1. Cookie Update 1: EDPB published report of the work undertaken by the Cookie Banner Taskforce
by Florian Schwind
On January 18, 2023, the European Data Protection Board (EDPB) published and adopted the report of the Cookie Banner Taskforce. In addition to demonstrating the common views of the supervisory authorities, the report occasionally shows where their views differ. The report criticizes in particular deceptive link design, for example, where the decline option is hidden in a paragraph of text in the cookie banner. In addition, the report discusses in detail the design of cookie banners and concludes that it is always necessary to consider each banner on a case-by-case basis and that a standardized color scheme is not possible for all controllers.
Conclusion: Controllers should read the report, reassess their current cookie banner, and consider the possibility of revising it. Read more on our blog.
2. Cookie Update 2: guidance for telemedia operators (Cookie Guidance) by the German supervisory authorities: final, but not really practical
by Dr. Andreas Splittgerber
The German supervisory authorities (DSK) published an updated and final version of their Cookie Guidance at the end of 2022. The DSK had shared the draft version one year ago and invited stakeholders to comment. These comments and the DSK’s answers are available in a separate paper, which is helpful when diving deeper into certain questions. The updated Cookie Guidance is a bit more practical than the draft, but in many passages, it is still too abstract (for example, it does not provide practical guidance for if and when statistic or analytics cookies can be used without consent).
Conclusion: Even if the Cookie Guidance does not always provide practical guidance, website and app operators that address German users will have to use this document as a benchmark – together with the recently published and similar EDPB report (see above, Cookie Update 1). Authorities in other EU member states follow similar approaches, as can be seen from the recent €5 million fine imposed by the Commission Nationale Informatique & Libertés (the National Commission for Data Protection) against TikTok for not providing a clear cookie decline button.
3. Cookie Update 3: regional Court Munich I: design of a Cookie Banner
by Sven Schonhofen, LL.M.
The Regional Court Munich I addressed the design of consent in a cookie banner in its November 29, 2022 judgment (docket no.: 33 O 14766/1). In the cookie banner that the court reviewed, users had the options in the first layer to either accept the use of cookies by clicking on the “Accept” button or to click on “Settings” to access the second layer. In the second layer, users could make individual settings for 100 third-party providers and could choose between the visually highlighted buttons – “Accept all” and “Save selection” – as well as the “Reject all” link in a pale font. The court held that there was a lack of voluntary consent because users could not use the website without interacting with the cookie banner: rejecting cookies required a considerable additional effort, while the consent buttons were clearly highlighted in color.
Conclusion: The Regional Court Munich I follows the opinion of some data protection authorities: in addition to an “Accept” button, rejecting cookies must be possible without additional effort, i.e., with the same number of clicks. Companies should check their cookie banners against this requirement.
4. Data transfers: draft adequacy decision for the United States
by Christian Leuthner
The European Commission issued a draft adequacy decision for the EU-U.S. Data Privacy Framework on December 13, 2022. In light of the executive order issued by President Biden on October 7, 2022 (Executive Order), the European Commission is of the opinion that the level of data protection in the United States is comparable to that in the EU. In particular, EU data subjects would now have several means of seeking a remedy against unlawful data processing (e.g., an arbitration board and a dispute resolution procedure). In addition, the Executive Order limits access to data for law enforcement and national security purposes to an appropriate level and provides for adequate judicial review of data processing should data subjects complain. The draft is now under consultation with the EDPB and the representatives of the member states.
The criticism already expressed that the Executive Order does not appropriately address the concerns raised by the Court of Justice of the European Union (CJEU) carries over to the adequacy decision. Max Schrems/NOYB has already announced the possibility of taking legal steps. The Hamburg Data Protection Authority has offered a ray of hope in its statement regarding the Executive Order, which calls for a well-founded and open-ended examination.
Conclusion: The new adequacy decision is a positive development, and a quick implementation would bring legal certainty with regard to international data transfers, despite possible proceedings before the CJEU.
5. CJEU: the data subject’s access right includes the disclosure of the specific recipients
by Florian Schwind
The CJEU has strengthened the right of access under article 15 of the GDPR. In its judgment of January 12, 2023 (docket no. C-154/21), the CJEU ruled that article 15(1)(c) of the GDPR must be interpreted in such a way that not only the categories of recipients are to be disclosed, but the specific recipients must also be named. This applies regardless of whether the personal data has already been or will be disclosed to these recipients. Only if it is impossible to disclose the specific identity of the recipients, or if the access request is found to be manifestly unfounded or excessive, does an exception apply, in which case the disclosure of the categories is sufficient.
Conclusion: Controllers must be able to name the specific recipients in the context of a data subject access request, and they should prepare themselves accordingly for these increased requirements.
6. CJEU’s advocate general issues opinions on the GDPR’s right of access to personal data
by Dr. Thomas Fischl
In a referral to the CJEU (docket no. C-579/21), the advocate general recommended in his opinion of December 15, 2022 that the information to be provided in response to an access request does not include information available to the controller about the identity of those employees who, under the supervision and instruction of the controller, have accessed the personal data of the data subject. The case concerned an access request from an employee of a bank who also maintained his account with his employer. In the context of his access request, the question was also whether the right to information about one's own personal data includes information about who accessed this data, when it was accessed, and for what purpose.
Conclusion: In the event that the CJEU follows the opinion of the Spanish advocate general, it would thus be clear that employees within a controller do not qualify as recipients under the GDPR. Consequently, they would not have to be named in the context of a claim for information under article 15 of the GDPR.
7. Celle Court of Appeals: the right of access under the GDPR may also be used for purposes unrelated to data protection
by Tim Sauerhammer
With the December 15, 2022 ruling of the Celle Court of Appeals (docket no. 8 U 165/22), there is a new decision on the controversial question of the extent to which article 15 of the GDPR (right of access) can be used to pursue goals that are not related to data protection (in this case, obtaining information from a private health insurance company about insurance premium increases made in the past). Although the objective was not related to data protection, the request was not considered manifestly unfounded or excessive, because, in the court's view, such requests are not made frequently. Further, according to the judges, the motivation of the claimant was irrelevant. The ruling goes against a number of Regional Court decisions that held such a request to be an abuse of rights – e.g., most recently, the Magdeburg Regional Court ruling of November 17, 2022 (docket no. 11 O 466/22) and the Gießen Regional Court ruling of September 8, 2022 (docket no. 2 O 186/22).
Conclusion: Case law on the legality of access requests for purposes other than data protection remains inconsistent, and claimants should conduct a pretrial tactical analysis.
8. CJEU: search engine must delete incorrect information from search results
by Friederike Wilde-Detmering, M.A.
The CJEU ruled in a judgment dated December 8, 2022 (docket no. C-460/20) that search engine operators must “de-list” information from search results if the information is proven to be obviously incorrect. According to the CJEU, in order for the right of personality of the person concerned to be adequately protected, the person only has to provide the evidence that can reasonably be required of them; this cannot extend to requiring them to produce a judicial decision as evidence. On the other hand, the search engine operator is not obliged to cooperate in the search for facts that prove the incorrectness.
Conclusion: The decision of the CJEU illustrates that the right to protection of personal data must be weighed against other fundamental rights (in this case, the fundamental right to freedom of information) on the basis of evidence, while respecting the principle of proportionality. The evidence must make the incorrectness of the information obvious, but no excessive requirements may be placed on its provision.
9. Nuremberg-Fürth Regional Court: e-mail advertising following a purchase of goods requires consent where the underlying order has already been cancelled
by Dr. Alexander Hardinghaus, LL.M.
In its decision of September 21, 2022 (docket no. 4 HKO 655/21), the Nuremberg-Fürth Regional Court ruled that the statutory exemption from the general consent requirement for e-mail marketing in section 7(3) of the German Act against Unfair Commercial Practices (UWG) – which may be available where a business relationship exists between the sender and the recipient of the marketing e-mail and similar products are being advertised – does not apply if the only order establishing the business relationship has been cancelled. Furthermore, the court held that there was no similarity between the FFP3 masks originally ordered and the protective products subsequently advertised (helmets, hearing protection, safety shoes).
Conclusion: German courts tend to interpret the statutory exemption in section 7(3) UWG narrowly. In the vast majority of cases, direct marketing by e-mail is only possible with the recipient’s prior consent.
10. German supervisory authorities: effects of the new consumer provisions on digital products in the German Civil Code on data protection law
by Joana Becker
In October 2022, the German supervisory authorities (DSK) published a new resolution on the impact of the new consumer regulations on digital products in the German Civil Code (BGB) on data protection law.
In its resolution, the DSK addresses in particular the “pay with data” model that has already been practiced for a long time by platforms, social media, and search engines. The new provisions of the BGB are only applicable if a contract for digital products has actually been concluded. According to the DSK, not every use of a website can be seen as the conclusion of such a contract. If the new consumer regulations can be applied, however, they do not affect the provisions of the GDPR.
Conclusion: In practice, it must be carefully examined whether the new regulations apply at all. In any case, the applicability of the new provisions does not replace the examination of the lawfulness of data processing under the GDPR.
11. Petersberg Declaration of the German supervisory authorities: demands and recommendations for health data protection in scientific research
by Irmela Dölle
With the Petersberg Declaration on data protection-compliant processing of health data in scientific research, the German supervisory authorities (DSK) made the following specific demands on November 24, 2022: (1) data subjects must always be involved, even if a legal basis exists; (2) particularly far-reaching protective measures are required if researchers link personal data from different databases; (3) introduction of a central register for more transparency and avoidance of duplications; (4) introduction of research secrecy with the aim of making unauthorized disclosure of research data a punishable offense; and (5) introduction of new powers for data protection authorities (immediate enforcement of measures).
Conclusion: In addition to general principles, the DSK primarily addresses legislators and calls on them to act in the area of health data protection.
12. Cologne Regional Court: no required customer password request in the context of the termination button
by Florian Schwind
In its decision dated July 29, 2022 (docket no. 33 O 355/22), the Regional Court of Cologne ruled that a consumer may not be required to provide their customer password as part of the two-step termination process of the termination button. Pursuant to section 312k(2) of the German Civil Code (Bürgerliches Gesetzbuch, BGB), companies that enable the conclusion of contracts with continuing obligations via their website are obliged to provide consumers with the option of declaring termination, with or without notice, through a termination button. According to the Cologne Regional Court, however, a mandatory request for the customer password creates a hurdle for the consumer that is not provided for by law and is likely to deter the consumer from terminating the contract.
Conclusion: When setting up the termination button, companies should carefully observe the requirements of section 312k BGB and, at the same time, always keep in mind the purpose of this change in the law – making termination as simple as possible for the consumer – to minimize the risk of a warning letter.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy, and security; data risk management; intellectual property; social media; and more. Recent episodes have covered the metaverse, unified patent court, and eComms compliance.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.