This past summer, a decision of the Stuttgart Regional Court became known by the name #XINGGATE. In its decision (LG Stuttgart, decision of June 27, 2014 – file number: 11 O 51/14), the court held XING profiles to be independent telemedia, to which § 5 Telemediengesetz, the German Law on Telemedia (TMG) applies, meaning that personal XING profiles have be equipped with a masthead under German law.
If private persons use social networking services (e.g. Facebook, Twitter, GooglePlus) in the Internet these days, hardly anyone might think about legal obligations for these users under the current data protection regime. Why should natural, private persons be considered “data controllers” in the sense of Art. 2 (d) of the European data protection directive (95/46/EC), if they share photos or write comments? They are only acting in a private and personal capacity. Well, this view might be true from a factual perspective. But with regard to European data protection law, already in a 2009 opinion (PDF), the Article 29 Working Party (an independent European advisory body on data protection, formed by representatives of European data protection authorities) held that “a high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller”. Conclusion: if you share a photo, name etc. with many people on Facebook, you might be a data controller in the eyes of data protection authorities and would therefore have to proof the lawfulness of the respective data processing operation.
The household exception
The so called “household exception” is enshrined in Art. 3 para 2 of the European data protection directive: “This Directive shall not apply to the processing of personal data by a natural person in the course of a purely personal or household activity”. The European Court of Justice, in its famous “Lindqvist”-decision (C-101/01), held that this exception must be interpreted as “relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. This interpretation (of a law enacted in 1995) does of course not reflect the actual circumstances in our digitized world.
Help is on its way?
As many of our readers will know, the future European General Data Protection Regulation (GDPR) is currently negotiated by European member states in the Council of the European Union (Council). After the European Commission presented the draft to the GDPR in January 2012 and the European Parliament adopted its position in March 2014, the Council of the European Union is the last institution to examine the draft law, before informal tripartite meetings (Trilogue) between the three institutions may begin.
In a recently published Council document (PDF), recital 15 of the GDPR has been amended in a way that might significantly extent the scope of the household exception. The Council included the following second sentence in the recital: “Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities”. If a user shares personal data with a large number of people, this might very likely fall under the notion of “social networking activity”. But would this activity still be considered to be “personal”? To answer this question, one has to examine the (also amended first sentence of recital 15): “This Regulation should not apply to processing of personal data by a natural person in the course of a personal or household activity, and thus without a connection with a professional or commercial activity”. So, as long as a private user shares photos or posts comments in a social network that contain personal data, this data processing operation shall be regarded as being “personal” if there is no connection to his or her commercial or professional activity, even if an undefined number of persons would be able to read or access this information. Of course, these amendments to the GDPR are only proposals by the Council and might not make it into the final version of the law. Nevertheless, it’s recognizable that the Council tries to extent the scope of the household exception and to exclude data processing operations by private persons from the legal obligations of the GDPR.
The ‘Internet of Things’ is one of the current buzzwords in the international data protection sphere. In the future, more and more home appliances will have a connection to the Internet and will serve as sensors in our homes, facilitating our life as one may for example turn on the heating via an app while driving home at night from the office.
Not only will we see more and more smart devices in our homes, but also car manufacturers are increasing their efforts for future solutions of the next generation of smart cars. At this year’s CeBit in Hannover, privacy issues surrounding the smart car were one of the top themes. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother”, said Martin Winterkorn, Chairman of the Volkswagen Group, at the opening ceremony.
Under German copyright law, injunctive reliefs are subject to the condition of danger of repetition. Such danger is assumed once a copyright infringement occurred, but it is eliminated, if the infringer signs a declaration of discontinuance with a penalty clause (in German “strafbewehrte Unterlassungerklärung”) within the set deadline. The Higher Regional Court of Hamburg (OLG Hamburg, decision of October 16, 2014 – file number: 5 U 39/13) now held that such declaration of discontinuance is insufficient, if it includes a so-called potestative clause, i.e. the declaration is subject to the claimant proving his authorship.
And if so; May they be recorded? – The German Federal Court of Justice (BGH) in its decision dated October 28, 2014, court ref. VI ZR 135/13 referred to the to the European Court of Justice (ECJ) for a preliminary ruling regarding the interpretation of the EU Data Protection Directive concerning the definition of the term “personal data” therein and recording of dynamic IP-addresses. Continue reading
The European Court of Justice (ECJ) has stated that framing of content (such as embedding Youtube videos or other content on blogs and other websites via link) does not violate the copyright of the author of the respective content. In particular, such framing is not considered a “making available to the public” according to the European directive on copyright in the Information Society (2001/29/EC) and section 19a of the German Copyright Act (“UrhG”). However, it can be derived from the court ruling that this applies only if the reproduction is not meant for a new audience and does not use a different reproduction technique.
Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only few German data protection authorities published recommendations on how or which kind of technical or organizational measures should be implemented, if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken.
The Higher Regional Court of Cologne (OLG Köln) held in its decision (court ref. 6 U 205/13) dated September 5, 2014 that the title of a mobile app can enjoy protection against similar titles for similar services. However, the claimant who is the operator of a German weather information website that runs under the domain <wetter.de> and an app with identical content also titled <wetter.de> cannot prohibit the use of the title <wetter DE> or <wetter-de> for a similar weather app by the defendant. Continue reading
Commercial WLAN operators will soon be certain about when and in how far they are liable for violations of third party rights by their users. The District Court in Munich (7 O 14719/12) has stayed the proceedings in a pending litigation and has submitted questions to the European Court of Justice (ECJ).
Inter alia, the court asks the liability privilege regulated in the European e-commerce directive and the German Teleservices Act (“Telemediengesetz” – TMG) is to be interpreted in a way that claims for injunctive relief, damage claims, and claims for the reimbursement of costs for warnings and court proceedings are excluded against the WLAN-operator in general or at least with regard to the first violation of third party rights. According to the respective provisions in the directive and the TMG; access providers are not responsible for the information submitted through their services.
The fundamental right to the protection of personal data as enshrined in Art. 8 (1) of the Charter of Fundamental Rights of the European Union (PDF) as well as the right to informational self-determination, derived from Art. 2 (1) and 1(1) of the German Constitution are not exclusive right of adults. Also children’s personal data are protected by these fundamental rights and consequently by the European Data Protection Directive (Directive 95/46/EC) or the respective national laws.
But if it comes to the practical compliance for companies, for example if you want to develop an app for children, European data protection laws currently will leave providers alone with an answer to the question, when a consent by minors might serve as the legal basis for the processing of their data. Continue reading
On February 14th, 2013 the Administrative Court of Schleswig held in two decisions that German data protection laws do not apply to data processing by Facebook (file numbers 8 B 60/12 and 8 B 61/1). Continue reading
In the case laid before the Federal Supreme Court (Bundesgerichtshof; BGH) the court primarily had to decide about the liability of the administrative contact of the domain dlg.de. However, in the obiter dictum, the court also held under which circumstances a foreign company is entitled to use a .de-domain. Continue reading
Last week, quite a few lawyers were more than surprised when they heard about a recent Higher Regional Court of Munich decision dealing with the question of how to get prior consent from recipients of advertising e-mails (decision of September 27, 2012, docket no. 29 U 1682/12). Before, the matter had seemed to be fairly settled but now new questions arise. Continue reading
Last week, several German political leaders, members of the federal administration, academics, IT-businessmen and other members of the German society met in Essen for the 7th National IT-Summit. The summit is an invite-only conference being held once a year by the German Federal Ministry of Economics and Technology. It forms the end and new beginning of an ongoing discussion between the members of the six working groups and several sub-working groups to develop a nation-wide (political) IT-strategy for Germany. Continue reading
It‘s easy to be a unfair competition law violator in Germany. Just operate an eBay shop or deal on Amazon’s market place and use their default settings when informing your customers on how long it will take to get the goods delivered to their homes. In all seriousness, that is what the Bremen Court of Appeals has effectively decided in a judgment in early October. Continue reading
According to German jurisdiction, WLAN-operators can be held liable for online-infringements on third parties’ rights committed via their connection to the internet. That is, unless the operator duly fulfills his obligation to make sure such infringements cannot and will not be committed via his connection. This also applies to WLANs operated in cafés, bars, hotels and similar places. In all these places, the WLAN operator basically has to check what his customers do online and to oblige them to act according to law. Continue reading
I have just stumbled upon the Information Commissioner’s Office’s page that informs the British public on the monetary penalties that the ICO has handed down over the last 1 ½ odd years: 26 penalties of about £ 120,000 on average. Not that that kills any of the public authorities and private companies involved (and nor should it). But it shows that where the ICO believes that a breach is serious enough to warrant a monetary penalty the penalties are not only symbolic but designed to at least sting a bit. Continue reading