17 September 2015

Olswang Germany IT and Data Protection Newsletter - Autumn Edition 2015

Content:

I. EU-General Data Protection Regulation (GDPR): Status Update

II. Fines for illegal data transfer in asset deal

III. Bavarian Data Protection Authority: Commissioned data processing requires a detailed contract

IV. German Federal Court of Justice: “Framing” is not infringement of copyright law – if the content was communicated to the public with rights holder’s consent 

V. Hamburg Higher Regional Court: Video platform must take down content in case of copyright infringements

VI. Outlook on bills and new laws and recommended reads   

 

I. EU-General Data Protection Regulation (GDPR): Status Update

  • The 'trilogue' discussions on the GDPR are ongoing. Council, Commission and Parliament are currently negotiating a common position. The GDPR shall be finalised before the end of December 2015. Follow the progress on our blog on datonomy: www.datonomy.eu
  • The GDPR shall come to force in 2018
  • German and European data protection authorities considerably criticised the current draft of the GDPR in several statements. To find out more, read the commentary by our Munich-based Head of Data Protection in Germany Andreas Splittgerber 

 

II. Fines for illegal data transfer in asset deal
by Dr. Andreas Splittgerber

The Bavarian Data Protection Authority (the Authority) announced on 30 July 2015, that it has penalised each party of an asset deal with a five-digit Euro fine due to an illegal transfer of customer data in an asset deal.

The Authority notes that it is lawful to transfer customer names and postal addresses in asset deals, even without prior consent of the customer. However, the transfer of other personal customer data (such as phone numbers, e-mail addresses, account or credit card data or purchasing history) requires either the prior consent of the customer or at least a prior notice of the transfer that grants the right to object. Infringements can be fined with up to EUR 50,000.

Conclusion: An asset deal does not justify the transfer of customer data. The data transmission in an asset deal, or the transfer of a customer database, is subject to special requirements. On the other hand, a share deal is simple from a data protection point of view.


III. Bavarian Data Protection Authority: Commissioned data processing requires a detailed contract
by Sven Schonhofen

The Bavarian Data Protection Authority (the Authority) announced on 20 August 2015, that it has fined the principal in the case of commissioned data processing because the data processing agreement was not detailed enough. The Authority notes that a data processing agreement (DPA) must be detailed and tailored to the individual case. The DPA must in particular describe in detail the technical and organisational measures to protect the data.

A mere reproduction of Sec. 9 and the Appendix of the Sec. 9 of the German Data Protection Act (BDSG) does not meet this requirement.

Conclusion: DPAs are not just “paper tigers”. Every company should have a look at their DPAs and examine whether they meet the statutory requirements.


IV. German Federal Court of Justice: “Framing” is not infringement of copyright law – if the content was communicated to the public with the rights holder’s consent
by Ramona Kimmich

On July 9, the German Federal Court of Justice (BGH) held that implementing copyrighted content on a website via “framing” does not constitute a copyright infringement if it was originally uploaded with the rights holder’s consent and is accessible to the public. The defendant implemented a YouTube video on their website via framing.

The BGH refers to a preliminary ruling (C-348/13) of the European Court of Justice (ECJ). Interpreting the ECJ’s answer, the BGH held that “framing” constitutes an act of use that is relevant under Sec. 15 (2) German Copyright Code only where the rights holder has not consented. A (pending) preliminary ruling by the ECJ might provide more clarity on the requirement for consent.

Conclusion: The BGH did not allow framing without any limits. However, website operators must check if the implemented content comes from a legal source – in such cases “framing” is permitted.


V. Hamburg Higher Regional Court: Video platform must take down content in case of copyright infringements
by Dr. Monika Stöhr

On 1 July, the Hamburg Higher Regional Court (OLG) made a decision, as to whether the operator of a video platform (here: YouTube) (Az.: 5 U 87/12 und 5 U 175/10; press release) is liable for copyright infringement if the user-uploaded content infringes the copyright of a third party.
 
The OLG ruled that the platform is not liable as an offender of copyright infringement. However, with regard to some of the content the OLG held that the platform is liable as an interferer (Störer). The OLG emphasised that the platform is under no general obligation to monitor uploaded content. However, once made aware of the infringement, it is not sufficient to simply remove the content, but the platform has to take additional steps to prevent further infringements. 
 
Conclusion: Operators of video platforms and also of other platforms with user generated content can be relieved as they are not automatically held liable if the user-uploaded content infringes the copyrights of third parties. However, such operators must take down content and avoid similar infringements in the future after their attention has been drawn to the infringements.


VI. Outlook on bills and new laws and recommended reads
 

Draft laws:

  • Network and Information Security Directive (NISD); please see a summary on the developments here.

Recommended reads:

  • Main points of the 'trilogue' on the General Data Protection Regulation; please see a summary here (available in German only).
  • Overview on the current investigation by the European Commission in relation to Pay TV licensing arrangements and geoblocking, here
  • Agreement on standards regarding transatlantic transfers of investigation data between EU and USA (Press release of the federal data protection commissioner) (available in German only). 


Dr. Andreas Splittgerber
Olswang Germany LLP
+ 49 (0) 89 206 028 404
andreas.splittgerber@olswang.com


Christian Leuthner
Olswang Germany LLP
+ 49 (0) 89 206 028 414
christian.leuthner@olswang.com