Asset Deal: Eyes open when buying a company – an update

Karsten Krupna | General Data Protection Regulation

Customer data is one of the most important assets in many asset deals. If it is not transferred correctly, however, it is worthless for the buyer. In addition, this can be expensive for both the selling and the acquiring company.

In accordance with the currently applicable Federal Data Protection Act / Bundesdatenschutzgesetz (BDSG), fines of up to 300,000 euros may be imposed for breaches of data protection regulations. On this basis, the Bavarian State Office for Data Protection (BayLDA) imposed fines of five-digit amounts on the seller and the buyer at the end of July 2015. The General Data Protection Regulation (GDPR), which will come into force on 25 May 2018, does not change the legal relevance of a customer data transfer in the asset deal. However, the fines are increased to up to 20 million euros, and this amount can even be exceeded for companies.

It is therefore not only for buyers that there is still reason enough to deal intensively with the transmission and use of customer data in an asset deal. I have already discussed the legal situation under the BDSG and the Act Against Unfair Competition (UWG) in my article on LTO, which can be downloaded here (only in German language). However, with a view to 25 May 2018, the question arises as to what changes will result from the GDPR. Against this background, the principles of the above-mentioned article are summarized in the following and compared with the future legal situation:

 

BDSG / UWG: In the case of customer data which the buyer wishes to continue using as part of the continuation of the respective contractual relationship, there are no data protection concerns if the customers have consented to the transfer of their contractual relationship.
GDPR / UWG: This principle remains.

BDSG / UWG: The buyer can only use the customer data received for his own advertising e-mails or telephone calls on the basis of a consent originally given by the customers to the seller and in favour of the seller, if the consent can be transferred in favour of the buyer. Whether this is possible requires an examination of the individual case.
GDPR / UWG: This principle remains.

BDSG / UWG: If the seller was entitled to send advertising e-mails in accordance with § 7 para. 3 UWG, the buyer may also invoke the competition law exemption if he essentially continues the business operations under the old company.
GDPR / UWG: This principle remains.

BDSG / UWG: So-called “list data” such as the name, address or year of birth can be transmitted to and used by the buyer for advertising purposes in the context of letter advertising, if

·       the respective advertising measure of the buyer contains a reference to the origin of the data, i.e. the seller, and

·       the seller stores the information on the origin of the data as well as the buyer to whom the data were transmitted for a period of two years and provides the respective customer with information on request.

GDPR / UWG: Personal data can be transmitted to and used by the buyer for the purpose of mail advertising if

·       the respective advertising measure of the buyer contains a reference to the origin of the data, i.e. the seller.

Explanation:

Admissibility is assessed according to Art. 6 para. 1 lit. f GDPR. According to recital 47 GDPR: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

The obligation to inform the user of the origin of the data follows from the general principles according to Art. 5 para. 1 GDPR.

A storage obligation is not provided for in the GDPR and is also not necessary in the case of an asset deal, because the customer may exercise his right of objection in accordance with Art. 21 para. 3 GDPR directly towards the buyer. However, something else applies in cases where the seller remains “responsible” (see Art. 15 para. 1 lit. c GDPR).

BDSG / UWG: Other data (i.e. no “list data”) can be transmitted to the buyer for advertising purposes and used by the buyer for e-mail and telephone advertising, if the respective customers have given their explicit consent in each case.
GDPR / UWG: This principle remains. However, the written form requirement for consent to data transmission is not applicable (see Art. 6 GDPR).

BDSG / UWG: Consent to the receipt of advertising (e.g. registration for a newsletter) which has already been given to the seller can in individual cases justify the admissibility of a data transfer to the buyer and the further dispatch of advertising by the buyer if the buyer essentially continues business operations under the old company.
GDPR / UWG: This principle remains.

 

Additional information:

  1. The previous assessments imply that the buyer is initially permitted to process data and comply with the necessary information obligations (Art. 13 para. 1 lit. c and e GDPR or Art. 14 para. 1 lit. c and e GDPR). These aspects must be examined separately in the context of an asset deal. If the customers have not been informed in advance about the purposes of the advertising processing and/or (at least) the categories of recipients in the context of a company sale, recourse to Art. 6 para. 4 GDPR is necessary. In this case, however, the seller’s obligation to provide prior information in accordance with Art. 13 para. 3 GDPR should be considered.

  2. Since the ePrivacy Regulation was only available in draft form at the time this article was written, it was not taken into account in the assessment. Should the final version of the ePrivacy Regulation result in any changes to the above-mentioned results, these will be pointed out separately at a later date.

Review: European Data Protection Law Review

Bernhard Freund | General Data Protection Regulation, International Data Protection

Data protection law is more than ever undergoing a radical change. The introduction of the EU’s General Data Protection Regulation (GDPR) and the continuous development of new technologies raise countless questions. If you want to stay informed about the latest discussions, trends and judgements, you need high-quality and up-to-date sources. The European Data Protection Law Review (EDPL) aims to meet this need. A review.

The Keylogger Decision of the Federal Labour Court – Exclusion of Evidence Due to Data Protection Violation

Bernd Schmidt | Employee Data Protection

The Federal Labour Court (Bundesarbeitsgericht) had to decide on the effectiveness of the termination of a web developer who used substantial parts of his working time for private activities. The employer had gained this insight by using a keylogger, without any concrete suspicion of a criminal offence or serious breaches of duty by the employee. (Judgment as of 27.07.2017, BAG 2 AZR 681/16).

Small cause, great impact: The missing reference to the alternative dispute resolution procedure

Jens Thurn | IT Law

The statutory law on alternative dispute resolution in customer affairs, “Gesetz über die alternative Streitbeilegung in Verbrauchersachen” (VSBG), was published in the Bundesgesetzblatt on 23 February 2016 and entered into force on 1 April 2016. Since 1 February 2017, some additional mandatory references have been required under §§ 36, 37 VSBG, which are often forgotten in practice. This minor error has a great impact.

It is useful to take a closer look at the implementation of required information in practice so far.

1. What might happen in case of a lack of the required references?

The VSBG does not provide for any legal consequences, which means that, at least, there is no basis for any fine to be imposed by the authorities. However, warning letters based on competition law (Gesetz gegen unlauteren Wettbewerb – UWG) might cause serious harm to companies. In recent months, several court decisions have set the value in dispute at 10k € and even more. Therefore, the following statements give an overview of the VSBG.

2. What are the statutory required references?

The law distinguishes between pre-dispute references (Art. 36 VSBG), i.e. references required prior to any conflict situation between customer and company, and references required in conflict situations.

a) Pre-dispute references

Companies are generally obliged to inform customers in a simple and comprehensible manner whether they are participating in an alternative dispute settlement procedure.

This requirement applies to all companies that conclude contracts with customers and maintain a website and/or have general terms and conditions (GTC) in place. The information needs to be easily accessible and inform the customer clearly and comprehensibly whether the company is participating in an alternative dispute resolution procedure and which specific dispute resolution organisation is responsible in case of dispute.

Exempt from this obligation are only small-scale companies who had employed up to ten (10) employees on 31 December of the preceding year, unless they are otherwise obliged to participate in the dispute resolution procedure. Such an obligation might arise out of a participation in an economic association which requires a compulsory dispute settlement for their members.

b) Obligation in case of dispute

In addition to this general obligation, the law provides specific requirements in case a dispute has already arisen out of a customer contract and cannot be settled.

These requirements must be taken into account by companies regardless of their number of employees. The company needs to inform the customer of its willingness/duty to participate in the alternative dispute resolution procedure and provide specific information on the responsible dispute resolution organisation.

According to the law, companies are obliged to provide the customer with this information once a dispute exists, even if the company refuses to participate in such a procedure. According to the wording of Article 37 VSBG, in this case the company is obliged to designate the customer compensation organisation which would hypothetically be responsible for conducting the dispute resolution procedure, even if the information is completely useless to the customer.

3. Practice Note

To implement the aforesaid requirements, the following formulations could be used:

a) Precautionary information obligation

“We are not participating in a dispute resolution procedure.”

b) Information obligation in case of dispute

In case of a failed settlement, the following information should be sent by e-mail – an oral note is not sufficient:

“In case of any disputes, the Dispute Settlement Office, Center for European Customer Protection, Bahnhofsplatz 3, 77694 Kehl, phone: 07851/991480, E-Mail: mail@online-schlichter.de, www.online-schlichter.de. We do not, however, participate in the dispute settlement process.”

A list of officially recognized dispute settlement organisations can be found here.

4. Where does the information need to be published?

a) Precautionary information obligation

In addition to the link to the so-called ODR platform, which is usually found in the imprint of each website, the reference to the dispute resolution organisation is to be included in the terms and conditions published on the website.

If no general terms and conditions are published, for example because a contract cannot/should not be concluded directly via the website, another suitable place is to be found. The imprint could be a good place, next to the ODR platform’s link.

b) Information obligation in case of dispute

If complaint management is established, the reference should be included as standard in the e-mail signature.

5. Conclusion

It depends on the individual case whether a neutral arbitration body can prevent a court dispute and serve customer satisfaction. In our opinion, a professional complaint office is likely to achieve similar goals more efficiently and perhaps even contribute to long-term customer loyalty. Regardless of whether they participate, companies should implement the above-mentioned information in order to avoid any warnings based on competition law.

Is video streaming illegal by now?

Claudia Bischof | IT Law, Telemedia

The European Court of Justice (ECJ) (decision of 26 April 2017, ref: C-527/15) needed to decide whether the distribution of a multimedia player enabling free access to audiovisual works protected by copyright without the consent of the right holders might be illegal.

The defendant sold various models of a multimedia player on a number of internet sites. That player is a device which acts as a medium between, on the one hand, a source of visual and/or sound data and, on the other hand, a television screen. On that player, the defendant installed open source software, which makes it possible to play files through a user-friendly interface via structured menus, and integrated into it, without alteration, add-ons available on the internet, created by third parties, some of which specifically link to websites on which protected works are made available to internet users without the consent of the copyright holders. Those add-ons contain links which, when they are activated by the remote control of the multimedia player, connect to streaming websites operated by third parties, some of which give access to digital content with the authorization of the copyright holders, whilst others give access to such content without their consent. In particular, the add-ons’ function is to retrieve the desired content from streaming websites and make it start playing, with a simple click, on the multimedia player. The defendant advertised the multimedia player, stating that it made it possible, in particular, to watch on a television screen, freely and easily, audiovisual material available on the internet without the consent of the copyright holders.

Initially, the Dutch foundation gave the defendant a last warning. On the basis of unresolved legal questions, the competent local District Court suspended the proceedings and submitted questions to the ECJ for a preliminary ruling. With regard to these questions, the ECJ decided that the sale of the disputed player is a “public broadcasting” within the meaning of Article 3 sec. 1 of Directive 2001/29/EC and that such devices are not excluded from the author’s exclusive reproduction right. The distribution of such a player leads to a copyright infringement.

I. Legal Status

Watching streamed online video is held to be non-infringing, since the user does not store any copy on his device. That means the user does not reproduce the video in the legal sense of sec. 44a of the German Copyright Act (UrhG).

Against this backdrop, up to the decision of the ECJ the distribution of devices which play copyright-infringing online streams was regarded as lawful. The ECJ ruling changes this.

II. Public Performing Rights and Reproduction Rights

The ECJ dealt with the question of whether the player is “merely a physical provision device”, which in itself does not constitute a copyright infringement by “communication to the public”, or whether it might itself be a “public reproduction”.

According to the ECJ ruling, it is already a public reproduction itself.

The ECJ referred to its case law, which interprets the concept of “communication to the public” broadly in order to establish a high level of protection of authors’ rights. Accordingly, two cumulative criteria need to be fulfilled, namely an ‘act of communication’ of a work and the communication of that work to a ‘public’.

Amongst those criteria, the Court has emphasised, above all, the essential role played by the defendant. The defendant makes an act of communication when he intervenes, in full knowledge of the consequences of his action, to give access to a protected work to his customers and does so, in particular, where, in the absence of that intervention, his customers would not, in principle, be able to enjoy the broadcast work.

Next, the ECJ has specified that the concept of the ‘public’ refers to an indeterminate number of potential viewers and implies, moreover, a fairly large number of people who potentially might buy the multimedia player.

The ECJ also dealt with the question of whether temporary reproductions for video streaming might be covered by the reproduction right of the copyright owner according to Article 2 of Directive 2001/29.

Under Article 5 (1) of Directive 2001/29, an act of reproduction may be exempted from the reproduction right provided for in Article 2 thereof only if it satisfies five conditions, that is, where

  1. the act is temporary;
  2. it is transient or incidental;
  3. it is an integral and essential part of a technological process;
  4. the sole purpose of that process is to enable a transmission in a network between third parties by an intermediary or a lawful use of a work or protected subject matter; and
  5. that act does not have any independent economic significance.

 

Furthermore, under Article 5 (5) of Directive 2001/29, the exemption applies only where the “normal” exploitation of the work or other protected subject matter is not affected and the legitimate interests of the right holder are not unduly infringed.

The court held that at least condition 4 is not fulfilled by the multimedia player in dispute, since no lawful use would be possible.

Furthermore, Article 5 (5) of Directive 2001/29 is also affected: the exception to the exclusive reproduction right is unlikely to apply to the media player, since it infringes the normal exploitation of the works by the authors and unduly violates the legitimate interests of the rightsholders.

III. Transfer to other issues

The ECJ ruling raised concerns that it could be applied to any other device capable of playing illegal content, such as a PC.

However, this concern could be seen to be unjustified.

The ECJ itself held that the main incentive for using the media player with its pre-installed add-ons is to get access to an unauthorized offer of copyright-protected works.

The players were actively advertised as granting that access to copyrighted content and were actually able to provide it. The ECJ also took into account that the defendant acted with the intention of making a profit by violating copyrights.

In contrast to an ordinary computer, which also grants access to illegal content, the special feature of the multimedia player lies in its application and its range of functions for receiving and displaying copyright-infringing content. The main difference from devices providing an ordinary browser, which allows access to unlawful content, is that the multimedia player was delivered with a browser which is explicitly pre-set to make illegal content available without further hurdles, so that the copyright infringements are caused by the pre-configuration.

The ruling also points out that only multimedia players such as those at issue are addressed by the judgment.

IV. Conclusion

In contrast to the public debate, the ECJ has not declared the streaming of content to be against the law; it says that the distribution of multimedia players which, in line with their prior advertising, grant easy access to unlawful content needs to be prohibited. Nothing in the judgment can be relied on to justify mass warning letters to users.

Dismissal based on serendipitous disclosure by covert video surveillance

Claudia Bischof | Employee Data Protection

In a recent decision of 22 September 2016 (2 AZR 848/15), the Federal Labour Court (BAG) dealt with a dismissal based on the serendipitous disclosure of facts by covert video surveillance. Therefore, the legal changes resulting from operating covert video surveillance are summarized below.

I. The facts

The applicant had been working for approximately 15 years as a deputy branch manager with the defendant, a company engaged in food retailing. The applicant was mainly employed as a cashier.

An annual stocktaking at the end of 2013 disclosed an inventory loss approximately ten times that of the previous year for the product groups tobacco/cigarettes and non-foods. According to the defendant, this loss could only be attributed to the employed staff. Since the subsequent audit measures, including checks of employees’ bags, did not explain the situation, the employer introduced covert video surveillance of the cash desk with the approval of the works council.

A video sequence resulting from the video surveillance showed the applicant passing a “sample bottle” over the scanner, carrying out an empties registration and taking money from the cash desk. The cash receipt generated by her showed an amount of € 3.25.

The disclosure of this process was a so-called “serendipitous disclosure”, since the deputy branch manager was not suspected of being responsible for the inventory loss.

The defendant dismissed the deputy branch manager without prior notice and with immediate effect, and she started court proceedings against the company based on this dismissal. The labour court of first instance allowed the action (ArbG Duisburg, judgment of 4.9.2014 – 1 Ca 272/14). The state labour court of the second instance (LAG), however, dismissed the action (LAG Düsseldorf, judgment of 7.12.2015 – 7 Sa 1078/14) and the Federal Labour Court (BAG) confirmed the decision of the state labour court.

II. Data protection aspects of the judgment

From the data protection point of view, the judgment is worth noting. It deals with the controversial legal issue of whether serendipitous disclosures can be valid evidence when discovered in the context of covert video surveillance used to uncover major offenses in the employment relationship.

In addition, the judgment clarifies whether sec. 32 para. 1 sentence 2 of the Federal Data Protection Act (BDSG) has a restrictive effect and prohibits the use of covert video surveillance to investigate serious but not criminal offenses.

The judges held that the employer’s approach is covered by § 32 para. 1 sentence 2 BDSG.

Since the principles laid down by the BAG in 2003 (BAG, judgment of 27.3.2003 – 2 AZR 51/02), covert video surveillance at workplaces breaches employees’ personal right to their own likeness unless:

  • it is installed to verify the concrete suspicion of a criminal offense or other serious misconduct at the expense of the employer,
  • all less drastic measures for clarifying the suspicion have been exhausted, which means the covert video surveillance is the only remaining measure, and
  • it is not disproportionate.

The suspicion must be directed at a circle of employees that is at least locally and functionally distinguishable.

However, at the time of the aforementioned decision of the BAG in 2003, § 32 BDSG was not yet in force. Sec. 32 para. 1 sentence 2 BDSG was introduced in 2009 and expressly states:

Personal data of employees may only be collected, processed or used if actual documented evidence leads to the reasonable suspicion that the employee has committed a criminal offense related to the employment relationship. The collection, processing or use of the personal data needs to be necessary to solve the offence, and the employee’s interest in the exclusion of the collection, processing or use, in particular, must not prevail.

In a ruling from 2013, the BAG expressly left open whether covert video surveillance could be justified in compliance with sec. 32 paragraph 1 sentence 2 BDSG if there is a suspicion of a serious violation of duty that is not at the same time a criminal offence (BAG, judgment of 21.11.2013 – 2 AZR 797/11).

The BAG, however, stated in the current decision that sec. 32 BDSG bundles the principles developed by the jurisprudence, but is not intended to alter them. If the wording of the second sentence in sec. 32 paragraph 1 BDSG differs from this intention, it is “accidentally” unclear. Sec. 32 paragraph 1 sentence 2 BDSG is based on the principles required by the mentioned ruling of 2003. Accordingly, the wording of sec. 32 paragraph 1 of the Federal Data Protection Act does not prohibit investigations based on serious breaches of duties resulting from the employment relationship:

The circle of suspects must be limited as far as possible. However, sec. 32 paragraph 1 sentence 2 BDSG cannot be understood to mean that surveillance measures may cover only persons who are suspected of seriously breaching their duties as employees.

III. Conclusion

The admissibility of a data protection measure depends on its proportionality.

All visible inspection measures must be exhausted before covert surveillance measures can be installed. According to the ruling, the employer was legally entitled to install the covert video surveillance, since the employer had previously used all available measures to determine the cause of the inventory loss without success. Installing the covert video surveillance system was an “ultima ratio” solution. As a result, the employer was entitled to use the video recording as proof of the serious breach of duty and to base its termination without notice on it according to sec. 626 BGB (German Civil Code).

Lacking IT compliance: When the data “oil boom” could come to an end

Karsten Krupna | Data Security, General Data Protection Regulation

Digital data processing is an important driver for sustainable company development and therefore, as is regularly to be read, the new (motor) oil. For this, the linkage of and cross-platform access to all data types play a central role. Here, fintechs focus on, e.g., bank data, and developers of health apps or wearables on health data. If the corresponding data protection requirements are taken into account, such a business model can be economically very lucrative.

However, problems occur if the “oil pipeline” has a “leak” or – in other words – the data is accessed by unauthorized third parties. The reasons for data loss are manifold. Apart from data theft by employees, cyber-attacks pose an increasing threat. In the event of data loss, not only the company’s reputation is at stake. A loss of data may trigger reporting obligations, which, in case of non-fulfillment, can lead to high fines.

I. Fines for breach of data protection reporting obligations

According to the currently applicable German Federal Data Protection Act (BDSG), violations of notification obligations can be penalised with fines of up to € 300,000.00 per case.

The EU’s General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018, stipulates fines of up to € 10 million or 2% of the annual turnover achieved in the previous year in the case of a breach of duty. Companies should urgently establish internal procedures in order to ensure compliance with reporting obligations, if they have not already done so. Otherwise the “oil boom” is quickly over. The basic conditions for the reporting obligations in accordance with the BDSG and the significant changes made by the GDPR in this respect are described below. The article concludes with recommendations for dealing with data protection violations.

II. What applies according to the BDSG?

According to Sec. 42a BDSG, a company must inform the responsible supervisory authority and the data subject if it finds that sensitive data stored by the company was unlawfully accessed by a third party and that this has serious adverse effects on the rights and interests of the data subject. According to Sec. 42a para. 1 BDSG, the following types of data are considered to be particularly vulnerable:

  1. special categories of personal data,
  2. personal data subject to professional secrecy,
  3. personal data related to criminal offences or administrative offences or the suspicion of punishable actions or administrative offences, or
  4. personal data concerning bank or credit card accounts.

If none of the aforementioned data types are affected, the verification of the further requirements of § 42a BDSG (German Federal Data Protection Act) and therefore the notification obligation (at least) according to the BDSG is no longer necessary.

However, the affected companies still are supposed to fulfil other reporting obligations which may arise e.g. from the IT Safety Act or from the contract with the parties concerned (e.g. customer).

If, however, e.g. bank data are affected and the additional requirements of the notification obligation in accordance with Sec. 42a BDSG apply, the regulatory authority and the concerned parties must be informed “immediately”. In analogous application of Sec. 121 para. 1 sentence 1 of the German Civil Code (BGB), this means acting “without any undue delay”.

III. What will change with the GDPR?

The General Data Protection Regulation follows the basic structure of Sec. 42a BDSG in the provisions of articles 33, 34 GDPR. However, it expands the scope of application and individual obligations.

1. Reporting to the supervisory authority

Article 33 GDPR standardises the reporting requirements to the supervisory authority “in the case of a personal data breach of security”. “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (see article 4 number 12 GDPR) is sufficient for such an event. Therefore, in addition to, e.g., cyberattacks, even data losses due to system crashes can trigger reporting obligations.

In addition, the reporting obligation under the GDPR is no longer restricted to certain data types.

Rather, the supervisory authority must always be notified, except if the data breach is not likely to “result in a risk for the rights and freedoms of individuals”.

The criteria for the above-mentioned risk assessment remain open, and the assessment is up to the responsible company.

However, since the reporting obligation is linked to a breach of security, which must already be ensured by the company in accordance with article 32 GDPR taking into account the risks to the affected parties, the policy starts from the principle that the risk assessment according to article 33 GDPR will follow the previous assessment according to article 32 para. 1 and para. 2 GDPR.

In the case of a reporting obligation, the regulatory authority must be notified immediately, but in any case within 72 hours after the notification of the data breach, except in exceptional cases.

2. Notification of the affected parties

The aforementioned expansion of the reporting obligation also applies to the notification of the concerned parties (article 4 no. 12 GDPR). However, according to article 34 GDPR, the concerned parties must only be notified if the data breach is likely to “result in a risk” for their rights and freedoms. Therefore, the threshold for the notification obligation towards the concerned parties is higher than for the reporting obligation towards the regulatory authority. Here too, the risk assessment is incumbent upon the respective company. However, according to article 70 para. 1 letter h GDPR, the Data Protection European Parliament Committee should at least provide guidelines and recommendations. If there is a possibility of a high risk, the concerned parties need to be notified immediately, provided that none of the exceptions of article 34 para. 3 GDPR applies.

The notification obligation is not applicable e.g. if an encryption can virtually eliminate the unauthorised access to personal data.

3. Recommendations for action

Companies that have hitherto ignored or insufficiently addressed reporting obligations in the case of a data breach in their IT compliance should establish emergency management. Emergency management should initially assess the existing concept, adapt it as necessary and then regularly re-examine it in accordance with the GDPR. The policy should already start with preventive measures and then develop a list of measures for the case of data breaches.

For example, the following should be considered preventively:

  • testing the data processes as well as the technical and organisational measures for legal conformity,
  • identifying and minimising particularly risky situations, taking into account the sensitivity of the data,
  • ensuring internal notification of relevant events (chain of information),
  • adjusting IT policies and training all employees on them,
  • testing the necessity and the extent of the insurance coverage,
  • continuous evaluation of all informal or publicly known cases of damage as a “learning organization”,
  • establishing a crisis unit for the case of data loss and its reporting.

In the case of data loss, the crisis unit has to work out an extensive scenario in addition to IT technical measures:

  • compliance with legal and contractual information requirements (for example, towards the parties concerned, the regulatory authority or the BSI),
  • examination and defense of claims for damages of affected persons,
  • examination and enforcement of claims for damages against a contractor for breach of contract,
  • filing a criminal complaint,
  • examination and enforcement of claims for damages against the perpetrator,
  • assertion of the insurance claim,
  • coordination of public relations.

Liability for Operating Public Wi-Fi Hotspots

Bernd Schmidt General Data Protection Regulation, Telemedia

After long discussions, the German legislator has finally implemented a rule excluding liability for providers of public Wi-Fi Hotspots. However, relevant legal risks remain for operating public Wi-Fi Hotspots. Key aspects of this recent amendment of the German Telemedia Act (TMG) are summarised below.

1.   Liability Limitation for Access-Providers

Sections 7 and 8 TMG contain a liability limitation for so-called access-providers. As they do not provide online content, but only access, they shall in principle be free from any claim on the basis of e.g. copyright infringements by providing such content. Where access-providers are made aware of such infringing content, they may eventually be obliged to block access (notice and take down), while there is no obligation to actively monitor for infringements.

For providers of public Wi-Fi Hotspots, there is a long-standing debate as to whether or not they are access-providers within the meaning of Telemedia law. This debate becomes particularly relevant in the context of enforcing claims for cease and desist in online copyright infringement cases (e.g. file sharing). In such cases, typically there is no active infringement by the Wi-Fi Hotspot provider or at least no respective proof. Accordingly, there is a debate as to whether or not the Wi-Fi Hotspot provider is liable under the interferer’s liability principle (Prinzip der Störerhaftung).

Under the interferer’s liability principle, Wi-Fi Hotspot providers are subject to cease and desist claims where they have intentionally created a cause for the infringement (of copyright), e.g. by providing internet access via a public Wi-Fi Hotspot. In 2010, the German Federal Court (BGH) applied these principles to Wi-Fi Hotspot providers in the landmark case “Summer of our Life (Sommer unseres Lebens)”. Following the BGH ruling, the interferer’s liability principle applies where the Wi-Fi Hotspot provider fails to (i) implement state of the art security mechanisms for the Wi-Fi Hotspot and to (ii) carry out regular compliance checks.

This far-reaching application of the interferer’s liability principle led to relevant legal risks for operating public Wi-Fi Hotspots and, as a consequence, public Wi-Fi coverage in Germany is significantly lower than in other European countries.

2.    Application of the Access-Provider Liability Privilege to public Wi-Fi Hotspot Providers

The second TMG Amendment Act (2. TMG-Änderungsgesetz) as of June 2016 implements supposedly clear guidance in Section 8 (3) TMG, stating the access-provider’s liability privilege applies to Wi-Fi Hotspot providers.

“Para 1 and 2 [containing the access-provider’s liability privilege] apply for providers in the meaning of para 1 providing internet access via local non-wired networks”

The respective legislative initiative’s goal was, inter alia, to reduce legal risks for public Wi-Fi Hotspot operators in order to create incentives for more public Wi-Fi Hotspots. If at all, this goal was achieved to a very limited extent only. In particular, the TMG amendment may not be considered as providing relevant protection against claims for cease and desist. This in particular holds true for the following reasons.

German courts are of the opinion that the access-provider’s liability limitation provides protection against damage claims, but no protection against claims for cease and desist. It appears rather unlikely this approach will change under the current amendment of the TMG.

In the legislative process, there was a proposal to include a para 4 to Section 8 TMG explicitly stating there is no rights holder’s claim for cease and desist against public Wi-Fi Hotspot providers where and to the extent they have implemented state of the art security measures preventing misuse of their Wi-Fi Hotspots. This provision has, however, not survived legislative debate.

Further, there are arguments from the perspective of European law against effective protection of public Wi-Fi Hotspot providers from cease and desist claims. Under Art. 12 (3) and Art. 14 (3) Directive 2000/31/EC (E-Commerce-Directive), there must be court measures provided by Member States’ law against intermediaries (such as access-providers) whose services are used for (copyright) infringements. This aspect is also picked up in the recent European Court of Justice (ECJ) decision (C-484/14), inter alia stating explicitly that public Wi-Fi Hotspot providers are not protected against cease and desist claims to prevent (copy)right infringements committed via their Wi-Fi Hotspot.

In such a case, public Wi-Fi Hotspot providers must bear the costs of cease and desist claims and the respective court actions. However, there is also light in the ECJ ruling. Where the Wi-Fi Hotspot provider has taken state of the art security measures to prevent the infringing action, the addressed court must, for the decision on costs for legislative proceedings, carry out a balancing-of-interests test taking into account the right holder’s freedom to carry out his business and the public interest to access information via public networks. In this context, the ECJ is of the opinion that public Wi-Fi Hotspot providers comply with their duty of care when implementing security measures preventing infringing actions by requiring information to identify users of their public Wi-Fi Hotspot where need be.

3.    Conclusion

Extending the access-provider’s liability privilege to providers of public Wi-Fi Hotspots fails to significantly decrease their legal risks, because the respective liability limitation does not apply to cease and desist claims and subsequent court rulings. Before setting up public Wi-Fi Hotspots, it is recommended to carefully assess legal risks and to decide on state of the art measures to prevent infringing actions carried out via the public Wi-Fi Hotspot.

District court Hamburg: Linking as a breach of the legal provisions

Claudia Bischof IT Law

By its decision of 18 November 2016 (310 0 402/16), the district court Hamburg ruled in preliminary injunction proceedings that profit-making website operators might infringe the author’s statutory right by making the original available to the public as referred to in Section 19a Copyright Act (UrhG). In the opinion of the judges, the decision actually leads to an obligation for website operators to review whether they link to copyright-infringing websites.

The decision is largely based on the “Sanoma decision” of the ECJ published in September of this year (C-160/15) on the issue of linking. The decision has been criticized, and not only by lawyers. However, if this reading of the ECJ decision prevails, it would increase the risk of warnings and generally increase legal uncertainty when linking to third-party content.

The decision was based on the following facts:

The complaining photographer had taken a photo and released it under a Creative Commons license. According to the license stipulations, any changes to the photo required an explicit note. The photographer discovered on the applicant’s website an article which was published using his photos. The photo in issue had been redesigned by the website author. There was neither a consent to use, nor a reference to the alteration of the photo. After the defendant had not signed the cease and desist declaration with penalty clause, the claimant initiated preliminary injunction proceedings.

1. Link as a public reproduction

The district court Hamburg essentially decided that the alteration of the photo without any consent and contrary to the license stipulations violates sec. 23 sentence 1 of the Copyright Act (UrhG). The website which published the article and the altered photo is a “public accessibility” (sec. 19a UrhG) of the claimant’s altered photo within the meaning of sec. 23 sentence 1 UrhG. Referring to the recent ECJ ruling, the district court decided with regard to the claimant’s linked photo:

“The defendant’s linking to the altered photo is a public communication in the sense of the cited ECJ case-law.”

In the light of the ECJ’s case-law, the district court affirmed the objective and subjective legal prerequisite of “public communication by linking”.

According to the ECJ case-law, the issue is whether the photo is made available to a new group of people, of which the copyright owner had not thought when he allowed the original public communication. The Hamburg judges concluded that the public communication in the specific case depended on whether the claimant had given his consent to a freely accessible altered photo, which was denied, since neither did the author’s consent exist, nor was the alteration covered by the license.

The prerequisites of the subjective elements for the attribution of the law infringement will play an essential role in practice. Here, the district court referred in large passages to the ECJ ruling.

2. Review: ECJ ruling of 8 September 2016 (C-160/15)

The European Court of Justice decided whether a Dutch online magazine had placed links to illegally copied photos of a Dutch television star, which allowed the readers to have a look at copyright-infringing photos when reading the online magazine article. After the infringing content was deleted at the claimant’s request, the online magazine placed further links to another source. The online magazine knew about the illegality of the linked content, as the copyright owner had referred to the illegality regarding the link.

The ECJ judges came to the conclusion that the commercial magazine, despite the knowledge of the legal infringement, once again linked to copyright-infringing content. Against this background they decided:

“[No 49] In contrast, where it is established that such a person knew or ought to have known that the hyperlink he posted provides access to a work illegally placed on the internet, for example owing to the fact that he was notified thereof by the copyright holders, it is necessary to consider that the provision of that link constitutes a ‘communication to the public’ within the meaning of Article 3(1) of Directive 2001/29.”

The wording “knew or ought to have known” establishes negligence as the standard under which the infringement is attributable to the infringer. The ECJ, however, did not leave it at liability for intent or negligence: in the case of a person with a profit-making perspective, the ECJ assumed a refutable presumption concerning the need to know, and therefore negligent ignorance:

“[No 51] Furthermore, when the posting of hyperlinks is carried out for profit, it can be expected that the person who posted such a link carries out the necessary checks to ensure that the work concerned is not illegally published on the website to which those hyperlinks lead, so that it must be presumed that that posting has occurred with the full knowledge of the protected nature of that work and the possible lack of consent to publication on the internet by the copyright holder. In such circumstances, and in so far as that rebuttable presumption is not rebutted, the act of posting a hyperlink to a work which was illegally placed on the internet constitutes a ‘communication to the public’ within the meaning of Article 3(1) of Directive 2001/29.”

In the decision of the district court Hamburg the judges continue on this scale of fault:

“Therefore, the ECJ only accepts an infringement of the right to a public communication if the link is culpably done in the sense that the responsible person had “known or should have known” the illegality of the linked accessibility (No 49). The latter also being intended to cover cases of negligence. According to the ECJ ruling, the scale of the offense depends on the responsible person. No 51 clarifies that a higher scale of fault applies to a person who acts with a profit-making intent: that person is expected to ascertain whether the linked content has been made lawfully. The refutable presumption of knowledge of the missing permission applies”.

The defendant stated that he had acted in the knowledge of the ECJ decision, but did not start any investigation into the photo’s copyright history because he found the ruling to be contrary to fundamental principles and incompatible with the EU Charter of Fundamental Rights. From this, the court held that the defendant had at least approvingly accepted the illegality of the content and thus acted intentionally. Even without a conditional intention, liability would be conceivable in that case: since the defendant sold teaching material on his website and thus ran his website with profit-making intent, the refutable presumption applies. Hence, he ought to have known of the copyright infringement on the linked website.

3. High warning fees are expected

In fact, the copyright test is likely to be difficult for small businesses and firms without their own legal department. In order not to fall into the warning trap, linking to content of others should be avoided in every case of doubt.

The court justified the amount in dispute at EUR 6,000.00. Although the infringement is only a link, it is judged from the legal point of view as an independent communication of the photo. Therefore, the court deemed the amount in dispute to be (still) appropriate.

If the economic importance is calculated roughly, a total of 960 EUR net lawyer costs (own and opposing attorneys’ fees) will result for the court proceeding, which would need to be paid by the losing party in case no court appointment is necessary. When the parties meet at the judges’ bench, an additional EUR 848 will be charged. There are also costs of 248 EUR for the court. To sum up, this is EUR 2,000. If the matter is not terminated in injunctive proceedings, the costs are doubled.

4. Conclusion

The decision of the district court Hamburg provides a taste of the issues arising from the ECJ jurisprudence for the internet economy. Due to the uncertain legal situation, commercial website operators are advised to check, before linking to content of third parties, whether there are obvious copyright infringements on the respective website and, in case of doubt, to avoid any links. Whether the arguments of the district court will be successful in the future remains open for now. In the course of the decision, the district court Hamburg at least gave the impression that the consequences of the jurisprudence brought up by the ECJ were not entirely certain:
At the request of the famous Heise publishing house to confirm that all copyrighted contents on the court’s website “do not violate the provisions of the copyright or related laws”, the court answered three days later evasively that “contents that is available on the district court’s website is lawful, but there is no need for a legally binding declaration.”

The answer is understandable, since no one would be responsible for third-party content.