In an order with immediate enforcement, Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), has prohibited Facebook Ireland Ltd. from further processing WhatsApp user data in Germany, if this is done for their own purposes. As part of the emergency procedure under Art. 66 GDPR already discussed on this blog, this measure will remain valid for three months in the respective territory. In light of this short time frame, the Commissioner’s aim is to refer this issue to the European Data Protection Board (EDPB) in order to find a solution on a European level.
In the last months, WhatsApp had requested their users to agree to the new terms and conditions of use and privacy by May 15, 2021. With the new privacy terms and conditions, WhatsApp would receive wide-ranging data processing powers. This applies, among other things, to the evaluation of location information, the transfer of personal data to third-party companies including Facebook and cross-company verification of the account. Furthermore, the companies’ legitimate interest for data processing and transfer is brought forth in a blanket manner – even with regard to underage users.
After Facebook had announced the new terms and conditions at the beginning of this year, a discussion arouse. As a result, the company decided to postpone the introduction to May. With many million Whatsapp users in Germany alone, Johannes Caspar now stressed the importance of having functioning institutions in place, in order to prevent the misuse of data power. At this point, Caspar could not exclude, that the data-sharing provisions between WhatsApp and Facebook would be enforced illegally, due to the lack of voluntary and informed consent. In order to prevent a potentially unlawful exchange of data and to put an end to any impermissible pressure on users for giving their consent, the formal administrative procedure was initiated.
Based on Art. 66 GDPR (“exceptional circumstances”), the emergency procedure is aimed at the European headquarters in Ireland. The American company is given the opportunity to state its position, whereby it can be expected that Facebook will consider the adjustments to be sufficient. However, the Hamburg data protection authorities had already issued an injunction against such data matching in 2016. Although Facebook took legal action, the company did not prevail in court (OVG Hamburg, February 26, 2018 – 5 Bs 93/17 – K&R 2018, 282).
The outcome of the proceedings in Hamburg is eagerly awaited since it may have an impact on the entire European market, given the direct applicability of Art. 66 GDPR in the different Member States. Although the decision from 2018 could delineate a trend, the outcome is open.
In a case concerning damages for unwanted email advertising as a data protection violation, the Federal Constitutional Court in Germany (BVerfG) recently ruled, that the European Court of Justice (ECJ) has to decide on the interpretation of the prerequisites and scope of Art. 82 (1) GDPR. It has to be clarified how Art. 82 (1) GDPR is to be interpreted against the background of Recital 146. In other words, under which conditions the article would grant a claim for monetary compensation.
The plaintiff, a German lawyer, had received one (!) unintentional advertising email and sued for injunctive relief, access to the stored data and damages of at least 500 €. Whilst the District Court of Goslar (September 7, 2019 – Case No. 28 C 7/19) upheld the claim for injunctive relief and access, it refused to award immaterial damages. The judges claimed that these were not evident. Hence, the threshold for a monetary compensation for a violation of personality rights had not been exceeded. In response, the plaintiff decided to file a constitutional complaint, arguing that the decision of the District Court violated his right to the lawful judge of Article 101 (1) sentence 2 of the German Basic Law (GG). He claimed that the District Court had wrongly refrained from submitting the question of the threshold for GDPR damage claims to the ECJ for a preliminary ruling.
In the ruling of the BVerfG, the judges now emphasized that the claim for damages under Art. 82 GDPR may not be denied just because of a minor or trivial loss. The Federal Constitutional Court underlined in fact, that the District Court would have had to make a preliminary reference to the ECJ beforehand. Hence, the plaintiff’s right to the lawful judge according to Article 101 (1) sentence 2 of the German Basic Law (GG) had been violated: the District Court did not comply with the obligation to refer the matter to the ECJ by way of preliminary ruling proceedings pursuant to Article 267 (3) of the Treaty on the Functioning of the European Union (TFEU). The District Court disregarded this obligation by interpreting European Union law itself.
The court in Goslar must now decide anew and it can be assumed that the judges will refer the questions to the ECJ. It is to be hoped, that the European judges will define a de minimis threshold for damages due to data protection violations. At the same time, clarification of all underlying issues is not expected. However, general principles of high practical relevance can be laid down, already discussed in literature and case law.
German Federal Constitutional Court, Decision of the 2nd Chamber of the First Senate, January 14th 2021, 1 BvR 2853/19 -, 1–24