Christian Wulff, a former German Federal President who resigned in February 2012, caught the attention of the public in May 2015 with his announcement that he was back together with his ex-wife Bettina Wulff. Following this, the press published a photograph of him pushing a cart at the parking lot of a supermarket next to his wife, Bettina Wulff. Mr. Wulff felt hurt in his right to privacy. He filed a lawsuit aiming to prohibit the publication of this private photo. In first and second instance Mr. Wulff was successful; the German Federal Court now overruled the previous decisions and decided that Mr. Wulff’s right to privacy were not infringed by the publication of the photo.

Legal Assessment

The German Constitution protects both individuals’ private sphere and the freedom of press. Moreover, the German Copyright Act for Art Work and Photography (“Kunsturhebergesetz”) stipulates that the press may publish photos where the depicted person has agreed with its publication (Section 22). Without such consent, publication is only allowed if the image refers to history, and where no legitimate interest of the depicted person is infringed (Sections 23(1) no. 1 and Section 23(2) of the same law). The German Federal Court thus had to decide between the principles of the German Constitution, and whether the legal conditions for the lawfulness of publication of the photo without consent of Mr. Wulff were fulfilled in the present case.

On 6 February 2018, the German Federal Court ruled that the publication of the photo is lawful. The image refers to a historic figure and could thus be published without his consent, pursuant to Section 23(1) no. 1 of the German Copyright Act for Art Work and Photography. The interest in Mr. Wullf’s person has not expired with his resignation in 2012, but instead, Mr. Wulff remains a public figure, still attends public events and is recognized in his position as a former Federal President of Germany. Moreover, no legitimate interest of Mr. Wulff exists in avoiding the publication of the photo. The picture was taken in a public space and is to be attributed to Mr. Wulff’s social sphere. It does not show Mr. Wulff in an unkind or private way, but would rather convey the image of a providing father.

Another key reason for the decision of the Federal Court was the fact that Mr. Wulff informed the public himself about his private and family life not only in the past but also in the present, which shows his content to having these issues publicly discussed. Furthermore, the journalistic worth of the article is the discussion about the distribution of roles between man and woman and especially between husband and wife, which is a discussion of public interest.


Once a show-off, forever prey of paparazzi? Can – or should – the past consent of famous people to public discussions about their private life lead to their every step being followed and photographed? Most people would probably tend to answer negatively. In the present case, however, Mr. Wulff was the one who released to the press very private news about his relationship with his wife. This was the trigger to the paparazzi, as considered by the Federal Court. The present decision sends a clear sign: there is already a general public interest in following public figures; their privacy is thus already limited when compared to other people that do not occupy public positions. If they show they are open to being on everyone’s tongue, they shall carry the consequences.

Businessmans crew working banking investment project modern office.Man holdingAn increasing number of financial institutions and fintech companies are coming together to create consortia or shared utility service providers that will identify, design, build and provide emerging technologies like blockchain and the possibility of using decentralized, distributed ledger technology that can be accessed and used by market participants to record information.

Rather than keeping its own record of numerous relevant events about a transaction each bank could instead, using blockchain technology, hold a copy of a ledger that is used to record this information according to a common standard, with every change in the information about a client, ownership to an asset traded or action performed between participants recorded in each copy of the ledger held by those participants. So the potential benefits of using blockchain to ensure that transactions are recorded accurately, that contracts are automatically performed according to their terms and that information about clients has been provided correctly by every market participant are clear. However, there are a number of challenges for any consortium trying to launch this technology to overcome.

Building a Consortium and Establishing the Benefits from Participating in it

Defining the objectives of the consortium and the role that each member will have in its success can be difficult to establish, with each participant often having different and competing interests. While some financial institutions will try to influence the consortium in that way so that the outcome will satisfy their particular standards and legal requirements, others may focus more on the potential financial return resulting from the successful exploitation of the technology. Still others may have joined to obtain a seat at the table. Service providers meanwhile may be interested in creating, marketing and launching the solution as quickly as possible in order to establish themselves as the preeminent players within the industry, to maximize the return on their investment and to expand their business into other areas with or without the partner banks. These differences can often create tension over the direction and operation of the consortium between members. To keep this system functioning properly it is very important to clearly define the rights and obligations of every participant in a memorandum of understanding executed at the start of the project.

Establishing Ownership and Exploitation of the Technology

Agreeing who will own and will be able to exploit the developed technology is critical to the success of any initiative. While the foundations of blockchain and similar technologies may be built on open source software which allows quick and free development, the project consortia will frequently require their members to contribute their own software, materials and know-how to the project, which may result in complex and thorough negotiations between the participants regarding the use of each other’s intellectual property. Otherwise consortium members risk losing control over their intellectual property, with rivals potentially able to use it to develop, monopolize and exploit the technology created from it, to the detriment of the contributing participant and others in the industry and the success of the initiative.

Understanding the Regulatory Environment in which the Technology will Operate

As banks and other financial institutions cannot outsource their responsibilities to regulators, the understanding of how new adapted technological solutions can be used in compliance with the laws and existing regulatory framework is crucial.

For example, while blockchain may allow financial institutions to share, validate and update information about the identities of the ultimate shareholders of common clients, it is important to protect privacy rights of individuals in different countries, such as the right to object to the distribution of information about them and the so called “right to be forgotten”. Similarly, although financial institutions may be willing to share information about the identity of its clients, a bank may not be able to accept any liability to other banks for any inaccuracies in the information it has provided, preventing those other banks from relying on it for anti-money laundering, client onboarding and other compliance purposes.

A Look Ahead

So while there are many potential benefits of using blockchain and other similar technologies in the financial services industry, there are also a number of strategic and legal challenges which the consortia developing them will need to overcome.

A version of this article was first published in Financial IT on 7 December 2016 –

Business conceptOn 7 November 2016, the Standing Committee of the National People’s Congress has formally passed China’s first comprehensive privacy and security regulation for cyberspace. Since the new Cyber Security Law (CSL) will come into effect on 1 June 2017, technology companies that are operating in or planning to expand to the Peoples Republic of China (PRC) are well advised to adapt their IT infrastructure and data architecture to the new law. Violations of the law may, at worst, lead to high fines, website shutdowns or license revocations. Some of the most significant changes brought about by the new law are briefly outlined below.

Who Is Affected and What Is New?

The CSL applies to operators of Critical Information Infrastructures (CIIs) and network operators. A network operator is defined as an operator of basic telecommunication networks, internet information service providers and key information systems. However, it is not clear which companies qualify as operators of CIIs. The exact definition of CIIs was left to the State Council of the PRC. So far, the Council has not given any specifications.

The new law includes several important and consumer protection provisions, but also some very controversial ones affecting technology companies.

Some provisions of the new law have aroused particular criticism. For example, instant messaging services and other companies qualifying as CIIs are only allowed to provide users with their full service if the users have registered under their real identities. In addition, CIIs are under an obligation to remove “prohibited content” from their service. In case of non-compliance with the latter requirement, CIIs are liable for a fine or worse. These requirements are believed to potentially restrict anonymity on the internet and to encourage self-censorship for online communication.

Under another controversial provision, companies are required to report to the relevant authorities any cyber security incident and vulnerabilities that they have experienced and to technically support and assist the authorities on national security matters and crime investigation. However, the nature and scope of the required technical support and assistance have not been defined. Thus, it is not clear whether the process might entail the provision of confidential information.

Among all the changes, the most significant change might be the so-called Data Localization Requirement. Under that provision, CIIs are required to store personal data and other important information within mainland China. However, it is not clear whether this provision only applies to personal data of Chinese citizens or to any personal data, including those of foreigners. In the first case, companies might be required to separate the personal data of Chinese citizens from the personal data of other individuals.

A Look Ahead

The CSL brings a lot of changes in the fight against cyber security threats. However, the law should be criticized for its lack of legal certainty, mostly resulting from overly broad formulated terms. As the CSL comes to effect in less than three months, technology companies are allowed little time to adapt to the new provisions. Compliance may in particular be of crucial importance for multinational companies with regard to the Data-Localization Requirement, as cross-border data transfer may be daily business. It remains to be seen whether the legal uncertainties will somehow be eliminated by the relevant authorities. Until then, affected companies need to be very cautious.


This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Cloud conceptOn 14 February 2017, the organization Cloud Infrastructure Services Providers in Europe (CISPE) issued a press release that a number of leading cloud computing vendors operating in Europe have declared compliance with the CISPE Data Protection Code of Conduct (the “Code”) for some or all their services. All cloud infrastructure services compliant with the Code requirements are listed on the CISPE Public Register. The providers of these services can display a certification mark on their websites to notify their customers of their services’ compliance with the Code.

CISPE said that the Code is supposed to guide customers in assessing whether cloud infrastructure services being offered by a particular provider are suitable for the data processing activities that they wish to perform. This includes, in particular, compliance with all EU data protection laws that are applicable and binding on them, including the EU Data Protection Directive and the General Data Protection Regulation (GDPR). The GDPR will come into effect on 25 May 2018. Cloud service providers adhering to the Code must, inter alia, give customers the choice to store and process their data entirely within the European Economic Area. They must also commit that they will not access or use their customers’ data for their “own purposes, including, in particular, for the purposes of data mining, profiling or direct marketing.”

In creating the Code, the CISPE acknowledged that there are a wide variety of cloud computing models and that data protection considerations vary based on the type of model a service provider uses. The Code focuses on Infrastructure-as-a-Service providers (IaaS) which host hardware, software, servers, storage and other infrastructure components on behalf of their customers. (Other categories of cloud computing services include Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS).)

The Code has yet to be approved by the European Commission or any national data protection supervisory authority for GDPR purposes.


This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Pokemon Go game in a hand. ZubatAccording to press reports, German car giant Volkswagen has banned its employees from using the wildly popular smartphone app Pokémon GO during work hours. Reportedly, the company cited impaired attention and distraction from work as the primary grounds for the prohibition, but data security and privacy issues are supposedly involved as well. Volkswagen has not yet made an official statement on the ban.

This app in particular and augmented reality in general pose many legal questions, especially, in the field of privacy law. The most pressing privacy issue with Pokémon GO seems to be the constant tracking of geolocation data. By agreeing to the Pokémon GO Privacy Policy, the user allows Niantic, the company behind the app, to track the user’s “device location […] and some of that location information, along with [the] user name” any time he or she uses the app.

The Concept of Augmented Reality

The app is based on the concept of “augmented reality,” meaning that the real world environment is “augmented” with virtual elements. The app relies on the users’ GPS location data and images taken by their smartphones’ camera devices to let them catch virtual Pokémon monsters on a map overlaying their real surroundings. The real world is used as the setting for the chase.

Data Protection and Privacy Concerns

All gathered data is processed at Niantic’s headquarters in San Francisco, California, United States. While, according to the privacy policy, “information that can be used to identify or recognize [the user]” will, in principle, not be shared, there are still concerns in the Pokémon community regarding the extent to which third parties can access that information. The users’ tracking data could provide information not only on their residency or workplace but also, for example, on their preferred mode of transportation, walking speed and frequency of smartphone use. This information could, by itself or in combination, be considered personal data.

The rules on the collection, use and disclosure of personal data differ among jurisdictions. For example, pursuant to section 3 para. 1 of the German Federal Data Protection Act, personal data is defined as “any information concerning the personal or material circumstances of an identified or identifiable individual.” Within the territory of application of that act, the collection, processing and use of personal data is only permissible in rare prescribed circumstances (see section 4) or with the consent of the data subject. The requirements might be significantly lower in other countries.


This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Mobile phone users.On 12 August 2016, the Cyberspace Administration of China (“CAC”), the General Administration of Quality Supervision, the Inspection and Quarantine of China (“GAQSIQ”), and the Standardisation Administration of China (“SAC”) jointly released Several Guidelines to Strengthen National Cybersecurity Standardisation (the “Guidelines”). Under the Guidelines, mandatory national standards will be introduced to regulate critical fields such as major information technology infrastructure and classified networks in an effort to harmonise the current divergent local practice.

The National Information Security Standardisation Technical Committee will be the agency solely responsible for the review, approval, and release of national cybersecurity standards. The Guidelines propose to enhance the role of cybersecurity standards in guiding industrial development by, inter alia, establishing a standard-sharing mechanism for major cybersecurity projects as well as by incorporating standard requirements into the evaluation criteria of such projects and setting up professional qualifications. The Guidelines also stress the importance of establishing essential standards such as the “Internet +” Action Plans, “Made in China 2025,” and “Action Plans for Big Data” for critical projects such as big data security and cybersecurity audits. Finally, the Guidelines call for China’s active participation in international standard-setting activities with the aim of elevating China’s influence at the international level. As a sign of commitment to this, China will selectively adopt international standards which are deemed to suit China’s own situation.

The release of the Guidelines, on the one hand, is consistent with the Chinese government’s intent to have a tighter grip over China’s Internet and networks. On the other hand, standards unification will likely improve the transparency of cybersecurity governance and the predictability of cybersecurity enforcement, a positive step as we are still waiting for the finalisation of the draft Cybersecurity Law. While the content of the national cybersecurity standards may be redolent of heavy “Chinese characteristics,” there is a glimmer of hope as China has now signalled a desire to be involved in international cybersecurity standards-setting.


This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

network cables connected to switchEfforts to coordinate and enhance cybersecurity across the European Union (“EU”) have taken a step forward with the publication on 19 July 2016 of the new Network and Information Security Directive (2016/1148/EU) (the “Directive”) in the Official Journal of the European Union. Member States will have until 9 May 2018 to transpose the Directive into their national laws.

The key objectives of the Directive are: (1) to introduce a set of minimum cybersecurity standards for network and information systems maintained by operators of essential services and digital service providers; (2) to ensure each Member State has in place strategies and resources relating to cybersecurity; and (3) to enhance cooperation amongst EU Member States for the prevention, detection and response to cyber-attacks. The Directive will have a direct impact on organisations that fall within the categories of “operators of essential services” and “digital service providers” both of which are given a particular meaning by the Directive.

Operators of Essential Services and Digital Service Providers

The Directive applies to operators of essential services and digital service providers. An operator of an essential service is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, the provision of which relies on network and information systems, and in respect of which a cyber incident would have a significant disruptive effect on the provision of the service. Digital service providers are defined as organisations providing online marketplaces, online search engines and/or cloud computing services.

Security and Notification Obligations

Since the impact of disruption to operators of essential services are potentially more serious for the social and/or economic activities of the EU, the Directive draws a distinction between operators of essential services and digital service providers, imposing less strict obligations on the latter. The Directive permits Member States to adopt measures to achieve higher security standards for operators of essential services but not digital service providers (subject to each Member State’s right to safeguard their essential state functions, for example national security).

Implementation and Enforcement

The Directive also takes a differentiated approach to enforcement against operators of essential services and digital service providers. As one of the recitals explains, digital service providers should be subject to a light-touch, “reactive” supervisory approach. Therefore competent authorities will take action, if necessary, if they receive evidence that a digital service provider has not met the requirements. In contrast, competent authorities will have the power to initiate assessments of the security measures applied by operators of essential services. They can request information and evidence of effective implementation of security measures, including the results of security audits. Binding instructions may be issued to remedy any deficiencies identified. It will be up to Member States to set appropriate penalties for any failure by either operators of essential services or digital service providers to comply with the national rules implementing the Directive.

Click here to read the full Mayer Brown Legal Update on the Network and Information Security Directive.


This article was originally published on AllAboutIP – Mayer Brown’s  blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

Alushta, Russia - November 3, 2014: Businessman holding a iPhone 6 Space Gray with application Stocks of Apple on the screen. iPhone 6 was created and developed by the Apple inc.In banking, open data, a common pool of customer data that can be freely used and redistributed by anyone, could provide a number of benefits to customers and could increase competition in banking in the UK as well as in other jurisdictions. For example, open data could be used to improve the ability to make effective decisions about the use and management of money, or enable comparison applications to make more detailed and accurate assessments of how customers can save money.

The Open Banking Working Group was formed in 2015 to develop a framework for the design of an open API standard in UK banking focusing on personal and business current accounts. This Group is made up of experts representing a wide range of private and public sectors which should provide a diverse range of views. It is thought that having an open standard and open data in the UK will help improve the innovation and competition in financial services. However, datasets that contain personal or commercially sensitive information are not covered by this initiative.

APIs, or application programming interfaces, allow different software applications to communicate with each other and exchange data directly, without the need for third party input each time. APIs can, inter alia, be used to enable financial technology firms to make use of customers’ bank data on their behalf and with their permission in innovative and helpful ways. For example, through external bank APIs customers can make use of applications on their smartphones which allow them to see clearly how much money they spend on food, and how their spending on food fluctuates through the course of a month or year. This initiative interacts with the trend of banks and financial institutions exploring new models for the delivery of relatively standard services required in their industry from a single, shared provider. We expect open data standards to gain greater exposure over the course of 2016.


Today’s cars include up to 100 electronic control units as well as numerous sensor networks and assistance systems. While these devices can improve the comfort and safety of the driver and passengers, they also can collect and store a great deal of information about the current driving pattern, geolocation, traffic or even weather conditions. Some data collected this way Continue Reading Data Privacy and Ownership – Who Owns Car-Generated Data?

unlock security lock on credit cards representing data encryption to prevent data theftThe final draft of the new European General Data Protection Regulation (GDPR) was agreed on 15 December 2015 and, once it has been approved by the European Parliament in early 2016, is expected to take effect by early 2018. This reform aims to update data protection law to address the challenges of the digital age while simultaneously protecting the rights of individuals and enabling businesses to utilise personal data in a more consistent manner across the European Union. The GDPR will be directly applicable in the same form in all EU Member States with the intention of reducing the burden on international organisations that, up until now, have had to vary their compliance to satisfy the particular data protection requirements of each Member State.

The key points to take away from the GDPR are as follows:

  1. International application of the GDPR
    European data protection law will now apply depending on the type of data processing being undertaken and not necessarily depending on where that processing is being carried out. In addition to data controllers (persons that determine the purposes for which personal data is processed) that are established in the European Union, data controllers located outside the EU that process personal data in relation to offering goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will be subject to the GDPR. Non-EU organisations will need to consider whether their activities are caught by the GDPR and whether they must appoint a European representative to take responsibility for their actions.
  2. Tougher sanctions
    The GDPR has substantially increased the maximum fine that may be imposed on organisations that breach EU data protection law. The maximum fines for a breach of the GDPR will be 4% of an enterprise’s worldwide turnover or €20 million, whichever is higher.
  3. Data breach notification obligations
    GDPR introduces an express obligation for controllers to notify breaches of security relating to personal data to the relevant data protection authority where the breach is likely to cause a degree of risk to the data subject. Data controllers must notify the authority without undue delay and where feasible within 72 hours of the breach. Where an authority has not been notified within 72 hours, a reasoned justification for the delay must also be given. Controllers must also communicate the fact that there has been a personal data breach to the data subject without undue delay where there is a high risk to the individual’s rights and freedoms. Data processors (persons that process personal data on a data controller’s behalf) must notify the relevant data controller of a security breach without undue delay. Policies of controllers and processors that relate to responding to security breaches will need to be amended and tested ahead of the implementation of the GDPR.
  4. Liability for data processors
    Data processors will have direct obligations to comply with the GDPR under certain circumstances and data protection authorities may take action against them for breaching the GDPR. Processors will be held accountable for their own level of appropriate security and must document their processing to the same extent required by controllers under the GDPR. Processors must obtain the prior consent of the controller to employ sub-processors, while controllers must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR. Data controllers will need to amend their contracts with processors (typically service providers) to address the shift in the processors’ responsibilities.
  5. Privacy by design
    GDPR introduces the concept of ‘privacy by design’, whereby appropriate levels of security are built-in to an organisation’s data processing procedure. Data controllers are required to take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when personal data is being processed. The controller must take into account the cost of implementing the required technical and organisational measures. Controllers need to consider the risks posed to individuals by the processing instead of setting precise benchmarks for compliance, and make suggestions about how to minimise risk, for example using anonymisation or pseudonymisation.
  6. Stricter governance
    Data controllers will be required to undertake impact assessments for higher risk processing. These assessments would generally include an evaluation of the risk posed to the data subject as well as the measures envisaged to address the risk. The data controllers and data processors will need to appoint a data protection officer to carry out relevant assessments of an organisation’s data processing in certain circumstances.
  7. Strengthening of data subjects’ rights
    An individual will have the right to have their personal data removed from a controller or processor’s system or online content (the ‘right to be forgotten’). Controllers will need to judge whether freedom of expression and information prevails over the protection of personal data. Individuals will also have the right not to be subject to automated data profiling (where this would produce a ‘legal effect’). An individual will also have the right to be given a copy of the personal data relating to them by a data controller in a commonly used format and to have that information transmitted to another data controller without hindrance (the ‘right to data portability’).