Paulína Macháčová and Hanna Stengel
The emergence of more and more scandals like the NSA revelations and the Ashley Madison scandal, as well as the increased influence of social media, has shed some light on the importance of personal data protection.
The protection of personal data is considered a basic human right by various international instruments, such as the European Convention on Human Rights (“ECHR”) and the Charter of Fundamental Rights of the European Union (“EU Charter”). Article 8 of the ECHR provides for the protection of the private and family life of an individual. According to the case law of the European Court of Human Rights (“ECtHR”), this also covers the right to personal data protection, as stated for example in S. and Marper v. the United Kingdom. Article 8 of the EU Charter explicitly provides that “Everyone has the right to protection of personal data concerning him or her”. The right to data protection is also guaranteed by secondary EU legislation, which forms the common ground for national legislations in all EU Member States.
Under Article 4 (1) of the Data Protection Regulation 2016, personal data means “any information relating to an identified or identifiable natural person (‘data subject’); (…)”. It can therefore be a name, a photo, an email address, bank details, medical information, or an IP address.
As the authors are law students from Germany and the Czech Republic, the focus of this article is on a comparison of the data protection laws in the Czech Republic and Germany with regard to new EU laws, including a critical assessment and proposals for possible changes to the current law.
1. Sources of data protection law and their scope of application
Both Czech and German data protection laws are anchored in EU law through the Data Protection Directive 1995. With effect from 2018, the Data Protection Regulation 2016 will replace the aforementioned directive. Another piece of new legislation effective from 2018 is the Data Protection Directive 2016, which regulates the processing of data by public authorities for the purpose of criminal proceedings.
The basic source of regulation of personal data protection in the Czech Republic is the Personal Data Protection Act (“PDPA”), which implements the Data Protection Directive 1995. In matters of liability and compensation, the PDPA refers to the general provisions of the Civil Code (“CC”). The PDPA is generally applicable to all data processing, including automated means, by public or private bodies. There is no provision in the PDPA that is dedicated specifically to the sphere of the Internet. However, considering the relevant EU laws and case law, we can conclude that the PDPA also applies in cases of personal data processing on the Internet.
Germany, on the other hand, has its own data protection acts for different areas in addition to the general rules. Data protection in Germany is mainly governed by the Federal Data Protection Act (“BDSG”), which also implements the Data Protection Directive 1995. The Act is therefore also applicable to personal data on the Internet, as long as it falls under the scope of application of the BDSG as defined in Section 1 V BDSG.
In addition, there are separate acts in both countries which deal with the limitation of liability of the providers of information society services. The laws on data protection in Germany are further complicated by the varying rules for compensation in the 16 federal states (or “Länder”) in Germany.
2. Available remedies
In both Czech and German law, the first remedy available is the right to demand cancellation, blocking or correction, completion, or liquidation of personal data. If damage was already caused by such a misuse of personal data, compensation or unjust enrichment claims follow.
In the Czech Republic, Section 21 and Section 25 of the PDPA provide for possible remedies in the case of a violation of the data subject’s right to privacy and personal life or a violation of law. In matters of liability and compensation of either material or non-material damage, the PDPA refers to the CC.
In Germany, Sections 7 and 8 BDSG govern the right to claim compensation for the misuse of personal data. Section 7 BDSG provides a separate claim for fault-based liability and applies to the public as well as private sphere. The general claims stemming from a breach of contract, as in Section 278 of the German Civil Code (“BGB”), are not displaced by this claim but can be claimed in addition. The claimant may seek restitution for unjust enrichment in accordance with Section 812 BGB or claim removal and injunction following Section 1004 BGB.
Regarding compensation and liability, there are no substantial changes brought by the new EU law on data protection, but rather the existing rules are further specified.
Generally, the system in both Germany and the Czech Republic is very similar and well defined. The combination of cancellation and removal rights with consequent rights to claim damages and compensation is the fairest way to deal with the remedies without putting too much burden on either party, since it gives the infringer a chance to fix the problem before going to court.
3.1. Compensation in general
Article 82 of the Data Protection Regulation 2016 now expressly provides for a right to compensation for material or non-material damage, as well as states further conditions, while not specifying the particular means of compensation.
In both Czech and German law, the primary method of compensation is restitution. If restitution is not possible, compensation is paid in money, including actual damage and loss of profit.
The Czech CC provides for fault-based liability for breaches of law or good morals. However, there is an objective liability for breach of contract with an exception for cases of unpredictable events beyond one’s control. The burden of proof generally lies with the claimant who needs to prove a violation, damage, and a causal nexus between them. However, it is worth mentioning that Section 2911 CC contains a presumption of negligence in cases of breach of a statutory duty. Although the claimant still needs to prove the violation, damage, and a causal nexus, the element of fault is presumed to be present.
The only exception where the PDPA itself provides for a special rule is Section 8 which sets forth a joint liability of the controller and the processor. Worth mentioning is the broader formulation of Section 25 PDPA compared to the Data Protection Directive 1995. The directive regulates a situation in which damage to the data subject was caused by the controller, whereas the Czech act is applicable also in cases of damage to the processor caused by the controller, and vice versa.
In Germany, to allow a claim for damages, Section 7 BDSG requires that the data processing, collection, or use must be inadmissible or incorrect, and damage has occurred. Section 8 BDSG further governs compensation for harm caused by a public body through automated collection, processing, or use of personal data. There is no such special regulation regarding public bodies in the Czech Republic.
In order to establish liability in Germany, the harm must be caused by the data breach. The situation with the burden of proof is the same as in the Czech Republic – it generally lies with the claimant. Section 7 paragraph 2 BDSG provides an exception to the obligation to provide compensation if the controller has exercised due care. This is determined by the individual circumstances of the case.
The amount of the compensation follows the general rules of Section 249 BGB. The defendant should provide restitution in kind (Naturalrestitution). Beyond the rights to compensation from Section 7 BDSG, the claimant can claim compensation also through Section 323ff BGB in cases of non-performance of a contract as well as through Section 823 I, II BGB in cases of serious infringements of personality rights and violations against informational self-determination.
Both Czech and German law follow the same general rules for establishing the right for compensation. In the Czech Republic, the CC is fully applicable, and the PDPA itself contains only a very limited number of provisions of compensation and liability. In Germany, the regulation in the BDSG is broader but refers to the BGB in certain specific matters. A reference to the general regulation can be considered as a good solution because the rules in the CC, as well as in the BGB, are complex and stable. On the other hand, the general civil law provisions do not reflect the special nature of data processing. This can however be fixed by the case law and commentators.
3.2. Compensation for immaterial damage
Article 82 of the Data Protection Regulation expressly mentions the right to receive compensation for immaterial damage.
The protection of personal data falls within the scope of protection of personality of an individual and one’s right to privacy under the Czech CC. Therefore, if non-material damage is caused by a violation of this right, the data subject is able to claim appropriate satisfaction under Section 2951 CC. Regarding the means or amount of satisfaction, the key is its appropriateness. There is no scale or authoritative guidelines for how much money is appropriate. It always depends on the particular case and its circumstances, such as the manner of infringement or its consequences for the future life of the claimant.
On the other hand, Section 7 of the German BDSG does not provide the right to claim compensation for non-material damage. According to the prevailing legal opinion, a pecuniary loss has to occur. This is in line with Section 253 BGB which states that damages for non-pecuniary loss are only possible in the cases stipulated by law. Despite the EU rules requiring compensation for non-material damage, the German legislator and courts still have not extended compensation to immaterial damage. Even though Section 7 BDSG does not provide for a claim of immaterial damage, it is possible to indirectly claim these through Sections 823 para 1, 253 para 2 BGB for violation of personal rights stemming from Articles 1 and 2 paragraph 1 of the Basic Law (“GG”). This was confirmed by the German Federal Constitutional Court (“BVerfG”) in the Soraya-decision, although these rights are generally limited to serious infringements caused mostly by the media.
If the claim involves public bodies, Section 8 provides for a separate claim to immaterial damage. This further proves how contradictory the German rules on compensation for immaterial damage are since most of the cases do not involve public bodies and an additional claim is therefore withheld from these claimants, unless they live in certain federal states. Moreover, the rules are not uniform in all the Länder. Some Länder, for example Brandenburg and Rhineland-Palatinate, provide for the right to claim compensation for immaterial damage and have added provisions accordingly.
Since the new Regulation 2016 will be directly applicable from 2018, there might not be a need for a change of German law. There will however be at least a need for a change in the practice of the courts and the manner in which they interpret certain norms as to the extent of compensation with regard to immaterial goods.
Czech law has implemented the Data Protection Directive 1995 quite broadly. The rules are therefore up to the standard of the Data Protection Regulation 2016. In Germany, on the other hand, the references to the BGB rules do somewhat limit the scope. Without any doubt, non-material damage is as likely to occur as material damage during the data processing. Therefore, the Data Protection Regulation 2016 which expressly provides for a right to compensation for both material and non-material damage is to be considered as a good step in the right direction.
4. Safe harbour for the service providers
In the Internet sphere, content is commonly created by multiple users, who may be anonymous. This raises the question of determining the liability of a service provider, e.g. an operator of a website. The main source of law regulating this matter is the E-Commerce Directive, which is implemented into both Czech and German law.
In the Czech Republic, it is the Act on Certain Services of Information Society (“ACSIS”) that represents a lex specialis to the PDPA. It deals with limitation of liability of the providers of information society services (service providers) and differentiates between three types of providers – mere conduit, caching, and hosting. The most interesting is the possible liability of a hosting provider, who can be liable for content created by somebody else. In cases of content created by the service provider or under its supervision, the standard regime under the PDPA is applicable and the operator is considered to be a data controller who determines the aim and means of personal data processing. Therefore, it is fully liable for the violation and damage caused to the data subject.
The ACSIS sets forth conditions for a “safe harbour” typically applicable to different advertising, community and discussion portals, personal blogs, or news websites.
Section 5 ACSIS states that the service provider is liable for the data uploaded by its users only if it, given its activities and circumstances, could have known that the data were illegal or if it could be proved that such a service provider was informed about the illegal nature of the data in question and did not take all the necessary measures to erase or block such data. According to the Municipal Court in Prague, if grammatical interpretation is chosen, it imposes liability rather than limits it. For example, operators of advertising websites, who are generally considered to be data controllers under the PDPA, can benefit from the safe harbour. There is a lot of contact information published by their users, and even a phone number is considered to be personal data, because it enables a particular person to be contacted. The service provider is not obliged to monitor and actively seek illegal data on its websites. In fact, it is prohibited from doing so with regard to the protection of the transmitted information and personal data of the users. This does not exclude special monitoring aimed at particular data, and therefore, it does not necessarily conflict with the general obligation of prevention under the CC.
A key factor for maintaining or losing the safe harbour regime is the service provider’s knowledge about the illegal character of the information in question. Despite proper notice, the illegality of certain information may not be entirely clear. In a case decided in 2015, the claimant, an operator of a news website, published an article regarding the rape of an under-aged girl. One of the users added a comment containing the personal data of the girl’s mother which enabled the identification of the girl. The website operator did not consider a police notice of violation of the criminal procedure as proving the illegality of the comment. However, the court disagreed and ruled that safe harbour was lost.
In Germany, the Telemedia Act (“TMG”), in particular Sections 7–10, governs the responsibility for the protection of information society services and E-commerce. The TMG differentiates between three kinds of providers – content providers, access providers, and host providers.
A content provider is someone who provides its own content on the Internet and therefore is fully liable for all its information on the Internet. Access providers, on the other hand, only transfer content and convey access to the Internet. Under Section 8 TMG, they are not liable for the content and they do not have a supervisory duty, since their function is purely the technical, automatic, and passive transfer of data. According to the German Federal Court of Justice (“BGH”), the access provider can only be held liable if the utilisation of other involved parties, like the host provider, fails and a loophole would otherwise be created.
Under Section 10 TMG, host providers are generally not liable for content. An exception is made when the host provider has knowledge about the illegality of the content. Under Section 10 paragraph 1 Nr. 2 TMG, the host provider has to immediately remove information or to block access to the information when it becomes aware of the illegality, otherwise it might be subject to a liability claim. This “notice-and-take-down-principle” was also confirmed by the BGH, which held that the host provider does not have a supervisory duty and does not need to check all content preemptively, but only to act when becoming aware of an infringement. The liability for offences is therefore limited to intent.
In a 2013 case on the autocomplete function of Google, the liability was similarly limited by the BGH. The court held that Google was the creator of the content and not simply an intermediary, since it creates new data out of the behaviour of Google users, and therefore Google was liable for violations of personality rights by the autocomplete function of its search engine. The court, however, limited the liability by stating that Google did not need to check every suggested term in advance but that it was sufficient for them to stop the display of the term if it received knowledge that the specific autocompleted term violated personality rights.
In general, the Czech Republic and Germany follow a similar system. They both recognise three kinds of providers with a different extent of liability. Both countries agree that a provider cannot be required to supervise and check all the content created by other users. Following the E-Commerce Directive, the host providers can rely on the safe harbour principle in both jurisdictions.
The safe harbour rule is a sound compromise. Considering the amount of content uploaded every minute, it seems like a good solution that the service provider should be given a chance to make things right after becoming aware of the illegal nature of the data, without holding it immediately liable for something it did not have a real chance to fix.
5. Conclusion and outlook
Data protection laws in both the Czech Republic and Germany are in line with the EU legislation they are adopting. Therefore, these two national regulations are similar to a considerable extent. The main difference between the Czech and German data protection laws is in compensation for immaterial damage, which is not fully accepted in Germany. However, this will change in 2018 following the new EU legislation. The Data Protection Regulation 2016 will have direct applicability and will not require further implementation. As a consequence, defendants in Germany will not be able to avoid claims for immaterial damage in the future. Therefore, the German courts will have to change their practice and apply the EU law instead of the German national law if they conflict with each other. It will be interesting to see how the German courts will change their interpretation of certain BGB norms in cases involving data protection in the light of the new EU legislation.
As for the future of data protection in the Czech Republic, even though the PDPA itself is over 16 years old, there was a major recodification of the Czech civil law in 2014, including adoption of the new CC. As the PDPA refers to the CC, the data protection law has changed quite recently. In addition, the new Data Protection Regulation 2016 will be in full effect from 2018. Therefore, to avoid proposing “changes to changes”, we recommend first waiting for the application of these instruments and reviewing how the courts approach data protection claims under the new law. Only after that should proposals to correct mistakes or loopholes revealed by practice be made.
For the sake of clarity, it should be emphasised that the Data Protection Regulation 2016 will become the key piece of legislation in the field of data protection in all Member States. National laws will supplement the regulation in matters which it does not regulate.
A change which can be already recommended is to rephrase the wording of the ACSIS. As pointed out by the Municipal Court in Prague, the current wording of the ACSIS seems more like setting requirements for imposing liability, not limiting it.
Regarding the varying rules in the different German Länder, we would recommend aligning the laws in Germany, especially since it is difficult to determine a specific jurisdiction in an area like data protection on the Internet. The law should not be further complicated by varying legal provisions within a country.
The new EU legislation will not bring major changes to the data protection law in the Czech Republic. On the other hand, Germany will have to deal with the direct applicability of provisions requiring compensation for non-material damage.
Paulína Macháčová graduated from the Faculty of Law of the Charles University in Prague and spent a year at the University of Copenhagen in Denmark as an exchange student. Currently, she is finishing the second year of the course Diploma in European and English Law from the British Law Centre. In her studies, she focuses on the field of international arbitration, competition law, international business law and private international law. Paulína gained professional experience while working for Clifford Chance Prague and Dvořák Hager & Partners.
Hanna Stengel has studied law at Julius-Maximilians-University in Würzburg, Germany, since October 2013 with an additional focus on European Union Law. As part of the Erasmus programme she spent a year abroad at KU Leuven, Belgium. Her main interests are public law, international law, cross border business law, data protection law and arbitration. She also works as a student assistant for Ralf Brinktrine, professor of Public Law at the University of Würzburg.
 European Convention on Human Rights, Rome, 4.XI.1950, as amended by Protocols Nos. 11 and 14, supplemented by Protocols Nos. 1, 4, 6, 7, 12, and 13.
 Charter of Fundamental Rights of the European Union, OJ 364/01, dated 18.12.2000.
 Decision of the ECtHR (Grand Chamber) No.  ECHR 1581, S. and Marper v the United Kingdom (Applications nos. 20562/04 and 30566/04), dated 4 December 2008.
 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1, dated 27 April 2016.
 European Commission (2012). The Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses, IP/12/46. p.2.
 Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, dated 24 October 1995.
 Directive (EU) 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119/89, dated 27 April 2016.
 Zákon č. 101/2000 Sb., o ochraně osobních údajů, ve znění pozdějších předpisů.
 Zákon č. 89/2012 Sb., občanský zákoník.
 Sec. 3 of the PDPA.
 Article 3 of the EU directive No. 95/46/EC; Article 2 of the EU regulation No. 2016/679; Article 2 of the EU directive No. 2016/680; Case 101/01 Lindqvist. Office of Personal Data Protection. Opinion No. 13/2012 – Publishing of personal data on the Internet.
 Bundesdatenschutzgesetz (BDSG) vom 20. Dezember 1990 (BGBl. I S. 66), zuletzt geändert durch Gesetz vom 25. Februar 2015 (BGBl. I S. 162).
 Wolff, H. and Brink, S. (2016). Beck’scher Online-Kommentar Datenschutzrecht. 16th Ed. BDSG § 7 Rn. 13.
 Wolff, H. and Brink, S., op. cit., BDSG § 7 Rn. 69.
 Section 1 BDSG.
 Bürgerliches Gesetzbuch (BGB) in der Fassung der Bekanntmachung vom 2. Januar 2002 (BGBl. I S. 42, ber. S. 2909 und BGBl. 2003 I S. 738).
 Erbs, G. and Kohlhaas M. (2016). Strafrechtliche Nebengesetze. München: C.H.Beck, BDSG §7 Rn. 1.
 Section 249 BGB; Section 2951 CC.
 Hulmák, M. a kol. (2014). Občanský zákoník VI. Závazkové právo. Zvláštní část (§ 2055–3014). Komentář. Praha: C. H. Beck, p. 1563.
 Novák, D. (2014). Zákon o ochraně osobních údajů a předpisy související: Komentář. Praha: Wolters Kluwer. § 25.; Kučerová, A., Nováková, L., Foldová, V., Nonnemann, F., Pospíšil, D. (2012). Zákon o ochraně osobních údajů. Komentář. 1. vydání. Praha: C. H. Beck.
 Novák (2014), op. cit., §25.
 Section 8 BDSG.
 Wolff, H. and Brink, S., ibid., BDSG § 7 Rn. 58.
 Section 7 BDSG.
 Simitis, Spiros (2014) Bundesdatenschutzgesetz, 8th Edition, BDSG §7 Rn. 57.
 BVerfG 14.2.1973, 1 BvR 112/65. Schmerzensgeld wegen Verletzung des allgemeinen Persönlichkeitsrechts. NJW 1973, 1221.
 Sec. 81 et seq. CC.
 Telec, I. (2010). Test přiměřenosti zadostiučinění za nemajetkovou újmu. Právní rozhledy 4/2010.
 Simitis, BDSG, §7 BDSG Rn. 30.
 Section 253 BGB.
 Simitis, BDSG, §7 Rn. 32.
 Section 253, 823 BGB.
 Grundgesetz (GG) vom 23.05.1949 (BGBl. I S. 2438), zuletzt geändert durch Art. 1 G v. 23.12.2014 I 2438 (from now on GG).
 BVerfG, 14.02.1973 – 1 BvR 112/65 (Soraya), BVerfGE 34, 269.
 BVerfG, 15.12.1999 – 1 BvR 653/96, BVerfGE 101, 361.
 Simitis, BDSG, §7 BDSG Rn. 32.
 BeckOK DatenSR. BDSG § 7 Rn. 24. Section 21 Landesdatenschutzgesetz (LSDG) Rheinland-Pfalz vom 5. Juli 1994 (GVBl. 1994, 293), zuletzt geändert am 20. Dezember 2011 (GVBl. S. 427).
 Simitis, BDSG, §7 Rn. 82.
 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.
 Zákon č. 480/2004 Sb., o některých službách informační společnosti.
 Harašta, J. (2014). Obecná prevenční povinnost poskytovatele služeb informační společnosti ve vztahu k informacím ukládaným uživatelem. Právní rozhledy 17/2014.
 Czech Office for personal data protection – Instructions for operating e-shops. 2014.
 Polčák, R. (2009). Odpovědnost poskytovatelů služeb informační společnosti. Právní rozhledy 23/2009.
 Municipal Court in Prague, dated 2 December 2011, Ref. No. 31 C 72/2011; Harašta 2014.
 Janečková, E. (2015). Odpovědnost provozovatele za obsah na internetu. Daně a právo v praxi 5/2015.
 Czech Office for personal data protection. Opinion No. 3/2013 – Regarding liability of operators of advertising websites.
 Czech Supreme Administrative Court, dated 12 February 2009, Ref. No. 9 As 34/2008.
 Case C-70/10 Scarlet Extended v. SABAM.
 Harašta 2014, op. cit., note 42.
 Maisner, M. (2016) Zákon o některých službách informační společnosti. Komentář. Praha: C. H. Beck. p. 68.
 Municipal Court in Prague, dated 19 August 2015, Ref. No. 11 A 114/2013.
 Section 7 – TMG.
 Krüger, S. and Peintinger, S. in Martinek, M., Semler, F-J. and Flohr, E. (2016) Handbuch des Vertriebsrechts. 4th Ed. Nördlingen: C.H.Beck, Rn. 289.
 Valerius, B. in Heintschel-Heinegg (2016). StGB Providerhaftung. Beck’scher Online Kommentar StGB. 31st Ed. Rn. 16.
 LG Hamburg: Haftung des Accessproviders für Links auf rechtswidrige Download-Möglichkeiten, Urteil vom 12.3.2010 – 308 O 640/08 (nicht rechtskräftig). MMR 2010, 488.
 OLG Hamburg: Keine Störerhaftung für Access-Provider – Urteil vom 21.11.2013 – 5 U 68/10. GRUR-RR 2014, 140.
 Valerius in Heintschel-Heinegg., Rn. 26.
 BGH: Störerhaftung von Access-Providern – BGH Urteil vom 26.11.2015 – I ZR 3/14. GRUR-RS 2016, 01908.
 LG Berlin Urteil vom 25.2.2003 16 O 476/01, Verantwortlichkeit eines Onlineauktionshauses für Urheberrechtsverletzungen, MMR 2004, 195.
 Nieland, H. (2010) Störerhaftung bei Meinungsforen im Internet – Nachträgliche Löschungspflicht oder Pflicht zur Eingangskontrolle? NJW 2010, 1494.
 Härting, Niko (2014) Internetrecht, 5th Edition, p. 531 Rn. 2140.
 BGH: Haftung für persönlichkeitsrechtsverletzende Autocomplete-Vorschläge bei Google – BGH, Urteil vom 14. 5. 2013 – VI ZR 269/12. NJW 2013, 2348.
 BGH: Prüfpflichten von Hostprovidern als mittelbare Störer bei Bewertungen Dritter auf ihrem Internetportal – BGH, Urteil vom 01.03.2016, Az. VI ZR 34/15. VuR 2016, 353.
 Municipal Court in Prague, dated 2 December 2011, Ref. No. 31 C 72/2011.