This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.
1. EU General Data Protection Reform - Update
- Only a bit more than 652 days until GDPR applies.
- GDPR has been published in the EU Official Journal and will apply 25 May 2018.
- Expert opinion on the need for national legislation under the GDPR (only available in German).
- Important links on the application of the GDPR: "Get ready now"
- Bavarian Data Protection Authority releases mini guides on the GDPR every two weeks
- 12 steps to take now by the Information Commissioner's Office (UK)
- Olswang Data Date on GDPR – the next Date will be in December 2016
2. Privacy Shield
3. ECJ's Advocate General votes for IP addresses as personal data
Campos Sánchez-Bordona, Advocate General of the Court of Justice of the European Union (ECJ), states in the case Patrick Breyer v. Federal Republic of Germany (C-582/14) that dynamic IP addresses are personal data within the meaning of data protection law if the internet access provider has additional data that in combination with the IP address would allow for the re-identification of the user.
Conclusion: If the ECJ follows the opinion of the AG, personal data will have to be interpreted broader in the future. The judgment will also influence that interpretation of personal data under the GDPR.
Note: An analysis of the decision by the Higher Regional Court of Cologne by Sven Schonhofen can be found in GRUR-Prax 2016, 248.
5. T&Cs must be provided to German users in German language
The Court of Appeal in Berlin ruled on April 8, 2016 (file number 5 U 156/14) in last instance that WhatsApp has to provide its T&Cs for German users in German language. Also WhatsApp is obligated to provide to users two possibilities to contact WhatsApp in the legal notice. If the T&Cs are only available in English an unreasonable disadvantage may arise for the other party to the contract. Further, a link to the company's Twitter and Facebook accounts next to the email address is not sufficient as a second means to contact the company.
6. Governing law clause misleading without indicating conflict laws
The European Court of Justice (ECJ) decided on July 28, 2016 (Az. C-191/15) that governing law clauses used in terms and conditions with consumers are misleading without indicating that mandatory consumer protection provisions apply (Art. 6 para. 2 Rome I Regulation).
If a controller addresses its business to a member state deviating from the country where the controller is established, the member state's data protection law does not apply until personal data is processed by a branch in the member state.
Conclusion: Companies must review their governing law clauses in terms and conditions and include information to consumers re application of mandatory provisions under conflict laws. No changes are required under data protection law.
7. Changes to online order process of digital content required
Consumers have a 14-day right to withdraw from a contract if they purchase digital content off-premise under German law. The right to withdraw may be excluded, if the consumer has expressly consented to the performance of the contract before lapse of the withdrawal period. The Regional Court Karlsruhe now held in its decision dated 25 May 2016 (file number 18 O 7/16) that a company may not ask for the consent of a consumer in combination with the order (e.g. by using an additional box), but has to ask for the consent thereafter.
Conclusion: Websites and apps must be changed: Operators, like sellers, should ask for the "withdrawal right consent" at least on a separate page after the order or at a later stage.
8. Outlook on new legislation and recommended reads