- New German Trade Secrets Act
- German DPAs publish guidance on the use of tracking tools
- German DPAs publish new statement on Facebook fan pages
- Update on GDPR fines
- Update on transparency requirements for influencer marketing
- German Supreme Court once again refers a question on copyright infringement by framing to CJEU
- Berlin Regional Court: No extra costs permitted for different payment methods
- Austrian DPA rules that it is not possible to give consent to unencrypted emails
- Munich Regional Court I: No right of re-publication of positive reviews
- CJEU on the question whether over-the-top (OTT) services constitute “electronic communications services”
1. New German Trade Secrets Act
EU member states were required to transpose into local law Directive (EU) 2016/943 on trade secrets by June 2019. Most member states, including, for example, the UK, Hungary, Belgium, Poland and Slovakia, have already done so. Germany did so by implementing the German Trade Secrets Act (TSA). The major change under the TSA is that legal protection is now provided alongside the contractual protection that already exists under non-disclosure agreements (NDAs), provided that the owner has implemented adequate protective measures (such as an NDA).
Conclusion: It is extremely important that companies check existing confidentiality obligations imposed on employees and NDAs concluded with other organizations to make sure their trade secrets are protected under the TSA. You are invited to attend our free webinar on June 25, 2019 for more details.
2. German DPAs publish guidance on the use of tracking tools
On April 5, 2019, the German data protection authorities (German DPAs) published guidance on the applicability of the German Telemedia Act to telemedia services – including, as an example, the use of website cookies for targeted advertising post GDPR. The guidance aims to clarify and concretize a previous statement on the topic released by the German DPAs in April 2018 and to serve as guidance for the implementation of data protection requirements when processing users’ data through telemedia services.
The German DPAs confirm their previously published views and, as a key statement, point out that the consent of data subjects will be required for most tracking tools as such tools are outside the scope of the user’s expectations. Therefore “legitimate interests” cannot be used as a legal basis for such processing activities.
Conclusion: The general views of the German DPAs, and, in particular, the detailed requirements set out in the guidance with regard to cookie banners and consent tools, have received criticism on both legal and practical grounds. However, online service providers should carefully assess whether the tools they implement on their websites or in their apps actually require consent.
3. German DPAs publish new statement on Facebook fan pages
The German DPAs have again commented on the operation of Facebook fan pages in a statement of April 1, 2019 (more on the previous statements in our blog). According to the German DPAs the "Page Insights Controller Addendum" does not meet the requirements for a joint controller agreement under Art. 26 GDPR.
The German DPAs expect Facebook to improve and the operators of fan pages to meet their responsibilities, and they conclude their statement by saying that “As long as these obligations are not fulfilled, a fan page cannot be operated in compliance with data protection laws.”
Conclusion: The German DPAs provide a clear view on the current status of Facebook fan pages, but, unfortunately, fail to provide any solutions. Organizations should further monitor the developments carry out a risk assessment if they want to continue to operate their fan page. Organizations have not yet collectively deleted their Facebook fan pages.
4. Update on GDPR fines
On May 12, 2019, the German newspaper Welt Am Sonntag published statistics on fines imposed by the German DPAs under the GDPR. The German DPAs have imposed a total of 81 fines since May 2018. The fines have ranged from a few hundred euros to five-digit amounts, and have so far totaled €485,490.
Conclusion: The supervisory authorities are becoming more active with regard to fines, in both Germany and the rest of Europe, imposing, for example, a fine of €2 million in Italy for telemarketing without consent and a fine of €400,000 in France for inadequate security measures and retention periods.
5. Update on transparency requirements for influencer marketing
Based on recent judgments of courts in Germany (Karlsruhe Regional Court, judgment of March 21, 2019, docket no. 13 O 38/18 KfH; Braunschweig Court of Appeals, court order of January 8, 2019, docket no. 2 U 89/18; and Munich Regional Court I, judgment of April 29, 2019, docket no. 4 HK O 14312/18), there is a tendency for German courts to consider all posts by influencers as commercial content that must therefore be labeled as advertising. In those judgments, the courts have taken the view that influencer posts promote either the business interests of organizations that are tagged or whose products are depicted, or, where this is not the case, at least the influencer’s own business interests.
Those judgments are, however, inconsistent with regard to the questions of whether there is room for influencer posts to qualify as editorial content and whether the commercial nature is apparent from the circumstances so that there is no need for any further labeling.
Conclusion: Influencers and organizations that engage in influencer marketing should carefully follow further case law, at least until the German Supreme Court has the opportunity to create more legal certainty or until the legislator clearly regulates the labeling requirements. See our client alert for more details.
6. German Supreme Court once again refers a question on copyright infringement by framing to CJEU
by Arne Senger, LL.M.
The European Court of Justice (CJEU) has to deal with the issue of framing once again. In its decision of April 25, 2019 (docket no. I ZR 113/18), the German Supreme Court referred to the CJEU the question of whether a collecting society may require a user to take effective technical measures against framing within the framework of a license agreement. In its judgment of June 18, 2018 (docket no. 24 U 146/17), the Berlin Court of Appeals had previously declared such a clause invalid (more on this judgment on our blog).
Conclusion: It remains to be seen whether the CJEU will echo its judgment of January 14, 2014 in the BestWater case (Case C-348/13) by again ruling that such use is not covered under copyright law. The consequence would be that the collecting society would be unable to contractually oblige users to take technical measures against framing.
7. Berlin Regional Court: No extra costs permitted for different payment methods
The Berlin Regional Court (judgment of March 21, 2019, docket no. 52 O 243/18) has decided that no additional costs may be charged for the use of a payment method that falls under the SEPA Regulation (Regulation (EU) No. 260/2012) (see Section 270a of the German Civil Code). This prohibition extends beyond payment cards and SEPA transfers and direct debits, to cover payment methods such as Giropay or Pay now with online banking (Sofortüberweisung) (see also Munich Regional Court I (judgment of December 13, 2018 – docket no. 17 HK O 7439/18)). Further it is also prohibited to grant lower prices with regard to a specific payment method if a payment method under the SEPA Regulation would be more expensive as a result.
Conclusion: e-commerce players must check whether the payment methods provided for under the SEPA Regulation are offered free of charge and adjust their pricing if necessary.
8. Austrian DPA rules that it is not possible to give consent to unencrypted emails
by Dr. Philipp Süss, LL.M./Dr. Alexander Hardinghaus, LL.M.
In addition to raising several objections to the consent form used by the company concerned – a day clinic, in its administrative decision of November 16, 2018, docket no. DSB D213.692/0001 DSB/2018, the Austrian DPA concluded that it is not possible to deviate from the obligation of encrypted transmission of emails pursuant to Art. 32 GDPR by means of consent. It follows, from the reasoning in the decision, that this finding is not limited to special categories of personal data.
Conclusion: Data controllers who still use unencrypted email should consider this decision.
9. Munich Regional Court I: No right of re-publication of positive reviews
by Friederike Wilde-Detmering, M.A.
In its judgment of April 16, 2019 (docket no. 33 O 6880/18), Munich Regional Court I ruled that a dentist had no right to re-publish deleted, positive reviews originally published on a medical rating portal, as the deletion had taken place lawfully. In the opinion of the court, the deletions had only been made to maintain the portal’s standards of quality and not to cause distress to the dentist. By following its review process, which consisted of both automated and written assessments, as well as subsequent contact with the authors of the reviews (further details were not disclosed), the portal had made a decision to delete on legitimate grounds. By contrast, the dentist could not sufficiently prove the validity of the reviews in dispute.
Conclusion: Platform providers are required to implement and record effective validation processes. However, details of the processes do not need to be disclosed as they constitute trade secrets.
10. CJEU on the question whether over-the-top (OTT) services constitute “electronic communications services”
by Dr. Philipp Süss, LL.M./Dr. Alexander Hardinghaus, LL.M.
In its judgment of June 5, 2019 (Case C 142/18), the CJEU ruled that a software-based VoIP service that allows the user to call a fixed or mobile number covered by a national numbering plan via the public switched telephone network of an EU member state constitutes an “electronic communications service” within the meaning of the EU Framework Directive 2002/21/EC. In a further judgment of June 13, 2019 (Case C 193/18), the CJEU found that a web-based email service that does not itself provide Internet access does not constitute an "electronic communications service".
Conclusion: The above judgments follow increased regulatory activity by EU telecoms watchdogs aimed at OTT providers. With this in mind, organizations should carefully assess whether their OTT services fall within the scope of EU telecommunications regulations, taking into account, in particular, the recent CJEU decisions.
Recommended reading in the areas of EU/German IT and data protection law
- Directive on Copyright in the Digital Single Market. More on the infamous Art. 17 in our client alert.
- Cybersecurity Regulation. More on our blog.
- Draft Act to prevent abusive warning letters.
- Celebration of GDPR’s first anniversary on our blog.
- Publications of the European Data Protection Board
- Guidelines on Art. 6 (1)(b) GDPR. More on our blog.
- Guidelines on Codes of Conducts.
- Guidelines on certification bodies.
- Opinion on the interplay between the ePrivacy Directive and the GDPR. More on our blog.
- 1 year GDPR – taking stock.
- Publications of the German DPAs
- Resolution on the concept of broad consent and the interpretation of certain areas of scientific research. More on our blog.
- Resolution on case groups for asset deals.
- Resolution on artificial intelligence.
- Resolution on the liability of organizations for data protection violations of their employees.
- Guidance on access guarding for online service providers.
- Position paper on the use of camera drones.
- Annual reports of the DPAs
- Lower Saxony
- France (CNIL)
- UK (ICO)
- Dutch DPA released fining matrix. More on our blog.
- ICO released draft code of practice to protect the children’s online space. More on our blog.
- Opinions of Advocate General Szpunar
- Restricting GDPR access requests in employment proceedings. More on our blog.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.
If you would like more information about how these developments may affect your business, please contact Dr. Andreas Splittgerber.