German data protection authorities: old consents survive under the GDPR if…

On 14th September, the German data protection authorities (“DPAs”), gathering in the so-called “circle of Düsseldorf”, issued a non-binding opinion (pdf, German) on the question of the lawfulness, under the looming General Data Protection Regulation (“GDPR”), of consents that were obtained under the conditions of the current legal framework.

European Court of Justice rules on applicable data protection law and terms of use

Today the European Court of Justice (ECJ) decided in the case C-191/15 (Verein für Konsumenteninformation vs Amazon EU Sàrl). The ruling sheds light on some interesting questions with regard to consumer protection law and also assesses the European data protection rules on applicable law.

With regard to consumer protection, the case concerned potentially unfair terms in the terms of use of Amazon EU, a company established in Luxembourg. The ECJ clarified that the law applicable to the examination of the unfairness of terms in consumer contracts which are the subject of an action for an injunction (in this case by Verein für Konsumenteninformation) must be determined independently from the law applicable to the action for an injunction itself. National courts might therefore face a situation where they would have to assess the unfairness of certain clauses in terms of use on the basis of the law of another Member State. This result is not entirely surprising, but it is now affirmed by the ECJ in a case concerning e-commerce.

General Data Protection Regulation: German DPAs demanding more staff and financial resources

On 24 May 2016, the Data Protection Regulation entered into force. From 25 May 2018 it will be directly applicable in all European Member States. It is therefore not only companies and authorities that now have two years to adapt their data processing activities to future requirements. The national legislature must also review the data protection regulations applicable in its Member State for compliance with the future regulation.

Against this background, the conference of the independent German data protection authorities (“conference”), in a resolution of 25 May 2016 (German), calls on the German legislator to provide the data protection authorities with more staff and financial resources so they can effectively meet their assigned duties.

Watch out: Consumer protection associations may now sue companies for data protection violations

On 24th February, a new law for the civil enforcement of violations of data protection rules, specifically protecting consumers, entered into force. With this new law, certain provisions of the German Act on Injunctive Relief (Unterlassungsklagengesetz – UKlaG) are amended and also extended.

Previous situation
Until now, consumer protection organizations (e.g. the Federation of German Consumer Organisations – vzbv) were only able to challenge privacy policies of companies under the German Act on Injunctive Relief if the competent court acknowledged that the respective policy could be considered as general terms and conditions (see for example one press release about a recent lawsuit against Facebook, pdf). In general, certain clauses of privacy policies were therefore the target of legal actions if these clauses deviated from the statutory provisions of data protection law. Whether personal data were in fact processed in an unlawful way was merely the question.

District Court of Berlin: Google Germany not responsible for ‘right to be forgotten’-requests

On 21 August 2014, the District Court of Berlin ruled (27 O 293/14, German) that the subsidiary of Google in Germany, Google Germany GmbH, is not responsible for the fulfillment of requests of natural persons under the so-called ‘right to be forgotten’, created by the European Court of Justice (ECJ) in its much-noticed judgment in May 2014 (C-131/12). The Berlin court held that only the American company, Google Inc., can be regarded as the ‘data controller’ in the sense of European data protection law because only Google Inc. is the operator of the search engine. As a consequence, legal actions must be brought against Google Inc., not the subsidiary in Hamburg. Natural persons who want a link to third party websites to be removed from the search result list following a search made on the basis of a person’s name would therefore have to sue Google Inc. and not the European subsidiary.

Will the use of social networks fall outside the scope of future data protection law?

If private persons use social networking services (e.g. Facebook, Twitter, GooglePlus) on the Internet these days, hardly anyone might think about legal obligations for these users under the current data protection regime. Why should natural, private persons be considered “data controllers” in the sense of Art. 2 (d) of the European data protection directive (95/46/EC), if they share photos or write comments? They are only acting in a private and personal capacity. Well, this view might be true from a factual perspective. But with regard to European data protection law, already in a 2009 opinion (PDF), the Article 29 Working Party (an independent European advisory body on data protection, formed by representatives of European data protection authorities) held that “a high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller”. Conclusion: if you share a photo, name etc. with many people on Facebook, you might be a data controller in the eyes of data protection authorities and would therefore have to prove the lawfulness of the respective data processing operation.

Home office solutions for employees – requirements under German data protection law

Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only a few German data protection authorities have published recommendations on how or which kind of technical or organizational measures should be implemented, if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken.

Monetary Penalties for Data Protection Breaches: ICO vs. German DP Authorities

I have just stumbled upon the Information Commissioner’s Office’s page that informs the British public on the monetary penalties that the ICO has handed down over the last 1 ½ odd years: 26 penalties of about £ 120,000 on average. Not that that kills any of the public authorities and private companies involved (and nor should it). But it shows that where the ICO believes that a breach is serious enough to warrant a monetary penalty, the penalties are not only symbolic but designed to at least sting a bit.

“Google Has Few Concerns About the Right to be Forgotten!”

Until last year, the right to be forgotten used to be an idea of Viktor Mayer-Schönberger, an Austrian law professor. He suggested – and probably still suggests – providing a “best before date” for data that is electronically saved. After the expiration of the date, the data would be automatically deleted by the application or computer system. Last year, the idea – or a modification thereof – became part of a draft regulation of the European Commission.

69th German Legal Colloquium

During last week’s 69th German Legal Colloquium the association’s members discussed – amongst other topics – the future of IT-law in Germany (you can find all the decisions here – in German). Their decisions on how to fight cyber crime, data protection and liability are supposed to initiate legal reforms. In some cases, you hope the legislator won’t feel inclined.

The Pope’s litigation against a German magazine

The following is certainly not really a matter of IT-Law but I bet you will find it interesting anyway.

This post is about a lawsuit Pope Benedict XVI started against Titanic (nice case reference, isn’t it?), a well-known German satire magazine. We all expected a hearing to take place today at the Hamburg Regional Court – but it was canceled just last night, as the Pope had withdrawn his petition.

A lot has already been written on whether this case is an example of censorship or some kind of litmus test for the freedom of speech in Germany. I don’t think that this is really what makes the case so interesting. I believe that the question we should discuss is whether a pope should defend his personality rights by going to a civil court.

E-Commerce Law Reports with our article on Oracle v. UsedSoft

As a blogger you are always happy to receive feedback from your readers. So I was really pleased when shortly after posting my recent comments about the CJEU’s UsedSoft decision, the E-Commerce Law Reports approached me to ask whether I could write a more detailed article about the case for their August 2012 issue. Recently published, this issue also contains a number of other fascinating contributions by colleagues from around the world on a variety of important topics such as the online collection of consumer data, search engines’ liability for misleading search results, the cloning of games, advertising on Twitter, etc. Check it out: http://www.e-comlaw.com/e-commerce-law-reports/

“Implied Consent” to Cookies Being Set Suffices in the UK

Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in its guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent.

CNIL Sends Second Questionnaire to Google on Google’s New Privacy Policy

Google’s new privacy policy is not that new, as it “went into force” on March 1. It is still big news in data protection terms, though, at least as far as European data protection authorities are concerned. CNIL, commissioned by the Art. 29 Working Party, has now sent a second rather comprehensive questionnaire to Google. Obviously they were not completely sold on Google’s answers to the first set of questions CNIL had sent in March.

Tracking and Controlling Your Child’s Mobile Phone Activities

I just came across a post on golem.de (a rather good IT news site – in German only, sadly) about bemilo, a service in the UK that (I quote)

“puts [parents] in full control of [their] child’s mobile service”;

“puts [parents] in the driving seat, 24 hours a day”;

“[gives parents] FULL control [w]ho [their] children can contact and who can contact them, time of day [their] children can use their phone, WHEN they can browse the web”;

“[enables parents to] [r]eview all calls & SMS messages at any time, block bullies at the flick of a switch, control mobile spend with no fuss [emphasis added].”

Do watch the intro on the website. It’s rather, well, unique, besides the fact that the little toy man in the intro looks suspiciously similar to a typical LEGO design.