1. Make U.S. data transfers possible again: taking the first big step toward an EU–U.S. transatlantic data protection framework
by Dr Andreas Splittgerber and Christian Leuthner
On 7 October 2022, U.S. President Joe Biden issued an executive order, “Enhancing Safeguards for United States Signals Intelligence Activities” (EO). Above all, the EO requires intelligence agencies to adjust their policies to reflect the proportionality and necessity principles, and requires that a Data Protection Review Court be set up in the United States. Both of these actions could take as long as one year. At the same time, the EU Commission will assess whether the EO and its implementation sufficiently address GDPR concerns in order to issue an adequacy decision. See our blog post with details and links to all relevant documents.
Conclusion: The EO is an important step in the right direction. Even without an EU adequacy decision yet, the EO and its implementation will have strong weight in justifying data transfers to the United States. So far, we have seen both positive and less positive statements by EU data protection authorities.
2. Advocate General: requirements for GDPR damages
by Sven Schonhofen, LL.M.
The requirements for non-material damages under art. 82 GDPR are still highly controversial among the German courts. The Advocate General has now established principles for non-material damages in his Opinion of 6 October 2022 (docket no. C-300/21). For a damage claim under art. 82 GDPR, the mere violation of a GDPR provision is not in itself sufficient; a material or immaterial damage is also required. The compensation for non-material damage does not cover mere upset as a result of the GDPR violation.
Conclusion: It remains to be seen whether the CJEU will follow the Advocate General. If this happens, it would be possible for companies to defend themselves against claims for damages under the GDPR in a large number of cases.
3. Fine due to a conflict of interest of the data protection officer
by Dr Thomas Fischl
The Berlin data protection supervisory authority (BlnBDI) recently imposed a fine of €525,000 on a subsidiary of a Berlin-based e-commerce group. In this notable conflict-of-interest case, the company's data protection officer – who was also the managing director of two of the group’s service companies that processed personal data on behalf of the company for which he was the data protection officer – was reprimanded.
Conclusion: So far, few complaints regarding a conflict of interest on the part of the data privacy officer have come to light. However, companies that have appointed an internal data protection officer should now pay close attention to possible conflicts of interest.
4. Federal Supreme Court rules on obligations for providers of online platforms to monitor customer ratings
by Dr. Alexander Hardinghaus, LL.M.
By judgment of 9 August 2022 (docket no. VI ZR 1244/20), the Federal Supreme Court (BGH) decided that the provider of an online hotel rating platform has a duty to investigate a (negatively) rated hotelier's general objection that the alleged customer who submitted the rating under a pseudonym has never been a guest of the hotel, even if there are circumstances that suggest a guest contact took place. If the provider fails to conduct any investigation, it is assumed that the rating was not submitted by a real hotel guest. In this case, the provider has an obligation to take down the rating from its platform.
Conclusion: Operators of rating platforms and online portals criticize the judgment for being in contradiction to the established statutory liability safeguards for hosting providers (so-called “Störerhaftung”) and the new Digital Services Act. It remains to be seen whether the BGH will change its view once the Digital Services Act has entered into effect.
5. Spanish data protection authority fines energy company €48,000 for insufficient identity verification
by Joana Becker
A caller contacted the energy company and asked the company to change the email address of a customer and to receive the last two bills of this customer. In response, the energy company requested the caller's name, address, ID card number, contract number, and the last four digits of the account number to verify his identity. A short time later, it was discovered that the caller was not the customer, but instead was an uninvolved third party.
The Spanish data protection authority considered the identity check to be a violation of art. 5(1)(f) GDPR (the principle of integrity and confidentiality) and art. 32 GDPR, due to a lack of technical security in data processing.
Conclusion: This decision has the potential to create uncertainty in practice, as there is no justification as to why the identity check carried out here was insufficient. In particular, the combination of name, address, ID card number, contract number, and the last four digits of the account number is very specific data that is generally suitable for verifying the identity of a customer.
6. Hamburg Regional Court: deletion claims by legal entities
by Irmela Dölle
In its ruling of 11 December 2020 (docket no. 324 O 30/20), the Hamburg Regional Court decided that legal entities can also derive claims for erasure from the GDPR. The scope of application of the GDPR is opened if the processed information about the legal entity (also) relates to the natural person behind the legal entity. In this instance, the court considered this to be the case with regard to the company name and the registered office address of the plaintiff, as these referred to its managing directors: the company name contained the surname of the managing directors, and the plaintiff's place of business was also the residential address of its managing directors.
Conclusion: If the natural persons behind a legal person are affected and if data processing has a direct impact or a so-called “knock-on” effect on them, a legal person may also fall within the scope of the GDPR.
7. Legislation update
by Tim Sauerhammer
- In October 2022, the Council of the European Union gave the green light to the long-awaited Digital Services Act, which updates the now 20-year-old e-commerce directive. The regulation provides rules on obligations and liability exclusions for intermediary services (especially for online platforms such as social media, online marketplaces, or search engines) and is intended to contribute to a safe and trustworthy online environment. The law is to be published in the Official Journal of the European Union this fall and will then become effective approximately 15 months later.
Conclusion: The Digital Services Act introduces a canon of new requirements for intermediary services. Companies should therefore assess whether they offer such a service and whether the new regulations apply.
- In addition, the Council also approved the Digital Markets Act. The regulation targets individual actors who hold a particularly prominent market position in the ecosystem of online platforms in their respective branch. These so-called “gatekeepers” must now adhere to additional regulatory requirements – otherwise they face a fine of up to 10% of total global revenue. The law will become effective as of 2 May 2023.
Conclusion: The regulation features several very important changes. For gatekeepers, the new rules mean an overhaul of their internal processes; platform users, on the other hand, can look forward to more favorable competitive conditions.
- In view of the continuing importance of artificial intelligence in everyday life, the EU Commission has drafted a proposal for an Artificial Intelligence Liability Directive (AILD). The AILD is intended to complement the Artificial Intelligence Act (AI Act) and create uniform rules across Europe for non-contractual civil liability for damages caused by AI systems. The focus is on a victim-friendly burden of proof and simplified access to evidence. However, the Commission’s proposal still has to be adopted by the European Parliament and the Council.
Conclusion: Even if the date of entry into force and the specific details of the directive have not yet been finalized, the draft already indicates the intended direction. Companies that want to use AI should start making preparations early and, as a first step, obtain an overview of all data collected or to be collected.
8. Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- European Data Protection Board
  - Guidelines on data breach notification
  - Guidelines on identifying a controller or processor’s lead supervisory authority
- Bavarian DPA: Annual Report
- Bavarian DPA: Checklist on email account security
- Bitkom: Model for technical and organizational measures in case of processors
- EU Commission: Draft Cyber Resilience Act – more on our blog
- ICO: Recommendations on data subject rights requests – more on our blog
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy, and security; data risk management; intellectual property; social media; and more. Recent episodes have covered the Unified Patent Court, eComms compliance, data protection in China, and M365.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.