21 May 2015

Olswang Germany IT and Data Protection Newsletter - Spring Edition 2015

Content:

I. Higher Regional Court Celle: Web content providers are responsible for ensuring the deletion of content stored in a search engine's cache

II. Draft paper by German banking regulator (BaFin): Minimum requirements for the safety of internet payments

III. Findings of the 89th Conference of Data Protection Commissioners of the Federation and the States in Wiesbaden

IV. Liability of blogging-platform for posts by its users

V. Outlook on bills and new laws and recommended reads   

 

I. Higher Regional Court Celle: Web content providers are responsible for ensuring the deletion of content stored in a search engine's cache
by Christoph Mikyska

In its judgment of 29 January 2015 (case no. 13 U 58/14 - available in German only), the Higher Regional Court Celle ruled that the undertaking to remove website content from the internet originating from a cease and desist order, also includes the undertaking to ensure that content is also removed from the cache of search engines.

It is not sufficient to merely delete the content from the website. The provider of the content has to effectively rule out the possibility that the removed content is still available indirectly, e.g. via the hit list in a search engine's cache. For instance, if the removed content is still available in the cache, it is the provider's responsibility to file a deletion request to the search engine operator. If the provider does not submit such a request, he culpably forfeited the contractual penalty resulting from the cease and desist order.

Conclusion: The Higher Regional Court Celle's judgment rules that the scope of a cease and desist order is not limited to the mere deletion of website content.  If a company issues a cease and desist order, it must also check, whether the deleted content (e.g. pictures) is still available in the cache storage of the search engine. Otherwise an obligation to payment arises due to the forfeiture of the contractual penalty.
 

II. Draft paper by German banking regulator (BaFin): Minimum requirements for the safety of internet payments
by Carsten Kociok

The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) recently published a draft paper for the safety of internet payments (available in German only). The paper is addressed to all payment service providers subject to the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) that offer payment services (as defined in sec 1 (2) no. 2 ZAG) for mass payment transactions over the internet, such as online banking services, or payment services via telephone banking.

However, the paper does not go far beyond the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay Forum) or the "Guidelines on the Security of Internet Payments" of the European Banking Authority. The paper aims at combating fraud in online payment transactions by implementing certain measures, e.g. a strong customer authentication, the protection of sensitive payment data and the improvement of customer protection.

Conclusion: The final paper will shortly be published after the consultations are closed. The measures to be implemented under the paper will then have to be applied by the payment service providers within a transition deadline of six months.


III. Findings of the 89th Conference of Data Protection Commissioners of the Federation and the States in Wiesbaden
by Dr. Anne Brandenburg

The 89th Conference of Data Protection Commissioners of the Federation and the States ("Conference") was held on March 18 and 19, 2015 in Wiesbaden. In particular, the Conference:

  • demanded to enable citizens, administrations and businesses to use encrypted communication infrastructures without regulatory restrictions;
  • stated that the draft Act on IT Security would not meet the requirements of adequate data protection and requested improvement;
  • demanded improvement of the eHealth Act and for clarification regarding the appointment of external service providers by persons who are entrusted with confidential health information by profession; and
  • stressed that Safe Harbour does not provide for an adequate and sufficient level of data protection with regard to a transfer of personal data to the US and outlined certain guarantees to be granted to the data controller transferring personal data outside the EU.

Conclusion: Statements of the Conference are not binding but nevertheless constitute an important source of interpretation of the German data protection law. The Conference's statements should therefore always be taken into account when assessing data protection issues under German law.
 

IV. Liability of blogging-platform for posts by its users
by Dr. Andreas Splittgerber

The Upper Regional Court of Dresden confirmed in its decision on 1 April 2015 (4 U 1296/14 - available in German only) that the operator of a blogging platform is liable for user posts under certain circumstances (referencing an earlier decision by the German Federal Court of Justice of October 25, 2011, case no. VI ZR 93/10 - available in German only).

In the case decided, a user posted allegedly untrue statements on a blog that was hosted by a micro-blogging platform. The platform had asked the blogger to comment after the alleged victim of these statements had informed the platform. As the blogger did not reply to this request, it would have been the platform's duty to remove the content.

Conclusion: Operators of a social media platform must be aware that:

  • there is no general obligation to monitor user content;
  • after notice of possible infringing content has been given, the operator must investigate into the case (notice and take down procedure);
  • this investigation is usually conducted through a mechanism where the user is asked to comment on the allegations; and
  • if the user does not reply, the operator must assume that the complaint by the alleged victim is true. 


V. Outlook on bills and new laws and recommended reads 

Draft laws:

Recommended reads:

 

Splittgerber , Andreas , Dr _q 100web
Dr. Andreas Splittgerber
OLSWANG Germany LLP
+ 49 (0) 89 206 028 404
andreas.splittgerber@olswang.com

 

Leuthner , Christian _q
Christian Leuthner
OLSWANG Germany LLP
+ 49 (0) 89 206 028 414
christian.leuthner@olswang.com