- ECJ to decide what ‘cookie consent’ on a website must look like
- ECJ: Experts remain consumers but cannot file class actions
- German Federal Court of Justice: Deletion of profiles on platforms for rating doctors
- German Federal Court of Justice: One opt-in sufficient for multiple advertising channels
- Higher Regional Court of Frankfurt: Invalidity of sales of address data
- Regional Court of Berlin: Facebook default settings violate data protection law
- Regional Court of Frankfurt am Main: Right to be forgotten
- Regional Labour Court of Berlin-Brandenburg: Forwarding of emails with operational information to a private email account
Save the Date: The next Reed Smith Data Date on the General Data Protection Regulation (including a breakfast) will take place in our Munich office on 19 April 2018. Invitation to follow.
1. ECJ to decide what ‘cookie consent’ on a website must look like
The German Federal Court of Justice has asked the European Court of Justice (ECJ) to provide guidance on the interpretation of EU cookie rules (Order of 5 October, 2017, docket no. I ZR 7/16). Key questions to be decided by the ECJ concern how cookie consent must be obtained on a website in order to constitute valid consent and what details the cookie policy must contain.
Conclusion: Only a few months before finalization of the ePrivacy Regulation, the ECJ has been asked to decide on details of cookie consents – for example whether “surfing” the website constitutes valid consent and what details a cookie policy must contain. All organisations should follow this decision.
2. ECJ: Experts remain consumers but cannot file class actions
The European Court of Justice (ECJ) has ruled (judgment of 25 January 2018, Case C-496/16) that even an expert can enforce their own rights as a consumer in their field of competence if a product is used privately. The ECJ has also decided that the special venue for claims arising from consumer contracts only applies to the contracting parties. European users of Facebook had assigned (alleged) claims of for data protection violations to Max Schrems, who had previously brought down ‘Safe Habor’, which he wanted to pursue in Austria. However, according to the ECJ, Max Schrems can only assert his own individual rights in Austria.
Conclusion: Companies have to do their homework on data protection. Experts can and will enforce their rights as consumers.
3. German Federal Court of Justice: Deletion of profiles on platforms for rating doctors
In its judgment of 20 February 2018 (docket no. VI ZR 30/17) the German Federal Court of Justice upheld the claim of a doctor requiring the deletion of her profile on a platform for rating doctors. The platform provider was not a mere neutral intermediary. Thus, the privacy right of the doctor outweighed the right to freedom of speech of the platform provider. The key factor was that competing doctors were advertised alongside the non-paying doctor’s profile, whereas such promotional adverts were not displayed alongside profiles of doctors with premium accounts that require payment.
Conclusion: The German Federal Court of Justice has confirmed that ratings platforms are generally permissible under data protection law. Whether the deletion of profiles is required depends on the specific business model of the platform.
4. German Federal Court of Justice: One opt-in sufficient for multiple advertising channels
In its judgement dated 1 February, 2018 (docket no. III ZR 196/17), the Federal Court of Justice ruled that a single consent of a consumer is sufficient to receive advertising via multiple channels, e. g. e-mail, telephone, SMS and MMS. Separate consent for each means of communication channel was not required because by consenting by opt-in the consumer had expressed their preferences in full knowledge of the facts for a specific case. Also, the legal requirements in section 7 of the German Act Against Unfair Competition were the same for all channels. The court also stated, without going into further detail, that such consent complies with data protection law.
Conclusion: Consent may be given to advertising via different communication channels, provided that the consumer has been explicitly informed about the channels. It remains to be seen whether this decision can endure under the GDPR, which requires ‘granular’ consent under data protection law.
5. Higher Regional Court of Frankfurt: Invalidity of sales of address data
In a recent judgment of 24 January 2018 (docket no. 13 U 165/169) the Higher Regional Court of Frankfurt ruled that a sales contract for the acquisition of address data is null and void if the parties violate data protection laws. Although the data subject had consented to the processing of his data the data protection law requirements were not met. The consent wording did not clearly state the categories of personal data, recipients or purpose of processing (namely, the sale of address data).
Conclusion: Individuals need to give their express consent to the transfer of their data and to the use of their data for marketing purposes. The wording of the consent must be specific and must include the categories of the data recipients. If this is not the case the transfer is not permissible and any further processing is in breach of data protection laws.
6. Regional Court of Berlin: Facebook default settings violate data protection law
The Regional Court of Berlin held in its judgment of 16 January 2018 (docket no. 16 O 341/15) that various default settings of Facebook in its privacy centre violate data protection law. The default privacy settings include a location service in the app that reveals the location of the person that the user is chatting to. In addition, boxes were pre-ticked allowing search engines to link the user’s timeline. The court noted that there was no valid consent as there was no guarantee that users knew that these boxes were ticked by default.
Conclusion: Facebook was sued by the Federation of German Consumer Organizations. This decision demonstrates that consumer protection organisations are currently very active in enforcing violations of data protection law.
7. Regional Court of Frankfurt am Main: Right to be forgotten
by Dr. Philipp Süss, LL.M./Dr. Alexander Hardinghaus, LL.M.
On 26 October 2017 the Regional Court of Frankfurt am Main issued a new judgment (docket no. 2-03 O 190/16) to add to existing case law on the deletion of search results in search engines. The court relied, in particular, on recent case law of the German Federal Court of Justice which established the importance of determining whether the relevant information concerning sensitive personal data of an individual is concrete, or merely vague or general.
Conclusion: A legal claim for deletion of search results in search engines requires a comprehensive balancing of interests. Where the search results relate to sensitive personal data, it is particularly important to determine the extent to which the information in question is concrete.
8. Regional Labour Court of Berlin-Brandenburg: Forwarding of emails with operational information to a private email account
In its judgment dated 16 May 2017 (docket no. 7 Sa 38/17), the Regional Labour Court of Berlin-Brandenburg decided that the forwarding by an employee of emails containing operational information to a private email account in preparation for a new job with a different employer might justify extraordinary termination of the employee’s work contract. Such forwarding without the employer's consent and without official necessity constitutes an immediate threat to the employer's business interests.
Conclusion: The forwarding of business emails to private email accounts must be permitted by the employer and also necessary for business purposes.
New laws and recommended reads in the areas of EU/German IT and data protection law
New laws
Recommended reads
- Sven Schonhofen and Friederike Detmering on the territorial applicability of the GDPR in Business Law Magazine
- Reed Smith report on GDPR readiness
- Reed Smith chart on national GDPR implementation laws
- The Article 29 Working Party has published further guidance on GDPR:
- Consent
- Transparency
- Data breaches
- Binding Corporate Rules for data controllers and processors
- Conference of the German Data Protection Authorities published GDPR guidance (in German only) on:
- Template for register of processing activities for controllers and processors by Bavarian Data Protection Authority
- GDPR readiness tool by Bavarian Data Protection Authority (also available in English)
- EU Commission confirms: UK will be third country post-Brexit
- Privacy Shield update