, British companies wishing to deliver to the EU fundamentally have to produce a European EORI number. The EORI numbers previously issued by the UK have lost their validity, necessitating their renewed application to an EU member state.

This means that customs duties are now generally due on the delivery of goods to and from the UK. Although exceptions are possible (so-called preferential tariff treatment), the effort required to obtain the necessary proof of preference will doubtlessly present a challenge, especially for small and medium-sized enterprises, and the administrative costs can be higher than the customs duties that would otherwise be incurred.

There is already an increasing stream of reports on processing problems and complexity in the context of return shipments. The complexity of the customs declaration for the return of goods between the EU and the UK is so great that, depending on the product, it is cheaper to do without the product. Unfortunately, unless the EU and the UK make further and possibly specifically tailored concessions in this area, this phenomenon is unlikely to change in the near future. It may be worthwhile for individual companies to set up a parallel distribution network, including warehouses, both in the UK and in the EU, thus eliminating the need to send goods back and forth.

Another point to be borne in mind in the context of export control is that a delivery of goods to the UK now no longer constitutes an intra-European shipment, which means that export licences may be required. Companies therefore also need to check their products as to their export control classification before shipping them to the UK.

Taxes

There are also (minor) changes with regard to (import) VAT, as the EU-UK Agreement does not address the issue of (import) VAT.

After leaving the EU, the UK will therefore now be treated as an ordinary third country. VAT is no longer levied on deliveries from an EU country to the UK, as these are to be treated as tax-exempt export deliveries in accordance with §§ 4 No. 1a German Turnover Tax Act [Umsatzsteuergesetz, UStG] in conjunction with 6 UStG. On the other hand, the UK now levies an import VAT, albeit that this - due to national regulations - mainly affects imports of goods with a value of more than GBP 135. This is likely to require, in particular, VAT registration in the UK. Conversely, i.e. for imports from the UK into the EU, the usual regulations on import VAT for deliveries from third countries apply. This means that import VAT is incurred when the goods cross the border, but - as usual - this can be economically neutralised within the framework of the input tax deduction.

The topic of excise duties was also not regulated in the EU-UK Agreement. Under excise law, it is no longer possible to send or receive excisable goods directly between the EU and the UK as corresponding transactions are to be treated as customs exports or imports, which means that European customs law applies, the customs declaration obligations apply and, in case of doubt, excise duty must be paid when crossing the border.

Dr. Hanna Schmidt, Mareike Heesing LL.M. (Köln/Paris I), Elmar Krüsmann

back...

3. 10, 4 million euros in fines: Unauthorized video surveillance in retail  

The Data Protection Commissioner of Lower Saxony [Landesbeauftragte für den Datenschutz Niedersachen, LfD Niedersachsen] announced on 8 January 2021 that she had imposed a fine of €10.4 million euros on notebooksbilliger.de AG.

The company had monitored its employees without any legal basis for doing so. The fine is the first known case of application of the Guidance on Video Surveillance of Non-Public Bodies [Orientierungshilfe zur Videoüberwachung privater Stellen] published by the Data Protection Conference [Datenschutzkonferenz, DSK] in July last year. There, the DSK had taken an extremely strict stance, especially with regard to employee data protection, a great deal of which has not been confirmed by the courts, however. Hence, it remains to be seen whether or not the fine (in this amount) will be upheld.

According to notebooksbilliger.de AG, it has already lodged an objection and announced that it will take legal action against the fine, if necessary.

Video surveillance at notebooksbilliger.de AG

According to the Data Protection Commissioner of Lower Saxony, the video cameras installed by notebooksbilliger.de AG had recorded workplaces, sales rooms, warehouses and common areas, among other things. The aim of the surveillance was to prevent and solve crimes and to trace the flow of goods in the warehouses. The monitoring had neither been limited to a certain period of time nor to specific employees. Finally, in many cases, the records had been stored for 60 days.

Data Protection Commissioner follows strict guidance of the DSK

In the opinion of the Data Protection Commissioner of Lower Saxony, the purposes given by notebooksbilliger.de AG for the video surveillance cited were not sufficient to justify it. Companies should first consider milder means of preventing theft.

Video surveillance to detect criminal offences is only lawful if there is reasonable suspicion against specific persons. Only in such a case can it be permissible to monitor these persons with cameras for a limited period of time. The retention of records for a period of 60 days is significantly longer than necessary.

As expected, the authority’s arguments adopt the DSK’s position from its guidance on video surveillance. This states with regard to the surveillance of employees, in reference to § 26 (1) sentence 2 German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG], that surveillance in order to disclose criminal offences can only be permissible in case of a concrete suspicion.

As far as the retention period is concerned, according to the guidance, only a period of 72 hours is regularly required to establish that a relevant incident has occurred and to prevent the deletion of the relevant video sequences.

Legal situation not yet clarified

However, the argumentation of the Data Protection Commissioner of Lower Saxony is by no means uncontroversial in the legal literature and case law:

In addition to the cases of a temporary monitoring of employees in the event of the concrete suspicion of a criminal offence (§ 26 (1) sentence 2 BDSG), conduct and performance checks of employees - and thus in principle also video surveillance - can be based on § 26 (1) sentence 1 BDSG or Article 6 (1) lit. f GDPR. On grounds of these provisions, such conduct and performance checks may be permissible on the basis of a balancing of interests. According to Supreme Court jurisprudence, the limit is definitely reached where there is a complete monitoring, without grounds and without interruption, which allows comprehensive movement and performance profiles to be drawn up.

In certain cases, it is justifiably questionable whether video surveillance can be regarded as uninterrupted, complete monitoring: for example, if video recordings are only evaluated in the case of a concrete and previously defined reason and further technical and organisational measures - in particular encrypted storage and automatic overwriting after expiry of the defined storage period - are taken and only the video sequences in question are viewed.

In all events, all-encompassing video surveillance is not advisable, because this leaves no areas for employees to withdraw.

The view of the supervisory authorities on the maximum permissible storage period, however, contradicts the case law of the Federal Labour Court [Bundesarbeitsgericht - BAG]. The German Federal Labour Court recently ruled in a decision of 23 August 2018 (docket No.: 2 AZR 133/18, margin No. 33) that even storage periods of several months may be permissible.

Calculation of the fine

The amount of the fine is based on the DSK's concept for the calculation of fines in proceedings against companies (we reported on the calculation of fines in our newsletter). The basis for the calculation is worldwide group sales. This can lead to very high fines, especially for large companies, even if the underlying data protection breach is classified as "minor" by the supervisory authority.

Because of this discrepancy between fault and the amount of fines, case law has been sceptical about the supervisory authorities’ new practice of imposing fines. The Regional Court of Bonn ruled by decision of 11 November 2020 (docket No.: 29 OWi 1/20) that a fine of EUR 9.55 million that had been imposed on 1&1 Telecom GmbH by the Federal Commissioner for Data Protection and Freedom of Information [Bundesbeauftragte für Datenschutz und Informationsfreiheit] be reduced by approximately 90% to EUR 900,000.

It therefore remains to be seen whether the supervisory authorities will be able to adhere to their approach to fines in the long term or whether an adjustment will be necessary.

Practical implications

The case shows that the supervisory authorities perceive the topic of video surveillance as a particularly sensitive area, especially when employees are involved. Companies should take the decision as an opportunity to check the compliance of the video surveillance they use with data protection law. In many cases, compliance with the strict requirements of the German supervisory authorities is likely to be difficult. In this case, companies need to find a risk-appropriate solution by implementing tailor-made technical and organisational measures.

Marco Degginger

back...

4. Draft law on the implementation of the EU Directive on the Supply of Digital Content and Digital Services published

With Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on Certain Aspects of Contracts for the Supply of Digital Content and Digital Services, the European legislator aims to close the current regulatory gap in EU consumer law regarding certain aspects of contracts for the supply of digital products. The Directive should be transposed into national law by the EU member states by 1 July 2021.

On 13 January 2021, a government bill was published on the implementation of the Directive, which is to be presented to the Bundestag for decision in the near future. The innovations envisaged by the bill are to find their way into law essentially through the newly inserted §§ 327 to 327u BGB-RegE. 

New rules for contracts for digital products

The new rules relate to contracts between entrepreneurs and consumers for the supply of digital products on a payment basis.

According to recital 19 of the above-mentioned EU Directive, digital products are computer programmes, applications, video files, audio files, music files, digital games, electronic books and other electronic publications, as well as digital services that enable the creation, processing or storage of, and access to, data in digital form, including software-as-a-service, such as the sharing of video or audio content and other forms of file hosting, word processing or games offered in a cloud computing environment and on social media.

The new regulations not only cover consumer contracts in which the consumer pays a price for a service, but also in cases where he owes data as counter-performance (§ 327 BGB-RegE). For example, according to recital 24 of the EU Directive, this also covers registration in a social network where users have to provide their name and e-mail address and this data is used not only for access to the social network but also for the provider's own further purposes (such as advertising).

What should digital product providers be aware of?

It is likely that the government bill will be passed in its published form, as the government bill closely follows the EU Directive. If the bill is adopted, providers of digital products for consumers must, in particular, comply with the following obligations:

• Creation and supply of updates required to maintain the contractual conformity of the digital product (§ 327f BGB-RegE). For example: removal of security gaps or malfunctions or adaptation to new technical standards. Insofar as the provider is not the manufacturer of the digital products itself, there is the possibility of recourse if the manufacturer does not provide updates.
  
  Relevant period: in the case of continuing obligations, the consumer is entitled to necessary updates for the entire period of the provision. In the case of a one-off provision, the update obligation extends over a "period of time that can be expected by the consumer, given the nature and purpose of the digital products and taking into account the circumstances and the nature of the contract". Consequently, it must be decided on a case-by-case basis how long updates mandatorily have to be provided. In principle, the basis to be taken will likely be the usual term of use and application of the digital product. Recital 46 of the EU Directive states that the minimum warranty period to be considered is two years. It remains to be seen whether case law can help in setting clearer boundaries and timeframes insofar.
  
  The updates can be provided, for example, by means of a download facility.

• Informing the user about updates, installation instructions and possible consequences of a failure to install updates. Only if the supplier, in addition to providing the updates, also properly informs the consumer, can it exculpate itself from liability in the event of the user’s failure to install the update (§ 327f (2) BGB-RegE).

In addition to these obligations, the supplier of digital products should review its own contracts or terms and conditions of use and adapt them in individual cases. In this context, particular reference should be made to the provision in § 327r BGB-RegE. According to this, the supplier may only change the digital products after contract conclusion if, among other things, the right to make subsequent changes is regulated in the contract. 

What else does the government bill envisage?

In the contract model "digital products against data", Section 327q BGB-RegE fortunately clarifies that the entrepreneur can terminate the contract if the consumer revokes his consent to data processing or objects to it and the entrepreneur cannot reasonably be expected to continue the contract. However, the entrepreneur is not entitled to any further damage claims in this case.

We are monitoring the further legislative process and will report on further developments.

Jörn Kuhn

back...

5. Interfaces to emplyoment law

Although employment law is largely defined by topics concerning corona, there are also news not related to corona. For example, the legislator has introduced a government bill for so-called platform workers (including crowdworkers). Additionally, the draft of the German Act Strengthening the Works Council [Betriebsrätestärkungsgesetz], which was also presented at the beginning of this year, addresses questions of co-determination in cases of artificial intelligence.

Platform work

In its eagerly anticipated ruling of 1 December 2020, the Federal Labour Court confirmed the employee status of a supposedly self-employed crowdworker. This was the first time the court has commented on the controversial legal classification of this form of employment (docket No.  9 AZR 102/20). A summary of the judgement and what this means in practical terms can be found here (Crowdworker - Neue Risiken der Scheinselbständigkeit - Oppenhoff).

Shortly before the decision of the Federal Labour Court, the Federal Ministry of Labour and Social Affairs [Bundesministerium für Arbeit und Soziales, BMAS] had presented a key issues paper on fair work in the platform economy. The aim of the BMAS is to strengthen the rights of crowdworkers and at the same time to increase the accountability of the platform operators.

Among other things, the proposal provides for the inclusion of crowdworkers in the statutory pension insurance and for platform operators to participate in the payment of contributions. In addition, the BMAS is examining how accident insurance coverage can be improved. The proposal that crowdworkers should in future be able to organise themselves and jointly negotiate conditions with the platforms deserves particular attention. In addition, a shift of the burden of evidence aims to facilitate the clarification of employee status and minimum notice periods are to be stipulated.

The dependence of crowdworkers on individual platforms is to be fundamentally limited, for example by allowing them to take assessments to other platforms. Information on the further proposals of the BMAS can be found here: BMAS - Neue Arbeit fair gestalten.

German Act Strengthening the Works Council

At the end of 2020, the BMAS presented a draft bill to promote works council elections and strengthen the works councils [Betriebsrätestärkungsgesetz]. To the extent relevant here, two points in the proposed legislation should be highlighted:

The draft bill addresses the question of the use of artificial intelligence (AI) at operational level. For example, in future the employer will have to consult with the works council if it wishes to use AI. According to the BMAS, the aim is to strengthen employees’ confidence and acceptance when introducing and using AI by involving the works councils at an early stage. The draft bill also highlights that the works council can call in external experts in the field of information and communication technology, at the employer's expense. In addition, the applicability of the rights of the works council is also to be secured in cases where AI is used when selecting personnel or if it is used in a supporting capacity.

The draft bill also extends the works council's participation rights with regard to the structuring of mobile work, particularly in the home office. The aim is to be able to create uniform and binding regulations that are tailored to the company in order to prevent the typical dangers of mobile work. In future, the works council will therefore have a mandatory right of co-determination regarding the temporal scope and place of the mobile work as well as availability in the home office.

Workplace co-determination was already part of the BMAS's "Mobile Work Act" [Mobile-Arbeit-Gesetz], which was announced prominently last year. Since this government bill is no longer present, after having received clear criticism from all sides, an attempt is now being made to implement co-determination via the Act Strengthening the Works Council, although this also shows that the legislator seems to have forgotten that sufficient co-determination rights already exist today and that the new regulation is therefore superfluous.

Jörn Kuhn, Johannes Kaesbach 

back...

6. Data protection outlook for the year 2021

As in recent years, we can expect important developments in data protection law in 2021. Many of the developments concern international data transfers. We are providing you an outlook on how to handle the ECJ judgement (Schrems II), EU standard contractual clauses for transfers to third countries, EU standard contractual clauses for processors, Brexit and the Council's proposal on the ePrivacy Regulation.

ECJ judgement (Schrems II)

In December, the European Data Protection Authorities presented their draft Recommendations of the European Data Protection Board (EDPB) on the additional safeguards demanded by the ECJ for data transfers to third countries.

It is clear, also according to the data protection authorities, that a supplementation of the EU standard contractual clauses is not sufficient for such transfers, but that further safeguards are needed. A great deal of uncertainty currently prevails, especially concerning the case groups of software-as-a-service cloud services and intra-group transfers mentioned in these Recommendations. The data protection authorities have indicated that they currently do not deem such transfers to be permissible.

The data protection authorities in Germany have announced that companies that continue to use cloud services in the US are probably doing this without a legal basis, and that the data protection authorities will feel compelled in future to sanction such data processing.

Unfortunately, there is no quick solution on the horizon; only corresponding agreements between the EU Commission and the US government can promise lasting relief here.

New EU standard contractual clauses for data transfers to third countries

Also in December 2020, the EU Commission published a draft for new EU standard contractual clauses for data transfers. This not only contains stricter clauses to implement the ECJ judgement (Schrems II), but also many positive developments for companies (we reported) (see here).

The EDPB, together with the European Data Protection Commissioner, has now also issued an opinion on this matter. Now, the European Commission intends to revise and adopt the standard contractual clauses in the first quarter of 2021.

Companies should therefore prepare to use the new contractual clauses and amend existing contractual clauses accordingly.

New EU standard contractual clauses for processing operations

The EU Commission has presented a draft standard contract for processing operations, which the EDPB and the European Data Protection Commissioner have also commented on.

From the point of view of German users, this detailed draft should help to enforce the contract clauses which are already standard in Germany and which are more detailed than those in other EU countries. However, it is to be feared that the adaption of existing contracts will give rise to a great deal of work.

Brexit

The Brexit Agreement does not yet contain any agreement on the topic of data protection. In this respect, the EU Commission and the British government have agreed that the UK is not currently considered a third country for the purposes of the GDPR. However, unless a subsequent regulation can be agreed by 30 June 2021 at the latest, in particular the recognition of the UK as a safe third country for data transfers, this will be the case.

The EDPB has pointed out the main consequences: if the UK has the status of a third country, the requirements of Art. 44 et seq. GDPR, in particular the need to conclude standard contractual clauses, apply. The collaboration between the supervisory authorities already came to an end on 1 January 2021 and the British authority ICO can no longer be the lead regulator. However, UK businesses may still be subject to the provisions of the GDPR (via Art. 3 GDPR) and must comply with the relevant obligations, e.g. appoint representatives.

In this respect as well, companies must be prepared to take action.

Progress on the ePrivacy Regulation

Under the Portuguese Presidency, the European Council has now adopted a unified position on an ePrivacy Regulation. In addition to the area of data retention, which shall remain possible, the disputed regulations primarily concern the use of cookies and other forms of user-tracking on the internet. In the new Council draft, so-called "cookie walls", which in particular make the offers of media services dependent on consent to cookies, are to be permissible. Additionally, in certain cases, personal data may be further processed for other purposes without the users’ consent.

The draft has already provoked considerable opposition from data and consumer protection groups. We will present a more detailed analysis of the scope of this draft in our next newsletter. However, these proposals to ease the burden on businesses do not yet mean that they will become law. For now, the negotiations in trialogue with the European Parliament and the EU Commission are pending, both of which are committed to raising the level of data protection.

We therefore do not expect the new ePrivacy Regulation to enter into force any time soon. 

Jürgen Hartung

back...

Back to list