Table of contents
- New cookie rules in Germany will apply as of December 1, 2021
- German data protection authorities conduct coordinated audits on international data transfers
- Mainz Administrative Court: Data protection requirements for emails sent by individuals with a duty of professional confidentiality
- Cologne Court of Appeal: Influencers must also label unpaid product posts as advertising
- Saarland Administrative Court of Appeal: Double opt-in by email not suitable for consent to telephone advertising
- ECJ: Framing in circumvention of safeguards requires copyright holder’s consent
- German Supreme Court: Admissibility of charging a fee for payment when engaging payment service providers
Save the date: Webinar on the new German cookie rules with Visitor Analytics on July 1, 2021
Save the date: Munich Data Date on the new EU standard data protection clauses and EU digitalization regulations on July 9, 2021
1. New cookie rules in Germany will apply as of December 1, 2021
by Dr. Andreas Splittgerber
After a 12 year delay, German lawmakers have passed a new cookie law (TTDSG). Germany is now in line with many other EU countries in requiring consent for cookies and other tracking technologies that store information on or read information from users’ devices, unless the technology is required to provide a website service. The TTDSG applies to website operators worldwide that target German users.
The German lawmakers were not very creative and copied the wording of the 2009 EU Cookie Directive. The TTDSG was rushed through the legislative process and contains a couple of other rules for businesses operating in the electronic communications sector that will be unwelcome to some.
Conclusion: Many organizations will have to switch to consent when using cookies and similar technologies. There is some leeway for “novel” mechanisms, such as website measurement based on server request data. For more details listen to our podcast.
2. German data protection authorities conduct coordinated audits on international data transfers
by Sven Schonhofen, LL.M.
The German data protection authorities are currently auditing organizations with joint questionnaires on international data transfers following Schrems II. The questionnaires relate to the use of service providers for sending emails, hosting websites, web tracking, managing applicant data and the intra-group transfer of customer and employee data. The questionnaires can be accessed on datenschutz-hamburg.de.
Conclusion: The timing of these audits is surprising due to the finalization of the new standard data protection clauses
3. Mainz Administrative Court: Data protection requirements for emails sent by individuals with a duty of professional confidentiality
by Caroline Walz
In its ruling of December 17, 2020 (docket no. 1 K 778/19.MZ), the Mainz Administrative Court dealt with the question of whether a lawyer must comply with a higher level of protection under article 32 of the GDPR when sending confidential client information via email. The court answered in the negative as the GDPR does not contain an explicit regulation for parties subject to professional confidentiality. Only the general standards set out in articles 9 and 10 of the GDPR must be observed. However, as long as there is no indication of special category data requiring a higher level of protection, transport encryption is sufficient.
Conclusion: Standard transport encryption is sufficient to comply with article 32 of the GDPR, even when personal data is sent by an individual with a duty of professional confidentiality.
4. Cologne Court of Appeal: Influencers must also label unpaid product posts as advertising
by Dr. Philipp Süss, LL.M./Dr. Alexander Hardinghaus, LL.M.
By its judgment of February 19, 2021 (docket no. 6 U 103/20), the Cologne Court of Appeal held that influencer posts must be labeled as commercial practice/advertising even if there is no concrete evidence that the influencer has received any payment from the company in question. In the court’s view, the specific appearance of the post is decisive in assessing whether commercial or editorial content predominates.
Conclusion: The judgment deviates from recent decisions of other higher courts in Germany. A landmark ruling by the German Supreme Court is desirable, especially since legislative initiatives to create legal certainty have had little success to date.
5. Saarland Administrative Court of Appeal: Double opt-in by email not suitable for consent to telephone advertising
by Dr. Thomas Fischl
By its judgment of February 16, 2021 (docket no. 2 A 355/19), the Saarland Administrative Court of Appeal held that organizations may not use personal data consumers provide in emails for further advertising purposes. Advertising by (cold) calling a consumer, requires the consumer’s prior express consent. The court held that the double opt-in procedure via email is not appropriate for proving consent to telephone advertising.
Conclusion: While the double opt-in procedure is recognized in practice and legally unobjectionable when obtaining consent for e-mail advertising, the procedure has its limits, which are reached in the context of consent to telephone advertising.