28 October 2016

Olswang IT and Data Protection Newsletter - Autumn Edition 2016

Olswang Germany IT and Data Protection Update

Autumn Edition 2016


Contents:

  1. Breaking: Privacy Shield is challenged before European General Court
  2. New copyright requirements for platform providers
  3. Section 309 no.13 German Civil Code: Declarations may not be required to be more onerous than text-form
  4. ECJ: Dynamic IP addresses constitute personal data
  5. ECJ: Liability of Wi-Fi providers for third party use
  6. ECJ: Copyright infringement by posting hyperlinks
  7. Guidance on "re-cycling" of consents under GDPR
  8. Bavarian DPA publishes opinion on IoT
  9. Outlook on new legislation and recommended reads

 

 1. Breaking: Privacy Shield is challenged before European General Court

A legal challenge to the new Privacy Shield has been lodged by Digital Rights Ireland before the European General Court, which has been published on the Court's website here.


2.
New copyright requirements for platform providers
by Ramona Kimmich

The EU Commission has published its draft Directive "on Copyright in the Digital Single Market" on 14 September 2016. The draft includes a negotiation mechanism for rights holders and platform operators to facilitate the online exploitation of audio-visual works. Providers of platforms for user generated content have to ensure that licences for the uploaded content are in place. Authors and performers have the right to receive information about how their works and performances are being exploited and the right to additional remuneration if the remuneration that was originally agreed turns out to be disproportionally low.

Conclusion: The Directive contains several changes to the obligations of platform providers. However, it remains to be seen if the Directive will be passed in its current form.


3. Section 309 no.13 German Civil Code: Declarations may not be required to be more onerous than text-form
by Ramona Kimmich

Since 1 October 2016 any form requirements for declarations and notices in general terms and conditions will be invalid, if they require a stricter form than text-form (e-mail, (computer) fax, letter without a signature), provided that the stricter form is not already required by law (section 309 no. 13 of the German Civil Code). Termination clauses in standard agreements which stipulate – without a legal requirement – a written form for a termination by the contracting party as well as purchase agreements which require the notice of defects in writing have to be updated.

Conclusion: Standard agreements entered into or amended after 30 September 2016 have to be updated prior to their use. Older contracts are still valid and do not need to be changed until any provision has been amended.


4. ECJ: Dynamic IP addresses constitute personal data
by Sven Schonhofen, LL.M. (New York)

The ECJ has ruled in Patrick Breyer v. Federal Republic of Germany (C-582/14) on 19 October 2016 that dynamic IP addresses of a visitor constitute personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider. The corresponding German provision concerning visitor's data including IP addresses (Sec. 15 of the German Telemedia Act) under which an online media services provider may collect and use a visitor's personal data, without his consent, only to the extent that it is necessary to facilitate the specific use of services by that visitor, is too narrow. It must also include the possibility to collect and use visitor's personal data in order to ensure the general operability of the website, provided that the interest or the fundamental rights and freedoms of the data subject does not override that objective.

Conclusion: German website operator may now use visitor's data applying a balancing of interests test.


5. ECJ: Liability of Wi-Fi providers for third party use
by Antonia Gold

In the case of McFadden v Sony Music Entertainment (C-484/14), the ECJ decided that a service provider who provides access to a Wi-Fi network, may not be held liable if third parties use such a Wi-Fi connection to infringe a copyright owner’s rights and the supplier implemented measures to safeguard the network. Copyright owners may not seek damages from the service provider. They may only require the service provider to end and prevent the infringement committed by third parties i.e. by securing the Wi-Fi network with a password.

Conclusion: Wi-Fi providers should protect their networks with a password to avoid potential injunctions and the related costs.


6. ECJ: Copyright infringement by posting hyperlinks
by Sven Schonhofen, LL.M. (New York)

The ECJ has ruled in its decision of 8 September 2016 (C-160/15) that the posting of a hyperlink on a website to works protected by copyright and published without the author’s consent on another website does not constitute a ‘communication to the public’ and thus no copyright infringement when the person who posts that link does not seek financial gain and acts without knowledge that those works have been published illegally. In contrast, if those hyperlinks are provided for profit, knowledge of the illegality of the publication must be presumed.

Conclusion: Companies must check that the content, that they provide links to, is published legally.


7. Guidance on "re-cycling" of consents under GDPR
by Dr. Andreas Splittgerber

In September, the Düsseldorf Circle handed down a resolution (in German) addressing the question whether consents that have been collected by organisations can still be used under GDPR. In short, the answer is "Yes". The resolution, however, leaves questions open and also raises new questions (e.g. it states that "the information requirements under Art. 13 must not be met"). See more comments here.

Conclusion: The Resolution is comforting for organisations that have obtained German-style consents in the past. We recommend, however, that organisations now update their consent language to fully meet the requirements under GDPR.


8. Bavarian DPA publishes opinion on IoT
by Christian Leuthner

On 26 September 2016, the Bavarian Data Protection Authority (“DPA”) published the results (in German) of this year's international Sweep Week, which was carried out by the Global Privacy Enforcement Network (GPEN) and lead by the UK Data Protection Authority (press release in German). The number of products, all in the area of Internet of Things ("IoT"), that were tested exceeded 300 by 25 data protection authorities amongst others in the UK, Canada and Australia (find all published press releases here). The DPA criticised the lack of information provided by providers about the collection, processing and use of personal data and that often information about data storage and data deletion, as well as contact information for further inquiries, was omitted.    

Conclusion: The DPA again states that transparency and information are essential for effective privacy. Companies must ensure that their Privacy Policy contains all necessary information as further investigations, also outside the IoT area.


9. Outlook on new legislation and recommended reads

Proposed legislation

  • German Federal Council proposes new crime of “Digital trespassing” to be added to the Criminal Act (in German).

Recommended reads

  • Sven Schonhofen on Datonomy on the proposed German Federal Data Protection Act.
  • DPA North Rhine-Westphalia published Q&As about Privacy Shield (in German).
  • Olswang’s Quick Guide to the GDPR: The headline changes and how they will impact your operations.
  • DPA Bavaria published new GDPR mini-guides (in German):
    • Reacting to data breaches (here)
    • Sanctions under the GDRPR (here)
    • Special categories of personal data (here)
    • Consent under the GDPR (here)
    • Commissioned data processing under the GDPR (here)
  • The reform of the State Treaty on the Protection of Minors from Harmful Media (in German) came into force on 1 October.
  • Commission for Protection of Minors in the Media asks (in German) for more efficient protection on mobile devices in new study.
  • Summary report on the public consultation on the evaluation and review of the ePrivacy Directive.
  • ECJ’s Advocate General considers that the PNR Agreement between the EU and Canada not to be sufficient.

EDPS releases opinion on the coherent enforcement of fundamental rights in the age of Big Data.

 

If you would like more information about how these developments impact your business, please contact:

 

 

   

 

 



Dr. Andreas Splittgerber

Partner
Olswang Germany LLP
+ 49 (0) 89 206 028 404
andreas.splittgerber@olswang.com

 

 

Christian Leuthner
Rechtsanwalt/Associate 
Olswang Germany LLP
+ 49 (0) 89 206 028 414
christian.leuthner@olswang.com