HmbBfDI vs. WhatsApp: an Update

In an order with immediate enforcement, Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), has prohibited Facebook Ireland Ltd. from further processing WhatsApp user data in Germany, if this is done for their own purposes. As part of the emergency procedure under Art. 66 GDPR already discussed on this blog, this measure will remain valid for three months in the respective territory. In light of this short time frame, the Commissioner’s aim is to refer this issue to the European Data Protection Board (EDPB) in order to find a solution on a European level.

In recent months, WhatsApp had asked its users to agree to the new terms and conditions of use and privacy by May 15, 2021. With the new privacy terms and conditions, WhatsApp would receive wide-ranging data processing powers. This applies, among other things, to the evaluation of location information, the transfer of personal data to third-party companies including Facebook and cross-company verification of the account. Furthermore, the companies’ legitimate interest in data processing and transfer is invoked in a blanket manner – even with regard to underage users.

After hearing Facebook Ireland Ltd. – and notwithstanding any consent to the terms of use – the HmbBfDI believes that there is no sufficient legal basis for justifying this interference with the users’ rights and freedoms. This is especially true when considering that the data transfer provisions are unclear, misleading and contradictory. The users’ consent is neither transparent nor voluntary, since users would have to agree to the new terms in order to continue using WhatsApp.

While this close connection between the two companies was to be expected, many stakeholders find it surprising that WhatsApp and Facebook actually want to expand their data sharing. At the same time, Johannes Caspar is confident that on the basis of the GDPR procedure, he will be able to “safeguard the rights and freedoms of the many millions of users who give their consent to the terms of use throughout Germany. The aim is to prevent disadvantages and damage associated with such a black-box procedure.”

In view of the upcoming elections in Germany, it is to be hoped that – in dialog with the companies – data protection-compliant solutions will be found quickly.

Dario Henri Haux

Order of the HmbBfDI: Prohibition of further processing of WhatsApp user data by Facebook (May 11, 2021): https://datenschutz-hamburg.de/pressemitteilungen/2021/05/2021-05-11-facebook-anordnung

What’s Up, WhatsApp?!

In a GDPR urgency proceeding, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), Johannes Caspar, has taken action against Facebook. The aim of this proceeding – whose decision is expected before May 15, 2021 – is to comprehensively protect WhatsApp users in Germany, who are confronted with the company’s new terms of use. Against this backdrop, May 15 is an important deadline, since by that date users must consent to data processing by the parent company Facebook. The fear is that the data will be used in particular for marketing purposes, which goes beyond the scope of analysis and security.

After Facebook had announced the new terms and conditions at the beginning of this year, a discussion arose. As a result, the company decided to postpone the introduction to May. With many millions of WhatsApp users in Germany alone, Johannes Caspar now stressed the importance of having functioning institutions in place in order to prevent the misuse of data power. At this point, Caspar could not rule out that the data-sharing provisions between WhatsApp and Facebook would be enforced illegally, due to the lack of voluntary and informed consent. In order to prevent a potentially unlawful exchange of data and to put an end to any impermissible pressure on users to give their consent, the formal administrative procedure was initiated.

Based on Art. 66 GDPR (“exceptional circumstances”), the emergency procedure is aimed at the European headquarters in Ireland. The American company is given the opportunity to state its position, whereby it can be expected that Facebook will consider the adjustments to be sufficient. However, the Hamburg data protection authorities had already issued an injunction against such data matching in 2016. Although Facebook took legal action, the company did not prevail in court (OVG Hamburg, February 26, 2018 – 5 Bs 93/17 – K&R 2018, 282).

The outcome of the proceedings in Hamburg is eagerly awaited since it may have an impact on the entire European market, given the direct applicability of Art. 66 GDPR in the different Member States. Although the decision from 2018 could delineate a trend, the outcome is open.

Dario Henri Haux

See the media statement at: https://datenschutz-hamburg.de/pressemitteilungen/2021/04/2021-04-13-facebook

Unwanted Email Advertising: Trivial Damage or Significant Data Protection Violation?

In a case concerning damages for unwanted email advertising as a data protection violation, the Federal Constitutional Court in Germany (BVerfG) recently ruled that the European Court of Justice (ECJ) has to decide on the interpretation of the prerequisites and scope of Art. 82 (1) GDPR. It has to be clarified how Art. 82 (1) GDPR is to be interpreted against the background of Recital 146. In other words, the question is under which conditions the article would grant a claim for monetary compensation.

The plaintiff, a German lawyer, had received one (!) unwanted advertising email and sued for injunctive relief, access to the stored data and damages of at least 500 €. Whilst the District Court of Goslar (September 7, 2019 – Case No. 28 C 7/19) upheld the claim for injunctive relief and access, it refused to award immaterial damages. The judges claimed that these were not evident. Hence, the threshold for monetary compensation for a violation of personality rights had not been exceeded. In response, the plaintiff decided to file a constitutional complaint, arguing that the decision of the District Court violated his right to the lawful judge under Article 101 (1) sentence 2 of the German Basic Law (GG). He claimed that the District Court had wrongly refrained from submitting the question of the threshold for GDPR damage claims to the ECJ for a preliminary ruling.

In the ruling of the BVerfG, the judges now emphasized that the claim for damages under Art. 82 GDPR may not be denied just because of a minor or trivial loss. The Federal Constitutional Court underlined, in fact, that the District Court would have had to make a preliminary reference to the ECJ beforehand. Hence, the plaintiff’s right to the lawful judge according to Article 101 (1) sentence 2 of the German Basic Law (GG) had been violated: the District Court did not comply with the obligation to refer the matter to the ECJ by way of preliminary ruling proceedings pursuant to Article 267 (3) of the Treaty on the Functioning of the European Union (TFEU). The District Court disregarded this obligation by interpreting European Union law itself.

The court in Goslar must now decide anew, and it can be assumed that the judges will refer the questions to the ECJ. It is to be hoped that the European judges will define a de minimis threshold for damages due to data protection violations. At the same time, clarification of all underlying issues is not expected. However, general principles of high practical relevance, already discussed in literature and case law, can be laid down.

Dario Haux

German Federal Constitutional Court, Decision of the 2nd Chamber of the First Senate, January 14th 2021, 1 BvR 2853/19 -, 1–24