Apps and Data Privacy – New Guidelines from the German DPAs

Under the auspices of the Bavarian state data protection authority, the so-called Düsseldorfer Kreis (an association of all German data privacy regulators for the private sector) published guidelines for developers and providers of mobile apps on June 23, 2014. Since mobile applications are increasingly the focus of regulators, the guide sets out the data privacy and technical requirements for app development and operation and provides practical examples.

In the spring, the Bavarian data privacy regulatory agency had randomly selected 60 apps for closer examination. In the process, the agency looked at privacy notices and compared them with the type of data that, at first glance, was transmitted. In its conclusion, the agency noted that “every app provides some data privacy information, but that this information cannot be adequately reviewed.” Based on this finding, the agency examined ten apps more closely and subsequently created an orientation guide for app developers and app providers.

Among other things, the 33-page guide addresses the applicability of German data privacy laws, the legal grounds permitting the collection and processing of personal data in the context of operating a mobile application, technical data privacy, and the notification obligations to be adhered to by the app provider. In addition to the legal notice, the latter include an app-specific privacy statement and other legal obligations. With regard to app development, the guide of the German DPAs recommends ensuring, by way of data-protection-friendly default settings (“privacy by default”), that the app can later be offered without deficiencies in data privacy. Regarding technical data privacy, the guide elaborates on secure data transmission as well as the application’s access to the location data of the respective device.
In addition to the above aspects, the guide also addresses specific issues arising during the development of mobile applications, such as the integration of payment functions or apps for young people and children. For the future, it can be expected that regulators will be even more concerned with infringements related to apps, and that they will also initiate procedures to impose fines. The guidelines are a must-read for every app developer making apps available in Germany and throughout Europe.

Dr. Thomas Fischl, Counsel – Munich
Dr. Alin Seegel, Associate – Munich

New Developments in Cybersecurity Regulation

On 13 March 2014, members of the European Parliament voted by a huge majority to approve a new draft Network and Information Security Directive, known as the Cybersecurity Directive. The Directive contains new rules designed to improve the cybersecurity of the European Union.

The progress to date

In February 2013, the European Commission published a strategy for “An Open, Safe and Secure Cyberspace” and a proposed Cybersecurity Directive. This comes on top of existing EU legislation, which covers cyber incidents only sporadically. Current legislation includes in particular:
• The E-Privacy Directive (2002/58/EC)
• The European Critical Infrastructures Directive (2008/114/EC)
• The Data Protection Directive (95/46/EC)

The Cybersecurity Directive aims to facilitate information sharing about cybersecurity threats between the public and private sectors and between Member States. It also sets out in broad terms the obligations that Member States will be expected to impose at industry level on those private undertakings providing certain critical infrastructure within the EU. These obligations include a requirement that critical infrastructure providers have an adequate strategy and take appropriate steps to deal with cybersecurity threats, as well as mandatory reporting of significant breaches, which may be made public at the discretion of the national authority.

The initial proposal of the Cybersecurity Directive has proven controversial. Its scope and overlap with existing regulation were challenged, and greater clarity on which breaches must be reported was demanded. It was questioned whether the draft legislation would achieve anything other than imposing an additional regulatory burden on those caught under its wide definition of “critical infrastructure operators”.

Revised draft Cybersecurity Directive

The recently approved revised draft of the Cybersecurity Directive reflects some of these concerns. The revisions include: (i) a reduced scope, removing “key internet enablers” such as social media and e-commerce platforms; (ii) greater clarity on when a cyber incident is sufficiently “significant” to trigger an obligation to report it to the national authorities; and (iii) more comfort for companies that do report an incident, by limiting the circumstances in which they would be subject to a legal penalty. However, there are still a number of potentially contentious issues with the Cybersecurity Directive, for example the mechanics of how Member States plan to co-operate with each other and what role the proposed national competent authorities will play.

Developments in Germany

To add further complexity, it is also unclear how the Cybersecurity Directive will interact with further proposed European regulation such as the new EU Data Protection Regulation and national initiatives in the Member States, in particular Germany. In Germany, with the revelations around the NSA scandal, the IT Security Act, which was first proposed in March 2013, has resurfaced and gained attention again. It appears that Germany is currently heading toward mandatory regulations for numerous industries and will impose certain minimum IT security standards on operators of critical infrastructure and on telecommunications and information society service providers. There are indications that the German IT Security Act will almost certainly come into effect before the Cybersecurity Directive becomes law.

Next steps

The European Council will now work together to agree a common approach across Member States to the Cybersecurity Directive before moving towards the anticipated deadline for adoption in December 2014. Whether the EU will continue with its regulatory approach to cybersecurity or adopt something more akin to the voluntary approach being followed in the U.S. should become clearer over the next few months. However, even companies that do not own, operate, or supply technology to critical infrastructure facilities, or provide other goods or services that are or become subject to cybersecurity regulation, should follow regulatory developments in this area.

Dr. Thomas Fischl, Counsel – Munich

Refer-a-Friend Functionality on the Internet – Federal Court underpins its view

In a recent decision from September 2013 (published in December 2013), the German Federal Court of Justice (Bundesgerichtshof – BGH) took the opportunity to rule on the permissibility of “refer-a-friend” functionalities on websites in light of § 7 of the Act Against Unfair Competition (reference no. I ZR 208/12). According to § 7 (2) no. 3 of the Act Against Unfair Competition, it is considered unreasonable harassment, and thus prohibited, to use emails for advertising without having obtained the prior express consent of the recipient.

The facts

The facts of the case were that a company provided a recommendation function on its website. The function is described as a mechanism by which a visitor to the website could enter their own email address and that of a third party; the company’s website then automatically generated an email and sent it to the third party, containing only a reference to the company’s Internet presence and nothing else. No incentives were given by the company to the website visitor for referring the website. In the present case, the recipient had explicitly requested to be taken off the email list, but the company ignored this request and continued to send unsolicited – and expressly unwanted – commercial electronic mail messages. Even after receiving a cease and desist letter, and after committing to stop sending such unsolicited referral emails, the company continued to do so whenever a website visitor inserted the recipient’s email address. Understandably frustrated, the recipient (a lawyer) sued the company.

In this decision, the BGH specified its case law in relation to unreasonable harassment through advertising pursuant to § 7 of the Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG):
• The sending of the unsolicited recommendation emails by the company to this recipient constituted unsolicited email advertising (§ 7 II No. 3 UWG).
• It did not matter that the website visitor who provided the friend’s email address may have wanted the company to send the email; it was still unsolicited email advertising by the company.
• The recipient had not consented to receiving such emails and had no practical means of defending himself against them.
• The BGH also took into consideration the purpose pursued with the recommendation function. In the present case, the purpose was to notify the third party of the Internet presence and the services of the company.

This most recent BGH decision on email marketing neither questions previous decisions nor changes the legal assessment. It is unlawful for a commercial entity to send an unsolicited commercial email to a recipient who has not previously expressly opted in to receiving email advertising from that entity (§ 7 II No. 3 UWG). In light of this recent BGH decision, the following principles apply:
• A company must not initiate commercial email without the prior express consent of the recipient.
• A company may operate a refer-a-friend program (in particular an incentivised program) in Germany only if its distribution list contains only recipients that have expressly consented to receiving email advertising from the company.
• The operation of a refer-a-friend program (without a “reward” for the recipient) can only be permissible subject to very narrow restrictions:
  • The company may place a call-to-action on its website or in an email that it is sending to an existing customer from whom it has obtained prior express consent.
  • The call-to-action should, at the most, offer the opportunity to share or recommend the service or webpage to a friend.
  • The website operator must not offer any incentive of any kind, such as monetary consideration or other quid pro quo.
  • The referral must be made by the existing customer voluntarily and independently, without any technical or factual influence by the company.

Refer-a-friend functionalities, share buttons, and similar functions on a website are common across the Internet. Companies will have to place a stronger focus on the permissibility of such functions, as the BGH’s decision seems to indicate that the court is not willing to accept circumventions of the UWG by creative recommendation solutions. In particular, but not exclusively, incentivised solutions seem problematic because, in such cases, the referring friend might not be interested in the product at all, or even find it good, but is simply interested in receiving the incentive.

Katharina A. Weimer, LL.M., Associate – Munich

Decision of the Court of Justice of the European Union regarding the validity of unregistered Community designs

On June 19, 2014, the Court of Justice of the European Union (CJEU) responded to several questions referred to it by the Irish Supreme Court concerning the requirements for the validity of an unregistered Community design (CJEU, decision of June 19, 2014, case C-345/13 – Karen Millen Fashions Limited/Dunnes Stores). After Dunnes Stores, an Irish retail chain, had copied and marketed a striped shirt and a black knit top designed by Karen Millen Fashions (KMF) and marketed by KMF in Ireland, KMF applied for injunctive relief against Dunnes Stores with respect to the use of its unregistered Community designs and also claimed damages in this respect.

The requirements for a Community design to be protected are that it is new and that it has individual character. With respect to the requirement of individual character, Dunnes Stores claimed that KMF had failed to prove individual character with respect to the striped shirt and the black knit top. Therefore, in Dunnes Stores’ view, KMF is not the proprietor of an unregistered Community design. Dunnes Stores was of the opinion that individual character must be assessed, on the one hand, by comparing the design with one or several designs previously made available and, on the other hand, by comparing it to combinations of isolated elements of earlier designs. In Dunnes Stores’ view, a design has no individual character if it is just a combination of specific elements or parts of earlier designs.
The Irish Supreme Court referred two questions to the CJEU, asking:
• Whether individual character can also be assessed by comparing the design with a combination of isolated elements of earlier designs (as claimed by Dunnes Stores).
• Whether the proprietor of an unregistered Community design is obliged to prove that its design has individual character, or whether it is sufficient to state in what respect it has individual character.

The CJEU held in favor of KMF. It decided that individual character does not need to be assessed by comparing the design with a combination of certain isolated elements of earlier designs; only a comparison with one or more clearly identified and separately mentioned designs is necessary. Furthermore, the CJEU pointed out that the Regulation on Community Designs (Council Regulation (EC) No. 6/2002 of December 12, 2001 on Community Designs) establishes a presumption of validity of an unregistered Community design in infringement proceedings. Therefore, the proprietor of an unregistered Community design does not need to prove individual character in the proceedings. Rather, it is sufficient for the proprietor to indicate what the individual character of its design is.

By this decision the CJEU has clearly limited product counterfeits and strengthened the unregistered Community design as an IP right. The Irish Supreme Court in Dublin will now have to decide on the damages claimed, in particular, by KMF.

Kathrin Schlüter, LL.M., Associate – Munich
Dr. Alexander R. Klett, LL.M., Partner – Munich

EU Regulation on Customs Enforcement of Intellectual Property Rights

On January 1, 2014, the new Regulation on Customs Enforcement of Intellectual Property Rights (Regulation (EU) 608/2013 of the European Parliament and of the Council) came into force, replacing the previous Regulation (EU) 1383/2013. The aim of the old as well as the new Regulation on Customs Enforcement of Intellectual Property Rights was, and still is, to fight product and trademark piracy. Proprietors of intellectual property rights have the possibility to have infringing goods seized by customs at the time of import into the European Union and thereby prevent infringements of their intellectual property rights. For this purpose, the proprietors of intellectual property rights may file an application for customs action with the national customs authorities. As far as Community trademarks and Community designs are concerned, it is not only possible to file a national application for action by the national customs authorities, but also an EU-wide application for action by the customs authorities of several other or all Member States of the EU. When applying for customs action, one needs to provide evidence of the relevant intellectual property rights and, if possible, information allowing the original goods and the infringing goods to be identified in as much detail as possible.

Under the old Regulation, if an application was granted and certain goods were suspected of being infringing, customs suspended the release of the respective goods and informed the respective proprietor of the intellectual property rights of the name and address of the recipient and the sender. In most cases, customs also sent the proprietors of the IP rights samples or photographs. Within ten working days the proprietor could then apply for the destruction of the respective goods. For the destruction to be carried out, the consent of the owner/recipient of the goods was necessary as well. However, in most cases in Germany the optional simplified destruction proceeding was conducted, in which the consent of the recipient was assumed if he or she did not explicitly refuse consent. Due to the rising number of small deliveries (induced, among other things, by the increase in online orders), the customs authorities were confronted with a rising administrative workload and costs.

With the new Regulation on Customs Enforcement of Intellectual Property Rights, the EU would like to remove the weaknesses of the old Regulation and give the proprietors of intellectual property rights a faster, more effective, and more comprehensive measure to fight product and trademark piracy. Therefore, the catalogue of protected rights in the new Regulation has been broadened. In addition to trademarks, design rights, copyrights, and patents, which were already protected under the old Regulation, topographies of semiconductor products, utility patents and trade names are now covered by the new Regulation, as far as these are exclusive intellectual property rights pursuant to national legislation.

Moreover, the simplified destruction proceeding (which was optional under the old Regulation) is now mandatory. Therefore, in all Member States suspicious goods may be destroyed by customs if the proprietor confirms that the goods are counterfeit and has given his consent to the destruction, and if the importer has not objected to the destruction. A court order is no longer necessary. The new Regulation also introduces a special proceeding for small deliveries, by which the administrative workload and the costs for customs shall be minimized. A small delivery is a delivery via mail or courier which contains a maximum of three units or the gross weight of which is less than two kilograms. The special proceeding for small deliveries provides for destruction without the prior explicit consent of the proprietor. Of course it is necessary that the importer/owner of the suspicious goods consents within ten working days. However, the so-called simplified destruction proceeding is also applicable in this case, so customs may assume that no objection to the destruction is made if they receive no objection within the ten-day deadline. By this proceeding customs are able to work faster and more efficiently.

The new Regulation on Customs Enforcement of Intellectual Property Rights is in particular of advantage for proprietors who are confronted with infringements by copied mass products. Moreover, proprietors benefit from the extended catalogue of intellectual property rights. However, the question regarding the applicability of the Regulation on Customs Enforcement of Intellectual Property Rights to parallel imports and transit goods has (still) not been solved by the new Regulation.

Kathrin Schlüter, LL.M., Associate – Munich
Dr. Alexander R. Klett, LL.M., Partner – Munich

The German Federal Supreme Court decides on copyright royalties for the use of music in dancing schools

On June 18, 2014, the German Federal Supreme Court again had to deal with the reasonable amount of copyright royalties for the use of music. In three different cases (file nos. I ZR 215/12, 215/12 and 220/12) the issue was a collective agreement set by the Court of Appeals in Munich concerning copyright royalties for the use of music in dancing lessons and ballet lessons. The full decisions have yet to be published.

The plaintiff was the German collecting society called Society for the Exploitation of Neighboring Rights (Gesellschaft zur Verwertung von Leistungsschutzrechten), which is responsible for the exploitation of the neighboring rights of various artists and audio carrier producers protected by copyright. The defendants were three associations whose members (dancing schools and/or ballet schools) play recorded music in their dancing lessons or ballet lessons. To play the music, the members have to pay royalties to the Collecting Society for the Protection of Rights Associated with Musical Performances and Dissemination of Music (Gesellschaft für musikalische Aufführungs- und Vervielfältigungsrechte/GEMA) as well as to the plaintiff. In this respect, collective agreements between the parties exist which provide that the defendants have to pay a royalty corresponding to 20% of the respective GEMA tariff to the plaintiff, which means that GEMA receives five-sixths and the plaintiff one-sixth of the overall royalties for the use of the music.

The plaintiff no longer agreed with this royalty amount of 20% and applied to the Court of Appeals for a collective agreement providing a royalty amount of 100%. The plaintiff argued that such a royalty amount is justified as the effort of the owners of neighbouring rights must be regarded as equal to the effort of the authors. The Court of Appeals raised the royalty amount to 30%. Neither the plaintiff (which wanted 100%) nor two of the three defendants (which wanted to keep the 20%) accepted this and therefore appealed the decision.

The German Federal Supreme Court held that the Court of Appeals may take into account prior practice with respect to copyright royalty amounts when assessing their reasonableness. However, the German Federal Supreme Court took the view that the Court of Appeals did not sufficiently substantiate why a royalty amount of 30% is reasonable in the case at issue. The Court of Appeals only stated that artists had become more important with respect to the public performance of musical works within the last few decades.
At the same time, the Court of Appeals had assumed that this fact does not have a significant impact in the case of a typical use of music in dancing schools. Moreover, the German Federal Supreme Court pointed out that the Court of Appeals did not take into account the provisions for copyright royalties for artists and sound carrier producers as well as authors of musical works in connection with cable retransmission, private copying and radio. For these reasons the German Federal Supreme Court remanded the case to the Court of Appeals for a further oral hearing and a further decision. It remains to be seen what the Court of Appeals will decide when taking into account the criteria set out by the German Federal Supreme Court in its decision.

Kathrin Schlüter, LL.M., Associate – Munich
Dr. Alexander R. Klett, LL.M., Partner – Munich
Legal notice

Provider of the Newsletter according to Sec. 5 German Act for Telecommunications Media Services (Telemediengesetz) and Sec. 55 para. 1 Interstate Treaty on Broadcasting (Rundfunkstaatsvertrag): Reed Smith LLP, Von-der-Tann-Strasse 2, 80539 Munich, www.reedsmith.com. Responsible editor according to Sec. 55 para. 2 Interstate Treaty on Broadcasting (Rundfunkstaatsvertrag): Dr. Alexander R. Klett, LL.M. © Copyright 2014 Reed Smith.