Focus IT&C – 4. Quarter 2024

We have compiled some important and exciting new developments and case law from IT law and data protection for you. We hope you enjoy reading it!


1. Federal Court of Justice publishes judgement on damages for loss of control

2. Artificial intelligence and copyright: the training of AI

3. Proceedings against the online retailer Temu: possible violations of the Digital Services Act

4. Is the implementation of the NIS 2 Directive in Germany at risk of being delayed?

5. Data access rights in the healthcare sector are taking concrete shape

6. EDPB publishes draft new Guidelines on data processing based on legitimate interests 


1. Federal Court of Justice publishes judgement on damages for loss of control

The judgement of the Federal Court of Justice [Bundesgerichtshof – BGH] of 18 November 2024 (docket No. VI ZR 10/24) has now been published (see our article of 27 November 2024). The judgement makes it easier to prove damage due to loss of control in data protection incidents, but assesses the amount of damage as rather low.

The subject of the decision is the tapping of telephone numbers and other data of Facebook users in 2018 and 2019 and their publication on the internet in April 2021. The plaintiff sued for damages due to a noticeable loss of control over his data and his resulting fears and worries, as well as for a declaration of the obligation to compensate future damages, injunctive relief and information. The BGH largely overturned the negative decision of the Higher Regional Court [Oberlandesgericht – OLG] of Cologne.

The BGH categorises the loss of control over personal data itself as immaterial damage, provided that the plaintiff proves that they still had control over it beforehand. Further damage, such as the specific misuse of the data or psychological harm to the plaintiff, is not necessary unless the plaintiff wishes to claim a different type of damage, which they must then prove specifically. This legal categorisation by the BGH makes it easier for the plaintiff to proceed, at least in part. However, this is certainly open to challenge if one considers the ECJ's clarification that the infringement is not to be equated with the damage. Recent decisions by other supreme federal courts such as the Federal Social Court [Bundessozialgericht – BSG] or the Federal Labour Court [Bundesarbeitsgericht – BAG] also appear to contradict the view of the BGH. The necessary causality may also be doubtful in the case of loss of control, for example if an email address has already been lost and published in previous data leaks.

According to the BGH, when assessing the amount of damages in accordance with Section 287 of the German Code of Civil Procedure [Zivilprozessordnung – ZPO] one must account for the fact that Article 82 GDPR has a purely compensatory function, but no punitive or deterrent function. If the damage lies solely in the loss of control, the sensitivity and appropriate use of the specific data concerned must be taken into account, as well as the nature and duration of the loss of control and the possibility of regaining control. In this context, the BGH considers measuring the damage on the basis of the hypothetical effort required to regain control by changing the lost data. In this specific case, the BGH considers an amount in the order of around EUR 100 to be legally unobjectionable.

In all other respects, (a) the BGH affirms the admissibility of applications for a declaratory judgement if the infringement and damage have already been established, (b) strict requirements are placed on the specificity of applications for injunctive relief, although these are difficult to meet, especially in the case of data leaks resulting from cyberattacks by unknown third parties, (c) no information about specific recipients of the tapped data can be demanded if the perpetrators are unknown third parties.

For the mass of individual consumer lawsuits pending in Germany due to GDPR violations, the BGH's leading decision is only a win for plaintiffs and consumer lawyers at first glance. According to the BGH's interpretation, the loss of control may often (but not always) give rise to immaterial damages, but the damages will generally be in the modest range of EUR 100. This has undermined the numerous individual lawsuits seeking immaterial damages of several thousand euros. They cannot be pursued in a cost-covering manner, neither for the plaintiffs' lawyers nor for the plaintiffs. Class actions in the form of a model declaratory judgement or redress action, as announced by the Federation of German Consumer Organisations [Verbraucherzentrale Bundesverband – vzbv] in the group of cases decided by the BGH, are now more likely to become an alternative.

Dr. Jürgen Hartung & Dr. Vanessa Pickenpack


2. Artificial intelligence and copyright: the training of AI

AI systems are often trained with copyrighted material such as images or texts. The training involves (i) collecting data and (ii) feeding it into the neural network in order to adjust the parameters. Training with the works of third parties without the appropriate authorisation could constitute an infringement of the author's exclusive right to reproduce their work (Section 16 of the German Copyright Act [Urhebergesetz – UrhG]).

1. Reproductions during data collection

The collection and storage of protected works without the consent of the rights holder affects the reproduction rights under Section 16 UrhG. The AI provider therefore requires the rights of use from the rights holder or must be able to invoke a limitation provision.

On 27 September 2024, the Regional Court [Landgericht – LG] of Hamburg outlined the applicability and requirements of copyright limitation provisions in the context of AI training in proceedings under docket No. 310 O 227/23. The key questions of the proceedings before the LG Hamburg were whether Section 44b UrhG is applicable to AI training datasets and what requirements must be placed on the machine-readability of a reservation of use.

The court ruled that the reproduction in question could, in principle, fall under the limitation provision of Section 44b UrhG, whereas the limitation for temporary reproductions in Section 44a UrhG did not apply because the reproduction in this case was neither temporary nor ancillary. In addition, the court ruled that a reservation of use contained in the GTC is machine-readable because it is "machine-understandable" and can be processed automatically by software. The court ultimately concluded that the defendant's act of reproduction was covered by the limitation provision in Section 60d UrhG, because the defendant's activities qualified as non-commercial scientific research and the dataset was made publicly available free of charge.

2. No reproduction by storing the data in the neural network

According to the currently prevailing opinion, feeding the training data into the neural network does not affect copyright reproduction rights, as the training material itself is not stored in the neural network. Rather, only probabilities (the model parameters) are calculated and stored in the network. Such probabilities constitute neither copyright-protected works nor personal data (see the discussion paper of the Hamburg Commissioner for Data Protection and Freedom of Information [HamBfDI] on large language models and personal data, available here).

3. Practical tips

The discussion about the extent to which AI systems store copyright-protected works and personal data is in flux and has not been conclusively clarified. Companies should therefore currently

(i) establish internal guidelines on data usage and copyright compliance for AI training,

(ii) regulate usage rights in their contracts for the purchase of AI training datasets and

(iii) log their data usage for AI training.

Dr. Axel Grätz


3. Proceedings against the online retailer Temu: possible violations of the Digital Services Act

On 31 October 2024, the EU Commission initiated formal proceedings to investigate whether the online platform Temu has violated the Digital Services Act (DSA). The investigation focuses in particular on the sale of illegal products, potentially addictive design features of the service, the product recommendation algorithms and researchers' access to data.

The decision to initiate proceedings is based on a preliminary analysis of the risk assessment report submitted by Temu at the end of September 2024. The EU Commission based this on responses to requests for information dated 28 June and 11 October 2024 as well as information from third parties. In addition, it used data from the cooperation mechanism between the EU Commission and national authorities, in particular the cooperation with the Irish Digital Services Coordinator.

Subject matter of the investigation and potential violations

The EU Commission is analysing several key issues.

1. The sale of illegal products and non-compliant goods
Temu is said to operate systems that control which products may be sold in the EU. In particular, the EU Commission is investigating how the platform deals with "rogue traders" who have been associated with illegal goods in the past, and how it prevents non-compliant products from reappearing on the platform.

2. Addictive design features
A further focus is on the potentially addictive design features of Temu's website, such as game-like reward mechanisms. The investigation encompasses the extent to which these features are likely to impair the physical and mental well-being of users and how Temu attempts to minimise these risks.

3. Recommendation systems and profiling
With regard to the DSA obligations concerning product recommendations, the question arises as to whether Temu sufficiently discloses the key parameters used in its recommendation algorithms and whether it offers users an option that is not based on profiling.

4. Researchers' access to data
The EU Commission is also checking whether Temu fulfils the requirements for providing publicly accessible data for research purposes, as stipulated by the DSA.

Next steps

The EU Commission will continue to gather evidence, for example through additional requests for information or inquiries. It may also take further enforcement measures as part of the proceedings. To this end, it has the option of either issuing a non-compliance decision or requiring Temu to remedy any deficiencies identified.

The DSA does not specify a legal deadline for the conclusion of the procedure. The duration of the investigation depends on various factors, such as the complexity of the case and Temu's willingness to cooperate.

Liability in the event of a confirmed violation

If the suspicions are confirmed, Temu may be held liable for violations of the DSA. In particular, Articles 27, 34, 35, 38 and 40 of the DSA could be affected. Among other things, these provisions govern the responsibilities of an online platform to combat illegal content, to disclose the parameters of its recommendation algorithms and to cooperate with researchers. Violations could lead to significant fines of up to 6% of annual global turnover. In addition, periodic penalty payments of up to 5% of average daily global turnover are possible for each day of delay in implementing remedies, interim measures and obligations.

As a last resort, the EU Commission could request that the service be temporarily suspended. This might come into consideration if the violation continues to cause significant harm to users and involves criminal offences that endanger the lives or safety of individuals.

Dr. Hanna Schmidt


4. Is the implementation of the NIS 2 Directive in Germany at risk of being delayed?

It is becoming apparent that the planned implementation of the NIS 2 Directive in Germany will be further delayed and that it will not come into force in March 2025 as planned.

The NIS 2 Directive extends cybersecurity obligations to at least 30,000 affected companies in Germany (see our article in Focus IT&C 3rd quarter 2024). The EU member states had to transpose these obligations into national law by 17 October 2024. Germany is therefore already in "transposition delay".

The European Commission has not failed to notice the expiry of the transposition deadline. It has initiated the first steps of infringement proceedings to ensure that the NIS 2 Directive is implemented as quickly as possible, including by Germany (press release dated 28 November 2024).

Whether Germany will implement the Directive in the near future is highly questionable. Following the unscheduled end of the governing coalition, the second and third readings of the NIS 2 Implementation Act were, as far as can be seen, no longer on the agenda of the German Bundestag on 5 and 6 December (available here). This puts the previous timetable on considerably shaky ground, and it can be assumed that the NIS 2 Implementation Act will only be put back on the agenda after the planned new elections. Its entry into force will therefore be delayed until at least mid-2025.

The current draft of the Implementation Act contains hardly any transition periods, and at best only short ones, i.e. affected companies will have to comply with a large number of the standardised requirements and obligations as soon as it comes into force. Companies are therefore well advised to familiarise themselves now with the content of the Directive and the current status of the Implementation Act.

Christian Saßenbach


5. Data access rights in the healthcare sector are taking concrete shape

On 12 November 2024, the Federal Ministry of Health [Bundesministerium für Gesundheit – BMG] presented a first draft of the ordinance regulating in more detail the procedure for, among other things, the concrete implementation of data access rights under the Act on the Improved Use of Health Data [Gesetz zur verbesserten Nutzung von Gesundheitsdaten – GVNG] ("GVNG-VO-E"). The GVNG-VO-E provides an early insight into the modalities of data access and should be taken into consideration in the data strategy of research companies in the healthcare sector.

After the Act on the Improved Use of Health Data (GVNG) marked a decisive turning point in the use of health data for research purposes at the end of April 2024, the data access rights created there are now taking concrete shape. With the GVNG, the legislator created the basis for making health data stored in electronic patient records (EPRs) in connection with the treatment of patients available to researchers, upon request, on an unprecedented scale via the research data centre located at the Federal Institute for Drugs and Medical Devices [Bundesinstitut für Arzneimittel und Medizinprodukte – BfArM] (see our article in Focus IT&C 2nd quarter).

Section 14 of the GVNG-VO-E initially regulates the establishment of a "pseudonymisation working group", which is to determine the details of how the health data generated in EPRs is to be de-identified before being forwarded to the research data centre. The results of this working group will be decisive in determining how useful the data will ultimately be for researchers. It would be desirable to also involve the research industry here, which is not currently planned. However, according to Section 14 (3) of the GVNG-VO-E, it is possible to involve "other relevant stakeholders" in an advisory capacity.

The GVNG-VO-E also regulates the details of the application for data processing to the research data centre (Sections 17-20 GVNG-VO-E). Of particular practical interest here is the maximum time limit for processing by the research data centre set out in the ordinance. According to Section 18 (4) GVNG-VO-E, the BfArM must decide on an application within three months and can extend this period once by one month in the case of more extensive applications.

If an application for data access is approved, the research data centre provides the applicant with either (i) standardised datasets in anonymised form or (ii) aggregated datasets or individual datasets in anonymised or pseudonymised form in a secure virtual environment controlled by the research data centre in accordance with Section 20 (1) GVNG-VO-E. The purpose of the provision of "only" pseudonymised data, i.e. still personal data, in the protected environment of the research data centre is to protect the data subjects. Datasets on the results of research activities in this protected environment can be transferred to researchers in accordance with Section 20 (1) GVNG-VO-E.

Finally, the GVNG-VO-E contains provisions on fees (Article 2 GVNG-VO-E). A fee of 4,000 euros is envisaged for the application for data access. A fee of 1,000 euros per day is envisaged for the provision of data in the protected environment of the research data centre. While the fees for public applicants can be reduced, this is not envisaged for private companies and public-private partnerships. In the interests of equal access to data, a change would be desirable here, at least for public-private partnerships.

The BMG has initially invited various associations to comment on the GVNG-VO-E in participation proceedings. The ordinance will only be issued - possibly in an amended form - once this procedure has been completed.

Conclusion

The GVNG-VO-E provides an interesting insight into the details of the new data access rights created by the GVNG. Research companies in the healthcare sector should already be planning which research projects they can realise with the newly created opportunities. The next federal government will hopefully also focus on digitisation in the healthcare sector and further develop the details of data access via the research data centre.

Marco Degginger


6. EDPB publishes draft new Guidelines on data processing based on legitimate interests 

In October, the European Data Protection Board (EDPB) published its draft Guidelines 01/2024 on the processing of personal data based on legitimate interests based on Article 6(1)(f) GDPR. The Guidelines explain when data processing on this legal basis is lawful in the opinion of the EDPB.

1. Essential content of the Guidelines

Taking into account the CJEU ruling of 4 October 2024 (C-621/22), the EDPB requires for this (1) that the controller or a third party pursues a legitimate interest, (2) that the processing is necessary to pursue these interests and (3) that the interests or rights of the data subject do not override the legitimate interests.

1.1 Legitimate interest and necessity

The legitimate interest must be lawful, precisely formulated and actually exist. Speculative interests are excluded, as are interests that are not sufficiently specific, e.g. the “good of the community”. The EDPB interprets the necessity requirement strictly. It does not exist if less intrusive means are available or the principle of data minimisation is not being observed.

1.2 Balancing opposing interests

In particular, the Guidelines specify the balancing of interests. Decisive factors include (1) the interests and rights of the data subject, (2) the impact on their person and (3) their legitimate expectations. Here, the Guidelines propose new aspects that are to be taken into consideration.

1.2.1 Measures beyond the obligatory measures

If the interests of the data subject prevail, the controller or third parties should be able to balance these out with mitigating measures. Measures that are obligatory under the GDPR anyway are not taken into account; mitigating measures must go beyond them.

1.2.2 Impact on the data subject

The effects are assessed according to the type of data, the data processing context and the possible consequences of the data processing.

As far as the type of data is concerned, the EDPB does not consider pseudonymisation to be relevant. The decisive factors should be, for example, whether the data is of a private (e.g. financial data) or public nature (e.g. data on professional roles).

The data processing context is determined, among other things, by the relationship between the data subject and the controller, the status of the parties involved and the possibility of combining the data with other datasets. The Guidelines also prioritise children’s interests in general. As regards the consequences of processing, future actions by third parties and the emotional impact of data processing are also factors that are to be taken into consideration.

1.2.3 Expectations of the data subject 

Merely fulfilling the statutory information obligations (Articles 13, 14 GDPR) does not mean that the data subject has to expect a certain processing. Decisive factors include the relationship between the parties as well as the age, level of public exposure and professional position of the data subject.

In order to comply with the principle of accountability, the Guidelines require proper documentation of the process of balancing of interests.

2. What should companies bear in mind?

Overall, the EDPB interprets the legal basis of overriding legitimate interests (Article 6(1)(f) GDPR) rather strictly. However, the Guidelines are still at the draft stage. Companies should wait and see what changes the EDPB might incorporate into the final version of the Guidelines after the public consultation. In all events, companies are advised – as they have to date – to adequately document the process of balancing interests if they base their data processing on this legal basis.

We will keep you up to date on further developments regarding the Guidelines.

Valentino Halim
