27 February 2015

Olswang Germany IT and Data Protection Newsletter - Winter Edition 2015

IT Data Protection Winter 2015 Eng Title

Content

I. German Data Protection authorities impede data transfers to the US  

II. Afterquake of Google Spain in Germany: Google is liable for search engine hits

III. ECJ: Courts at the place of harmful event are competent for actions against online copyright infringements

IV. Implementation of company Facebook fansite does not trigger a co-determination right

V. Update Fingerprinting - Article 29 Working Party demands information and user consent

VI. Outlook on bills and new laws and recommended reads  

 

I. German Data Protection authorities impede data transfers to the US
by Dr. Franziska Schröter

In January 2015, data protection authorities of Berlin and Bremen proclaimed the initiation of administrative proceedings (available in German here) against U.S. companies due to Safe Harbor based data transfers. This is the first time that German data protection authorities took legal actions against data transfers based on the Safe Harbor framework. It is important to note that other German authorities (e.g. Bavaria) do not share the view of Berlin and Bremen and continue to permit data transfers based on Safe Harbor as long as there is no obvious breach of law.

The 15-years-old Safe Harbor decision has been discussed controversially over the past months. Following the Snowden revelations the European Commission has threatened to suspend the Safe Harbor decision if the US (US Trade Commission) do not agree to adjust the Safe Harbor framework.

Conclusion: Data transfers to the US should not be justified on the basis of Safe Harbor registrations until the European Commission and the US Trade Commission have agreed on sufficient Safe Harbor rules. As the various data protection authorities across Germany have different views, companies should consider these local specialities when exporting data to the US. The EU Standard Contractual Clauses are a good alternative to Safe Harbor in theory; in practice, however, they do not provide for better protection of personal data.


II. Afterquake of Google Spain in Germany: Google is liable for search engine hits
by Dr. Andreas Splittgerber

The Regional Court of Hamburg decided on November 7, 2014 (File No: 324 O 660/12 - available in German only) that Google is obliged to remove hits from the search results if they are infringing and if Google has been given notice thereof.

In the case decided the plaintiff requested removal of defamatory content. The court in Hamburg based its decision on the ECJ decision "Google Spain" and considered in favor of the plaintiff that the search results give a structured overview over the personality of the respective individuals.

Conclusion: The decision by the Hamburg court goes one step beyond Google Spain as it is not limited to data protection. On the other hand, search engine operators benefit in this wider area from the hosting provider liability privileges. Courts must pay thorough attention not to limit the right for information, which is a very important right in any democracy.


III. ECJ: Courts at the place of harmful event are competent for actions against online copyright infringements
by Dr. Anne Brandenburg

On January 22, 2015, the European Court of Justice ("ECJ") decided (Hejduk / EnergieAgentur.NRW GmbH, C-441/13) that in accordance with art. 5 no. 3 of the Regulation No. 44/2001 the competent court for online copyright infringements may also be a court in that Member State where the harmful event occurred if its website is not directed at that Member State. It is sufficient, if the website is accessible from that Member State and that the infringed right is protected according to the laws of the Member State where the action is filed. However, and as the ECJ decided before, the chosen court may only decide on the damages occurred in its own Member State. Therefore, several actions in different Member States may have to be filed to gain full compensation.

Conclusion: The ECJ continues its interpretation of the place "where the harmful event occurred or may occur". In Pinckney / KDG Mediatech AG (decision of 03.1.2013, C-170/12) the ECJ had to decide on the local competency in a case of an online order possibility for physical CDs produced without permission and now the accessibility and download of photographs put online without permission was in its focus. However, in the end the result is the same. There is now a higher likelihood for Non-EU internet providers to be sued in EU Member States - unless they arrange for their website not to be accessible from other countries, e.g. by technical means.


IV. Implementation of company Facebook fansite does not trigger a co-determination right
by Luisa Einsporn

On January 12, 2015, the Regional Labor Court Dusseldorf (available in German only) decided that the works council generally does not have a right of co-determination regarding the implementation and operation of a Facebook site by an employer.

After Facebook users had posted negative comments about employees on the employer's Facebook fansite, the employer's works council claimed a right of co-determination and requested deactivation of the fansite. The court found that the employer's fansite is no technical device designed to monitor the behaviour or performance of employees (in the sense of Sec. 87 para 1 No. 6 Works Constitution Act) and, therefore, rejected a codetermination right of the works council. However, the court indicated that it may have come to a different decision with respect to those employees maintaining and supervising the employer's fansite.
 
Conclusion: Even though the decision appears to be employer-friendly at first sight, caution is advisable. A works council's right of co-determination is not excluded per se when it comes to the operation of an employer's social media presence. Much depends on how the maintenance of the presence is organised within the employer's organisation.

 

V. Update Fingerprinting - Article 29 Working Party demands information and user consent
By Carsten Kociok

Having reported on the new user tracking technology of fingerprinting in the Summer Edition of our newsletter last year, the Article 29 Working Party has now taken a stance on this topic. In its opinion 9/2014 of 25 November 2014 (available here) the EU Commission advisory board has indicated that the information and consent requirements of Article 5(3) of the "Cookies" Directive 2002/58/EC (ePrivacy Directive) also apply to device fingerprinting. This would be the case regardless of whether the information on the user's terminal device which is accessed via fingerprinting is personal data. 

According to EU law the fingerprinting technology, therefore, in principle can only be employed if the user was informed of the tracking in advance and has given his consent. Exceptions apply in special cases, for example in the event of user interface customisation.

Conclusion: Digital fingerprints must be treated in the same way as cookies. Their usage generally requires detailed information and consent. The name of the "Cookie-Policy" on a website should, therefore, be adjusted, e.g. to "Tracking Policy" or "Tracking Practices".

Current Note: For updated information on the implementation of the Cookies Directive please see the "Recommended Reads" section below.


VI. Outlook on bills and new laws and recommended reads 

Draft laws:

Recommended reads:

 

Splittgerber , Andreas , Dr _q 100web
Dr. Andreas Splittgerber
OLSWANG Germany LLP
+ 49 (0) 89 206 028 404
andreas.splittgerber@olswang.com

 

Leuthner , Christian _q
Christian Leuthner
OLSWANG Germany LLP
+ 49 (0) 89 206 028 414
christian.leuthner@olswang.com