Olswang Germany IT and Data Protection Newsletter - Summer Edition 2014

Germany

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

Content:

I. Canvas Fingerprinting - Tracking without Cookies
II. District Court of Berlin: WhatsApp must provide terms and conditions in German, and improve the legal notice
III. "No-Spy decree" of the German Federal Ministry of Interior requires guarantee in procurement procedures
IV. German Supreme Court: Collection of minors' personal data for marketing purposes in the course of a competition is not permitted
V. ECJ: Copies on the user's computer screen as well as in the 'cache' of a computer's hard disk, created in the course of viewing a website, do not infringe copyright

I. Canvas Fingerprinting - Tracking without Cookies

(von Carsten Kociok)

Researchers at Princeton University (USA) and KU Leuven University (Belgium) have documented in a recently published study that a new and, until now, widely unnoticed user-tracking technology has been used on 5.5% of the 100,000 most visited websites which users can hardly defend: canvas fingerprinting.

The technology makes the user's browser leave a "browser fingerprint" which is invisible for the user and composed of individual features that depend on various factors such as the operation system, the screen resolution, the font type and the browser version of the user's device. Due to its individuality the "fingerprint" makes it highly likely that the user can be recognized when visiting other websites.

As the tracking-technology operates without cookies, it is, depending on the individual technological features used for the fingerprinting, not subject to cookies law. However, the user must be notified by the operator of the website in advance of the tracking (sec. 13. para. 1 Telemedia Act) and user profiles may only be created if certain strict conditions are met (sec. 15 para. 3 Telemedia).

Conclusion: The study shows that functioning tracking-technologies do not necessarily need to be based on cookies. However, this does not mean that canvas fingerprinting is operating in a legal vacuum, even though the legal boundaries are somewhat more relaxed compared to cookies.

II. District Court of Berlin: WhatsApp must provide terms and conditions in German, and improve the legal notice

(von Christian Leuthner)

The District Court of Berlin has ruled (Decision of May 9, 2014 - AZ.: 15 O 44/13) that instant messaging provider WhatsApp must provide terms and conditions in German and must also provide for a legal notice (sec 5 Telemedia Act) on the Website www.whatsapp.com ("Website").

Users must accept the terms and conditions to be able to use the app. However, although the Website is addressed to German users and most of the content is available in German, the terms and conditions are only available in English. A legal notice is missing, besides a contact form. The District Court of Berlin decided: Website providers cannot assume that their German customers understand English language terms and conditions, in particular the legal terms contained therein.

Conclusion: Although the decision is not a big surprise it illustrates that entrepreneurs around the globe must comply with German consumer laws when dealing with German customers. This case and recent cases against Apple and Samsung show that consumer laws are actually enforced before courts, mainly by consumer protection agencies.

III. "No-Spy decree" of the German Federal Ministry of Interior requires guarantee in procurement procedures

(von Dr. Andreas Splittgerber)

On April 30, 2014 the German Federal Ministry of the Interior published its administrative no-spy guidance. It provides that bidders in (mainly IT) tender procedures of the German Federal Government with possible security relevance have to declare the following:

Bidders must declare that they are legally and factually capable of treating all confidential information confidentially, which includes not passing such information to third parties. The declaration does not apply where bidders are under a legal obligation to disclose such information. However, obligations towards foreign security authorities fall outside the scope of this exception and the declaration applies.

Generally and with a view to the NSA scandal, the decree is a step into the right direction. However, it is rightly criticized, for example also by the Germany Federal Association for Information Technology (BITKOM). Main aspects of the criticism are the broad definition of "possible security relevance" and of "confidential information". Also, the decree should provide for special provisions for multinationals and subcontractor situations.

Conclusion: Keep your eyes open in German procurement proceedings! This is a new stumbling block that will have legal implications for bidders and likely will also have economic implications for bidders as well as the German Government. We expect that similar rules will be implemented also on a federal basis.

IV. German Supreme Court: Collection of minors' personal data for marketing purposes in the course of a competition is not permitted

(von Lena Kroesen)

The German Supreme Court has ruled (decision of January 22, 2014 - Ref: I ZR 218/12) that a minors' consent to marketing activities in connection with a competition is anti-competitive and therefore not valid.

The defendant had distributed cards for a raffle in the course of a trade fair which was primarily directed at children. The children were asked to provide extensive personal data on the back of the cards and to consent to use of their personal data for marketing purposes. The Supreme Court ruled that the link between this consent and the participation in the raffle took unfair advantage of the inexperience in business matters of the minors aged under 18 ( sec. 4 no. 2 Act against Unfair Competition). The court argued that minors are not sufficiently able to appreciate the consequences of disclosing personal data in this situation.

Conclusion: The Supreme Court has clearly rejected the collection of minors' personal data for advertising purposes in connection with raffles, thereby creating legal certainty. It should be noted that the collection of minors' data for the sole purpose of carrying out the raffle and which is essential in this context remains permissible. As a rule, raffles constitute a merely unilateral legal transaction, meaning minors can generally participate in these. However, the effectiveness of the consent as required by data protection law and of the terms and conditions for participation depends on the minors' cognitive capacity in the individual case.

V. ECJ: Copies on the user's computer screen as well as in the 'cache' of a computer's hard disk, created in the course of viewing a website, do not infringe copyright

(von Anne Brandenburg)

The ECJ ruled ( decision of June 5, 2014, C-360/13 - Public Relations Consultants Association Ltd vs. Newspaper Licensing Agency Ltd i.a.) that the mere viewing of copyright protected works on a website does not require a license by the copyright holder. Copies that are created on the user's computer screen and in the cache of the computer made by an end-user in the course of viewing a website are subject to the exception of art. 5 para. 1 and 5 of the Directive 2001/29/EC.

The ECJ had to decide if copies were temporary as well as transient or incidental in nature and constituted an integral and essential part of a technological process. The ECJ confirmed all these requirements and stated that this finding would not conflict with the normal exploitation of a work. And as the copyright holder already agreed that its work was made available on the Internet in the first place, the legitimate interests of the copyright holders concerned would also be properly safeguarded.

Conclusion: This ruling could have an impact on the assessment of Internet streaming as the court clarified that the transient view of copyright protected works via internet does not constitute a copyright infringement. However, for a full assessment of streaming also the further requirements of art. 5 para. 1 of the Directive 2001/29/EC would have to be fulfilled. If this is the case however, and this seems rather disputable, at least if the works streamed have been made available without permission of the copyright holder.

For more information please contact Andreas Splittgerber