If private persons use social networking services (e.g. Facebook, Twitter, GooglePlus) on the Internet these days, hardly anyone might think about legal obligations for these users under the current data protection regime. Why should natural, private persons be considered “data controllers” in the sense of Art. 2 (d) of the European data protection directive (95/46/EC), if they share photos or write comments? They are only acting in a private and personal capacity. Well, this view might be true from a factual perspective. But with regard to European data protection law, already in a 2009 opinion (PDF), the Article 29 Working Party (an independent European advisory body on data protection, formed by representatives of European data protection authorities) held that “a high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller”. Conclusion: if you share a photo, name etc. with many people on Facebook, you might be a data controller in the eyes of data protection authorities and would therefore have to prove the lawfulness of the respective data processing operation.
The household exception
The so-called “household exception” is enshrined in Art. 3 para 2 of the European data protection directive: “This Directive shall not apply to the processing of personal data by a natural person in the course of a purely personal or household activity”. The European Court of Justice, in its famous “Lindqvist” decision (C-101/01), held that this exception must be interpreted as “relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. This interpretation (of a law enacted in 1995) does not, of course, reflect the actual circumstances in our digitized world.
Help is on its way?
As many of our readers will know, the future European General Data Protection Regulation (GDPR) is currently being negotiated by European member states in the Council of the European Union (Council). After the European Commission presented the draft of the GDPR in January 2012 and the European Parliament adopted its position in March 2014, the Council of the European Union is the last institution to examine the draft law, before informal tripartite meetings (Trilogue) between the three institutions may begin.
In a recently published Council document (PDF), recital 15 of the GDPR has been amended in a way that might significantly extend the scope of the household exception. The Council included the following second sentence in the recital: “Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities”. If a user shares personal data with a large number of people, this might very likely fall under the notion of “social networking activity”. But would this activity still be considered to be “personal”? To answer this question, one has to examine the (also amended) first sentence of recital 15: “This Regulation should not apply to processing of personal data by a natural person in the course of a personal or household activity, and thus without a connection with a professional or commercial activity”. So, as long as a private user shares photos or posts comments in a social network that contain personal data, this data processing operation shall be regarded as being “personal” if there is no connection to his or her commercial or professional activity, even if an undefined number of persons would be able to read or access this information. Of course, these amendments to the GDPR are only proposals by the Council and might not make it into the final version of the law. Nevertheless, it is recognizable that the Council is trying to extend the scope of the household exception and to exclude data processing operations by private persons from the legal obligations of the GDPR.
Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only a few German data protection authorities have published recommendations on how or which kind of technical or organizational measures should be implemented if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken.
Until last year, the right to be forgotten used to be an idea of Viktor Mayer-Schönberger, an Austrian law professor. He suggested – and probably still suggests – providing a “best before date” for data that is electronically saved. After the expiration of the date, the data would be automatically deleted by the application or computer system. Last year, the idea – or a modification thereof – became part of a draft regulation of the European Commission.
Today the Hamburg Regional Court opened the trial in Max Mosley’s lawsuit against Google Inc. over violation of his right of personality. The plaintiff wants Google to filter out compromising pictures from its search results.
During last week’s 69th German Legal Colloquium the association’s members discussed – amongst other topics – the future of IT-law in Germany (you can find all the decisions here – in German). Their decisions on how to fight cyber crime, data protection and liability are supposed to initiate legal reforms. In some cases, you hope the legislator won’t feel inclined.
The following is certainly not really a matter of IT-Law but I bet you will find it interesting anyway.
This post is about a lawsuit Pope Benedict XVI started against Titanic (nice case reference, isn’t it?), a well-known German satire magazine. We all expected a hearing to take place today at the Hamburg Regional Court – but it was canceled just last night, as the Pope had withdrawn his petition.
A lot has already been written on whether this case is an example of censorship or some kind of litmus test for the freedom of speech in Germany. I don’t think that this is really what makes the case so interesting. I believe that the question we should discuss is whether a pope should defend his personality rights by going to a civil court.
As a blogger you are always happy to receive feedback from your readers. So I was really pleased when shortly after posting my recent comments about the CJEU’s UsedSoft decision, the E-Commerce Law Reports approached me to ask whether I could write a more detailed article about the case for their August 2012 issue. Recently published, this issue also contains a number of other fascinating contributions by colleagues from around the world on a variety of important topics such as the online collection of consumer data, search engines’ liability for misleading search results, the cloning of games, advertising on Twitter, etc. Check it out: http://www.e-comlaw.com/e-commerce-law-reports/
Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in its guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent.