1. More on Google Analytics and GDPR in Europe
by Dr Andreas Splittgerber
After several decisions by EU data protection authorities regarding the ‘old’ set-up of Google Analytics (situations prior to the new Standard Contractual Clauses (SCCs) and certain changes by Google; see also our previous posts and podcast), EU data protection authorities are now firm in their position that the use of Google Analytics and similar tools in such situations is not compliant with GDPR or, at the very least, are quite problematic. There are not yet any published decisions on Google Analytics under new SCCs. The Commission Nationale de l'Informatique et des Libertés (National Commission for Computing and Liberties) (CNIL) has now published guidance on the data protection-friendly use of Google Analytics (reach measurement) via a proxy solution.
Conclusion: EU data protection authorities have taken a close look at the use of website trackers. The main issues are the data transfers to the United States that cannot be justified with user consent. The CNIL solution is a first “help” by a data protection authority on how to use Google Analytics (and similar tools), however, organizations will then only be able to use a portion of the tool’s functionalities.
2. Checklist for data processing agreements from German supervisory authorities
by Friederike Wilde-Detmering, M.A.
In coordination with various other German data protection authorities, the Berlin Commissioner for Data Protection and Freedom of Information published a checklist for reviewing data processing agreements (DPAs) on 19 July 2022. The checklist was created for the review of DPAs with web hosts, but it is also helpful and relevant beyond this purpose. Complete instructions have been published together with the checklist.
Conclusion: The checklist deals with topics that are often disputed in practice (for example, identification of specific safety measures and costs for audits) and therefore generally offers beneficial guidance for drafting and negotiating DPAs.
3. CJEU: Scope of special category personal data
by Sven Schonhofen, LL.M.
The Court of Justice of the European Union (CJEU) decided in its judgment of 1 August 2022 (docket no. C-184/20) on the scope of special category personal data. The case concerned whether the name of a spouse or partner could be regarded as information concerning a person’s sex life or sexual orientation. The CJEU stated that special category personal data must be interpreted widely and covers not only inherently sensitive data but also indirect sensitive data which requires an intellectual operation involving deduction or cross-referencing.
Conclusion: Due to the broad interpretation of special category personal data, a lot more processing activities might have to comply with the strict requirements under article 9 GDPR, particularly the consent requirement in article 9(2)(a) GDPR. However, because the CJEU has not defined the scope of indirect special category personal data, this decision leaves a lot of uncertainty.
4. Frankfurt Court of Appeals: The receipt of free e-books may trigger an obligation for influencers to label their posts as advertising
by Dr Alexander Hardinghaus, LL.M.
In its judgment of 19 May 2022 (docket no. 6 U 56/21), the Frankfurt Court of Appeals held that the promotion of e-books received free of charge by an influencer on Instagram with a link to the company via tap tags must be labelled as advertising.
Conclusion: The judges had to deal with a case that took place before the new section 5a(4) of the German Act against Unfair Commercial Practices entered into effect on 28 May 2022. But also under the new legal framework, a commercial purpose of a post on social media, which triggers the labelling requirement, does not only exist where influencers receive monetary compensation. In addition, influencers who are promised a “similar consideration” are required to label their posts accordingly.
5. Kassel Local Court: Confirmation email in double opt-in process not spam
by Joana Becker
In its judgment of 26 April 2022 (docket no. 435 C 1051/21), the Kassel Local Court decided that sending a mere confirmation email as part of a double opt-in process (DOI) for subscribing to a newsletter is not an unauthorised advertising mailing. In this case, the defendant sent the plaintiff an email in which he would have had to confirm his email address in order to confirm his subscription to the newsletter. The plaintiff considered this to be a legal violation as he had not subscribed to the newsletter.
Conclusion: Unlike the Berlin Regional Court (decision of 19 September 2019, docket no. 15 O 348/19) or previously the Munich Court of Appeals (judgment of 27 September 2012, docket no. 29 U 1682/12), the Kassel Local Court does not consider a mere confirmation email to be an unacceptable nuisance. This decision bolsters the use of the DOI procedure by advertisers in the context of sending newsletters and also demonstrates that DOI is a practical way to prove consent for email advertising. It should be noted, however, that a confirmation email in the DOI process is considered to be an unacceptable nuisance if it contains advertising content.
6. Advocate General/CJEU: Scope of the right of access under the GDPR
by Dr Thomas Fischl
On 9 June 2022, the Advocate General at the CJEU in his Opinion (docket no. C 154/21) specified the scope of the right of access under article 15(1)(c) of the GDPR. In the initial Austrian case, an individual had requested information from the postal service about the disclosure of his data and its recipients. In the response, he only received information about possible categories of recipients. According to the Advocate General, the right of access should include information about the specific recipients of disclosed data.
Conclusion: This right of access should only be limited to the indication of categories of recipients if a more detailed determination is impossible for factual reasons or if the controller proves that the data subject's request is manifestly unfounded or excessive. Should the CJEU rule accordingly, this also presupposes that the data processing entity indeed also knows all recipients.
7. Düsseldorf Administrative Court on the right to access under article 15 of the GDPR
by Irmela Dölle
In a ruling dated 7 March 2022 (docket no. 26 K 406/19), the Düsseldorf Administrative Court decided that the transcript of an employee appraisal in which a colleague made critical comments about the plaintiff does not have to be disclosed as part of a right to access request under article 15 of the GDPR. Article 15 of the GDPR is not intended to serve as a means to obtain personal data about other persons (in this case, the work colleague). The rights and freedoms of such other persons would be affected if their data (in this case, the interview transcripts) were released.
Conclusion: Transcripts of conversations which do not contain any statements by the person requesting information, but only statements about the person requesting information, cannot be requested pursuant to article 15 of the GDPR. The rights and freedoms of the person(s) whose information is requested outweigh the interests of the person(s) requesting the information.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- European Data Protection Board
- Guidelines on certification as a tool for transfers
- Guidelines on the use of facial recognition technology in the area of law enforcement
- Guidelines on the calculation of GDPR fines
- Guidelines on dark patterns in social media platform interfaces
- German data protection authorities
- Decision on employee data protection
- FAQ on Facebook fan pages
- Guidelines on e-commerce using guest access
- Decision on scientific research and data protection
- Annual reports of German data protection authorities
- New rules to strengthen and better enforce consumer rights in Germany and the EU – more on our blog
- European Parliamentary Research Service: briefing on the metaverse
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy, and security; data risk management; intellectual property; social media; and more. Recent episodes have covered eComms compliance, M365, an update on ICO activities, analytics cookies, and AI vendors.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.