On 2 August 2011, the Higher Regional Court in Hamburg handed down a really remarkable judgment on the applicability of German data privacy rules. As a matter of fact, the court found that any publication of personal data on the Internet could be scrutinized under German data privacy rules if only the website is directed to and accessible in Germany.
In the case decided by the Hamburg judges, the defendant operated a weblog from outside of the European Union. The plaintiff found that the publication of his name and his former address that had been incorporated into a comment in this blog by a user would infringe his right to privacy and not be compliant with German data protection rules. Even though the court in the end denied an infringement and found the publication of his name and address to be permissible; it seems noteworthy that the judges affirmed the applicability of German data protection rules in the first place.
According to the court’s view, the publication of personal data on the Internet is tantamount to a communication of personal data within Germany in data privacy law terms. Thereby, it should be of no relevance whether the operator of the website (i.e. the data controller in respect of the “communication”) is neither situated within Germany or the EU nor uses any technical means—like servers or even communication lines—for data processing measures within Germany. The court recognized that the German rules might therefore go beyond the provisions in the directive 95/46/EC concerning applicability of data privacy rules. However, since this was just a matter of international applicability (i.e. towards non-EU member states), the court accepted this incompatibility. It remains to be seen whether other courts will also follow this route. It seems questionable whether the ruling is compliant with the European Court of Justice’s interpretation of international data transfers over the Internet in the Lindqvist judgement.
