Tue, Dec. 26, 2017

German Law Firms Fear Compromised IT Systems

CK - Washington.   For years, the federal legislator and the mandatory federal bar prepared German lawyers for the unified digital day: On January 1, 2018, they are supposed to use a new e-filing system with courts and agencies. BEA, the special attorneys digital mailbox, was planned to be super-safe and secure.

Many attorneys had misgivings over the quality of the Java-based software, the user interface, the sufficiency of supporting central server systems for the onslaught in January, and the lack of features enabling multi-attorney firms to efficiently work with the system.

The day before Christmas Eve, all dreams were shattered when news circulated widely that the Bar as administrator of the system had not only retracted security certificates under false pretenses but also instructed all lawyers to install a new security certificate which includes both the public and the private keys, thus rendering vulnerable all systems with the diligently-installed new certificate.

Over the holidays, the news spread even wider, and by now, any decently-qualified hacker will know how to infiltrate the IT systems of many German lawyers. The Bar has limited its response to turning off the system for maintenance and issuing a misleading press release. Whether and how many law firms have suffered attacks or losses as a result of the incredible failure of the Bar is presently unknown.

Thu, Sep. 28, 2017

Privacy: Data Collection, Storage, Use, Sharing and Loss

CK - Washington. The continued Equifax data breaches that by now affect half the American population puzzle consumers who do not know if their financial and personal data are lost. By contrast, Germans and most Europeans benefit from data transparency laws designed to protect their privacy and guide all who commercially collect, store, massage and share data. A new European data directive, effective May 25, 2018, governs rights and obligations relating comprehensively to such data activities.

Consumers will receive detailed information on the intended activities when granting companies access to their data. They will receive additional disclosures after a company stores data and intends to use it for other than the original purposes. Disclosures to consumers must be clear and intelligible for a lay person. Technical or legal jargon incomprehensible to average consumers will be outlawed: The binding regulation even suggests 15 words per sentence, separated by not more than one comma. Information must be provided free of charge to the person who owns it. That alone is a far cry from the practices of some American data hoarders who persistently ignore what a Secret Service director advised more than a decade ago: Don't hoard data because they leave you and all Americans vulnerable.

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known in German as Datenschutz-Grundverordnung, lists information and reporting requirements and may increase burdens on entities that process personal data in any way. The above disclosure requirements may be more difficult than some of the other obligations, but entities with prior exposure to the data protection directive 95/46/EC, which will expire, can build on their experience.

Art. 21 defines a consumer right to object meaningfully to the collection of data, and Art. 35 requires the notification of consumers following a risk-intensive data breach. A key objective is the assurance of disclosures at the earliest possible time and by active conduct of the data collector and processor.

In addition to active disclosures, consumers have a right to passive or responsive action by the data holders. The latter must respond to consumer inquiries about data held or transferred as well as requests to transfer data.

The European Union expects to achieve additional transparency and compliance by establishing reporting requirements. Beneficiaries may be government agencies but third parties may also benefit, such as under the right-to-forget rules in Art. 17(2) about expunging published data.

The regulation may be implemented differently in the various E.U. member states. Whatever the national implementation, companies involved in the collection, storage, processing and dissemination of consumer data need to consider the fundamental-right statement at the beginning of the new regulation:

"The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union … and Article 16(1) of the Treaty on the Functioning of the European Union … provide that everyone has the right to the protection of personal data concerning him or her."

Germany has some of the strictest substantive and procedural data protection systems, and the E.U. update will likely enhance the comprehensive consumer data scheme. This summer, German law journal Kommunikation & Recht published some articles from a conference on data protection on the regulation, including Transparenz als Herausforderung: Die Informations- und Meldepflichten der DSGVO aus Unternehmenssicht by attorneys Michael Kamps and Florian Schneider.

Sun, Sep. 24, 2017

Privacy: Lawyers to Outsource Cloud, Office Services

CK - Washington.   Beyond the confines of privacy laws, criminal law and professional codes constrain the disclosure of data by lawyers and other professionals. In light of §203 of the Criminal Code, professionals may be prosecuted for outsourcing janitorial work or secretarial help, and certainly for uploading client data to cloud services.

On September 22, 2017, the second chamber in the German parliamentary system, Bundesrat, composed of representatives of the 16 states, consented to a change already passed in the Federal Diet, Bundestag, in Berlin. The long title of the new statute, Gesetz zur Neuregelung des Schutzes von Geheimnissen bei der Mitwirkung Dritter an der Berufsausübung schweigepflichtiger Personen, is descriptive: Statute to update the protection of secrets with the participation of third parties in the exercise of the profession by persons bound to secrecy.

The statute amends §203 and guides access to data by employees and third parties who assist professionals. Such persons will be subject to the same constraints as the professions that engage them, for disclosures of protected information learned in providing their services. In addition, the statute imposes on the professionals certain obligations to safeguard the information in relation to their help.

Sat, Sep. 23, 2017

No Copyright Infringement in Image Search

LB - Washington.   Displaying third-party thumbnail-size images on a website does not result in a copyright infringement when a search engine displays them, the German Supreme Court for Civil Matters in Karlsruhe decided in Perfect 10 v. AOL Deutschland on September 21, 2017.

The defendant offered a free image research feature and linked its website to the Google search engine. Visitors would click on the defendant's URL and use the search input field. Google had found some images on freely accessible websites and displayed them as thumbnails, and the defendant AOL showed these on its site. Some images found by Google had been downloaded illegally by plaintiff's clients who uploaded them to different unrestricted sites.

The plaintiff alleged that the defendant infringed its copyright by displaying images it found on such sites and argued that §15(2) of the German Copyright Act affords the copyright holder an exclusive right to reproduce images in public. Whether or not the works were freely accessible should not be determinative.

The court rejected these arguments, explaining that §15(2) of the German Copyright Act implements Art. 3(1) of the European Guideline 2001/29/EG. The European Court of Justice had decided that a public reproduction assumes knowledge or that a publisher must have known of an illegal publication. The German court based its decision on freedom of speech grounds, informational concepts and the need for reliable links as important elements of the exchange of information on the internet. These considerations apply also to links which provide access to search engines. The plaintiff had failed to prove that the defendant had to know of the illegality. The standard refutable presumption of scienter would not apply to search engines and to links to them. Search engines are too important for the functionality of the internet. Their providers cannot be expected to examine the legality of all results within an automated search process, the court reasoned.

The decision may affect a new Google feature. Since 2017, it displays not only thumbnails but also full-size images. The Court issued a press release, and the full decision should follow within a few months.

The German American Law Journal previously reported about similar decisions and legal issues in the United States, see Kochinke, Texte aus Webseite schürfen: Fair Use?, Mittelstädt, Verstößt die Bildersuche von Google im Internet gegen Urheberrecht?, and Kochinke, Google liefert Kode, nicht Bilder.

Fri, Aug. 11, 2017

Old Age Clause in CEO Employment Pact

SFe - Washington.   A German private limited company hired a chief executive officer with a fixed-term employment contract that ran through 2018 but terminated him in 2016 at age 60 under a retirement age clause in the same contract.

The CEO sued, claiming a violation of sections 1 and 7(1) of the General Equal Treatment Act. The statute is fairly new and lacks precedential construction on the issue. On June 29, 2017, the Court of Appeal, Oberlandesgericht, in the Hamm district decided in the matter 8 U 18/17 that the contractual retirement age clause was compatible with the anti-age-discrimination statute. It determined that the parties had reasonably considered the age issue in the context of the plaintiff's eligibility for a company pension on termination.

In general, top management enjoys less protection than other employees, so company interests may legitimately outweigh the employee's interests. The court did not address the issue whether the AGG applies to top management or only their subordinates because it would not have changed the outcome in this dispute. However, the court granted leave to appeal its decision to the German Supreme Court for Civil Matters in Karlsruhe, where it is docketed as BGH II ZR 244/17.

Mon, Jul. 31, 2017

The Danger of Electronic Surveillance of Staff

Poisonous Digital Harvest
SFe - Washington.   The top German court for employment matters in Erfurt examined whether an employer may electronically monitor its employees, using a keylogging system. It published its decision on July 27, 2017 in the matter 2 AZR 681/16. The defendant employer had installed keylogging spyware on all of its computers in order to observe their use by its staff whom it had informed about the measure. A dismissed staffer sued the company whose spyware proved that the plaintiff had used its computer extensively for personal matters during working hours.

The German Supreme Court for Employment Matters, Bundesarbeitsgericht, decided that the generalized, non-specific surveillance of employees violates the right of privacy in Art. 2(I) of the German Federal Constitution in conjunction with its Art. 1(I) when the employer lacks reasonable cause to suspect a violation of work rules which relates to §32(I) of the Federal Data Protection Statute. An employer needs a reasonable suspicion that the employee commits an offense or another serious violation. The disputed matter lacked a specific cause so that the dismissal was void, as the digital harvest was poisonous.

At first glance, German and American Federal Law seem to converge in the area of privacy at the place of employment. In New Orleans, the United States Circuit Court of Appeals for the Fifth Circuit had decided on July 25, 2017 in T-Mobile USA Inc. v. NLRB with a similar result. However, the context in the T-Mobile case was different: Some monitoring is illegal when it impacts unionization efforts.

Sat, Jan. 28, 2017

New E.U. Vendor ADR Rule Now Binding in Germany

CK - Washington.   Starting February 1, 2017, vendors are required to incorporate in websites and sales terms a new statement expressing their intent to participate in, or reject, formal non-binding dispute resolution programs with consumers to settle consumer disputes. The German Statute for Alternative Dispute Resolution in Consumer Matters, known as VSBG, implements E.U. rules. A failure to provide the statement can cause costly litigation under competition law if a competitor would accuse a non-compliant vendor of unfair trade practices.

The statute explains the required ADR entities in detail but does not define the terms consumer and vendor. For the latter, it uses the term enterprise, and it exempts very small vendors from its reach. In addition to private dispute resolution bodies, vendors may refer to state-established Universal State Dispute Resolution Bodies under § 28 VSBG. These bodies may charge only vendors for their services; the fees are capped at €380. They may charge consumers for abusive complaints a fee of up to €30.

Vendors offering goods or services to German consumers should consider the reach of the statute. Courts will likely consider it enforceable on vendor-consumer contracts even if a vendor is located outside of Germany. The requirements on vendors are not particularly burdensome but demand some attention because the vendor, under § 36 and § 37 VSBG, needs to:
1.   State whether it agrees to participate in mediation or not, or whether it is required to participate or not;
2.   If it agrees to participate, state the mediation body to which it will submit, and must then participate in the proceeding and bear its cost;
3.   If it uses a website, publish the statement on the site;
4.   If it uses form contracts or general terms and conditions of some other nature, include the statement therein;
5.   Once a dispute arises that it and the consumer cannot resolve, notify the consumer of the mediation body and whether or not it will participate in a mediation proceeding.
The proceeding targets a non-binding alternative resolution that will not bar litigation or arbitration. Submissions to the mediation body may be in digital form. Parties cannot be required to appear in person. The mediator may conduct telephone conferences. Mediation rules are to respect due process. The default language of the proceeding is German but the parties may agree on another language.
