A German court has recently ordered WhatsApp to use German language terms and conditions towards users in Germany (see also here, for example). Or, to be more precise, called upon by a German consumer protection agency the Kammergericht, the appellate court for the district of Berlin, has, amongst other things, decided that using English language terms and conditions for user agreements to be concluded between WhatsApp and users in Germany is in violation of a certain provision of the German Civil Code that demands there to be transparency when using pre-worded terms and conditions towards consumers. So, if you allow the pun, what’s up with that? Continue reading
Author Archives: Julian Hoeppner
Patrick Breyer v Federal Republic of Germany: Dynamic IP addresses = Personal Data? And Is German Data Protection Law too Restrictive?
Today, Attorney General Campos Sánchez-Bordona has delivered his Opinion in the Patrick Breyer v Federal Republic of Germany case before the ECJ (C-582/14; you can find the Opinion here in just about any language except English)).
We recall: The Bundesgerichshof (the highest court in Germany for all civil and criminal matters) submitted to the ECJ the following two questions:
“Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1 — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”
“Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”
Adblocker detection scripts vs. Article 5 (3) of the ePrivacy Directive: A German law take
It appears that we may be about to experience a new phase in the life of Article 5 (3) of the ePrivacy Directive as amended in 2009, as brief as it may possibly be as a result of the coming Regulation and the revisions that the ePrivacy Directive may be subject to in its wake.
Twitter privacy activist Alexander Hanff has been able to create considerable attention (such as here and here) for his position that client side scripts used by publishers in order to detect AdBlockers used by their (would-be) readers are in conflict with said Article, posting on Twitter a letter from the Günther Oettinger’s team in the EU Commission that, as per him, confirms his position.
https://twitter.com/alexanderhanff/status/722861362607747072
Aside from the slightly amusing twist that the Commission, in making reference in the same letter to add-ons or plug-ins expressing a user’s preference regarding, for example, whether or not he or she does or does not accept the storage of information on his/her “terminal equipment”, appears to overlook that adblockers have to be detected first before they can be “respected” as conveying a preference, we shall have a brief look at how things would play out under German law, as it is in place at this time. Continue reading
On “warranty” and “Gewährleistung”
When drafting and negotiating technology agreements of almost any sort between German companies and US or UK companies (or companies from other common law based countries), particularly on software, one of the various Groundhog moments that one experiences is the never-ending discussion on everything that is “warranty”. Continue reading
On the Intricacies of German Unfair Competition Law
It‘s easy to be a unfair competition law violator in Germany. Just operate an eBay shop or deal on Amazon’s market place and use their default settings when informing your customers on how long it will take to get the goods delivered to their homes. In all seriousness, that is what the Bremen Court of Appeals has effectively decided in a judgment in early October. Continue reading
Monetary Penalties for Data Protection Breaches: ICO vs. German DP Authorities
I have just stumbled upon the Information Commissioner’s Office’s page that informs the British public on the monetary penalties that the ICO has handed down over the last 1 ½ odd years: 26 penalties of about £ 120,000 on average. Not that that kills any of the public authorities and private companies involved (and nor should it). But it shows that where the ICO believes that a breach is serious enough to warrant a monetary penalty the penalties are not only symbolic but designed to at least sting a bit. Continue reading
YouTube v. GEMA Decision by Hamburg District Court
After having uploaded quite some posts about how liability for third party Internet content works in German law, and having done so in rather abstract terms (in part, admittedly, for shying away from translating dozens of pages of court decisions) here is a good example of how it works in practice. A colleague from Italy has thankfully posted an English translation of the YouTube v. GEMA decision of the Hamburg District Court of April 20, 2012 on his blog. Continue reading
On Liability and Liability Clauses in German Law
When you negotiate agreements between German companies and companies with a – broadly speaking – common law background, especially the U.S., one issue that keeps appearing is the parties’ liability for damages. Groundhog day, if you will.
“Liability” is certainly a difficult legal term to being with, especially as you have to first decide what you are actually talking about when using the word. Continue reading
„Implied Consent“ to Cookies Being Set Suffices in the UK
Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in his guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue to as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent. Continue reading
CNIL’s Sends Second Questionnaire to Google on Google’s New Privacy Policy
Google’s new privacy policy is not that new, as it “went into force” on March 1. It is still big news in data protection terms, though, at least as far as European data protection authorities are concerned. CNIL, commissioned by the Art. 29 Working Party, has now sent a second rather comprehensive questionnaire to Google. Obviously they were not completely sold on Google’s answers to the first set of questions CNIL had sent in March. Continue reading
Tracking and Controlling Your Child’s Mobile Phone Activities
I just came across a post on golem.de (a rather good IT news site – in German only, sadly) about bemilo, a service in the UK that (I quote)
“puts [parents] in full control of [their] child’s mobile service”;
“puts [parents] in the driving seat, 24 hours a day”;
“[gives parents] FULL control [w]ho [their] children can contact and who can contact them, time of das [their] children can use their phone, WHEN they can browse the web”;
“[enables parents to] [r]eview all calls & SMS messages at any time, block bullies at the flick of a switch, control mobile spend with no fuss [emphasis added].”
Do watch the intro on the website. It’s rather, well, unique, besides the fact that it the little toy man in the intro looks suspiciously similar to a typical LEGO design. Continue reading
Germany is Ready for Cloud Computing? Well, if the BSA says so…
According to the Business Software Alliance’s (BSA) “Global Cloud Computing Scorecard”, Germany is ready for the cloud computing age, ranking at a spectacular No. 3, ahead of such cloud computing powerhouses as the United States, Italy and Poland! If you’re interested in the methodology (a word that my spell check has never heard of) uses by the BSA, go here. Either way, the result is interesting. Because, and I know I’m repeating myself, if you ask data protection practitioners in Germany, “ready” is certainly not the term that comes to mind when dealing with the cloud. Continue reading
Art. 82 of the (Draft) General Data Protection Regulation
The (Draft) General Data Protection Regulation being a Regulation it not only aims at fully harmonizing the field of law it covers (as some Directives do) but would achieve that goal by simply being the (only) directly applicable law as far as its reach goes. Plus the Commission’s “empowerment to adopt delegated acts”, of course, which is a rather intriguing idea from a democracy point of view. But that’s another story.
One of the very few areas where the member states are given a certain amount of legislative leeway is set forth in Art. 82 of the Draft Regulation. Continue reading
Direct Effect of the “Cookie Directive” in Germany?
It has been reported that today Mr. Peter Schaar, head of the Federal Commissioner for Data Protection and Freedom of Information, announced at the Data Protection Congress 2012 that is currently held in Berlin that the EU “Cookie Directive” – which has not yet been implemented into German law – has EU law’s “direct effect” (also known as “immediate applicability”), making Art 5 (3) of the Directive directly applicable and effective under German law. He (as reported) added that therefore Art. 5 (3) of the Directive can be applied and enforced by the German data protection authorities in their day to day business. Ooops! Continue reading
Analytics Cookies to Be Exempt from Consent Requirement in France
As reported by DataGuidance, the UK Information Commissioner the enforcement of the “cookie law” will be “pragmatic and realistic” in the UK. “Pragmatic” and realistic”: Sounds good doesn’t it? Doesn’t sound very German, though, does it? As explained here, the cookie situation in Germany is still unresolved, largely due to the (my take on the matter) inability to come up with a draft for transforming the Directive’s into German law that provides for a workable solution the problem. It seems that at least the current government feels uncomfortable to pass a law the wording of which would effectively rule out a good portion of how websites work today.
Even more interestingly, in the same DataGuidance post they report that the French Data Protection Authority (CNIL) will exempt analytics cookies from the new requirement of prior consent. Continue reading
On Facebook Fan Pages
As you may have heard, as per the self-appointedly competent data protection authorities in Germany you may not set up and maintain a Facebook fan page, nor may you embed Facebook plugins into to your web pages (it’s true, read here, here, here, and here). If you do, you’re acting in violation of German data protection law. Continue reading
The “Sopot Memorandum”: Recommendations on Cloud Computing
The International Working Group on Data Protection in Telecommunications, a working group of the International Conference of Data Protection and Privacy Commissioners (no entry in the Wikipedia. Should that make us think?), established and still run by the head of the data protection authority of the federal state of Berlin, has published a working paper with recommendations regarding the use of cloud computing services by companies and public authorities. They’ve called it the “Sopot Memorandum“. Conference pros never fail to pick one of the nicer and more interesting spots to meet, do they?
Starting from the usual analysis (cloud computing is risky with respect to privacy, data protection “and other legal issues”, you know the deal), the Working Group, essentially, recommends: Continue reading
Termination of a Perpetual Software License under German Law
I have just (goes to show how much time I really have to scan the law journals for relevant stuff) stumbled upon a very interesting decision by the District Court of Cologne published in the February edition of Germany’s famed “C&R” (i.e. “Computer & Recht” = “Computer & Law”) regarding the terminability of perpetual software licenses under German law for material breaches of contract. As per the District Court of Cologne the answer is: Sure you can! Which is a bit surprising, really. Continue reading
General Terms and Conditions and What That Means for Localizing Contracts to German Law
When you’re asked to localize contracts coming from a U.S. legal background so that they function under German law two very different legal worlds collide. Things just work differently over here. And things word differently over there. We draft our contracts differently, we use different language (which is why simply having a translator go over your documents just won’t cut it, much less asking uncle Google), our concept of selling and licensing software is nowhere near the “this software is licensed not sold” was of thinking, and so on and so forth. Nothing wrong with that, but it provides for some hard going sometimes.
One of the more peculiar concepts of German contract law is that of or our “Law on General Terms and Conditions” (Google Translator tells me that in English that should be “Legal terms and conditions of” which isn’t even close, so there…). In a nutshell, the idea is this: If, as a company, you work with standard contracts, i.e. a set of contractual documents that you have in your drawer all drafted to best fit your particular interests and ready to pull out for every new customer you want to do business with, the terms and conditions of those contractual documents are subject to the so-called “content control” (we Germans like control, as is well known). Continue reading
EU Cookie Law in Germany
As we are quickly moving towards Germany’s 1st anniversary of non-compliance with the infamous “EU Cookie Directive“, one would expect the legislator to really make a push to get something on paper, right? Well, not so. In fact, there isn’t even a legislative silver lining anywhere to be seen. We have witnessed one draft of a change to the “Telemedia Act” (the place where any transforming the EU’s wisdom into German law would take place) submitted by the federal state of Hessen last year that no one has really talked much about, and one draft submitted by the current opposition in the Bundestag that has now been rebuffed on committee level without before even getting a proper hearing in parliament – without spoiling us by publishing any reasons for the government’s stance, sadly. That said, that’s all good news, really. Continue reading