As you know, the newsletter has moved to Reed Smith together with the Olswang team. We are very happy to send you the first Reed Smith issue of our quarterly IT/Privacy newsletter today. Much of it remains the same, but some things are new: the topics will now be presented by a larger team of almost ten German Reed Smith attorneys specialized in IT, data protection and digitalization.
We hope you enjoy reading it.
1. German Federal Council approves GDPR Implementation Act
On 12 May 2017, the German Federal Council (Bundesrat) passed the GDPR Implementation Act (the “Act”), despite significant opposition. The Act is intended to bring the current German data protection laws in line with the requirements of the General Data Protection Regulation (GDPR). It contains provisions, inter alia, on the rights of data subjects, on data protection officers and on data processing in the context of the workplace.
Conclusion: Companies looking to get ready for the new data protection regime should focus not only on the GDPR, but also on the national implementation laws. There is less than one year left!
2. CJEU: data processing on the basis of legitimate interests
The CJEU was asked to apply Article 7(f) of the Data Protection Directive in its Rigas decision dated 4 May 2017 (C-13/16). Article 7(f) lays down three cumulative conditions: first, the data controller or the third party or parties to whom the data are disclosed must be pursuing a legitimate interest; second, the processing of personal data must be needed for the purposes of the legitimate interests pursued; and third, the fundamental rights and freedoms of the person concerned by the data protection must not take precedence.
Conclusion: The CJEU analysis of how legitimate interests may provide a legal basis for the processing of personal data is straightforward. What makes the Rigas decision significant is what it says about the ability of public bodies to process personal data on the basis of such a legitimate interest. The approach of the CJEU in the decision also appears to be consistent with Article 6 of the GDPR.
3. German Supreme Court: consent for marketing communications
In a judgment dated 14 March 2017 (VI ZR 721/15), the German Supreme Court held that consent to the receipt of newsletters is invalid unless the pre-formulated declaration of consent, which also refers to advertising partners, clearly indicates the specific products and services to be advertised by the relevant advertising partner. Unfortunately, the Supreme Court did not provide any guidance on the level of detail which would be required to comply with the requirement to indicate the specific products and services.
Conclusion: Companies should specify the products and services to be advertised in as much detail as possible.
4. New case law on liability for third party content strengthens providers’ position
The Regional Court of Cologne decided on 11 January 2017 (28 O 430/15, not yet published) that an online host does not have to start the procedure to take down content if the notice by the allegedly infringed person or entity was insufficiently detailed. The online provider does not even have an obligation to inform such person or entity that the notice was insufficiently detailed.
The Higher Regional Court of Cologne decided on 23 March 2017 (15 U 172/16, not yet published), in furtherance of judgments by the German Supreme Court in New York Times and Seven Days in Moscow, that German law does not apply to an English-language post that deals with events in Switzerland.
Conclusion: After recent judgments of the German Supreme Court in Jameda (VI ZR 34/15) and Holidaycheck (327 O 494/12) which defined notice and take-down obligations more precisely, the German courts ruled in favour of the provider in the above-mentioned recent judgments.
5. Hamburg data protection authority: use of Google Analytics
The Hamburg data protection authority (“DPA”) has updated its paper on the use of Google Analytics (“Paper”), taking into account the CJEU’s Safe Harbor decision (C-362/14). The DPA confirmed that the lawful use of Google Analytics is still possible if website operators using Google Analytics implement several measures (data processing agreement with Google, deletion of the last octet of the relevant IP addresses, website users must be informed and able to opt out). Data that have not been obtained following the requirements of the Paper must be deleted. This does not apply if website operators already complied with a previous version of the Paper.
Conclusion: The requirements correspond with the current legal situation. Further amendments might be necessary once the GDPR and ePrivacy Regulation enter into force.
6. Draft laws and recommended reads