- ECJ: Global take-down duties of hosting providers
- ECJ on the territorial scope of the right to de-referencing v. operators of search engines
- Munich District Court: Right of access by data subject pursuant to Article 15 (1) GDPR does not include internal comments
- Working papers on special protection of the privacy of children
- EBA Guidelines apply
- Update on transparency requirements for influencer marketing
In its judgment on 1 October 2019 (docket no.: C-673/17, Planet49), the ECJ held that – for all EU countries that have transposed the Cookie Directive 2002/58/EC into local law (for example, the UK) – all cookies require the website user’s consent. The German supervisory authorities emphasised that, for websites that address German users, the use of analytics cookies that do not track users from website to website and functionality cookies may still be based on the website operator’s legitimate interests. According to the ECJ, where cookie consent is required, consent obtained through pre-ticked checkboxes is invalid.
Conclusion: ECJ and EU legislators have not provided uniform guidance on the question as to whether cookies on EU websites require consent. At the same time, cookie compliance remains a hot topic. The Spanish supervisory authority has fined an airline for offering an insufficient tool to configure cookie preferences (see the European Data Protection Board’s according press release at edpb.europa.eu). See more details at Technology Law Dispatch.
2. ECJ: Global take-down duties of hosting providers
On 3 October 2019 (docket no.: C-18/18), the ECJ handed down its judgment in the case of Austrian politician Eva Glawischnig-Piesczek against Facebook Ireland Limited, which deals with the take down of content by Facebook pursuant to Article 15 of the E-Commerce Directive (Directive). It was held that the Directive does not preclude a court of a Member State from ordering a hosting provider, such as Facebook, to remove content (and block future content) from its platform, where that content is identical to or equivalent to information that has already been deemed unlawful.
Conclusion: In some ways, this is not new. What is controversial is that the EU is extending its remit to the global stage rather than simply to EU Member States.
3. ECJ on the territorial scope of the right to de-referencing v. operators of search engines
In its judgment on 24 September 2019 (docket no.: C-507/17), the ECJ held that a search engine operator has to comply with the ’right to be forgotten’ with regard to the versions of that search engine corresponding to all the EU Member States, but not with regard to versions of that search engine corresponding to areas outside the EU. According to the ECJ, where necessary, the search engine operator would need to take measures to prevent, or at the very least, seriously discourage an internet user conducting a search from one of the Member States from gaining access, via the list of results displayed following that search, to the links that are the subject of that request (so called ‘geo-blocking’). At the same time, the ECJ makes clear that EU law does not prohibit a supervisory or judicial authority of a Member State to order, where appropriate, after weighing the data subject’s right to privacy and the right to freedom of information, the search engine operator to carry out a de-referencing on a worldwide basis.
Conclusion: In principle, the right to de-referencing v. search engine operators is limited to the territory of the EU. However, EU law does not prevent national authorities from issuing, on a case-by-case basis, orders against search engine operators to carry out a global de-referencing.
4. Munich District Court: Right of access by data subject pursuant to Article 15 (1) GDPR does not include internal comments
In its judgement on 4 October 2019 (docket no.: 155 C 1510/18), the Munich District Court held that the data subjects’ right to obtain confirmation from the controller as to whether or not personal data is being processed (right of access) is to be broadly interpreted and covers all personal data stored by the controller that makes it possible to identify the data subject. Besides health data, the court also explicitly includes data for asserting collection costs against the data subject. However, the court considers internal procedures, such as notes and all exchanged correspondence of which the data subject is already aware, as well as legal assessments and analyses to be excluded. According to the court, Article 15 (1) GDPR does not serve to simplify the accounting of the data subject but is intended to ensure that the data subject can assess the quality and quantity of the data stored and processed about them.
Conclusion: Another German court takes it upon itself to define the right of access pursuant to Article 15 (1) GDPR. It remains to be seen whether such broach interpretation will provide greater clarity or lead to further confusion. The Landau District Court in a similar case (docket no.: 3 O 389/17) found the right of access to be comprehensive.
5. Working papers on special protection of the privacy of children
The International Working Group on Data Protection in Telecommunications (IWGDPT) has released a working paper on the protection of the privacy of children in online services (WP). The WP highlights the main privacy risks and challenges associated with the use of online services by children. The WP recommends in particular that (i) parental consent should be obtained unless there is another legal basis for processing, (ii) reliable measures should be implemented to verify the age of the user and authenticity of parental consent, (iii) information about processing activities should be provided in a transparent and child-friendly manner (for example, using graphics or videos) and (iv) mechanisms to ensure data quality should be implemented since data about children often becomes outdated.
Conclusion: Online service providers for children should implement special mechanisms that adequately protect children’s privacy. The IWGDPT has called on regulators to audit and investigate online services commonly used by children. We thus expect increased activities by supervisory authorities in this area.
6. EBA Guidelines apply
Since September 30, 2019, the new Guidelines on Outsourcing of the European Banking Authority (EBA) (Guidelines) apply. The Guidelines replace the previous version from 2006 as well as the guidelines on outsourcing to cloud services. In addition to a uniform definition of outsourcing for banks, investment firms and payment service providers, the focus is on many adjustments resulting from digitalization and changes to the market such as cloud computing, sub-outsourcing, outsourcing within a group of companies, processing locations and business continuity.
Conclusion: Regulated companies should consider these Guidelines, regardless of whether the EBA is the competent supervisory authority. Due to the large number of potential outsourcing constellations, the Guidelines must be examined on a case-by-case basis to determine whether a requirement applies.
7. Update on transparency requirements for influencer marketing
In its judgement on 24 October 2019 (docket no.: 6 W 68/19), the Frankfurt Court of Appeals considered an influencer post containing tags to corporate profiles to be commercial content. The influencer thanked a hotel that was tagged in her picture for inviting her. The court based the commercial purpose on the idea that any influencer post promotes the influencer’s own business interests. According to the court, the commercial nature must be disclosed and cannot be concluded from the circumstances, although the influencer has more than 500,000 followers.
Conclusion: Another German court has applied very low thresholds on qualifying influencer posts as commercial activity. There is still no clear line regarding the circumstances under which the commercial nature of an unlabelled post may become apparent.
Recommended reading in the areas of EU/German IT and data protection law
Draft German Act against Restraints of Competition – Digitalisation.
- Reed Smith Blockchain White Paper.
- European Data Protection Board:
- Guidelines on Data Protection by Design and by Default.
- Guidelines on the territorial scope of the GDPR. More information available at Technology Law Dispatch.
- Guidelines on data processing based on Article 6(1)(b) GDPR. More information available at Technology Law Dispatch.
- Guidelines on the right to be forgotten in search engine cases.
- German DPAs:
- Concept for the admeasurement of fines. More information available at Technology Law Dispatch.
- Report on experience gained in the implementation of the GDPR.
- Security measures for the development and use of AI systems.
- Standard data protection modell 2.0.
- Transfer of sensitive data by health websites and apps.
- Lower Saxony Data Protection Authority: Report on GDPR audit of 50 organizations. More information available at Technology Law Dispatch.
- Bavarian Data Protection Authority: GDPR FAQ.
- Report of the German Data Ethics Committee.
- European Commission: Report on third annual Privacy Shield review. More information available at Technology Law Dispatch.