On 14th September, the German data protection authorities (“DPAs”), gathering in the so called “circle of Düsseldorf”, issued a non-binding opinion (pdf, German) on the question of the lawfulness of consents under the looming General Data Protection Regulation (“GDPR”), which were obtained under the conditions of the current legal framework. Continue reading →
Today the European Court of Justice (ECJ) decided in the case C-191/15 (Verein für Konsumenteninformation vs Amazon EU Sàrl). The ruling sheds light on some interesting questions with regard to consumer protection law and also assesses the European data protection rules on applicable law.
On 24 May 2016, the Data Protection Regulation has entered into force. From 25 May 2018 it will be directly applicable in all European Member States. Not only companies or authorities therefore now have two years to adapt their data processing activities to future requirements. The national legislature must consider the applicable data protection regulations in its Member State for compliance with the future regulations.
Against this background, the conference of the independent German data protection authorities (“conference”), in a resolution of 25 May 2016 (German), calls on the German legislator to provide the data protection authorities with more staff and financial resources so they can effectively meet their assigned duties. Continue reading →
On 24th February, a new law for the civil enforcement of violations of data protection rules, specifically protecting consumers entered into force. With this new law, certain provisions of the German Act on Injunctive Relief (Unterlassungsklagengesetz – UklaG) are amended and also extended.
Until now, consumer protection organizations (e.g. the Federation of German Consumer Organisations – vzbv) were only able to challenge privacy policies of companies under the German Act on Injunctive Relief if the competent court acknowledged that the respective policy could be considered as general terms and conditions (see for example one press release about a recent lawsuit against Facebook, pdf). In general, certain clauses of privacy policies were therefore the aim of legal actions if these clauses deviated from the statutory provision of data protection law. If personal data were in fact processed in an unlawful way was merely the question. Continue reading →
On 21 August 2014, the District Court of Berlin ruled (27 O 293/14, German) that the subsidiary of Google in Germany, Google Germany GmbH, is not responsible for the fulfillment of requests of natural persons under the so called ‘right to be forgotten’, created by the European Court of Justice (ECJ) in its much-noticed judgment in May 2014 (C-131/12). The Berlin court held that only the American company, Google Inc., can be regarded as the ‘data controller’ in the sense of European data protection law because only Google Inc. is the operator of the search engine. As a consequence, legal actions must be brought against Google Inc., not the subsidiary in Hamburg. Natural persons who want a link to third party websites to be removed from the search result list following a search made on the basis of a person’s name would therefore have to sue Google Inc. and not the European subsidiary. Continue reading →
If private persons use social networking services (e.g. Facebook, Twitter, GooglePlus) in the Internet these days, hardly anyone might think about legal obligations for these users under the current data protection regime. Why should natural, private persons be considered “data controllers” in the sense of Art. 2 (d) of the European data protection directive (95/46/EC), if they share photos or write comments? They are only acting in a private and personal capacity. Well, this view might be true from a factual perspective. But with regard to European data protection law, already in a 2009 opinion (PDF), the Article 29 Working Party (an independent European advisory body on data protection, formed by representatives of European data protection authorities) held that “a high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller”. Conclusion: if you share a photo, name etc. with many people on Facebook, you might be a data controller in the eyes of data protection authorities and would therefore have to proof the lawfulness of the respective data processing operation. Continue reading →
Under German data protection law, as well as under the European data protection directive (95/46/EC), there exist no specific provisions that would govern the processing of personal data in home office scenarios. Only few German data protection authorities published recommendations on how or which kind of technical or organizational measures should be implemented, if a company wants to grant its employees the benefit of working at home. The few existing recommendations remain mainly vague and don’t name specific measures which must be taken. Continue reading →
Until last year, the right to be forgotten used to be an idea of Viktor Mayer-Schönberger, an Austrian law professor. He suggested – and probably still suggests – providing a “best before date” for data that is electronically saved. After the expiration of the date, the data would be automatically deleted by the application or computer system. Last year, the idea – or a modification thereof – became part of a draft regulation of the European Commission. Continue reading →
Today the Hamburg Regional Court opened the trials in Max Mosley’s lawsuit against Google Inc. over violation of his right of personality. The plaintiff wants Google to filter out compromising pictures from its search results. Continue reading →
The following is certainly not really a matter of IT-Law but I bet you will find it interesting anyway.
This post is about a law suit Pope Benedict XVI. started against Titanic (nice case reference, isn’t it?), a well-known German satire magazine. We all expected today a hearing to take place at the Hamburg Regional Court – but it was canceled just last night, as the Pope had withdrawn his petition.
It has already been written a lot on whether this case is an example for censorship or some kind of litmus test for the freedom of speech in Germany. I don’t think that this really what makes the case so interesting. I believe that the question we should discuss is whether a pope should defend his personality rights by going to a civil court. Continue reading →
As a blogger you are always happy to receive feedback from your readers. So I was really pleased when shortly after posting my recent comments about the CJEU’s UsedSoft decision, the E-Commerce Law Reports approached me to ask whether I could write a more detailed article about the case for their August 2012 issue. Recently published, this issue also contains a number of other fascinating contributions by colleagues from around the world on a variety of important topics such as the online collection of consumer data, search engines’ liability for misleading search results, the cloning of games, advertising on Twitter, etc. Check it out: http://www.e-comlaw.com/e-commerce-law-reports/
Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in his guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue to as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent. Continue reading →