1. Access rights vs. data backup

by Dr. Thomas Fischl

On February 6, 2020 (docket no.: 4 O 6/19), the Heidelberg Regional Court ruled that access rights under Article 15 of the GDPR do not apply if access can only be provided by the data controller with “unreasonable effort.” This may be the case when a large number of emails have to be restored from backup files.

Conclusion: This decision is the first apparent court case that looks at the issue of backups in the context of data subject rights. How it is evaluated and dealt with going forward is also likely to impact the discussion as to whether data from backups also needs to be deleted under the right to erasure (Article 17 of the GDPR). Ultimately, if providing access to data via backups is deemed to be disproportionate, then the erasure of this data, which equally requires prior restoration, seems to be all the more disproportionate.

2. Cookie Update: Planet49 and Cookie Walls

by Sven Schonhofen, LL.M.

In its decision of May 28, 2020 (docket no.: I ZR 7/16), the German Supreme Court confirmed that pre-ticked checkboxes do not constitute sufficient consent for cookies.

The European Data Protection Board clarified in its guidelines on consent that consent obtained by using a cookie wall is not valid and genuine consent to cookies. A cookie wall requires a user to click the “Accept cookies” button in order to use a service. The German Federal Commissioner for Data Protection, however, confirmed that cookie-or-pay walls, where the user also has the choice to use a service without cookies but has to pay a fee, may be permissible.

Conclusion: Cookies remain a hot topic. The German Supreme Court confirmed that an opt-out solution is not sufficient where consent is required. However, the court did not decide what kinds of cookies actually require consent.

3. Double opt-in required under GDPR

by Dr. Andreas Splittgerber

The “double opt-in” is considered a “German specialty” under the German Unfair Competition Act (UWG). Now, the Austrian Data Protection Authority, by its decision of October 9, 2019 (docket no.: DSB-D130.073/0008-DSB/2019), confirmed that the double opt-in procedure is also a data protection requirement under Article 32 of the GDPR. The authority stated “for example, such a data protection security measure may consist in the implementation of a double opt-in procedure for obtaining consent in conformity with the law”.

Conclusion: Double opt-in is not a “must” under the GDPR. However, it is recommended implementing a double opt-in procedure for initial contacts via the internet (e.g., when obtaining newsletter consent or for user account registration).

4. Update on influencer advertisement

by Ramona Kimmich

German case law on the obligation to label influencer posts in social media remains inconsistent. In its decision of May 13, 2020, the Braunschweig Court of Appeals (docket no.: 2 U 78/19) held that the “tagging” of manufacturer accounts triggers an obligation to label. Some higher courts have taken a less strict approach and held that the commercial purpose of influencer posts would be apparent from the circumstances (Hamburg Court of Appeals, docket no.: 15 U 142/19; Munich Court of Appeals, docket no.: 2 U 78/19).

The German legislature has published a proposal under which influencer posts do not have to be labeled as advertising if the posts are primarily used for information purposes or to shape public opinion and the influencer receives no payment or similar consideration. However, the details of the proposed statutory requirements remain unclear. See more details on our blog.

Conclusion: It remains to be seen whether the German Supreme Court will have the opportunity to specify the rules around influencer advertising and provide legal clarity.

5. German Supreme Court: on how company reviews and ratings are presented on review platforms

by Arne Senger, LL.M.

In its decision of January 14, 2020 (docket no.: VI ZR 496/18), the German Supreme Court (BGH) confirmed that review platforms can rate user reviews by means of an algorithm and that the overall rating of a company may exclude “not recommended” ratings.

According to the BGH, this is permissible provided that users of the review platform are sufficiently informed about the composition of the overall rating. The BGH also stated that in qualifying user ratings as “recommended” or “not recommended,” the platform could also invoke its rights of freedom of profession and expression. Businesses, on the other hand, would have to accept criticism of their services and related public discussion.

Conclusion: With this ruling, the BGH strengthens the position of review platforms with regard to the presentation of reviews and ratings. However, the BGH does not specify the requirements for the algorithms used to rate user reviews.

6. ECJ: details of alternative dispute resolution entity must be provided in general terms and conditions of consumer contracts

by Dr. Philipp Süss, LL.M./Dr. Alexander Hardinghaus, LL.M.

The European Court of Justice (ECJ), in its preliminary ruling of June 25, 2020 (docket no.: C-380/19), held that traders who provide, in an accessible manner on their websites, the general terms and conditions of sales or service contracts (T&Cs) must also provide, in those T&Cs, information about any relevant alternative dispute resolution (ADR) entity or entities pursuant to Article 13 of Directive 2013/11/EU (with which traders must comply) if they commit to or are obliged to use such ADR entity or entities to resolve disputes with consumers, regardless of whether the traders conclude contracts with consumers via their websites. In the view of the ECJ, in this respect, it is not sufficient that a trader either provides the information in other documents accessible on its website, or under other tabs thereof, or provides the information to the consumer in a separate document from the T&Cs upon conclusion of the contract subject to those T&Cs.

Conclusion: In the light of the clear statement from the ECJ, the common practice of only informing consumers about the relevant ADR entity or entities in the imprint is no longer sufficient. The information should also be included in the T&Cs of consumer contracts.

7. Metadata also constitutes trade secrets

by Christian Leuthner

The German Federal Administrative Court, in its decision of March 3, 2020 (docket no.: 20 F 3.19), decided that external characteristics of files (including metadata such as file extensions, file size and certain combinations of these) can also constitute trade secrets if these characteristics allow conclusions to be drawn about corresponding trade and business secrets (e.g., the programming language used). Passing on such files without making them completely unrecognizable may therefore constitute a violation of the German Trade Secrets Act.

Conclusion: When passing on third party information, companies must assess whether conclusions about the confidential information received are possible and take appropriate precautionary measures. Employees must also be made aware of this issue with regard to the disclosure of both own company information and the information of contractual partners.

8. ECHR: blocking of entire websites violates freedom of expression

by Friederike Wilde-Detmering, M.A.

In its decision of June 23, 2020 (docket no.: 10795/14), the ECHR held that ordering a worldwide blocking of access to websites on the basis of local laws could violate the freedom of expression. Such blocking would be tantamount to banning a newspaper and too susceptible to abuse without legal safeguards such as an ex-ante impact assessment and monitoring by courts and authorities.

Conclusion: The decision is of particular relevance to hosting providers who are subject to non-territorially limited injunction, as it provides further arguments against a worldwide deletion obligation.

Recommended reading in the areas of EU and German IT and data protection law

by Sven Schonhofen, LL.M.

• European Data Protection Board
  • Guidelines on connected cars
  • Guidelines on consent
• Commission: implementation report after two years of GDPR
• Annual reports of German supervisory authorities
  • Bavaria
  • Baden-Württemberg
  • Hesse
  • Hamburg
  • Berlin
• German supervisory authorities
  • Guidelines on email encryption. More on our blog.
  • Guidelines on the use of Google Analytics
• Data processing under Article 28 of the GDPR
  • FAQ by Lower Saxony supervisory authority
  • Template-data processing agreement by Baden-Württemberg supervisory authority
• Discussion paper of the German presidency to the Council of the EU on the ePrivacy Regulation
• The Platform-to-Business Regulation has applied since July 12, 2020. More in our client alert.
• Recommendation by the Council of Europe on the human rights impacts of algorithmic systems