LG Berlin - 16 O 420/19: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
Line 73: Line 73:


=== Facts ===
=== Facts ===
The complainant in this case is a German Consumer Protection Association (''Verbraucherzentrale Bundesverband e.V.''), while the controller is LinkedIn Ireland Unlimited Company, an Irish social media company operating throughout the EU and worldwide.  
The plaintiff in this case is a German Consumer Protection Association (''Verbraucherzentrale Bundesverband e.V.''), while the defendant is LinkedIn Ireland Unlimited Company, an Irish social media company operating throughout the EU and worldwide.  


The complainant found that the website of the controller makes use of cookies and other technologies like fingerprinting that automatically process personal data and monitor users behavior for analytics and marketing purposes. In its privacy notice of 2018, the controller clearly stated that it ignores ''“do not track”'' (DNT) signals on its users’ browsers. DNTs are a browser setting that users can decide to activate, to request websites not to track their online activities. The controller claimed it would not react to DNT signals, as there was no established “DNT standard” yet.  
The plaintiff found that the website of the defendant makes use of cookies and other technologies like fingerprinting that automatically process personal data and monitor users behavior for analytics and marketing purposes. In its privacy notice of 2018, the defendant clearly stated that it ignores ''“do not track”'' (DNT) signals on its users’ browsers. DNTs are a browser setting that users can decide to activate, to request websites not to track their online activities. The defendant claimed it would not react to DNT signals, as there was no established “DNT standard” yet.  


Firstly, the complainant claimed that the use of DNT signals constitutes an expression of the right to objection of users under [[Article 21 GDPR#5|Article 21(5) GDPR]] against processing activities carried out for marketing purposes under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], and that the controller should stop ignoring such signals. Secondly, the complainant found that when a user decides to first set up a LinkedIn account, the “off-LinkedIn visibility” option is usually pre-activated, which means that personal data of users is shown on the controller’s partner websites. This, according to the complainant constituted a violation of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 25 GDPR#2|Article 25(2) GDPR]], third sentence and [[Article 4 GDPR#11|Article 4(11) GDPR]] as well as provisions of the German Federal Law against deceptive commercial practices (''[https://www.gesetze-im-internet.de/uwg_2004/ Bundesgesetz gegen unlauteren Wettbewerb, UWG]''). Further, the complainant asserts that the controller wrongfully relied on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis and acted contrary to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
Firstly, the plaintiff claimed that the use of DNT signals constitutes an expression of the right to objection of users under [[Article 21 GDPR#5|Article 21(5) GDPR]] against processing activities carried out for marketing purposes under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], and that the defendant should stop ignoring such signals as doing so constitutes an unfair commercial practice.  


After the controller rejected the complainant’s warning letter, the complainant brought an action before the LG Berlin under [[Article 79 GDPR#2|Article 79(2) GDPR]].
Secondly, the plaintiff found that when a user decides to first set up a LinkedIn account, the “off-LinkedIn visibility” option is usually pre-activated, which means that personal data of users is shown on the defendant’s partner websites. This, according to the plaintiff constituted a violation of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 25 GDPR#2|Article 25(2) GDPR]], third sentence and [[Article 4 GDPR#11|Article 4(11) GDPR]] as well as provisions of the German Federal Law against deceptive commercial practices (''[https://www.gesetze-im-internet.de/uwg_2004/ Bundesgesetz gegen unlauteren Wettbewerb, UWG]''). Further, the plaintiff asserted in this respect that the defendant wrongfully relied on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis and acted contrary to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
 
After the defendant rejected the plaintiff’s warning letter, the plaintiff brought an action before the LG Berlin under [[Article 79 GDPR#2|Article 79(2) GDPR]].


=== Holding ===
=== Holding ===
The LG held the action to be partially inadmissible, as the court considered the first claim to be too broad, since it lacked the description of a concrete infringement, which could then not be established.  
The LG held the action to be partially inadmissible, as the court considered the first claim to be too broad, since it lacked the description of a concrete infringement, which could then not be established.  


However, the court held that the initially unclear request by the complainant that the controller should stop communicating to its users that it ignores DNT signals and does not consider it as an objection under [[Article 21 GDPR#5|Article 21(5) GDPR]], was substantiated by an attached screenshot and thus concerned a concrete violation. The court held that this behaviour constituted an unfair commercial practice under the UWG. Further, the court agreed with the complainant that the use of a DNT signal constitutes an objection by automated means using technical specifications for the purposes of [[Article 21 GDPR#5|Article 21(5) GDPR]]. As regards the submission of the controller that it does not consider DNTs as objections because there is no established standard about them yet, the court held that this is irrelevant to the question whether an objection is valid or not. As a consequence, the court found that the decision of the controller to ignore DNTs constitutes a deceptive practice.  
However, the court held that the initially unclear first claim of the plaintiff that the defendant should stop communicating to its users that it ignores DNT signals and does not consider it as an objection under [[Article 21 GDPR#5|Article 21(5) GDPR]], was substantiated by an attached screenshot and thus concerned a concrete violation. The court held that this behaviour constituted an unfair commercial practice under the UWG. Further, the court agreed with the plaintiff that the use of a DNT signal constitutes an objection by automated means using technical specifications for the purposes of [[Article 21 GDPR#5|Article 21(5) GDPR]]. As regards the submission of the defendant that it does not consider DNTs as objections because there is no established standard about them yet, the court held that this is irrelevant to the question whether an objection is valid or not. As a consequence, the court found that the decision of the defendant to ignore DNTs constitutes a deceptive practice.  


As regards the third claim, the court held that the complainant was right in asking the controller to refrain from automatically activating the “off-LinkedIn visibility” setting. By leaving the option pre-ticked, the controller deceives the users as to their consumer right to decide whether or not they want their data to be accessible to the public, in particular to third party websites. In this way, the average users are deceived as they may think they gave consent to have the option activated, even though it is likely that users would not activate this option themselves if it wasn’t pre-ticked. The court further held, making reference to [[CJEU - C-673/17 - Planet49|CJEU case C-673/17 - Planet49]], that the pre-ticked option offered by the controller cannot constitute a valid consent.
As regards the second claim, the court held that the plaintiff was right in asking the defendant to refrain from automatically activating the “off-LinkedIn visibility” setting. By leaving the option pre-ticked, the defendant deceives the users as to their consumer right to decide whether or not they want their data to be accessible to the public, in particular to third party websites. In this way, the average users are deceived as they may think they gave consent to have the option activated, even though it is likely that users would not activate this option themselves if it wasn’t pre-ticked. The court further held, making reference to [[CJEU - C-673/17 - Planet49|CJEU case C-673/17 - Planet49]], that the pre-ticked option offered by the defendant cannot constitute a valid consent.


The LG hence ordered the controller to refrain from communicating to its users that it does not consider DNTs as an objection to processing and to deactivate the automatic “off-LinkedIn visibility” setting when users first set up an account.
The LG hence ordered the defendant to refrain from communicating to its users that it does not consider DNTs as an objection to processing and to deactivate the automatic “off-LinkedIn visibility” setting when users first set up an account.


== Comment ==
== Comment ==

Latest revision as of 08:39, 15 November 2023

LG Berlin - 16 O 420/19
Courts logo1.png
Court: LG Berlin (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Article 4(11) GDPR
Article 21(5) GDPR
UWG
Decided: 24.08.2023
Published:
Parties: LinkedIn
Verbraucherzentrale Bundesverband e.V.
National Case Number/Name: 16 O 420/19
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: vzbv.de (in German)
Initial Contributor: co

The Regional Court of Berlin (Landgericht Berlin, LG Berlin) held that LinkedIn engaged in unfair commercial practices, also in violation of the GDPR, by not considering the use of “do not track” settings as an objection to processing and by pre-ticking the “off-LinkedIn visibility” setting when users first set up an account.

English Summary

Facts

The plaintiff in this case is a German Consumer Protection Association (Verbraucherzentrale Bundesverband e.V.), while the defendant is LinkedIn Ireland Unlimited Company, an Irish social media company operating throughout the EU and worldwide.

The plaintiff found that the website of the defendant makes use of cookies and other technologies like fingerprinting that automatically process personal data and monitor users behavior for analytics and marketing purposes. In its privacy notice of 2018, the defendant clearly stated that it ignores “do not track” (DNT) signals on its users’ browsers. DNTs are a browser setting that users can decide to activate, to request websites not to track their online activities. The defendant claimed it would not react to DNT signals, as there was no established “DNT standard” yet.

Firstly, the plaintiff claimed that the use of DNT signals constitutes an expression of the right to objection of users under Article 21(5) GDPR against processing activities carried out for marketing purposes under Article 6(1)(f) GDPR, and that the defendant should stop ignoring such signals as doing so constitutes an unfair commercial practice.

Secondly, the plaintiff found that when a user decides to first set up a LinkedIn account, the “off-LinkedIn visibility” option is usually pre-activated, which means that personal data of users is shown on the defendant’s partner websites. This, according to the plaintiff constituted a violation of Article 6(1)(a) GDPR, Article 25(2) GDPR, third sentence and Article 4(11) GDPR as well as provisions of the German Federal Law against deceptive commercial practices (Bundesgesetz gegen unlauteren Wettbewerb, UWG). Further, the plaintiff asserted in this respect that the defendant wrongfully relied on Article 6(1)(f) GDPR as a legal basis and acted contrary to Article 5(1)(a) GDPR and Article 5(1)(c) GDPR.

After the defendant rejected the plaintiff’s warning letter, the plaintiff brought an action before the LG Berlin under Article 79(2) GDPR.

Holding

The LG held the action to be partially inadmissible, as the court considered the first claim to be too broad, since it lacked the description of a concrete infringement, which could then not be established.

However, the court held that the initially unclear first claim of the plaintiff that the defendant should stop communicating to its users that it ignores DNT signals and does not consider it as an objection under Article 21(5) GDPR, was substantiated by an attached screenshot and thus concerned a concrete violation. The court held that this behaviour constituted an unfair commercial practice under the UWG. Further, the court agreed with the plaintiff that the use of a DNT signal constitutes an objection by automated means using technical specifications for the purposes of Article 21(5) GDPR. As regards the submission of the defendant that it does not consider DNTs as objections because there is no established standard about them yet, the court held that this is irrelevant to the question whether an objection is valid or not. As a consequence, the court found that the decision of the defendant to ignore DNTs constitutes a deceptive practice.

As regards the second claim, the court held that the plaintiff was right in asking the defendant to refrain from automatically activating the “off-LinkedIn visibility” setting. By leaving the option pre-ticked, the defendant deceives the users as to their consumer right to decide whether or not they want their data to be accessible to the public, in particular to third party websites. In this way, the average users are deceived as they may think they gave consent to have the option activated, even though it is likely that users would not activate this option themselves if it wasn’t pre-ticked. The court further held, making reference to CJEU case C-673/17 - Planet49, that the pre-ticked option offered by the defendant cannot constitute a valid consent.

The LG hence ordered the defendant to refrain from communicating to its users that it does not consider DNTs as an objection to processing and to deactivate the automatic “off-LinkedIn visibility” setting when users first set up an account.

Comment

Note that this decision is not final, as it might be appealed before a higher court.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

The social network LinkedIn is no longer allowed to announce on its website that it does not respond to “do-not-track” signals with which users object to the tracking of their surfing behavior via their browser settings. The Berlin Regional Court decided this following a lawsuit from the Federal Association of Consumer Organizations (vzbv). The court also prohibited the company from setting a default that would make the member's profile visible on other websites and applications. Last year, the court banned the sending of unsolicited emails to non-members.

“When consumers activate the ‘Do Not Track’ function of their browser, it sends a clear message: They do not want their surfing behavior to be spied on for advertising and other purposes,” says Rosemarie Rodden, legal officer at vzbv. “Website operators must respect this signal.”

Objection to tracking ignored

Internet surfers can use their browser to set the websites they visit to receive a “Do-Not-Track” (DNT) signal. It conveys your wish that online activities not be tracked and evaluated. LinkedIn announced on its website that it does not respond to such DNT signals. This means that even against the will of the user, personal data such as the IP address and information about the use of the website can be evaluated for analysis and marketing purposes, including by third parties.

The Berlin Regional Court agreed with the vzbv's opinion that the company's communication was misleading. It suggests that the use of the DNT signal is legally irrelevant and that the defendant does not need to observe such a signal. That is not the case. According to the General Data Protection Regulation, the right to object to the processing of personal data can also be exercised using automated procedures. A DNT signal represents an effective contradiction.

The court rejected a further application in this context for procedural reasons.

Profile published without necessary consent

In all other points the vzbv lawsuit was successful without any restrictions. The court prohibited LinkedIn from activating the “profile visibility” function when logging in for the first time. This default setting made the personal LinkedIn profile publicly visible to non-members and outside the network - for example on search engines - without consent. The judges made it clear that a switch activated in advance does not meet the requirements for effective consent to the publication of personal data. “User profiles must not automatically be publicly visible when they are created,” says Rosemarie Rodden.

Unsolicited email sending prohibited

The Berlin Regional Court had already upheld part of the lawsuit last year. LinkedIn is now prohibited from sending email invitations to consumers who are not members of the network and who have not agreed to the use of their email address. In addition, in a further partial acknowledgment judgment, the court prohibited the use of several provisions in the company's terms and conditions, including clauses that only the English version of the contract should be binding and that litigation may only be brought in Dublin, Ireland.