General Data Protection Regulation: German DPAs demanding more staff and financial resources

On 24 May 2016, the Data Protection Regulation has entered into force. From 25 May 2018 it will be directly applicable in all European Member States. Not only companies or authorities therefore now have two years to adapt their data processing activities to future requirements. The national legislature must consider the applicable data protection regulations in its Member State for compliance with the future regulations.

Against this background, the conference of the independent German data protection authorities (“conference”), in a resolution of 25 May 2016 (German), calls on the German legislator to provide the data protection authorities with more staff and financial resources so they can effectively meet their assigned duties.
Continue reading

No more “Stoererhaftung”?

What was for a long time associated with high liability risks and warning letters from lawyers, will now be made easier by the German government: Free wifi-hotspots.  The German government has decided to modify the so called “Stoererhaftung” – the liability of the operator of a wifi-hotspot for any infringements of law committed through the hotspot. However, even though rumor still has it a few days after the presentation of the draft for the new German Teleservices Act, this does not mean that operators of wifi-hotspots now will not be liable for whatever happens through their hotspot. To speak of a complete abolition of “Stoererhaftung” is a bit too much, at least at the moment.

Continue reading

Patrick Breyer v Federal Republic of Germany: Dynamic IP addresses = Personal Data? And Is German Data Protection Law too Restrictive?

Today, Attorney General Campos Sánchez-Bordona has delivered his Opinion in the Patrick Breyer v Federal Republic of Germany case before the ECJ (C-582/14; you can find the Opinion here in just about any language except English)).

We recall: The Bundesgerichshof (the highest court in Germany for all civil and criminal matters) submitted to the ECJ the following two questions:

“Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1  — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”

“Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”

Continue reading

Add-on Modules under the GPL: “Derivative Works” despite separated distribution

If your add-on modules are dynamically loaded into GPL-licensed software at runtime, you’ll have to license the add-on modules under the GPL’s terms when distributing them along with the GPL-licensed software; it is a clear-cut case of a “derivative work” under the License. The case is less clear, however, if the add-on module is distributed separately from the GPL-licensed software, as may, for example, happen where the recipient has already installed the GPL-licensed software from a different source. Continue reading

Federal Administrative Court asks ECJ: Who is responsible for data processing on Facebook Fanpages?

With its decision from 25. Februrary 2016, the German Federal Administrative Court referred several interesting data protection questions related to the operation of a Fanpage on Facebook to the European Court of Justice (ECJ) (the whole decision can be accessed here, in German). The case number at the ECJ is C-210/16. Since there does until now not exist an English version of the reference for a preliminary ruling, you will find beneath a rough translation of some of the questions referred.
Continue reading

Adblocker detection scripts vs. Article 5 (3) of the ePrivacy Directive: A German law take

It appears that we may be about to experience a new phase in the life of Article 5 (3) of the ePrivacy Directive as amended in 2009, as brief as it may possibly be as a result of the coming Regulation and the revisions that the ePrivacy Directive may be subject to in its wake.

Twitter privacy activist Alexander Hanff has been able to create considerable attention (such as here and here) for his position that client side scripts used by publishers in order to detect AdBlockers used by their (would-be) readers are in conflict with said Article, posting on Twitter a letter from the Günther Oettinger’s team in the EU Commission that, as per him, confirms his position.

https://twitter.com/alexanderhanff/status/722861362607747072

Aside from the slightly amusing twist that the Commission, in making reference in the same letter to add-ons or plug-ins expressing a user’s preference regarding, for example, whether or not he or she does or does not accept the storage of information on his/her “terminal equipment”, appears to overlook that adblockers have to be detected first before they can be “respected” as conveying a preference, we shall have a brief look at how things would play out under German law, as it is in place at this time. Continue reading

Why B2B is not necessarily always B2B when it comes to consumer protection

Online-shops that officially trade as B2B-shops must comply with European consumer protection regulations or make actually sure that only business customers can place orders in the shop. In order to ensure that consumers do not use the shop, it is not sufficient to provide the respective disclaimer on the website. That was recently ruled by the Regional Court in Dortmund.

Continue reading

“Hyperlink does Not Constitute a Copyright Infringement”

Article 3 (1) of Directive 2001/29/EC on the “harmonisation of certain aspects of copyright and related rights in the information society” legally communicating copyrighted works to the public depends on the copyright holders authorization.

Continue reading

German DPAs „leak“ EU-US Privacy Shield assessment by European Authorities

On 6th and 7th April 2016, the German Data Protection Authorities (“DPAs”) met to discuss several current privacy topics.

One point on the agenda has of course been the assessment of the proposed EU-US Privacy Shield (the successor of the Safe Harbor regime). Currently, the European Data Protection Authorities (the so called “Article 29 Working Party”) are finalizing their common position on the proposed adequacy decision by the European Commission (pdf).

Today, the resolution of the DPAs for the mandate of the German representatives in the Article 29 Working Party has been published (German, pdf).
Continue reading

Facebook and the abuse of market power or the German Federal Cartel Office as data protection authority

The German Federal Cartel Office (Bundeskartellamt) has started preliminary proceedings against Facebook in early March, trying to find out if Facebook was misusing its market power to enforce abusive terms and conditions because of alleged data protection law violations. What sounds just like what antitrust authorities do, may in fact have a huge impact on Facebook and how it is behaving against its users.

Continue reading

German Regional Court: Consent necessary when implementing the Facebook Like-Button

On 9th March 2016, the Regional Court of Dusseldorf issued its ruling (pdf, German) in a proceeding between the consumer protection association of North Rhine-Westphalia and the company Fashion ID which concerned data protection issues surrounding the Facebook Like-Button.

The company had the well-known social plugin included on its website and informed website visitors about the plugin in its privacy policy, which was accessible via a link. In the privacy policy, the company informed that personal might be transmitted to Facebook and also provided a link to the privacy policy of Facebook. Below I will briefly discuss some aspects of the judgment. Continue reading

Open Source Software, License Compliance and the OpenChain Working Group

So you set up an open source license compliance program in your company. You educate your employees and you make sure you know how they handle open source software. But what about the software, which is supplied to you? Do you know how your supplier handles open source software? Can you trust that they know what they are doing when it comes to open source license compliance? Continue reading

Watch out: Consumer protection associations may now sue companies for data protection violations

On 24th February, a new law for the civil enforcement of violations of data protection rules, specifically protecting consumers entered into force. With this new law, certain provisions of the German Act on Injunctive Relief (Unterlassungsklagengesetz – UklaG) are amended and also extended.

Previous situation
Until now, consumer protection organizations (e.g. the Federation of German Consumer Organisations – vzbv) were only able to challenge privacy policies of companies under the German Act on Injunctive Relief if the competent court acknowledged that the respective policy could be considered as general terms and conditions (see for example one press release about a recent lawsuit against Facebook, pdf). In general, certain clauses of privacy policies were therefore the aim of legal actions if these clauses deviated from the statutory provision of data protection law. If personal data were in fact processed in an unlawful way was merely the question.
Continue reading

Private use of the internet and the rights of the employer

Employers may collect browser data of their employees without their approval, if (1) there is reasonable suspicion that the employee uses his (business) computer and/or the office internet improperly and (2) there is no other means to prove this improper use than the collection of browser data (LAG Berlin-Brandenburg, Urt. v. 14.01.2016 – 5 Sa 657/15).

Continue reading

MFM fee recommendations and the license analogy method

Rightholders are entitled to damages when their photographs are used by third parties who have not been granted the necessary rights of use. Under German copyright law, damages are calculated according to the so-called license analogy method. This method assumes a fictitious license agreement upon reasonable conditions between the rightholder and the infringer. The rightholder then receives monetary compensation amounting to the royalties the parties would have reasonably agreed on. Continue reading

On “warranty” and “Gewährleistung”

When drafting and negotiating technology agreements of almost any sort between German companies and US or UK companies (or companies from other common law based countries), particularly on software, one of the various Groundhog moments that one experiences is the never-ending discussion on everything that is “warranty”. Continue reading

Smart Cars: Industry and German authorities agree on certain aspects of data protection

On 26th January 2016, the conference of the German data protection authorities and German Association of the Automotive Industry (VDA) agreed on a joint statement (PDF, in German) concerning aspects of data protection relating to the usage of smart cars.
According to the parties, smart cars and the proceeding digitalization in cars create advantages (safety and comfort) but also risks for the personal rights of individuals. The German authorities and car manufacturers agreed inter alia on the following aspects:

1. Personal data: During the use of modern cars, data is created permanently. Particularly by using additional information, this data created by smartcars can be attributed to the car owner or to the driver and be considered “personal data” in the sense of European data protection law. Data created during the usage of a vehicle is at least considered “personal data” within the meaning of the Federal Data Protection Act (Act), if it is linked to the vehicle identification number or the license plate. Continue reading

Filesharing reloaded

The Higher District Court in Munich (the “OLG”, 29 U 2593/15) revisited the evergreen topic “filesharing”. It ruled that, in case of an alleged copyright infringement, the owner of an internet connection has to present all known facts with regard to the infringer, even if such infringer is a family member. If the owner of the internet connection does not do so, he will be liable himself. Continue reading

German DPAs: Situation regarding consent for cookies is “unacceptable”

In February 2015, the German data protection authorities adopted a resolution with the title “Tracking of user behavior on the Internet” (German).

In this resolution, the authorities urge the German government to finally transpose the standards of European directive 2002/58/EC (so called ePrivacy Directive). The authorities are of the opinion that the current German data protection law (especially the German Telemedia Act (Telemediengesetz)) does not correctly implement Art. 5 para 3 of directive 2002/58/EC (in the revised version of directive 2009/136/EC). According to Art. 5 para 3 of the ePrivacy Directive, European “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing”. Continue reading

ECJ-decision: International jurisdiction in case of copyright infringement on a website

By judgment of 22 January 2015 (C-441/13), the European Court of Justice (ECJ) decided on the interpretation of Art. 5 para 3 of Regulation 44/2001 (Brussels I) on international jurisdiction of courts in a copyright infringement case. According to the ECJ, in case of an alleged infringement of copyrights and rights related to copyright by placing of protected photographs online on a website, the court is competent in the district where this website is accessible in its territorial jurisdiction. But this national court has jurisdiction only to rule on the damage caused in the European Member State within which the court is situated.
Continue reading