By: Gregory P. Bufithis, Esq.
Chairman / The Project Counsel Group
12 August 2015 – I was in Berlin earlier this week for two workshops: one was on machine translation (MT) applications for the Arabic language. Arabic is one of the major languages that have been given attention by MT researchers since the very early days of MT. The language has always been considered, due to its morphological, syntactic, phonetic and phonological properties, to be the most difficult languages for written and spoken language processing.
As one commentator noted German courts or lawmakers will have to resolve the dilemma between two conflicting EU law principles: privacy regulation on a ‘country of origin’ basis vs. consumer protection and unfair competition laws that apply wherever consumers are targeted. In the short term, he said companies are well advised to formulate Germany-specific privacy policies, or delete wording that talks about consent or curtailing consumers’ rights “in order to at least keep the policy from being subjected to full consumer protection scrutiny.”
Thorsten Ihler, one of the speakers and a technology and privacy expert for the German law firm Field Fisher, noted “the European digital market is there for the taking. Except that the EU is not the digital single market it strives to be just yet. Recent years have seen a rise in legal disputes in Germany over allegedly unlawful clauses in standard business terms – in more and more cases including privacy policies and consent wording. Apple, Facebook, Google have all been there. They all lost on part of the language.”
And it addresses the key question in Europe today: international business looking to have a single global or pan-European privacy policy. It has created a labyrinth of compromises between addressing multiple local law requirements, keeping your business scalable, and creating transparency for customers. Now, with global expansion comes the inevitable local litigation.
The typical scenario that arises for international businesses expanding into Germany is this: An aggressive local market player trying to hold on to its “new economy” (a frequent term at this event) assets sends you a warning letter, alleging your privacy policy breaches German law requirements, and includes a cease-and-desist undertaking aimed at forcing you to refrain from using unlawful privacy policy clauses.
If you are big and established, the warning letter may come from a consumer protection association that happens to have singled out you or your industry. If you refuse to comply with the warning letter, the dispute may go to court. If you lose, the court will issue an injunction preventing you from using certain language in your privacy policy. If you infringe the injunction after being served the same, judicial fines may ensue.
Says Ihler:
“These warning letters typically allege that your privacy policy is not in full compliance with strict German data protection and consumer protection law. Where this is the case, privacy infringements can be actioned by competitors and consumer protection associations – note: these actions are based solely on the language of your privacy policy, irrespective of your actual privacy practices. These actions are a kind of “privately-initiated law enforcement” as there is no public regulator generally watching over use of privacy policies.
Furthermore, in certain cases – and especially where privacy policies are peppered with language stating that the user “consents” to the collection and use of their information – the privacy policy may even qualify as ‘standard business terms’ under German consumer protection law, opening the door for the full broadside of German consumer protection law scrutiny.”
So, what’s the solution?
In the long run, courts or lawmakers will have to resolve the dilemma between two conflicting EU law principles: privacy regulation on a “country of origin” basis vs. consumer protection and unfair competition laws that apply wherever consumers are targeted. In essence, the question is: Which should prevail, applicable law principles under the Data Protection Directive (or the General Data Protection Regulation bound to be issued any decade now) or local law consumer protection principles under Rome I and II Regulations?
In the short term, an approach to mitigating legal and practical risks is to provide a localized privacy policy just for German consumers that is compliant with local law. Or, usually less burdensome, make your policy information-only, i.e. delete consent wording and clauses curtailing consumers’ rights in order to at least keep the policy from being subjected to full consumer protection scrutiny.
The downside to this approach is that it may require deviating from your global approach on a privacy policy. On the upside, it will spare you the nuisance of dealing with this kind of warning letter which is difficult to fight off. Remember: this is all about the language of your privacy policy, not what your real-world privacy compliance looks like.
An e-discovery chat
I had a chance to button-hole two German privacy lawyers during the lunch break to discuss e-discovery. German-based companies, as well as non-EU companies that collect, process or use personal information in Germany, are subject to the Bundesdatenschutzgesetz (German Data Protection Act, BDSG) prohibition on the disclosure of personal information of individuals. However, if that company is sued in a U.S. court, it is likely to be subject to e-discovery. As the lawyers stated, this leads to the real possibility of the company being forced to choose either to violate German law or face crippling sanctions in the United States.
And the lawyers were pretty frank: “in these litigations or cross-border transactions, when personal data generated in Germany is to be transferred to other countries that do not guarantee an adequate level of data protection — like the U.S. of which few of us have any faith in data protection — additional special conditions must be fulfilled in order to legitimize the data transfer”.
Yes, it is recognized in Germany that disclosing personal data during litigation may constitute legitimate interests of a litigating party. These interests may prevail over the interests of a third party whose data is being transferred and used therefore. The German Data Protection Act provides for an explicit exception if the “exercise or defense of legal interests before a court is required”.
From a German perspective e-discovery is a data protection issue. It remains difficult because there is no German equivalent to e-discovery. The German Code of Civil Procedure applies to general civil litigation as well as to litigations before specialized labor courts. According to the law, no party is obliged make accessible “any document of possible relevance” at an early or late stage of litigation. As a rule, a party must only deliver such electronic or hardcopy documents that support its case. The burden of proof lies with the party that intends to take advantage of the document.
However, in particular when it comes to litigation before labor courts, the burden of proof may shift: It is generally the employer who is in possession of documents that can prove facts and circumstances. Therefore, if an employee cannot deliver documents supporting his case and if the company typically is in possession of such documents, the courts will ask the company to provide such documents. But, here too, the company will only be requested to deliver individual documents with relevance to a defined and precise question. There is no obligation to provide documents that are of “general interest” or that do not reply to a clearly defined question that could be relevant to the outcome of the litigation. On the contrary, requesting general facts in order to find out further facts that could be of interest (“Ausforschungsbeweis”) is inadmissible.
However, the case law shows that the U.S. perspective is becoming more decisive. The German Data Protection Act lays down that data necessary in litigation can be transferred. This means that the data must be “necessary” under the applicable law. If a company is involved in litigation in the U.S., “necessary” is defined by U.S. law, in principle. A restriction has to be made, here if fundamental principles of data protection are not respected.
I have been invited to a special one-day “U.S. e-discovery vs. German data protection” workshop next month so I will expand on this post.