German court rules that online retailers must specify the delivery date even for ‘coming soon’ B2C pre-release orders

In a judgment of 17 May 2018, case no. 6 U 3815/17 (“Judgment”), the Court of Appeal Munich (Oberlandesgericht München – “Court of Appeal”) held that online retailers are required to indicate a precise delivery time on their website where consumers purchase products. A ‘coming soon’ notice is insufficient, even where the relevant product has not yet been released. The Judgment was published on 9 July 2018 by the German consumer protection association Verbraucherzentrale Nordrhein-Westfalen, which had initiated the court proceedings (“Plaintiff”). The Plaintiff’s accompanying press release of 9 July 2018 can be found here (in the German language).

Background

In 2016, the Plaintiff initiated court proceedings against a major German online retailer (“Defendant”). The Defendant had offered customers on its website a new smartphone that had not yet been released by the manufacturer, placing the following notice on its website: “The item will be available soon. Secure your device now!” (Original German wording: “Der Artikel ist bald verfügbar. Sichern Sie sich jetzt Ihr Exemplar!”).

In its first instance judgment of 17 October 2017, case no. 33 O 20488/16 (“First Instance Judgment”), the District Court Munich I (Landgericht München I) held that the Defendant was in breach of its statutory information obligations on distance selling contracts under the German Civil Code (Bürgerliches Gesetzbuch – “BGB”).


European Parliament calls for suspension of EU to U.S. data transfers under the Privacy Shield

On 5 July 2018, the European Parliament demanded in a resolution that the European Commission suspend its EU-U.S. Privacy Shield unless the U.S. administration introduces adequate data protection safeguards by 1 September 2018. The Privacy Shield agreement is aimed at facilitating transfers of EU personal data to the United States. The non-binding resolution was passed by 303 votes to 223, with 29 abstentions, and calls on the European Commission to suspend the data-sharing deal unless the United States is fully compliant by September 1.

Issue

The European Parliament admonishes the United States for failing to ensure effective ‘adequate protection’ of the transfer of EU personal data to the United States.

The European Parliament criticises the U.S. administration for being slow to meet requirements set forth by the General Data Protection Regulation (GDPR), which specifies that special data sharing arrangements with countries outside the EU can only remain in place if those countries have independent authorities that properly oversee how Europeans’ data is handled once it moves abroad. The United States has failed to appoint members to the U.S. Privacy Civil Liberties Oversight Board (PCLOB), or to appoint a permanent Ombudsman to chair the PCLOB.


New data protection fee exemptions considered in UK

The UK government has opened a consultation on exemptions to paying a data protection fee, giving businesses the opportunity to lobby for new exemptions to be introduced.

Businesses that are responsible for processing personal data (i.e. controllers) are required to pay a data protection fee to the Information Commissioner’s Office (ICO). These fees are: £40 for micro organisations; £60 for small and medium organisations (SMEs); and £2,900 for larger organisations. These fees apply unless the controller is legally exempt.

The government has launched a consultation on whether the list of exemptions should be expanded. As the government is required under the General Data Protection Regulation (GDPR) to ensure the ICO receives an adequate level of funding, it says that it will take into account the impact of any changes on the ICO’s resources.

Current exemptions

The Data Protection (Charges and Information) Regulations 2018 (the Regulations) require controllers who are processing personal information to pay a charge to the ICO, unless they are exempt. More than 500,000 organisations are currently registered. The Schedule to the Data Protection (Charges and Information) Regulations 2018 provides a number of exemptions for individuals and organisations from paying charges to the Information Commissioner in relation to one or more of the following:

(i) business purposes:

  • Staff administration (including payroll)
  • Advertising, marketing and public relations (in connection with their own business activity)
  • Accounts and records (except in relation to processing of personal data by or obtained from a credit reference agency)

(ii) Other exemptions – processing for the purposes of:

  • Judicial functions
  • Personal, family or household affairs (including recreational purposes)
  • Some not-for-profit organisations
  • Controllers processing personal data only for maintaining a public register (such as the Electoral Roll)
  • Controllers that do not process personal data by automated means, or with the intention that the data will be processed by automated means

(iii) Exemptions granting a reduction in fees (tier 1 fee £40):

  • Small occupational pension schemes
  • Charities

Consultation

The Department for Digital, Culture, Media and Sport has now asked businesses whether the list of exemptions should be expanded, which exemptions are considered appropriate and should be retained, and which are not. The deadline for providing responses to the consultation is 1 August 2018.

Comment

It will be interesting to see what responses are triggered by this consultation, and what changes will be made as a result. Of course, there is merit in reviewing the exemptions to ensure that they are still current and appropriately apply to businesses that should benefit from them. We will be watching with a close eye.

EU’s GDPR applied to promotion marketing

The European Union’s General Data Protection Regulation (GDPR) is underway, and companies and organizations around the world are analyzing its effects on how they collect, use, store and disclose data. U.S.-based sponsors of sweepstakes, contests, instant win games and other promotions opening entry to or targeting Europeans need to be mindful of the GDPR rules since they are processing personal data by collecting the entries’ contact information, sending marketing communications and contacting the winners. To learn more on how U.S. marketers can address this legal development, click here.

Digital token ruled a security under the Howey Test, for now

With the plaintiffs’ bar setting its sights on initial coin offerings, a body of precedent will soon develop analyzing digital tokens under U.S. securities laws. Last week, United States Magistrate Judge Andrea M. Simonton began developing that body of law in Rensel v. Centra Tech, Inc., No. 17-CV-24500, 2018 BL 227097 (S.D. Fla. June 25, 2018). Although Judge Simonton’s opinion does not tackle many of crypto’s most-pressing questions, it serves as a guidepost for future actors in an industry desperate for clarity. To read more, click here.

European Data Protection Board replaces Article 29 Working Party

On 25 May 2018 the European Data Protection Board (EDPB) formally replaced the Article 29 Working Party as the European advisory committee on data protection issues. In addition to taking over Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice, the EDPB, which operates as an independent body of the European Union with its own separate legal personality, also takes on a far broader set of responsibilities:

  • examining – on its own initiative or on the request of one of its members or the European Commission (Commission) – any question covering the application of the GDPR;
  • advising the Commission on any issue related to data protection in the EU, including on any proposed amendment of the General Data Protection Regulation (GDPR) and any EU legislative proposal;
  • advising the Commission on the format and procedures for the exchange of information in the framework of the Binding Corporate Rules;
  • providing the Commission with an opinion on the assessment of the adequacy of the level of protection in a third country;
  • providing opinions on draft decisions of the supervisory authorities; and
  • issuing binding decisions in certain instances, mostly about dispute resolution among supervisory authorities.

In its first plenary meeting, which took place on 25 May 2018, the EDPB agreed the final version of Guidelines 2/2018 on the derogations under Article 49 GDPR in the context of international data transfers (Article 49 Guidelines), as well as a set of draft Guidelines 1/2018 on certification in accordance with Articles 42 and 43 GDPR (Certification Guidelines).


Ireland: New guidelines on restrictions on data subject rights

Article 23 of the General Data Protection Regulation (GDPR) allows EU Member States to restrict the scope of data subjects’ GDPR rights and organisations’ GDPR obligations.

The Irish data protection authority, the Data Protection Commission (DPC), released guidelines (Guidelines) on GDPR Article 23 on 19 June 2018. The Irish Data Protection Act 2018 (the Act) was recently passed by the Irish parliament. The Act fills in the details of the derogations left to EU Member States under GDPR.

The Guidelines’ purpose is to provide advice for the Irish government when drafting regulations that restrict data subjects’ rights and organisations’ obligations.

GDPR Article 23

Any proposed restriction requires a detailed analysis of the following conditions to justify why it is required and how it will apply. Restrictions must:


EU reaches agreement on rules allowing free flow of non-personal data

You may well remember our blog from last year which outlined the Commission’s proposal for a framework in relation to the free flow of non-personal data in September 2017 (you can view our blog here).

On 19 June 2018, the European Parliament, Council and the European Commission reached a political agreement on the rules that will allow data to be stored and processed everywhere in the EU, without unjustified restrictions.

In addition to supporting the creation of a competitive data economy within the Digital Single Market, these new rules will remove barriers which hinder the free flow of data. Predictions suggest that this could boost Europe’s economy by an estimated growth of up to 4 per cent GDP by 2020. You can find more information on the European Commission’s website.

Key objectives

The new rules on the free flow of non-personal data will:

  • Ensure the free flow of data across borders: this will prohibit data localisation restrictions, allowing organisations to store data anywhere in the EU. Member States will also be required to communicate to the Commission any remaining or planned data localisation restrictions in “limited specific situations of public sector data processing”.
  • Ensure data availability for regulatory control: public authorities will be able to access data – for scrutiny and supervisory control – regardless of where it is stored and/or processed in the EU. Also, Member States may sanction users that do not provide access to data stored in another Member State.
  • Encourage creation of codes of conduct for cloud services: to facilitate switching between cloud service providers under clear deadlines. The Commission states that this “will make the market for cloud services more flexible and the data services in the EU more affordable”.


UK Government publishes technical note on data protection

On 7 June 2018, the UK government published a technical note detailing options for future UK-EU cooperation on data protection, post-Brexit. The technical note is part of a series of papers produced by the UK Brexit negotiation team for discussion with the EU, in order to assist with the development of future EU-UK relations.

The UK government suggests that a new data protection agreement should be executed between the UK and the EU. The agreement would build on the current concept of the “adequacy” of data-sharing laws between the EU and UK after Brexit and enable the Information Commissioner’s Office (ICO) to continue to play an important role in the EU’s data protection decisions. A failure to maintain the flow of information between the UK and the EU is one of many concerns facing multinational companies as the UK prepares to leave the EU.

This blog will look at the key themes put forward in the technical note.
