German Federal Supreme Court: ‘Sofortüberweisung’ must not be the only free-of-charge payment method in B2C contracts

According to a press release of the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband; ‘vzbv’) dated 19 July 2017, the German Federal Supreme Court (‘FSC’) issued a judgment holding that it is unreasonable for consumers if the only payment method offered free of charge is ‘Sofortüberweisung’ (FSC, judgment of 18 July 2017, case no. KZR 39/16; not yet published). This means that at least one customary means of payment other than ‘Sofortüberweisung’ needs to be offered to the consumer free of charge.

At the same time, the FSC clarified that the business model of ‘Sofortüberweisung’ is permitted.

Underlying case

vzbv sued the provider of a German online flight booking portal (‘Booking Portal’). On the Booking Portal, only the payment method ‘Sofortüberweisung’ was free of charge. A consumer who chose another means of payment, such as a credit card, was charged an additional credit card fee. This concept is used by a significant number of online shops and platforms that offer their goods and services to German consumers.

vzbv’s legal action aimed to secure a permanent injunction against the Booking Portal, prohibiting it from offering only one payment method free of charge, namely the payment initiation service ‘Sofortüberweisung’, which requires the consumer to provide their online banking PIN and a transaction number.

Although the District Court in Frankfurt am Main ruled against the Booking Portal, the Court of Appeal in Frankfurt am Main dismissed vzbv’s action, stressing that ‘Sofortüberweisung’ is a widespread means of payment. The FSC has now upheld the first-instance decision of the District Court in Frankfurt am Main.


Article 29 Working Party releases detailed opinion on data processing in the workplace

The Article 29 Working Party (“WP29”) recently published an opinion on data processing at work (“Opinion”).

The Opinion restates the position and conclusions in WP29’s 2001 Opinion on processing personal data in the employment context (WP48), and its 2002 WP55 Working Document on the surveillance of electronic communications in the workplace. However, it addresses the need for a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees, because of risks posed by advancements in modern technologies since the other documents were published.

The Opinion is primarily concerned with the Data Protection Directive 95/46/EC (“DPD”), so employers should continue to take account of the fundamental principles of the DPD when processing personal data in an employment context. Technological developments and new methods of processing have not changed this position.

The Opinion also looks towards the “new” obligations placed on all controllers, including employers, under the General Data Protection Regulation 2016/679 (“GDPR”) – including data protection by design, the need to carry out Data Protection Impact Assessments for high-risk processing, and any specific national rules that are introduced pursuant to Article 88 relating to processing employees’ personal data.

WP29 has considered various scenarios in the Opinion which describe how certain technologies might be used to process personal data in the workplace, and the points that employers should consider. Some of these include:

EU Regulation on cross-border portability of online content services in force

After publication in the Official Journal of the European Union, Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017 on cross-border portability of online content services in the internal market (‘Regulation’) enters into force 20 July 2017, and will become enforceable 20 March 2018.

The Regulation focuses on seamless access to online content services across Member States. Consumers shall have access to the online content services to which they have subscribed, regardless of whether they are temporarily present in a Member State other than their Member State of residence. The Regulation stresses that a number of barriers hinder the provision of online content services, such as music, games, films or entertainment programmes, to consumers temporarily present in a Member State other than their Member State of residence. The barriers stem from the fact that the rights for the transmission of content protected by copyright or related rights, such as audiovisual works, are often licensed on a territorial basis, as well as from the fact that providers of online content services might choose to serve specific markets only.

Notably, the Regulation applies also to contracts concluded before the date of the Regulation’s application.

The Regulation applies to providers whose services are provided against payment of money. Providers whose services are provided without payment of money do not fall within the scope of the Regulation. They may, however, decide to enable cross-border portability of their services in accordance with the Regulation.

Bavarian DPA has released GDPR implementation audit questionnaire

The Bavarian Data Protection Authority (“Bavarian DPA”) has published an English-language version of a GDPR implementation audit questionnaire (“Questionnaire”). The Questionnaire is available here. It had previously been released in German.

Content of the Questionnaire

The Questionnaire includes questions on six topics:

  1. Structure and responsibility in the company
    • For example, is there awareness in the company that data protection is management’s responsibility?
  2. Overview of processing activities
    • For example, do you have records of your processing activities according to Article 30 GDPR?
  3. Involvement of third parties
    • For example, have you entered into the necessary agreements containing minimum content of Article 28 (3) GDPR with all your processors?
  4. Transparency, information duties, and assurance of data subject rights
    • For example, have you adapted your texts providing information regarding data protection for data subjects in the course of data collection, to the requirements of Article 13 and 14 GDPR?
  5. Accountability and risk management
    • For example, have you adapted your existing security review processes to the new requirements of Article 32 GDPR?
  6. Data breaches
    • For example, have you ensured that the notification of a personal data breach to the supervisory authority can be performed within 72 hours, according to Article 33 GDPR?

The Bavarian DPA has sent the Questionnaire to 150 randomly chosen organizations. It did not expect organizations to respond to the Questionnaire, but rather wanted to provide an opportunity for organizations to assess their progress in implementing the requirements under the GDPR.

We expect that the data protection authorities will be very active in the second half of 2018. Organizations had two years to prepare for the GDPR. The authorities will likely conduct audits of many organizations. The Questionnaire provides a good indication of what should be on top of every organization’s agenda, and what data protection authorities will particularly look for in the upcoming audits.

Let’s Talk about Data Ownership

Data: The new oil. Does anyone own this asset? If no, does the digital economy call for the creation of a right to data? Reed Smith IP partner Anette Gärtner co-authored an in-depth analysis titled “Let’s Talk about Data Ownership,” published in the current issue of the European Intellectual Property Review.

The analysis focuses on the status quo according to German and English law. Against the background of the European Commission’s consultation “Building a European Data Economy” the authors ask whether the economic case for the creation of a new right to data has already been made. The article also explains why the GDPR and the introduction of the data portability right add a further layer of complexity.

Compliance with COPPA: So easy, even a kid can do it

The Federal Trade Commission has published a new guide that seeks to make compliance with the Children’s Online Privacy Protection Act (COPPA) as easy as 1, 2, 3, 4, 5, 6. Drawing from its detailed FAQs, the FTC has developed an even more streamlined, six-step DIY instruction manual designed for busy businesses that want a basic compliance document that can help them pinpoint areas in their data management flow that might require additional attention.

The FTC’s Six-Step Compliance Plan for Your Business describes in some detail:

  1. How to determine if your company is operating a website or online service that collects personal information from kids under 13
  2. Whether your company has effectively posted an appropriate privacy policy
  3. Whether your company is appropriately notifying parents directly before collecting personal information from kids under 13
  4. How to obtain “verifiable parental consent” before collecting personal information from kids under 13
  5. Whether your company has a system in place to honor parents’ ongoing rights with the personal information collected from kids under 13
  6. Whether your company has implemented reasonable procedures to protect the security of kids’ personal information

As an added bonus, the FTC has fleshed out in a useful chart how a company can comply with the enumerated exceptions that permit a company to collect some personal information from a child under 13 with less than full-blown “verifiable parental consent.”

It is worth noting, as was identified by other commenters, that in this document, the FTC specifically calls out the applicability of COPPA in the context of “connected toys or other Internet of Things devices.” This has not been highlighted previously in the COPPA FAQs, although toys that learn, collect, and possibly share a child’s voice, photos, or other personal information are an area of high interest at the FTC.

There is also interest on Capitol Hill (at least from the Democrats) in ensuring that the FTC adequately polices this growing segment of the Internet of Things. Public interest groups have also been actively urging the Commission to be vigilant when it comes to connected toys and devices directed to children. There’s no question the Internet of Things will take center stage in the coming months at the FTC, and connected toys are in the spotlight. The Commission’s new compliance guide will be a useful tool as companies face this scrutiny.

ICO publishes International Strategy

The Information Commissioner’s Office (“ICO”) has released its International Strategy 2017-2021 (“Strategy”). The Strategy supports its Information Rights Strategic Plan, which we reported on earlier this year. The first part of the Strategy refers to the challenges and priorities for the next five years, particularly in light of changes brought about by the General Data Protection Regulation (“GDPR”) and the UK’s exit from the European Union. The second part outlines how the ICO proposes to meet those challenges and priorities.

Challenges and priorities

The first challenge identified by the ICO is the need to operate as an influential data protection authority, particularly as its relationship with its EU equivalents and the European Data Protection Board (EDPB) will change as a result of Brexit. The ICO intends to meet this challenge by continuing to provide expert advice to the UK government, combined with continued engagement with the Article 29 Working Party, the EDPB and other EU institutions, such as the Council of Europe and the European Parliament.

Second, the Strategy highlights the need to maximise the ICO’s relevance and delivery against its objectives in an increasingly globalised world. The ICO proposes to engage and exchange knowledge with leading international privacy networks, for example, in the Asia Pacific region and via the Commonwealth’s Common Thread Network (which the ICO leads). The ICO also intends to take a leading role in enforcement activity, including cooperating with other data protection authorities, as appropriate, with a view to ensuring a joined-up approach.

The third challenge is to ensure that the UK data protection law remains a benchmark for high global standards. Among other provisions, the Strategy sets priorities for collaborating with the international business community to turn the accountability principles under the GDPR into a flexible but robust global business solution.

Finally, the Strategy addresses the challenge of ensuring effective safeguards for international data transfers. To that end, the ICO will focus on the interoperability of the UK and other data protection laws and systems globally, including the APEC Cross Border Privacy rules, which we recently discussed here.

Next steps

The Strategy concludes by outlining the ICO’s plans to structure and resource its team to implement the Strategy. This entails the creation of an International Strategy and Intelligence Department within the ICO: the ICO’s first-ever department with a core focus on international activity. The Strategy also suggests the possibility of staff exchanges and secondments with other data protection authorities.

These international activities will be subject to ongoing measurement and evaluation, the results of which will be detailed in the ICO’s annual report.

Subject access requests: ICO publishes updated guidance

The Information Commissioner’s Office (ICO) has published an updated data subject access code of practice (the Code) to reflect developments following two major Court of Appeal judgments published in early 2017: Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others [2017] EWCA Civ 121.

The main updates to the Code concern the extent of a data controller’s obligation to respond to subject access requests (SARs) made under section 7 of the Data Protection Act 1998 (DPA).

‘Disproportionate effort’ exception

The ICO previously stated that the disproportionate effort exception should only be relied on in the most exceptional cases. With reference to the clarification provided by the Court of Appeal, it has now relaxed its position slightly: when assessing whether complying with a SAR would involve disproportionate effort, a company “may take into account difficulties which occur throughout the process of complying with the request, including any difficulties you [the company] encounter in finding the requested information”.

However, the ICO expects the data controller to:

  • evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject; and
  • engage with the applicant and have an open conversation about the information they require. This readiness to engage with the data subject may be considered by the ICO where a complaint is received about the handling of a SAR.

Collateral purposes

In some instances, a SAR can appear to be a ‘fishing expedition’ for information not associated with a genuine privacy concern; however, the Code states that whether the applicant has a ‘collateral’ purpose for making the SAR (i.e., other than seeking to check or correct their personal data) is not relevant.

Electronic records

Chapter 6 of the Code sets out the ICO’s expectations in relation to checking electronic records for the data subject’s personal data. In particular:

  • Data controllers should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.
  • If a data controller deletes personal data held in electronic form by removing it (as far as possible) from its computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean that the data controller must go to such efforts to respond to a SAR.
  • It is good practice to have a company policy restricting the circumstances in which staff may hold information on their own devices or in private email accounts. If staff are permitted to hold personal data on their own devices, this may be within the scope of a SAR. However, the ICO would not expect a data controller to instruct staff to search their private emails or personal devices in response to a SAR unless it has good reason to believe they are holding personal data.

Dealing with SARs involving third-party information

The Code includes a three-step approach to help data controllers decide whether to disclose information relating to a third-party individual:

  • Step 1 – does the request require the disclosure of information that identifies a third party?

For example, it may be possible to comply with the request without revealing information that relates to and identifies a third-party individual.

  • Step 2 – has the third-party individual consented?

This is the clearest basis for justifying disclosure of third-party information in response to a SAR, so it is therefore good practice to ask the relevant third parties for consent where it is appropriate and/or possible to do so.

  • Step 3 – would it be reasonable in all the circumstances to disclose without consent?

The ICO notes that the DPA provides a non-exhaustive list of factors to be taken into account when making this decision, including any duty of confidentiality owed to the third-party individual; whether the third-party individual is capable of giving consent; and any stated refusal of consent. The Code also sets out other points that are likely to be relevant:

  • Whether the information is generally known to the individual making the request – e.g., it has previously been provided to the requester, is already known by them, or is generally available to the public.
  • Circumstances relating to the individual making the request, such as the importance of the information to them.
  • Special rules governing health, educational and social work records (as explained further in chapters 9 and 10 of the Code).

Where a data controller decides to withhold third-party information, the ICO considers that it may still be possible to provide some information, having edited or redacted it to remove information that would identify the third-party individual. The data controller must also be able to justify the decision to disclose or withhold third-party information so it is good practice to keep a record of any decisions made, including why consent was not sought or why it was inappropriate to do so in the circumstances.

Importantly, the updated Code reflects these recent case law developments, providing practical guidance on what the ICO and courts will expect to see from data controllers in responding to SARs, particularly where they are likely to require extensive search efforts. It will also provide data controllers with some comfort to know that efforts they may make to engage with data subjects to facilitate a positive or helpful interaction with regard to their SAR might help mitigate any fallout in the event of a future SAR-handling complaint to the ICO.

FCA guidance on tackling cyber crime

The Financial Conduct Authority recently released guidance regarding cyber resilience (in the form of new webpages) which FCA regulated firms should take account of. While many larger regulated firms have substantial cyber resilience systems in place, the FCA is well aware that all firms are still vulnerable to attack, and that cyber attacks can impact customers.

The FCA notes that 66% of medium/large UK businesses were subjected to cyber attacks in 2016, and 54% of UK businesses have been hit by ransomware attacks. Since 2014, there has been a 1,700% increase in cyber attacks reported to the FCA.

The FCA raises a number of pertinent questions that firms should consider:

  • Do you review who has access to your most sensitive data?
  • Do you understand where you are vulnerable to cyber attack?
  • Do you use encryption software?
  • Do you know if you are able to restore services in the event of an attack?
  • Do you make sure your computer network is configured to prevent unauthorised access?
  • Do you use two-factor authentication where the confidentiality of the data is most crucial?
  • Do you educate your staff on cyber security risks?
  • Do you align your firm to a recognised cyber scheme?
  • Are you a member of any information-sharing arrangements?

While, because of the nature of their business, not all firms will need to adopt all of the measures mentioned by the FCA, it clearly expects firms to have thought about these questions.

The FCA’s Principles for Business include an obligation for firms in the financial services sector to report material cyber incidents. ‘Material’, for these purposes, is any incident that:

  • Results in the firm losing control of its IT systems
  • Results in a significant loss of data
  • Impacts a large number of victims, or
  • Results in unauthorised access to a firm’s information and communication systems, including the implementation of malicious software

The guidance informs firms of how to report incidents, and the relevant authorities to which incidents must be reported; namely the FCA, the Prudential Regulatory Authority (if the firm is dual-regulated), and the Information Commissioner’s Office, in the event of a data breach. The FCA’s webpage will be updated in line with future regulations to ensure that firms are able to report incidents correctly.

Links to the National Cyber Security Centre and related FCA publications have also been provided to guarantee that firms are given a broad range of information and guidance on how best to implement cyber security measures into their systems.

The challenge for firms, and for the FCA, will be keeping on top of what is a fast-moving area, and ensuring that firms have robust yet proportionate cyber security systems in place.

German Parliament to adopt WiFi Act and Hate Speech Act this week

In two last-minute decisions, the German Parliament (Bundestag) will likely adopt the WiFi Act (Entwurf eines Dritten Gesetzes zur Änderung des Telemediengesetzes) and the Hate Speech Act (Entwurf eines Gesetzes zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken) in the last session of the current legislative term. The parliament will vote on both bills on 30 June 2017.

Scope of the WiFi Act

The WiFi Act is intended to increase the availability of open WiFis across Germany and is available online in German here. The bill will change the current provisions in the German Telemedia Act. Providers of open WiFis shall no longer be liable as intermediaries (so-called “Störerhaftung”) if a user of a WiFi infringes intellectual property rights by using the WiFi.

Criticism of the WiFi Act

Some serious concerns about the WiFi Act have previously been raised:

  • Holders of intellectual property rights can request the blocking of websites if those websites were used to infringe their rights. Such blocking orders, however, might lead to massive overblocking.
  • Providers may offer the WiFi without a registration process or a password. Open WiFis may thus be used easily by criminals, and the possibility of using WiFis anonymously may hinder effective criminal prosecution.

German Parliament to vote on Hate Speech Act

In addition, the German Parliament will vote on the Hate Speech Act, which is available in German here, on 30 June 2017. We have previously reported on the scope of the bill here, and on the criticism it has attracted here.

Germany will hold its general elections on 24 September 2017. The government is trying to push the WiFi Act and the Hate Speech Act across the finish line in the German Parliament’s last session of the current legislative period. However, the government should abandon such a swift passage. Both acts would have devastating consequences. After the prominent criticism of the Hate Speech Act, it is highly likely that its constitutionality will be challenged.