
Newsletter data protection

Dear readers,

Our 4th BRANDI Data Protection Law Day took place on May 12, 2023. At the event, there were exciting discussions on the topic of “Data Protection in the Cloud and Cybersecurity”. We have summarized the contents of the event for you in this month’s main topic of our data protection newsletter.

In addition, the Big Brother Awards were presented in Bielefeld on April 28, 2023. This negative award for data protection singles out data offenders from business and politics. The jury of data protection experts included the former data protection commissioner of the state of Schleswig-Holstein, Dr. Thilo Weichert, as well as Prof. Dr. Peter Wedde from Frankfurt University of Applied Sciences and Frank Rosengart from the Chaos Computer Club. Awards in the various categories went to Microsoft, Deutsche Post DHL Group, the German Federal Ministry of Finance, finleap connect GmbH, and Zoom. The criticisms included compulsory digital parcel collection, the transfer of data to the USA, the incorrect sending and disclosure of data, and the Platform Tax Transparency Act.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: BRANDI Data Protection Law Day on the topic “Data Protection in the Cloud and Cybersecurity”

On May 12, 2023, Prof. Dr. Alexander Roßnagel was a guest at BRANDI in Bielefeld. Prof. Roßnagel is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI). Previously, he was a senior professor of public law with a focus on the law of technology and environmental protection at the University of Kassel. As part of this year’s Data Protection Law Day on the topic of “Data Protection in the Cloud and Cybersecurity”, he gave fascinating insights into various data protection law topics, current procedures and the daily work of the Hessian Data Protection Authority and the Data Protection Conference (DSK) in conversation with lawyers from BRANDI including Dr. Sebastian Meyer, Dr. Christoph Rempe, Dr. Laura Schulte, Dr. Christoph Worms and Dr. Daniel Wittig.

During the event, issues relating to the use of cloud services and cybersecurity were examined. Prof. Roßnagel opened with a keynote on “Data Protection in the Cloud”. In the first part, the participants then discussed, among other things, the legal advantages and disadvantages of on-premise solutions and cloud-based applications, the use of Microsoft 365, aspects of contract negotiations with providers of cloud solutions, and the safeguarding of third-country transfers, including the consequences of the Schrems II ruling and the current status of the new adequacy decision for the USA. In the second part, following the keynote “Liability Risk Cyber Incidents” by Dr. Schulte, the discussion turned to legal protection in the event of cyber incidents, insurance law and criminal law aspects, and various strategies for dealing with cyber incidents. In the third part of the event, prospective lawyers gave presentations on various current data protection law topics as part of the BRANDI Young Lawyers Award.


ECJ: Mere breach of data protection does not justify a claim for damages

In the preliminary ruling case UI vs. Österreichische Post AG, the European Court of Justice (ECJ) ruled on May 4, 2023 that a mere breach of the GDPR does not give rise to a claim for damages (ECJ, decision dated 4.5.2023 - Ref. C-300/21). The ECJ largely followed the opinion of the Advocate General (we reported in December 2022).

In the original proceedings underlying the decision, the plaintiff asserted a claim for damages under Article 82 GDPR against Österreichische Post AG in the amount of 1,000 euros. Starting in 2017, the defendant had collected information on the political affinity of the Austrian population and processed it without the consent of the persons concerned, defining “target group addresses” based on various characteristics. The plaintiff, who was also affected by this processing, stated that he was annoyed by it and demanded damages from Österreichische Post. He considered the party affinity attributed to him insulting, shameful and damaging to his reputation. In order to clarify whether the plaintiff’s allegations were sufficient for an award of damages, the Austrian Supreme Court (OGH) referred to the ECJ the question of whether a mere infringement of the GDPR is sufficient to give rise to a claim for damages, and whether an award of non-material damages presupposes a consequence of the infringement of at least some weight that goes beyond the annoyance caused by the infringement.

The ECJ stated that not every breach of the GDPR gives rise to a claim for damages. Rather, the claim for damages provided for in the GDPR has three conditions that must be met cumulatively: a breach of the GDPR, material or non-material damage, and a causal link between the breach and the damage. This understanding is supported by the wording of Article 82 GDPR as well as the recitals. However, the court went on to hold that the claim for damages is not limited to non-material damage exceeding a materiality threshold. Such a requirement does not follow from the GDPR and would not be compatible with the broad understanding of the concept of damage. The amount of damages is to be determined by the national courts in light of the circumstances of the individual case, observing the principles of equivalence and effectiveness. On this point, the materiality threshold, the ECJ departed from the Advocate General’s Opinion.

(Christina Prowald)

ECJ: Scope of the right of access - transmission of a copy

On May 4, 2023, the European Court of Justice (ECJ) ruled that the right to receive a “copy” of one’s personal data must be understood as providing the data subject with a faithful and intelligible reproduction of all his or her data (ECJ, decision dated 4.5.2023 - Ref. C-487/21).

In the main proceedings, the plaintiff had asserted a right of access against CRIF, a credit-reporting agency, and requested a copy of his data. The plaintiff then received a list of his personal data in aggregated form. He believed that he should have received a copy of all documents containing his data and therefore filed a complaint with the Austrian data protection authority. The latter was of the opinion that CRIF had duly complied with its obligation to provide access, whereupon a court dispute arose. The Federal Administrative Court of Austria asked in particular whether the obligation to provide a copy of the personal data is fulfilled if the controller transmits the personal data as a table in aggregated form, or whether it also includes the transmission of extracts from documents, entire documents, or extracts from databases in which these data are reproduced, and referred various questions on Article 15 (3) GDPR to the ECJ.

In its ruling, the ECJ deals with the content and scope of the right of access. It states that Article 15 (3) GDPR is to be understood as meaning that the data subject receives a faithful and intelligible reproduction of all his or her personal data. This may include copies of documents or extracts from databases where providing such copies is indispensable to enable the data subject to effectively exercise his or her rights, taking into account the rights and freedoms of others. The ECJ notes that the term “copy” in its ordinary sense does not mean a mere general description or a reference to categories of data. However, the term “copy” does not refer to a document as such, but to the personal data contained in it, which must be complete. The copy must therefore contain all personal data that are the subject of the processing. Furthermore, the ECJ points out that the data subject must be able to check not only whether his or her data are accurate, but also whether they are processed lawfully. In particular, where personal data are generated from other data, or where data are derived from the absence of information, the respective context is required in order to obtain transparent and intelligible information.

(Christina Prowald)

ECJ: Data processing not automatically unlawful in the absence of a record of processing activities or joint controllership agreement

The European Court of Justice (ECJ) ruled on May 4, 2023 that the absence of a record of processing activities or of a joint controllership agreement, i.e. a breach of the accountability principle, does not automatically render the processing unlawful and therefore does not by itself give the data subject a right to erasure of his or her data (ECJ, decision dated 4.5.2023 - Ref. C-60/22).

The ECJ pointed out that compliance with the obligation to conclude a joint controllership agreement under Article 26 GDPR and the obligation under Article 30 GDPR to maintain a record of processing activities are not among the grounds for lawfulness of processing set out in Article 6 (1) GDPR. Accordingly, a breach of the obligations in Articles 26 and 30 GDPR does not in itself constitute “unlawful processing” within the meaning of Articles 17 and 18 GDPR. The absence of such an agreement or record does not by itself establish that the data processing has infringed the rights and fundamental freedoms of data subjects.

(Christina Prowald)

Advocate General ECJ: fault requirement in fine proceedings

In the preliminary ruling Deutsche Wohnen SE v. Staatsanwaltschaft Berlin, the Advocate General of the European Court of Justice (ECJ), Manuel Campos Sánchez-Bordona, published his opinion on April 27, 2023 (Opinion of 27.4.2023 - Ref. C-807/21). The content of the opinion is primarily concerned with the requirement of fault in fine proceedings.

In 2017, during an on-site inspection, the Berlin data protection supervisory authority notified Deutsche Wohnen that the Group companies were storing tenants’ personal data in an archiving system in which it was not possible to determine whether proper storage and deletion of the data was ensured. Deutsche Wohnen was also requested to delete certain data. Deutsche Wohnen did not comply with this request and, following a further inspection by the supervisory authority, was fined around 14.5 million euros. In the ensuing legal dispute, the Berlin Court of Appeal (Kammergericht) referred to the ECJ the question of whether fine proceedings can be brought directly against a company, or whether an administrative offense committed by an identified natural person must first be established in order to impose a fine. The court also asked whether the infringement must be culpable or whether an objective breach of duty is sufficient.

The Advocate General states that it is compatible with Union law to treat Deutsche Wohnen as the perpetrator of the infringement and the addressee of the sanction. Sanctioning legal persons directly is a key mechanism for ensuring the effectiveness of the GDPR, and it follows naturally from Articles 4, 58 and 83 GDPR that legal persons can be the direct addressees of fines. If, in addition, an administrative offense by a natural person had to be established, infringements that the GDPR attributes to a legal person could fall outside the GDPR’s system of sanctions.

The Advocate General recognizes that applying Section 30 of the German Administrative Offences Act (OWiG) may lead to an unjustified weakening or limitation of the GDPR’s system of sanctions. At the same time, he points out that Article 83 GDPR argues against a system of strict liability: it requires intent or negligence with regard to the infringement being penalized, so the supervisory authorities must also make findings on this in the fine proceedings.

(Christina Prowald)

BGH: Delisting request against Google

In its ruling of May 23, 2023, the German Federal Court of Justice (BGH) ruled on delisting requests against Google’s Internet search service (press release dated 23.5.2023). The full text of the decision is not yet available.

The background to the decision is a case in which two people from the financial services industry felt discredited by various online articles because the reports allegedly made incorrect claims about their investment model. The two individuals asked Google to remove the links to the articles, but Google refused, whereupon they brought an action against Google. The Federal Court of Justice referred questions on the interpretation of the right to erasure to the ECJ. In December 2022, the ECJ ruled that search engine operators must delist links to manifestly inaccurate information even without a prior court ruling (we reported in January 2023). Anyone wishing to have an entry removed from Google need only prove to the operator that the information in question is manifestly inaccurate; a court decision is not necessarily required for this proof.

On the basis of the ECJ’s decision, the Federal Court of Justice has now confirmed the lower courts’ dismissal of the action with regard to the links to the allegedly incorrect online articles objected to by the plaintiffs. First, one article lacked the necessary reference to the person of the plaintiff; second, the two plaintiffs had failed to prove to the defendant that the information in question was manifestly inaccurate. With regard to various preview images (thumbnails) that were also objected to, however, the Federal Court of Justice held that the defendant was obliged to delist them: displaying the plaintiffs’ photos on their own, without any context, was not meaningful and was not justified.

(Christina Prowald)

OLG Frankfurt: Injunctive relief for private individuals

On March 30, 2023, the Higher Regional Court of Frankfurt ruled that a data subject whose data was transmitted to a third party in an unlawful manner is not entitled to injunctive relief (OLG Frankfurt, decision dated 30.3.2023 - Ref. 16 U 22/22, GRUR-RS 2023, 9321). Such a claim under Article 82 GDPR only exists if the data subject has suffered damage and the infringing act or the condition created in breach of duty is still ongoing. Recourse to injunctive relief under national law is not possible.

In the underlying case, the plaintiff asserted a claim for injunctive relief against the operator of an online store due to, among other things, the integration of various third-party tools into the store without corresponding consent. The plaintiff demanded that the defendant cease and desist from embedding certain services in the website in such a way that data is transmitted to the respective operator of the service when the page is called up, where this is done without consent. The lower court dismissed the action.

The OLG Frankfurt agreed with the opinion of the lower court and based its decision on the fact that the GDPR does not provide for an individual claim for injunctive relief. A claim to cease and desist from the transfer of data to third parties could also not result from Article 17 GDPR. A possible claim under Article 82 GDPR is ruled out for the simple reason that no damage has occurred. Recourse to provisions of national law is also not possible, since the provisions of the GDPR constitute a final regulation. There is no opening clause for this case.

(Christina Prowald)

LG Köln: Integration of Google Analytics on Telekom website illegal

On March 23, 2023, the Regional Court of Cologne ruled that the integration of Google Analytics on Telekom’s website is unlawful because it results in a transfer of data to the United States without adequate safeguards (LG Köln, decision dated 23.3.2023 - Ref. 33 O 376/22).

The Court first determined that the transmitted IP addresses were personal data. It also held that an adequate level of data protection was not guaranteed in the USA. The data transfer could not be justified by the mere conclusion of standard contractual clauses, as these did not guarantee a level of data protection equivalent to the GDPR and did not protect against access by US authorities; moreover, no supplementary measures had been implemented. Since data subjects were not informed in the privacy notice about the transfer of their data to Google in the USA, consent was also ruled out as a legal basis for the transfer.

The court also criticized the cookie banner used by Telekom. It pointed out that consent is only voluntary if the consumer has a genuine choice and is not steered towards consent by the design of the banner. While the option to accept the cookies was designed prominently as an eye-catcher, the option to reject them was hidden in the body text. In the court’s view, such a design is not equivalent in size, shape and presentation and therefore does not offer an equivalent choice. Moreover, a “Change settings” button is not an unambiguous indication of an alternative option for rejection. Where consumers are confronted with an “Accept all” button and only a vaguely defined configuration option, clicking “Accept all” does not constitute a free choice between two declarations of intent.

(Christina Prowald)

LG Heidelberg: Joint responsibility of Google Ireland in the event of claims for deletion

The Regional Court of Heidelberg is of the opinion that Google Ireland is jointly responsible for the display of search results and can therefore also be held liable in the event of requests for deletion (LG Heidelberg, decision dated 31.3.2023 - Ref. 6 S 1/22, GRUR-RS 2023, 6833).

The court found that the activities of a search engine, which the ECJ has classified as processing of personal data, are divided between Google LLC and Google Ireland. While Google LLC finds, indexes, stores and ranks the data, Google Ireland makes the information available to users in the EEA and Switzerland under Google’s terms of use. In light of the broad concept of processing, Google Ireland is therefore to be regarded as a co-operator of the search engine and a joint controller in this respect.

(Christina Prowald)

Ireland: Fine of 1.2 billion euros imposed on Meta

On May 12, 2023, the Irish Data Protection Commission (DPC) concluded its investigation into Meta Platforms Ireland Limited and, among other things, imposed a fine of 1.2 billion euros on the company (press release dated 22.05.2023). The sanction imposed by the DPC is the highest GDPR fine to date.

The investigation focused on the legal basis on which Meta transfers personal data to the USA in connection with the provision of its Facebook service. The DPC found that Meta infringed Article 46 (1) GDPR by continuing to transfer personal data from the EU/EEA to the USA after the ECJ’s Schrems II decision. It also found that the standard contractual clauses used by Meta, even in combination with the supplementary measures the company had taken, were not sufficient to address the risks to the fundamental rights and freedoms of data subjects identified by the ECJ.

The investigation had been initiated in August 2020 and was subsequently suspended by a decision of the Irish High Court until May 2021. In July 2022, the DPC submitted a draft decision, which was circulated to the supervisory authorities of the other member states under the cooperation procedure of Article 60 GDPR. As no agreement could be reached on the measures to be imposed on Meta, the European Data Protection Board (EDPB) was called upon in a dispute resolution procedure under Article 65 GDPR. On the basis of the EDPB’s binding decision, the DPC has now ordered Meta to suspend future data transfers to the USA within five months and to bring its processing operations into compliance with Chapter V of the GDPR by ceasing the unlawful processing within six months, in addition to imposing the fine of 1.2 billion euros.

Meta has already announced that it will challenge the DPC’s decision, arguing that the issues at stake are not a problem specific to Facebook but a fundamental legal conflict between US rules on government access to data and European data protection law (statement dated 22.5.2023).

(Christina Prowald)

United Kingdom: Fine against TikTok for processing data of minors

The U.K. Information Commissioner’s Office (ICO) fined TikTok Information Technology UK Limited 12.7 million pounds (14.5 million euros) on April 4, 2023 for unlawful use of children’s personal data (ICO notice dated 4.4.2023).

In 2020, the company had allowed up to 1.4 million children under the age of 13 to create a TikTok account, even though the app’s own rules do not permit this. In addition, children’s data had been used without their parents’ consent. TikTok had not implemented sufficient controls to identify and remove accounts of underage users, and users of the platform were not provided with adequate and easily understandable information on how their data is processed.

John Edwards, the UK Information Commissioner, made the following comments: “There are laws in place to ensure that our children are as safe in the digital world as they are in the real world. TikTok has not complied with these laws.” According to the regulator’s assessment, these requirements have not been met. “TikTok should have known better. TikTok should have done better. Our 12.7 million pound fine reflects the serious impact their failings may have had. They didn’t do enough to check who was using their platform or take sufficient action to remove the underage children using their platform.”

(Christina Prowald)

Austria: Decision against Clearview AI

On May 10, 2023, the Austrian supervisory authority issued a decision against facial recognition company Clearview AI (notice dated 12.5.2023).

The company maintains a database of facial images collected by web scraping from public sources such as websites and social networks. It markets access to this database as a search engine in which a person can be looked up using a photo; the service is offered in particular to law enforcement agencies. The profiles created by AI systems on the basis of biometric data can also be enriched with further information linked to the respective images.

In the underlying proceedings, the complainant discovered that his data was also being processed by Clearview AI and filed a complaint with the Austrian supervisory authority. The authority found that Clearview AI had violated various provisions of data protection law, including the principles of lawfulness and transparency, purpose limitation, and data minimization. There was no legal basis for the processing of special categories of personal data, and the processing of the other personal data also lacked a valid legal basis, as the company had no overriding legitimate interest in it. Clearview AI was therefore ordered to delete the complainant’s data and to appoint a representative in the European Union.

Other European supervisory authorities, including those in Italy and France, have previously investigated and issued decisions against the company.

(Christina Prowald)