- ECJ and GDPR: Another decision hitting social media activities by companies
- EDPB does not opt for changes to EU standard contractual clauses
- EU Commission on implementation of GDPR
- Second German GDPR Implementation Act
- Frankfurt Court of Appeals: no general prohibition on bundling marketing consent to sweepstakes
- ECJ: landmark decision on sampling
- Frankfurt Court of Appeals ruling on influencer marketing and manufacturer tags
- Munich Regional Court: Affiliate links to be clearly labelled as advertisement
1. ECJ and GDPR: Another decision hitting social media activities by companies
On July 29, 2019 the ECJ (docket no.: C-40/17) ruled that website operators using social plugins are joint controllers with Facebook for the collection of personal data by the social plugin.
This means that website operators are responsible to inform users (Art. 13 GDPR) and obtain the required consent (Art. 7 GDPR) - regarding the personal data that is collected via their website (not for the further processing by Facebook). Using "Shariff” or a similar solution that "shields" the social plugin and only activates it if users actively click it might also be a solution and even help arguing that website operators are no joint controllers (see further details in the analysis of the judgment).
Conclusion: After Facebook Insights (more on our blog), social plugins are another specific area where courts see a joint controllership between Facebook and companies using Facebook functions. Courts and data protection authorities clearly want to shed light into the often unclear processing of personal data in connection with social media presences. We expect more decisions in this area. Companies should generally check compliance of their social media activities with data protection laws and balance legal risks against upsides.
2. EDPB does not opt for changes to EU standard contractual clauses
On July 17, 2019, the European Data Protection Board (‘EDPB’) published its pleading before the ECJ of July 9, 2019, in the case of Irish Data Protection Commission v. Facebook and Schrems (docket no.: C-311/18). The EDPB has commented on the legal framework necessary to assess whether an adequate level of data protection exists (consideration of the entire EU legal framework as well as in the country where the recipient is established; including at the time of the transfer). In addition, the EDPB has stated that it is primarily the obligation of data exporters and data importers to assess whether the data transfer is in accordance with the requirements applicable to EU standard contractual clauses. A review by the EU Commission is not necessary. National data protection authorities can check parties’ compliance with the requirements on a case-by-case basis (e.g., on the basis of complaints) and suspend data transfers accordingly.
Conclusion: The EDPB has correctly assumed that EU standard contractual clauses can offer comprehensive protection, provided that they are enforced effectively. A declaration of invalidity would have far-reaching economic consequences for companies operating internationally. The Advocate General announced his opinion for December 12, 2019; the ECJ will likely hand down its decision in 2020.
3. EU Commission on implementation of GDPR
On July 24, 2019, the European Commission published a communication on the impact of the EU data protection rules and how their implementation can be further improved. In the communication, the Commission points out that most EU member states have set up the necessary legal framework and companies are developing a compliance culture, while citizens are becoming more aware of their rights. The communication additionally sets out steps to strengthen the data protection rules and their application.
Conclusion: The Commission will further evaluate whether the steps suggested will strengthen compliance and will report on the implementation of the GDPR in 2020, including a review of the 11 adequacy decisions adopted under the old Data Protection Directive.
4. Second German GDPR Implementation Act
by Dr. Philipp Süss, LL.M./Dr. Alexander Hardinghaus, LL.M.
On June 28, 2019, the German Parliament passed the Second GDPR Implementation Act (the ‘Act’). The Act will align 154 German laws with the requirements of EU data protection law, in particular the GDPR and Directive (EU) 2016/680. The most significant amendment is the increase of the threshold for the requirement to designate a data protection officer in companies that act as data controllers and processors from 10 to 20 employees who are permanently involved in the automated processing of personal data. This increase is intended to give smaller companies and non-profit associations more flexibility. The Act is still subject to formal consent by the German Federal Council.
Conclusion: Germany is in the course of aligning its entire legal system with the requirements of the GDPR. More on our blog.
5. Frankfurt Court of Appeals: no general prohibition on bundling marketing consent to sweepstakes
by Friederike Wilde-Detmering, M.A.
In its decision of June 27, 2019 (docket no.: 6 U 6/19), the Frankfurt Court of Appeals ruled that participation in sweepstakes can generally be bundled with marketing consent under the GDPR. The GDPR does not provide for a general prohibition of bundling consent, provided that the voluntary nature of consent is guaranteed, where ‘voluntary’ is understood to mean ‘without coercion’. This is the case with informed marketing consent in the context of sweepstakes, in accordance with Art. 7 GDPR, since consumers can decide for themselves whether they wish to disclose personal data to gain the chance of winning a prize.
Conclusion: Organisations may make participation in sweepstakes dependent on marketing consent, provided that they transparently inform participants about the types of advertising, the products and the companies (including partner companies) for which consent is granted.
6. ECJ: landmark decision on sampling
In a legal dispute that has been dragging on for 20 years, the ECJ had to decide on the lawfulness of copying a two-second rhythm sequence by means of sampling. In its judgment of July 29, 2019 (docket no.: C-476/17), the court held that the reproduction of a sound sample, even if very short, required the authorisation of the phonogram producer. An authorisation was not required, however, if the sound sample was used in a modified form, unrecognisable to the ear, in another phonogram. The use of the sound sample may be covered by the quotation right. Further, the ECJ held that section 24 of the German Copyright Act (on the right to free use) was not in conformity with EU law.
Conclusion: A clear winner of the ECJ judgment – the phonogram producer or the sampler – cannot be identified.
7. Frankfurt Court of Appeals ruling on influencer marketing and manufacturer tags
While many other courts take the view that links that direct to manufacturer profiles trigger a labelling obligation, the Frankfurt Court of Appeals held in its judgment of June 28, 2019 (docket no.: 6 W 35/19) that this is not the case. The mere tagging of a manufacturer’s profile only was a strong indication of commercial action. The Frankfurt Court of Appeals, however, also emphasised that the influencer maintained a business relationship with the manufacturer, whose products he presented on his profile. As a result, if influencers’ posts included product presentations and manufacturer tags, they were considered commercial content, triggering an obligation to label them as advertisements.
Conclusion: The courts’ decisions on the labelling of influencer posts as advertising are still inconsistent. Against this background, the German legislator has announced changes to the law to provide legal certainty.
8. Munich Regional Court: Affiliate links to be clearly labelled as advertisement
by Arne Senger, LL.M.
In its ruling of February 27, 2019 (docket no.: 33 O 2855/18), the Munich Regional Court I ruled that affiliate links, that are placed on websites and give the impression of being purely editorial in nature, must be clearly labelled as advertisements. In particular, because freely accessible content on the internet is often financed through clearly labelled and recognisable advertisements, consumers do not expect additional income to be generated within an article itself through links to affiliate partners. The Munich Regional Court considered this to be misleading to consumers.
Conclusion: Affiliate links must be clearly labelled as advertisement. Using the shopping cart symbol before the link alone might not be sufficient.
New laws and recommended reads in the areas of EU/German IT and data protection law
New laws
- Current ePrivacy Regulation draft by the Council of the European Union. More on our blog, including the German government’s assessment of the current status of the ePrivacy Regulation.
Recommended reads
- Publications of the European Data Protection Board:
- Guidelines on processing of personal data through video devices
- Impact of the US Cloud Act on the EU legal framework
- Annual Report 2018
- Publications of German data protection authorities:
- DPA Lower Saxony: GDPR audit checklist. More on our blog.
- DPA Baden-Württemberg: Template for a joint controller agreement.
- DPA Berlin: Announcement of high fines. More on our blog.
- Publications on cookies:
- German DPAs
- ICO
- CNIL
- Publication of the Irish DPA on data breaches.
- Dresden Court of Appeals: No claims for damages under Article 82 GDPR for minor GDPR violations. More on our blog.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.
If you would like more information about how these developments may affect your business, please contact Dr. Andreas Splittgerber.