OLG Frankfurt am Main - 6 U 192/23

From GDPRhub
Revision as of 12:31, 6 August 2024 by Ec (talk | contribs)
OLG Frankfurt am Main - 6 U 192/23
Courts logo1.png
Court: OLG Frankfurt am Main (Germany)
Jurisdiction: Germany
Relevant Law:
§2 TTDSG
§25 TTDSG
Decided: 27.06.2024
Published: 05.08.2024
Parties: Microsoft Corporation
National Case Number/Name: 6 U 192/23
European Case Law Identifier:
Appeal from: LG Frankfurt am Main (Germany)
2-02 O 217/22
Appeal to:
Original Language(s): German
Original Source: Bürgerservice Hessenrecht (in German)
Initial Contributor: ec

An appeal court ordered Microsoft to refrain from placing and storing cookies on the data subject's end devices without consent, even if this requires Microsoft to stop placing tracking cookies at all.

English Summary

Facts

The controller, Microsoft Corporation, provides the service “Microsoft advertising” which enables website operations to place adverts in the search results of the "Microsoft Search Network". It can also collect information about the visitors to a website and to place targeted adverts for these visitors via cookies.

The data subject visited third-party websites. She claims that the controller’s cookies were placed on her device without her consent. A forensic analysis of the recorded network traffic revealed that cookies from the controller had been placed on the data subject’s device without their consent.

The data subjected sought injunctive relief at the Regional Court of Frankfurt am Main (“Landgericht Frankfurt am Main”) and requested the court to order the controller to refrain from using cookies on her end devices without her consent.

The court refused to issue an interim injunction and dismissed the case. The court stated that grounds for an injunction were lacking and that the data subject did not demonstrate that the data subject would otherwise suffer considerable disadvantages that it cannot reasonably be expected to wait for the main proceedings. The court held data subject had the option to block the storage or reading of cookies via the internet browser settings, while the controller would have to change its complete processing, costing enormous effort in terms of time and money. Thus, the balance of interests is therefore in favour of the controller.

The data subject appealed this decision at the higher regional court of Frankfurt (“Oberlandesgericht Frankfurt am Main”), arguing that the balance of interests is in favour of the data subject, as there can be no right to exercise an unlawful business model. Moreover, the data subject had to live with the uncertainty of the whereabouts of its data, the associated loss of control and the fear of disclosure to unauthorised third parties. The data subject requested the court to amend the first judgement, to grant the injunctive relief and to refrain the controller from using cooking and similar technologies on the data subject’s devices without their consent.

Holding

Claim for injunctive relief

The court held that the German national implementation of the e-Privacy Directive (“Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TTDSG” does not exclude a claim for injunctive relief under civil law.

Obtaining consent

The court held that under §25 TTDSG, the controller must ensure that the consent of the end user is transmitted to it by the website operator before it stores its cookies on the end user’s device. By failing to obtain consent, the controller violated §25 TTDSG.

The court dismissed the controller’s argument that the data subject could possibly have given her consent during an earlier visit. The court held that the controller had the burden of proof to provide evidence of prior consent. The fact that the controller could not provide this evidence, as it outsourced the obtaining of consent to third parties (the website operators) could not change its burden of proof.

The court found it irrelevant whether ensuring obtained consent is possible for the controller through appropriate technical precautions. The court held that it could not understand why it should not be possible for the controller to store its cookies on the end devices of users only after it has received their consent. The court further held that even if such technical precautions do not exist, this does not affect the requirements of §25 TTDSG.

Liability

The court further dismissed the controller’s argument that it is not liable under §25 TTDSG for placing cookies without the consent of the end user, but the website operators. The court held that the fact that the website operators are responsible for obtaining consent according to their general terms and conditions does not exonerate the controller form liability. Liability is not limited to only the website operators, but also those who stores or accesses the cookies, such as the controller. The court held that the controller was also a provider under the meaning of §2 TTDSG, as it contributes to the provision of the website operator's telemedia by setting the cookies. According to this provision, a "provider of telemedia" is any natural or legal person who provides their own or third-party telemedia, contributes to the provision of telemedia or provides access to the use of their own or third-party telemedia.

Balancing of interests

The court did not agree with the first instance court that the injunction would lead to an unduly heavy burden for the controller. The court did take into account that the data subject cannot be recognised on the Internet when visiting pages, and therefore, the injunction cannot only be limited to the data subject, but rather has an overarching effect and requires a universal solution. However, the court held that the fact that the effect of the injunction extends beyond the devices of the data subject does not call into question the grounds for an injunction, but is the consequence of how the controller organised its business model.

As the data subject had also argued, the court held that there are technically easy-to-implement solutions that enable consent to be transmitted to the website setting the cookie. If the controller cannot convince its customers of implementing these solutions, and thus being legally compliant, this should not negatively impact the data subject. Furthermore, the violations of the data subject’s rights were also intensifying daily, as the storage period of the cookie was 13 months and the storage of further user behaviour on other visited websites was possible.

Conclusion

Thus, the court ordered the controller to refrain from placing and storing cookies on the data subject's end devices without consent. If the controller violates the injunctive order, the controller could be fined up to €250,000 for each violation.

Comment

The decision of the Higher Regional Court of Frankfurt seems to be in line with a recent Dutch court decision that prohibited Microsoft, LinkedIn and Xandr from placing tracking cookies without user consent and imposed a penalty of €1,000 per company for every day of non compliance with the decision (see Rb. Amsterdam - C/13/747731).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

If you see this message, you do not have JavaScript enabled in your browser. Please enable JavaScript to use the citizen service.