Dr. Alexander Hardinghaus

According to a press release dated 26 February 2018, the Higher Administrative Court Münster (Oberverwaltungsgericht Münster) has asked the European Court of Justice (ECJ) for a preliminary ruling on the question of whether Over-the-Top (OTT) services are caught by the European regulatory framework on telecommunications services.

Background

By way of administrative orders, the German Federal Network Agency (Bundesnetzagentur – BNetzA) enforced against Google, in relation to its free-of-charge Gmail service, the specific notification obligation under section 6 of the German Telecommunications Act (Telekommunikationsgesetz – TKG), which applies to operators of telecommunications services. Google took the view that Gmail does not qualify as the “operation of telecommunications services” within the meaning of the TKG and, therefore, had not notified the Gmail service to the BNetzA.

Google challenged the administrative orders by bringing an action before the Administrative Court Cologne (Verwaltungsgericht Köln). Google argued that the transmission of emails over the Internet is technically not under Google’s control, since it is carried out by access providers and not by Google. The Administrative Court Cologne regarded these arguments as irrelevant. Rather, it held that the transmission services provided by the access providers involved are to be attributed to Google. As a consequence, the Administrative Court Cologne found that Google qualifies as the “operator” of the whole communication process. In its judgment of 11 November 2015, case no. 21 K 450/15, the Administrative Court Cologne dismissed Google’s action. As a consequence, Gmail would indeed be covered by the notification obligation under section 6 TKG.
Continue Reading Are OTT services telecommunications services? German court asks European Court of Justice for preliminary ruling | Gmail Case

On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT Systems – “BAIT”). The BAIT is available in German on the BaFin’s website. The final version of the BAIT incorporates a number of revisions resulting from submissions made by stakeholders in the course of a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to give guidance on the BaFin’s interpretation of the statutory requirements under Section 25a(1) sentence 3 nos. 4 and 5 and Section 25b of the German Banking Act (Kreditwirtschaftsgesetz – KWG). The BAIT sets out the BaFin’s understanding of what reasonable technical and organisational features of IT systems used within financial institutions should look like, taking into account in particular the requirements for IT security and a sufficient emergency concept. The BAIT also addresses the increased engagement of third-party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions (Section 25b of the German Banking Act).
Continue Reading German Federal Financial Supervisory Authority (BaFin) publishes circular on regulatory requirements for financial institutions’ IT systems

The 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong published a Resolution on Data Protection in Automated and Connected Vehicles, which sets out fundamental data protection requirements for the mobility of the future (“Resolution”). The Resolution proposes common international standards.

The Resolution addresses not only vehicle and equipment manufacturers, but also providers of personal transportation services, car rental providers, and providers of data-driven services (e.g., speech recognition, navigation, remote maintenance or motor insurance telematics services), as well as standardisation bodies and public authorities (“Addressees”). The Resolution expressly calls upon the Addressees to “fully respect the users’ right to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services”.

Following the German Federal Data Protection Commissioner’s earlier proposals for automated and connected vehicles of June 2017, the Resolution describes how the rights of users should be protected. In particular, the Addressees are strongly urged to comply with the following 16 items:
Continue Reading 39th International Conference of Data Protection and Privacy Commissioners publishes Resolution on Data Protection in Automated and Connected Vehicles

Addressing the detection and removal of illegal content from online platforms represents an urgent challenge for the digital society today. However, so far there is no harmonised and coherent approach across the European Union. On 28 September 2017, the European Commission (“Commission”) published a communication titled “Tackling Illegal Content Online – Towards an enhanced responsibility of online platforms” (“Communication”). The Commission calls for a more aligned approach, as this would make the fight against illegal content more effective. An aligned approach would also benefit the development of the Digital Single Market. The Commission stresses that online platforms carry a significant societal responsibility and shall, therefore, decisively step up their actions to address this problem.

Scope of the Communication

The Communication does not as such change the existing legal framework. Rather, it lays down a set of non-binding guidelines and principles for online platforms to step up the fight against illegal content online in cooperation with national authorities, Member States, and other relevant stakeholders: “It aims to facilitate and intensify the implementation of good practices for preventing, detecting, removing and disabling access to illegal content so as to ensure the effective removal of illegal content, increased transparency and the protection of fundamental rights online. It also aims to provide clarifications to platforms on their liability when they take proactive steps to detect, remove or disable access to illegal content (the so-called “Good Samaritan” actions).”

The Communication does not only target the detection and removal of illegal content; it also takes into account issues arising from the removal of legal content (“Over-Removal”), which may impact freedom of expression and media pluralism. Therefore, the Commission calls for adequate safeguards to properly prevent Over-Removal.
Continue Reading European Commission calls for enhanced responsibility of online platforms for illegal content

During the week of 18 September 2017, the European Commission and the Article 29 Working Party (“WP29”) will undertake the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). The meetings will take place in the United States. As for the U.S. side, the U.S. Department of Commerce will conduct the review, and it is likely that, among others, the U.S. Department of State and the U.S. Department of Justice will participate.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. On 6 October 2015, the European Court of Justice (“CJEU”) invalidated the “Safe Harbour” decision by the European Commission, the predecessor to the Privacy Shield, in its Schrems v Data Protection Commissioner (Ireland) judgment (“Schrems Judgment”). By decision of 12 July 2016, the European Commission adopted a new transfer mechanism: the EU-U.S. Privacy Shield (“Adequacy Decision”).

Certified organisations

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce and publicly commit to comply with the requirements under the Privacy Shield. A list of the certified organisations can be found here.

While about 5,500 organisations had signed up to Safe Harbour, about 2,500 organisations, including many large organisations, have already self-certified to the Privacy Shield in its first year. Apart from that, organisations still consider EU Model Clauses, as well as Binding Corporate Rules, a good alternative to the Privacy Shield.
Continue Reading Upcoming first annual review of the EU-U.S. Privacy Shield

The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines are hanging like a Sword of Damocles over the organizations that are getting ready for GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently impose fines of up to EUR 300,000. Under the GDPR, fines can amount to up to EUR 20 million or 4% of the worldwide annual turnover.

Levels of fines

The DPAs explain the different levels of fines that can be imposed against a controller or processor, and give examples of the relevant cases.

  • Fines of up to EUR 10 million or, in case of an “undertaking”, 2% of the total worldwide annual turnover of the preceding business year, whichever is higher, can be imposed, e.g., for the failure to implement appropriate technical and organizational security measures.
  • “Particularly serious infringements” can result in fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher. Particularly serious infringements include violations of the rights of data subjects or processing without a justification.
  • Non-compliance with an order by the supervisory authority under Art. 58 (2) GDPR may be subject to fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher.

Continue Reading Fines under GDPR – German DPAs provide guidance

In the Opinion 1/15 of 26 July 2017 (“Opinion”), the Court of Justice of the European Union (“CJEU”) held that the proposed agreement between the EU and Canada on the transfer and processing of Passenger Name Record (“PNR”) data may not be concluded in its current form. The Opinion is available here. The CJEU said that the agreement violates EU privacy and data protection laws.

Background

The EU and Canada negotiated an agreement on the transfer and processing of PNR data (“PNR Agreement”). The European Parliament, which was asked to approve the PNR Agreement, called upon the CJEU to give a ruling on its compatibility with the EU Charter of Fundamental Rights. It is the first time the European Parliament or any other EU institution obtained the opinion of the CJEU regarding the question whether a draft international agreement is compatible with EU law.

PNR Agreement

The PNR Agreement permits the systematic and continuous transfer of PNR data of all airplane passengers flying between the EU and Canada to a Canadian authority. The PNR data includes, for example, the names of air passengers, the dates of intended travel, the travel itinerary, and information relating to payment and baggage. The PNR data may reveal travel habits, relationships between two individuals, information on the financial situation or the dietary habits of individuals. For the purpose of combating terrorism and transnational crime, the PNR Agreement provides that the PNR data can be retained and transferred to other authorities and to other non-member countries. The PNR Agreement stipulates a data storage period of five years.
Continue Reading CJEU has released Opinion on EU-Canada Passenger Name Record Agreement – What it means for international data transfer mechanisms

According to a press release of the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband; ‘vzbv’) dated 19 July 2017, the German Federal Supreme Court (‘FSC’) issued a judgment that held it is unreasonable for consumers if the only payment method offered free of charge is ‘Sofortüberweisung’ (FSC, judgment of 18 July 2017, case no. KZR 39/16; not yet published). This means that at least one customary means of payment other than ‘Sofortüberweisung’ needs to be offered to the consumer free of charge.

At the same time, the FSC clarified that the business model of ‘Sofortüberweisung’ is permitted.

Underlying case

vzbv sued the provider of a German online flight booking portal (‘Booking Portal’). On the Booking Portal, only the payment method ‘Sofortüberweisung’ was free of charge. A consumer who chose to pay via other means of payment, such as credit cards, was charged an additional credit card fee. This concept is used by a significant number of online shops and platforms that offer their goods and services to German consumers.

vzbv’s legal action aimed to secure a permanent injunction against the Booking Portal, prohibiting it from offering only one payment method free of charge, namely the payment initiation service ‘Sofortüberweisung’, which requires the consumer to provide their online banking PIN and a transaction number.

Although the District Court in Frankfurt am Main ruled against the Booking Portal, the Court of Appeal in Frankfurt am Main dismissed vzbv’s action, stressing that ‘Sofortüberweisung’ is a widespread means of payment. Now, finally, the FSC has upheld the first-instance decision of the District Court in Frankfurt am Main.
Continue Reading German Federal Supreme Court: ‘Sofortüberweisung’ must not be the only free-of-charge payment method in B2C contracts

Following publication in the Official Journal of the European Union, Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017 on cross-border portability of online content services in the internal market (‘Regulation’) enters into force on 20 July 2017 and will apply from 20 March 2018.

The Regulation focuses on seamless access to online content services across Member States. Consumers shall have access to the online content services to which they have subscribed, regardless of whether they are temporarily present in a Member State other than their Member State of residence for a limited period of time. The Regulation stresses that a number of barriers hinder the provision of online content services, such as music, games, films or entertainment programmes, to consumers temporarily present in a Member State other than their Member State of residence. These barriers stem from the fact that the rights for the transmission of content protected by copyright or related rights, such as audiovisual works, are often licensed on a territorial basis, as well as from the fact that providers of online content services may choose to serve specific markets only.

Notably, the Regulation applies also to contracts concluded before the date of the Regulation’s application.

The Regulation applies to providers whose services are provided against payment of money. Providers whose services are provided without payment of money do not fall within the scope of the Regulation. They may, however, decide to enable cross-border portability of their services in accordance with the Regulation.
Continue Reading EU Regulation on cross-border portability of online content services in force

The Bavarian Data Protection Authority (“Bavarian DPA”) has published an English-language version of its GDPR implementation audit questionnaire (“Questionnaire”). The Questionnaire is available here. It had previously been released in German.

Content of the Questionnaire

The Questionnaire includes questions on six topics:

  1. Structure and responsibility in the company
    • For example, is