A sign of confidence: The EU Member States have adopted the EU-U.S. Privacy Shield

In short:

The EU Member States have given their support to the EU-U.S. Privacy Shield, a renewed framework for transatlantic data flows which is meant to replace the old “Safe Harbor”.  The decision of the Member States was mandatory in order to formally adopt the Privacy Shield in the EU.

In opposite to Safe Harbor, the Privacy Shield imposes clear and strong obligations on companies handling the date and makes sure that these rules are followed and enforced in practice. It is the first time that the United States has committed to written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizen’s personal data.

Continue reading

Data flows to the US: Why the EU Model Clauses may soon be no longer state of the art

Not long after the “Safe Harbor” decision and in the same context (data transfer to the US by Facebook) the Irish Data Protection Commissioner has decided to bring the EU-US data flows before the European Court of Justice (CJEU) (again).

Continue reading

WhatsApp ordered by a German court to not use English language terms and conditions towards users in Germany

A German court has recently ordered WhatsApp to use German language terms and conditions towards users in Germany (see also here, for example). Or, to be more precise, called upon by a German consumer protection agency the Kammergericht, the appellate court for the district of Berlin, has, amongst other things, decided that using English language terms and conditions for user agreements to be concluded between WhatsApp and users in Germany is in violation of a certain provision of the German Civil Code that demands there to be transparency when using pre-worded terms and conditions towards consumers. So, if you allow the pun, what’s up with that? Continue reading

No more “Stoererhaftung”?

What was for a long time associated with high liability risks and warning letters from lawyers, will now be made easier by the German government: Free wifi-hotspots.  The German government has decided to modify the so called “Stoererhaftung” – the liability of the operator of a wifi-hotspot for any infringements of law committed through the hotspot. However, even though rumor still has it a few days after the presentation of the draft for the new German Teleservices Act, this does not mean that operators of wifi-hotspots now will not be liable for whatever happens through their hotspot. To speak of a complete abolition of “Stoererhaftung” is a bit too much, at least at the moment.

Continue reading

Why B2B is not necessarily always B2B when it comes to consumer protection

Online-shops that officially trade as B2B-shops must comply with European consumer protection regulations or make actually sure that only business customers can place orders in the shop. In order to ensure that consumers do not use the shop, it is not sufficient to provide the respective disclaimer on the website. That was recently ruled by the Regional Court in Dortmund.

Continue reading

Facebook and the abuse of market power or the German Federal Cartel Office as data protection authority

The German Federal Cartel Office (Bundeskartellamt) has started preliminary proceedings against Facebook in early March, trying to find out if Facebook was misusing its market power to enforce abusive terms and conditions because of alleged data protection law violations. What sounds just like what antitrust authorities do, may in fact have a huge impact on Facebook and how it is behaving against its users.

Continue reading

Watch out: Consumer protection associations may now sue companies for data protection violations

On 24th February, a new law for the civil enforcement of violations of data protection rules, specifically protecting consumers entered into force. With this new law, certain provisions of the German Act on Injunctive Relief (Unterlassungsklagengesetz – UklaG) are amended and also extended.

Previous situation
Until now, consumer protection organizations (e.g. the Federation of German Consumer Organisations – vzbv) were only able to challenge privacy policies of companies under the German Act on Injunctive Relief if the competent court acknowledged that the respective policy could be considered as general terms and conditions (see for example one press release about a recent lawsuit against Facebook, pdf). In general, certain clauses of privacy policies were therefore the aim of legal actions if these clauses deviated from the statutory provision of data protection law. If personal data were in fact processed in an unlawful way was merely the question.
Continue reading

7th National IT-Summit in Essen

Last week, several German political leaders, members of the federal administration, academics, IT-businessmen and other members of the German society met in Essen for the 7th National IT-Summit. The summit is an invite-only conference being held once a year by the German Federal Ministry of Economics and Technology. It forms the end and new beginning of an ongoing discussion between the members of the six working groups and several sub-working groups to develop a nation-wide (political) IT-strategy for Germany. Continue reading

On the Intricacies of German Unfair Competition Law

It‘s easy to be a unfair competition law violator in Germany. Just operate an eBay shop or deal on Amazon’s market place and use their default settings when informing your customers on how long it will take to get the goods delivered to their homes. In all seriousness, that is what the Bremen Court of Appeals has effectively decided in a judgment in early October. Continue reading

Injunctive relief under competition law

Data protection is big in Europe, especially in Germany. It is not possible to process personal data without a data protection law regulation the data processing. And while data protection laws are primarily supposed to protect the individual’s right to determine how his or her data is being processed, data protection has also become a commercial factor. On the one hand, companies are restricted in their ways of advertisement towards their customers. According to section 28 subsection 3 of the Federal Data Protection Act for example, advertisement is dependent on the individual customer’s consent. On the other hand, data protection compliance demands investments in the implementation of data protection standards within the company, for example to lay down the technical and organizational measures demanded by section 9 of the Federal Data Protection Act. Continue reading