Wed, Dec. 27, 2017
German Law Firms Fear Compromised IT Systems
CK - Washington. For years, the federal legislator and the mandatory federal bar prepared German lawyers for the unified digital day: On January 1, 2018, they are supposed to use a new e-filing system with courts and agencies. BEA, the special attorneys' digital mailbox, was planned to be super-safe and secure.
Many attorneys had misgivings over the quality of the Java-based software, the user interface, the sufficiency of supporting central server systems for the onslaught in January, and the lack of features enabling multi-attorney firms to efficiently work with the system.
The day before Christmas Eve, all dreams were shattered when news circulated widely that the Bar as administrator of the system had not only retracted security certificates under false pretenses but also instructed all lawyers to install a new security certificate which includes both the public and the private keys, thus rendering vulnerable all systems with the diligently-installed new certificate.
Over the holidays, the news spread even wider, and by now, any decently-qualified hacker will know how to infiltrate the IT systems of many German lawyers. The Bar has limited its response to turning off the system for maintenance and issuing a misleading press release. Whether and how many law firms have suffered attacks or losses as a result of the incredible failure of the Bar is presently unknown.
Thu, Sep. 28, 2017
Privacy: Data Collection, Storage, Use, Sharing and Loss
CK - Washington. The continued Equifax data breaches that by now affect half the American population puzzle consumers who do not know if their financial and personal data are lost. By contrast, Germans and most Europeans benefit from data transparency laws designed to protect their privacy and guide all who commercially collect, store, massage and share data. A new European data directive, effective May 25, 2018, governs rights and obligations relating comprehensively to such data activities.
Consumers will receive detailed information on the intended activities when granting companies access to their data. They will receive additional disclosures after a company stores data and intends to use it for other than the original purposes. Disclosures to consumers must be clear and intelligible for a lay person. Technical or legal jargon incomprehensible to average consumers will be outlawed: The binding regulation even suggests 15 words per sentence, separated by not more than one comma. Information must be provided free of charge to the person who owns it. That alone is a far cry from the practices of some American data hoarders who persistently ignore what a Secret Service director advised more than a decade ago: Don't hoard data because they leave you and all Americans vulnerable.
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known in German as Datenschutz-Grundverordnung, lists information and reporting requirements and may increase burdens on entities that process personal data in any way. The above disclosure requirements may be more difficult than some of the other obligations, but entities with prior exposure to the data protection directive 95/46/EC, which will expire, can build on their experience.
Art. 21 defines a consumer right to object meaningfully to the collection of data, and Art. 35 requires the notification of consumers following a risk-intensive data breach. A key objective is the assurance of disclosures at the earliest possible time and by active conduct of the data collector and processor.
In addition to active disclosures, consumers have a right to passive or responsive action by the data holders. The latter must respond to consumer inquiries about data held or transferred as well as requests to transfer data.
The European Union expects to achieve additional transparency and compliance by establishing reporting requirements. Beneficiaries may be government agencies but third parties may also benefit, such as under the right-to-forget rules in Art. 17(2) about expunging published data.
The regulation may be implemented differently in the various E.U. member states. Whatever the national implementation, companies involved in the collection, storage, processing and dissemination of consumer data need to consider the fundamental-right statement at the beginning of the new regulation:
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union … and Article 16(1) of the Treaty on the Functioning of the European Union … provide that everyone has the right to the protection of personal data concerning him or her.
Germany has some of the strictest substantive and procedural data protection systems, and the E.U. update will likely enhance the comprehensive consumer data scheme. This summer, German law journal Kommunikation & Recht published some articles from a conference on data protection on the regulation, including Transparenz als Herausforderung: Die Informations- und Meldepflichten der DSGVO aus Unternehmenssicht by attorneys Michael Kamps and Florian Schneider.
Sun, Sep. 24, 2017
Privacy: Lawyers to Outsource Cloud, Office Services
CK - Washington. Beyond the confines of privacy laws, criminal law and professional codes constrain the disclosure of data by lawyers and other professionals. In light of §203 of the Criminal Code, professionals may be prosecuted for outsourcing janitorial work, secretarial help and certainly uploading client data to cloud services.
On September 22, 2017, the second chamber in the German parliamentary system, Bundesrat, composed of representatives of the 16 states, consented to a change already passed in the Federal Diet, Bundestag, in Berlin. The long title of the new statute, Gesetz zur Neuregelung des Schutzes von Geheimnissen bei der Mitwirkung Dritter an der Berufsausübung schweigepflichtiger Personen, is descriptive: Statute to update the protection of secrets with the participation of third parties in the exercise of the profession by persons bound to secrecy.
The statute amends §203 and guides access to data by employees and third parties who assist professionals. Such persons will be subject to the same constraints as the professions that engage them, for disclosures of protected information learned in providing their services. In addition, the statute imposes on the professionals certain obligations to safeguard the information in relation to their help.
Sat, Sep. 23, 2017
No Copyright Infringement in Image Search
LB - Washington. Displaying third-party thumbnail-size images on a website does not result in a copyright infringement when a search engine displays them, the German Supreme Court for Civil Matters in Karlsruhe decided in Perfect 10 v. AOL Deutschland on September 21, 2017.
The defendant offered a free image research feature and linked its website to the Google search engine. Visitors would click on the defendant's URL and use the search input field. Google had found some images on freely accessible websites and displayed them as thumbnails, and the defendant AOL showed these on its site. Some images found by Google had been downloaded illegally by plaintiff's clients who uploaded them to different unrestricted sites.
The plaintiff alleged that the defendant infringed its copyright by displaying images it found on such sites and argued that §15(2) of the German Copyright Act affords the copyright holder an exclusive right to reproduce images in public. Whether or not the works were freely accessible should not be determinative.
The court rejected these arguments, explaining that §15(2) of the German Copyright Act implements Art. 3(1) of the European Guideline 2001/29/EG. The European Court of Justice had decided that a public reproduction assumes knowledge or that a publisher must have known of an illegal publication. The German court based its decision on freedom of speech grounds, informational concepts and the need for reliable links as important elements of the exchange of information on the internet. These considerations apply also to links which provide access to search engines. The plaintiff had failed to prove that the defendant had to know of the illegality. The standard refutable presumption of scienter would not apply to search engines and to links to them. Search engines are too important for the functionality of the internet. Their providers cannot be expected to examine the legality of all results within an automated search process, the court reasoned.
The decision may affect a new Google feature. Since 2017, it displays not only thumbnails but also full-size images. The Court issued a press release, and the full decision should follow within a few months.
The German American Law Journal previously reported about similar decisions and legal issues in the United States, see Kochinke, Texte aus Webseite schürfen: Fair Use?, Mittelstädt Verstößt die Bildersuche von Google im Internet gegen Urheberrecht?, and Kochinke Google liefert Kode, nicht Bilder.
Sat, Aug. 12, 2017
Old Age Clause in CEO Employment Pact
SFe - Washington. A German private limited company hired a chief executive officer with a fixed-term employment contract that ran through 2018 but terminated him in 2016 at age 60 under a retirement age clause in the same contract.
The CEO sued, claiming a violation of sections 1 and 7(1) of the General Equal Treatment Act. The statute is fairly new and lacks precedential construction on the issue. On June 29, 2017, the Court of Appeal, Oberlandesgericht, in the Hamm district decided in the matter 8 U 18/17 that the contractual retirement age clause was compatible with the anti-age-discrimination statute. It determined that the parties had reasonably considered the age issue in the context of the plaintiff's eligibility for a company pension on termination.
In general, top management enjoys less protection than other employees, so company interests may legitimately outweigh the employee's interests. The court did not address the issue whether the AGG applies to top management or only their subordinates because it would not have changed the outcome in this dispute. However, the court granted leave to appeal its decision to the German Supreme Court for Civil Matters in Karlsruhe, where it is docketed as BGH II ZR 244/17.
Tue, Aug. 01, 2017
The Danger of Electronic Surveillance of Staff
Poisonous Digital Harvest
SFe - Washington. The top German court for employment matters in Erfurt examined whether an employer may electronically monitor its employees, using a keylogging system. It published its decision on July 27, 2017 in the matter 2 AZR 681/16. The defendant employer had installed keylogging spyware on all of its computers in order to observe their use by its staff whom it had informed about the measure. A dismissed staffer sued the company whose spyware proved that the plaintiff had used its computer extensively for personal matters during working hours.
The German Supreme Court for Employment Matters, Bundesarbeitsgericht, decided that the generalized, non-specific surveillance of employees violates the right of privacy in Art. 2(I) of the German Federal Constitution in conjunction with its Art. 1(I) when the employer lacks reasonable cause to suspect a violation of work rules which relates to §32(I) of the Federal Data Protection Statute. An employer needs a reasonable suspicion that the employee commits an offense or another serious violation. The disputed matter lacked a specific cause so that the dismissal was void, as the digital harvest was poisonous.
At first glance, German and American Federal Law seem to converge in the area of privacy at the place of employment. In New Orleans, the United States Circuit Court of Appeals for the Fifth Circuit had decided on July 25, 2017 in T-Mobile USA Inc. v. NLRB with a similar result. However, the context in the T-Mobile case was different: Some monitoring is illegal when it impacts unionization efforts.
Sat, Jan. 28, 2017
New E.U. Vendor ADR Rule Now Binding in Germany
CK - Washington. Starting February 1, 2017, vendors are required to incorporate in websites and sales terms a new statement expressing their intent to participate in, or reject, formal non-binding dispute resolution programs with consumers to settle consumer disputes. The German Statute for Alternative Dispute Resolution in Consumer Matters, known as VSBG, implements E.U. rules. A failure to provide the statement can cause costly litigation under competition law if a competitor would accuse a non-compliant vendor of unfair trade practices.
The statute explains the required ADR entities in detail but does not define the terms consumer and vendor. For the latter, it uses the term enterprise, and it exempts very small vendors from its reach. In addition to private dispute resolution bodies, vendors may refer to state-established Universal State Dispute Resolution Bodies under § 28 VSBG. These bodies may charge only vendors for their services; the fees are capped at €380. They may charge consumers for abusive complaints a fee of up to €30.
Vendors offering goods or services to German consumers should consider the reach of the statute. Courts will likely consider it enforceable on vendor-consumer contracts even if a vendor is located outside of Germany. The requirements on vendors are not particularly burdensome but demand some attention because the vendor, under § 36 and § 37 VSBG, needs to:
1. State whether it agrees to participate in mediation or not, or whether it is required to participate or not;
2. If it agrees to participate, state the mediation body to which it will submit, and must then participate in the proceeding and bear its cost;
3. If it uses a website, publish the statement on the site;
4. If it uses form contracts or general terms and conditions of some other nature, include the statement therein;
5. Once a dispute arises that it and the consumer cannot resolve, notify the consumer of the mediation body and whether or not it will participate in a mediation proceeding.
The proceeding targets a non-binding alternative resolution that will not bar litigation or arbitration. Submissions to the mediation body may be in digital form. Parties cannot be required to appear in person. The mediator may conduct telephone conferences. Mediation rules are to respect due process. The default language of the proceeding is German but the parties may agree on another language.