1. Update on Facebook fan pages – still legal risks despite joint controller agreement
2. Mistakes in privacy policies – can competitors request cease and desist?
3. Court of Appeals Frankfurt: Right to be forgotten does not generally prevail
4. Facebook Messenger is private communication and is not subject to the right to information legislation according to Sec. 14 German Telemedia Act
5. German Federal Supreme Court considers emails and customer satisfaction surveys
6. Court of Appeals Munich: Social networks are prohibited from deleting posts that are protected under the freedom of speech
7. ECJ: Re-posting of copyright-protected works
Save the Date: Join our Data Date breakfast seminar in our Munich office on November 22, 2018. Visit reedsmith.com to register.
Save the Date: Meet us at the IAPP 2018 Europe Conference in Brussels on November 28-29. Attend our session “Whatever Happened to Harmonization?” or contact us for a personal meeting.
1. Update on Facebook fan pages – still legal risks despite joint controller agreement
by Dr. Andreas Splittgerber
After the ECJ decision on joint controllership between Facebook and operators of a fan page (docket no.: C-210/16) and statements by the German data protection authorities (most recently on September 5, 2018), Facebook released a joint controller agreement in October. The German Green Party has now filed a claim against Facebook arguing that Facebook does not comply with the General Data Protection Regulation (GDPR).
Conclusion: The joint controller agreement is a step into the right direction, albeit leaving many open questions. In addition to implementing data protection compliance measures, organizations operating a fan page on Facebook (and also on other social media channels) should monitor further developments. So far, only the German data protection authorities have shown real interest in this topic.
2. Mistakes in privacy policies – can competitors request cease and desist?
by Christian Leuthner
The Würzburg Regional Court (decision of September 13, 2018, docket no.: 11 O 1741/18UWG) has decided that competitors can ask for a cease and desist if the privacy policies (on websites) are not GDPR compliant. The provisions that were violated (Articles 13 and 14 GDPR) are rules of market conduct, and non-compliance leads to unfair competition. The Bochum Regional Court (judgment of August 7, 2018, docket no.: 12 O 85/18) and the Wiesbaden Regional Court referring to this decision (decision of November 5, 2018, docket no.: 5 O 214/18) had decided the exact opposite shortly before, since the GDPR has a final sanctions framework (Articles 77-84 GDPR). This view is shared by the EU Commission with regard to the enforcement of data subject rights. The Court of Appeals Hamburg (judgment of October 25, 2018, docket no.: 3 U 66/17) decided that the GDPR has no final sanctions framework, but it has to be decided in the individual case whether the provision is a rule of market conduct.
Conclusion: Companies must include all necessary information in their privacy policies in accordance with the law to avoid warnings.
3. Court of Appeals Frankfurt: Right to be forgotten does not generally prevail
by Sven Schonhofen, LL.M.
The Court of Appeals Frankfurt am Main has decided in its judgment of September 6, 2018, (docket no.: 16 U 193/18) that the Google Spain case law on the right to be forgotten does not apply without exceptions. The ECJ has assumed a general overriding of the right to be forgotten in the Google Spain decision. However, such a “rule-exception mechanism” is not provided for in Article 17 and 6 of the GDPR. Rather, the interests of the data subject and data controller must be weighed against each other on a case-by-case basis.
Conclusion: Data controllers do not have to generally delete personal data when data subjects assert their right to be forgotten, but have to carry out a balancing-of-interest check on a case-by-case basis.
4. Facebook Messenger is private communication and is not subject to the right to information legislation according to Sec. 14 German Telemedia Act
by Friederike Detmering, M.A.
The Court of Appeals Frankfurt am Main ruled in its decision of September 6, 2018, (docket no.: 16 W 27/18, appeal to the German Federal Supreme Court admitted) that the right to information about inventory and usage data held by a service provider pursuant to Section 14(3) German Telemedia Act (TMA) only applies to social networks as defined in Section 1(1) German Network Enforcement Act and that Facebook Messenger is not such a network. Section 14 (3) TMA is also not superseded by data protection regulations, because neither GDPR provisions nor those of the Federal Data Protection Act are more specific according to the court.
Conclusion: Based on the current legal framework, service providers generally do not have to fulfill claims to information on user data with regard to means of individual communication, as these can neither be based on the TMA nor on data protection law.
5. German Federal Supreme Court considers emails and customer satisfaction surveys
by Dr. Thomas Fischl
The German Federal Supreme Court ruled in a judgment of July 10, 2018, (docket no.: VI ZR 225/17) that customer satisfaction surveys are a form of advertising and thus constitute spam when included with email invoices. What happened? The plaintiff had purchased a product from the defendant on Amazon’s Marketplace. The defendant sent a PDF invoice attached to an email. This email included a request to the plaintiff to take part in the customer satisfaction survey and to possibly give a good rating.
The lower courts said the email was a legitimate transactional message and not spam. But the German Federal Supreme Court ruled that the inclusion of the questions changed the communication into unsolicited email advertising, which, as a general rule, requires opt-in consent.
Conclusion: The case shows how narrow the ridge is when it comes to placing any kind of promotional elements in transactional emails.
6. Court of Appeals Munich: Social networks are prohibited from deleting posts that are protected under the freedom of speech
by Ramona Kimmich
On August 24, 2018, (docket no.: 18 W 12947/18), the Court of Appeals Munich held that social networks are prohibited from deleting a certain user’s post if it is protected under the freedom of speech. The court invalidated a clause in the social network’s terms of service, according to which the social network operator is granted the right to delete posts that are in breach of its policies in their view. According to the court, the deleted post would clearly not qualify as “unlawful content,” so its deletion would constitute an unreasonable disadvantage to the user.
Conclusion: The decision demonstrates the legal risk that social media networks bear as they have to take down unlawful content immediately but at the same time must not over-delete content. See more details on our blog.
7. ECJ: Re-posting of copyright-protected works
by Dr. Philipp Süss, LL.M./Dr. Alexander Hardinghaus, LL.M.
By judgment of August 7, 2018, (docket no.: C-161/17), the ECJ ruled that the posting of a photograph on a website requires the consent of the rightsholder, even if the photograph has previously been freely accessible on another website with the rightsholder’s consent. In the view of the ECJ, such re-posting constitutes an act of “communication to the public.” Other than the insertion of a hyperlink to the original website, the photograph is communicated to a “new public” within the meaning of the EU Copyright Directive 2001/29/EC. The ECJ stressed that the rightsholder had not taken into account this public when he consented to the initial communication.
Conclusion: Photographs freely available on the internet may only be made publicly accessible on another website with the rightsholder’s consent. If such consent is not available, providing a hyperlink may be an alternative. See more details on our blog.
Recommended reading in the areas of EU/German IT and data protection law
New laws
- New ePrivacy Regulation draft by the Council of the EU.
Recommended readings
- German Data Protection Authorities have released guidance on processing personal data for purposes of direct marketing under GDPR.
- When do organizations need to carry out a DPIA? More on our blog.
- The impact of a “No-deal Brexit” on data protection. More on our blog.
- Study of the EUIPO on trade secrets litigation.
- Berlin court holds that bitcoin is not a financial instrument contrary to the practice of the financial regulator. More on our blog.