Newsflash IT / Privacy
Stay informed about latest developments, court decisions and news in the IT- and privacy sector.
Data Protection | European Court of Justice: Usage of Facebook Like-button creates joint data controller relationship and responsibility
23 August 2019
To what extent can a website operator be considered a controller, jointly with the provider of a social network, when it embeds the Facebook "Like" button (a social plugin) on its website and thereby collects personal data which it then forwards to the provider? Which legal bases can justify such processing?
The European Court of Justice addressed these questions in its ruling of 29 July 2019 in Case C-40/17 (the so-called Fashion ID ruling). The starting point for the ECJ proceedings was a request for a preliminary ruling from the OLG Düsseldorf in proceedings initiated by the Verbraucherzentrale NRW e.V. seeking an injunction.
A website operator had embedded the Facebook "Like" button, a social media plugin, on its website in order to increase the publicity of its goods by making them more visible on the social network Facebook.
Upon accessing the operator's website, personal data of the visitor, such as the IP address of the visitor's device (mobile phone, laptop), were automatically collected and transmitted to the operator of the social network, Facebook, regardless of whether the visitor clicked the button or had a Facebook account.
In its decision, following the opinion of Advocate General Michal Bobek, the European Court of Justice held that a website operator who integrates a social media plugin into its website and the social network operator who provides the plugin are to be considered joint controllers and are therefore jointly responsible for ensuring that the processing complies with the relevant provisions of the EU GDPR.
In the Court's view, however, the responsibility of the website operator is limited to those phases of the processing over which it actually determines the purposes and means, which in this case means the collection of the website visitors' data and their transmission to Facebook. Subsequent processing carried out by Facebook alone is outside the operator's responsibility. According to the ECJ, it is sufficient for the operator's responsibility to arise that the operator integrates the plugin and thereby deliberately enables Facebook to collect the data.
In addition, the ECJ clarified that the collection of information about the devices used by website visitors, which is triggered as soon as the website is accessed, is only permissible on the basis of a corresponding declaration of consent by the visitor concerned.
Although not directly relevant to the outcome of the present case, the Court also clarified that, in the context of joint controllership, Art. 6(1)(f) GDPR requires each of the controllers involved to be able to rely on a legitimate interest of its own in the processing.
Likewise, if the processing is to be based on the consent of the data subjects, the declaration of consent must cover and authorise all companies that are jointly responsible for the processing.
Finally, the ECJ clarified that the information to be provided in the case of joint controllership is limited to those phases during which the participating companies actually decide on the purposes and means of the processing. In the present case, this means that the website operator must inform visitors about the collection and transmission of their personal data at the time the website is loaded, i.e. before the plugin is triggered.
Best practices advice
In its long-awaited ruling, the ECJ has clarified some essential principles relating to joint controllership. At the same time, the ECJ has given important guidance on the scope of joint responsibility for processing whose purposes and means are determined jointly by the controllers involved.
In accordance with the decision, website operators who use social media plugins, in particular the Facebook Like button, are required to inform their users of the intended data processing before collecting and transmitting data to Facebook, and to obtain their users' consent. The information provided and the consent itself must in particular cover the joint processing with the respective social network and the subsequent use of the data by that network.
Technical solutions are available in the form of special plugins or so-called 2-click solutions, in which the page initially shows only a neutral placeholder and the actual plugin, together with the data transfer it causes, is loaded only after the visitor has actively clicked. Where necessary, the cookie banner can also be used to point out the special features and functionality of the social media plugins and the relevant right to object. If the social media plugin also collects information about the visitor's end device, the cookie banner must additionally offer a way to declare consent to that collection.
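The following JavaScript is an added example of the 2-click pattern described above; it is not code from the article, from the court file or from Facebook. It assumes the Like plugin's iframe endpoint https://www.facebook.com/plugins/like.php (Facebook's documented embed URL at the time of writing, treated here as an assumption), and the storage key, element id, CSS class names and button texts are invented for illustration. The point it makes concrete is the one the ruling turns on: before the visitor's click, the rendered page must not contain any reference to the social network at all, so no request carrying the visitor's IP address can be sent.

```javascript
// Added example (not the article's or Facebook's code): a "2-click" loader for a
// social plugin. Only a neutral placeholder is shipped with the page; the real
// plugin iframe is built and inserted after the visitor's explicit click, so no
// request reaches the social network before consent. Runs in a browser or in Node.

const PLUGIN_URL = "https://www.facebook.com/plugins/like.php"; // assumed embed endpoint
const CONSENT_KEY = "consent.facebook-like";                    // assumed storage key

// Escape attribute values so a page URL (e.g. taken from location.href, which an
// attacker can influence) cannot break out of the generated HTML attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Drop-in stand-in for window.localStorage when running outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class TwoClickPlugin {
  constructor(pageUrl, storage) {
    this.pageUrl = pageUrl;
    this.storage = storage;
  }

  // Consent counts only if it was explicitly recorded; anything else is "no".
  consented() { return this.storage.getItem(CONSENT_KEY) === "granted"; }
  activate()  { this.storage.setItem(CONSENT_KEY, "granted"); return this.render(); }
  revoke()    { this.storage.removeItem(CONSENT_KEY); return this.render(); }

  // Before consent: a plain button that names the recipient and the data sent,
  // and contains no third-party URL anywhere.
  placeholderMarkup() {
    return `<button type="button" class="social-placeholder" data-page="${escapeHtml(this.pageUrl)}">` +
      "Activate the Facebook Like button (your IP address and the page you are viewing will be sent to Facebook)" +
      "</button>";
  }

  // After consent: the real plugin iframe, built only now. The referrer policy
  // keeps the full page URL out of the Referer header; the page is passed explicitly.
  pluginMarkup() {
    const src = `${PLUGIN_URL}?href=${encodeURIComponent(this.pageUrl)}&layout=button`;
    return `<iframe src="${escapeHtml(src)}" title="Facebook Like" ` +
      `referrerpolicy="strict-origin-when-cross-origin" width="120" height="28" style="border:0"></iframe>` +
      `<button type="button" class="social-revoke">Deactivate</button>`;
  }

  render() { return this.consented() ? this.pluginMarkup() : this.placeholderMarkup(); }

  // Browser wiring: draw into a container and switch state on the visitor's click.
  mount(container) {
    const draw = () => {
      container.innerHTML = this.render();
      const on = container.querySelector(".social-placeholder");
      const off = container.querySelector(".social-revoke");
      if (on) on.addEventListener("click", () => { this.activate(); draw(); });
      if (off) off.addEventListener("click", () => { this.revoke(); draw(); });
    };
    draw();
  }
}

// Check to run over any rendered markup: does it reference the social network's
// origins at all? Before consent this must be false.
function referencesFacebook(markup) {
  return /https?:\/\/([a-z0-9-]+\.)*facebook\.(com|net)\//i.test(markup);
}

if (typeof document !== "undefined") {
  // In a browser: "fb-like-slot" is an assumed container id; the current page URL is shared.
  const slot = document.getElementById("fb-like-slot");
  if (slot) new TwoClickPlugin(location.href, window.localStorage).mount(slot);
}
```

The same `referencesFacebook` check can be applied to the server-rendered HTML of every page in a crawl to verify that no template ships the plugin unconditionally; the cookie banner's consent record and the placeholder text are the two places where the information required by the ruling has to be visible to the visitor.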
Declarations of consent and data protection notices must be (re)designed in such a way that all responsible parties involved in data processing are named in them and authorized by them.
Although the decision relates to a specific social media plugin, namely the Facebook "Like" button, the principles laid down by the ECJ must also be observed when using other social media plugins. Before their use, it should be carefully checked which user-related data are collected and made available to social networks and for what purposes they are used there.
Based on past experience, in particular Facebook's reaction to the ECJ's June 2018 Facebook Fanpages ruling, it can be assumed that Facebook will soon make a Joint Controller Agreement available. It remains to be seen whether these agreements will then meet the relevant requirements.
Our colleagues, who specialise in advising on digital business models and data protection issues, will be happy to provide you with further information.
Data Protection | The German Parliament brings national law into line with the GDPR
29 July 2019
The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and is directly applicable across the EU.
In order to bring German law into line with the GDPR and to alleviate the frequently criticised burdens which the GDPR has brought, especially for small and medium-sized enterprises, the German Parliament (Bundestag) adopted the so-called "2nd Act to Adapt Data Protection Law to EU Law" (2nd DSAnpUG-EU) on 28 June 2019.
The act aims at harmonizing the use of certain key concepts, adjusting the national legal basis for processing of personal data and determining the rules concerning the exercise of the rights of data subjects.
In addition to modifications of purely editorial nature and the adaptation of different legal bases for the processing of personal data, the 2nd DSAnpUG-EU also provides for amendments to the Federal Data Protection Act (BDSG), which have practical impacts for companies.
The conditions relating to the designation of a Data Protection Officer (DPO) have been relaxed with the aim of sparing small and medium sized enterprises.
On the basis of the opening clause contained in Art. 37(4) GDPR, the German legislator has until now obliged controllers and processors to designate a DPO "if they constantly employ as a rule at least ten persons dealing with the automated processing of personal data" (§ 38(1) sentence 1 of the Federal Data Protection Act, BDSG). The 2nd DSAnpUG-EU raises this threshold to 20 persons, with the consequence that many companies will no longer be obliged to designate a DPO on this ground.
Nevertheless, despite this relaxation, it should be recalled that controllers and/or processors still remain subject to other data privacy provisions which provide for an obligation to designate a DPO.
If processing operations are carried out which are subject to a data protection impact assessment pursuant to Art. 35 GDPR, or if personal data are processed commercially for the purpose of transfer, anonymised transfer or for purposes of market or opinion research, a DPO must be designated regardless of the number of persons employed in processing (§ 38(1) sentence 2 BDSG).
An obligation to designate a DPO may also arise directly from the GDPR. Art. 37(1) GDPR lists the situations in which a controller or processor must designate one, for example when the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or when the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Companies should therefore verify if they are obliged, under Art. 37(1) GDPR, to designate a DPO, or assess whether or not it would be advisable to designate one for preventive reasons.
The German Federal Council (Bundesrat) must now give its approval to the final version of the law.
Data Protection | Corporate liability for data protection infringements by employees
7 June 2019
The German Data Protection Conference (DSK) is the body of the independent data protection authorities of the German federal government and the German federal states. It regularly publishes guidance intended to promote the uniform application of data protection law in Germany and the European Union.
The DSK has recently published a resolution in which it takes a position on the question of corporate liability for data protection infringements committed by employees.
According to this resolution, companies are liable under Art. 83 of the General Data Protection Regulation (GDPR) for data protection infringements committed by their employees, regardless of the employee's position within the company and irrespective of any breach of supervisory duties by the company's management.
In the DSK's view, the addressee of fines imposed in this connection should be the company itself, not the employee concerned.
An exception applies only where an employee's infringement constitutes an "excess", i.e. deliberate conduct outside the scope of the employee's tasks. Such conduct is generally not attributed to the company; the DSK's example is a hospital employee selling patient data for personal enrichment.
The DSK justified its view by referring to the "functional corporate concept" of the European primary law. According to this concept, companies shall be liable for attributable infringements by all employees.
This understanding deviates from the national rules in § 41 of the Federal Data Protection Act (BDSG), which refers to the Act on Administrative Offences (OWiG) for the sanctioning of data protection infringements. Under § 130(1) OWiG, the owner of a company can be fined for data protection violations committed by employees only if those violations result from a breach of supervisory duties; that administrative offence can then be attributed to the company via § 30 OWiG. The OWiG thus differs from the GDPR's sanction regime on a number of points. The extent to which the (functional) concept of an undertaking used in the GDPR corresponds to that of the OWiG remains controversial, which creates uncertainty particularly for group structures.
The DSK therefore calls on the federal legislator to make appropriate changes when adapting national data protection legislation.
The resolutions of the DSK are not legally binding acts and are therefore of a recommendatory nature. However, the DSK correctly points out that the coalition agreement between the governing parties already provides for amendments to the law on sanctions in the area of corporate white-collar crime in line with the above interpretation of liability attribution.
A future adaptation of the national provisions on corporate liability to the regulations of the GDPR cannot be excluded.
In order to avoid data protection infringements, it is advisable for companies to familiarise all employees intensively with the current data protection law and keep them informed of the relevant developments.
Data Protection | The German Parliament passes the Act on the Protection of Trade Secrets
4 April 2019
The German Parliament has recently passed the Act on the Protection of Trade Secrets (GeschGehG), which is expected to enter into force later in April this year.
With this Act, the German legislator has implemented the European Directive on the protection of undisclosed know-how and business information (trade secrets) into national law and, for the first time, comprehensively regulates the protection of trade secrets.
The main novelty is the statutory definition of a trade secret. Not only the confidentiality of the information is decisive, but also whether the holder has taken reasonable confidentiality measures to protect it. Whether or not information is protected under the Act will therefore no longer depend on a merely subjective intention to keep it secret; without documented technical and organisational measures (access controls, confidentiality agreements, classification) the information is not a trade secret in the legal sense. Further novelties are the extended claims for breach of secrecy: in addition to injunctive relief, damages and information, affected companies are also entitled to demand destruction, recall and return of the information.
As regards the specific opportunities that the Act and the underlying Directive may bring along when it comes to the Protection of algorithms in big data applications, we refer to the article published by our colleague Katharina Scheja.
It is recommended that companies examine whether their trade secrets are appropriately protected in order to fall within the scope of the Act.
Data Protection | The German Federal Cartel Office prohibits Facebook from combining user data from different sources
25 February 2019
In a recent decision, the German Federal Cartel Office (Bundeskartellamt) has expressed its concerns regarding the collection of user data by Facebook. It first concluded that Facebook holds a dominant position in the market for social networks in Germany. According to the Bundeskartellamt, Facebook abuses this market power through the unrestricted collection and combination of data from Facebook subsidiaries such as Instagram and WhatsApp and from third-party websites connected to the company (e.g. through the use of "Like" buttons) without obtaining the relevant consent of the data subjects. Facebook now has twelve months to adapt its data processing so as to comply with current data protection law as interpreted by the Bundeskartellamt.
The decision met with great approval from consumer protection organisations. Nonetheless, critical voices questioned the Bundeskartellamt's approach and denied its competence to take such a far-reaching data protection decision. These voices also point to the possibility of lawful processing on other legal grounds, such as legitimate interest or the performance of a contract, in which case the consent of the data subject is not needed.
The present case shows how difficult the implementation of the EU General Data Protection Regulation (GDPR) can be. In particular, the issue of consent repeatedly leads to uncertainty in daily (digital) business. This is also shown by the result of a data protection audit of digital services carried out by the Bavarian State Office for Data Protection Supervision, dated 5 February 2019: of forty websites using tracking tools, not one provided a mechanism for obtaining valid, GDPR-compliant consent to the use of those tools.
Data Protection | Guidance related to declarations of consent and data processing agreements
15 February 2019
Dealing with the requirements of the EU General Data Protection Regulation ("GDPR") involves considerable effort for many companies. In practice, companies complain in particular that it is not always possible to clearly establish the scope of the data protection obligations attached to a given set of facts. Given that parts of the Regulation require interpretation and that views on these questions differ, many companies find it difficult to implement even elementary requirements of the GDPR. Against this background, many companies would like more clarity regarding their existing data protection obligations and options.
At the same time, since the attempt to comply with all rules is often associated with considerable effort, templates that provide an initial orientation and take up the elements prescribed by data protection law are often of considerable value to legal department employees and data protection officers.
In this context, it should be noted that the data protection authorities regularly publish helpful information, templates and statements on various data protection issues. For example, the data protection authority of Hessen recently published a German language formulation aid for data processing agreements and the data protection authority of Thuringia recently published an example of a German language form for a declaration of consent to data processing.
Notwithstanding the fact that the use of templates can contribute to an efficient and legally compliant implementation of data protection requirements, it should always be examined on a case-by-case basis whether the templates are suitable for the respective purpose and whether and to what extent they have to be adapted against the background of the respective case constellation.
With regard to consent to data processing, it should in particular be noted that consent is only valid if it is freely given. Particular attention must therefore be paid to this in employment relationships, given the typical dependence of the employee on the employer. Particular care is also required when obtaining consent for the processing of special categories of data (e.g. health data or biometric data): here, explicit consent is always required.
In view of these special requirements, it is always advisable to examine whether legal bases other than consent could justify the processing. Depending on the facts of the case, processing may be justified, for example, because it is necessary for the performance of a contract or for the purposes of the legitimate interests pursued by the controller or a third party. The latter, however, requires a documented balancing of interests and therefore increased argumentation and documentation effort.
Templates for data processing agreements can also serve as helpful guidance and aid for the drafting of contracts. However, it should always be critically examined whether the regulations provided for in the template are appropriate for the individual case in question. Particularly when concluding intragroup data processing agreements, careful consideration should be given to whether the agreement should generally be drafted in favor of or to the detriment of one of the parties or whether balanced regulations are recommendable. Particularly in the case of intra-group agreements, it may also be advisable, for example, to include or adjust regulations on the inspection rights of the controller, on the remuneration of the processor and on the liability of the parties in accordance with internal company practice.