OLG Schleswig - 9 Wx 23/21

From GDPRhub
Revision as of 18:37, 6 April 2022 by Kc (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
OLG Schleswig - 9 Wx 23/21
Courts logo1.png
Court: OLG Schleswig (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(4) GDPR
Article 23(1) GDPR
§ 21 Telekommunikation-Telemedien-Datenschutzgesetz (Telecommunication Telemedia Data Protection Act - TTDSG)
Decided: 23.02.2022
Published: 04.04.2022
Parties: Instagram
National Case Number/Name: 9 Wx 23/21
European Case Law Identifier:
Appeal from: LG Flensburg (Germany)
Appeal to:
Original Language(s): German
Original Source: openjur.de (in German)
Initial Contributor: kc

The Higher Regional Court of Schleswig-Holstein held that in cases where one user's content infringes another user's personality rights under criminal law, Instagram must provide the affected person information about the perpetrator.

English Summary

Facts

The plaintiff is a minor. A person unknown to the plaintiff opened an account on the social media platform Instagram at an unknown time with the user name "plaintiff_was_hacked". Pictures were posted on the account showing a young woman dressed only in underwear, with her face covered by a smartphone. The photos contained statements that gave the impression that the person depicted was interested in a variety of sexual contacts. After the plaintiff was recognised by other persons and approached about the content of the account, she reported the account to the platform operator and it was blocked.

The plaintiff requested the Regional Court of Flensburg (LG Flensburg) to order both Instagram and the telemedia service provider to disclose information about the owner of the account, including their IP-address, based on the old German Telemedia Act. She claimed that she needed the requested information to enforce civil law claims in the form of injunctive relief and claims for damages for violations of personal rights against the owner of the user account.

The LG Flensburg dismissed her application as the plaintiff had no substantive right to information against Instagram. Furthermore, it held that a general right to information against telemedia services as "non-interferers" did not exist under the current legal situation. A complaint at the same court was not successful either.

The plaintiff appealed that decision at the Higher Regional Court of Schleswig-Holstein (OLG Schleswig). Before the OLG Schleswig, she requested that Instagram be allowed and obliged to provide her with the user's IP address used for uploading the posts and images retrievable, together with the exact upload time, their name, e-mail address, the IP address last used to access the account, and the user's telephone number.

Holding

The appeal succeded with regard to the inventory data, but not regarding the IP addresses.

The OLG Schleswig applied § 21(2) Telecommunication Telemedia Data Protection Act (TTDSG) which states that a "telemedia provider may in individual cases provide information on inventory data held by it, insofar as this is necessary for the enforcement of civil law claims due to the infringement of absolutely protected rights due to illegal content [...] To this extent, it shall be obliged to provide information to the infringed party." This provision of information "requires a prior court order on the admissibility of the provision of information, which must be applied for by the injured party" (§ 21(3) TTDSG). Inventory data means "personal data whose processing is necessary for the purpose of establishing, structuring the content of or amending a contractual relationship between the telemedia provider and the user concerning the use of telemedia" (§ 2(2)(2) TTDSG).

The court did not see an issue with the relationship to the GDPR. According to the court, § 21(2), (3) TTDSG as a national provision constitutes a necessary and proportionate measure in a democratic society to protect the objectives set out in Article 23(1) GDPR. § 21(2) TTDSG serves the enforcement of civil claims and thus pursues an objective mentioned in Article 23(1)(j) GDPR, which allows Member State legislation that limits the obligations and rights under Articles 12 to 22 and 34 GDPR.

The court held that the creation of the fake account and the uploading of the photos with comments fulfilled the offence of insult according to the Criminal Code and violated her personality rights. In order to be able to assert her rights against the unknown creator of the fake account under civil law, the plaintiff was dependent on information from the operator of the platform. She had no other possibility to determine the creator of the user account. However, the right to information was limited to the inventory data. The court emphasised that § 21 TTDSG does not concern any usage data and therefore does not extend beyond the inventory data, Consequently, the IP addresses did not need to be disclosed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



1. Section 21 (2) TTDSG now contains a special statutory basis for a claim for the operator of a social media platform - here Instagram - to provide information to those affected by violations of personal rights.

2. The regulation replaces the two-stage procedure according to § 14 TMG old version, which only provided for a court permit, but not the obligation to provide information and therefore made it necessary to enforce a separate claim for benefits.

3. The right to information according to § 21 TTDSG only includes the inventory data, but not the usage data.
tenor

1. The decision of the Flensburg District Court of September 20, 2021 is amended to the complaint of October 27, 2021.

The party 2) is obliged to provide the applicant with information about the inventory data of the user registered on the "www.instagram.com" platform under the user name "X_was_hacked" (https://www.instagram.com/X_was_hacked/), by providing the following data stored with the party involved:

a. user name,

b. e-mail address of the user,

c. User's phone number.

2. Otherwise, the applicant's application and the complaint are rejected.

3. The applicant bears the costs of the first instance proceedings and the appeal proceedings.
reasons

I

The applicant asserts claims for information about a user account on Instagram, the content of which she believes has violated her general personality rights.

The party 2) operates, among other things, the social media platform "Instagram", which gives users the opportunity to publish texts, photos and videos. At the choice of the account holder, these contributions can be viewed either by a private group of people or by the general public. The minor applicant runs a user account herself on the platform www.instagram.com of the parties to 2).

At an unknown time before January 15, 2021, a third party unknown to the applicant opened an account on the social media platform "Instagram" with the username "X_was_hacked" and posted pictures and statements in a folder labeled "Nudes". The account was initially public and was changed to private on January 16, 2021. The images showed a young woman with long brown hair wearing only her underwear, her face covered by a smartphone. The following statements could be read in the photos:

- "I'm a slut with push up",

- "I'm the kachi next door",

- "Wants you to lick me, babe, you can go backstage with me",

- "Write to me if you want to fuck".

On January 19, 2021, the applicant reported the account at issue to party 2), who deactivated it on January 22, 2021, so that the images can no longer be accessed.

The applicant has claimed that the photos show her head on a different body. Classmates would have recognized her in the pictures. Two former classmates approached her about the profile via WhatsApp on January 15, 2021, which gave her knowledge of it. The applicant took the view that she had a claim for permission under Section 14 (3) TMG old version, since the contents of the false profile fulfilled the facts of Sections 185 ff. StGB. You need the requested information to enforce civil claims in the form of injunctive relief and claims for damages due to violations of personal rights against the owner of the user account.

The party 2) denied with ignorance that the applicant had been recognized in the photos by her classmates. It is impossible for it to provide the requested information about IP addresses, since it cannot determine whether a specific IP address was used at the time a content was uploaded.

The regional court rejected the application for permission to provide information by decision of September 20, 2021, since the applicant had no substantive legal right to information against the 2nd party. This arises neither from the contractual obligation, which only refers to the account operated by the applicant herself, nor does there exist a legal right to information according to § 242 BGB. Because the party to 2) is not liable as an indirect troublemaker according to § 1004 paragraph 1 BGB, since they violated no inspection obligations and deactivated the disputed account immediately after notification by the applicant. According to the current legal situation, there is no general right to information against telemedia services as "non-disturbers".

The applicant's complaint of October 27, 2021 is directed against this decision. She argues that a right to information follows from the contract of use between her and the party 2) in connection with Section 242 BGB and from a statutory obligation. It is sufficient for this that a violation of rights has taken place on the platform of the parties to 2), which could result in civil claims against the perpetrator. For the existence of a legal obligation, it cannot depend on whether the party 2) removes illegal content within a reasonable period of time after being informed accordingly, since the right to information then depends solely on the speed of the reaction of the party 2), which is not the case correspond to the protective purpose of the Network Enforcement Act.

For the details of the statement of grounds of appeal, reference is made to the pleading of October 27, 2021.

The party 2) defended the decision of the regional court. Permission requires a still existing substantive legal right to information, which is not given. In the present case, there were no connections between the applicant's user account and the account created by a third party, except that the user name partially matched the applicant's first name. This is not sufficient for a link to the applicant's usage contract, which is a prerequisite for the existence of a contractual obligation to provide information. There is also no legal obligation, since the participant to 2) does not have an examination duty or obligation, so that the claim as a non-disturber is ruled out. The complaint is also to be rejected in accordance with Section 74 (2) FamFG because the contested decision is also correct for other reasons. The applicant had already failed to sufficiently demonstrate the existence of an infringement. She did not explain and prove that she was affected by the insulting statements. For this, she must have reasonable grounds to assume that she could be recognized within a more or less large circle of acquaintances on the basis of the circumstances communicated. She was neither identifiable in the photos nor had she proven that a third party had connected her to the user account at issue in the proceedings. On the other hand, it was actually impossible for her, the party 2), as already explained, to provide the requested information due to the lack of assignment of the IP addresses, which is why she could not be obliged to do so.

With the decision of December 7, 2021, the regional court did not remedy the complaint. Obligations to provide information only exist towards the persons who have a user account, due to the resulting special protection and care obligations of those involved in 2) towards them. Persons without their own account would only have claims for injunctive relief, but not for information, against those involved in 2). However, the alleged violation of rights is not related to the applicant's user account, since the infringing action took place from another account. There is also no special connection between the parties involved in the form of a legal obligation, since party 2) is only responsible for third-party content under the conditions of § 7 Para. 2 to § 10 TMG and in this case by the immediate blocking of the account according to § 10 Sentence 1 No. 2 TMG release from liability had occurred. The party to 2) is also not liable as a disruptor, since they fulfilled their obligation to remove the reported information immediately within the meaning of this provision.

In a letter dated December 21, 2021, the applicant added the user's telephone number to its first-instance application and is now applying for

to allow the parties involved to provide the applicant with information about the inventory and usage data of the user registered on the "www.instagram.com" platform under the user name "X_was_hacked" (https://www.instagram.com/X_was_hacked/), by providing the following data stored with the party involved:

a. IP addresses used by the user to upload the articles and images that can be accessed under the user name, together with the exact time of upload, stating the date and time including minutes, seconds and time zone (time of upload),

b. user name,

c. e-mail address of the user,

i.e. IP address last used by the user to access his user account under the user name "X_was_hacked", together with the exact time of uploading, including the date and time including minutes, seconds and time zone (time of access),

e. User's phone number.

The applicant submits that information about the telephone number is necessary because numerous people no longer register on Instagram with their e-mail address but with their telephone number, so that their rights can only be protected if information is provided .

In response to a corresponding notice from the Senate, the applicant stated in a brief dated February 9, 2022 that her application was not limited to ordering the admissibility of the disclosure of information, but that the court should also decide on the obligation of those involved to 2) to provide information.

The Senate heard the parties involved. Reference is made to the minutes of the hearing dated March 23, 2022.

II.

The complaint was successful with regard to the requested information about inventory data.

1. The international jurisdiction of the German courts, which is to be examined ex officio, is given. The international jurisdiction for the judicial approval procedure according to Section 21 Paragraph 2 and Paragraph 3 of the Telecommunications Telemedia Data Protection Act (TTDSG) is based on the EuGVVO, as this is a civil matter within the meaning of Art. 1 Paragraph 1 EuGVVO acts (BGH, decision of September 24, 2019 - VI ZB 39/18, juris para. 19). It can remain open here according to which provision of this regulation the international jurisdiction of German courts would have to be assumed, since party 2) entered into the proceedings before the Flensburg Regional Court without objection in accordance with Art. 26 (1) sentence 1 EuGVVO (cf. BGH, loc.cit., juris para. 15).

2. Due to the change in the law that took place on December 1, 2021, the right to information is now to be assessed according to Section 21 Paragraph 2, Paragraph 3 TTDSG. Since there is no transitional provision, the new law applies to the asserted claims for information from the time it comes into force.

3. The Telecommunications Telemedia Data Protection Act is also applicable to party 2), although it has no domestic branch. According to Section 1 (3) TTDSG, this law applies to all companies and individuals that have a branch within the scope of the law or that provide services or are involved in them. According to the market location principle, the participant 2) is also included, whose platform Instagram can be accessed in the territory of the Federal Republic of Germany, whereby it provides services within the scope of the TTDSG (cf. the justification for the law, BT-Drs. 9/27441 p. 34; Golland, The Telecommunications Telemedia Privacy Act, NJW 2021, 2238, paragraph 4).

4. The complaint is admissible in accordance with Section 21 Paragraph 3 Clause 8 TTDSG, Sections 58 et seq. FamFG and also admissible in other respects.

In particular, the complaint received by the district court on October 27, 2021 was lodged in good time. The one-month period from Section 63 (1) FamFG begins in accordance with Section 63 (3) sentence 1 FamFG with the written notification. However, the contested decision of the Flensburg District Court of September 20, 2021 was only informally sent to the applicant. An informal transmission does not constitute notification within the meaning of Section 41 (1) FamFG, according to which a contestable decision that contradicts the recipient's declared will is to be served. Since there is no presumption of receipt of the informally sent decision, the period under Section 63 (1) FamFG has not started to run (BGH, decision of May 13, 2015 - XII ZB 491/14, NJW 2015, 2576, 2577, Paragraph 7; decision of March 29, 2017 - XII ZB 51/16, MDR 2017, 661 marginal number 8).

5. The applicant's complaint is also partly justified, namely with regard to the claim for information on inventory data.

a) According to Section 21 (2) TTDSG, a provider of telemedia is obliged to provide information about inventory data available to them, insofar as this is necessary to enforce civil law claims due to the violation of absolutely protected rights due to illegal content that is defined by Section 10a (1) TMG or Section 1 (3) NetzDG is required.

(1) The party to 2) is a provider of telemedia within the meaning of the regulation. According to the legal definition in § 1 paragraph 1 sentence 1 TMG, to which § 2 paragraph 1 TTDSG refers, these are all electronic information and communication services, insofar as they are not telecommunications services according to § 3 No. 61 of the Telecommunications Act, telecommunications-supported services according to § 3 No. 63 of the Telecommunications Act or broadcasting according to Section 2 of the Interstate Broadcasting Agreement. The exceptions mentioned are not relevant here; rather, the Instagram service offered by the parties involved is a telemedia within the meaning of the provision (Federal Court of Justice, judgment of January 13, 2022 - I ZR 35/21, juris para. 57).

(2) The content of the user account "X_was_hacked" unlawfully infringes the applicant's absolutely protected rights. This requirement requires a criminally relevant violation of the general personality rights of the applicant (Auernhammer, GDPR/BDSG, 7th edition 2020, § 14 TMG Rn. 30; Paschke/Berlit/ Meyer/Kröner, Hamburger commentary on all media law, 4th edition 2021, Section 46 (rights to information), para. 9). This results from the reference in § 21 Para. 2 Sentence 1 TTDSG to § 1 Para. 129 to 129b, 130, 131, 140, 166, 184b, 185 to 187, 189, 201a, 241 or 269 of the Criminal Code and are not justified.

(a) In the present case, the creation of the fake account and the posting of the photos with comments in the context of the offense in the sense of § 185 StGB. On the one hand, the fake account suggests that the applicant was "hacked", i.e. that her user profile was exposed to access by third parties. This claim is not insulting as such. However, photos that are supposed to represent the applicant were also posted on the account in question here, and in connection with this, statements are attributed to her that give the impression that she is interested in sexual contacts and that she is a "slut". Therein lies an insult, since these sexual innuendos are apt to make the applicant, who as a minor needs more protection in her personal development than adults, contemptible and degrading in public opinion. By creating the fake account and uploading the photos along with comments, the user suggests that the applicant wants to put herself on display in this way and communicate her sexual interest to visitors to the site. The fact that this immoral behavior is assigned to her reduces the social validity of the applicant, which constitutes an insult within the meaning of § 185 StGB (Schönke/Schröder/Eisele/Schittenhelm, StGB, 30th ed. 2019, § 185 para. 2 ).

The statements on the user account are also not justified because of the protection of legitimate interests according to § 193 StGB, which expresses the concerns of freedom of expression from Art. 5 Para. 1 Sentence 1 GG (BVerfG, decision of December 19, 2021 - 1 BvR 1073 /20 -, juris para. 26 with further references). Rather, it is pure abuse that does not fall under the scope of protection of freedom of expression and makes it unnecessary to weigh up the fundamental rights concerned. An abuse in the constitutional sense is given when a statement no longer has any comprehensible reference to a factual dispute and it is basically only about the baseless disparagement of the person concerned as such (BVerfG, loc.cit., Rn. 29 with further references). The comments are aimed solely at disparaging the applicant, without any reference to a factual dispute being recognizable. In addition, the actual author remains unknown and the wording of the comments suggests that they were made by the applicant herself. The author is therefore only concerned with a groundless disparagement of the applicant. The content of the user account that is the subject of the proceedings is therefore not a matter of expressions of opinion that fell under the protection of Article 5(1) sentence 1 of the Basic Law.

(b) Contrary to the opinion of the parties to 2), the applicant has also sufficiently demonstrated that she is the party affected by the infringement. It is sufficient that the applicant is recognizable as the person affected by the insult (Schönke/Schröder/Eisele/Schittenhelm, StGB, loc. cit., § 185 para. 9). Recognizability does not require full or even abbreviated naming. Rather, it is sufficient to transmit partial information from which the identity of the factually interested readership is readily apparent or can be easily determined. It is sufficient if the person concerned has reasonable grounds to assume that they can be recognized within a more or less large circle of acquaintances (OLG Dresden, final judgment of August 30, 2016 - 4 U 314/16, BeckRS 2016, 127424 with further references).

In the present case, the applicant is not only recognizable, but was actually "recognized". The chat she submitted with her former classmates shows that "someone from the class" "found" the account, that it was identified as the applicant's account and was the subject of conversations among the former classmates. The chat partner asks the applicant whether this is her account and draws her attention to it so that she can do something about it. This proves that the wrong account was assigned to the applicant and that its content led to speculation among her former classmates. It has thus been recognizable for a significant number of people or has been recognized by them. The question of whether the content of the user account, in particular its designation in connection with the photos, is also abstractly suitable for assigning it to the applicant is therefore irrelevant, since the actual (also false) "being recognized" compared to mere recognisability represents a significantly greater encroachment on the personal rights of those affected.

(3) The provision of information is also necessary so that the applicant can assert their rights under civil law against the unknown third party. The applicant does not know who created the user account that is the subject of the proceedings and has no other way of finding out. It is therefore dependent on the information provided by those involved in 2).

(4) However, the information only includes the inventory data available to the party 2), but not the usage data. According to the legal definition in § 2 Para. 2 No. 2 TTDSG, inventory data is the personal data whose processing is necessary for the purpose of establishing, designing the content or changing a contractual relationship between the provider of telemedia and the user regarding the use of telemedia. This includes the user's name, email address and phone number, but not the IP addresses from which the content was uploaded. This is usage data within the meaning of the legal definition of § 2 Para. 2 No. 3 TTDSG, according to which usage data [are] the personal data of a user of telemedia, the processing of which is necessary to enable and bill the use of telemedia.

The claim of the applicant therefore does not include the information requested from her under points a) and d) about the IP addresses used when accessing the account. An analogous application of Section 21 (2) TTDSG to usage data is also out of the question here, since there is no apparent regulatory gap that is contrary to the plan. Because the information procedure in relation to usage data is currently regulated in § 24 TTDSG, without - as in the previous standard § 15 paragraph 5 sentence 3 TMG old version - referring to the information procedure applicable to inventory data. Rather, the information about usage data according to § 24 Abs. 3 TTDSG is only permitted to the places mentioned in this paragraph. Although the explanatory memorandum to the law contains no explanation as to why the possibility of obtaining information provided for under the previous law is no longer provided for, this is not sufficient to assume that the legislature was merely editorially mistaken or that there is an unplanned loophole. Rather, there is currently no legal basis for private individuals' claims for information regarding usage data against telemedia providers. In this respect, the only way for those affected is to file a criminal complaint.

The objection of the parties to 2), the requested information about the IP addresses is not technically possible, can therefore be ignored in the present case.

b) Contrary to the statements of the district court, according to the current version of § 21 TTDSG (as already in the version of § 14 paragraph 3 sentence 2 TMG applicable from June 3, 2021; see also the justification for the law in BR-Drs 169/ 20, page 58 f.) no separate substantive legal right to information of the applicant against the party to 2). Rather, it follows from Section 21 (2) sentence 2 TTDSG that party 2) is obliged to provide information to the injured person if the requirements of Section 21 (2) sentence 1 TTDSG are met. This is to be seen as an independent substantive legal claim, so that there is no need to explain the question, which was extensively discussed in the first instance, from which a right to information could arise.

c) Contrary to a view expressed in the literature, the Senate also has no concerns regarding the compatibility of § 21 TTDSG with the standards of the General Data Protection Regulation (cf. Spindler/Schuster/Nink, TMG, 4th edition 2019, §§ 11 -15 Rn. 1 ff.; Kühling/Sauerborn, CR 2021, 271 ff., each with further references). Rather, the Senate follows the opinion of the Federal Court of Justice, according to which § 21 TTDSG (or the previous standard § 14 TMG old version) is a legal provision within the meaning of Art. 6 Para. 4 DSGVO (BGH, decision of September 24, 2019 - VI ZB 39/18, juris para. 40 ff.). These are legal provisions of the Member States which, in a democratic society, represent a necessary and proportionate measure to protect the objectives set out in Art. 23 (1) GDPR. Section 21 (2) TTDSG serves to enforce claims under civil law and thus pursues an objective specified in Article 23 (1) (j) GDPR, which allows member state legislation that restricts the obligations and rights under Articles 12 to 22 and 34 GDPR. The regulation of the right to information is also a necessary and proportionate measure to protect this goal in a democratic society, so that it fulfills the requirements of Art. 6 (4) GDPR (BGH, loc. cit., para. 40).

In a decision of December 19, 2021 (1 BvR 1073/20, juris para. 25), the Federal Constitutional Court also recognized Section 21 TTDSG and its predecessor as the legal basis for a right to information, without problematizing a possible restriction under European law.

6. The decision on costs follows from Section 21 (3) sentence 7 TTDSG. This standard is lex specialis to the general cost regulation in § 81 FamFG, so that a different cost decision is not possible (BGH, decision of September 24, 2019 - VI ZB 39/18, juris para. 13).