
Newsletter data protection

Dear readers,

Since January 1, 2023, Microsoft has made available a revised version of its data processing agreement, offering companies with various products – cloud suite online services, including Microsoft 365, Dynamics 365, Power Platform and Azure – the option to have their customer data stored and processed exclusively within the EU (notice dated December 15, 2022). After such an “EU Data Boundary” had already been demanded by various parties in the past, Microsoft announced its implementation in May 2021. With the introduction of the EU data boundary, Microsoft is also responding to the rulings of the European Court of Justice (ECJ), which has already made several critical statements on the legal protection of a transfer of data to the USA. Documents and data created with Microsoft programs and stored or processed in the cloud are now to remain exclusively on servers in Europe, specifically within the EEA, and are to be stored and processed there in accordance with the product terms and conditions, provided the customer requests this and selects the corresponding option. In addition, Microsoft wants to support its customers in fulfilling their data protection accountability by means of transparency documentation. However, the extent to which the current data protection amendment can actually defuse the discussion about the far-reaching access powers of American security authorities, for example on the basis of the American CLOUD Act, remains questionable. On the positive side, however, the introduction of the data boundary is at least likely to significantly reduce the flow of data from the EU to the US.

In a next step, Microsoft plans to extend the new residency option beyond customer data to pseudonymized personal data starting in late 2023. Finally, from mid-2024 onwards, there should be the possibility that all data generated and processed as part of the support for the aforementioned systems will also remain on servers within the EU or EEA.

Apple also announced the release of its new enhanced privacy feature in Germany, according to media reports. The iOS 16.3 update is supposed to introduce end-to-end encryption for various iCloud services.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Procedure in the event of data protection incidents

Data breaches, data loss and data theft are significant risk factors for all companies that process personal data, as there can be no absolute protection of stored data. As long as personal data is collected, stored or otherwise processed by the company, there is always the possibility, and therefore also the risk, that the data may be disclosed to unauthorized third parties or lost as a result of an accident or criminal act. In the event that such an outflow or unauthorized knowledge occurs, the General Data Protection Regulation (GDPR) places various obligations to action – in particular information and notification obligations – on the data controller. The corresponding requirements are based, among other things, on the principle of transparency under data protection law, which results in the obligation to inform data subjects about the scope of data processing and the purposes for which the data are processed. This also includes information on whether the data of the data subject is sufficiently protected against access by unauthorized persons. This information serves as a basis for data subjects to decide whether they wish to consent or object to (further) data processing by the company.

Since a data protection incident can mean, in addition to consequences such as fines or claims for damages, a potential loss of image for the company in view of the information obligations applicable under the GDPR, it is important to prevent such incidents wherever possible and, should a data protection incident actually occur in practice, to act quickly to mitigate negative consequences.


LG Munich I: Data protection compliant design of cookie banners

The Regional Court Munich I ruled on November 29, 2022, that the cookie banner used in the past on the Focus.de site was illegal, as it did not allow effective user consent due to its specific design (LG Munich I, judgment dated 29.11.2022 - Ref. 33 O 14766/19).

This cookie banner was designed in such a way that the user was shown the options “Accept” and “Settings” on the first page of the banner in addition to various information. However, there was no button to reject the cookies. If the user clicked on the “Accept” button, he fully consented to the setting of technically unnecessary cookies and the associated data processing. A click on the “Settings” button led to the user being shown an extensive selection menu on a second page. This gave users the option of making individual settings for more than 100 third-party providers by confirming individual sliders. Two additional, visually highlighted buttons also gave users the option of accepting all services or saving their selection. In contrast, the option to reject all cookies was placed in pale letters in the upper corner of the window.

The Regional Court Munich considered such a design to be illegal and stated that no effective consent could be obtained by means of such a cookie banner. In particular, the characteristic of voluntary consent was lacking in this respect. The court stated that consent can only be considered voluntary if the data subject has a genuine choice. This was already not the case because the first page of the cookie banner lacked an option for refusal, and because the refusal of consent was accordingly associated with an additional effort. In addition, the large number of setting options leads to a further complication of the refusal of consent. The court also criticized the fact that the button for accepting cookies was visually highlighted, while the button for rejecting cookies was designed very inconspicuously. It would therefore seem obvious that the user’s right to choose was being influenced in an impermissible manner. The scope of the processing operations described and the structure of the cookie banner by means of various menus also indicate a breach of the relevant information obligations.

(Christina Prowald)

AG Charlottenburg: No claim for payment with Google Fonts

In the meantime, the wave of warnings and claim letters due to the dynamic integration of Google Fonts has subsided. On the one hand, many website operators have now made the necessary technical changes, and on the other hand, criminal or professional proceedings are now underway against the key players and their lawyers. Most recently, the Berlin-Charlottenburg Local Court has also granted a negative declaratory judgment action and determined that the claimant cannot demand damages of 170 euros due to the data protection infringement (AG Berlin-Charlottenburg, judgment dated 20.12.2022 – Ref. 217 C 64/22, BeckRS 2022, 37243). In doing so, the Local Court primarily focused on the fact that a claim for damages would have required a more precise presentation of what damage the claimant was supposed to have suffered. The investigations have since revealed that the claimants did not even visit the relevant sites in person, but only checked them with the help of special software. The court did not have to address the question of abuse of rights because it could not identify any compensable damage.

(Dr. Sebastian Meyer)

ECJ: Designation of recipients in the case of a right of access

In its decision of January 12, 2023, the European Court of Justice (ECJ) ruled on the hitherto controversial question of whether it is sufficient, in the context of a request for information pursuant to Article 15 GDPR, to merely name the categories of recipients in the case of disclosure of data to third parties, or whether the recipients must be named individually (ECJ, judgment dated 12.01.2023 - Ref. C-154/21).

The ECJ commented that the controller is obliged to inform the data subject in detail about the identity of the recipients in the context of the request for information. The court reasoned that the wording of Article 15 GDPR was not unambiguous. However, taking into account recital 63, which does not provide for any limitation to the categories of recipients, and the principle of transparency, the data subject should have the right to be informed of the identity of the specific recipients if his or her data have already been disclosed to them. The Court had also previously ruled that data subjects must be able to verify that their data are processed lawfully and disclosed only to recipients who are also authorized to process them. For this purpose, concrete information going beyond categories would be required. Such an interpretation of Article 15 GDPR is also in line with the overarching objective of the GDPR to ensure a high level of data protection for natural persons within the EU.

In practice, however, the right of access has so far often been interpreted more restrictively and, at most, information has been provided in the abstract about which types of processors, if any, receive access to the personal data.

(Christina Prowald)

ECJ hears fundamental question on sanctioning data protection violations

On January 17, 2023, the oral hearing in the proceedings “Deutsche Wohnen” (C-807/21) before the European Court of Justice (ECJ) took place (press release of the DSK dated January 18, 2023).

The background to the proceedings is a fine of 14.5 million euros that the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) had imposed on the real estate company Deutsche Wohnen because of the excessive storage of tenant data. The Regional Court Berlin discontinued the proceedings because it was of the opinion that fines under the GDPR can only be imposed on legal entities if it can be established at the same time that the infringement was committed by a management person’s own actions or breach of supervisory duties. This corresponds to the law on administrative offenses in Germany, but is not linked to the GDPR in any way. In agreement with the BlnBDI, the public prosecutor filed an appeal against the decision of the Regional Court Berlin. The Berlin Court of Appeal then referred the central questions to the ECJ for a preliminary ruling.

The ECJ must now clarify the fundamental question of whether a legal person in Germany can be sanctioned directly under the European principles for data protection infringements under the GDPR, without having to establish that an identified natural person in a management position has committed an offense. According to the DSK, at the hearing the ECJ was particularly interested in the extent to which national regulations in Germany represent obstacles to European harmonization. In this respect, the supervisory authorities had already objected in advance that the requirements of German administrative offenses law make it significantly more difficult to sanction data protection violations than in other countries.

Marit Hansen, the Schleswig-Holstein State Commissioner for Data Protection and Chair of the 2023 Data Protection Conference, commented, “The decision in these proceedings will mark a fundamental change of course for Germany. It is therefore eagerly awaited by the German supervisory authorities.”

(Christina Prowald)

EDPB: Cookie banner decision

On January 18, 2023, the European Data Protection Board (EDPB) commented on the topic of cookie banners, among other things, at its meeting (press release dated 19.01.2023).

The EDPB reiterated that in this respect it was in favor of a harmonized application of data protection legislation within the EU. To this end, a task force on cookie banners was recently set up to coordinate the response to complaints about cookie banners. On January 18, 2023, the task force issued a report on its work. Among other things, the report contains descriptions of various cookie banner designs as well as assessments by the task force members of their permissibility. The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, welcomed the progress made and commented on the cookie banner issue as follows: “A well-made and fair website does not need a cookie banner because it uses only technically necessary cookies. However, if website operators absolutely want to collect personal data, they must not obtain consent to do so by unfair or unlawful means. Following the guidelines on deceptive design patterns, I have now agreed with my colleagues in the EDPB on how we will implement this as uniformly as possible in supervision. The results of the Cookie Banner Task Force’s final report now largely correspond to what we in Germany have already recorded in the Telemedia Orientation Guide.”

(Christina Prowald)

HmbBfDI: Advanced competences

On January 18, 2023, the Hamburg Parliament expanded the powers of the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) in the application of the Telecommunications Telemedia Data Protection Act (TTDSG) (press release dated 19.01.2023). The newly enacted Section 19 (7) of the HmbDSG declares the HmbBfDI to be the competent supervisory authority for telemedia in Hamburg and assigns the HmbBfDI the power to impose fines under the TTDSG as well as the investigative and remedial powers under Article 58 GDPR. The new regulation will enable the Hamburg Data Protection Commissioner to impose fines and remedial measures on telemedia providers in Hamburg, for example if they fail to comply with the data protection requirements for the use of cookies. Among other things, the new regulation is intended to counter the integration of cookies and the design of consent banners that are not fully compliant with the law. Users of online services should be able to assume that only data that is actually required to provide the service is in fact processed. Due to the relatively broad scope of the TTDSG, different responsibilities may exist, for example with the Federal Data Protection Commissioner or the Federal Network Agency; in some cases, responsibility must also be determined at the state level. The HmbBfDI, Thomas Fuchs, welcomed the decision as well as the new possibilities and has already announced a review of the telemedia offerings of Hamburg companies for their compatibility with the requirements of the TTDSG for the first quarter of 2023.

(Christina Prowald)

Ireland: Fine of 390 million euros against Meta

The Irish Data Protection Commissioner (DPC) imposed a fine totaling 390 million euros on Meta Platforms Ireland Limited (“Meta”) in connection with the provision of its Facebook and Instagram services (press release dated 04.01.2023). In addition, the DPC ordered Meta to adjust the offending data processing operations within three months.

The background of the proceedings was the complaints of one user each of Facebook and Instagram, which referred to the update of the terms of use subsequent to the introduction of the GDPR. In each case, the fact that consent to the updated terms of use was required in order to continue using the Facebook and Instagram services was criticized. The two users argued that Meta was effectively forcing them to consent to the processing of their personal data for behavioral advertising and other personalized services if continued access to the services was made conditional on consent to the updated terms of use. The users further claimed that, contrary to the statements in the new terms of use, Meta still wanted to rely on the legal basis of consent with regard to the processing of user data in this respect. Meta, on the other hand, was of the opinion that by accepting the terms of use, a contract was concluded between the parties, for the fulfillment of which the data processing was necessary.

In its investigation, the DPC found that Meta did not sufficiently inform its users about the purposes of the data processing and the relevant legal basis in each case, and submitted draft decisions. Supervisory authorities also affected by the issue subsequently objected to the drafts, criticized the DPC’s rather low-key approach, and in particular called for an increase in the fine proposed by the DPC. After no agreement could be reached between the supervisory authorities, the European Data Protection Board (EDPB) instructed the DPC in December to take decisive action against the group. In particular, the EDPB took the view that Meta had used users’ data in an unlawful manner for advertising, as the group could not in principle rely on the legal basis of contract performance in this respect. Subsequently, in its final decision dated December 31, 2022, the DPC stated that Meta had not been entitled to rely on the legal basis of contract performance in connection with the provision of behavioral advertising as part of the Facebook and Instagram services and that the data processing to date constituted a breach of Article 6 GDPR. Meta has already announced that it will take action against the fine.

(Christina Prowald)

Ireland: Fine in the amount of 5.5 million euros against WhatsApp

A further fine of 5.5 million euros was imposed by the Irish Data Protection Commissioner (DPC) on the Meta Group on January 12, 2023, for data processing operations in connection with the provision of its WhatsApp service. WhatsApp was also ordered to adapt its processes to the requirements of the GDPR within six months.

The proceedings against Meta regarding data processing at WhatsApp also concerned WhatsApp’s terms of use, which were updated subsequent to the introduction of the GDPR, and the requirement to agree to the terms in order to continue using the service. Meta made the same case for WhatsApp as for Facebook and Instagram. It argued that by agreeing to the terms of use, a contract was concluded between WhatsApp and the user and that the data processing by WhatsApp was necessary to fulfill this contract, so that Article 6 (1) (b) GDPR could be used as a legal basis. In contrast, the complainant also argued in this case that WhatsApp was actually seeking to rely on consent and was in effect forcing users to agree to data processing to improve the service and increase security.

After no agreement could be reached between the supervisory authorities involved in this case either, the EDPB also determined with regard to the data processing carried out on the part of WhatsApp that this could not be based on the performance of a contract within the meaning of Article 6 (1) (b) GDPR. The DPC subsequently ruled that WhatsApp is not entitled to rely on Article 6 (1) (b) GDPR as a legal basis for providing service enhancements and security. WhatsApp announced that it would take action against the decision.

(Christina Prowald)

On our own account: 4th BRANDI Data Protection Law Day on May 12, 2023

On May 12, 2023, our 4th BRANDI Data Protection Law Day will take place. We would like to take this opportunity to extend to you an early invitation to this event.

We plan to use the day to discuss issues relating to cloud usage, cybersecurity and liability risks with you and external experts. This year the Data Protection Law Day will finally take place in person again in Bielefeld, but of course there will also be the possibility to participate online. We will keep you informed about the registration options as well as the more concrete contents of the event, including scheduled guest speakers and attendees, in our data protection newsletter and on our homepage.