Small cause, great impact: The missing reference to the alternative dispute resolution procedure

Jens Thurn IT Law

The statutory law for the alternative dispute resolution in customer affairs “Gesetz über die alternative Streitbeilegung in Verbrauchersachen” (VSBG) was published in the Bundesgesetzblatt on 23 February 2016 and entered into force on 1 April 2016. Since 1 February 2017, some additional mandatory references have been required under §§ 36, 37 VSBG, which are often forgotten in practice. This minor error has a great impact.

It is useful to take a closer look at the implementation of required information in practice so far.

1. What might happen in case of a lack of the required references?

The VSBG does not provide for any legal consequences, which means that, at least, there is no basis for the authorities to impose a fine. However, warning letters based on competition law (Gesetz gegen unlauteren Wettbewerb – UWG) might cause serious harm to companies. In recent months, several court decisions have set the value in dispute at 10k € and even more. The following statements are therefore intended to give an overview of the VSBG.

2. What are the statutory required references?

The law distinguishes between pre-dispute references (Art. 36 VSBG), meaning references required before any conflict arises between customer and company, and references required in conflict situations.

a) Pre-dispute references

Companies are generally obliged to inform customers in a simple and comprehensible manner whether they are participating in an alternative dispute settlement procedure.

This requirement applies to all companies that conclude contracts with customers and maintain a website and/or have general terms and conditions (GTC) in place. The information needs to be easily accessible and must inform the customer clearly and comprehensibly whether the company is participating in an alternative dispute resolution procedure and which specific dispute resolution organisation is responsible in case of dispute.

Exempt from this obligation are only small-scale companies who had employed up to ten (10) employees on 31 December of the preceding year, unless they are otherwise obliged to participate in the dispute resolution procedure. Such an obligation might arise out of a participation in an economic association which requires a compulsory dispute settlement for their members.

b) Obligation in case of dispute

In addition to this general obligation, the law provides specific requirements in case a dispute has already arisen out of a customer contract and cannot be settled.

These requirements must be taken into account by companies regardless of their number of employees. The company needs to inform the customer of its willingness/duty to participate in the alternative dispute resolution procedure and provide specific information on the responsible dispute resolution organisation.

According to the law, companies are obliged to provide this customer information once a dispute exists, even if the company refuses to participate in such a procedure. According to the wording of Article 37 VSBG, in this case the company is obliged to designate the customer compensation organisation which would hypothetically be responsible for conducting the dispute resolution procedure, even if the information is completely useless to the customer.

3. Practice Note

To implement the aforesaid requirements, the following formulations could be used:

a) Precautionary information obligation

“We are not participating in a dispute resolution procedure.”

b) Information obligation in case of dispute

In case of a failed settlement, the following information should be sent by e-mail – an oral note is not sufficient:

“In case of any disputes, the Dispute Settlement Office, Center for European Customer Protection, Bahnhofsplatz 3, 77694 Kehl, phone: 07851/991480, E-Mail:, We do not, however, participate in the dispute settlement process.”

A list of officially recognized dispute settlement organisations can be found here.

4. Where does the information need to be published?

a) Precautionary information obligation

In addition to the link to the so-called ODR platform, which is usually found in the imprint of each website, the reference to the dispute resolution organisation is to be included in the terms and conditions published on the website.

If no general terms and conditions are published, for example because a conclusion of a contract cannot/should not be made directly via website, another suitable place is to be found. The imprint could be a good place, next to the ODR platform’s link.

b) Information obligation in case of dispute

If a complaint management system is established, the reference should be included as standard in the e-mail signature.

5. Conclusion

Whether a neutral arbitration body can prevent a court dispute and serve customer satisfaction depends on the individual case. In our opinion, a professional complaint office is likely to achieve similar goals more efficiently and perhaps even contribute to long-term customer loyalty. Regardless of participation, companies should implement the above-mentioned information in order to avoid any warnings based on competition law.

Is video streaming illegal by now?

Claudia Bischof IT Law, Telemedia

The European Court of Justice (ECJ) (decision of 26 April 2017, ref: C-527/15) needed to decide whether the distribution of a multimedia player enabling free access to audiovisual works protected by copyright without the consent of the right holders might be illegal.

The defendant sold various models of a multimedia player on a number of internet sites. That player is a device which acts as a medium between, on the one hand, a source of visual and/or sound data and, on the other hand, a television screen. On that player, the defendant installed open source software, which makes it possible to play files through a user-friendly interface via structured menus, and integrated into it, without alteration, add-ons available on the internet, created by third parties, some of which specifically link to websites on which protected works are made available to internet users without the consent of the copyright holders. Those add-ons contain links which, when they are activated by the remote control of the multimedia player, connect to streaming websites operated by third parties, some of which give access to digital content with the authorization of the copyright holders, whilst others give access to such content without their consent. In particular, the add-ons’ function is to retrieve the desired content from streaming websites and make it start playing, with a simple click, on the multimedia player. The defendant advertised the multimedia player, stating that it made it possible, in particular, to watch on a television screen, freely and easily, audiovisual material available on the internet without the consent of the copyright holders.

Initially, the Dutch foundation gave the defendant a last warning. On the basis of unresolved legal questions, the competent local District Court suspended the proceedings and submitted questions to the ECJ for a preliminary ruling. In response to these questions, the ECJ decided that the sale of the disputed player is a “public broadcasting” within the meaning of Article 3 sec. 1 of Directive 2001/29/EC and that such devices are not excluded from the author’s exclusive reproduction right. The distribution of such a player leads to a copyright infringement.

I. Legal Status

Watching streamed online video is held to be non-infringing, since the user does not store any copy on his device. That means the user does not reproduce the video in the legal sense of sec. 44a of the German Copyright Act (UrhG).

Against this backdrop, up to the decision of the ECJ the distribution of devices which play copyright-infringing online streams was regarded as lawful. The ECJ ruling changes this.

II. Public Performing Rights and Reproduction Rights

The ECJ dealt with the question of whether the player is “merely a physical provision device”, which in itself does not constitute a copyright-infringing “communication to the public”, or whether it might itself be a “public reproduction”.

According to the ECJ ruling, it is already a public reproduction itself.

The ECJ referred to its case law, which interprets the concept of “communication to the public” broadly in order to establish a high level of protection for authors’ rights. Accordingly, two cumulative criteria, namely an ‘act of communication’ of a work and the communication of that work to a ‘public’, need to be fulfilled.

Amongst those criteria, the Court has emphasised, above all, the essential role played by the defendant. The defendant makes an act of communication when he intervenes, in full knowledge of the consequences of his action, to give access to a protected work to his customers and does so, in particular, where, in the absence of that intervention, his customers would not, in principle, be able to enjoy the broadcast work.

Next, the ECJ has specified that the concept of the ‘public’ refers to an indeterminate number of potential viewers and implies, moreover, a fairly large number of people who potentially might buy the multimedia player.

The ECJ also dealt with the question of whether temporary reproductions made during video streaming fall within the copyright owner’s reproduction right under Article 2 of Directive 2001/29.

Under Article 5 (1) of Directive 2001/29, an act of reproduction may be exempted from the reproduction right provided for in Article 2 thereof only if it satisfies five conditions, that is, where

  1. the act is temporary;
  2. it is transient or incidental;
  3. it is an integral and essential part of a technological process;
  4. the sole purpose of that process is to enable a transmission in a network between third parties by an intermediary or a lawful use of a work or protected subject matter; and
  5. that act does not have any independent economic significance.


Furthermore, under Article 5 (5) of Directive 2001/29, the exemption applies only where the “normal” exploitation of the work or other protected subject matter is not affected and the legitimate interests of the right holder are not unduly infringed.

The court held that at least condition 4 is not fulfilled by the multimedia player in dispute, since no lawful use would be possible.

Furthermore, Article 5 (5) of Directive 2001/29 is also affected: the exception to the exclusive reproduction right is unlikely to apply to the media player, since its use infringes the normal exploitation by the authors and unduly violates the legitimate interests of the rightsholders.

III. Transfer to other issues

The ECJ ruling raised the concern that it could be applied to any other device capable of playing illegal content, such as the PC.

However, this concern could be seen as unjustified.

The ECJ itself held that the main incentive for using the media player with its pre-installed add-ons is to get access to an unauthorized offer of copyright-protected works.

The players were actively advertised as granting that access to copyrighted content and were actually able to provide it. The ECJ also took into account that the defendant acted with the intention of making a profit by violating copyrights.

In contrast to an ordinary computer, which also grants access to illegal content, the special feature of the multimedia player depends on its application and the range of functions for receiving and displaying copyright-infringing content. The main difference from devices providing an ordinary browser, which allows access to unlawful content, is that the multimedia player was delivered with a browser that is explicitly pre-set to make illegal content available without further hurdles, so that the copyright infringements are caused by the pre-configuration.

The ruling also points out that only multimedia players such as those at issue are addressed by the judgment.

IV. Conclusion

Contrary to the public debate, the ECJ has not declared the streaming of content to be against the law; it says that the distribution of multimedia players which, according to their prior advertising, grant easy access to unlawful content needs to be prohibited. Nothing in the judgment can be read as a basis for mass warnings of users.

Dismissal based on serendipitous disclosure by covert video surveillance

Claudia Bischof Employee Data Protection

In a recent decision of 22 September 2016 (2 AZR 848/15), the Federal Labour Court (BAG) dealt with a dismissal based on serendipitous disclosure of facts by covert video surveillance. The legal changes resulting from operating covert video surveillance are therefore summarized below.

I. The facts

The applicant had been working as a deputy branch manager for about 15 years with the defendant, a company engaged in food retailing. The applicant was mainly employed as a cashier.

An annual stocktaking at the end of 2013 disclosed an inventory loss of approximately ten-fold compared to the previous year for the product groups tobacco/cigarettes and non-foods. According to the defendant, this loss could only be attributed to the employed staff. Since the subsequent review measures, including checks of employees’ bags, did not explain the situation, the employer introduced covert video surveillance of the cash desk with the approval of the works council.

A video sequence resulting from the video surveillance showed the applicant passing a “sample bottle” over the scanner, registering an empties return and taking money from the cash desk. The cash receipt generated by her showed an amount of € 3.25.

The disclosure of this process was a so-called “serendipitous disclosure”, since the deputy branch manager was not suspected of being responsible for the inventory loss.

The defendant dismissed the deputy branch manager without prior notice and with immediate effect, and she started court proceedings against the company over this dismissal. The labour court of first instance allowed the action (ArbG Duisburg, judgment of 4.9.2014 – 1 Ca 272/14). The state labour court of the second instance (LAG), however, dismissed the action (LAG Düsseldorf, judgment of 7.12.2015 – 7 Sa 1078/14) and the Federal Labour Court (BAG) confirmed the decision of the state labour court.

II. Data protection aspects of the judgment

From the data protection point of view, the judgment is worth noting. It deals with the controversial legal issue of whether serendipitous disclosures can be valid evidence when discovered in the context of covert video surveillance used to uncover major offenses in the employment relationship.

Additionally, the judgment clarifies whether sec. 32 para. 1 sentence 2 of the Federal Data Protection Act (BDSG) has a restrictive effect and prohibits the use of covert video surveillance to investigate serious but not criminal offenses.

The judges held that the employer’s approach is covered by § 32 para. 1 sentence 2 BDSG.

Under the principles laid down by the BAG in 2003 (BAG, judgment of 27.3.2003 – 2 AZR 51/02), covert video surveillance at the workplace breaches employees’ personal right to their own likeness unless:

  • it is installed to verify the concrete suspicion of a criminal offense or other serious misconduct at the expense of the employer,
  • all less drastic measures for clarifying the suspicion have been exhausted, so that covert video surveillance is the only remaining measure, and
  • it is not disproportionate.

The suspicion must be directed at a circle of employees that is at least locally and functionally distinguishable.

However, at the time of the aforementioned decision of the BAG in 2003, § 32 BDSG was not yet in force. Sec. 32 para. 1 sentence 2 BDSG was introduced in 2009 and now expressly states:

Personal data of employees may only be collected, processed or used if actual documented evidence leads to the reasonable suspicion that the employee has committed a criminal offense related to the employment relationship. The collection, processing or use of the personal data needs to be necessary to solve the offence, and the employee’s interest in being excluded from the collection, processing or use must not prevail.

In the above ruling from 2013, the BAG expressly left open whether the covert video surveillance could be justified in compliance with sec. 32 paragraph 1 sentence 2 BDSG if a suspicion of a serious violation of duty exists without its criminality at the same time (BAG, judgment of 21.11.2013 – 2 AZR 797/11).

The BAG, however, stated in the current decision that sec. 32 BDSG bundles the principles developed by the jurisprudence and is not intended to alter them. If the wording of the second sentence in sec. 32 paragraph 1 BDSG differs from this intention, it is “accidentally” unclear. Sec. 32 paragraph 1 sentence 2 BDSG is based on the principles required by the mentioned ruling of 2003. Accordingly, the wording of sec. 32 paragraph 1 of the Federal Data Protection Act does not prohibit investigations based on serious breaches of duties resulting from the employment relationship:

The circle of suspects must be limited as far as possible. However, sec. 32 paragraph 1 sentence 2 BDSG cannot be understood to mean that surveillance measures may cover only persons who are suspected of seriously breaching their duties as employees.

III. Conclusion

The admissibility of a data protection measure depends on its proportionality.

All visible inspection measures must be exhausted before covert surveillance measures can be installed. According to the ruling, the employer was legally entitled to install the covert video surveillance, since the employer had previously used all available measures to determine the cause of the inventory loss without success. Installing the covert video surveillance system was an “ultima ratio” solution. As a result, the employer was entitled to use the video recording as proof of the serious breach of duty and to base its termination without notice on it according to sec. 626 BGB (German Civil Code).

Lacking IT compliance: When the data “oil boom” could come to an end

Karsten Krupna Data Security, General Data Protection Regulation

Digital data processing is an important driver for sustainable company development and therefore, as is regularly to be read, the new (motor) oil. Here, the linkage of and cross-platform accessibility to all data types plays a central role. Fintechs, for example, focus on bank data, and developers of health apps or wearables on health data. If the corresponding data protection requirements are taken into account, such a business model can be economically very lucrative.

However, problems occur if the “oil pipeline” has a “leak” or – in other words – the data is accessed by unauthorized third parties. The reasons for data loss are manifold. Apart from data theft by employees, cyber-attacks pose an increasing threat. In the event of data loss, not only the company’s reputation is at stake. A loss of data may trigger reporting obligations, which, in case of non-fulfillment, can lead to high fines.

I. Fines for breach of data protection reporting obligations

According to the currently applicable German Federal Data Protection Act (BDSG), violations of notification obligations can be penalised with fines of up to € 300,000.00 per case.

The EU’s General Data Protection Regulation (GDPR) that comes into effect on 25th May 2018 stipulates fines of up to € 10 million or 2% of the annual turnover achieved in the previous year, in the case of a breach of duty. Companies should urgently establish internal procedures in order to ensure compliance with reporting obligations, if they have not already done so. Otherwise the “oil boom” is quickly over. The basic conditions for the reporting obligations in accordance with the BDSG and the significant changes under the GDPR are described below. The article concludes with recommendations for dealing with data protection violations.

II. What applies according to the BDSG?

According to Sec. 42a BDSG, a company must inform the responsible supervisory authority and the data subject if it finds that sensitive data stored by the company was unlawfully accessed by a third party and that this has serious adverse effects on the rights and interests of the data subject. According to Sec. 42a para. 1 BDSG, the following types of data are considered to be particularly vulnerable:

  1. special categories of personal data,
  2. personal data subject to professional secrecy,
  3. personal data related to criminal offences or administrative offences or the suspicion of punishable actions or administrative offences, or
  4. personal data concerning bank or credit card accounts.

If none of the aforementioned data types are affected, the verification of the further requirements of § 42a BDSG (German Federal Data Protection Act) and therefore the notification obligation (at least) according to the BDSG is no longer necessary.

However, the affected companies still are supposed to fulfil other reporting obligations which may arise e.g. from the IT Safety Act or from the contract with the parties concerned (e.g. customer).

If, however, e.g. bank data are affected and the additional requirements of the notification obligation in accordance with Sec. 42a BDSG apply, the regulatory authority and the concerned parties must be informed “immediately”. In analogous application of Sec. 121 para. 1 sentence 1 of the German Civil Code (BGB), this means acting “without any undue delay”.

III. What will change with the GDPR?

The General Data Protection Regulation follows the basic structure of Sec. 42a BDSG in the provisions of Articles 33 and 34 GDPR. However, it expands the scope of application and individual obligations.

1. Reporting to the supervisory authority

Article 33 GDPR standardises the reporting requirements to the supervisory authority “in the case of a personal data breach of security”. “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (see article 4 number 12 GDPR) is sufficient for such an event. Therefore, in addition to e.g. cyberattacks, even data losses due to system crashes can trigger reporting obligations.

In addition, the reporting obligation under the GDPR is no longer restricted to certain data types.

Rather, the supervisory authority must always be notified, except if the data breach is not likely to “result in a risk for the rights and freedoms of individuals”.

The criteria for the above-mentioned risk assessment remain open and this is up to the responsible company to decide.

However, since the reporting obligation is linked to a breach of security, which the company must already ensure in accordance with article 32 GDPR taking into account the risks to the affected parties, the policy starts from the principle that the risk assessment according to article 33 GDPR will follow the previous assessment according to article 32 para. 1 and para. 2 GDPR.

In the case of a reporting obligation, the regulatory authority must be notified immediately, but in any case within 72 hours after the notification of the data breach, except in exceptional cases.

2. Notification of the affected parties

The aforementioned expansion of the reporting obligation also applies to the notification of the concerned parties (article 4 n. 12. GDPR). However, according to article 34 GDPR, the concerned parties must only be notified if the data breach is likely to “result in a risk” for their rights and freedoms. Therefore, the threshold is higher for the notification obligation towards the concerned parties than for the reporting obligation towards the regulatory authority. Here too, the risk assessment is incumbent upon the respective company. However, according to article 70 para. 1 letter h GDPR, the Data Protection European Parliament Committee should at least provide guidelines and recommendations. If there is a possibility for the outcome to contain high risk, the concerned parties need to be notified immediately, provided that no exceptions of article 34 para. 3 GDPR take effect.

The notification obligation is not applicable e.g. if an encryption can virtually eliminate the unauthorised access to personal data.

3. Recommendations for action

Companies that have hitherto ignored or insufficiently addressed this aspect of reporting obligations in the case of a data breach in their IT compliance should establish an emergency management function. The emergency management should initially assess the existing concept, adapt it as necessary and then regularly re-examine it in accordance with the GDPR. The policy should start with preventive measures and then develop a list of measures for the case of data breaches.

For example, the following should be considered preventively:

  • testing the data processes as well as the technical and organisational measures for legal conformity,
  • identifying and minimising particularly risky situations, taking into account the sensitivity of the data,
  • ensuring internal notification of relevant events (chain of information),
  • adjusting IT policies and training all employees on them,
  • testing the necessity and the extent of the insurance coverage,
  • continuous evaluation of all informal or publicly known cases of damage as a “learning organization”,
  • establishing a crisis unit in the case of data loss and its reporting.


In the case of data loss, the crisis unit has to work out an extensive scenario in addition to IT technical measures:

  • compliance with legal and contractual information requirements (for example, towards the parties concerned, the regulatory authority or the BSI),
  • examination and defense of claims for damages of affected persons,
  • examination and enforcement of claims for damages against a contractor for breach of contract,
  • filing a criminal complaint,
  • examination and enforcement of claims for damages against the perpetrator,
  • assertion of the insurance claim,
  • coordination of public relations.

Liability for Operating Public Wi-Fi Hotspots

Bernd Schmidt General Data Protection Regulation, Telemedia

After long discussions, the German legislator has finally implemented a rule excluding liability for providers of public Wi-Fi Hotspots. However, relevant legal risks remain for operating public Wi-Fi Hotspots. Key aspects of this recent amendment of the German Telemedia Act (TMG) are summarised below.

1. Liability Limitation for Access-Providers

Sections 7 and 8 TMG contain a liability limitation for so called access-providers. As they do not provide online contents, but only access, they shall in principle be free from any claim on the basis of e.g. copyright infringements by providing such content. Where access-providers are made aware of such infringing content, they may eventually be obliged to block access (notice and take down) while there is no obligation for actively monitoring for infringements.

For providers of public Wi-Fi Hotspots, there is a long-standing debate as to whether or not they are access-providers within the meaning of Telemedia law. This debate becomes particularly relevant in the context of enforcing claims for cease and desist in online copyright infringement cases (e.g. file sharing). In such cases, there is typically no active infringement by the Wi-Fi Hotspot provider or at least no respective proof. Accordingly, there is a debate as to whether or not the Wi-Fi Hotspot provider is liable under the interferer’s liability principle (Prinzip der Störerhaftung).

Under the interferer’s liability principle, Wi-Fi Hotspot providers are subject to cease and desist claims where they have intentionally created cause for the infringement (of copyright), e.g. by providing internet access via a public Wi-Fi Hotspot. In 2010, the German Federal Court (BGH) applied these principles to Wi-Fi Hotspot providers in the landmark case “Summer of our Life (Sommer unseres Lebens)”. Following the BGH ruling, the interferer’s liability principle applies where the Wi-Fi Hotspot provider fails to (i) implement state of the art security mechanisms for the Wi-Fi Hotspot and to (ii) carry out regular compliance checks.

This far-reaching application of the interferer’s liability principle led to relevant legal risks for operating public Wi-Fi Hotspots and to the consequence that public Wi-Fi coverage in Germany is significantly lower than in other European countries.

2. Application of the Access-Provider Liability Privilege to public Wi-Fi Hotspot Providers

The second TMG Amendment Act (2. TMG-Änderungsgesetz) as of June 2016 implements supposedly clear guidance in Section 8 (3) TMG, stating the access-provider’s liability privilege applies to Wi-Fi Hotspot providers.

“Para 1 and 2 [containing the access-provider’s liability privilege] apply for providers in the meaning of para 1 providing internet access via local non-wired networks”

The respective legislative initiative’s goal was, inter alia, to reduce legal risks for public Wi-Fi Hotspot operators in order to create incentives for more public Wi-Fi Hotspots. If at all, this goal was achieved to a very limited extent only. In particular, the TMG amendment may not be considered as providing relevant protection against claims for cease and desist. This in particular holds true for the following reasons.

German courts are of the opinion that the access-provider’s liability limitation provides protection against damage claims, but no protection against claims for cease and desist. It appears rather unlikely this approach will change under the current amendment of the TMG.

In the legislative process, there was a proposal to include a para 4 to Section 8 TMG explicitly stating there is no rights holder’s claim for cease and desist against public Wi-Fi Hotspot providers where and to the extent they have implemented state of the art security measures preventing misuse of their Wi-Fi Hotspots. This provision has, however, not survived legislative debate.

Further, there are arguments from the perspective of European law against effective protection of public Wi-Fi Hotspot providers from cease and desist claims. Under Art. 12 (3) and Art. 14 (3) Directive 2000/31/EC (E-Commerce-Directive), there must be court measures provided by Member States’ law against intermediaries (such as access-providers) who’s services are used for (copyright)infringements. This aspect is also picked up in the recent European Court of Justice (ECJ) decision (C-484/14), inter alia stating explicitly, that public Wi-Fi Hotspot providers are not protected against cease and desist claims to prevent (copy)right infringements committed via their Wi-Fi Hotspot.

In such case, public Wi-Fi Hotspot providers must bear costs for cease and desist claims and respective court actions. However, there is also light in the ECJ ruling. Where the Wi-Fi Hotspot provider has taken state of the art security measures to prevent the infringing action, for the decision on costs for legislative proceedings, the addressed court must carry out a balancing of interests’ test taking into account the right holder’s freedom to carry out his business and the public interest to access information via public networks. In this context, the ECJ is of the opinion that public Wi-Fi Hotspot providers comply with their duty of care when implementing security measures preventing infringing actions by requiring information to identify users of their public Wi-Fi Hotspot where need be.

3. Conclusion

Extending the access-provider’s liability privilege to providers of public Wi-Fi Hotspot fails to significantly decrease their legal risks, because the respective liability limitation does not apply to cease and desist claims and subsequent court rulings. Before setting up public Wi-Fi Hotspots, it is recommended to carefully assess legal risks and to decide on state of the art measures to prevent infringing actions carried out via the public Wi-Fi Hotspot.

District court Hamburg: Linking as a breach of the legal provisions

Claudia Bischof, IT Law

By decision of 18 November 2016 (310 0 402/16), the district court Hamburg ruled in preliminary injunction proceedings that profit-making website operators might infringe the author’s statutory right by making the original available to the public within the meaning of Section 19a Copyright Act (UrhG). In the opinion of the judges, the decision effectively leads to an obligation for website operators to review whether they link to copyright-infringing websites.

The decision is largely based on the “Sanoma decision” of the ECJ published in September of this year (C-160/15) on the issue of linking, and it is criticized not only by lawyers. However, if this reading of the ECJ decision prevails, it would increase the risk of warning letters and generally increase legal uncertainty when linking to third-party content.

The decision was based on the following facts:

The complaining photographer had taken a photo and published it under a Creative Commons license. According to the license stipulations, any changes to the photo required an explicit note. The photographer discovered on the applicant’s website an article which was published using his photo. The photo at issue had been redesigned by the website author. There was neither consent to the use nor a reference to the alteration of the photo. After the defendant had not signed the cease and desist declaration with penalty clause, the claimant initiated preliminary injunction proceedings.

1. Link as a public reproduction

The district court Hamburg essentially decided that the alteration of the photo without any consent and contrary to the license stipulations violates sec. 23 sentence 1 of the Copyright Act (UrhG). The website which published the article and the altered photo constitutes a “making available to the public” (sec. 19a UrhG) of the claimant’s altered photo within the meaning of sec. 23 sentence 1 UrhG. Referring to the recent ECJ ruling, the district court decided with regard to the claimant’s linked photo:

“The defendant’s linking to the altered photo is a public communication in the sense of the cited ECJ case-law.”

In the light of the ECJ’s case-law, the district court affirmed the objective and subjective legal prerequisites of “public communication by linking”.

According to the ECJ case-law, the issue is whether the photo is made available to a new group of people which the copyright owner had not had in mind when he allowed the original public communication. The Hamburg judges concluded that the public communication in the specific case depended on whether the claimant had given his consent to a freely accessible altered photo. This was denied, since neither the author’s consent existed nor was the alteration covered by the license.

The prerequisites of the subjective elements for the attribution of the infringement will play an essential role in practice. Here, the district court referred in large passages to the ECJ ruling.

2. Review: ECJ ruling of 8 September 2016 (C-160/15)

The European Court of Justice ruled on a case in which a Dutch online magazine had placed links to illegally copied photos of a Dutch television star, which allowed readers to view the copyright-infringing photos when reading the online magazine article. After the infringing content was deleted at the claimant’s request, the online magazine placed further links to another source. The online magazine knew about the illegality of the linked content, as the copyright owner had pointed out the illegality regarding the link.

The ECJ judges came to the conclusion that the commercial magazine, despite the knowledge of the legal infringement, once again linked to copyright-infringing content. Against this background they decided:

“[No 49] In contrast, where it is established that such a person knew or ought to have known that the hyperlink he posted provides access to a work illegally placed on the internet, for example owing to the fact that he was notified thereof by the copyright holders, it is necessary to consider that the provision of that link constitutes a ‘communication to the public’ within the meaning of Article 3(1) of Directive 2001/29.”

The wording “knew or ought to have known” establishes negligence as the standard under which the infringement is attributable to the infringer. The ECJ, however, did not stop at liability for intent or negligence: in the case of a person acting with a profit-making intent, the ECJ assumed a rebuttable presumption concerning the need to know, and therefore negligent ignorance:

“[No 51] Furthermore, when the posting of hyperlinks is carried out for profit, it can be expected that the person who posted such a link carries out the necessary checks to ensure that the work concerned is not illegally published on the website to which those hyperlinks lead, so that it must be presumed that that posting has occurred with the full knowledge of the protected nature of that work and the possible lack of consent to publication on the internet by the copyright holder. In such circumstances, and in so far as that rebuttable presumption is not rebutted, the act of posting a hyperlink to a work which was illegally placed on the internet constitutes a ‘communication to the public’ within the meaning of Article 3(1) of Directive 2001/29.”

In the decision of the district court Hamburg the judges continue on this scale of fault:

“Therefore, the ECJ only accepts an infringement of the right to a public communication if the link is culpably done in the sense that the responsible person had “known or should have known” the illegality of the linked accessibility (No 49). The latter also being intended to cover cases of negligence. According to the ECJ ruling, the scale of the offense depends on the responsible person. No 51 clarifies that a higher scale of fault applies to a person who acts with a profit-making intent: that person is expected to ascertain whether the linked content has been made lawfully. The refutable presumption of knowledge of the missing permission applies”.

The defendant stated that he had acted in the knowledge of the ECJ decision, but had not started any investigation into the photo’s copyright history because he found the ruling to be contrary to fundamental principles and incompatible with the EU Charter of Fundamental Rights. From this, the court held that the defendant had at least approvingly accepted the illegality of the content and thus acted intentionally. Even without such conditional intent, liability would be conceivable in that case: since the defendant sold teaching material on his website and thus ran his website with a profit-making intent, the rebuttable presumption applies. Hence, he ought to have known of the copyright infringement on the linked website.

3. High warning fees are expected

In fact, the copyright test is likely to be difficult for small businesses and firms without their own legal department. In order not to fall into the warning-letter trap, linking to content of others should be avoided in every case of doubt.

The court justified the amount in dispute at EUR 6,000.00. Although the infringement is only a link, it is judged from the legal point of view as an independent communication of the photo. Therefore, the court deemed the amount in dispute to be (still) appropriate.

If the economic importance is calculated roughly, a total of 960 EUR net lawyer costs (own and opposing attorneys’ fees) will result for the court proceeding, which would need to be paid by the losing party in case no court appointment would be necessary. When the parties meet at the judges’ bench, an additional EUR 848 will be charged. There are also costs of 248 EUR for the court. To sum up, this is EUR 2,000. If the matter is not terminated in injunctive proceedings, the costs are doubled.

4. Conclusion

The decision of the district court Hamburg provides a taste of the issues arising from the ECJ jurisprudence for the internet economy. Commercial website operators are advised, due to the uncertain legal situation, to check before linking to third-party content whether there are obvious copyright infringements on the respective website and, in case of doubt, to avoid any links. Whether the arguments of the district court will be successful in the future remains open for now. In the course of the decision, the district court Hamburg at least gave the impression that the consequences of the jurisprudence brought up by the ECJ were not entirely certain:
At the request of the famous Heise publishing house to confirm that all copyrighted contents on the court’s website “do not violate the provisions of the copyright or related laws”, the court answered evasively three days later that “content that is available on the district court’s website is lawful, but there is no need for a legally binding declaration.”

The answer is understandable, since no one would be responsible for third-party content.

Commissioned Data Processing and International Data Transfer – GDPR Series, Part 4

Bernd Schmidt, General Data Protection Regulation, International Data Protection

Today, involving data processors for processing personal data and outsourcing business processes is a necessity for companies of practically any size and in any industry. Companies should therefore be aware of new rules, duties and risks imposed by the GDPR.

BREXIT – Future of Data Transfers to the United Kingdom

Bernd Schmidt, General Data Protection Regulation, International Data Protection

It was a serious shock when the British people voted for Britain to leave the European Union (EU). The consequences will be massive and also affect data protection law. When the common legal framework of the EU member states no longer spans the United Kingdom, there will be a need for justifying data transfers across the English Channel. Currently the legal justifications are laid down in the EU Data Protection Directive (DPD) and the respective implementations into the member states’ national data protection laws. On 25 May 2018, the member states’ data protection laws and DPD will be replaced by the General Data Protection Regulation (GDPR). Both DPD and GDPR differentiate between data transfers within the European Economic Community (EEC) and other countries outside the EEC and favour data transfers within the EEC. Leaving the EU may be the end for such privileged data transfers to the United Kingdom.

1. Data Transfers within the EEC

Data transfers require a justification under data protection law. Whether or not data exporter and data recipients are located in the same or in different member states is irrelevant under data protection law – DPD and GDPR consider the EEC member states per se as providing adequate data protection safeguards.
The same applies to assigning data processing to data processors located within the EEC as compared to data processors located outside the EEC. Currently, Section 11 German Data Protection Act (BDSG) considers data processors located in EEC member states as a part of the data controller. As a consequence of this so-called “privileged” data processing, the requirements for justifying such assignments are substantially lower compared to assignments of data processors in third countries. This will not change significantly under the GDPR.

Today, such privileges for data transfers apply inter alia with regard to data processors in the United Kingdom and data controllers in other member states. When the UK leaves the EU and supposedly the EEC, these privileges will no longer be automatically in place. In such case, data controllers in the EEC would need to implement alternative means to ensure adequate data protection guarantees for data recipients in Great Britain.

2. Data Transfers to the UK based on an Adequacy Decision

For countries outside the EEC (third countries), DPD and GDPR assume there are no sufficient data protection guarantees in place. Countries outside the EEC are considered prima facie as “unsecure third countries”. For unsecure third countries, the EU Commission may assess whether in fact there are adequate data protection guarantees in place and make a respective ruling under Art. 25 DPD and in the future under Art. 45(1) GDPR (adequacy decision). The EU Commission’s adequacy decisions are legally binding, but may be challenged in the courts as any act of public authorities and ultimately be overruled by the European Court of Justice (ECJ). The ECJ has recently overruled the Safe Harbor adequacy decision for data transfers to the USA (see our blog articles of 6 October 2015 and 12 February 2016).

Currently, there are adequacy decisions in place for Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. For the USA, there is an adequacy decision for data recipients under the EU-US Privacy Shield (see our blog article of 12 February 2016 concerning the draft).

When the United Kingdom leaves the EU, it would as a starting point need to be considered an unsecure third country. However, it is likely either that the United Kingdom would remain in the EEC and get a status such as that of Norway, or that in the course of exit negotiations with the EU an adequacy decision would be taken by the EU Commission, putting Great Britain in a position such as that of Switzerland today. Such an adequacy decision would appear reasonably justified where Great Britain would keep in force its data protection act based on the DPD.

In such a case, we would almost be back to the current status quo – almost. As a consequence of the ECJ Safe Harbor ruling, national data protection authorities have the obligation to assess individually and independently of an adequacy decision whether or not a data transfer is justified and the data recipient provides for adequate data protection safeguards. For this assessment, data protection authorities would also consider access of public authorities to personal data, e.g. in the context of criminal investigations or anti-terror activities.

In this way, data transfers to Great Britain could also ultimately be brought before the ECJ for review, similar to the Safe Harbor ruling. The ECJ’s ruling in such a case is hard to predict in light of the existing cooperation between US and British authorities.

3. Data Transfers to the UK as an Unsecure Third Country

In case exit negotiations should not establish a status of the UK as a secure third country or the UK would lose such status, there would be a requirement for justifying data transfers based on the so-called two-step test.

In the first step, data controllers based in the EEC would need to establish a justification as for any other data recipient located in the EEC or a secure third country. In addition, they would need to establish the second-step justification, compensating for the lack of adequate data protection at the data recipients’ end.

The means of choice for the second step would depend on the individual circumstances of the data transfer. In any event, implementing the EU Commission’s standard contractual clauses would be possible and establish adequate data protection standards without the requirement of approval by the data protection authority.

For intra-group data transfers, implementing so-called binding corporate rules may also be suggested (see Art. 47 GDPR). Binding corporate rules would, however, need to be approved by the data protection authority in order to constitute a sufficient second-step justification.

4. Conclusion

Brexit will have a severe impact on the foundations of economic cooperation with the United Kingdom and pose relevant challenges for affected companies. One of many tasks would be to establish a concept for data transfers to the United Kingdom that is compliant with data protection requirements. The challenges in detail will depend on the coming exit negotiations. Affected companies should have the possible scenarios in mind and prepare for the associated challenges.

Principles, Consent and Statutory Justifications – GDPR Series, Part 3

Bernd Schmidt, General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a milestone in the development of data protection law whose relevance cannot be overestimated. The GDPR implements various changes as compared to the current situation. German and other companies should prepare for these changes entering into force in May 2018.

1. Principles for Processing Personal Data

Art. 5 GDPR stipulates the below principles for processing personal data:

  • lawful and fair data processing
  • transparent data processing
  • data processing for specified, explicit and legitimate purposes
  • data minimisation
  • accuracy of data processing
  • storage limitation
  • integrity and confidentiality of data processing
  • accountability

These principles have largely been in place under the regulation’s predecessor, Art. 6 Data Protection Directive (DPD), and have been of relevance to the interpretation of the German Data Protection Act (BDSG) even though they were not directly implemented in the wording of the BDSG. The principles of Art. 5 GDPR in particular become relevant for interpreting justifications for processing personal data contained in the GDPR and other statutes. They also limit and define the member states’ competence to complement the GDPR with domestic legal instruments as provided for in various GDPR opening clauses.

Companies should understand these principles as general principles for tailoring their data protection organisation without a need for direct implementation or a direct requirement to base any particular assessment on these principles. Assessment of particular data handling should rather be carried out by applying statutory justifications, e.g. in Art. 6 GDPR.

2. Justifications

Both DPD and GDPR consider data processing as illegal unless there is a specific justification in place (see Recital 40 GDPR). Art. 6(1) GDPR contains a number of justifications for processing personal data, Art. 9(2) GDPR for processing special categories of personal data (not subject to this article) and chapter IX for processing personal data in special processing situations.

3. Consent

Under Art. 6(1)(a) GDPR, the data subject’s consent is a valid justification for processing personal data. Also under Art. 7(a) DPD and Section 4(1) BDSG, data subjects’ consent is considered as a justification for data processing. Detailed requirements regarding the declaration of consent follow from Art. 7 GDPR and Recitals 32, 42 and 43 GDPR. In addition, there are more specific requirements for collecting a declaration of consent from children in the context of information society services.

Under the GDPR, as under the current legal framework, a declaration of consent must be freely given, based on an informed decision of the concerned person and made in a clear manner (see Recital 32 GDPR). Differing from today’s requirements under Section 4a(1) Sentence 3 BDSG, under the GDPR a declaration of consent need not generally be made in writing. Rather, written, oral, electronic and other ways to express a declaration of consent are considered equal (see Recital 32 GDPR). Implicit declarations of consent will therefore also be legally valid where provided by the data subject in an active manner. Remaining silent or, in an online context, pre-checked boxes are not an active expression of consent under Art. 8 GDPR and hence no declaration of consent.

The data controller has the burden of proof in regard to the requirements of a valid declaration of consent according to Art. 7 (1) GDPR. From a data controller’s perspective, it would therefore be prudent to collect declarations of consent in written or electronic form and retain them at least for the duration of the processing. Art. 7 GDPR expressly states that a data subject may revoke a declaration of consent at any time with effect for the future. This is in line with the current understanding of Section 4a (1) BDSG. Accordingly, a data controller is bound by an obligation to design any consent-based data processing in a manner that enables execution of individually revoked declarations of consent.

Under Art. 8(1) GDPR, children may provide a valid declaration of consent in the context of information society services from the age of 16. A declaration of consent expressed by children under the age of 16 becomes valid upon the parent’s confirmation. According to Art. 4 No. 25 GDPR and Directive (EU) 2015/1535 on procedures for the provision of information in the field of technical regulations and of rules on information society services, information society services are typically provided in return for money in the context of distance distribution, such as in-app purchases and other (mobile) value added services.

4. General Statutory Justifications

The GDPR contains general statutory justifications for processing personal data in Art. 6(1)(b)-(f) GDPR. Under these rules, personal data may be processed if necessary for the purposes listed below:

  • performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – Art. 6(1)(b) GDPR,
  • compliance with a legal obligation – Art. 6(1)(c) GDPR,
  • protecting the vital interests of the data subject or of another natural person – Art. 6(1)(d) GDPR,
  • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – Art. 6(1)(e) GDPR,
  • legitimate interests pursued by the controller or by a third party – Art. 6(1)(f) GDPR.

These statutory justifications are largely similar to their predecessors in Art. 7(b)-(f) DPD and Section 28 BDSG. For affected companies, particularly relevant are the justifications to process personal data for the performance of contractual obligations and to pursue legitimate interests as currently covered by Section 28(1) No. 2 BDSG and Section 28(1) No. 2 BDSG. Similar justifications will also be in place under the GDPR.

In order to justify data processing for the performance of contractual obligations under Art. 6(1)(b) GDPR, the data controller must check and ensure that such data processing is in fact required for the performance of contractual obligations. The extent to which data processing is permitted is in the first place defined by the scope of contractual obligations as agreed by the parties.

Processing personal data under the legitimate interest justification of Art. 6(1)(f) GDPR requires justified interests of the data controller that outweigh the data subjects’ opposing interests, i.e. a balancing of interests test. When carrying out such a balancing of interests, the data controller must in particular consider the data subjects’ fundamental rights and freedoms. Art. 6(1)(f) GDPR now explicitly states that when processing children’s personal data under a legitimate interest justification, one must particularly consider their specific interests.

In order to assess the scope of justified data processing under the legitimate interest justification of Art. 6(1)(f) GDPR, it appears prudent to apply the principles developed under the predecessor rule of Section 28 (1) No. 2 BDSG mutatis mutandis. In addition, Recital 47 GDPR contains further guidance on an appropriate connection between data controller and data subject and on the foreseeability of data processing, which become relevant when establishing the legitimate interest justification. Where such an appropriate connection is in place, e.g. in a sales and purchase of goods relationship, common data processing will be rather easy to justify. However, as today under the BDSG, justifying data processing under legitimate interests under the GDPR will always depend on assessing the circumstances of the individual case.

5. Special Processing Situations

Chapter IX GDPR contains statutory justifications and the permission for Member States to implement individual justifications for special processing situations. Member States may in particular “reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.” In other words, member states may implement justifications for data processing for such purposes.

Principles and rules governing the freedom of expression, press publications and scientific research as in place at a member state regulatory level will therefore continue to establish data protection justifications in certain cases. Art. 86 GDPR provides for a similar rule in regard to the right to information about public authorities’ activities, which may become relevant namely for the German Federal Freedom of Information Act (IFG) and the German States’ Freedom of Information Acts. These laws will continue to provide for data protection justifications in particular cases.

Art. 88 GDPR establishes employment data protection law at the EU regulatory level by giving the member states authority to implement respective data protection rules. Art. 88 GDPR may trigger a new discussion about implementing employment data protection rules in Germany. So far, there have been a number of draft laws and legislative initiatives – the only result being the minimalistic and “temporary” provision in Section 32 BDSG.

Processing personal data for archival purposes, scientific and historic research is under Art. 89(1) GDPR in principle subject to the GDPR. Under Art. 89(2) GDPR, the Member States may, however, implement additional legal provisions. As is currently the case, under the GDPR the German Federal Archive Act (Bundesarchivgesetz) and the German States’ Archive Acts may therefore also restrict data protection rights and provide for data protection justifications.

The church data protection acts, namely the Church Act on Data Protection of the Protestant Church and the Regulation on Church Data Protection of the Catholic Church, will be applicable under Section 91 GDPR. Currently, there is a respective setup under Art. 140 German Constitution (Grundgesetz) in connection with Art. 137 of the German Constitution of 1919 (Weimarer Reichsverfassung). However, under Section 91 GDPR, the church data protection acts apply only to the extent that they are in line with the principles of the GDPR.

6. Conclusion

The GDPR further develops German and European data protection law, in particular on the basis of the DPD. This also holds true for the principles for processing personal data and the data protection justifications that are the subject of this article. Companies do not have to completely change their data processing procedures under the GDPR. Where data processing is in line with current data processing requirements, the requirements under the GDPR are by and large likely to be fulfilled as well. In any case, it is advisable to carefully assess deviating legal requirements and to implement respective measures in preparation for the GDPR.

Other parts of this series:

Part 1: EU Data Protection Regulation – New Series

Part 2: Fines, Penalties and Damages for Data Protection Infringements

Part 4: Commissioned Data Processing and International Data Transfer