IT and DP Newsletter Summer Edition 2016

GermanyUnited Kingdom

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

1. EU General Data Protection Reform - Update

  • Only a bit more than 652 days until GDPR applies.
  • GDPR has been published in the EU Official Journal and will apply 25 May 2018.
  • Expert opinion on the need for national legislation under the GDPR (only available in German).
  • Important links on the application of the GDPR: "Get ready now"
    • Bavarian Data Protection Authority releases mini guides on the GDPR every two weeks
    • 12 steps to take now by the Information Commissioner's Office (UK)
    • Olswang Data Date on GDPR – the next Date will be in December 2016

2. Privacy Shield

3. ECJ's Advocate General votes for IP addresses as personal data

Campos Sánchez-Bordona, Advocate General of the Court of Justice of the European Union (ECJ), states in the case Patrick Breyer v. Federal Republic of Germany (C-582/14) that dynamic IP addresses are personal data within the meaning of data protection law if the internet access provider has additional data that in combination with the IP address would allow for the re-identification of the user.

Conclusion: If the ECJ follows the opinion of the AG, personal data will have to be interpreted broader in the future. The judgment will also influence that interpretation of personal data under the GDPR.

4. Missing privacy policy in online contact form is unfair competition

The Higher Regional Court of Cologne held in its decision dated 11 March 2016 (file number 6 U 121/15) that a missing privacy policy in an online contact form is unfair competition. However, the case law on this issue is inconsistent. For example, the Regional Court of Berlin recently held that there was no violation of the German unfair competition law.

Conclusion: Even if a website does not collect any data and only provides for an online contact, the operator of the website must provide a data privacy policy.

Note: An analysis of the decision by the Higher Regional Court of Cologne by Sven Schonhofen can be found in GRUR-Prax 2016, 248.

5. T&Cs must be provided to German users in German language

The Court of Appeal in Berlin ruled on April 8, 2016 (file number 5 U 156/14) in last instance that WhatsApp has to provide its T&Cs for German users in German language. Also WhatsApp is obligated to provide to users two possibilities to contact WhatsApp in the legal notice. If the T&Cs are only available in English an unreasonable disadvantage may arise for the other party to the contract. Further, a link to the company's Twitter and Facebook accounts next to the email address is not sufficient as a second means to contact the company.

Conclusion: Companies must ensure that their obligations to provide information are fulfilled, in particular with regard to consumers. This means, above all, that T&Cs and the Privacy Policy must be provided in German language. An app must have a legal notice – like websites.

6. Governing law clause misleading without indicating conflict laws

The European Court of Justice (ECJ) decided on July 28, 2016 (Az. C-191/15) that governing law clauses used in terms and conditions with consumers are misleading without indicating that mandatory consumer protection provisions apply (Art. 6 para. 2 Rome I Regulation).

If a controller addresses its business to a member state deviating from the country where the controller is established, the member state's data protection law does not apply until personal data is processed by a branch in the member state.

Conclusion: Companies must review their governing law clauses in terms and conditions and include information to consumers re application of mandatory provisions under conflict laws. No changes are required under data protection law.

7. Changes to online order process of digital content required

Consumers have a 14-day right to withdraw from a contract if they purchase digital content off-premise under German law. The right to withdraw may be excluded, if the consumer has expressly consented to the performance of the contract before lapse of the withdrawal period. The Regional Court Karlsruhe now held in its decision dated 25 May 2016 (file number 18 O 7/16) that a company may not ask for the consent of a consumer in combination with the order (e.g. by using an additional box), but has to ask for the consent thereafter.

Conclusion: Websites and apps must be changed: Operators, like sellers, should ask for the "withdrawal right consent" at least on a separate page after the order or at a later stage.

8. Outlook on new legislation and recommended reads

Proposed legislation

Reading recommendations