
Newsletter data protection

Dear readers,

On May 12, 2023, our BRANDI-Data Protection Law Day will take place and we are looking forward to exciting discussions on the topic “Data Protection in the Cloud and Cybersecurity”. There is still the possibility to register for the event; we have summarized the information regarding the registration options for you again in this newsletter.

As usual, we also report on current events in data protection law, including this time the recent decision of the Munich Regional Court I on the use of Google Fonts, the decision of the Austrian supervisory authority on scoring by the credit agency CRIF, the EDPB guidelines on the right of access, and the ban on ChatGPT in Italy.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: User tracking, cookie banners and pure subscription models

Many companies integrate user-tracking tools into their online offerings. These software applications, which are also provided primarily by (American) third-party providers, allow companies, among other things, to analyze the “shopping journey” and behavior of the customer, to create evaluations of the customer structure, their interests and purchasing behavior, and to present users with information, offers and advertising tailored to them. Companies often have a great interest in this tracking, as it helps them understand their customers better and adapt and improve their offerings to the customers’ interests. In contrast, users of the online offering have an interest in protecting their data and privacy. In this context, users’ constitutionally enshrined right to informational self-determination has to be considered. This means that data subjects can generally decide for themselves which of their personal data may be processed by which bodies and for what purpose. Based on this, various requirements have been developed, particularly by the courts, which must be complied with when carrying out user tracking.

To the complete main topic

On a personal note: BRANDI-Data Protection Law Day

In our data protection newsletters of the past months, we have sent out the invitation and given information about our Data Protection Law Day on May 12, 2023 and the registration options. Together with you and external experts, we would like to discuss the topic of “Data Protection in the Cloud and Cybersecurity” at the event.

The event will take place at the end of next week. There is still the possibility to register for the event under the following link: https://www.brandi.net/news/detail/4-brandi-datenschutzrechtstag-praesenzveranstaltung-am-12052023/.

If there are specific content-related questions that you would like to talk about at the event, you can send them to us in advance at the following e-mail address: WissMit-DatenschutzBI@brandi.net. In addition, you will have the opportunity to ask questions during the event and actively participate in the discussion. We will of course also be happy to answer any organizational questions you may have in the run-up to Friday.

We are looking forward to welcoming a lot of you to the event!

(Christina Prowald)

OLG Dresden: Injunctive relief cannot be claimed by legal entities

On March 14, 2023, the Higher Regional Court of Dresden ruled that legal entities cannot assert claims for injunctive relief on the basis of data protection law (OLG Dresden, decision dated 14.03.2023 - Ref. 4 U 1377/22, BeckRS 2023, 6302). The OLG Dresden justified its decision by stating that the GDPR requires the existence of personal data. Furthermore, the court stated that vacation lists of a company do not constitute trade secrets.

In the underlying case, the plaintiff, a legal entity, sought an injunction against the use of data from its payroll accounting and of information about the possession and surrender of further documents containing confidential information from its company. Specifically, the case involved two e-mails detailing absences due to vacation and illness sent by a former employee of the plaintiff who now works for the defendant association. The plaintiff filed a claim for injunctive relief and restitution against the defendant on account of these e-mails, also alleging violations of data protection law.

The court found that, according to the clear wording of Art. 4 No. 1 GDPR, legal persons cannot resort to the claims contained in the GDPR. From this, as well as from Recital 14 (2) GDPR, it follows that the protection of the GDPR does not refer to legal persons, but exclusively to natural persons. Neither does the obligation of the plaintiff resulting from the BDSG to protect the data it collects on its employees lead to a claim of the plaintiff as a legal person against a third party. Moreover, the BDSG does not contain any basis from which claims of private employers against private third parties can be derived. The court denied claims under the German Trade Secret Act, as the information in question was not a trade secret.

(Christina Prowald)

LG München I: Use of Google Fonts

On March 30, 2023, the Regional Court of Munich I ruled that the mass assertion of claims for injunctive relief and damages due to the integration of Google Fonts on websites is an abuse of rights, and that the respective request is therefore unfounded (LG München I, decision dated 30.05.2023 - Ref. 4 O 13063/22).

At the end of 2022, the defendant asserted mass claims against operators of websites that had integrated Google Fonts into their online presence. As a result, house searches and account seizures were carried out at the premises of the defendant and his lawyer in Berlin. The two defendants were suspected of (attempted) warning notice fraud and (attempted) extortion in at least 2,418 cases (we reported in our data protection newsletter January 2023).

The court now found that the dynamic integration of Google Fonts as well as the transmission of the IP address to the USA without compelling technical reasons and without consent could in principle constitute a violation of the right to informational self-determination. However, such a violation presupposes that the data subject is personally affected. This was not the case here. It cannot be assumed that the warning party visited the plaintiff’s website; rather, an automated program was used for this purpose. In addition, a claim for injunctive relief was also ruled out from the point of view of provocation. The software had been used precisely to find websites on which Google Fonts were dynamically integrated. Anyone who deliberately puts themselves in a situation in which they are threatened with an infringement of personal rights solely in order to experience the infringement is not in need of protection.

The court also denied a claim for damages by the warning party under Art. 82 GDPR. Art. 82 GDPR requires damage in any case, which is obviously not present in the matter at hand. Due to the use of an automated program, the defendant could not have had any feelings such as fear or uncertainty. In addition, claims for damages are excluded due to abuse of rights.

(Christina Prowald)

Federal Press Office files suit against Facebook ban

In a decision from February 17, 2023, the Federal Data Protection Commissioner had formally prohibited the Federal Press Office from operating the Facebook fan page for the Federal Government (see our newsletter for March 2023). The Federal Press Office did not want to accept this decision and therefore filed an action with the Cologne Administrative Court in due time. According to the Federal Press Office, it would like to create legal clarity for the operation of Facebook pages within the framework of a type of test case. In this regard, the Federal Press Office states that “Facebook alone is responsible for its data processing under data protection law and to this extent data protection issues are to be clarified solely in relation to Facebook”. Until the court decision, the German government intends to continue operating the fan page in its current form.

(Dr. Sebastian Meyer)

Austria: Scoring by credit agency CRIF violates data protection laws

In its decision of March 24, 2023, the Austrian data protection authority determined that the scoring carried out by the credit agency CRIF was contrary to data protection law, as the underlying data of millions of Austrians should not have been used for those very purposes (decision dated 24.03.2023). The decision of the supervisory authority can be appealed within four weeks.

The credit agency CRIF carried out credit checks on the basis of data it had received from the Austrian address publisher AZ Direct Österreich. However, AZ Direct Österreich was only allowed to use and pass on the data in question for marketing purposes. Nevertheless, the credit agency CRIF received the data to use as the basis for calculating creditworthiness data for the Austrian population.

The subject of the complaint in the underlying case was the question of whether the scoring carried out by CRIF violates the principle of legality and the principle of purpose limitation. The Austrian Data Protection Authority classified the data transfer and processing in question as unlawful due to the lack of a sound legal basis. It stated that the data protection authority had already found a violation of the lawfulness of the data processing in the parallel proceedings against AZ Direct Österreich. In the context of the balancing of interests with regard to Art. 6 (1) (1) (f) GDPR, it therefore had to be taken into account in favor of the complainant that AZ Direct Österreich was not authorized to disclose the data to the respondent for the purpose of assessing creditworthiness. As a rule, the unlawfulness of the original data collection also entails the unlawfulness of further data processing. A different situation could arise if data was originally collected unlawfully by one data controller but processed lawfully by another. However, compelling interests of the respondent CRIF worthy of protection are not apparent in this respect. In addition, the credit agency had not been able to prove that it had carefully selected its contractual partner (AZ Direct Österreich). The data protection authority therefore found that the data processing was unlawful due to the lack of a sound legal basis. It further stated that AZ Direct Österreich’s violation of the purpose limitation principle, on the other hand, could not be attributed to CRIF; this, however, does not alter the finding on the permissibility of the data processing, since all data protection principles of Art. 5 GDPR must be complied with for data processing to be permissible.

(Christina Prowald)

Italy: Ban on ChatGPT

At the end of March, the Italian data protection supervisory authority (GPDP) prohibited OpenAI, L.L.C., the operator of ChatGPT, from processing personal data of Italian citizens in the context of the ChatGPT application (communication dated 30.05.2023). The supervisory authority relied, among other things, on the fact that neither the users nor the data subjects whose data were collected by OpenAI and processed through ChatGPT were provided with sufficient and transparent information under data protection law. In addition, there was no sound legal basis for the data processing operations at issue and there was a lack of safeguards for minors.

On April 12, 2023, the Italian supervisory authority then announced that it would lift the restrictions, provided that OpenAI implemented various measures by April 30, 2023. For example, the authority required the provision of an information notice on the company’s website describing the modalities and logic of the data processing operations required for the operation of ChatGPT and outlining the rights of all data subjects. The information notice would have to be placed in such a way that it could be perceived and read before logging in to the service. In addition, OpenAI is to conduct an information campaign on radio, television, newspapers and the Internet by May 15, 2023, in coordination with the data protection authority. In addition, users should have to undergo an age check. With regard to the legal basis, the GPDP instructed OpenAI to delete all references to contractual services. Instead, data processing operations should be based on the user’s consent or the company’s overriding legitimate interest. In addition, OpenAI was required to provide easily accessible tools to allow data subjects to obtain the rectification or erasure of their data and to exercise their right to object to the processing of their personal data.

In Germany, according to the LDI NRW, the ChatGPT application is also currently the subject of a data protection review coordinated in the DSK. In a first step, the information required for an examination is to be obtained from OpenAI and jointly evaluated.

(Christina Prowald)

EU Parliament: Adequacy decision for the USA rejected

On the basis of the Transatlantic Data Privacy Framework, the successor to the EU-US Privacy Shield, the European Commission plans to use an adequacy decision to establish that an adequate level of data protection can also be assumed for the USA when applying the framework. The Commission’s draft adequacy decision is already available, and the European Data Protection Board (EDPB) and the German Data Protection Conference have already expressed some criticism of it (see our newsletter for April 2023). The responsible committee of the EU Parliament (Civil Liberties Committee - LIBE) has now - as can be seen from the press release of April 13, 2023 - taken an even clearer position and has spoken out in favor of not approving the adequacy decision, but rather of once again attempting follow-up negotiations with the USA. However, the Committee’s decision, which was reached without any dissenting votes, has no binding effect.

(Dr. Sebastian Meyer)

EDPB: Guidelines on the right of access

On March 28, 2023, the European Data Protection Board (EDPB) published guidelines on the right of access pursuant to Art. 15 GDPR (EDPB Guidelines dated 28.03.2023). The guidelines are designed to achieve a uniform implementation of the right of access within the EU. The final version of the guidelines, which has now been published, also incorporates the results of the public consultation, in which the LDI NRW, for example, also participated (communication from the LDI NRW).

In the guidelines, the EDPB first describes that the general objective of the right of access is to provide data subjects with comprehensive and transparent information about the processing of their personal data and to enable data subjects to check the lawfulness of the processing and, if necessary, assert further rights. In the first part, the guidelines then provide an overview of the structure of the regulation as well as the essential principles to be observed in the context of the right of access. Subsequently, various substantive issues relating to the right of access are dealt with in greater depth. For example:

  • When does a request constitute a request for information within the meaning of the GDPR? How is this to be interpreted by the controller? To whom may information be provided?
  • What data must be provided as part of the response to the request for information?
  • What measures must be taken to trace the data subject’s data in the controller’s systems?
  • In what way is the information to be provided? What exactly is meant by the terms “copy of the data” and “common electronic format”?
  • Under which conditions must a response to the request for information be refrained from?

The guidelines also contain a flowchart that can be used by data controllers to understand how to proceed when a data subject asserts his or her right of access under Art. 15 GDPR.

(Christina Prowald)

DSK: Opinion on the European Health Data Space

The EU Commission has already drafted several specific data laws on the basis of the data strategy developed in 2020, through which data subjects may rely on compliance with the GDPR and with Art. 7 and 8 of the Charter of Fundamental Rights of the European Union. As a first sector-specific data space, a draft regulation on the creation and regulation of a European Health Data Space (EHDS) was presented in May 2022. In its published opinion of March 27, 2023, the Data Protection Conference takes a critical view of the draft regulation in its current form and drafting.

The draft regulation states that the EHDS is intended to enable and harmonize the use of health data for treatment purposes (primary purpose) in an electronic manner throughout Europe. Secondary purposes of use, such as research purposes or the training of artificial intelligence, are also regulated in the draft regulation. In principle, the DSK welcomes the plan to create a uniform regulation in the European area, as long as data protection requirements and rights are not undermined in the process. For the creation of the European Health Data Space, the fundamental right to data protection or informational self-determination must be appropriately balanced with the public interest in scientific research in particular. According to the DSK, the draft regulation falls far short in this respect. In particular, the DSK calls for improvements with regard to data subjects’ rights, legal clarity, and regulations on technical and organizational measures. Particularly with regard to the secondary use of electronic health data, the DSK criticizes the fact that it is not apparent whether and, if so, to what extent the data subjects are granted any rights at all. The Data Protection Conference also calls for the deletion of the planned regulation on the provision of personal genome data, as this encroaches on the most intimate sphere of the data subjects and their relatives. In the view of the Data Protection Conference, the technical implementation to ensure a high level of security must also be regulated much better. The electronic systems, i.e., devices or software intended to process electronic patient data, should have to be approved by an independent body. It is important to ensure end-to-end encryption and the possibility of anonymization and pseudonymization.

Health data is particularly sensitive data that requires a high level of protection. The more personal the data, the stricter the requirements for processing it must be. The effects of misuse or a data breach can have drastic consequences for the data subject in individual cases. Data subjects must have a right to the secure and confidential processing of their health data and be able to control it effectively.

(Eva Ritterswürden)