11 April 2016

Olswang IT and Data Protection Newsletter - Spring Edition 2016




Our quarterly IT and data protection update keeps you informed of current legal issues, decisions and events in the technology sector in Germany. We hope you enjoy reading.


Contents:

  1. EU General Data Protection Regulation (GDPR): Status update
  2. Privacy Shield: The new framework for transatlantic data transfers
  3. Federal Court of Justice: Increased duty to investigate and duty of disclosure for operators of rating platforms
  4. Federal Court of Justice: Internet access providers’ liability for copyright infringement on third parties’ websites
  5. Federal Court of Justice: Advertising in auto-reply emails
  6. Federal Court of Justice: Apps are qualified for work title protection
  7. Higher Regional Court of Düsseldorf: Injunctive relief includes deletion from cache
  8. Higher Regional Court of Munich: GEMA loses again vs. YouTube
  9. Court of Appeals Frankfurt: Consent to use of cookies is legitimate in opt-out procedure
  10. Outlook on bills and new laws and recommended reads

 

1.EU General Data Protection Regulation (GDPR): Status update 

  • Almost four years after the EU Commission’s proposal of an EU General Data Protection Regulation (“GDPR”) the European Council, the European Parliament and the European Commission concluded their negotiations on 15 December 2015 and reached a political agreement. 
  • The final version of the GDPR can be found here.
  • Next steps: The Regulation will be formally approved by the European Parliament and the Council in July 2016. The new provisions will be applicable a bit more than two years later, i.e. as of July 2018. 
  • The slides of our event on the EU data protection reform of January 2016 (in German) are available here.

 

2.The new framework for transatlantic data transfers, privacy shield:

  • On 2 February 2016, the European Commission presented the new framework for data transfers between the EU and the USA: The "Privacy Shield" shall replace the „Safe Harbor“ Agreement. The European Commission has released the relevant legal documents. 
  • The Article 29 Working Party (WP29) will publish a statement the EU-US Privacy Shield and other transfer tools (Binding Corporate Rules, Model Clauses) by the middle of April 2016.
  • Please read a comment on the Privacy Shield and the remaining data transfer vehicles. 

 

3.Federal Court of Justice: Increased duty to investigate and duty of disclosure for operators of rating platforms 

by Dr. Andreas Splittgerber

The Federal Court of Justice (Bundesgerichtshof, BGH) has specified the legal obligations of the operator of a rating portal for doctors in its decision on 1 March 2016 (Az.: VI ZR 34/15). However, those obligations are – as before – determined by the impact of the potential infringement as well as by the required effort. 

The BGH ruled that the defendant had neglected its duty to investigate; the defendant should have submitted the complaint of the physician to the user and asked the user to present documents. 

Conclusion: Platform operators do not have to take immediate actions. The BGH has confirmed the previous principle of “notice and take down” regarding the liability as an interferer (Störer). In the present case, the BGH also assumed an increased duty to investigate and duty of disclosure on the part of the platform provider as of the specific trust between doctors and patients, which, however, cannot be offhandedly applied to every other case. Platform operators, however, should review their internal “notice and take down” procedures.

 

4.Federal Court of Justice: Internet access providers liable for copyright infringement on third parties’ websites

by Ramona Kimmich 

On 26 November 2015, the BGH has ruled (Az. I ZR 3/14 and Az. I ZR 174/14) that internet access providers can be held liable for copyright infringements on third parties’ websites. Right holders can undertake access providers to block access to such websites as access providers can be held liable as an interferer (Störer). However, under the aspect of proportionality this obligation requires previous efforts both reasonable but unsuccessful to enforce their claims against the website operator and the host provider.

Conclusion: The BGH confirmed that, in principle, rights holders can raise claims against access providers. However, extensive amounts of claims against access providers are unlikely

 

5.No advertising in auto-reply emails 

by Sven Schonhofen, LL.M. (New York)

The BGH has ruled in its decision of 15 December 2015 (Az.: VI ZR 134/15) that auto-reply e-mails that contain advertising are unlawful spam, if the recipient specifically objected in the receipt of such advertisement e-mails before. 

Conclusion: Companies should abstain from advertising in auto-reply e-mails. 

6.Federal Court of Justice: App names can be protected

by Sven Schonhofen, LL.M. (New York)

The BGH has ruled in its decision of 28 January 2016 (Az.: I ZR 202/14) that names of apps for mobile devices can be protected under the German trademark act (work title protection). In the present case the BGH denied work title protection for “wetter.de” as the title did not have inherent distinctiveness.

Conclusion: The BGH has clarified that apps are basically qualified for work title protection. However, the barriers for that protection remain high. 

 

7.Higher Regional Court of Düsseldorf: Injunctive relief includes deletion from cache

by Sven Schonhofen, LL.M. (New York)

The Higher Regional Court of Düsseldorf has ruled by decision on 3 March 2015 (Az. I-15 U 119/14) that the signer of a cease and desist declaration by reason of misleading advertising on the internet is obliged to work towards a deletion of the entry in search engines as far as reasonably possible. The deletion can be requested, for example via the webmaster tool provided by Google.  

Conclusion: Companies obliged to cease and desist due to violating entries on the internet must despite the mere omission of the infringement approach the operator of the search engine actively and request the deletion from the cache fulfill their obligations. . 

 

8.Higher Regional Court of Munich: GEMA loses again vs. YouTube

by Sven Schonhofen, LL.M. (New York)

Collecting society GEMA suffered another defeat in its long lasting dispute with YouTube. The Higher Regional Court of Munich (OLG) has dismissed a respective damage claim in its decision from 28 January 2016 (Az.: 29 U 2798/15).

The main issue, stated the OLG, is whether YouTube is a music provider and therefore generally responsible for the uploaded content or merely a platform for users to share their content. The court followed YouTube’s argument that first of all YouTube was a technical service provider, who merely provided its users with a tool.  

Conclusion: This is not going to be the last episode of the legal dispute between GEMA and YouTube. GEMA has already announced to appeal to the Federal Court of Justice.

 

9.Higher Regional Court of Frankfurt: Consent to use of cookies obtained as “opt-out” is legitimate.

by Christian Leuthner

The Higher Regional Court of Frankfurt (OLG) has ruled in its decision from 17 December 2015 (Az.: 6 U 30/15) that consent to store cookies on the device of a user can still be given in the opt-out procedure using a preset statement the user can object to by removing a preset check. An opt-in to obtain consent to the use of cookies is not required. It is also sufficient to provide the required information within the cookie policy, and not necessarily in the declaration of consent itself.

Conclusion: Cookie banners including a reference to the cookie policy displayed on the website as commonly used in the internet can be seen as legitimate after the decision of the OLG Frankfurt and can be used if all relevant data processing information can be found in the cookie policy. . 

10.Outlook on bills and new laws and recommended reads

Proposed legislation 

  • Proposal of the EU Commission for a Regulation to address the portability of online content services (e.g. movies, music, e-books) in the internal market; an analysis of the impacts on audiovisual services can be found here.
  • German Bundestag and Bundesrat have agreed on a legislation introducing a right for associations to bring legal action in case of breach of data protection; the Act became effective on 24 February 2016. 
  • Passenger Name Record Directive: a summary of the recent developments can be found here.

Reading recommendations 

  • An analysis on the the new German Data Retention Act that has become effective on 18 December 2015 by Christian Leuthner and Sven Schonhofen 
  • Opinion on 16 March 2016 Advocate General Szpunar in the case Tobias McFadden vs. Sony Music Entertainment. Szpunar claims that operators of public Wifis cannot be held liable for copyright infringements by users of these networks. 
  • Question for a preliminary ruling on 25 February 2016 the German Federal Administrative Court (Bundesverwaltungsgericht, BVerwG) on the competence of German data protection authorities for an Irish entity’s data processing. 
  • The Conference of German data protection authorities has issued an orientation guide to the use of email and other internet-based services in the workplace, published in January 2016. 
  • The so called Düsseldorfer Kreis (conference of German data protection authorities for the private sector) has published an orientation guide on consent requirements published in March 2016.  
  • The results of a coordinated data protection audit of several federal states regarding dating portals. 

 

Upcoming IT/data protection speaking event: 
Andy Splittgerber speaking at the West Coast Legal Tech Conference in San Francisco on June 14 on EU data transfers and the EU Data Protection Reform. 

 

 

 



Dr. Andreas Splittgerber

Partner
Olswang Germany LLP
+ 49 (0) 89 206 028 404
andreas.splittgerber@olswang.com

 

 

Christian Leuthner
Rechtsanwalt/Associate 
Olswang Germany LLP
+ 49 (0) 89 206 028 414
christian.leuthner@olswang.com