News

11/2019 Judgment of the ECJ on (tracking) cookies

At the beginning of October, the European Court of Justice (ECJ) handed down a significant judgment on the cookie information obligations of website operators, which we would like to inform you about in this news item.

Cookies and similar tracking methods may no longer be used unless customers have previously given their consent. The only exception is the operation of technically necessary cookies, such as cookies for the login or the shopping cart. According to the court, website owners must now provide detailed information on the use of cookies on their pages. The usual cookie notices (cookie banners) do not fulfill the requirements of the ECJ for three reasons:

  • Users cannot genuinely give their consent.
  • These notices do not explain the data transfer and data usage in detail.
  • Purely informational banners do not hold back the automatic data transmission until users have consented. That is necessary, however, to implement the privacy policy.

The judgment is important for everyone who uses cookies for tracking or marketing on their website. It is also important for everyone who has included a Facebook like button or a similar button of another social network (Twitter, Instagram, LinkedIn, etc.) on their pages.
The ECJ has also commented on four important issues:

  • Website owners are always responsible for privacy violations, along with Facebook and other social networks.
  • The unsolicited transmission of user data through the buttons of social networks on websites violates data protection law.
  • Competition associations may charge a fee for websites which have implemented the Facebook like button without consent.
  • Cookies that are set for tracking or advertising purposes require genuine consent from the website visitors. A cookie notice banner is not suitable for this purpose.

The ruling can now also be interpreted as an announcement to the German legislator to bring German law into line with the EU rules. It is very likely that the new rules will be closely aligned with the legal requirements of the ECJ.

We would like to point out to you that we are not allowed to offer legal advice. For further information we recommend the following page of the European Commission: https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

10/2019 Environmental protection by aixzellent

Environmental protection is one of the most important and pressing challenges of our time. That is why we incorporated these criteria into our corporate philosophy a long time ago.

As a company we are aware of our responsibility and therefore focus on sustainable solutions, such as raising awareness among our employees. This awareness helps us to identify potential savings of energy and resources in our company: in administration, on business trips and even on the daily commute to work. It is put into practice and lived by our employees. By video conferencing, switching to public transport or using bicycles instead of cars, we can reduce our company's CO2 emissions by a significant amount.

We also want to promote the energy-efficient use of the Internet. By running our servers exclusively in Germany with the provider Hetzner, we make sure that they are operated with 100% carbon dioxide-free and environmentally friendly hydropower. When selecting hardware or network components, we use power consumption as an essential criterion. Where possible, we rely on the reuse of already manufactured server hardware and avoid energy-consuming and resource-consuming new production.

More information about our climate-neutral servers can be found here: https://www.hetzner.de/unternehmen/umweltschutz/

09/2019 End-to-end encryption (I)
Increasing cooperation between IT companies and states – Is this the end of secure messaging in Germany?

Billions of data items protected by standard end-to-end encryption are sent and received daily. Meanwhile, the surveillance interests of states and authorities are steadily increasing. For years, camps of opponents and proponents of encryption have been forming worldwide.

Many states want to massively expand the hacking capacity of state authorities: not only authoritarian regimes but also more and more western democracies nowadays see encrypted communication as a major threat to public safety. They demand that the encryption of communication be weakened and that they be able to use spyware on smartphones. The encryption keys are managed by large Internet corporations, which can also specify who can secretly access the plain text. Access to these cloud systems, or hardware implants for preemptive interception of data traffic, is increasingly becoming a focus. The big Internet companies such as Facebook, Google or Amazon are now so powerful that states seek to cooperate with them, and the interests of users receive less attention. The opponents demand strong and secure encryption which, however, must not interfere with investigations at the same time. A concrete and feasible implementation of such a technical solution does not exist yet, however.[1]

Nevertheless, the pressure on providers is increasing and is currently very high, especially in the USA. Germany's position is contradictory, but a turn away from a German cyber security policy seems more and more likely.

"This is demonstrated by the BKA law of June 2017, which legitimizes the use of surveillance Trojans on end devices such as smartphones, or the creation of the Central Information Security Authority (ZITiS), which is to develop the same surveillance solutions. While the encryption software remains technically untouched, the communication on the terminals should instead be read out before encryption by means of state monitoring software."[2]

In June of this year, according to plans of the Interior Ministry, encrypted messenger services should be forced to set up a listening interface.[3] Thus, the operation of a secure messenger within Germany will no longer be possible.

----------
[1] https://netzpolitik.org/2018/fbi-klagt-ueber-verschluesselte-handys-mal-wieder/
[2] https://netzpolitik.org/2017/stiftung-wissenschaft-und-politik-warnt-vor-schwaechung-der-verschluesselung/
[3] https://www.golem.de/news/crypto-wars-protest-gegen-entschluesselungszwang-bei-whatsapp-co-1906-141825.html

05/2019 Tracking Cookies - Currently still illegal!

Cookie Banner:

• The banner shows an overview of all processing operations requiring consent, each of which can be explained and activated individually by function.

• Access to the privacy policy and the imprint must not be blocked by cookie banners.

• Before and while the banner is being displayed, all further scripts of a website or web app are blocked if they can potentially capture user data. Data processing may actually take place only after approval.

• Without an option to refuse cookies, consent lacks the required voluntariness.

• Consent must be revocable as simply as possible.
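
One way to implement the blocking, refusal and revocation requirements listed above in the browser (an added example, not code from this site; the `ConsentGate` class, the purpose names and the URLs are constructed for illustration):

```javascript
// Added example: purposes and script URLs below are constructed placeholders.
class ConsentGate {
  // loadScript is injected; in a browser it would append a <script src=...> element.
  constructor(loadScript) {
    this.loadScript = loadScript;
    this.granted = new Set();   // purposes the visitor has opted into (empty = default deny)
    this.pending = new Map();   // purpose -> script URLs held back until consent
  }
  // Register a script under a purpose instead of embedding it directly in the page.
  register(purpose, url) {
    if (purpose === 'necessary' || this.granted.has(purpose)) {
      this.loadScript(url);     // login/cart scripts, or consent already given
      return true;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(url);
    return false;               // blocked: nothing is requested from the third party
  }

  // Purposes the banner must list so each one can be accepted or refused separately.
  purposesAwaitingConsent() {
    return [...this.pending.keys()];
  }

  // Apply the visitor's choice, e.g. { analytics: true, social: false }.
  decide(choices) {
    for (const [purpose, accepted] of Object.entries(choices)) {
      if (!accepted) { this.granted.delete(purpose); continue; }
      this.granted.add(purpose);
      for (const url of this.pending.get(purpose) || []) this.loadScript(url);
      this.pending.delete(purpose);
    }
  }

  // Revocation: later scripts for this purpose are held back again.
  revoke(purpose) { this.granted.delete(purpose); }
}

// Constructed walk-through; returns the URLs that were actually loaded.
function demo() {
  const loaded = [];
  const gate = new ConsentGate((url) => loaded.push(url));
  gate.register('necessary', '/js/cart.js');
  gate.register('analytics', 'https://analytics.example/track.js');
  gate.register('social', 'https://social.example/like-button.js');
  gate.decide({ analytics: true, social: false });
  return loaded;
}
```

Scripts that have already run cannot be undone by `revoke`, so a real page would also clear that purpose's cookies and reload.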

Lately, cookie banners have been appearing almost everywhere. Most of the time they cover the content when visiting a website and require an "accept" or "ok". This could be seen as a direct implication of the General Data Protection Regulation which was released at the end of May 2018. Originally, this task was supposed to be taken over by the European E-Privacy Regulation, which still does not exist. Thus, shortly before the entry into force of the GDPR, a position paper was published which required the explicit consent of users regarding site tracking mechanisms. By creating a user profile, these mechanisms are able to track the behavior of people on the internet. According to the position paper the informed consent must "be obtained in the form of a statement or other clearly confirming act before the data processing"1. From the beginning, this special route of a consent solution was very controversial.

By examining 40 websites of larger providers in early 2019, the Bavarian data protection authority found that not one provider meets all the strict requirements. Many of the currently displayed banners are clearly unlawful. The missing option to reject cookie usage is an especially common problem. In addition, operators must present the processing of data to users in a transparent and comprehensible manner. Besides a listing of the individual forms of processing, the function for giving specific consent to individual forms of data processing is often absent. Only with both will it be possible for users to make decisions with complete knowledge of the specific situation and to understand the scope of the consent. It has to be acknowledged that in specific cases, the interest of the website provider has to be weighed against the interests and the fundamental rights and freedoms of the individual user. Even after a year, there is still much legal uncertainty in this area.

04/2019 Copyright reform – What you should know

The Internet is no longer unknown territory. This basic consensus also prevailed in the European Parliament as it initiated the negotiations on a copyright reform. Now a decision has been made. In the final vote on the copyright reform, 19 states voted in favor, six against and three abstained. As a result, the EU member states collectively approved the copyright reform.

Why?

Through the reform, authors of texts, pictures and videos should be better protected and fair payment should be ensured. The intention is to balance the claims of right-holders on the one hand and users and online providers on the other.

How?

The package contains a total of 23 articles, two of which are highly controversial: Article 15 (formerly 11) and Article 17 (formerly 13):

  • Article 11/15 – also known as ancillary copyright for publishers – is intended to establish a so-called ancillary copyright law which prohibits the use of protected works or parts of them without the consent of the authors. Anyone who wants to use even the smallest excerpts of journalistic content on the web therefore needs the publisher's license.
  • Article 13/17 explicitly deals with user-generated content and thus with all websites where internet users can upload something. The article intends that these websites are forced to review any uploaded content for copyright infringement or to authorize it. To cope with the sheer volume of content by means of software, it is feared that an upload filter must be introduced.
    • Exceptions apply to platforms that are less than three years old or earn a maximum of €10 million per year.
    • In the protocol statement of the vote, the Federal Government promises to interpret the definition of affected platforms in such a way that Article 17 applies only to market-dominant platforms such as YouTube or Facebook.

It is still unclear how the requirements of the copyright reform can be transposed into national law. It will take some time until users feel the change, as the members of the EU have two years to implement the requirements.