Federal Administrative Court asks ECJ: Who is responsible for data processing on Facebook Fanpages?

With its decision of 25 February 2016, the German Federal Administrative Court referred several interesting data protection questions related to the operation of a Fanpage on Facebook to the European Court of Justice (ECJ) (the whole decision can be accessed here, in German). The case number at the ECJ is C-210/16. Since there is not yet an English version of the reference for a preliminary ruling, you will find below a rough translation of some of the questions referred.

Adblocker detection scripts vs. Article 5 (3) of the ePrivacy Directive: A German law take

It appears that we may be about to experience a new phase in the life of Article 5 (3) of the ePrivacy Directive as amended in 2009, as brief as it may possibly be as a result of the coming Regulation and the revisions that the ePrivacy Directive may be subject to in its wake.

Twitter privacy activist Alexander Hanff has been able to attract considerable attention (such as here and here) for his position that client-side scripts used by publishers to detect AdBlockers used by their (would-be) readers are in conflict with said Article, posting on Twitter a letter from Günther Oettinger’s team in the EU Commission that, according to him, confirms his position.

https://twitter.com/alexanderhanff/status/722861362607747072

Aside from the slightly amusing twist that the Commission, in making reference in the same letter to add-ons or plug-ins expressing a user’s preference regarding, for example, whether or not he or she accepts the storage of information on his/her “terminal equipment”, appears to overlook that adblockers have to be detected first before they can be “respected” as conveying a preference, we shall have a brief look at how things would play out under German law, as it is in place at this time.

Why B2B is not necessarily always B2B when it comes to consumer protection

Online shops that officially trade as B2B shops must comply with European consumer protection regulations or actually make sure that only business customers can place orders in the shop. In order to ensure that consumers do not use the shop, it is not sufficient to provide the respective disclaimer on the website. This was recently ruled by the Regional Court in Dortmund.


“Hyperlink does Not Constitute a Copyright Infringement”

Under Article 3 (1) of Directive 2001/29/EC on the “harmonisation of certain aspects of copyright and related rights in the information society”, legally communicating copyrighted works to the public depends on the copyright holder’s authorization.


German DPAs “leak” EU-US Privacy Shield assessment by European Authorities

On 6th and 7th April 2016, the German Data Protection Authorities (“DPAs”) met to discuss several current privacy topics.

One point on the agenda was, of course, the assessment of the proposed EU-US Privacy Shield (the successor of the Safe Harbor regime). Currently, the European Data Protection Authorities (the so-called “Article 29 Working Party”) are finalizing their common position on the proposed adequacy decision by the European Commission (pdf).

Today, the resolution of the DPAs for the mandate of the German representatives in the Article 29 Working Party has been published (German, pdf).

Facebook and the abuse of market power or the German Federal Cartel Office as data protection authority

The German Federal Cartel Office (Bundeskartellamt) started preliminary proceedings against Facebook in early March, trying to find out whether Facebook was misusing its market power to enforce abusive terms and conditions because of alleged data protection law violations. What sounds like just what antitrust authorities do may in fact have a huge impact on Facebook and how it behaves towards its users.


German Regional Court: Consent necessary when implementing the Facebook Like-Button

On 9th March 2016, the Regional Court of Dusseldorf issued its ruling (pdf, German) in a proceeding between the consumer protection association of North Rhine-Westphalia and the company Fashion ID which concerned data protection issues surrounding the Facebook Like-Button.

The company had the well-known social plugin included on its website and informed website visitors about the plugin in its privacy policy, which was accessible via a link. In the privacy policy, the company informed that personal data might be transmitted to Facebook and also provided a link to the privacy policy of Facebook. Below I will briefly discuss some aspects of the judgment.

Open Source Software, License Compliance and the OpenChain Working Group

So you set up an open source license compliance program in your company. You educate your employees and you make sure you know how they handle open source software. But what about the software that is supplied to you? Do you know how your supplier handles open source software? Can you trust that they know what they are doing when it comes to open source license compliance?

Watch out: Consumer protection associations may now sue companies for data protection violations

On 24th February, a new law for the civil enforcement of violations of data protection rules specifically protecting consumers entered into force. With this new law, certain provisions of the German Act on Injunctive Relief (Unterlassungsklagengesetz – UKlaG) are amended and also extended.

Previous situation
Until now, consumer protection organizations (e.g. the Federation of German Consumer Organisations – vzbv) were only able to challenge privacy policies of companies under the German Act on Injunctive Relief if the competent court acknowledged that the respective policy could be considered as general terms and conditions (see for example one press release about a recent lawsuit against Facebook, pdf). In general, certain clauses of privacy policies were therefore the target of legal actions if these clauses deviated from the statutory provision of data protection law. Whether personal data were in fact processed in an unlawful way was merely the question.

Private use of the internet and the rights of the employer

Employers may collect browser data of their employees without their approval, if (1) there is reasonable suspicion that the employee uses his (business) computer and/or the office internet improperly and (2) there is no other means to prove this improper use than the collection of browser data (LAG Berlin-Brandenburg, Urt. v. 14.01.2016 – 5 Sa 657/15).


MFM fee recommendations and the license analogy method

Rightholders are entitled to damages when their photographs are used by third parties who have not been granted the necessary rights of use. Under German copyright law, damages are calculated according to the so-called license analogy method. This method assumes a fictitious license agreement upon reasonable conditions between the rightholder and the infringer. The rightholder then receives monetary compensation amounting to the royalties the parties would have reasonably agreed on.

On “warranty” and “Gewährleistung”

When drafting and negotiating technology agreements of almost any sort between German companies and US or UK companies (or companies from other common law based countries), particularly on software, one of the various Groundhog moments that one experiences is the never-ending discussion on everything that is “warranty”.

Smart Cars: Industry and German authorities agree on certain aspects of data protection

On 26th January 2016, the conference of the German data protection authorities and the German Association of the Automotive Industry (VDA) agreed on a joint statement (PDF, in German) concerning aspects of data protection relating to the usage of smart cars.
According to the parties, smart cars and the advancing digitalization in cars create advantages (safety and comfort) but also risks for the personal rights of individuals. The German authorities and car manufacturers agreed inter alia on the following aspects:

1. Personal data: During the use of modern cars, data is created constantly. Particularly by using additional information, this data created by smart cars can be attributed to the car owner or to the driver and be considered “personal data” in the sense of European data protection law. Data created during the usage of a vehicle is at least considered “personal data” within the meaning of the Federal Data Protection Act (Act), if it is linked to the vehicle identification number or the license plate.

Filesharing reloaded

The Higher District Court in Munich (the “OLG”, 29 U 2593/15) revisited the evergreen topic “filesharing”. It ruled that, in case of an alleged copyright infringement, the owner of an internet connection has to present all known facts with regard to the infringer, even if such infringer is a family member. If the owner of the internet connection does not do so, he will be liable himself.

German DPAs: Situation regarding consent for cookies is “unacceptable”

In February 2015, the German data protection authorities adopted a resolution with the title “Tracking of user behavior on the Internet” (German).

In this resolution, the authorities urge the German government to finally transpose the standards of European directive 2002/58/EC (the so-called ePrivacy Directive). The authorities are of the opinion that the current German data protection law (especially the German Telemedia Act (Telemediengesetz)) does not correctly implement Art. 5 para 3 of directive 2002/58/EC (in the revised version of directive 2009/136/EC). According to Art. 5 para 3 of the ePrivacy Directive, European “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing”.

ECJ-decision: International jurisdiction in case of copyright infringement on a website

By judgment of 22 January 2015 (C-441/13), the European Court of Justice (ECJ) decided on the interpretation of Art. 5 para 3 of Regulation 44/2001 (Brussels I) on international jurisdiction of courts in a copyright infringement case. According to the ECJ, in case of an alleged infringement of copyrights and rights related to copyright by placing protected photographs online on a website, the court in whose territorial jurisdiction this website is accessible is competent. But this national court has jurisdiction only to rule on the damage caused in the European Member State within which the court is situated.

Protection for protection rights: The Federal Court of Justice on safeguard measures for video games

The German Federal Court of Justice (“BGH”, Videospielkonsolen II) has stated that technical safeguard measures for video games fall under the scope of section 95a (3) nr. 3 of the German Copyright Act (“UrhG”), if such measures (in the case decided: Nintendo DS cards for Nintendo DS games consoles) are specifically designed to prevent illegal copies of the games which are played on the consoles.

District Court of Berlin: Google Germany not responsible for ‘right to be forgotten’-requests

On 21 August 2014, the District Court of Berlin ruled (27 O 293/14, German) that the subsidiary of Google in Germany, Google Germany GmbH, is not responsible for the fulfillment of requests of natural persons under the so-called ‘right to be forgotten’, created by the European Court of Justice (ECJ) in its much-noticed judgment in May 2014 (C-131/12). The Berlin court held that only the American company, Google Inc., can be regarded as the ‘data controller’ in the sense of European data protection law because only Google Inc. is the operator of the search engine. As a consequence, legal actions must be brought against Google Inc., not the subsidiary in Hamburg. Natural persons who want a link to third party websites to be removed from the search result list following a search made on the basis of a person’s name would therefore have to sue Google Inc. and not the European subsidiary.

Creative Commons and “non-commercial” use of works on websites

In a very recent ruling of 31 October 2014, the Higher Regional Court of Cologne (“OLG”) has further defined the scope of “commercial use” within the meaning of the Creative Commons Licenses (de.creativecommons.org). According to the OLG (Az. 6 U 60/14), the use of a picture licensed under the CC-BY-NC 2.0-License to illustrate an article on a radio station’s website is “non-commercial” use within the meaning of the CC-License, even if users pay for the website by paying radio license fees. The OLG further discusses the question of when cutting a picture into shape can be considered as “adaptation” within the meaning of the license.

Do XING profiles require a masthead?

This past summer, a decision of the Stuttgart Regional Court became known by the name #XINGGATE. In its decision (LG Stuttgart, decision of June 27, 2014 – file number: 11 O 51/14), the court held XING profiles to be independent telemedia, to which § 5 Telemediengesetz, the German Law on Telemedia (TMG) applies, meaning that personal XING profiles have to be equipped with a masthead under German law.
