IT Law and Data Protection | Newsletter of 15.12.2022
Focus IT&C – 4th Quarter 2022
Find out more about our IT law & data protection practice group - now regularly summarised for you at a glance! On a quarterly basis, we will be presenting you with the most important developments in IT law and data protection. In addition to informing you of the latest draft laws and developments in the field, we advise you on classic IT law, data protection law and new media. Please also feel free to contact us for audits, IT project support and consulting, including cloud computing, e-commerce topics and social media issues.
1. Data protection supervision - record fines imposed on Instagram and Facebook
2. Basic price indication on the internet
3. Regional Court of Cologne: No password request when using the termination button
4. ECJ national data retention regulations infringe Union law - scope for design remains
5. Blocking access to websites
6. Higher Regional Court of Karlsruhe: theoretical access possibility not transfer to third country
7. EU-US Data Privacy Framework: EU Commission presents new draft decision
1. Data protection supervision - record fines imposed on Instagram and Facebook
The Irish Data Protection Commission (Irish DPC) has imposed a record fine of 405 million euros on Meta Group's social network Instagram. The accusation: serious violations of the General Data Protection Regulation, or "GDPR" for short. In addition, a number of remedial measures have been ordered. Meta is taking action against the decision. Its key argument: the decision violates the EU Charter of Fundamental Rights and is therefore invalid.
Meta subsidiary Facebook has also been fined 265 million euros following regulatory investigations into the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools, triggered by a release of the personal data of up to 533 million Facebook users. The focus is on questions of compliance with the data protection principles "Privacy by Design and by Default".
This means that Meta Group companies have received a total of four fines for data privacy violations, totalling €910 million, since September 2021. Back in 2021, the Irish DPC had fined WhatsApp 225 million euros. In March 2022, a further fine of 17 million euros was imposed upon the parent company. WhatsApp brought an action before the ECJ for a declaratory judgement that the decision of the European Data Protection Board ("EDPB") preceding the fine is invalid. The ECJ recently rejected this claim as inadmissible, adding the comment: "However, the validity of the EDPB's decision may be challenged before the national court, which may make a request for a preliminary ruling to the Court of Justice". Parallel legal proceedings initiated by WhatsApp against the Irish DPC's decision are underway in the national court.
Subject of the allegations against Instagram
With the fine, the authority sanctions the fact that Instagram had allowed young people between the ages of 13 and 17 to operate so-called "business accounts" on the platform. As a result, telephone numbers and e-mail addresses of minors were temporarily visible to the public. In addition, accounts of young people were set to "public" by default. Unless teens had switched this default setting to "private" in advance, their social media content was freely viewable by Instagram users. According to Meta, this was an outdated setting that has since been revised. The authority nevertheless addresses violations of Art. 5(1)(a), Art. 5(1)(c), Art. 6(1), Art. 12(1), Art. 24, Art. 25(1), Art. 25(2) and Art. 35(1) GDPR in its decision.
Integration of the EDPB in the Instagram process
The present final fine decision brings a complex procedure to an end. This had been initiated by the Irish DPC in September 2020, partly in response to information provided by US data scientist David Stier. In 2021, as the "lead" authority, it had then drawn up a draft decision based on extensive investigations of Instagram's data processing and shared it with other "concerned" national supervisory authorities within the EU (Art. 60 GDPR). Six authorities had raised objections. These authorities objected, among other things, to the assumption of a legal permission for the data processing operations under Art. 6(1) GDPR. No agreement was reached.
The Irish DPC referred the matter to the European Data Protection Board, or "EDPB", for a dispute resolution procedure (Art. 65 GDPR). The EDPB adopted its binding decision on this matter on 28 July 2022. In this decision, the EDPB comprehensively explains the restrictive conditions under which the legal bases "necessity of the data processing for the performance of a contract with the data subject" (Art. 6 (1) (b) GDPR) and "legitimate interest in data processing" (Art. 6 (1) (f) GDPR) can apply. Based on this decision, the Irish DPC revised its original assessment and based the final decision on a breach of Art. 6 (1) GDPR.
Europe-wide signal: special care required when processing data of minors
Angelika Jelinek, chair of the EDPB, calls the decision "historic" in the EDPB press release, stating: "Not only because of the size of the fine – it is the second highest fine since the General Data Protection Regulation came into force – but also because it is the first EU-wide decision on children's data protection rights. With this binding decision, the EDPB makes it particularly clear that companies that target children must take particular care. Children deserve special protection regarding their personal information."
Against this background, companies that process the personal data of minors or cannot completely exclude this must ensure that they:
- Obtain full transparency within their area of responsibility regarding the processing of personal data of minors.
- Apply the principles of data avoidance and data economy consistently with regard to such data. Refrain from using such data or anonymise it to the extent their business model allows. Otherwise, check options for pseudonymisation.
- Check whether they can base the processing of minors' data on the permission criteria "performance of a contract with the data subject" (Article 6 (1) (b) of the GDPR) or "legitimate interest" (Article 6 (1) (f) of the GDPR) against the standards applied by the EDPB in its binding decision (pages 29 et seq) regarding Instagram.
Dr. Angela Busche
2. Basic price indication on the internet
The German Federal Court of Justice [Bundesgerichtshof, BGH] has ruled that the basic price must be indicated in close proximity to the sales price. The decision is based on a ruling from May 2022 (BGH, ruling dated 19 May 2022 - I ZR 69/21). According to the BGH, this offers consumers optimal possibilities to assess and compare the prices of products and thus make informed decisions.
The case: basic price indication on the internet
In the case at hand, a trader had offered on the internet a hydraulic tappet additive (automotive accessory) with a volume of 300 ml and a ceramic paste weighing 50 g. Its offer did not specify the basic price. An association of online entrepreneurs objected to this presentation of the offer. In the preliminary injunction proceedings, the retailer was ordered to cease and desist from this practice, but was not ordered to place the information in "close proximity" to the total price in the future. The suing association was defeated at first and second instance. The BGH, in contrast, ruled against the internet retailer in accordance with the application.
Legal background
With this practice, the retailer had violated its obligation under the German Price Indication Ordinance [Preisangabenverordnung, PAngV] (Sec. 2 (1) sentence 1 PAngV, old version) to also indicate the price per unit of quantity (i.e., in this case, price per litre or price per 100 g), including sales tax and other price components (the basic price), in close proximity to the total price for goods that it offered to consumers by volume or weight in pre-packaged form. In addition, the court considered this to be an unfair and unlawful commercial practice (Sec. 5a (2) sentence 1, (4) German Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG] and Sec. 3 UWG). This simultaneously gave rise to a claim to injunctive relief (Sec. 8 (1) sentence 1, (3) No. 2 UWG).
New Price Indication Ordinance 2022
The German Price Indication Ordinance is the national implementation of European Directive 98/6/EC, the so-called Basic Price Directive, which has recently been modernised by Directive 2019/2161/EU. The obligation to indicate a basic price now arises from Secs. 4 and 5 PAngV and applies in the new version since 28 May 2022.
The basic price, with some exceptions, must be indicated - in addition to the final price - for the following goods if they are offered by weight, volume, length or area:
- Goods that are pre-packaged,
- Goods in open packages,
- Goods delivered as sales units without wrappings.
Here, the basic price must be displayed in such a way that it is "unambiguous, clearly recognisable and easy to read" for the consumer. Total price and basic price must be perceptible at a glance.
Online traders should therefore refrain from using a separate link that first has to be clicked on to find out the basic price, or even a so-called "mouse-over", where the basic price only becomes visible when the cursor is moved over a certain area. Otherwise, traders risk receiving warnings that incur costs.
Dr. Hanna Schmidt
3. Regional Court of Cologne: No password request when using the termination button
When terminating a contract using the new termination button in online commerce pursuant to Sec. 312k of the German Civil Code [Bürgerliches Gesetzbuch, BGB], the customer may not be required to first enter his customer password. This has now been decided by the Regional Court [Landgericht, LG] of Cologne in a recent decision (29 July 2022 - 33 O 355/22).
The LG Cologne upheld the applicant's complaint that the respondent's website did not offer sufficient options for terminating telecommunications contracts.
A quick reminder: The legislator added the new Sec. 312k BGB with effect from 01 July 2022. This stipulates that an entrepreneur who offers online on a website the conclusion of consumer contracts that establish a continuing obligation, such as subscriptions or mobile and internet contracts, now has to provide a so-called "termination button". Clicking on this button should lead to a confirmation page where the consumer must provide information about the type of termination, the contract to be terminated and, in particular, his identity. Only after this has been entered is the termination itself completed via another button.
The legislator wanted to make it just as easy for consumers to terminate a contract as it is for them to conclude it. In other words: concluded with one click, terminated with one click. Of course, neither is that simple. For this reason, the legislator is trying to strike a balance between a simple termination and data economy on the one hand, and protection against abuse and certainty for the entrepreneur on the other.
The effect this has in the law is that the information to be provided by the consumer for the termination (Sec. 312k (2) BGB) constitutes both a minimum and a maximum requirement for the entrepreneur. The entrepreneur may therefore not demand additional information that may not be readily available to the consumer and thus makes a simple and straightforward termination more difficult. The LG Cologne also cites the relevant explanatory memorandum to the law to this effect: in the court's opinion, the request for the customer's password constitutes a hurdle that is not provided for in the provision and is likely to prevent the customer from terminating the contract, as the password might not be accessible to him. At the very least, it must also be possible for the customer to identify himself for the termination by providing his name and other common identifiers such as home address, e-mail address and the like.
The legislator did indeed have such a narrow interpretation in mind. However, this has fuelled the criticism that the entrepreneur is left entirely alone with its responsibility to protect the customer from abuse. Entering the password is precisely the means by which the customer's identity can be verified. The mere retrieval of data that may also be known to third parties, on the other hand, harbours a high potential for misuse. Although the law requires that the consumer also provides information about the contract to be terminated (i.e., usually the contract number), in practice it is often more time-consuming for the consumer to look up the contract number than to log into his customer account. It also often requires a great deal of effort on the part of companies to modify and adapt their established verification mechanisms accordingly.
In particular, foreign companies whose business model provides for the conclusion of online contracts with consumers should take note of the Regional Court’s decision. They should critically check whether a "termination button" that is geared towards the German market is available and correctly implemented on their websites, for the provision in Sec. 312k BGB is a national peculiarity of German civil law that is not based on a European consumer protection provision.
Inadequate implementation could result in warnings – the consumer protection authorities are already active.
Dr. Hanna Schmidt
4. ECJ national data retention regulations infringe Union law - scope for design remains
By judgement dated 20 September 2022 (docket Nos. C-793/19 and C-794/19), the European Court of Justice (ECJ) ruled that the German regulations on the preventative storage of location and traffic data, known as data retention, are contrary to Union law. The Court of Justice thereby confirms its previous case law (most recently ECJ, judgement of 05 April 2022, case C-140/20), as was to be expected.
At the same time, the ECJ formulates conditions according to which it is possible to deviate from the fundamental ban on retaining data without specific reason. In this way, the ECJ provides the national legislator with decisive recommendations for action to reform the law.
Internet and telecommunications service providers fight back
The background to the current decision is a legal dispute between two internet and telecommunications service providers (SpaceNet & Telekom). They had objected to the Federal Network Agency [Bundesnetzagentur, BNetzA] about the obligation to store traffic and location data under the German Telecommunications Act [Telekommunikationsgesetz, TKG] (Secs. 113b - 113g TKG old version, now Secs. 176 et seq. TKG). This data retention obligation exists generally and indiscriminately according to the national requirements.
The Administrative Court [Verwaltungsgericht, VG] of Cologne had already ruled at first instance in 2018 that such an obligation violates Union law. In the second instance, however, the Federal Administrative Court [Bundesverwaltungsgericht, BVerwG] came to the conclusion that the storage of location and traffic data could be in line with EU law. The Federal Administrative Court then referred the case to the ECJ for a preliminary ruling.
ECJ decision on data retention
The ECJ confirmed that the retention of data without a specific reason and indiscriminately is impermissible. This applies even if data is retained for the purpose of fighting crime and protecting national security.
Under certain conditions, however, the instrument of data retention could be designed in a manner that conforms to EU law. Accordingly, Union law does not preclude regulations on data retention if they
- permit the operators of electronic communications services to be required to retain traffic and location data generally and indiscriminately in order to protect national security if there is a serious threat to national security that can be considered real and current or foreseeable. The requirement may be controlled by a court or independent administrative agency and must be limited to the absolutely necessary time period.
- provide for a targeted retention of traffic and location data to protect national security, fight against serious crime, and prevent serious threats to public security based on objective and non-discriminatory criteria by means of categories of data subjects or a geographic criterion, provided that they are limited to the absolutely necessary time period.
- provide for a general and indiscriminate retention of IP addresses assigned to the source of a connection, provided that this is done for the same purposes and under identical time limits.
- provide for a general and indiscriminate retention of data concerning the identity of users of electronic communications for the purpose of protecting national security, fighting crime and protecting public safety.
- allow providers of electronic communications services to be required, for a specified period of time, to promptly secure the traffic and location data available to them in order to fight serious crime and protect national security (cf. also margin No. 131 of the judgement).
Scope for design remains despite the ECJ ruling
In its decision, the ECJ made it clear that data retention without a specific reason is not permissible. However, it is precisely the exceptions and interpretable legal terms defined by the ECJ that leave the German legislature considerable scope for design. Ultimately, this could lead to more data retention than one might think based on the partial media coverage.
Christian Saßenbach, LL.M.
5. Blocking access to websites
By judgement dated 13 October 2022 (docket No. I ZR 111/21), the Federal Court of Justice [Bundesgerichtshof, BGH] rejected the claim of several scientific publishers against Telekom to have various websites blocked. Before enforcing a network or DNS block against the access provider pursuant to Sec. 7 (4) sentence 1 of the German Telemedia Act [Telemediengesetz, TMG], it is reasonable for parties concerned to take action against the operator of the website or the host provider in interim relief proceedings.
Websites made copyrighted content available
According to the plaintiffs, the websites in question had made available literature in which scientific publishers from the USA, Great Britain and Germany exclusively hold the rights of use. The operators of the websites could not be identified because their whereabouts are unknown and attempts by US courts to enforce judgements against them were unsuccessful. Out-of-court measures and attempts such as warning letters to the Swedish-based host provider requiring it to identify the operators of the website had also failed. As access provider of the two websites, Telekom should therefore block the use of information pursuant to Sec. 7 (4) TMG. Whilst the Munich Regional Court I affirmed such claim to blocking in the first instance, in the second instance the Munich Higher Regional Court held that not all measures that could reasonably be expected of the plaintiffs had been exhausted. This view is now also shared by the BGH, referring in particular to the possibility of interim relief proceedings.
Interim relief before the German courts reasonable
It was reasonable and also proportionate for the plaintiffs to bring interim relief proceedings against the host provider before a German court in order to obtain information.
Blocking as the ultima ratio
When blocking is appropriate and proportionate within the meaning of Sec. 7 (4) TMG must be examined on a case-by-case basis. As a rule, however, before applying for blocking, the holder of the right not only has to take measures to obtain information and settle the dispute out of court, but also seek appropriate means of interim relief. If the operator of the disputed website or the host provider has its registered office in the EU, the interim relief proceedings against the operator of the website or host provider are definitely reasonable before a German court. Blocking pursuant to Sec. 7 (4) TMG is only the ultima ratio.
Practical consequences
Holders of rights therefore fundamentally have to take action against the operators of a website and the host provider if they are based in the EU. For information claims against operators of websites and host providers located outside the EU, court action by way of summary proceedings may not be necessary.
Tobias Kollakowski, LL.M.
6. Higher Regional Court of Karlsruhe: theoretical access possibility not transfer to third country
The Higher Regional Court [Oberlandesgericht, OLG] of Karlsruhe has brought a sigh of relief to companies that have personal data hosted by an external service provider. When assessing whether this constitutes a data transfer to a third country outside the EU, all that matters is whether the external service provider is based in the EU and that the data is stored in the EU. The service provider's group connections to other companies, in contrast, do not play a role. Thus, according to the OLG Karlsruhe, the theoretical possibility of access by the US parent company of the European service provider does not lead to the assumption of a transfer to a third country (judgement of 07 September 2022, docket No. 15 Verg 8/22).
Background and subject matter of the main proceedings
In the Schrems II ruling (docket No. C-311/18), the ECJ declared the US Privacy Shield invalid. This ruling made the permissible transfer of data to the USA more difficult, as it is now necessary to rely on the appropriate safeguards of Art. 46 et seq. GDPR. Without appropriate safeguards (in particular the conclusion of the standard data protection clauses) and without an adequacy decision, a data transfer to a third country is not permitted.
The Baden-Württemberg Public Procurement Tribunal caused a stir at first instance with its decision of 13 July 2022 (docket No. 1 VK 23/22). The Tribunal equated the mere possibility of accessing personal data with a data transfer. The consequence: the hosting of personal data by a European service provider had to comply with the requirements of the GDPR for data transfers to third countries. The reason was the group connection between the European service provider and the US parent company. The Public Procurement Tribunal classified the mere possibility of access by the parent company as a third-country transfer to the USA. According to the Tribunal, the latent risk of data being accessed by governmental or private bodies outside the EU sufficed for the assumption of a data transfer of relevance under data protection law.
This assumption had far-reaching consequences for companies when selecting an external service provider. Companies had to additionally check the service provider's group connections before concluding a contract and take them into account in the data protection assessment.
OLG Karlsruhe revises the decision of the Public Procurement Tribunal
The OLG Karlsruhe overturned this widely criticised decision of the Baden-Württemberg Public Procurement Tribunal in its ruling of 07 September 2022 (docket No. 15 Verg 8/22). A violation of data protection law does not already exist if a European service provider belonging to a US-American group is commissioned to perform the hosting. The (mere) connection to the group does not give rise to any fear that instructions will be given that are contrary to the law or to the agreement, or that the subsidiary will necessarily comply with possible instructions that are contrary to the law.
Relief for companies and outlook for the new adequacy decision
The decision of the OLG Karlsruhe is to be welcomed and comes as a relief for companies.
Nevertheless, in the case of data processing with a connection to countries outside the EU, particular care should be taken to comply with data protection requirements, also and especially in the case of transfers to third countries. Meanwhile, data transfers to the US could be simplified in the future under a new adequacy decision. The EU Commission submitted the draft adequacy decision for data transfers to the US to the European Data Protection Board on 13 December 2022. The Board's next step will be to review and possibly approve the draft. Once the necessary approvals have been given, the EU Commission can issue the adequacy decision.
Patrick Schwarze
7. EU-US Data Privacy Framework: EU Commission presents new draft decision
The EU Commission is committed to promoting secure transatlantic data flows and addressing the concerns expressed by the Court of Justice of the European Union in the "Schrems II" ruling. Against this background, on 13 December 2022, the Commission initiated the procedure for adopting an adequacy decision for the EU-US Data Privacy Framework by submitting its draft decision. This draft ties in with a US executive order signed by US President Biden and the regulations issued on the basis of it. This US act implements a "fundamental agreement" between President von der Leyen and President Biden on a new transatlantic framework for data transfers that was reached in the spring after intense negotiations. The Commission assesses this new US regulatory framework in its draft decision and comes to the conclusion that the USA now ensures an adequate level of protection for personal data from the EU on the basis of sufficient guarantees.
Effect of the adequacy decision in the event of its adoption
Insofar and as soon as the adequacy decision is adopted, European companies may transfer personal data to those companies in the United States that participate in the EU-US Data Privacy Framework without having to introduce additional data protection safeguards.
Essential regulatory content
US companies can participate in the EU-US Data Privacy Framework by committing to a catalogue of data protection requirements.
EU citizens affected by breaches of this Data Privacy Framework shall be afforded various legal remedies.
US intelligence agencies shall be able to access European data only to the extent this is necessary and proportionate to protect national security. An independent and impartial appeals process is also envisaged, including the establishment of a new court to check data protection.
Course of events until the final decision
The draft decision is currently with the European Data Protection Board (EDPB) for its comments. A committee of representatives from the EU member states must then give its approval. The European Parliament still has a right of control. After that, the way is clear for the decision to be finally adopted by the Commission. We expect the final decision within the 1st half of 2023.
Continuous monitoring of the EU-US Data Privacy Framework
The EU Commission, US authorities and the European data protection authorities will monitor the full and effective practical implementation of the relevant elements of the US legal framework (executive order and regulations).
Further details and links to background information can be found in the EU Commission press release of 13 December 2022.
Dr. Angela Busche & Dr. Jürgen Hartung