MediaLaws Archives - IPOsgoode /osgoode/iposgoode/category/medialaws-2/ An Authoritive Leader in IP Wed, 22 Jun 2022 16:00:00 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 Regulating Netflix, YouTube, and TikTok: Reactions to Bill C-11 /osgoode/iposgoode/2022/06/22/regulating-netflix-youtube-and-tiktok-reactions-to-bill-c-11/ Wed, 22 Jun 2022 16:00:00 +0000 https://www.iposgoode.ca/?p=39724 The post Regulating Netflix, YouTube, and TikTok: Reactions to Bill C-11 appeared first on IPOsgoode.

]]>

HeadshotEmily Chow is anÌęIPilogueÌęWriter and a 2L JD Candidate at Osgoode Hall Law School.


In the age of streaming, social media, and subscription-based entertainment platforms, critics have called for amendments to Canada's , which was last updated in 1991 – long before the internet we know today materialized. On February 2, 2022, Minister of Canadian Heritage Pablo Rodriguez , proposing sweeping changes to Canadian broadcasting regulation and policy directives. Referred to as the Online Streaming Act, this proposed legislation purports, among other things, to uplift and amplify Canadian creators by regulating online streaming services such as YouTube, Disney+, Amazon Prime Video, and Netflix.

Its predecessor, Bill C-10, was passed by the House of Commons but was unable to secure Senate approval before the dissolution of Parliament in 2021. Like Bill C-10, the proposed Online Streaming Act seeks to bring unregulated digital media platforms within the mandate of the Canadian Radio-television and Telecommunications Commission (CRTC). Currently, these foreign-based platforms operate outside the regulation of the CRTC as distinct from traditional TV/radio broadcasts, and thus are not required to invest significant resources in Canada's domestic creative industries. The Canadian broadcasting, film and television production sectors are substantial players in the Canadian economy, accounting for approximately $14 billion to Canada's GDP in 2019 and predicted to rise in the coming years. According to a poll cited by the Canadian Media Producers Association (CMPA),

The Online Streaming Act coins the concept of an "online undertaking," broadly defined as "an undertaking for the transmission and retransmission of programs over the internet," giving the CRTC wide discretion in determining what is considered a "program" under its framework. Furthermore, the CRTC would be empowered with the ability to order and impose conditions upon online services to advance various policy objectives, including promoting Indigenous and racialized community-produced content. Ìę

Reactions to the proposed legislation have been mixed. The CMPA, which represents over 600 independent production companies across Canada, have launched a They argue that the Online Streaming Act will redirect some of the streaming giants' profits back into Canada's creative sectors and make it easier for Canadian audiences to access Canadian and Indigenous content outside platform algorithms. Jennifer Brown, CEO of the Society of Composers, Authors and Music Publishers of Canada (SOCAN) told The Globe and Mail that she thinks .

Others are concerned with how the proposed amendments would affect user-generated content and individual rights to curate one's own media feed. Ramneet Bhullar from OpenMedia.org takes issue with , arguing that the threshold of "Canadian"-ness is inherently problematic and that the CRTC's expanded powers will only amplify "officially recognized content", rather than the content individual consumers want to see.

YouTube also spoke to CTV News, Youtube noted that arbitrarily promoting Canadian content could skew their algorithms. These algorithms take into account whether a video has been watched, ignored or turned off part way, thus affecting how the content is promoted.

Michael Geist, a law professor from the University of Ottawa that he believes “the starting point in the bill is that all audio-visual services anywhere in the world with some Canadian users or subscribers are subject to the Canadian jurisdiction and it will fall to the Commission to establish thresholds exempting some services from regulation. However, even with some exemptions, the Canadian approach will require registration and data disclosures, likely leading many services to block Canada altogether, reducing choice and increasing consumer cost.”

is currently at consideration in committee at the House of Commons, having completed its second reading as of May 12, 2022.

Further Reading:

Bill C-11 in its entirety:

CMPA's Campaign to pass the Online Streaming Act:

Global News: What’s a Canadian Film?

The post Regulating Netflix, YouTube, and TikTok: Reactions to Bill C-11 appeared first on IPOsgoode.

]]>
The Secret’s Out: US Court dismisses ±Ê°ùŽÇłÙéȔé Biomedical’s Trade Secret Lawsuit Again /osgoode/iposgoode/2022/05/17/the-secrets-out-us-court-dismisses-protege-biomedicals-trade-secret-lawsuit-again/ Tue, 17 May 2022 16:00:00 +0000 https://www.iposgoode.ca/?p=39587 The post The Secret’s Out: US Court dismisses ±Ê°ùŽÇłÙéȔé Biomedical’s Trade Secret Lawsuit Again appeared first on IPOsgoode.

]]>

Meena AlnajarMeena Alnajar is an IPilogue Senior Editor, IP Innovation Clinic Fellow, and a 2L JD Candidate at Osgoode Hall Law School.


It may be no secret that trade secrets contribute to a business’ economic value and confer a ‘competitive edge.’ However, when that secret is lost by insiders who had a duty of confidence, how can the law step in to help? On , biomedical company ±Ê°ùŽÇłÙéȔé Biomedical LLC (“±Ê°ùŽÇłÙĂ©Č”Ă©â€) received no recourse or remedy for a revealed trade secret. ±Ê°ùŽÇłÙéȔé failed to persuade the US Court of Appeals for the Eighth Circuit to revive a trade secrets against the consultant it had hired to find a buyer.

Trade secrets, unlike other intellectual property rights, are not registered nor publicly disclosed. Trade secrets require such as: value (economic/industrial), that it is kept secret, and that there are reasonable measures in place to keep it confidential. Once disclosed, the trade secret loses its necessary quality of confidence that makes it confidential and valuable to a business. Therefore, the most important element of a trade secret is that it is kept secret.

A of US trade secret litigation demonstrated that, in satisfying the court that ‘reasonable measures’ were taken, confidentiality agreements like non-disclosure agreements (“NDAs”) are most often a determining factor. NDAs are particularly useful where a company must disclose its trade secrets to fellow employees, which was the case for ±Ê°ùŽÇłÙéȔé.

In 2017, ±Ê°ùŽÇłÙéȔé, a biomedical company focused on blood-clotting products, entered into an agreement with the consulting firm to find a buyer. Duff & Phelps then contacted , a Managing Director at a private equity firm and a board member at Z-Medica, another medical company in the blood-clotting products space. Both Schillinger and Duff & Phelps (on behalf of ±Ê°ùŽÇłÙéȔé) entered into an NDA. During a for the potential deal between Z-Medica and ±Ê°ùŽÇłÙéȔé, ±Ê°ùŽÇłÙéȔé some confidential information regarding its products to Schillinger, who then revealed the information to Z-Medica. Z-Medica then applied for a continuation of a that allegedly contained ±Ê°ùŽÇłÙéȔé’s confidential information and pulled out of a potential deal.

±Ê°ùŽÇłÙéȔé sued Z-Medica, alleging that it stole trade secrets and violated NDAs. The parties there settled, but ±Ê°ùŽÇłÙéȔé subsequently sued their consulting firm, Duff & Phelps, for breaching their contract in failing to prevent ±Ê°ùŽÇłÙéȔé from disclosing its trade secrets. This suit was first dismissed by a court. On appeal, the Court held that their contract only required Duff & Phelps to be responsible for its . , on behalf of his private equity firm, signed the NDA, making him not liable for Z-Medica’s conduct and use of the trade secret. The Court found that disclosed its own secrets to Schillinger, so ±Ê°ùŽÇłÙéȔé is responsible for revealing its own secrets. It is a classic case of claim construction and ambiguity in contractual agreements. This case serves as a reminder that when you ask someone to keep a secret, be very specific about whom you are asking, what the secrets are, and from whom they should be kept.Ìę

While trade secrets are valuable and protected by law, if the company itself is disclosing that information and is not careful to track who is not obligated to keep it a secret, then the company has not taken reasonable measures to keep it confidential. If a business does not act to protect trade secrets, courts may not help either.

The post The Secret’s Out: US Court dismisses ±Ê°ùŽÇłÙéȔé Biomedical’s Trade Secret Lawsuit Again appeared first on IPOsgoode.

]]>
Facebook and Whatsapp Fined for Breaching EU Law and Deceiving Consumers /osgoode/iposgoode/2017/06/02/facebook-and-whatsapp-fined-for-breaching-eu-law-and-deceiving-consumers/ Fri, 02 Jun 2017 17:53:12 +0000 http://www.iposgoode.ca/?p=30673 The re-posting of this comment is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. On 18 May 2017, the European Commission fined €110 million Facebook for providing misleading information during the 2014 takeover of WhatsApp in case COMP/M.7217. Calling it a “proportionate and deterrent fine”, the […]

The post Facebook and Whatsapp Fined for Breaching EU Law and Deceiving Consumers appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media in a Comparative Perspective.

On 18 May 2017, the European Commission fined €110 million Facebook for providing misleading information during the 2014 takeover of WhatsApp in case . Calling it a “proportionate and deterrent fine”, the Commission established that Facebook infringed the procedural obligations laid down by the EU Merger Regulation.

Most notably, this decision follows the 2016 WhatsApp terms of service and privacy update, which included the automatic linking of WhatsApp users’ data with Facebook users’ identities for advertising and marketing purposes. When Facebook notified the acquisition of WhatsApp to the Commission in 2014 under the EU Merger Regulation, which requires undertakings to provide correct information to allow a timely and effective review of the merger process, it ensured an automated matching between Facebook and WhatsApp users could not be established.

However, the Commission’s scrutiny revealed that the technical possibility of matching users’ profiles between the two platforms, which was made effective in 2016 after the terms of use update, already existed in 2014 but had not been communicated to the Commission at the time of the merger.

Although it could impose a fine of up to 1% of the company’s aggregated turnover (it could have amounted to more than €250 million), the European Commission’s assessment was mitigated by Facebook’s cooperation during the investigation proceedings, where the company acknowledged its infringement and convinced the authority to reduce the amount of the penalty. The EU’s competition watchdog concluded that Facebook negligently provided incorrect information, but the gravity of these infringements would not affect the Commission’s clearance decision regarding the WhatsApp acquisition of 2014.

The 2016 WhatsApp terms of use update has also drawn the attention of the Italian Competition Authority (ICA), which on 11 May 2017 has imposed a penalty of €3 million on WhatsApp for infringing consumers’ rights (see ICA decision Ìę).

First, the company was fined for undermining Article 20 of the Italian Consumer Code, most notably for infringing the ban on unfair business practices. According to the ICA, WhatsApp led users to believe they could use WhatsApp Messenger only if they accepted in full the new terms of use, including the provision of sharing users’ data with its parent company Facebook.

However, those who were already users at the time of the update could partially accept the new terms of use and still be able to use the application, but – according to the ICA – the existence of such an option had not been sufficiently represented.

On 11 May 2017, the ICA concluded a second investigation concerning the unfair nature of some contractual clauses of the WhatsApp terms of use, which were assessed as illicit since they caused a significant imbalance into consumers’ rights and obligations arising from the contract in breach of Article 33 of the Italian Consumers Code (see ICA decision ).

These clauses included inter alia a general limitation of WhatsApp liability, as well as the possibility for the company to unilaterally interrupt the service without notice, the right to introduce changes of economic nature to the terms of use without reason and the application of the Law of California.

WhatsApp has now 60 days for filing an appeal against the two ICA decisions before the Administrative Court of Lazio.

 

The post Facebook and Whatsapp Fined for Breaching EU Law and Deceiving Consumers appeared first on IPOsgoode.

]]>
Towards an EU-wide strategy on Fintech /osgoode/iposgoode/2017/04/19/towards-an-eu-wide-strategy-on-fintech/ Wed, 19 Apr 2017 16:24:01 +0000 http://www.iposgoode.ca/?p=30580 The re-posting of this article is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. On March 23 the European Commission organized a conference devoted to institutions, regulators, professionals and scholars from all EuropeÌę on ‘#FinTechEU – Is EU regulation fit for new financial technologies?’. The conference […]

The post Towards an EU-wide strategy on Fintech appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media in a Comparative Perspective.

On March 23 the European Commission organized a conference devoted to institutions, regulators, professionals and scholars from all EuropeÌę on .

The conference was also the occasion for the Commission to announce an .ÌęÌę The existing EU legislative framework on financial services for consumers is considerable and therefore the Commission does not foresee the adoption of fresh legislation. The innovations in the retail financial services determined by the burst of Fintech require instead to enforce and adapt the existing applicable rules to the new technological scenario. Online payments, robo-advisory, P2P lending and virtual coins are only some examples of such disruption which proposes new legal challenges at all levels.

The Action Plan focuses on two main issues:

  1. cross-border provision of services across the EU single market, by enhancing the eIDAS regulation infrastructure (which enables consumers to be recognized via an electronic identification system) on one hand and, on the other, by introducing common creditworthiness assessment standards;
  2. consumer protection and in particular pre-contractual disclosure requirements in light of the new technologic environment.

In the context of the Action plan, the Commission launched a public consultation on ‘Fintech: a more competitive and innovative European financial sector’ (is the consultation document) to collect the stakeholders’ views on the following policy objectives that according to the Commission constitute the main opportunities, and the relevant challenges, related to Fintech:

  • fostering access to financial services for consumers and businesses;
  • reducing operating costs and increase the efficiency of services;
  • improving market competitiveness by removing or lowering entry barriers;
  • finding an appropriate balance among data sharing, transparency, security and privacy needs.

Based on the and the work of the EU Fintech task force, the Commission will propose an European strategy for FinTech, to develop and improve the most promising sector in financial services area.

The UE Commission’s interest in Fintech as a new frontier of financial services is meaningful. Also, it should be stressed that the Commission decided to focus on the characteristic areas of the European action, such as creation of an integrated internal market and consumer protection.Ìę To this purpose the consultation document is particularly interesting as it presents the main challenges raised by the innovations in the financial services.Ìę From the use of AI and big data analytics for automated financial advice and execution, to the use of sensor data for risk evaluation in the Insurtech sector, to the Regtech impact on compliance costs, to the use of DLT in financial services, to the regulatory barriers for new market entrants, etc.

According to the Commission the EU policies on Fintech should be:

  1. Technology neutral – to ensure that the same activity is subject to the same regulation;
  2. Proportional;
  3. Integrity-enhancing with a focus on market transparency to the benefit of consumers and businesses.

In the above depicted scenario, consumers’ protection appears to be particularly challenging. An example is the pre-contractual information allowing consumers to make well-informed choices. In this respect, the spread of online services determines a growing need of simplicity in the access of information.

This aspect, however, will certainly require adapting the existing rules.Ìę An example of this issue is the robo-advisory, where the traditional information asymmetries are combined with significant technological information asymmetries. Do the consumer have to be informed, for instance, about the characteristics of the robo-advisor’s algorithm? How detailed should be consumer information, considering the great influence that the calculation power might have on investment choices?

A first answer to the above questions may be found in the and addressing the issue of disclosure. These guidelines, amended where necessary, might be a model for one of the action of the announced EU Fintech strategy.

The post Towards an EU-wide strategy on Fintech appeared first on IPOsgoode.

]]>
4th Circuit Appeals Court Rules No Warrant Needed for Suspects’ Cell-Site Location Data /osgoode/iposgoode/2016/07/19/4th-circuit-appeals-court-rules-no-warrant-needed-for-suspects-cell-site-location-data/ Tue, 19 Jul 2016 19:36:28 +0000 http://www.iposgoode.ca/?p=29464 The re-posting of this article is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. On May 31, the U.S. Court of Appeals, 4th Circuit, in a 12-3 decisionÌęruledÌęthat a warrant is not needed to obtain suspects’ cell-site location information held by carriers, meaning that a court […]

The post 4th Circuit Appeals Court Rules No Warrant Needed for Suspects’ Cell-Site Location Data appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media in a Comparative Perspective.

On May 31, the U.S. Court of Appeals, 4th Circuit, in a 12-3 decisionÌęÌęthat a warrant is not needed to obtain suspects’ cell-site location information held by carriers, meaning that a court order, which – unlike a search warrant – does not require to show the court probable cause that a crime has been committed, is sufficient for this.

The 4th Circuit overturned a previous three-judge panel’s decision, which held that the government’s warrantless procurement of CSLI was a unreasonable search in violation of the Fourth Amendment and that defendants had a legitimate privacy expectation in that data.

This Supreme Court still has the final word if the decision is appealed (as it likely will be). This case, which ensued in the wake of other precedents on cell-phone and GPS tracking, is of particular interest for the debate around digital privacy and the future development of surveillance law.

 

Facts

The ruling concerns a series of armed robberies of several business establishments located in Maryland in 2011. The government obtained two court orders for disclosure of CSLI for calls and text messages transmitted to and from the phones of two suspects, which eventually led to their conviction. The agents obtained from the cell phone provider information over 221 days that included roughly 29,000 location-identifying data points for each defendant, which placed them in the vicinity of the robberies when they occurred.

Defendants filed a motion to suppress use of the CSLI at trial, arguing that the length of time and extent of the CSLI monitoring conducted by the government without a warrant, intruded on defendants’ expectation of privacy and was therefore in violation of their Fourth Amendment rights.

The Fourth Amendment of the U.S. Constitution provides that “[T]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized.”

District court held that government needed no warrant to obtain CSLI; therefore, government had not violated defendants’ Fourth Amendment rights

The district court denied the defendants’ motion, holding that the government’s conduct was not an unreasonable search: the court relied on the Supreme Court’s third-party doctrine, according to which individuals have no legitimate expectation of privacy in information voluntarily turned over to third parties (, 442 U.S. 735, 1979). Under this legal theory, the U.S. government can obtain from third parties information voluntarily conveyed by individuals without a warrant, since this information is beyond the reach of the Fourth Amendment prohibition against search and seizure without probable cause and a judicial search warrant.

According to the district court, since defendants voluntarily transmitted signals to cellular towers in order for their calls to be connected, the third-party doctrine applied. U.S. courts have relied on this doctrine for a broad range of scenarios, from financial records and dialed telephone numbers to card statements, employment records and internet subscriber information.

4th Circuit’s panel reversed the district court’s ruling and found government’s data acquisition in breach of Fourth Amendment

The U.S. Court of Appeals, 4th Circuit, reversed the district court’s ruling –ÌęUnited States v. Graham, 796 F. 3d 332 (4th Cir. 2015). The court began by acknowledging that the government conducts a search under the Fourth Amendment when it obtains and inspects a cell-phone user’s historical CSLI for an extended period of time.

The court then held that examination of a person’s historical CSLI can enable the government to trace the movements of the cell phone and its user across public and private spaces and thereby discover the user’s private activities and personal habits.

Therefore, mobile phone users have an objectively reasonable expectation of privacy in this information and its inspection by the government requires a warrant.

The court concluded that government’s warrantless procurement of CSLI violated the Fourth Amendment’s guarantee against unreasonable searches and seizures (although the court also acknowledged that the government acted in good faith in doing so, therefore it declined to suppress the evidence). In the court’s words, “The fact that a provider captures this information in its account records, without the subscriber’s involvement, does not extinguish the subscriber’s reasonable expectation of privacy.

Applying the third-party doctrine in this context would simply permit the government to convert an individual’s cell phone into a tracking device by examining the massive bank of location information retained by her service provider, and to do so without probable cause.”

4th CircuitÌęEn BancÌęfound that government did not breach the Fourth Amendment since users voluntarily disclosed CSLI under third-party doctrine

Now, the full panel of the U.S. Court of Appeals reversed the three-judge panel’s decision by holding that the government’s warrantless acquisition of historical CSLI from defendant’s cell-phone provider did not breach the Fourth Amendment.

First, the court contends that the government’s acquisition of this data constituted a Fourth Amendment “search”. Defendants had no reasonable expectation of privacy under the third-party doctrine since the government obtained the CSLI records from a third party (i.e. the carrier), which, in turn, collected this information in the course of its business activity and did not obtain this data through a direct surveillance of defendants.

In this respect, the court relies on the Supreme Court’s precedents that applied the third-party doctrine, recalling that the Fourth Amendment does not protect information voluntarily disclosed to a third party because even a subjective expectation of privacy in such information is “not one that society is prepared to recognize as ‘reasonable’”(, 442 U.S. 735). More recently, the 6th Circuit of the Court of Appeals held that a warrantless acquisition of cell-phone location data did not breach the Fourth Amendment (United States v. Carpenter, April 13, 2016).

The court notes that defendants “exposed” the information at issue to the phone carrier, which used it to route defendants’ cell-phone calls and texts. By doing so, they could not expect the phone carrier to keep that information secret and “assumed the risk” that it would disclose their information to the government.

The court hastened to add that the Supreme Court may in future limit, or even eliminate, the third-party doctrine, and that Congress may require a warrant for CSLI.

However, it concluded that current legislation and established precedents weigh in the government’s favor.

Dissenting Judge Wynn deems that government’s warrantless search breached Fourth Amendment

Dissenting Judge Wynn highlights many of the majority’s shortcomings. First, he disagrees that CSLI is beyond the Fourth Amendment’s reach since it would be “voluntarily conveyed” by users to phone carriers under to the third-party doctrine.

According to Judge Wynn, the Supreme Court’s precedents suggest that “voluntary conveyance” means that defendant (i) knew he was communicating particular information, and (ii) acted to submit the particular information he knew. For example, when users type a form providing their details to a service provider to secure internet access, they have knowledge of the typed information and affirmatively act to communicate it.

Judge Wynn reasons that CSLI is different from other data because it is not voluntarily disclosed by phone users, who likely are unaware that they are providing this information and do not know which cell-phone tower their call will be routed through. They also do not generally act to disclose this information – for example, CSLI is generated when a phone receives a call, even if the user does not answer.

Judge Wynn concludes that by acquiring large amounts of CSLI to trace defendants’ long-term movements the government infringed defendants’ reasonable expectation of privacy and thereby engaged in a search. Because the search was warrantless, the government breached the Fourth Amendment.

 

Next

The decision can still be appealed to the Supreme Court, which will have the task to clarify whether the 1970s third-party doctrine is still fit for a time where individuals reveal large quantities of information about themselves, sometimes without being aware of this.

For example, “Internet of Things” technologies (e.g., wearable devices, home automation, connected toys) may reveal many aspects of an individual’s private life – habits, behaviors and preferences, religious or political beliefs, sexual orientation, driving habits, whether they are at home or not, etc.

Yet this extensive information may represent a valuable resource for law enforcement authorities to prevent and detect crimes or other wrongdoings. The debate around the appropriate balance between privacy and public security is certainly set to continue, with the possible review of the 4th Circuit’s decision in the Supreme Court, the Microsoft Ireland email privacy case pending (where the company is challenging a U.S. government search warrant seeking access to customers’ emails in a data center located in Ireland) and the ongoing EU-U.S. Privacy Shield negotiations.

 

This article was first published on the IAPP’sÌęÌęČú±ôŽÇČ”

The post 4th Circuit Appeals Court Rules No Warrant Needed for Suspects’ Cell-Site Location Data appeared first on IPOsgoode.

]]>
Compliance with EU Data Protection Regulation /osgoode/iposgoode/2016/05/04/compliance-with-eu-data-protection-regulation/ Wed, 04 May 2016 14:47:24 +0000 http://www.iposgoode.ca/?p=29173 The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. Introduction By means of an innovative and modern directive (Directive 95/46/EC – the “Data Protection Directive”), in 1995, the European Community adopted its first data protection legislation aimed at providing common legal […]

The post Compliance with EU Data Protection Regulation appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media in a Comparative Perspective.

Introduction

By means of an innovative and modern directive (Directive 95/46/EC – the “Data Protection Directive”), in 1995, the European Community adopted its first data protection legislation aimed at providing common legal principles (to be implemented by European Union (“EU”) Member States by means of national legislation) to protect personal data and to align the bases of Member States’ provisions in respect to privacy and data protection.

However, the Data Protection Directive was adopted when the Internet was not widely used. The Internet technology has advanced in recent years and has posed new challenges to the protection of individuals’ data. The accelerating take-up of social networking, user-generated content platforms, mobile apps, cloud computing, location-based services, the “Internet of Things” (i.e. the ability of everyday objects to connect to the Internet and to send and receive data, e.g. wearables devices, home automation, etc.) and the growing globalization of data flows have significantly increased the risk for individuals to lose control on their own personal data.

Further, one of the main recurrent complaints about the Data Protection Directive is the lack of actual harmonization, which led to a certain fragmentation in the way personal data protection has been implemented across EU Member States. This resulted in additional costs and administrative burdens for operators as well as widespread uncertainty. This is particularly true for data controllers established in several Member States, who should comply with the requirements and practices in each of the countries where they are established. Guidance provided by the Article 29 Data Protection Working Party, an independent advisory body to the EU Commission set up under Article 29 of the Data Protection Directive (the “Working Party 29”), on several data protection issues certainly contributed to harmonization of data protection principles at EU level, although the Working Party 29’s opinions are not binding.

A uniform and coherent application of the data protection rules among the European countries is fundamental, in light of the proposed creation of the .

Seventeen years after, on January 25, 2012, the EU Commission proposed a new uniform legislation on privacy and data protection in Europe, by means of a General Data Protection Regulation (the “Regulation”) which, once adopted, would be directly applicable in all Member States without the need for national legislation. The Regulation comes together with a proposed directive 5833/12 on the processing of personal data with the purpose to prevent, investigate or prosecute crimes or to adopt criminal sanctions, intended to replace the 2008 Data Protection Framework Decision (see Article 29 Data Protection Working Party’s no. 1/2013, of February 26, 2013, providing further input into the discussions on the draft Police and Criminal Justice Data Protection Directive).

Henceforth, the European legislators have been discussing on the new proposals and on March 12, 2014 the European Parliament adopted its on the Regulation, proposing amendments aimed at enhancing the guarantees on data protection, in respect to the text approved by the EU Commission.

On June 11, 2015, the EU Council (the “Council”) approved its and the discussion among the three organisms (the so-called ‘trilogue’) has officially , with the purpose to reach an agreement and to finalize the approval of the Regulation and the attached directive before the end of 2015.

This article focuses on some of the most groundbreaking provisions of the proposed Regulation which are expected to be a major concerns for in-house counsel, in particular those advising businesses with multi-jurisdictional operations. The Regulation also introduces new provisions that, amongst others, would: (i) make international data transfers easier; (ii) decrease the requirements and the costs of dealing with more than one Privacy Authority with differing rules (so-called “one-stop shop”); (iii) implement specific provisions on the so-called “right to be forgotten,” as interpreted by the European Court of Justice in the Google Spain case (European Court of Justice, decision of May 13, 2014, case C-131/12); (iv) provide for more effective sanctions and penalties to data controllers and data processors.

 

Territorial Scope of the Regulation

One of the major changes to be brought by the Regulation concerns the territorial scope of the EU data protection laws.

Today, Article 4 of the Data Protection Directive contains the rules governing its territorial scope and jurisdictional reach. According to this provision, the EU rules apply to personal data processing:

  • where the processing is carried out in the context of the activities of an “establishment” of the data controller in the territory of the Member State. If the same controller is established in more than one Member State (e.g., by means of subsidiaries), the controller must take the necessary steps to ensure that each of these establishments complies with the obligations laid out by the applicable national law. Security measures depend on the location of a possible processor, as provided in Article 17, paragraph 3 of the Directive; and
  • where a controller not established in the EU, for purposes of processing personal data, makes use of “equipment,” automated or otherwise, located on the territory of that Member State, unless such equipment is used only for purposes of transit through the territory of the EU.

Article 3, paragraph 1, of the Regulation, as recently amended by the Council based on the Parliament’s position, would still keep the “establishment criterion” mentioned above for the applicability of its provisions to controllers or processors established in the European Union. In addition to that, however, the Regulation would expand the “use of equipment” criterion currently provided by the European data protection law by making data controllers established outside the EU, but “targeting” EU residents, subject to EU data protection obligations.

Indeed, the Regulation would be applicable whether the processing of personal data concerns:

  • the offer of goods or the provision of services to residents in the EU, even where no payment is required (e.g. “free” services, where individuals in fact pay for the service by providing their personal data);
  • the monitoring of data subjects’ behavior within the EU. In order to determine whether a processing activity can be considered to ‘monitor the behavior’ of data subjects, it should be ascertained whether individuals are tracked on the Internet with data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes (see Recital 21 of the Regulation, in the text approved by the Council on June 11, 2015).

Because of its potential broad reach, the new criterion poses challenges for businesses directing their activity to the EU and also gives rise to questions on how the Regulation’s requirements can be readily enforced outside the EU.

It is worth mentioning that the Council uses different wording from the position adopted by the Parliament: in fact, the latter proposed that controllers, and even processors not residing in the EU, would be subject to the provisions of the Regulation. In its regarding the proposed regulation, the Working Party 29 stressed the fact that the Regulation should also cover non-EU processors, in order to provide for a legal liability for these subjects.

 

Automated Data Processing and Profiling

Generally speaking, “profiling” enables an individual personality or aspects of his or her personality – especially behavior, interests and habits – to be determined, analyzed and predicted. “Profiling” of individuals is increasingly used by companies to offer personalized and targeted services (e.g., discounts, special offers and targeted advertisements based on the customer’s profile).

The Data Protection Directive does not contain any specific provision on “profiling”, but it includes a general provision concerning “automated individual decisions” in Article 15, which grants to data subjects the right not to be subject to a decision which “produces legal effects” concerning him or “significantly affects” him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. An automated decision by a bank not to grant credit may fall within the aforementioned provision.
Automated decisions can, however be made in certain cases, notably in the course of entering into or performance of a contract, provided that data subject’s legitimate interests are protected, e.g. by taking arrangements allowing him to express his point of view, or as otherwise provided by the law.

This provision has sometimes been implemented across EU Member States in different ways. It is worth mentioning Italy, where the prohibition to make decisions involving the assessment of a person’s conduct based solely on the automated processing of personal data aimed at defining the data subject’s profile or personality is limited to measures or act taken by judicial or administrative authorities (see article 14 of Legislative Decree of June 30, 2003, no. 196 – the Italian Data Protection Code).

The Regulation builds on Article 15 of the Data Protection Directive and on the Council of Europe’s Recommendation on profiling of November 23, 2010 and it specifically addresses “profiling” of data subjects.

Article 4 of the Regulation defines “profiling” as “any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behavior, location or movements”.

The main provision on profiling is Article 20 of the Regulation (“Automated individual decision making”), which, similar to the Data Protection Directive, grants to the data subject the right not to be subject to a decision based solely on automated processing (like automatic refusal of an online credit application or e-recruiting practices without any human intervention – see Recital 58 of the Regulation), including profiling, which produces legal effects concerning him or her or significantly affects him or her. The Regulations expands the cases in which decision-making based on such processing, including profiling, is allowed, introducing the possibility to carry it out with the data subject’s explicit consent.

Different from the various national provisions adopted in each Member State, profiling would be treated by the new EU rules as a processing alone and, as a consequence, it would require, amongst others, that controllers:

  • inform data subjects about the existence of profiling, and the consequences of such profiling;
  • obtain a specific and explicit consent for it (unless one of the exceptions provided by the Regulation applies).

This course of action would not be a new one for Italy, where, for example, profiling is traditionally considered as an autonomous processing, which requires a specific consent, separate from the consent for other purposes (such as, marketing purposes). In other European countries, profiling is usually treated as a modality of processing personal data and not as an autonomous processing, therefore it is generally deemed that no specific consent is required for profiling once the controller has obtained consent for marketing purposes.

 

Conclusion

In conclusion to this brief overview of the most groundbreaking provisions of the proposed Regulation, it is worth reminding that the latter is currently subject to discussions between the Parliament and the Council. Even though it is likely that the proposal will be amendment before the enactment, the general structure would probably remain the same, especially in the parts described above, which represent momentous innovations and will surely ensure effectiveness and confidence in the processing of people’s personal data

The post Compliance with EU Data Protection Regulation appeared first on IPOsgoode.

]]>
The General Data Protection Regulation: From Promises to Reality /osgoode/iposgoode/2016/01/27/the-general-data-protection-regulation-from-promises-to-reality/ Wed, 27 Jan 2016 22:29:51 +0000 http://www.iposgoode.ca/?p=28670 The re-posting of this comment is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. In December 2012, the Commission put forward its proposal for a General Data Protection Regulation (“GDPR”). According to the Commission’s own words, “The Regulation is an essential step to strengthen citizens’ fundamental […]

The post The General Data Protection Regulation: From Promises to Reality appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with .

In December 2012, the Commission put forward its proposal for a General Data Protection Regulation (“GDPR”). According to the Commission’s own words, “The Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.”

After almost four years, at the end of the so-called trialogue, the Commission, the Council and the EU Parliament have reached agreement on a proposed text, which needs the final vote of the Parliament and the agreement of both the Council and the Commission. It is likely, indeed it is expected, that by the end of February the Regulation will have been finally approved. The purpose of this comment is not to analyze the text and the wording of the GDPR; I will rather concentrate my analysis on two points:

1. When the Regulation was first presented on 25 January 2012, the premise, indeed the very basis to move from the Directive to the GDPR was (and still is) to have only one law applicable in all of the EU: is it really the case? Will Europe finally have a uniform law, applicable across all 27 Member States?

2. Technology is moving ahead at a pace never experienced before. In addition, the widespread use of mobile devices has created a whole new market of products; finally, robots are coming in our world very strongly (and in some areas they have been used for decades already). Is the GDPR what we need to tackle the issues raised by new, ever-changing technology?

Ìę

1. One single law.

According to the words of Commissioner Viviane Reding, when the GDPR shall be effective we shall have a single privacy law in all 27 countries. According to the words used by the Commission in January 2012, the GDPR would have delivered ”a single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year”[1].Ìę Four years later, more or less the same triumphant words have been used in the press release issued at the time the European Institutions reached agreement: “a single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year”[2±Ő.

The truth of the matter is quite different. Section 88 of the GDPR repeals Directive 95/46/EC, but not Directive 2002/58/EC, the so-called ePrivacy directive (amended with Directive 2009/136/EC), better known to most practitioners as the “Cookies Directive”. The fact that there would not be a uniform regime was well known to everyone under the sun (including the Commission, one hopes). Indeed, the Commission itself, one and half year after pounding the drums of a uniform legislative scenario, issued a request for proposal under which the chosen contractor was required to evaluate (among other things) the potential problems deriving from havingÌę two different legal instruments[3] in force at the same time. One and a half year after stating “one Europe, one law”, the Commission itself was looking for someone to tell them what would be the potential consequence of a dual-system legal environment. Hard to believe, but the highest authority in Europe did not know itself what it would be the consequences of its own acts, and asked someone else to assess them!Ìę There are two possible scenarios to justify this mess: under the first scenario, someone within the Commission made a gross mistake: he/she did not know of the existence of Directive 2002/58/EC. The second scenario is that the future co-existence of the GDPR with the ePrivacy Directive was well known (one would be very hard pressed to believe that the Commission ignored it), but if this is the case the words of Ms. Reding sound very odd indeed.

So much for what happened in 2012. But if it is hard to believe that at that time Ms. Reding may have been misled by some functionary, it is just as difficult to accept the same statement and the same words being used today[4]. To top this mess off, when one reads the entire press release, it states that the Junker Commission has delivered a comprehensive Data Protection reform, which included the GDPR as well as the new Data Protection Directive for the police and criminal justice sector. “The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism”[5±Ő.

Which means that European shall cope with three legal instruments on the same subject: one Regulation and two Directives. So long to the “single law” approach.

Now, some may say that the two Directives have a different scope as compared to the Regulation; nevertheless, the reality shall be that Europe shall continue to have different rules on different aspects of Data Protection in each Member State.

But on this topic there is more to be said, much more.

The real problem lies in the following fact. Since the implementation of Directive 95/46/EC, each the Data Protection Authoritiy (“DPAs”) of the Member States has approved specific regulation on several items. Just to stay with Italy, the Italian DPA has issued regulations on matters like video-surveillance, fidelity cards, system administrators, clinical trials, mobile payments, etc. The list could go on for a couple of pages. The same has happened in other countries. Now, all this secondary legislation is not going to be impacted by the GDPR. In fact, Whereas n. 8 states the following:

“This regulation does not exclude Member States law that defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful”.

And Whereas n. 134 is more explicit on the point: “Commission decisions adopted and authorization by supervisory authorities based on Directive 95/46/EC remain in force”.

In other words, if yesterday Italy, Spain, Sweden and (or, if you wish) UK had a specific regulation on anyone of these items, the situation shall remain the same and businesses will continue to cope with different regulation for the same processing in different countries[6]. On one hand, this is logical: if all these regulations were repealed, there would be an enormous legislative vacuum and personal data would not be protected. But different regulations on the same subject shall still be in place all over Europe.

Finally, according to Whereas n. 119, “Member States may lay down the rules on criminal sanctions for infringements of this Regulation”. Again, this is going to create differences between the laws of Member states and set the condition for a round of forum shopping, just as it happened with Directive 95/46/EC.

The sad conclusion is that no, there is not going to be one single law in all 27 Member states. This is what we were told, but this is not going to be the case. It is extremely disappointing, since I believe Europe has a duty to tell the Europeans the real story. It has not been the case with the GDPR.

Ìę

2. The state of the art and the GDPR

“Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale
Technology has transformed both the economy and social life”[7±Ő.

“These developments require a strong and more coherent data protection framework”[8±Ő.

Yes, technology has changed our lives, and shall continue to do so, in a way and at a pace we can hardly imagine. I have always made the point that if one compares the IT industry to the automotive industry, we’re about at the time of the Ford Model T (whose production started in 1908). The Model T looked pretty much like Granma Duck’s old car. If one compares the timeframe, considering that widespread use of the net and of IT technology has started in the last decade of the past century, that’s where we are. In other words, what we see and what we know to-day is only the beginning. Industrial robots have been used in manufacturing for more than two decades now; medical robots are used in complex and non-invasive surgery, many of them are operated via network, so that the surgeon is not present in the location where the surgery is being performed, but outside the hospital, and in some cases in another country. Robots are starting to be used in households.Ìę Drones are one of the hottest items in the marketplace: Amazon is said to be using them to deliver its parcels. Computing power and storage capacity is getting faster, cheaper and more easily available at ever decreasing cost. Telecommunication technology is moving ahead with unprecedented speed. Users and consumers are linked 24 hours a day, seven days a week; they buy goods on line, participate in auctions, post comments on restaurants and on any commercial item available under the sun. Big data is getting bigger and bigger, fostered by a surge in availability of different means of connection (gaming consoles, smartphones, tablets); cloud computing is now used by medium and small business thanks to IT giants like Microsoft, Google, Amazon, etc. Internet of things shall open more potential for new and creative use of old household objects: lights, heating systems, tv sets, fridges, etc.

Without a doubt, the biggest change (and the most taunted one) shall be in the automotive industry, that for the first time in its history is opening up to the use of a technology other than engine technology. In this industry many example of automation or digitalization are already a mature technology (to name one: gps or similar technology is available on almost every car), and the declared goal of the Googles and Apples of this world is the autonomous car. This will change even more the way we live.

This dramatic and continuous change seems to have been missed by European Legislators. The GDPR is still based on the same principles and logic of Directive 95/46/EC, with some changes here and there, but the basic structure is the same. On its part, the Directive is based on the principles of the Strasburg Convention[9], which dates back to 1981. The question is: does someone really believe that the complexities and the technologies of this century can be regulated by a set of rules that were established 35 years ago?

Does someone really believe that the information-consent process, in the way it is conceived today (and shall remain, with the new GDPR), is the answer to the advancements of technology?

I do not believe, as some famous law scholar does, that technology is the law and that we should therefore cave in to any and all new development of science and IT. That’s not my position.

On the other hand, using a standard that was devised at a time when the computing model was the old IBM mainframe is unacceptable. With this standard, it shall become more and more difficult to comply with the law, to apply it to new devices and usages, to the creative new products and little things that we are starting to get used to, and that shall be the norm in the future.

No, in my opinion the GDPR is not a step forward, but a meaningless repetition of an old cliché, another painful evidence that law cannot keep the pace with technology.

 

3. A final point

The GDPR is, beyond any doubt, one of the most complex statutes ever enacted by the EU. Including the lengthy whereas clauses, the Regulation is some 200 pages long, with many (too many) sections interconnected among them; several of the key sections of the law have cross references to other sections; complex wording leaves ample room for dubious interpretation, in short, the GDPRÌę is one of the most complex pieces of legislation ever. The cost of education on this Regulation is going to be very, very significant. The press release of the EU maintains that with the GDPR there shall be savings for 2.3 billion for business. I do not know who arrived to this figure, but what I know is that the GDPR shall require a significant shift in the way companies carry their business: a large number of companies shall hire a Privacy Officer; all business are now required to maintain a record of all processing activities (whatever that means)[10], to carry out a security assessment, to implement prior consultation with the DPA (in certain cases) etc.

There are no doubts in my mind that the protection of privacy is a fundamental human right[11] and that “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls “the right to be left alone”.°Ú12±Ő

If Europe wants to be serious in protecting the right to be left alone, adequate legal instruments have to be put in place: they have to be simple, easy to understand and easy to implement, otherwise they shall fail.

 


 

“ePrivacy Directive: Assessment of transposition, effectiveness and compatibility with proposed Data Protection regulation, SMART 2013/0071B1.Ìę Sec. B.1- Analysing the legal consequences resulting from the co-existence of the ePrivacy Directive and a data protection Regulation”.

See footnote 1.

In addition, on several items the Regulation leaves room to the member states to implement their own regulations and statutes: see whereas 125 a on scientific research, whereas 127 on access to personal data by the Supervisor Authority.

GDPR, Whereas # 5

GDPR, Whereas # 6

Strasbourg Convention of January 28, 1981, n. 108

Sec. 28 of the GDPR: the list of items to be included in this list is quite comprehensive.

GDPR, whereas 1: “The protection of natural persons in relation to the processing of personal data is a fundamental right”.

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890).

The post The General Data Protection Regulation: From Promises to Reality appeared first on IPOsgoode.

]]>
The future of the IGF: mandate renewal? /osgoode/iposgoode/2015/12/21/the-future-of-the-igf-mandate-renewal/ Mon, 21 Dec 2015 15:11:49 +0000 http://www.iposgoode.ca/?p=28467 The re-posting of this comment is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. This week, internet governance debates will centre on the UN General Assembly, which is due to make a decision about the future of the Internet Governance Forum (IGF); specifically, whether or not […]

The post The future of the IGF: mandate renewal? appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media in a Comparative Perspective.

This week, internet governance debates will centre on the UN General Assembly, which is due to make a decision about the future of the Internet Governance Forum (IGF); specifically, whether or not to renew its mandate. In advance of that decision, Luca Belli, Researcher at the Center for Technology and Society (CTS) of Fundação Getulio Vargas Law School, Rio de Janeiro, outlines the value of the IGF and why he believes that its mandate should be renewed. This is theÌęÌęto be published by the Media Policy Project which considers the issue of the IGF’s mandate.

Next week, the UN General Assembly will decide on the mandate renewal of the UNÌęÌęat theÌęÌę, the official UN meeting aimed at assessing the implementation of theÌęÌę. The IGF is one of the main outcomes of WSIS and, over the past decade, the Forum has allowed world policymakers, private sector representatives, techies, academics and human rights advocates to congregate and debate the most salient Internet policy issues in a multistakeholder environment.

The Forum has proven to be a valuable platform for policy discussions and a significant catalyst for cooperation by allowing different stakeholders to organise new partnerships. However, multistakeholder dialogue is not the exclusive goal of the Forum, and theÌęÌęexplicitly states that the Forum shall “find solutions to the issues arising from the use and misuse of the Internet” as well as “identify emerging issues [
] and, where appropriate, make recommendations” (Tunis Agenda, para. 72.k and 72.g).

There is no doubt that the first decade of the IGF has triggered a number of stimulating debates and has managed to engage a critical mass of stakeholders into a self-organised, yet incredibly wide-ranging, process. However, it also clear that this process has not realised its full potential yet, and the production of “recommendations” and “solutions” has been long – and unjustifiably – deferred.

As emphasised by the 2012 Report of the Working Group on Improvements to the IGF (Ìę)), the need for “more tangible outputs” has become patent, and the reluctance to do so can only undermine the credibility of the whole IGF process. The lack of formal IGF outcomes has been criticised by many as a failure to fully comply with its mandate. Such dissatisfaction seems justified, not only due to the fact that the development of solutions and recommendations is explicitly requested by the mandate, but also in light of the fact that tangible outputs already exist yet are waiting to be formally recommended.

 

Habemus outcomes!Ìę

Over the past few years, a great number of IGF participants have expended considerable efforts in open and participatory processes, leading to concrete outputs through the IGFÌęÌęand theÌęÌę. Despite the absence of a formal process of “recommendation” of outcome documents, it is worth noting that some have already inspired the work of several institutions. For instance, theÌęÌę, developed by theÌęÌę, was a considerable source of inspiration for theÌęÌę, put forward by the Italian Chamber of Deputies. Similarly, in their effort toÌęÌę, European policymakers have taken substantial inspiration from theÌęÌęon Network Neutrality, developed by the IGF Dynamic Coalition on Network Neutrality.

The documents produced by Best Practice Fora and Dynamic Coalitions are a clear example not only of the possibility of achieving concrete IGF outputs, but also of the willingness of many IGF participants to collaborate to produce them. The undeniable benefit of any multistakeholder approach is not only to nurture discussions with experts holding a wide range of views, butÌęÌę. Therefore, it is a very positive sign that, following the 10thÌęIGF, the documents produced by Dynamic Coalitions and Best Practice Fora have been finally acknowledged as outputs ofÌę.

 

“The best IGF ever”

One of the reasons why ‘Ìęacknowledged IGF 2015 asÌęÌęis probably because this year, the IGF has been the most outcome-oriented ever, demonstrating that multistakeholder fora can be much more than a ‘talking shop’.

For the first time in the IGF history, the IGF community was allowed to express its own opinion on concrete outputs, having a say on the content of the proposed documents,ÌęÌę. Although this participatory experiment may be seen as quite timid, it is remarkably innovative for a forum that has shied away from the adoption of any official outputs for over an entire decade. Furthermore, to make this experiment even more inclusive, the IGFÌęÌęhave been kept open until the end of December 2015 to allow individuals to express feedback on key policy issues such asÌęÌę, onlineÌęÌęand theÌęÌę.

 

The way forwardÌę

The first step to making any future ambition for the IGF a reality is the renewal of the Forum’s mandate by the UN General Assembly. This is not yet certain, although is highly probable. A very telling sign seems to be the recent decision toÌęÌęon the IGF website, particularly as the UN has avoided to allow the display its logo on the IGF website for almost a decade. In addition, the IGF’s capability to produce concrete outputs seems to be a very good argument in favour of the mandate renewal – not to mention the fact that once an international body is established, it becomes virtually impossible to disband it.

If the mandate is renewed, a crucial element for the future will be how to enhance stakeholder cooperation to enable the production of stable outcomes. Many IGF participants cheerfully herald “the beauty of the multistakeholder model” but the atmosphere becomes slightly less cheerful when stakeholders are asked to debate how to concretely implement such a model (assuming that they would even agree there is only one in the first place).

It seems undeniable that the current trend towards further cooperation and outcomes – particularly within Dynamic Coalitions and Best Practice Fora – appears to be beneficial and it would be unwise to curb such cooperative momentum. Besides fostering stakeholder engagement in the IGF process, the production of tangible outputs is instrumental in producing policy suggestions that may be valuable for national and international policymakers and that may ultimately lead to interoperable legal frameworks, based on compatible rules inspired by shared principles.

To date, Dynamic Coalitions and Best Practice Fora have been the only components of the IGF structure allowing for the production of “tangible outputs”, although there are no formal impediments to the experimentation of new forms of multistakeholder cooperation. The organisation of IGF main sessions in a more outcome-oriented fashion may be considerably more productive than keeping the current super-workshop format that allows, at best, repetition of the same kind of discussions enabled by regular workshops and, at worst, sterile collections of micro-statements.

The IGF process is on the right path to becoming more output oriented, and the JoĂŁo Pessoa meeting has clearly proven that the IGF can go further than mere debate. This year, the IGF has finally provided participants with the possibility not only to debate but also to table concrete suggestions. This is why the IGF 2015 has truly been the best IGF ever.

The post The future of the IGF: mandate renewal? appeared first on IPOsgoode.

]]>
Conference Report: “Internet and Copyright Law in the European Perspective. The Digital Single Market Copyright” /osgoode/iposgoode/2015/12/08/conference-report-internet-and-copyright-law-in-the-european-perspective-the-digital-single-market-copyright/ Tue, 08 Dec 2015 21:51:10 +0000 http://www.iposgoode.ca/?p=28421 The re-posting of this comment is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. On November 4th and 5th 2015 the Italian Judge Permanent Training Program for the Court of Milan (Hon. Francesca Fiecconi), with the collaboration of AIPPI Italian Group (Ms Renata Righetti, Avv.ti Giorgio […]

The post Conference Report: “Internet and Copyright Law in the European Perspective. The Digital Single Market Copyright” appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media in a Comparative Perspective.

On November 4th and 5th 2015 the Italian Judge Permanent Training Program for the Court of Milan (Hon. Francesca Fiecconi), with the collaboration of AIPPI Italian Group (Ms Renata Righetti, Avv.ti Giorgio Mondini, Simona Lavagnini, Fabrizio Sanna) and Franzosi Law Firm (with a team composed by Prof. Avv. Mario Franzosi, Avv.ti Gianluca Campus and Anna Maria Stein), organized in the Aula Magna of the Court of Milan a Congress for practitioners and academics from all over Europe aimed at discussing the most recent evolutions in the copyright law, taking into consideration the reform proposals indicated by the Europen Commission in the .

The introduction of communications via Internet and the wide use of digital contents have dramatically demonstrated that most of the national copyright laws need to be re-evaluated and that the borders between communication, distribution and reproduction rights should be reviewed taking into consideration needs and structure of digital economy. The Digital Single Market Strategy for Europe highlights that the reform of copyright law plays an important role in achieving the goals indicated by President Jean-Claude Juncker.

EU legislative proposals for a reform of the copyright regime are expected at the end of 2015 and early 2016. This made the Congress a strategic occasion for information and discussion, a thinking arena, with the purpose of comparing national approaches on copyright issues, looking to a European view.

The Congress has been organized in three sessions, dedicated respectively to: (1) Distribution of digital contents on the internet; (2) Copyright infringements on the internet and the enforcement of rights; (3) Collective rights management in the digital era. Each session has been followed by a Panel Discussion dedicated to academics, judges, lawyers, technicians, collective rights managers and in-house lawyers.

Have joined the Congress, among others, Judges specialized in IP matters (Hon. Marina Tavassi, Amedeo Santosuosso, Francesca Fiecconi, Francesco Cajani, Giovanni Canzio and Roberto Bichi) the European Commission, the World Intellectual Property Organization, the Max Planck Institute (Munich), the Institute for Information Law (IviR) of the University of Amsterdam, the Italian Authorities for Communications (AGCOM) and for Competition (AGCM), the Universities Milan Bicocca, Milan Bocconi, Ferrara, Washington, the collecting societies SIAE, Nuova Imaie, SCF, IFPI and Google, Sky Italia, Mediaset, V-Nova, Italiaonline, Sinapsi. The Congress Proceedings will be in English and in Italian and will published in 2016 both in electronic form and in paper form with Aracne Editrice in the book collection “”, directed by Prof. Oreste Pollicino.

Speeches and Panel discussion focused on the evolution of the market of digital contents that requires copyright rules fitting the purpose of enabling better cross-border transactions, at least at European level and possibly at a worldwide level. In detail the Speakers analyzed the core actions indicated in Digital Single Market Strategy. Mr Marco Giorello (Deputy Director of the Copyright Unit of the DG Connect – European Commission) has introduced the legal framework and the roadmap for the implementation of the Digital Single Market Strategy for Europe (“DSMS”). The DSMS could have a huge impact on the reform of copyright law at a European level. It is anyway still matter of discussion which direction should take this reform.

For Prof. Mario Franzosi (University of Washington) the entire regime of copyright should change in order to face the challenges of the digital era. If the regime does not change, it could perish. Prof. Vincenzo Franceschelli (University of Milan Bicocca) has highlighted that is of the utmost importance to balance the right to economic exploitation of copyrighted materials with the right to private use of the same materials. Without such balance also the review of the Infosoc Directive (included in the DSMS) could lead to a “payable information society”. Also Hon. Vittorio Ragonesi (Italian Supreme Court – Legal Advisor Italian Foreign Office) suggested that the selection of conducts that constitute copyright infringement plays an important role. A possible balance could be found at the level of the exceptions to exclusive rights on copyrighted materials.

Other Speakers from European countries suggested possible ways for modernizing copyright law. For Prof. Bernt Hugenholtz (Institute for Information Law, Universiteit van Amsterdam) despite 25 years of copyright harmonization at a EU level, territoriality of copyright is left mostly intact and copyright protection is limited to national borders. An effective response to territoriality could be the review of the Sat/Cab Directive and the extension of the satellite broadcasting rules to Internet. On the other hand Prof. Dr. Michael Lehmann (Max Planck Institut Munich) analyzed the definition of Digital Contents in the Consumer Rights Directive and the recent ECJ case law on used software (Usedsoft case) and realized that the ECJ-decision is valid only for software: interprets the Software Directive. But at the time of the Software Directive every on-line activity was classified as a service. In the digital era we must treat on-line and off-line delivery of all types of “digital contents” as equal.

With reference to the topic of copyright infringements on the internet and the enforcement of rights, Hon. Francesco Cajani (Public Prosecutor – Pool for Cybercrime of the Court of Milan) has gone through the Google-Vividown case law in Italy in 2010, highlighting that the interpretation of the Public Prosecutor’s Office of Milan with reference to the liability of the ISP for managing personal data has been essentially confirmed in recent years by the case law of the European Court of Justice (C-131/12 Mario Costeja Gonzalese e AEPD Vs Google Spain e Google Inc.). Mr Giorgio Greppi (Italian Communication Authority – AGCOM) has reconstructed the legal basis for AGCOM power of control on on-line copyright infringements in the Italian legal system. Since 31st March 2014 the Regulation is in force in Italy and AGCOM has already managed 380 claims raised by copyright holders. But Mr Thomas Dillon (Counsellor, BRIP Division, WIPO) has remebered the different interpretations raised by national courts on the extent of liability of ISPs. National courts implement the copyright laws in divergent ways, in particular with regard to injunctions against intermediaries.Ìę Such orders (and their refusal) may certainly have cross-border consequences. The Digital Single Market Strategy for Europe should face the challenge of overcoming such fragmentation among national approaches.

Also the collective rights management is a core topic for the digital era. Hon. Gabriella Muscolo (Italian Competion Authority – AGCM) considers that antitrust rules and an harmonized legislative framework are complementary means for implementing an effective digital single market of collective rights. The current scenario underlines a contrast between: (i) the request by the users of access to digital contents anytime and anywhere; (ii) the principle of territoriality of copyright and the complexity in copyright clearance. In the light of the above, an efficient and transparent system of collective rights management at a European level could represent a solution for implementing cross-border licensing and for reducing transaction costs.

Ms Stefania Ercolani (SIAE – Director of Multimediality Department) has indicated that also historical factors impacted the area of collective rights management. In Italy there is a dichotomy between the collective management of copyright and the collective management of neighbouring rights (only for the latter the Italian legislature has introduced a certain level of competition). It will be interesting to verify how the implementation of the Collective Rights Management Directive could impact both sectors.

 

P.S. a long form of this Conference Report will be published in the Journal of European Consumer and Market Law (December 2015)

The post Conference Report: “Internet and Copyright Law in the European Perspective. The Digital Single Market Copyright” appeared first on IPOsgoode.

]]>
Internet service providers liability and copyright protection in the EU /osgoode/iposgoode/2015/10/15/internet-service-providers-liability-and-copyright-protection-in-the-eu/ Thu, 15 Oct 2015 15:28:36 +0000 http://www.iposgoode.ca/?p=28034 The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.   Which is the legal framework surrounding Internet Service Providers (ISPs) in the EU, when it comes to copyright protection? The following article analyses the importance of ISPs in the enforcement of […]

The post Internet service providers liability and copyright protection in the EU appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media in a Comparative Perspective.

 

Which is the legal framework surrounding Internet Service Providers (ISPs) in the EU, when it comes to copyright protection? The following article analyses the importance of ISPs in the enforcement of rights in Cyberspace and in balancing different interests.

This work finds its roots in the essay composed in the context of the LSE Summer School 2015 Cyberlaw course attended by the author, during which he was given a full introduction on all the hot topics covered by Information Technology Law.

 

SCENARIO

A European ISP, EasyTelco, leases to its clients its fiber-optic cables to deliver fast Internet access.
A movie producer, DotCom Entertainment, has recently informed EasyTelco that some of its clients are allowing users to access a website based in Greece, called FreeShare.com, which hosts unauthorised copies of some of the products of DotCom Entertainment. Hence, they ask EasyTelco to block access to FreeShare.com and to any other site on which they know are illegally hosted DotCom Entertainment movies.

 

THE LAW

As a matter of simplicity, we will not domicile EasyTelco in any EU State in particular, in order to hold a more generic point of view. Moreover, we will focus only on the ISP regime, omitting the position of the other subjects involved in the case.

First, it is easy to recognise that DotCom Entertainment, being the author of the multimedia products involved in the dispute, holds a rightful copyright over them, which includes, among others, an exclusive right to make or authorise the making of copies of the work and to decide whether to issue those to the public. Thus, it is copyright infringing to engage in unauthorised copying for commercial purposes, and the law gives action on that to the right holder.

In the light of this right, the position of EasyTelco is a complex one, because it lays at the very cross-over between contrasting interests, as we will see.

The ISPs legal status has been shaped by the European Electronic Commerce Directive[1] and the Copyright and Related Rights in the Information Society Directive[2]. As a matter of fact, Art. 8(3) of the Copyright and Related Rights in the Information Society Directive creates a “notice and take down” system:

Ìę“Member States shall ensure that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.”

However, protection of copyright needs to be balanced with the safe harbour provision of the art. 15(1) of the Electronic Commerce Directive, which says that:

Ìę“Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.”

The article refers to art. 12, 13 and 14, which all define different types of ISPs, to identify the subjects benefiting from the protection of the above-mentioned article. In brief, the three articles set forth that “mere conduit”, caching and hosting providers shall not be liable for the information they transmit, cache and host, unless they are made aware of their (defamatory, copyright infringing, etc.) nature. In particular, art.12[3] is the one relevant for our purposes, as long as it defines the “mere conduit” provider as whoever allows transmission of information in or access to a communication network, which happens to be the exact activity of EasyTelco. As a final point, the third paragraph of the article allows norms such as art.8 of the Directive on copyright protection, stating that:

“3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement.”

Therefore, EasyTelco should not be held liable for copyright violations occurred within its connection services, as long as it is unaware of them, according to the general prohibition set forth by art.15 Ecommerce Directive on imposing a general duty to monitor the content of communications. However, following the “notice and take down” system, it is likely that a court would grant an injunction to the claiming party to oblige EasyTelco to unable access to copyright infringers such as FreeShare.com.

 

AN EXAMPLE FROM THE UK

An English case helps us understanding how courts balance the two contrasting EU provisions: Twentieth Century Fox and ors v British Telecommunications plc (Newzbin II) [4]. The “Studios” were trying to close the P2P sharing website Newzbin, liable of hosting copyright infringing materials. The claimants decided to seek an injunction under s.97A[5] of the CDPA 1988, which mirrors art.8 of the Copyright and Related Rights in the Information Society Directive, against BT, to oblige it to prevent users to access Newzbin via the inclusion of the URL in the Cleanfeed blacklist.

As a matter of fact, the majority of the ISPs in the UK have implemented since 2004 a technical system developed originally by BT, called Cleanfeed, which blocks all the requests from the UK to any webpage inserted in a blacklist because of hosting child abuse related images. This content blocking solution has proved to be the ideal solution to inhibit access to sites which have been found infringing copyright during their activities, but whose servers are located abroad, consequently voiding any chance of direct enforceability of a UK court order. Then, when BT claimed violation of art.15 of the Ecommerce Directive, Arnold J pointed out that, due to the previous existence of the Cleanfeed filter, adding a single site to the blacklist could not be regarded as imposing a general obligation, so he granted the injunction to the claimants. In arguing that, he referred to a similar Belgian case[6] at that moment under the scrutiny of the ECJ, where the Belgian authors society was asking the national ISPs to cover all the communications across their networks with a totally new monitoring system to prevent copyright violations. Arnold J underlined the striking difference between the two cases, and that only the Belgian one implied a violation of art.15, as it was eventually ruled by the ECJ, because it obliged all Belgian ISPs to create, at their own expenses, a brand new filtering scheme.

 

THE DEBATE

Nowadays, ISPs are one of the most powerful tools to regulate cyberspace and to enforce laws and court orders, in a manner that remembers the concept of “regulation by architecture” theorised by Lawrence Lessig[7].Ìę As a result, they are at the very intersection of various interests, from copyright to freedom of expression, right to privacy and the preservation of a functional and efficient Internet.

”Originally the European legislature made a lot of efforts to restrain intermediaries from choosing
party and made sure they would take up a merely neutral-passive role. This is clearly reflected by the
special exemption regime installed by the E-Commerce Directive that was adopted in 2000 as a
response to the disparities that existed amongst Member States concerning the liability of service
providers acting as intermediaries which prevented the smooth functioning of the Internal Market”[8±Ő.

However, legislators are constantly looking for new solutions to regulate them, as the French HADOPI system. HADOPI (Haute AutoritĂ© pour la Diffusion des Oeuvres et la Protection des droits sur Internet) is an administrative authority to whom copyright holders may notify infringements of their copyright, hence activating a so-called “three strikes procedure”, which consists of two consecutive warnings, first an email, then a more formal letter, down to the last step if the user continues in his offending activities, which contemplates a temporary suspension of internet access. Concerns related to the constitutionality of the new law were raised before its approval by the Conseil Constitutionnel, which eventually led to introducing the possibility for the user to appeal to a court against the HADOPI’s suspension of Internet access. Similar multi-strikes approaches have been followed by countries like U.S., Eire and the UK with the Digital Economy Act 2010, but all of those hide a problem of fair balancing between the rights at stake.

There are clear problems surrounding that design-based manner of enforcing law on the Internet, unquestionably one is the power to limit freedom of expression, a fundamental right as acknowledged by the ECHR (art.10), which is given to an administrative authority, expression of the government, and not to the judiciary.

Again, as soon as copyright holders’ claims start growing, it is not clear how the courts will deal with extending blocking techniques to all the offending users without contrasting with the general prohibition of art.15 of the Electronic Commerce Directive and the neutral role of ISPs it wants to preserve. Lastly, it might be argued that also serious privacy matters arise when an administrative body such as HADOPI requires surveillance over a citizen. Indeed, art. 8 (2) of the Human Rights Act allows some limitations of the right to privacy one enjoys only for, amongst others, “the protection of the rights and freedoms of others”, which could be the case when enforcing copyright. Nevertheless, are we sure it is best way to allow a body of the Government to compress a fundamental right just to protect an economic interest of some corporations? An authoritative point of view on the subject was expressed in 2008 by the ECJ in the Spanish Promusicae v. Telefonica, in which a copyright holder asked the ISP to communicate the personal data of users of Kazaa to allow suing them in civil trial. The court decided that there was no obligation under UE law for Member States to impose a duty to disclose personal data to ensure copyright protection.

Curiously, it is interesting to notice how even in Italy the one year-old regulation on online copyright issued by AGCOM, it is under review at the moment by the Italian Constitutional Court. The reasons behind this is that the Authority, quiet similarly to HADOPI in France, wants to protect copyright holders up to blocking access to offending sites after a summary hearing of the parts involved. As distinctly reported by Marco Bellezza in an article appearing on Medialaws.eu[9], what basically has been challenged is that this procedure underlies some critical constitutional issues, i.e. the fact that orders to limit Ìęa fundamental right as freedom of expression in favour of a so-called “economic freedom” should not come from a regulation of an executive body, but from an act of parliament, and together with the chance of battling them in court, not before a mere administrative authority.

 


 

[1] Dir. 2000/31/EC of the European Parliament and of the Council of 8 June 2000, OJ L 178, 17 July 2000.
[2] Dir. 2001/29/EC of the European Parliament and of the Council of 22 May 2001, OJ L 167, 22 June 2001.
[3] “(1)Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted [
]“
[4] [2011] EWHC 1981 (Ch).
[5] “(1)The High Court (in Scotland, the Court of Session) shall have power to grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright.”
[6] Scarlet Extended SA v SABAM. (C-70/10) [2012] ECDR 4.
[7] Lessig, L. (1999) “Code and Other Laws of Cyberspace”. New 91ŃÇÉ«: Basic Books.
[8] Werkers, E. Intermediaries in the Eye of the Copyright Storm – A Comparative Analysis of the Three Strike Approach within the European Union (August 15, 2011). ICRI Working Paper No. 4/2011.
[9] Bellezza, M. #dda online: la questione di costituzionalitĂ  e il regolamento AGCOM. Retrived: 05/08/15, from: http://www.medialaws.eu/ddaonline-la-questione-di-costituzionalita-e-il-regolamento-agcom/

The post Internet service providers liability and copyright protection in the EU appeared first on IPOsgoode.

]]>