Online.Spiele.Recht http://spielerecht.de Fri, 19 Sep 2014 21:42:06 +0000 de-DE hourly 1 http://wordpress.org/?v=3.8 German Federal Court of Justice confirms Runes of Magic decision http://spielerecht.de/german-federal-court-of-justice-confirms-runes-of-magic-decision/ http://spielerecht.de/german-federal-court-of-justice-confirms-runes-of-magic-decision/#comments Thu, 18 Sep 2014 08:38:17 +0000 http://spielerecht.de/?p=3454 This morning, the German Federal Court of Justice (the highest German civil court; “BGH”) has confirmed its July 2013 “Runes of Magic” decision (docket no. I ZR 34/12), banning an advertisement for in-game items allegedly targeted at children. This decision will likely have a considerable impact on anyone advertising and selling goods or services online.

Legal Background

In its earlier decision, the court, following the arguments of a consumer watchdog organisation, had ordered the operator of a game to refrain from using the contested ad, which included the line

“Seize the advantageous opportunity and add that certain something to your armour & weapons”.

The BGH saw this language as an illegal direct exhortation to children to buy the relevant items. In making this finding, the court relied on the address with the German informal “you” (the German language has different words and grammatical constructions for “formal” and “informal” address, the latter being commonly used for family, close friends and children) and the use of other words it considers typical for children’s speech.

Therefore, the court BGH found the advertisement to be illegal commercial practice under § 3 para. 3 of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb; “UWG”) in connection with no. 28 of the appendix to the UWG (the so-called Black List).Under this no. 28 of the Black List, it is an illegal commercial practice to include in an advertisement a direct exhortation to children to buy advertised products or services or persuade their parents or other adults to do so. This provision is based on an EU directive on unfair commercial practices (Directive 2005/29/EC of May 11, 2005), which also contains such a Black List with almost identical provisions.

Criticism

The earlier judgment hat been criticized in legal literature for its formal flaws and tenous interpretations of the term “Child” under EU law and its consideration that informal speech – nowadays very common in online communication among adults – automatically indicated a target audience of minors under 14 years of age.

The court today did not comment on the reasons for its judgment. While the judges could technically take up to 5 months to issue the written reasons, we expect to have them in a matter of a few weeks in this particular case.

Action Items

In the meantime, our intial guidance on how online vendors and service providers should react now applies more than ever:

  • Exercise even greater care should be exercised in making advertising language legally compliant. Direct purchase invitations to children should be avoided at all costs. The selection of available payment methods seems to play a certain role in the legal analysis.
  • Where terms and conditions state a minimum age, it might be argued that ads for in-game items cannot be targeted at younger individuals.
  • Terms and conditions (and privacy policies) need to be adapted to German law. Merely translating “universal” terms is not a solution.
  • Advertisements within or with regards to a game and the embedding of advertisements as such should be legally vetted and, when in doubt, worded more carefully (indirectly).
]]>
http://spielerecht.de/german-federal-court-of-justice-confirms-runes-of-magic-decision/feed/ 0
Endgültig: BGH bestätigt Runes of Magic Entscheidung http://spielerecht.de/endgueltig-bgh-bestaetigt-runes-of-magic-entscheidung/ http://spielerecht.de/endgueltig-bgh-bestaetigt-runes-of-magic-entscheidung/#comments Thu, 18 Sep 2014 07:52:21 +0000 http://spielerecht.de/?p=3450 Der BGH hat soeben sein neuerliches Urteil in Sachen Item-Werbung bei Runes of Magic verkündet und damit das Versäumnisurteil vom 17. Juli 2013 (Az. I ZR 34/12) bestätigt.

Die neuerliche Entscheidung war nach einem Einspruch der Beklagten gegen das Versäumnisurteil erforderlich geworden. Bereits am 18. Juni 2014 war vor dem BGH erneut mündlich über den Fall verhandelt worden.

Ausgangspunkt der Auseindersetzung zwischen Verbraucherzentrale Bundesverband (vzbv) und dem Spielbetreiber ware ein Werbetext in einem Forum, in dem unter Anderem mit der Überschrift “Pimp deinen Charakter” und dem Satz

“Schnapp Dir die günstige Gelegenheit und verpasse Deiner Rüstung & Waffen das gewisse Etwas” .

für den Erwerb von Items im Spiel geworben wurde. Diese Aussagen sollte nach Ansicht des BGH wegen der Verwendung des informellen “Du” und von “Kindersprache, einschließlich gängiger Anglizismen” eine unzulässige Kaufaufforderung an Kinder darstellen. Der BGH stützte damals seine Entscheidung auf § 3 Abs. 3 UWG i.V.m. Nummer 28 des Anhangs zum UWG, der sog. “schwarzen Liste”. Danach ist eine unmittelbare Aufforderung an Kinder innerhalb einer Werbeanzeige wettbewerbsrechtlich unzulässig, wenn Kinder dazu aufgefordert werden, selbst die beworbene Ware zu erwerben oder ihre Eltern dazu zu veranlassen.

Unverständnis und Verunsicherung waren die Folge für die Branche und weit darüber hinaus. Aber auch aus rechtswissenschaftlicher Sicht wurde das Urteil zu Recht ausgiebig kritisiert. Problematisch waren insbesondere die Auslegung des Begriffs “Kind” in der Schwarzen Liste und die Ausführungen des Gerichts zum Adressatenkreis der Werbung: Die Anrede in der zweiten Person ist in vielen Kreisen, und gerade auch bei erwachsenen Onlinespielern, heute allgemein üblich und stützt nicht die Annahme, dass damit automatisch ein Kind gemeint sein muss. Auch trug die damalige Begründung schon ihrem Wortlaut nach nicht den ausgeurteilten Tenor. Eine ausführlichere Zusammenfassung der Mängel und Kritikpunkte haben wir hier zusammengestellt.

Von diesen Argumenten, die in der neuerlichen Verhandlung auch dem BGH vorgetragen worden waren, hat sich das Gericht allerdings offenbar nicht beeindrucken lassen, sondern das Versäumnisurteil aufrecht erhalten.

Zu den Gründen für diese Entscheidung hat es in dem Verkündungstermin allerdings abermals nichts durchblicken lassen. Wir warten daher gespannt auf die Urteilsbegründung. Das Gericht könnte sich dafür zwar wohl grundsätzlich abermals 5 Monate Zeit nehmen – wir rechnen aber eher damit, schon in einigen Wochen mehr zu wissen und werden die Entscheidung dann eingehend analysieren.

]]>
http://spielerecht.de/endgueltig-bgh-bestaetigt-runes-of-magic-entscheidung/feed/ 0
Apps and Digital Games: Complying with the new consumer protection laws in Germany http://spielerecht.de/apps-and-digital-games-complying-with-the-new-consumer-protection-laws-in-germany/ http://spielerecht.de/apps-and-digital-games-complying-with-the-new-consumer-protection-laws-in-germany/#comments Tue, 16 Sep 2014 08:21:30 +0000 http://spielerecht.de/?p=3410 The Consumer Rights Directive (2011/83/EU – “CRD”) has introduced quite a few new provisions specifically addressing the distribution of digital content like apps, digital games and any kind of digital content. In theory, the idea of implementing special regulations for digital businesses is not a bad one. But in practice there are some serious pitfalls to consider. We give an overview of the new rules and guidance on how to comply with the new consumer rights.

The new consumer rights are largely harmonised within the EU and member states have little discretion for implementation – which means that the new regulations that came into force in June 2014 are almost identical in all countries of the European Union. However, Germany has a special status to some extent: The CRD was widely inspired by German law. As a result, Germany already has experience with many of the CRD’s regulations and German case law could be a blueprint for future European court decisions.

Therefore, it is worth taking a deeper look into the legal situation in Germany.

New consumer rights for apps, digital games and other digital content

The CRD has introduced several new obligations which affect publishers of apps, digital games and all kinds of digital content. The most important are several new duties to provide information about products and their features as well as the revised right of withdrawal, which now explicitly includes digital goods.

Digital goods and the right of withdrawal

As a basic principle, consumers are entitled to withdraw their contractual statement within 14 days after they entered the contract – without any obligation to give any reason. If the consumer cancels the contract he loses the right to use the purchased item and the seller has to refund the full price. In other words: Every sale is in principle temporary until the 14 days cancellation notice period has passed.

The period of 14 days is now harmonised and applies equally in all member states of the EU. However, it can even be extended if certain formal requirements, such as duties to provide certain information in a certain way, are not met precisely.

The right of withdrawal now also explicitly applies to digital goods such as apps, games, in-game items or any other virtual purchases. Obviously, it is not always possible to actually “return” a digital item. And even if it is – in most cases it would be impractical to allow users to return their items for a full 14 days. Fortunately, the CRD implemented a way to effectively exclude the right of withdrawal.

According to Article 16 (m) CRD, the right of withdrawal terminates immediately after the contractual performance has begun, if the user has expressed their consent. So it is possible to exclude a right of withdrawal for digital goods. But this solution has one catch: It requires the users’ consent.

It has not yet been decided by the courts whether such consent needs to be explicit or whether it would be sufficient to obtain the consent within general terms and conditions. However, the CRD requires that users “express” their consent which implies at least some kind of action. Therefore, the exclusion of a right of withdrawal probably requires a dedicated checkbox or some equivalent means. Not surprisingly, also consumer watchdog organisations and certification bodies have taken this conservative position.

So whenever possible, publishers should require from their users to declare their explicit consent to immediately begin with their contractual performance. Additionally, users need to be informed that this operates as a waiver of their right of withdrawal.

Mandatory information

The CRD also requires publishers to provide a variety of information about the offered product, the purchase process and company information. The most important new obligations are to provide information about the exact functionality and interoperability of digital goods as well as information about technical protection measures.

Publishers should provide this information on the game description page. We recommend providing at least the following information:

  • System requirements and technical restrictions (e.g. “Requires Android 4+ and internet connection”)
  • Details on the core features (e.g. “3D action shooter – includes 7+ levels, 10+ different characters, 8+ weapons, chat feature”)
  • Details on known limitations that customers should be aware of (e.g. “Does not work on Sony Xperia phones”)
  • Detailed information about in-app sales for freemium apps or games (e.g. “Additional weapons may require payment; character level beyond 10 requires paid add-on”)
  • Information about TPM (e.g. “Requires registration”; “Cannot be installed on multiple devices”)

Furthermore, the following information should be provided:

  • Clear and unambiguous prices including VAT
  • Information that VAT is included in the displayed price
  • For subscriptions: Potential costs that may incur in the future

Additionally, there is more mandatory information that does not specifically address digital items but is nevertheless important to consider:

  • Name and geographic address of the publisher’s company
  • Contact information (e-mail and phone)
  • VAT number
  • Register and registration number

This information should be made available on the publisher’s website, the distribution platform and within the app or game as well, e.g. in the credits section. The information must be continuously available and easy to find. German courts have held that a user must never be further than two clicks away from this information anywhere on a website. If publishers fail to fulfil these duties, the legal requirements cannot only be enforced by consumer watchdogs and competitors with written warning letters or court proceedings. Depending on the violated law, it can also lead to extended customer rights, for example a right to withdraw from a contract up to a year after the initial purchase.

The above list is not exhaustive. There are many more regulations that only apply in certain cases, for example if financial transactions or certain goods are involved. Furthermore, there are several national regulations such as data privacy or youth protection that publishers should keep in mind.

As of 2015 there are also new tax regulations regarding VAT in the European Union apps and games publishers should have on the radar.

Responsibility when distributing digital goods through third-party app stores and digital platforms?

But who is actually responsible for ensuring compliance with consumer rights when publishers distribute their products through third-party platforms such as app stores or online distribution platforms for games? This question is trickier than it seems. In fact, it is one of the key issues for digital distribution.

In general, the person responsible for complying with consumer rights is the vendor of the product. Who is the vendor of an app or a game on a game distribution platform like Steam?

The situation is fairly easy if the operator of the distribution platform unambiguously acts as the vendor – i.e. if the operator is distributing apps or games in its own name and on its own account. Then the platform operator is also responsible for compliance with consumer rights. Publishers should keep in mind, though, that they often stay responsible for any compliance issues in the context of their in-app or in-game sales as the relevant contracts are made with the publisher and not with the platform.

The situation gets even more complicated, if the platform, as usual, states to solely act as an agent or commissionaire for the publishers. In this case the publishers are the vendors of their products, although the customer might have a different impression when purchasing digital goods.

For example, if you want to buy an app at Apple’s AppStore, you first have to create an account – with Apple. Then you have to provide your payment information – to Apple. Now you can browse the AppStore – provided by Apple. If you choose to buy an app, you have to accept the terms and conditions – of Apple. After that, the payment is processed – by Apple. And finally the app is being installed on your device – by Apple.

However, Apple’s terms and conditions, similar to other app store and platform terms and conditions, clearly say that Apple itself does not sell any third-party apps but solely acts as an agent or commissionaire. Moreover, product pages in Apple’s app store clearly disclose the publisher as “seller” of his app – despite the different first impression of the customer.

All in all, one has to come to the conclusion that apps are indeed sold by their publishers in this constellation. Accordingly, solely the publishers as the vendors of the apps and games are responsible for the compliance with the new consumer laws.

This leads to a serious problem: Neither app stores nor gaming platforms usually allow publishers to actually implement many of the legal requirements. For example, publishers have only limited control on how their game or app is presented to the customer and practically no control over the design of the purchase process on digital distribution platforms such as checkboxes to avoid a right of withdrawal for apps or digitally distributed games resulting from distant selling laws.

How to ensure compliance on third-party digital distribution platforms?

This situation seems like a déjà vu. eBay sellers had similar problems back when eBay had not yet implemented all required features to fully comply with consumer rights. The common recommendation then was: Do not just lean back and wait. Instead, demonstrate best efforts to be as compliant as possible with consumer rights. This motto still holds true today.

An idea on how to practically implement this comes from the working group of German data protection watchdogs who recently published a guideline for app developers on how to ensure data protection compliance. The guideline addresses, inter alia, the problems with digital distribution platforms and suggests integrating the required information into the product page in the respective app store and, additionally, within the app itself. If there is not enough space for all information, publishers can use links to websites providing the required information.

This data protection guideline is also a reasonably passable route for ensuring compliance, at least with information duties resulting from consumer protection regulations.

Furthermore, publishers can and should consider the new consumer rights when designing their in-game and in-app sales processes. In particular, the user should be provided with all required information before the actual purchase is made. Additionally, publishers should obtain the users’ explicit consent that the items or services are provided instantly after the purchase with the consequence that they lose their right of withdrawal.

The fact that publishers do not have any influence on how exactly the right of withdrawal is implemented in app stores or game platforms may even work as a defence in court if consumer protection organisations were to start considering them as responsible for the compliance with this specific aspect of consumer protection regulations. After all, it seems unreasonable to blame publishers for something they do not have any influence on.

Conclusion

Publishers should definitely have the new consumer rights on their agenda. Failure to comply with them can lead to serious consequences, but most of them are more or less easy to implement.

However, things can get complicated on digital distribution platforms. Unless the platforms expressively act as vendor for the apps and games, we have the quite unsatisfying situation where full compliance requires a close cooperation between publishers and platforms without having clear responsibilities. Fortunately, there are at least ways for publishers to limit the risk.

]]>
http://spielerecht.de/apps-and-digital-games-complying-with-the-new-consumer-protection-laws-in-germany/feed/ 0
German Court: Key Selling Infringes Copyright http://spielerecht.de/german-court-key-selling-infringes-copyright/ http://spielerecht.de/german-court-key-selling-infringes-copyright/#comments Fri, 12 Sep 2014 08:29:53 +0000 http://spielerecht.de/?p=3360

Key Selling is a serious problem for the games industry. The resale of product keys compromises price structures and harms consumers and businesses equally. The games industry has now made a big step forward against such key selling practices. In the first case of its kind in Germany, the Regional Court of Berlin has decided that the business model of key selling infringes copyright and is illegal. The decision was not appealed and has become binding.

What happened?

A German company was running the typical key seller business: They sold the product keys of boxed computer games which allow users to download the games from Steam, Origin and other digital distribution platforms. The keys came from unknown suppliers in countries where the games are sold at a lower price than in Germany.

A large German computer game publisher and distributor who held the exclusive rights to a popular game had issued a cease and desist letter to the merchant, requesting that they cease the resale of the game’s product keys. The merchant had then seized the court, asking it to declare the cease and desist letter illegal and their business model legit in order to obtain a carte blanche for the key selling industry. In particular, the plaintiff argued, it was just doing away with unnecessary shipment cost regarding the boxed products, which it claimed it purchased from partners in different EU member states.

The court’s decision

But his attempt to turn the tables boomeranged. In its decision dated 11 March 2014, the Regional Court of Berlin (docket no. 16 O 73/13) ruled that German law does not allow merchants to purchase boxed computer games and then resell the license keys only. This business model, according to the court, infringes copyright in the games and, in particular, is not subject to any copyright exceptions based on the doctrine of exhaustion or the ECJ’s UsedSoft decision.

According to the court, the doctrine of exhaustion, which permits the resale of individual physical copies of a copyrighted work that the copyright owner or their licensees have intentionally put onto the market within the EU, did not grant merchants the right to separate different components sold as one product – in this case the physical data medium and the license key.

Decision in accordance with ECJ case law

Furthermore, the ECJ’s UsedSoft decision, under which exhaustion could exceptionally also apply to digital copies of computer software, did not apply in such cases for the simple reason that the initial boxed product was not itself digitally distributed by the copyright owner/licensee. Although the court did not have to discuss in any detail, it even implied that the UsedSoft case might not be applicable to computer games at all. According to the court, games are not only simple computer software but complex hybrid works and therefore not only protected as software but also under classic copyright rules. As a result, the matter could not be compared to the UsedSoft case in any way.

What does that mean for the games industry?

The decision is an important first step for the industry’s efforts to stop the grey market resale of their products. But it is the first decision of its kind and the procedural situation was not very common. Furthermore, digital distribution and key selling are fairly new legal issues. Accordingly, many questions still remain open. However, the decision sends a clear message: In Germany, “key selling” infringes copyright. And as publishers and distributors can now take legal actions to stop merchants engaging in such business practices, it is an important landmark in the development of further strategies.

(Full disclosure: Our firm represented the defendant in this case.)

]]>
http://spielerecht.de/german-court-key-selling-infringes-copyright/feed/ 0
Privacy Alert: “Cookie Sweep” about to take place in Europe http://spielerecht.de/privacy-alert-cookie-sweep-about-to-take-place-in-europe/ http://spielerecht.de/privacy-alert-cookie-sweep-about-to-take-place-in-europe/#comments Mon, 08 Sep 2014 06:00:25 +0000 http://spielerecht.de/?p=3403

Following an announcement by the CNIL, (the French data protection authority) “Cookie Sweep Days” will take place across the EU between 15 – 19 September 2014. Now is a good time for companies to ensure that the use of cookies on their websites in the EU complies with the applicable data protection laws – which are unfortunately not as harmonized throughout the EU as one might hope. After Germany’s initiative regarding privacy compliance in mobile apps, this is the second time in only a few weeks that data protection authorities are announcing extra scrutiny regarding privacy law questions highly relevant for the games industry.

What is “Cookie Sweep Day”?

During “Cookie Sweep Day” (which is actually a week) the French CNIL and other European data protection authorities will conduct online investigations (involving automatic scans of selected websites) to verify compliance with the legal requirements regarding the use of cookies under EU data protection laws.

What is the focus of the investigation?

The focus of the investigation will be on the following aspects of the use of cookies:

  • What types of cookies are used on the website?
  • What is the purpose of the cookies (i.e., do the cookies serve the functions of the website or do they enable web tracking or online behavioural advertising)?
  • Does the website collect opt-in consents from the users into the use of cookies?
  • ŸIf so, how is this consent obtained (implied vs. explicit consent)?
  • What information does the website provide on the use of cookies? Is the information comprehensive and accessible?
  • Can users still use the website even though they have refused to give their consent? Do the users have the option to deny their consent only with regards to specific cookies (e.g., cookies used for purposes of online behavioural advertising while still using the cookies which support the functions of the website)?
  • Can users withdraw their consent at any time?
  • What is the duration of cookies?

How should companies prepare?

Companies can prepare themselves for the “Cookie Sweep Day” by taking steps to ensure their compliance with data protection laws. Clearly it is better to proactively address compliance weaknesses in advance of any DPA website investigation – not least because fines can be imposed against organisations which do not comply with the existing rules.

Therefore, we recommend taking the following measures:

  • Determine which kind of cookies are used on your websites and which purposes they serve.
  • Assess whether consent is required (opt-in vs. opt-out) and how it must be obtained (implicit vs. explicit consent).
  • Assess the comprehensiveness, clarity and accessibility of the information on cookies provided on the website / in the privacy policy.
  • Adjust the website according to the legal requirement, e.g. by updating the information on the website or by implementing a correct opt-in mechanism.

Diverging legal requirements regarding the use of cookies in the EU

Any assessment of the EU’s cookie law regime needs to take into account which EU Member State the website operator is established in or in which the cookie is actually used. This is because – unfortunately – legal requirements regarding the use of cookies on websites still differ across Europe even though an EU directive governs this area of law (Directive 2009/136/EC). The reason for this divergence being that the Directive is not directly applicable but instead is implemented into national law in each EU Member State. The resulting national laws differ considerably. Furthermore, the interpretation by the various national DPA’s vary, too.

By way of example, we have summarised the main requirements regarding the use of cookies for some EU jurisdictions below (please note that the information is not comprehensive and additional requirements might be applicable in the individual case):

ŸIn France, the CNIL requires websites to only set cookies after user consent has been obtained. In this regard, the CNIL has taken a two step ”soft opt-in” approach to consent requirements: the CNIL recommends posting a dedicated banner on the home page that states that by continuing to use of the website, the user agrees to have cookies set on his/her terminal (the first step). The banner shall also include a link to another page with the practical ways to oppose such use (opt-out) (e.g. a “more information” link on the banner to the cookie policy) (the second step). The CNIL has recently imposed a fine on Google in part because cookies were already set while the banner informing about the use of cookies was displayed on the website. Furthermore, the CNIL requires web publishers to give users the possibility to only refuse the use of specific cookies (like those for behavioural advertising). Some exceptions apply, (e.g., session cookies; authentication cookies; basket cookies) for which no consent is necessary.

ŸAs is the case in France, Belgian law requires websites to only set ‘non-functional’ cookies after user consent has been obtained. (No consent must be obtained for the use of so called ‘functional’ cookies such as e.g., session cookies, authentication cookies, basket cookies). The Belgian legislator however failed to clarify what constitutes valid user consent or how it must be obtained.  In an effort to tackle the legal uncertainties surrounding the use of cookies under Belgian law, the Belgian Privacy Commission launched a consultation round on 24 April 2014. All the relevant stakeholders have been invited to participate and submit their advice and suggestions before 31 July. The Privacy Commission is expected to publish its report with recommendations later this year.

In contrast to the situation in France, Germany has not implemented the opt-in requirement stemming from Sec. 5 of Directive 2009/136/EC into national law. Rather, the German government takes the view that the existing opt-out regime already complies with the requirements under the Directive. This has caused some legal uncertainty because several legal scholars in Germany (and also some DPA’s) argue that the national law must be interpreted in the light of Directive 2009/136/EC and that, therefore, an opt-in would be required also in Germany.

ŸThe ICO in the UK has recently recognised an implied “soft opt-in” consent approach similar to that accepted by the CNIL in France as a valid form allowing the use of cookies. However, as is the case in France, if a company is relying on implied consent, it must be satisfied that users understand that their actions will result in cookies being set. Otherwise, the company would not have their informed consent.  For that reason website operators are encouraged to include links to further information via banners and pop up notices.

ŸIn the Netherlands, clear and complete information on the use and purpose of cookies as well as prior opt-in consent is required before placing cookies on the equipment of an internet user. In addition, the Dutch cookie legislation contains a legal presumption that tracking cookies constitute the processing of personal data. Based on this legal presumption the Dutch DPA has enforced the cookie legislation twice over the last six months – making the enforcement of the cookie legislation a top priority in the Netherlands at the moment.

In Italy, a decision by the national DPA on the use of cookies has just been published on 3 June 2014, according to which an implied consent for the use of profiling cookies has been accepted. Yet, as soon as the user accesses the website, a banner of appropriate dimensions must immediately be visualized, informing about the use of cookies. The banner must contain detailed information about the use of cookies, their purposes and how to accept or deny them. Compliance with these requirements must be ensured within 1 year after the publication of the decisions, i.e. by 3 June 2015.

The Spanish DPA also accepts implied consent as a condition to use specific cookies (e.g. analytic and behavioural advertising cookies), provided that users are given clear and accessible information on their purposes, origin (whether these are first or third party cookies) and they are warned that a specific action is considered an acceptance to use them (lack of action cannot be considered valid consent). Moreover, website editors must permanently inform users on how to uninstall said cookies, without this implying the automatic termination of the website service. The Spanish DPA has recently imposed sanctions to small and medium sized enterprises due to the lack of compliance with consent and information requirements on the use of cookies.

This posting is brought to you with the invaluable support of colleagues in the various European offices of Osborne Clarke, and in particular Flemming Moos and his team of our Hamburg office. If you have any further questions, Flemming would be happy to take them. ]]> http://spielerecht.de/privacy-alert-cookie-sweep-about-to-take-place-in-europe/feed/ 0 Nach Urteil: Rechtssicherheit für Facebook-Fanpage Betreiber http://spielerecht.de/nach-urteil-rechtssicherheit-fuer-facebook-fanpage-betreiber/ http://spielerecht.de/nach-urteil-rechtssicherheit-fuer-facebook-fanpage-betreiber/#comments Fri, 05 Sep 2014 10:50:49 +0000 http://spielerecht.de/?p=3397 Gestern entschied das Schleswig-Holsteinische Oberverwaltungsgericht (OVG) in einem Urteil (Az.: 4 LB 20/13), dass Betreiber von Facebook Fanpages keine Verantwortung für die über die Fanpages ausgelöste Verarbeitung von personenbezogenen Daten bei Facebook tragen. Die Betreiber der Seiten sind weder verantwortliche Stelle im Sinne des Datenschutzrechts noch als Störer verantwortlich zu machen. Das Gericht bestätigt damit ein Urteil der Vorinstanz  (Schleswig-Holsteinisches VG,Urteil vom 9. Oktober 2013, Az. 8 A 218/11) und gibt somit Seitenbetreibern Rechtssicherheit.

Was war passiert?

Im Herbst 2011 hatte das Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein (ULD) Unternehmen in Schleswig-Holstein gedroht, Bußgelder zu verhängen, sollten Facebook- Fanseiten nicht deaktiviert werden. Gleichzeitig wurde der der Wirtschaftsakademie der Industrie- und Handelskammer (WAK) per Bescheid aufgegeben, ihre Fanpage bei Facebook zu deaktivieren. Der damalige Musterbescheid ist hier zu finden. Hiergegen hatte die WAK geklagt.  Beide Schleswig-Holsteinischen Gerichte entschieden im Sinne der WAK und aller Facebook-Seitenbetreiber und stellten klar, dass der Fanpage-Seitenbetreiber datenschutzrechtlich nicht verantwortlich sei, sondern insoweit allein Facebook die datenschutzrechtliche Verantwortung trifft.

Die Reaktionen

Die Reaktionen auf das Urteil fielen erwartungsgemäß unterschiedlich aus. Während der Schleswig-Holsteinische Datenschutzbeauftragte das Urteil in einer ersten Stellungnahme als “Katastrophe und Rückschlag für den Datenschutz” bezeichnete, zeigte sich die IHK Schleswig-Holstein erwartungsgemäß erfreut.

Formal besitzt das Urteil nur Relevanz für die beiden Beteiligen des Rechtsstreits und allenfalls noch für Facebook-Seitenbetreiber mit Sitz in Schleswig-Holstein. Tatsächlich muss man das Verfahren jedoch wohl als Musterverfahren ansehen, so dass für alle deutschen Facebook-Fanpage-Betreiber datenschutzrechtliche Rechtssicherheit hergestellt wurde. Die Entscheidungsgründe liegen noch nicht vor. Eine Revision zum Bundesverwaltungsgericht ist zulässig.

]]>
http://spielerecht.de/nach-urteil-rechtssicherheit-fuer-facebook-fanpage-betreiber/feed/ 0
Beware of the (Watch)Dog: German Authorities on Mobile App Privacy Policies http://spielerecht.de/beware-of-the-watchdog-german-authorities-on-mobile-app-privacy-policies/ http://spielerecht.de/beware-of-the-watchdog-german-authorities-on-mobile-app-privacy-policies/#comments Mon, 01 Sep 2014 08:53:03 +0000 http://spielerecht.de/?p=3356 In a joint effort, a working group reuniting all German Data Protection Authorities (“DPAs”) has now published its long awaited guidelines for developers of mobile games and apps. The 33 page document defines legal requirements for apps and also addresses the underlying technical framework, and announces more intense enforcement action in the weeks and months ahead.

The end of the ceasefire

The document does not really contain any surprises, but it is still a useful and interesting read, because for the first time ever the regulators are letting us know how they believe data privacy legislation should be interpreted for mobile games and other apps. And anyone commercializing apps in Germany would be well advised to heed these rules of the game: The DPAs have announced that they will now get down to business with non-compliant apps.

The regulators had conducted “app sweep days” before to examine apps with regard to their legal compliance. Among the recurring grievances was a lack of clarity as to what data are collected by the apps and for what purpose they are used and shared. However, until now the DPAs had only followed up with actual enforcement action in exceptional cases.

Disregarding the new guidelines can carry fines of up to EUR 300,000 and lead to considerable brand damage. We are already seeing increased activity from the DPAs, but also from consumer protection watchdog groups. The days of the legal ceasefire are over.

Guidance in a nutshell

In a nutshell and amongst many other points, the guidelines require app developers to comply with the following:

  • During the development process, app developers must ensure that only such personal user data is collected and processed as is absolutely necessary for the performance of the app.
  • Users have to be informed about the type, scope and objective of the collection, the processing and the use cases of their personal data in a comprehensible manner. This requires an app-specific privacy policy.
  • The privacy policy should ideally be integrated into the product page in the respective app store so that users can take note of it before the download. It is insufficient to use a privacy policy designed for a similar web service.
  • The privacy policy must specifically address the data collection and use via the app. For instance, any collection of data via the various sensors of a mobile device, like the camera or the microphone, must be disclosed, along with any mobile tracking technologies.
  • The privacy policy and the developer’s contact information must be integrated into the app and be easily accessible from within the app.
  • The principle of “Privacy by Design” is a leitmotiv of the guidance paper – app developers need to build their product with privacy requirements in mind from the outset, and integrate privacy mechanisms into their design.
  • Specific requirements apply to location data, generally considered as particularly sensitive. Thus, the guidelines require not only transparency but also reducing the granularity of such data to the extent possible.
  • Similarly, stricter rules apply with regard to health, banking data and other sensitive personal data, including data of minors. Finally, the guidelines set forth a number of technical safeguards that app developers are required to implement (again: privacy by design), including sufficient server backend encryption, secure password requirements, etc.

Why this matters to international businesses

German data protection law applies not only to businesses based in Germany. It also applies to any data collection processes within Germany (for example by an app installed on a German user’s smartphone) controlled by an entity outside the European Union.

Even though as a general rule, entities within the European Union only need to adhere to their own member state’s privacy law when doing business across the EU, recent ECJ case law suggests that a consumer’s local privacy laws may even apply in many cases when data collection processes are controlled by an EU entity that has an affiliate or branch office in such consumer’s jurisdiction.

The DPAs primarily regard the providers (developers and operators) of mobile games and other apps responsible for complying with privacy rules. Therefore, the paper is primarily targeted at such app providers, while making it clear that also other parties, including the app stores, bear a certain responsibility under data privacy laws.

Anyone involved in the mobile games business should therefore now make sure their apps are compliant – before the regulators do.

]]>
http://spielerecht.de/beware-of-the-watchdog-german-authorities-on-mobile-app-privacy-policies/feed/ 0
Plakatwerbung, Leerboxen und der Jugendschutz (reloaded) http://spielerecht.de/plakatwerbung-leerboxen-und-der-jugendschutz-reloaded/ http://spielerecht.de/plakatwerbung-leerboxen-und-der-jugendschutz-reloaded/#comments Wed, 27 Aug 2014 12:42:59 +0000 http://spielerecht.de/?p=3364 Vor einigen Jahren haben wir schon einmal über Alterskennzeichen Marke Eigenbau in der Plakatwerbung für ein brandaktuelles Computerspiel berichtet. Anlässlich der gamescom dieses Jahr konnte man nun wieder eine Menge Werbung für noch nicht erschienene (und noch nicht altersgeprüfte) Spiele sehen, und das sah auch schon viel besser aus (Foto nach dem Break). Eine jugendschutzrechtliche Frage stellt sich natürlich trotzdem…

cod-vorverkauf

Wie alt muss man denn jetzt sein, um (legal) an diese Leerbox zu kommen?

Ein Alterskennzeichen ist nicht vorhanden, und ein Spiel ohne Alterskennzeichen wird nach § 12 Abs. 3 JuSchG grundsätzlich so behandelt wie ein Spiel mit dem Kennzeichen “keine Jugendfreigabe” (wenn es nicht sogar indiziert ist oder nach § 15 Abs. 2 JuSchG als indiziert gilt). Ein Überlassen an Minderjährige ist damit verboten.

Andererseits gilt § 12 JuSchG von vorne herein nur für Datenträger mit Filmen oder Spielen, und ein solcher wird mit der Leerbox ja noch nicht direkt abgegeben. Kann also jedes Kind diese Leerbox kaufen?

Für die Antwort auf diese Frage kommt es darauf an, ob § 12 Abs. 3 JuSchG auch für Gutscheine oder sonstige “Stellvertreterprodukte” gelten kann, die später den Bezug von Spielen ermöglichen. Immerhin verbietet diese Vorschrift nicht nur das Überlassen, sondern auch das Anbieten und das sonstige Zugänglichmachen. Ein Anbieten an Minderjährige soll nach einer Literaturansicht auch schon im Auslegen einer Hülle gesehen werden, wenn nicht anderweitig aus den Umständen deutlich wird, dass bestimmte Altersgrenzen eingehalten werden. Solche Umstände sollen schon vorliegen, wenn die Hüllen mit USK-Kennzeichen, oder, falls keine deutschen Kennzeichen vorliegen, mit ausländischen Kennzeichen oder sonstigen Hinweisen versehen sind. Bei der Box, so wie sie auf dem Plakat abgebildet ist, ist das aber gerade nicht der Fall. Damit besteht mindestens ein erhebliches Risiko, dass diese Aufmachung als Angebot (auch) an Minderjährige verstanden werden kann.

Ein sonstiges Zugänglichmachen liegt dagegen noch nicht vor, da dies immer die Möglichkeit zur Kenntnisnahme vom Inhalt des Bildträgers erfordert – und der ist ja noch nicht einmal veröffentlicht.

Sollte aber nicht wenigstens im Laden deutlich darauf hingeweisen werden, dass das Spiel, wenn es denn dann altersgeprüft und erschienen ist, auch nur einem Kunden der entsprechenden Alterskohorte ausgehändigt werden wird, steht bei dieser Aufmachung ein Jugendschutzverstoß im Raum.

In jedem Fall wäre es ratsam, schon die Leerbox nur an Volljährige abzugeben (vor allem auch vor dem praktischen Hintergrund, dass ohnehin für diesen Titel kaum eine Freigabe ab 16 zu erwarten ist…). Dies entbindet den Händler aber natürlich nicht von der Verantwortung, beim Umtausch der Leerbox gegen das Spiel erneut den Ausweis des Kunden zu kontrollieren, denn dieser Vorgang ist dann definitv ein Überlassen des Bildträgers.

Anders liegt der Fall aber bei Gutscheinen oder Guthabenkarten, die sich nicht schon auf ein konkretes Produkt beziehen. Diese können frei abgegeben werden. Es liegt dann in der Verantwortung des jeweiligen Händlers (oder Online-Anbieters), bei der Einlösung des Gutscheins für ein konkretes Produkt ggf. das Alter des Käufers zu überprüfen.

]]>
http://spielerecht.de/plakatwerbung-leerboxen-und-der-jugendschutz-reloaded/feed/ 0
Let’s Play! But Who Wins the Copyright Battle? http://spielerecht.de/lets-play-but-who-wins-the-copyright-battle/ http://spielerecht.de/lets-play-but-who-wins-the-copyright-battle/#comments Wed, 27 Aug 2014 06:28:46 +0000 http://spielerecht.de/?p=3354 The concept of “Let’s Play” is simple: Gamers make a video of themselves while playing and comment on the event like a TV reporter during a telecasted sporting event. Live-streams and video clips of game performances produced this way are uploaded to video platforms accessible for the interested public. The market for Let’s Play videos is booming. While in Germany the online audience of Let’s Play users is growing constantly, there are already entire dedicated streaming channels for Let’s Play content in the US, on which registered users follow extensive gaming sessions.

However, from a German and European copyright point of view, this market raises some issues and uncertainties that have yet to be addressed in case law.

Legal protection of content

Computer games enjoy copyright protection. The individual works of art as graphics, music and user interfaces are protected as a “personal intellectual creations” in accordance with the German Copyright Act (§ 2 UrhG). Besides, the overall composition of the computer game is an audiovisual or similar work and is therefore granted copyright protection under § 2 para. 1 no. 6 UrhG. The publisher’s proprietary rights of use and exploitation of the game also include the sole authority to release the work in intangible form, e.g. on internet platforms accessible to third parties.

Recently, it has been discussed to grant the players of such games a “neighbouring right of the performing artist” pursuant to § 73 UrhG and give them the right to record and publicly release their performances, especially on internet platforms like YouTube.

However, there are rights of third parties on the copyright protected content of Let’s Play videos. Consequently, anyone publishing  such content online needs the rights owner’s consent. A legal exception to this requirement – similar to the fair use doctrine in US copyright law – does not exist in German law. Some voices refer to the “right of quotation” (§ 51 UrhG). This, however, does not apply, as a quotation – apart from scientific purposes – may only refer to extracts of a work and must serve the purpose of supporting or proving the creator’s own intellectual content. Only in very rare cases will the comments on game performances rise to a level that would permit considering the game content a supporting quotation of such commentary.

Publication permitted?

So what is the explanation for the amount of publicly accessible Let’s Play content in the World Wide Web? Did producers and/or players give their explicit consent for recording and publication?

Surprisingly, the answer is yes! At least some of them did. Most game producers abstain from proceedings, or even actively encourage production of Let’s Play videos, as the publication of game content comes with a significant advertising effect. The game is presented to a broad audience, target-oriented and above all at no charge. As a result, this is a very effective marketing measure for the producer (which also raises interesting questions of advertising law).

Therefore, various big computer game providers have indeed backed down, adjusted their Terms of Use and permit the non-commercial publication of Let’s Play content with prior consent. But beware: “non-commercial” means that even the monetization of YouTube videos with ads is technically forbidden.

Despite the partly generous position of the game producers, Let’s Play users are not entirely safe from trouble. In late 2013, a big purge swashed through YouTube’s repertoire, when YouTube selectively deleted all content of the players and also suspended various accounts. There was no consultation of game producers in advance. Thus, some producers now offer “declarations of tolerance”, in which they declare that they do not have any objections against the publication of video material or screen shots on YouTube, as long as these do not contain (otherwise) unlawful or explicit content. At the same time the producers emphasize that in case of deletion by YouTube, they will not intervene.

Legal Outlook

So, what does apply exactly? – It is hard to say. As long as there is no clarification by the courts, players uploading Let’s Play videos can be considered safeguarded, if they ask the producer for prior consent or declared tolerance before publishing one of their clips. It is also conceivable that courts will expand their legal position on Google image search thumbnails in this case. According to a 2010 ruling by the German Federal Court of Justice (the highest regular civil law court in Germany), the rights owner may not take action against the display of photographs as preview images in search engines, if an objective declaration of consent for the use by an image search engine can be taken from the right owner’s coherent action. A coherent action can already be assumed when the right owner presents his works to image search engines without further protection.

As long as computer game producers continue tolerating the publication of Let’s Play content and offer specific tolerance declarations, these objective declarations are close enough to a consent. ]]> http://spielerecht.de/lets-play-but-who-wins-the-copyright-battle/feed/ 0 Datenschutz in den USA: Ist COPPA ein Kinderspiel? http://spielerecht.de/datenschutz-in-den-usa-ist-coppa-ein-kinderspiel/ http://spielerecht.de/datenschutz-in-den-usa-ist-coppa-ein-kinderspiel/#comments Wed, 13 Aug 2014 06:48:34 +0000 http://spielerecht.de/?p=3338 Seit gut 15 Jahren regelt in den USA der Children’s Online Privacy Protection Act (COPPA) den Schutz personenbezogener Daten von Kindern unter 13 Jahren im Onlinesektor. Grundgedanke: Die Erziehungsberechtigten sollen über die Sammlung und Verarbeitung der Daten ihrer Kinder bestimmen. Das soll vor allem durch vorherige Einwilligung der Eltern erzielt werden.

COPPA gilt für kommerzielle Webseiten und Onlinedienste, einschließlich Apps und Online-Spiele, die sich gezielt an Kinder unter 13 Jahren richten und deren personenbezogenen Daten sammeln, verwenden, oder weitergeben. Ebenso erfasst sind Webseiten und Dienste, die sich zwar an ein altersunabhängiges Publikum wenden, aber deren Betreiber oder Entwickler Kenntnis davon haben, dass auch persönliche Daten von Kindern erfasst werden könnten. Auch wenn die Daten über Dritte erlangt werden, findet COPPA Anwendung. Relevant ist COPPA hierzulande dann, wenn sich Webseiten, Spiele oder Apps gezielt an Kinder in den USA richten oder wenn wissentlich auch persönliche Daten von US-amerikanischen Kindern erfasst und verarbeitet werden könnten.

Die Anforderungen, die COPPA an Betreiber und Entwickler stellt, entsprechen im Wesentlichen den Grundaussagen des deutschen bzw. europäischen Datenschutzrechtes: Neben einer klar und verständlich formulierten Datenschutzerklärung und umfangreichen Informationspflichten müssen die Daten zugänglich und löschbar sein. Sie dürfen nur solange gespeichert werden, wie sie zur Verfolgung des bewilligten Zwecks erforderlich sind. Der Umgang mit den Daten muss vertraulich, sicher und integer sein und darf nur insoweit durch Dritte erfolgen, wie die Einwilligung reicht und/oder die Weitergabe dem vor der Einwilligung bekanntgegebenen Vertragszweck entspricht.

Abweichend von der hiesigen Rechtslage bedarf es jedoch in den USA einer expliziten Verifizierung, dass die Erziehungsberechtigten der Erhebung der Daten ihrer Kinder zugestimmt haben, damit sichergestellt ist, dass der Einwilligende hierzu auch rechtlich befugt ist – in Deutschland ist ein solches Verfahren nicht ausdrücklich vorgeschrieben. Die Verifikation kann beispielsweise über die Angabe von Zahlungsdaten, also Kredit-, Debit- oder EC-Karte erfolgen. Bisher bedurfte eine gültige Verifikation auch eines Geldtransfers mit der angegebenen Karte. Die Handelsaufsichtsbehörde FTC hat diese Anforderungen ihren Angaben in den FAQ von Juli 2014 nach zwar gelockert, die Feststellung der Zahlungsinformationen allein reicht aber weiterhin nicht aus. Ein Geldtransfer ist allerdings dann nicht mehr zwingend erforderlich, wenn andere zusätzliche Sicherheitsmaßnahmen ergriffen werden, wie Sicherheitsfragen, die nur von den Erziehungsberechtigten beantwortet werden können. Seit Juli 2014 sollen App-Entwickler zudem auch mit Hilfe von Dritten – insbesondere App-Stores – die verifizierte Einwilligung einholen können. Der App-Store kann bei der Einholung der Einwilligung und deren Verifikation behilflich sein wenn versichert wird, dass die hierbei verwendete Methode “gut durchdacht” ist und nach dem aktuellen Stand der Technik sichergestellt werden kann, dass die Einwilligung auch tatsächlich von den Erziehungsberechtigten des Kindes erteilt wurde. Das soll laut FTC heißen, dass allein die Angabe eines App-Store-Accounts oder eines Passwortes ohne weitere Sicherheitsindizien keine ausreichende Verifikationsmethode ist. Weitere Sicherheitsindizien können beispielsweise Autorisierungsfragen sein, die auf spezifischer Kenntnis der Erziehungsberechtigten basieren oder ein staatlicher Identifikationsnachweis wie z.B. der Personalausweis. Noch eine weitere wichtige Neuerung bringen die aktuellen FAQ mit sich: App-Stores oder sonstige Plattformen, die Mechanismen für die verifizierte Einwilligung anbieten, sind nun nicht mehr verantwortlich für COPPA-Verstöße seitens der App-Entwickler. Allerdings warnt die FTC davor, dass die Plattformen sich aufgrund ihrer mangelnden Kenntnis über deren Datenschutzniveau explizit von den Inhalten der jeweiligen Apps distanzieren müssen, um eventuellen Haftungsrisiken wegen irreführender Handelspraktiken zu entgehen.

Die Kommission bemüht sich sichtlich um die Verbesserung der praktischen Durchsetzbarkeit von COPPA. Es ist ein Balanceakt, die technische Durchführbarkeit der Vorgaben trotz hohen Datenschutzniveaus zu gewährleisten, ohne Entwicklung und Innovation durch die Anforderungen und Sanktionen auszubremsen. Gerade Sanktionsmöglichkeiten können einschüchternde Wirkung entfalten: Verstöße gegen COPPA werden mit Bußgeldern von bis zu USD 16.000 bestraft und die Verteidigung im Rahmen eines Ermittlungsverfahrens kann auch dann zu fünf- bis sechsstelligen Kosten führen, wenn am Ende kein Verstoß angenommen wird. Aufgrund der hohen finanziellen Belastung – insbesondere auch für Startups –, der vielen offenen Detailfragen bei COPPA und der damit verbundenen Unklarheiten, wie COPPA genau umzusetzen ist, sollten sich Entwickler und Publisher von Apps, Games und Online-Services daher frühzeitig mit den Vorgaben befassen, um unangenehme Überraschungen zu vermeiden.

Wir danken unserer wissenschaftlichen Mitarbeiterin Leonie Schneider und unserer amerikanischen Praktikantin Lauren Snyder für die Mitwirkung an diesem Beitrag. ]]> http://spielerecht.de/datenschutz-in-den-usa-ist-coppa-ein-kinderspiel/feed/ 0