15 June 2020

Data Blast: German court rules on long running cookie case and more…

See below for the latest Data Blast from our legal team: German court rules on long running cookie case; US class action launched over home security camera spying; Global data protection authorities establish taskforce on Covid-19 issues; Danish company fined for deleting data before responding to a Subject Access Request…

German Federal Court rules on consent for cookies and third-party advertising

On May 28th, the German Federal Court (the BGH) issued a decision in the Planet49 case (IZR 7/16), concerning the consent requirements for the use of cookies and third-party advertising.

The BGH suspended proceedings in the Planet49 case in October 2017, and submitted questions to the Court of Justice of the European Union (CJEU) regarding the interpretation of Directive 2002/58/EC (the ePrivacy Directive), Directive 95/46/EC (Data Protection Directive) and the General Data Protection Regulation (GDPR) as they relate to the effectiveness of consent to the setting of cookies using pre-ticked boxes. The CJEU answered these questions in a judgment issued in October 2019, which we previously covered here.

The Planet49 case began in 2013, when the company began running a promotional lottery game in Germany that required users to consent to the storage of cookies prior to playing, through the use of pre-ticked boxes. When a user visited a website of a registered advertising partner, the visit was recorded alongside information regarding products the user displayed interest in.

User consent to being contacted by post, phone or email by a third-party advertising partner was also sought through the use of an unchecked box; however, in order to enter the lottery, users were required to consent by checking the box. The privacy notice then referred to 57 different partner companies and the methods of communication used for advertising (email, post or phone). Users were then provided with the option to unsubscribe from receiving advertising from individual partner companies; however, users could not unsubscribe entirely, and would still receive advertising from a certain number of businesses.

Regarding consent for cookies, the BGH aligned its decision with that of the CJEU, ruling that cookie consent obtained via pre-ticked boxes is not valid, as it represents an unreasonable disadvantage for the user. In doing so, the BGH overturned the appeal court’s ruling, restoring the first instance court’s finding against Planet49. Specifically, in applying the relevant provision of the German Telemedia Act, the BGH followed the interpretation of the ePrivacy Directive provided by the CJEU, according to which consent is not effective for the use of advertising cookies where a pre-ticked box is used; therefore affirmative consent is required.

Regarding third-party advertising activities, the BGH ruled that consent was not validly obtained from users, as it was not sufficiently informed and specific. The BGH held that the mode of declaration of consent was designed by Planet49 to confront the user with an elaborate process of selecting companies from a list to encourage users to refrain from selecting advertising partners, and instead let Planet49 choose the advertising partners. Furthermore, it was found that this did not constitute valid consent, as the user could not be considered to have full knowledge of the situation.

You can read the BGH’s full press release (in German) here.

US home security company facing class action lawsuit after years of unauthorised video access discovered

ADT, a major US security company, is facing a class action lawsuit filed in Florida this month, following revelations that one of the company’s technicians had used the remote capabilities of security cameras installed in clients’ homes to observe individuals in their homes. The security cameras were linked to ADT’s ‘Pulse’ home monitoring system, which allows users remotely to monitor and manage their home’s security system and other functions such as lighting and temperature control.

The rogue technician is alleged to have added his own email address and credentials to customers’ security systems, in order to be able to access the systems remotely. The conduct is thought to have affected hundreds of customers over a period of seven years. Some of those affected had reportedly reached settlements with ADT after the company alerted them to the security breach earlier this year, before the recent class action was commenced.

The revelation that a security breach of networked cameras could be carried on over many years will be particularly embarrassing for ADT as a home security provider. More broadly, this occurrence serves as a reminder that Internet of Things networked devices increasingly occupy our homes. With many workers now forced to work from home, heightened attention is being paid to devices such as smart speakers which may capture conversations, and with them not only personal data but also sensitive commercial data. We previously discussed the data protection concerns arising from the use of smart speakers here.

Global Privacy Assembly launches Covid-19 Taskforce

On May 27th, it was announced that the Global Privacy Assembly (GPA), a forum for data protection and privacy authorities, has launched a COVID-19 Taskforce (the Taskforce) to drive practical responses to privacy issues produced by the pandemic, and to provide insights and best practices.

The Taskforce will be chaired by Raymond Liboro, Privacy Commissioner of the Philippines National Privacy Commission, and will represent 30 data protection organisations from around the globe.

The Taskforce established its first set of priorities when it first met on May 26th, including the examination of the use of contact tracing apps and other privacy concerns arising from the enhanced use of data during the pandemic in tracking the spread of the coronavirus. The members also agreed an initial workplan, and are expected to publish regular communications regarding progress made and information on Taskforce initiatives to the GPA membership community, as well as a wider audience. They have also launched a COVID-19 Response Repository, comprising various resources, including GPA guidance, statements, and meeting summaries, as well as a calendar of COVID-related events.

The GPA’s Taskforce press release can be found here, and we will be sure to provide further updates of the Taskforce’s recommendations going forward.

Danish DPA fines company for unlawful deletion of personal data

On May 15th, the Danish DPA (Datatilsynet) announced that it was fining JobTeam A/S (JobTeam) DKK 50,000 (£6,000) for the deletion of personal data prior to the answering of a pending data access request.

Datatilsynet received a complaint, which alleged that JobTeam had deleted personal data covered by a Subject Access Request, after the request had been made but prior to the company issuing a response. Therefore, the question facing Datatilsynet was whether the deletion of personal data which is the subject of an access request, prior to responding to the request, is unlawful under Art. 15 of the GDPR.

In its decision, Datatilsynet held that by deleting the requested data, JobTeam unlawfully foreclosed the requesting party’s ability to verify whether he or she had a right to gain access to the information. As a result, they reported the company to the police and fined them DKK 50,000. In doing so, Datatilsynet pointed out that JobTeam had not complied with the basic GDPR requirements, namely that personal data must be processed legally, reasonably and transparently.

Datatilsynet’s press release regarding the case (in Danish) can be found here.

For more information please contact Partner, James Tumbridge at