Find out more about our IT law & data protection practice group - now regularly summarised for you at a glance! On a quarterly basis, we will be presenting you with the most important developments in IT law and data protection. In addition to informing you of the latest draft laws and developments in the field, we advise you on classic IT law, data protection law and new media. Please also feel free to contact us for audits, IT project support and consulting, including cloud computing, e-commerce topics and social media issues.
1. Permissibility of cheat software: FCJ referral to the EC
2. Cookie banners: what are the legal requirements?
3. German Commercial Code: requirements for a waiver of the plea of a late notice of defects
4. ECJ: duty to provide information relates to specific identity of recipients
5. Artificial intelligence: can Chat predict GPT rulings?
6. ECJ on credit reports: scoring practice illegal under data protection law?
1. Permissibility of cheat software: FCJ referral to the ECJ
23 February 2023 was eagerly awaited in the gaming scene. The Federal Court of Justice (FCJ) [Bundesgerichtshof, BGH](decision of 23 February 2023 - I ZR 157/21) had to rule on the permissibility distributing cheat software pursuant to copyright law. As expected, the FCJ suspended the proceedings and referred two questions to the ECJ for a preliminary ruling.
What exactly is cheat software?
Cheat software is commonly used in gaming. However, its permissibility is the subject of controversial debate. In the past, the FCJ has already ruled that offering cheat software for "massively multiplayer online" (MMO) games can constitute a violation of the German Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG] (FCJ, ruling dated 12 January 2017 - I ZR 253/14). Cheat software is software that enables users to enjoy advantages in the actual video game that are otherwise not provided by the video game, such as flying a car in a racing game or making the game character invulnerable. A variety of different cheat software is available (even several for one and the same video game), which differ considerably in the technical way in which they work (i.e. how they interfere with or access the video game). However, the identification of the technical functionality plays a decisive role for the legal assessment.
In the case at hand, the cheat software changed the game content by accessing data that the video game had stored in the game console's main memory. The question was therefore whether this constitutes a copyright-relevant intervention in a computer programme's scope of protection, respectively a copyright-relevant reworking of a computer programme.
Different assessment by the lower courts
To put it succinctly and in simple terms, the lower courts assessed these questions differently. While the Regional Court [Landgericht, LG] of Hamburg (judgement of 24 January 2012 - 310 O 199/10) proceeded on the basis of a copyright infringement through the reworking of the video game by changing data in the main memory, the appellate court, the Higher Regional Court [Oberlandesgericht, OLG] of Hamburg (judgement of 07 October 2021 - 5 U 23/12), took the opposite position. It did not consider the modification of data in the main memory to be an interference with the source code or the internal structure of the video game software, but merely an interference with the flow of the video game, against which it is not protected by Sec. 69a German Copyright Act [Urhebergesetz, UrhG] or Sec. 69c UrhG, however.
What does the FCJ say?
The relevant standard provisions at issue are based on Directive 2009/24/EC. For this reason, the FCJ suspended the proceedings and referred the following questions to the ECJ for clarification of the scope and interpretation of the terms:
1. Is the scope of protection of a computer programme infringed pursuant to Article 1(1) to (3) of Directive 2009/24/EC where it is not the object code or source code of a computer programme or its reproduction which is altered, but where another programme running at the same time as the protected computer programme alters the content of variables created by the protected computer programme in the main memory and used in the running of the programme?
2. Does rewriting within the meaning of Article 4(1)(b) of Directive 2009/24/EC occur where it is not the object or source code of a computer programme or its reproduction that is altered, but where another programme running at the same time as the protected computer programme alters the content of variables created by the protected computer programme in the main memory and used in the running of the programme?"
Outlook
The gaming scene will therefore still have to wait for clarification of the legal dispute that has now been going on for more than ten years. In view of the large amount of cheat software in circulation, it cannot be ruled out that, depending on the outcome of the proceedings, there will be further legal disputes on this issue. For those interested in further reading material in connection with cheat software and anti-cheat measures, information can be found here and here (SpoPrax 2022, 419).
2. Cookie banners: what are the legal requirements?
What exactly is the current status of cookies on your own website? When does the user's consent have to be obtained and how exactly does this work?
For some time now, companies have been occupying themselves with the question of how cookies and comparable technologies can be embedded on the website and which legal requirements apply. Every time you visit a website, you inevitably come into contact with cookie banners, declarations of consent and more or less clear options for refusing consent. But what is the current legal situation?
The Conference of Independent Data Protection Authorities of Germany [Datenschutzkonferenz, DSK] provides recommendations for website design in its Guidance for Telemedia [Orientierungshilfe für Telemedien] updated in December 2022 (first published in 2019). The recent update is especially based on the new provisions in the German Telecommunications Telemedia Data Protection Act [Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG] and on a public consultation process conducted by the DSK, which took into account comments of representatives from politics, business, science, society and administration on this topic.
What impact does the TTDSG have on the operation of the website?
Pursuant to Sec. 25 (1) TTDSG, consent is required for storing information or accessing information already stored on end devices. The storage of information on the end device primarily concerns cookies and similar technologies such as localStorage or sessionStorage, where data packets are temporarily stored on the respective end device when a website is used (e.g. for analysis purposes). It is irrelevant here whether the information is personal data. According to the law, consent may only be given on the basis of clear and comprehensive information, and it must be obtained in a manner compliant with the principles of the GDPR. However, according to Sec. 25 (1) sentence 2 TTDSG, consent can be dispensed with if the sole purpose of the storage and readout of the data is the data transmission and the information is "absolutely necessary" for the service requested by the user.
This means that the TTDSG does not lead to any significant changes for website operators. In order to use cookies that are not absolutely necessary for the operation of the website, the prior consent of the user must be obtained. In individual cases, however, website operators will need to change data privacy notices that, among other things, describe the processing using cookies in more detail, since the TTDSG has created a new legal basis for the processing of end device information. Data privacy notices must also include Information on the specific applicability of this legal basis with immediate effect.
What new insights does the update of the Guidance bring?
In addition to the effects of the TTDSG, the authorities have made further selective supplementations and concretisations regarding the use of cookies:
According to the authorities, the processing of user behaviour on the website for the purpose of "online audience measurement" or analysis should generally only be possible with prior consent. In individual cases, however, the user's consent will not be necessary if the use of certain analysis cookies is required for the "error-free provision of the website". Furthermore, the authorities have concretised their view on the design of cookie banners to the effect that a reject option must be provided on the first level of the banner if the user is also able give consent on the first level.
What are the current requirements for embedding cookies?
Taking into account the updated Guidance, according to the authorities, the following requirements must be met in order to permissibly obtain insight into users' personal behaviour through the use of cookies and to use the information and data for own purposes:
- Before using cookies that are not technically necessary for operating the website or the specific service, the user's express consent must be obtained.
- The user must be informed comprehensively before giving consent (e.g. through the cookie banner and the data privacy notices on the website).
- Consent must be given voluntarily by the user by means of an unambiguous and clear action.
- It is permissible to obtain consent for individual categories (analysis, marketing, etc.).
- If the cookie banner offers the possibility of giving consent on the first level, it must also be possible to refuse consent on this level.
- The cookie banner must not be designed in terms of colours and arrangement in such a way that the user is influenced to give consent.
- The revocation of consent must be possible and easy for the user at any time.
If the aforesaid requirements are not met on the website, website operators may be subject to regulatory remedies and possibly fines. Even though the Guidance published by the authorities contains concrete recommendations on essential topics, in practical terms certain individual questions are still unanswered. In all events, website operators are advised to check their own website, including the cookies used, in consideration of the Guidance provided by the data protection authorities.
3. German Commercial Code: requirements for a waiver of the plea of a late notice of defects
The Federal Court of Justice (FCJ) [Bundesgerichtshof, BGH] (docket no. VIII ZR 383/20) has ruled that a seller in the B2B sector may at any time, also tacitly, waive the legal consequences arising from Sec. 377 (2), (3) German Commercial Code [Handelsgesetzbuch, HGB]. However, such waiver requires clear indications of the seller's relinquishment of the plea of the belatedness, which can also be understood as such by the buyer.
Factual situation
A businessman demanded repayment of the purchase price, or alternatively replacement delivery, from a VW dealer on grounds of an impermissible defeat device installed in the vehicle. In October 2016, the VW dealer had initially agreed with the buyer to install a software update for the engine of the purchased car that would create a condition compliant with requirements. It was not until November 2016 that the buyer declared rescission on the grounds of fraudulent misrepresentation and, in the alternative, rescission of the purchase contract. The lawsuit was filed in April 2017. One of the points at issue was whether the defect in the defeat device could be deemed to have been approved to the buyer's detriment due to the late notice of defects pursuant to Sec. 377 (2) and (3) HGB, thus precluding a rescission. During the proceedings, the seller informed the buyer again that an update was available for the vehicle. The Federal Court of Justice examined the question of whether such a notification is already sufficient to assume the seller's implied waiver of a notice of defects.
Legal background
The purpose of the notice of defects pursuant to Sec. 377 HGB is to provide legal certainty in the context of fast-paced commercial transactions. Accordingly, in the case of a bilateral commercial transaction, the immediate notification of defects serves to provide the seller with the earliest possible clarification of the factual and legal situation. If the buyer fails to report a defect promptly, this results in the defect being deemed approved and thus all warranty rights lapse. In order to create the greatest possible legal certainty for the parties, when the buyer becomes aware of a defect he has a few days at most to notify the seller.
However, this does not apply if the seller indicates that it will not raise the plea of the late notice of defects. Besides express conduct, a tacit waiver is also possible. For this, it often suffices if the seller takes back the rejected goods without reservation and promises to remedy the defect. However, such a tacit waiver cannot generally be assumed in this context. Rather, there must be clear indications to the effect that the buyer may understand this as a relinquishment of the right under Sec. 377 (2), (3) HGB.
Decision of the Federal Court of Justice
It can basically be assumed that a buyer who only gives notice of a defect one month after becoming aware of it (at the latest upon receipt of the offer for the software update) has no longer acted "without undue delay" within the meaning of Sec. 377 (2), (3) HGB.
However, since the VW dealer pointed out the possibility of eliminating the defeat device by means of a software update again in a letter addressed to the plaintiff during the course of the lawsuit, there could be sufficient indications for the buyer of a waiver of the plea of notice of the defect.
However, this was rejected by the Federal Court of Justice in its ruling on the grounds that the letter had more the character of a general information letter, and that the purpose of the renewed indication had been to promote the buyer's involvement in the technical implementation of the measure offered. This was especially underlined by the fact that the VW dealer had emphasised in its letter that the costs incurred would be borne by VW itself as the manufacturer. Consequently, the VW dealer was still entitled to raise the plea of the late notification of defects, with the result that the buyer's legal action for repayment of the purchase price was unsuccessful.
Conclusion
The obligation to inspect and give notice of defects under Sec. 377 HGB is a "double-edged sword", and it is not uncommon for warranty cases in the B2B sector to be decided on this basis. A (tacit) waiver by the seller of the plea of the notice of defects would therefore be extremely advantageous for the buyer. In principle, a tacit waiver is possible. However, the requirements imposed by case law insofar are high. Thus, the decisive factor is whether, from the buyer's point of view, there are clear indications of the waiver of rights. In addition to an interpretation of the specific wording of the relevant documents or e-mails, all accompanying circumstances must also be taken into account here. A simple information letter concerning the offer of the manufacturer of a product, who is not also the seller of the product, to remedy a defect is not enough to fulfil this requirement.
4. ECJ: duty to provide information relates to specific identity of recipients
The European Court of Justice (ECJ) has answered another question referred to it on the scope of the data subject's right of access under Art. 15 GDPR (ruling dated 12 January 2023 - case C-154/21).
This decision concerns the interpretation of Art. 15(1)(c) GDPR: According to this, a person whose personal data has been processed has, among other things, the right to obtain from the controller information on the recipients or categories of recipients to whom the controller has disclosed or is going to disclose their personal data. It had been unclear to date under which conditions the controller may limit itself to merely naming abstract categories of recipients to the data subject in its response to the data subject's request for information.
With its decision, the ECJ has clarified that the controller is generally obliged to inform the data subject of the exact identity of the recipients. An exception exists if other fundamental rights conflict in such a way that comprehensive information is disproportionate. This is the case, for example, if it is not possible for the controller to identify the recipients. The ECJ additionally points out the ground for exclusion in Art. 12(5) sentence 2 lit. b GDPR: According to this, the controller can, under certain circumstances, plead the fact that a request for information is (partially) excessive or manifestly unfounded. In this case, it may be sufficient to merely name the categories of the recipients concerned.
The ECJ's ruling only deals with a partial aspect of the claims of Art. 15 GDPR, namely the scope of the general information to be provided pursuant to Art. 15(1) GDPR. The literature and case law focus on a different question, namely the extent to which the data subject's right to a copy (Art. 15(3) GDPR) grants them a claim to the surrender of all raw data held by the controller, and under what conditions such surrender can be refused on grounds of preclusive circumstances. In this regard, the German Federal Court of Justice [Bundesgerichtshof, BGH] had already stated in 2021 that Art. 15(3) GDPR also covers internal notes and e-mails processed by the controller about a data subject (BGH, judgement of 15 June 2021 - VI ZR 576/19).
The ECJ will be making a final decision on the scope of the right to a copy in other proceedings (case C-487/21).
Measures to implement the ruling in the company
As far as the obligation to provide information about recipients of personal data is concerned, companies do not have to "reinvent the wheel". This is due to the fact that the other provisions of data protection law, first and foremost the principle of accountability according to Art. 5(2) GDPR, stipulate in any event that companies must document any and all processing of personal data in their organisation - including any recipients of such data.
The assessment of the legality of data processing already presupposes that it is known to which recipients the data are passed on for processing purposes or which recipients have access thereto.
The decision is therefore only likely to lead to more work for some companies. Many other companies will probably be able to rely on their existing documentation for information on recipients of personal data.
The situation is often more difficult where mass data transfers are involved. For example, in online advertising there may be a large number of recipients that the company cannot immediately identify and name specifically.
Scope of the ECJ ruling with regard to the definition of recipients in the GDPR
The ECJ's ruling on Art. 15 GDPR cannot automatically be applied to the information obligations under Arts. 13 and 14 GDPR. This follows from the different purpose of the regulations. The purpose of the claim to information is to enable data subjects to verify the lawfulness of the data processing. They should then be able to decide on whether they wish to assert further rights (such as to deletion).
The information obligations under Arts. 13 and 14 GDPR serve as a preliminary stage to the right of access and provide a group of data subjects with initial general information. According to the ECJ's ruling, concrete recipients specifically do not yet have to be named here.
Eagerly anticipated issues are to what extent the answers to further questions referred to the ECJ will result in concrete requirements for the right to information under Art. 15 GDPR, in particular for the scope of the right to a copy (case C-487/21), and individual questions on the scope of the preclusion principle of Art.12 (5) GDPR (case C-672/22). Generally speaking, the right to a copy is even comprehensive and more difficult for companies to comply with than the right of access.
5. Artificial intelligence: can Chat predict GPT rulings?
In the USA, the artificial intelligence programme ChatGPT-3 of the company Open AI took the legal exam - with notable success. Here in Germany, statements of claims have already been drafted with this on a test basis. We have taken a look at whether AI can also provide useful answers in the complex area of data protection and how it can support the work of lawyers in the future.
As a starting point for our test, we used the ECJ's decision on the right to information under data protection law pursuant to Art. 15 GDPR. We submitted the following question referred to the ECJ to ChatGPT-3 for its response: "For the right to information under data protection law, can I limit myself to disclosing only the category of recipients to whom personal data have been disclosed or do I also have to disclose the identity of the recipient?"
Chat GPT-3 answers the question as follows:
"In principle, it is not enough to disclose only the category of recipients to whom personal data was disclosed. Under data protection laws, you must inform the data subject of the specific identity of the recipients. It may be sufficient to state the category of recipients in some cases where naming the specific recipients is impractical or would require a disproportionate effort. An example of this might be if you shared personal data with a variety of companies in the same industry."
In the ECJ's reasoning published at the beginning of the year (ECJ 12 January 2023 C 154/21) it states:
"It therefore also follows from the objective pursued by the GDPR that the data subject is entitled to obtain from the controller information on the specific recipients to whom their personal data has been or will be disclosed.(...) It should also be noted that, pursuant to Art. 12(5)(b) GDPR, in accordance with the principle of accountability set forth in Art. 5(2) and Recital 74 of this Regulation, the controller may refuse to act on requests from the data subject if the requests are manifestly unfounded or excessive, in which case the controller must provide evidence of the manifestly unfounded or excessive nature of the requests."
Thus, both the AI and the ECJ come to the conclusion that the obligation to provide information under Art. 15 GDPR relates to the specific identity of recipients, as long as the request for information is not manifestly unfounded or would involve disproportionate effort.
So, can AI predict judgements?
First of all, the AI response is noteworthy because the programme only had access to records up to the autumn of 2021. Secondly, when the question was put to the AI-controlled chatbot, it turns out that the AI's assessment is based on a reproduction of older judgements. Hence, ChatGPT-3 can basically (still) be classified as an aid for reproducing existing content. Artificial intelligence is currently incapable of the autonomous and original creation of ideas or solutions to problems. For example, when you ask it the same questions in a slightly different way, it will give you different results. And what's more - the programme itself indicates that a request should be "regenerated". If exactly the same question is re-entered, it is reprocessed. You receive a new, possibly different result.
However, ChatGPT-3 can in some cases already imitate authors, musicians and courts in a deceptively realistic manner. Publishers are therefore currently testing programmes that can detect artificial intelligence in texts that have supposedly been written by the authors themselves. Artificial intelligence programmes such as ChatGPT can partially already assume activities in which humans perform pure organisation and reproduction tasks. And there are AI chatbots that have been developed specifically for the legal industry and are being used in some major US law firms for support in contract drafting. Numerous legal tech providers are also starting to implement AI in their products or connect them via interfaces.
This development will accelerate with the successor programme ChatGPT-4, which has just been released. On the one hand, the programme is significantly more powerful due to the amount of data processed - Chat GPT-4 was reportedly trained with 17 trillion items of training data, about 100 times more than GPT-3. This should make the programme more efficient, faster, more articulate, and able to describe images.
On the other hand, even the company Open AI warns against taking ChatGPT-4's "statements" as gospel. On its website, the company writes in this respect: "GPT-4 is not yet entirely reliable. It hallucinates facts and makes errors in reasoning."
Specifically, this means that the accuracy of the answers is less than 80 percent, i.e. experts from the respective field would confirm their correctness only for about 80 percent of the answers.
Despite these limitations in reliability, it is impressive what AI is already capable of today. We will continue to monitor its concrete impact on the legal industry and the opportunities that are also emerging for this in the legal tech sector, and will include them in future newsletter articles.
6. ECJ on credit reports: scoring practice illegal under data protection law?
The work of private credit agencies is of immense importance for commercial trade and the consumers concerned: on the one hand, credit reports serve to keep the economy functioning, and on the other hand, they protect consumers from overindebtedness. In preliminary ruling proceedings according to Art. 267 TFEU (case C-634/21) following a referral from the Administrative Court [Verwaltungsgericht, VG] of Wiesbaden, the ECJ is currently scrutinising this practice in terms of data protection law.
In this context, the ECJ's decision will not only answer questions on the interpretation of Art. 22 GDPR with regard to automated data processing for score values and the classification of Sec. 31 German Data Protection Act [Bundesdatenschutzgesetz, BDSG] as an (un)suitable legal basis for creating score values. It will also shed light on the relationship between the right to information under Art. 15(1)(h) GDPR and the protection of trade secrets, which will doubtlessly be of practical relevance to any commercial enterprise that makes (partially) automated decisions in the course of its business practice.
The background to the referral to the ECJ is a legal dispute concerning the protection of personal data between a data subject, the plaintiff, and the State of Hesse, represented by the Hessian Commissioner for Data Protection and Freedom of Information [Hessischer Beauftragter für Datenschutz und Informationsfreiheit, HBDI]. The plaintiff was denied a loan based on a credit assessment performed by SCHUFA Holding AG (SCHUFA). The plaintiff subsequently requested SCHUFA to delete the entries relating to her and to provide her with information about the data.
In reference to business secrets, however, SCHUFA limited itself to informing the plaintiff of the corresponding score value and, in general terms, of the principles underlying the method used to calculate the score value. Since the HBDI did not resolve the plaintiff's complaint, she brought an action against the HBDI's decision before the VG Wiesbaden. The VG then turned to the ECJ with two questions for clarification as to whether automatically generated score values are to be understood as a decision within the meaning of Art. 22 GDPR if they are decisive for the credit decision, and whether Sec. 31 of the BDSG is compatible with the GDPR.
With regard to the scoring practice, case law and legal literature have to date (indeed) predominantly held that an automated decision within the meaning of Art. 22 GDPR only exists if the scoring leads directly to a decision by the decision-maker, such as the lending institution. The purpose of score values from credit agencies, on the other hand, is regularly only to prepare the actual (credit) decision and are thus not covered by Art. 22 GDPR.
In his Opinion of 16 March 2023, Advocate General at the ECJ Pikamäe has now concluded that the automated generation of a probability value about a data subject's ability to service a loan in the future is already a case of automated processing within the meaning of Art. 22 GDPR. If the ECJ adopts this view, the data subject would have a right to information under Art. 15(1)(h) GDPR, which, according to the Advocate General, would also include sufficiently detailed explanations of the method used to calculate the score value. However, the permissibility of automated data processing by a credit agency would especially regularly require a legal basis in the member state within the meaning of Art. 22 (2) lit. b GDPR. With regard to the second question referred by the VG, however, the Advocate General takes the view that Sec. 31 BDSG, on which the scoring practice is currently based, is not a suitable legal basis for justifying the lawfulness of the creation of score values in the context of the activities of credit agencies, as the standard is not compatible with the GDPR.
It remains to be seen whether the ECJ will follow the Advocate General's legal opinion, which is not binding on it. A decision is expected in a few months at the earliest. We will inform you about this in an upcoming newsletter.
Tobias Kollakowski
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
