Medialaws Archives - IPOsgoode /osgoode/iposgoode/tag/medialaws/ An Authoritive Leader in IP Mon, 11 Aug 2014 16:47:10 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 The Italian Data Protection Authority’s Annual Report 2013 – Big Data, Transparency and Surveillance /osgoode/iposgoode/2014/08/11/the-italian-data-protection-authoritys-annual-report-2013-big-data-transparency-and-surveillance/ Mon, 11 Aug 2014 16:47:10 +0000 http://www.iposgoode.ca/?p=25500 The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective. On June 10, 2014, the Italian Data protection Authority (Garante per la protezione dei dati personali – “DPA”) presented its Annual Report for 2013. In its 17th annual edition of the Report, the […]

The post The Italian Data Protection Authority’s Annual Report 2013 – Big Data, Transparency and Surveillance appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media ina Comparative Perspective.

On June 10, 2014, the Italian Data protection Authority (Garante per la protezione dei dati personali – “DPA”) presented its . In its 17th annual edition of the Report, the Italian watchdog sets out the status of the implementation of privacy laws and indicates the operation prospects that are required to move towards genuine and effective personal data protection.

 

1. Highlights of the Annual Report 2013

The main DPA’s activities in 2013 concerned the following topics.

 

Internet and the role of large providers. Particular importance goes out to work done by the DPA, also in cooperation with other European authorities, to ensure greater transparency for users in connection with the processing of their personal data via the internet. In this respect, the DPA issued guidelines to protect privacy on smartphones and tablets and recently a resolution on consent for the use of cookies.

 

Global supervision in connection to the Datagate. Datagate stands for the revealed collecting of personal data of citizens by USA’s National Security Agency (NSA). The DPA raised concerns about espionage performed by the NSA and therefore sent a letter to the Italian Prime Minister, requesting him to support the adoption of the draft reform of the EU legal framework for data protection.

 

Transparency of the online public administration and safeguards for citizens. The DPA guidelines to make sure that transparency would not be in conflict with the right to privacy and data protection. For example, a dissemination of information on health and economically or socially disadvantaged beneficiaries of public allowances was prevented.

 

Problems caused by cyber bullying on social networks. On the occasion of the 2013 European Privacy Day, the DPA published a video on its website containing tips for knowledgeable use of social networks. Also a letter was sent to the Italian Ministry of Education to bring the growing problem of cyber bullying to his attention.

 

Confidentiality of taxpayers. In-depth prior checks were performed on the processing of data performed by the Italian Revenue Agency for purposes of the so-called “Redditometro” (i.e., an income meter tool). The DPA set forth various measures to be implemented, in order to address the many criticalities that were found. These comments related to, among the others, the quality and accuracy of the data used by the Italian Revenue Agency, the estimated expenses incurred by each taxpayer depending on multifarious life-style components, as well as the information to be provided to the taxpayers.

 

Mobile payments. The DPA launched a public consultation on the processing of personal data performed in connection with payments through the use of smartphones and tablets and, more broadly, through remote mobile payment services (the DPA has recently a resolution on such matter which takes into account the outcome of the public consultation).

 

Use of biometric data. Significant actions were taken to regulate the use of the biometric signature in banks and the use of fingerprints in the workplace. The DPA found that the use of biometrics in order to check attendance of teachers and administrative staff in several schools was disproportionate, also in accordance with the principles set out by the Article 29 Data Protection Working Party’s on developments in biometric technologies.

 

Protection of minors in the media and on the internet. The use of webcams in a nursery school was banned in order to protect children’s privacy, the unfettered development of their personality, unrestrained relationships with their teachers and freedom of teaching.

 

Protection of data used for justice purposes. Measures and arrangements were made to stimulate the security of any personal data that is being collected and used as part of interception activities, carried out by the Telecommunications Interception Centres (“Centri Intercettazioni Telecomunicazioni”), which are attached to every prosecuting office in Italy, as well as to police offices tasked with performing interceptions for judicial authorities.

 

Video surveillance. Based on spot-checks, the DPA discovered several instances of unlawful processing of employees’ and customers’ data performed by department stores using video surveillance. However, a longer retention period for video surveillance images collected in some building yards and storage areas set up in Pompeii was approved with the objective of preventing mafia-related activities. Furthermore, the DPA required health care districts that had installed video surveillance equipment in the restrooms of their facilities for ruling out drug addiction cases to take measures and precautions such as to protect the privacy of any individual whose urine sample was being taken.

 

Unsolicited promotional calls. Inspections and injunctions against IT companies specialized in database services were carried out to counteract unregulated telemarketing and unsolicited marketing. Hefty fines were to be paid since these companies had failed to comply with previous orders. Moreover, automated pre-recorded calls to costumers for debt collection reasons were banned. Other developments related to telemarking (or customer care) activities concerned call centers located in third countries without adequate data protection levels compared to EU standards. Measures such as the obligation to provide information and notify the DPA in advance about the call centers relied upon, enables the DPA to assess the transfer of personal data outside the EU.

 

Marketing and spam. Guidelines were adopted on marketing and for countering spam, with special emphasis on the new frontiers of spamming such as social spam (via social network sites) or spam based on the viral (or targeted) marketing. A video tutorial and was made available on the DPA’s website (named “Spam: how you can defend yourself”).

 

Consent for direct marketing. The DPA adopted a general resolution providing clarifications on the consent requirement in case of processing of personal data for direct marketing purposes. In particular, the DPA made clear that a data controller obtaining a data subject’s consent for direct marketing purposes through automated mechanisms may also process this data according to traditional/non-automated mechanisms (e.g., by post or operator-assisted calls), unless the data subject objects, also in part, to this processing, provided that other requirements set forth by the resolution are met.

 

Consumer rights. Two banks were allowed to equip their financial promoters with tablets that could perform an analysis of the signature of any customer entering into financial agreements in electronic format. However, the companies involved in enabling and managing both systems were required to take special measures to protect the data they collected. Additionally, measures were created to provide bank customers the option to undersign such agreements through conventional mechanisms as well.

 

Data retention of telephone traffic data. With the help of the tax police, the DPA performed inspections on telephone companies and internet service providers to verify compliance with the law provisions on internet and telephone traffic data retention. Sanctions in case of non-compliance with previous orders by the DPA were imposed.

 

Data breach notification. The DPA adopted a resolution for the notification of personal data breach providing guidance on who is required to fulfill the relevant obligations, what measures could ensure minimum common security standards, the timeline and content of the notification.

 

2. A few Figures

Over 606 decisions were adopted by the DPA in 2013 (almost 38% more compared to 2012).

 

The number of on-the-spot inspections has increased by 4% compared to 2012, for a total of 411. The inspections concerned, in particular, call centers and unsolicited telemarketing; mobile payment services; profiling; data breaches; the tax revenue database; consumer credit; credit bureaus; the information system of Italy’s social security agency (INPS).

 

Interestingly, also the number of the breaches of the Italian data protection law registered an increase, with 850 breach found by the DPA compared to 580 in 2012 (i.e., 47% more). 56% of the breaches concerned the failure to provide adequate information to data subjects. Other breaches involved processing without data subjects’ consent (179 cases); failure to adopt security measures (24 cases); breach of telemarketing rules (19 cases); failure to notify processing operations to the DPA (12 cases); etc.

 

The fines levied on account of administrative sanctions amounted to over 4 million Euros.

 

In 71 cases the DPA informed criminal authorities in particular relating to the failure to adopt security measures to protect personal data.

The post The Italian Data Protection Authority’s Annual Report 2013 – Big Data, Transparency and Surveillance appeared first on IPOsgoode.

]]>
The Italian Data Protection Authority on Google’s Privacy Policies /osgoode/iposgoode/2014/07/30/the-italian-data-protection-authority-on-googles-privacy-policies/ Wed, 30 Jul 2014 15:08:13 +0000 http://www.iposgoode.ca/?p=25410 The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective.   The Italian Data Protection Authority on Google’s privacy policies After an investigation started one year ago, following the modification of Google’s privacy policies, the Italian DPA has issued yesterday a new provision, […]

The post The Italian Data Protection Authority on Google’s Privacy Policies appeared first on IPOsgoode.

]]>
The re-posting of this is part of a cross-posting collaboration with : Law and Policy of the Media ina Comparative Perspective.

 

The Italian Data Protection Authority on Google’s privacy policies

After an investigation started one year ago, following the modification of Google’s privacy policies, the Italian DPA has issued yesterday a new provision, concerning services provided to Italian customers.

 

In fact, Google has unified in a single document the several rules governing personal data processing related to its features, such as e-mail (Gmail), social network (GooglePlus), management of online payments (Google Wallet), video platform (YouTube), online maps (Street View), statistical analysis (Google Analytics), therefore allowing the intersection and interoperability of these services and of users’ personal data involved.

 

It is the first time that a European DPA does not only holds the violation of the law but also requires specific measures that Google is expected to take in order to be compliant.

Privacypolicy

The DPA has prescribed to Google the adoption of a privacy policy structured on several levels.

 

The first general level should provide the most relevant information for the user: the mention of the data processing as well as of the data used (es. geolocation, IP addresses, etc.).; the address to which users may send their request in Italian exercising the rights listed in article 7 of the Privacy Code; the purposes of profiling activities, especially where aimed at displaying behavioral advertising and customized analysis of the behavior of the websites visitors.

 

The first level should also include the hyperlinks to the privacy policies for the single services.

 

The second level should include the privacy policies of the single services. In this level, previous versions of the privacy policies, even if no longer in force, should be stored; users should be warned about specific risks that may arise by the use of the services (for example, in case of choice of password which is not enough secure).

 

The rules on privacy policy should be applied in the same way for each kind of device (mobile, tablet, computer, laptop and TV plug-in) and for each application made ​​available to users.

Consent

In order to use personal data of its users for profiling and behavioral advertising activities, Google must reach their prior consent. An implied consent – through the use of the service as an acceptance of the personal data processing – is not allowed by the law.

 

Similarly, a consent is always required in case of fingerprint and cookies.

 

In case of unauthenticated users, it is necessary that the home page expressly holds that the website collects personal data, providing a hyperlink to the privacy policy and another hyperlink which allows users to deny their consent in case of profiling.

Data retention

Google will have to define certain times of data retention on the basis of the provisions of the Privacy Code, for both “active” and “back up” personal data (i.e. personal data stored or not). Regarding the deletion of personal data, the DPA has ordered Google to process the requests from its users (who are easily identifiable) within two months in case of active personal data and within six months in case of personal data stored on back up systems. As for the requests for cancellation affecting the use of the search engine, the Italian DPA decided to wait for further applicative development of the judgment of the Court of Justice of the European Union on the right to be forgotten.

 

Google will have 18 months to comply with the requirements of the DPA. During this time, the Authority will monitor the implementation of the measures required. The company will have to submit to the DPA, by September 30, 2014, a verification protocol, which will become binding once signed, and which will settle when and how the DPA will make its further checks on Google.

 

The post The Italian Data Protection Authority on Google’s Privacy Policies appeared first on IPOsgoode.

]]>
Intellectual Property Rights: study indicates that roughly 35% of jobs in the EU rely on IPR-intensive industries /osgoode/iposgoode/2013/10/03/intellectual-property-rights-study-indicates-that-roughly-35-of-jobs-in-the-eu-rely-on-ipr-intensive-industries/ Thu, 03 Oct 2013 20:09:02 +0000 http://www.iposgoode.ca/?p=22672 The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. The European Commission today welcomed the publication of a study on Intellectual Property Rights, which was carried out jointly by the European Patent Office (EPO) and the Office for Harmonization in the […]

The post Intellectual Property Rights: study indicates that roughly 35% of jobs in the EU rely on IPR-intensive industries appeared first on IPOsgoode.

]]>
The re-posting of is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.

The European Commission today welcomed the publication of a study on Intellectual Property Rights, which was carried out jointly by the European Patent Office (EPO) and the Office for Harmonization in the Internal Market (OHIM). This study, “Intellectual Property Rights intensive industries: contribution to economic performance and employment in Europe” (September 2013), measures the importance of Intellectual Property (IP) rights in the EU economy. Key findings of the study are that about 39% of total economic activity in the EU (worth some €4.7 trillion annually) is generated by IPR-intensive industries, and approximately 26% of all employment in the EU (56 million jobs) is provided directly by these industries, while a further 9% of jobs in the EU stems indirectly from IPR-intensive industries. to read more.

The post Intellectual Property Rights: study indicates that roughly 35% of jobs in the EU rely on IPR-intensive industries appeared first on IPOsgoode.

]]>
On the newly proposed Italian Regulation on Copyright Protection in Audiovisual Media Services /osgoode/iposgoode/2013/08/02/on-the-newly-proposed-italian-regulation-on-copyright-protection-in-audiovisual-media-services/ Fri, 02 Aug 2013 14:00:04 +0000 http://www.iposgoode.ca/?p=21982 The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. Last Thursday the Italian Communication Authority (“AGCOM”) has issued a new draft regulation entitled “Draft regulation on copyright on the electronic communication networks and implementing measures pursuant to Legislative Decree of April […]

The post On the newly proposed Italian Regulation on Copyright Protection in Audiovisual Media Services appeared first on IPOsgoode.

]]>
The re-posting of is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.


Last Thursday the Italian Communication Authority (“AGCOM”) has issued a new draft regulation entitled “” (Annex A to the AGCOM decision no. 452/13/CONS of July 25, 2013) (“Regulation”).

Among other provisions specifically focused on online copyright enforcement (), the Regulation provides for a new administrative procedure before the AGCOM in case of copyright infringements carried out by Audiovisual Media Services Providers (“MSP”).

The AGCOM launched a 60-day public consultation to collect stakeholder comments on each article of the Regulation and to allow stakeholders to propose specific amendments to the Regulation itself. Afterwards AGCOM will evaluate the comments received and it will decide whether or not to embrace them in the context of the final regulation. According to Article no. 19 of the Regulation will entry into force on next February 3, 2014.

1. The provisions focused on Audiovisual Media Services

The 19 articles regulation is divided into five chapters. The forth chapter entitled “Provisions on the Protection of Copyright on the Media Services” (articles 11-15) provides for a new administrative procedure before AGCOM that can be followed to obtain the stoppage of the broadcasting on Audiovisual Media Services of works which infringe copyright or allied rights.

According to article 12 of the Regulation when copyright or an allied right is infringed by means of a linear or an on-demand audiovisual media service or a program is broadcasted in breach of the license agreement (even with reference to the timescale of the broadcasting) the right holders might file a complaint before AGCOM (using a specific form provided by the same authority) requiring to order the MSP to stop the broadcasting of the relevant program.

Using the complaint-form rights holders shall provide the details of the alleged infringement (i.e. documentation which shows the ownership of the rights on the program, copy of the program, brief description of the alleged infringement, contact details of the relevant Audiovisual Media Service Provider etc.).

Within 10 days starting from the receipt of the complaint AGCOM’s direction for media services might decide to:

1) dismiss the case when:

  • the right holder has not used the AGCOM compliant form or failed to provide key information on the alleged infringement of its right;
  • the complaint is related to a subject matter which is out of the scope of the Regulation;
  • the complaint seems manifestly groundless to AGCOM; or

2) start a formal investigation on the case by sending a notice to the MSP informing him on the details of the case and the outcomes of the preliminary investigations carried out by AGCOM competent direction.

The MSP might file a counter-complaint before AGCOM explaining its defensive arguments within 7 days starting from the receipt of the AGCOM notice.

In 20 days starting from the sending of the notice the AGCOM’s direction ends the investigation and propose to the AGCOM board for services and products the adoption of the appropriate measures towards the relevant MSP. During the investigations AGCOM’s direction might require to third parties the disclosure of information or documents which are relevant for the case. Such parties shall provide AGCOM’s direction with the requested information or documents within 5 days starting from the request.

The AGCOM’s board within the following 40 days shall issue its decision on the case.

The board could dismiss the case when the investigations revealed the groundlessness of the complaint or it might adopt the following measures:

  • a warning letter to the linear MSP requiring the stoppage of the broadcasting of the relevant program which infringes the copyright of the right holder;
  • a stoppage order towards the on demand MSP requiring to remove the relevant program form the ones made available to their users.

Even if it is not expressly recalled within the Regulation, according to Article 1 of the Law no. 249/1997 in case of non-compliance with the AGCOM’s decisions, AGCOM might issue fines towards the involved MSP ranging from EUR10,000 to EUR250,000.

Finally, article 15 of the Regulation provides with a specific procedure in connection with the infringement carried out by the satellite providers which are under the Italian jurisdiction or which are not subject to the jurisdiction of any European member State.

2. Conclusive remarks

Generally speaking the provisions related to MSPs seem more balanced and in line with the AGCOM field of competence on copyright protection (as depicted by Article 32-bis of the Italian Code on Audiovisual media and radio services) as compared with the ones proposed in connection with the online copyright enforcement.

The public consultation launched by AGCOM will be helpful to collect the opinions of the stakeholders on the proposed regulation and hopefully to refine the above outlined provisions that will provide right holders with an effective and fast tool to ascertain the infringement of their rights and then collect the relevant damages by means of actions to be started before the competent courts.

Marco Bellezza is a media lawyer and Senior Associate atPortolano Cavallo Studio Legale. He is also a member of the Managing Committee of .

The post On the newly proposed Italian Regulation on Copyright Protection in Audiovisual Media Services appeared first on IPOsgoode.

]]>
A New Arrival in the IGF Family: the Dynamic Coalition on Network Neutrality /osgoode/iposgoode/2013/07/25/a-new-arrival-in-the-igf-family-the-dynamic-coalition-on-network-neutrality/ Thu, 25 Jul 2013 16:04:42 +0000 http://www.iposgoode.ca/?p=21887 The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective. Last week, the Secretariat of the United Nations’ Internet Governance Forum approved the creation of the Dynamic Coalition on Network Neutrality. Along with a conspicuous number of workshops, dynamic coalitions represent the […]

The post A New Arrival in the IGF Family: the Dynamic Coalition on Network Neutrality appeared first on IPOsgoode.

]]>
The re-posting of is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.

Last week, the Secretariat of the United Nations’ Internet Governance Forum approved the creation of the .

Along with a conspicuous number of workshops, dynamic coalitions represent the structural elements of the IGF. Both elements have a heterogeneous multi-stakeholder composition and are aimed at the discussion of “public policy issues related to key elements of Internet governance”, as the IGF mandate suggests. (Tunis Agenda, para. 72.a)

On the one hand, IGF workshops are unique events which allow various stakeholders to jointly analyse “hot topics” or to examine progress that such issues have undertaken since the previous IGF. On the other hand, dynamic coalitions are supposed to evolve over the years in a lively fashion and represent an exceptional opportunity to build an enduring and collaborative policy-shaping effort.

The long-term nature of dynamic coalitions is probably better-suited in order fulfil one of the most forgotten subparagraphs of the IGF mandate, according to which the forum shall “[i]dentify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations”. (Tunis Agenda, para. 72.g)

Indeed, IGF workshops are extremely circumscribed events and although the content of their discussion is usually extremely valuable, their 90-minute length does not allow them to generate political momentum around the issues they raise and confines workshops’ debates to a conference-centre room and to a usually un-consulted report. Au contraire, dynamic-coalitions’ activities are supposed to be much broader than a 90-minute-long meeting, which is rather a moment to share the work that has been achieved over the year, discuss it and envisage the next steps.

The Interest of Creating the Network Neutrality Dynamic Coalition

“Network neutrality” is an appealing and multifaceted expression which encompasses several policy areas and may give rise to misinterpretations.

In view of the various approaches to this multi-faceted topic, it is important today to address the question of network neutrality through a multi-stakeholder approach. The purpose of the Network Neutrality Dynamic Coalition, therefore, is to provide a discussion arena aimed at allowing all interested stakeholders to jointly scrutinise the various nuances of the network-neutrality debate so as to ultimately contribute to the circulation of best practices and the elaboration of well-advised policies and regulations.

The idea of a Dynamic Coalition on Network Neutrality was presented during Multi-Stakeholders Dialogue on Network Neutrality & and Human Rights, organised under the auspices of the Council of Europe. Many of the stakeholders involved in the event have immediately manifested their interest in the initiative, stressing the need to clarify the network neutrality debate and highlighting the interest of a platform aimed at promoting the dialogue on the matter.

An Action Plan

The Dynamic Coalition on Network Neutrality will provide a common platform involving a large variety of stakeholders in a cooperative analysis of the network neutrality debate. Beyond , which will provide basic information on the work done by the dynamic coalition (e.g. publications, events, etc.), the of the coalition will allow all members and interested individuals to discuss in an open and interactive fashion.

The goal of the Dynamic Coalition will be to inform and disseminate information on current trends and policy developments with regard to network neutrality. To this end, an annual report will be produced to provide an overview on Net Neutrality tendencies, policies and draft legislation. The first Annual Report will be dedicated to the relation between network neutrality and human rights and will encompass a selection of position papers that will be presented and discussed at the next IGF.

to the 1st Annual Report of Dynamic Coalition on Network Neutrality has been recently issued and all interested individuals and organisations are invited to participate.

Lastly, the Dynamic Coalition will attempt to elaborate a “model framework” on network neutrality, which can be deemed as consistent with international human-rights standards. Such a model framework will aim at providing guidance to national legislators and respond to the growing able to safeguard end-users’ human rights and fundamental freedoms while fostering fair competition and freedom to innovate.

By all means, every interested stakeholder is welcome this collaborative effort.

Luca Belli is a PhD candidate in Public Law at PRES Sorbonne University / Université Panthéon-Assas / CERSA; ISOC returning Ambassador to the United Nations Internet Governance Forum and member of the Steering Committee of .

The post A New Arrival in the IGF Family: the Dynamic Coalition on Network Neutrality appeared first on IPOsgoode.

]]>
The Italian ‘Google Vividown’ Case: ISPs’ Liability for User-Generated Content /osgoode/iposgoode/2013/05/29/the_italian_google_vividown_case/ Wed, 29 May 2013 15:10:52 +0000 http://www.iposgoode.ca/?p=21153 The re-posting of thisanalysisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective. On 21 December 2012, the Milan Court of Appeals overturnedthe decision issued in 2010 by the Court of Milan in the’Google Vividown’ case. Filed on 27 February 2013, the Courtof Appeals’ decision was based on […]

The post The Italian ‘Google Vividown’ Case: ISPs’ Liability for User-Generated Content appeared first on IPOsgoode.

]]>
The re-posting of thisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective.


On 21 December 2012, the Milan Court of Appeals overturnedthe decision issued in 2010 by the Court of Milan in the’Google Vividown’ case. Filed on 27 February 2013, the Courtof Appeals’ decision was based on and confirmed the generalprinciple that Internet Service Providers (ISPs) have nogeneral duty to monitor user-uploaded content on theirsystems. Laura Liguori and Federica De Santis, Partner andAssociate respectively at Portolano Cavallo Studio Legale,analyse the impact of the case on ISPs’ liability and the widerlandscape of overlapping interests in the digital climate.

In this case, three executives from Google were sentenced to a six-monthsuspended conviction for unlawful data processing pursuant to Italian dataprotection laws after a video showing an autistic boy being bullied by hisclassmates was uploaded to the Google Video platform. The Milan Court ofAppeals overturned the 2010 first instance ruling by finding the Googleexecutives not guilty for unlawful data processing under Italian law.

Court of Appeals

First, the Court of Appeals upheld the lower court’s decision to acquit theGoogle executives of defamation, since Google had no duty to review thecontent on its system. According to the Court of Appeals, an ISP’s functionalitywould be clearly impaired if it were required to prevent defamation on itsplatform, as the ISP would have to apply general filtering systems on theuploaded content to prevent defamatory postings.

The Court of Appeal also ruled:

  • the jurisdiction of the Italian Courts applies in the case at hand, as thedamages (the diffusion of the relevant content) occurred in Italy, regardless ofwhere the Google servers with the uploaded content are located.
  • the Italian Data Protection Code (Legislative Decree no. 196/2003) applies toGoogle Italy either because it is established in Italy according to Section 5,paragraph 1 of the Data Protection Code or because Google Italy should beconsidered as ‘non-automated equipment’ located in Italy for processingpersonal data according to Section 5, paragraph 2 of the Data ProtectionCode.

Nevertheless, the decision reversed the unlawful data processing conviction forthe following reasons:

  • No general duty to monitor may be imposed on ISPs, in accordance with therelevant provisions under the EU E-commerce Directive (2000/31/EC),implemented in Italy by the E-commerce Decree (Legislative Decree no.70/2003). From a technical standpoint, it would be impossible to imposesuch a duty, which could undermine freedom of expression.
  • Failure to provide data subjects with a proper privacy notice does not resultin unlawful data processing, punished as a crime under Section 167 of theItalian Data Protection Code, and is subject only to administrative finesaccording to Section 161 of the Code.
  • Only the user who processed the autistic boy’s data when she recorded thedisputed video and then uploaded it to the Google Video platform shouldhave obtained the boy’s parents’ consent before the video was uploaded toGoogle Video, as she was the relevant data controller with regard to suchdata. This did not apply to Google which, according to the Court, is not thecontroller of the data in the video uploaded by users nor is processing datawhen storing such data.
  • Unlawful data processing is considered as a crime only when personal dataare processed (i) with a view to gain an advantage; or (ii) with wilful intent tocause harm to others. The Court of Appeals held that in the case at hand,Google had no intent to profit from the disputed video since no sponsoredlink appeared on it and the Google executives did not act with ‘wilful intent’since they were not aware of the content of the disputed video before it wasuploaded.

Conclusion

The Court of Appeals decision offers a comprehensive overview of Italian caselaw regarding an ISP’s liability for when users violate laws or infringe on others’rights, especially in cases of violation of personal data protection laws. Againstthis backdrop, the decision does not address Google’s role from a dataprotection standpoint nor it clarifies why handling a video (e.g. storing or deletingit) is not tantamount to processing of personal data.

While there are still unclear issues in the decision, the latter will contributesignificantly to the ongoing debate about how to balance the competinginterests involved in the digital environment: protecting personal data and thirdparties’ rights vs. safeguarding freedom of speech and internet freedom.

The post The Italian ‘Google Vividown’ Case: ISPs’ Liability for User-Generated Content appeared first on IPOsgoode.

]]>
About the Boundaries of Fairness in Fair Use /osgoode/iposgoode/2013/05/07/about-the-boundaries-of-fairness-in-fair-use/ Tue, 07 May 2013 17:27:44 +0000 http://www.iposgoode.ca/?p=20894 The re-posting of thisanalysisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective. On the 20th of March this year, the United States District Court for the Southern District of New 91ɫ, in the person of Judge Denise Cote, emitted a ruling fated to prompt lively debate and […]

The post About the Boundaries of Fairness in Fair Use appeared first on IPOsgoode.

]]>
The re-posting of thisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective.

On the 20th of March this year, the United States District Court for the Southern District of New 91ɫ, in the person of Judge Denise Cote, emitted a ruling fated to prompt lively debate and marked reactions. A closer look at the analysis conducted by the Judge will provide further insight into the reasons determining this outcome, which was largely focused on issues of law as the factual ground was almost totally undisputed.

The ruling concerned copyright law and, more specifically, the application of the doctrine of Fair Use, according to which certain uses of copyrighted work for certain purposes such as news reporting or criticism do not constitute an infringement of copyright, as clearly stated by §107 of the Copyright Act. As is well known, in order to fall within the scope of Fair Use, a given use of a copyrighted work must be assessed by four criteria laid out in §107 of the US Copyright Act.

The plaintiff, Associated Press, which has been an important news cooperative operative in the United States since 1846, filed a motion for summary judgment claiming infringement of copyright against Meltwater US1 Inc., an online service company founded in Norway in 2001.

The latter, by means of its “Meltwater News” service, has been providing its subscribers with weekly reports containing excerpts of news articles, among which some taken verbatim from AP’s copyrighted articles.

Meltwater’s main defense consisted essentially in alleging that its activities were the same as the usual transformative use made by search engines, hence it accordingly stressed that they were to be considered as Fair Use. In this respect the Judge established that the defendant had failed to provide sufficient evidence that the activity it had been engaging in could be equated with that conducted by any known search engine, especially on the grounds of the “click-through” test, and thus it could not be included in what the Judge called “breathing space”, making reference to Fair Use.

In the Judge’s opinion, an accurate assessment of the four factors constituting Fair Use in light of the purpose of Copyright Law weighed heavily against Meltwater and thus the defendant was to be considered culpable of copyright infringement.

With specific regard to the first factor (Purpose and Character of the Use), Meltwater’s conduct was referred to as “free-riding”, clearly aimed at supplanting the service that AP and its licensees offer the public. The Court found no element in favor of a finding of transformative use as Meltwater had constantly engaged in verbatim reporting of key words and excerpts surrounding them, from AP.

Moreover the Judge considered the Meltwater News click through rate as not comparable with that of other search engines. More specifically, it clearly emerged from undisputed evidence that Meltwater subscribers very rarely accessed third-party websites (i.e. the original source of the information), thus making the argument by which the service in dispute could be equated with that offered by a search engine quite difficult to sustain. In fact, the very low click through rate only seemed to strengthen the Judge’s conviction that Meltwater was acting as a substitute service for AP or its licensees rather than encouraging its subscribers to access original articles.

Moreover, in the context of a comparison between Meltwater News and Google News Alerts, the Judge granted AP’s argument that Google’s excerpts do not usually include the lede and are also considerably shorter. This appeared to be a strong factor in the Judge’s final decision, especially in consideration of the fact that Meltwater failed to provide any sufficient element to demonstrate that its service could be equated with that of a search engine.

The conclusion concerning the first element of Fair Use made by the Court, whilst rejecting further arguments offered by Meltwater in relation to previous cases such as Perfect 10, Inc. v. Amazon.com [1] and Kelly v. Arriba Soft Corp [2], appears to be as follows: search engines usually engage in transformative uses of copyrighted works, however, since Meltwater failed to provide sufficient evidence that its use is similar to that of a search engine, since it is not transformative, its activity cannot fall under the scope of Fair Use. The first factor thus weighed strongly against Meltwater.

Such a finding is of great importance as it draws a clear line between what can be considered a transformative use and what cannot. The interpretation of the role of the lede and of the composition of the articles also played an important role in considering Meltwater’s use to be non-transformative. Although reporting of facts is not copyrightable, the way news is reported “may display originality” and therefore may be subject to protection under Copyright Law.

The Judge also made a short digression on the requisites for a finding of fair use in relation to the nature of the copyrighted work, recalling the necessity for a clear difference in treatment for fictional and factual copyrighted works and also concerning their published or unpublished status. Accordingly, this element was considered to be neutral as AP deals with news articles, which are much more subject to application of Fair Use than works of fiction.

It was in relation to the factor concerning the amount and substantiality of the copying that Meltwater’s defense strategy appeared to be totally deficient. In taking a closer look at the qualitative aspect of this element, it is important to highlight the conflicting interpretation of the role of the lede of the articles. According to AP, in fact it “is meant to convey the heart of the story”, with its crafting requiring a high degree of journalistic skill. Conversely, Meltwater News service, which, according to a Meltwater employee, was aimed at saving client time “so you don’t have to read the full article”, harnessed the lede as a teaser and not as a summary of the news.

From a merely quantitative point of view, although the court admitted that “no bright-line rule exists with respect to how much copying is too much”, recalling the Supreme Court’s outcome in Campbell v. Acuff-Rose sufficed to consider the copied portions of the articles excessive.

Not only did the claims raised by AP result in being highly effective for their purpose, but Meltwater lacked appeal to the court, with all its arguments being rejected, particularly that stressing its equivalence to a search engine.

Lastly, there are the Court’s consideration of the effect of Meltwater News activities on AP’s market contained in the introduction to the final assessment on Fair Use. The impact on potential licensing revenues was found essential for the simple reason that the Court qualified Meltwater’s activity as non-transformative, thus acting on a market where the copyright holder was a player. Morever, Meltwater is considered to be not only a direct competitor of AP as its use of the work substitutes the latter’s products, but it also does not pay any licensing fee, thus obtaining an unfair commercial advantage.

The Court finally stated that Meltwater News, far from possibly being considered a search engine, is nothing but a news clipping service, gaining an unfair commercial advantage, whose business model is strictly based on non-transformative, systematic copying of other’s copyrighted expressions.

Meltwater also pointed out without any positive result that, similarly to the famous cases Field v. Google, Inc. [4] and Parker v. Yahoo! Inc. [5], it had an implied license to report the excerpts. Unfortunately for Meltwater, the factual background of the mentioned cases, unlike that of the case at issue, unequivocally demonstrated that the copyright owners were aware of the no-archive meta-tag and of the availability of the search engines to remove the content upon request.

It clearly appears that although Meltwater qualified itself as a search engine, its failure to demonstrate this and the use of its News clipping service by subscribers strongly persuaded the court that its main function was not that of a location tool. The verbatim copying of the lede and of considerable portions of articles, alongside a very low click-through rate strengthened such an interpretation, and also indicated the direction of possible future developments in the judicial interpretation of Fair Use.

The link to the ruling:

 

Notes:

[1] 508 F.3d 1146 (9th Cir. 2007)

[2] 336 F.3d 811(CA9 2003)

[3] 510 U.S. 569, 114 S. Ct. 1164, 127 L. Ed. 2d 500 (1994)

[4] 412 F.Supp. 2d 1106 (D. Nev. 2006)

[5] 2008 WL 4410095 (E.D. Pa. Sept. 25, 2008)

The post About the Boundaries of Fairness in Fair Use appeared first on IPOsgoode.

]]>
Protecting brands on the Internet. A look at approaches taken by the EU, US and Italy /osgoode/iposgoode/2013/04/11/protecting-brands-on-the-internet-a-look-at-approaches-taken-by-the-eu-us-and-italy/ Thu, 11 Apr 2013 17:55:34 +0000 http://www.iposgoode.ca/?p=20737 The re-posting of thisanalysisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective. Introduction Online advertising is the backbone of the internet business model. However, the practice by online advertisers in bidding to use keywords purchased from search engines featuring famous brand names may hurt brand owners’ reputation […]

The post Protecting brands on the Internet. A look at approaches taken by the EU, US and Italy appeared first on IPOsgoode.

]]>
The re-posting of thisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective.

Introduction

Online advertising is the backbone of the internet business model. However, the practice by online advertisers in bidding to use keywords purchased from search engines featuring famous brand names may hurt brand owners’ reputation or divert consumers.

Moreover, the internet offers more opportunities for counterfeiters. Indeed, many online stores, usually run by providers outside the European Union, imitate stores selling genuine products and induce consumers into thinking they are purchasing genuine goods at discounted prices.

So how can brand owners strengthen their brands and protect themselves while third parties are exploiting their trademarks online (e.g. through paid search words, within a website or in the websites’ metatags, etc)? Set out below is an outline of the EU and US approach on the matter.

Liability of Advertisers and Website
Operators for Trademark Infringement

Advertisers bidding keywords identical to trademarks (thus exploiting such trademarks online without the brand owner’s authorization), as well as website operators selling counterfeits may be liable for trademark infringement: this has not been generally questioned either by EU or US courts.

It is worth noting that, to be successful in such trademark infringement claims, trademark owners need to provide adequate evidence (e.g. surveys, testimony) that the use of their trademark online is likely to cause confusion or, especially for well-known trademarks, to dilute the selling power of the trademark.

In the EU, the Court of Justice of the European Union (CJEU) has held that advertisers that purchase keywords identical with a third party’s trademark triggering the display of their own adverts make use of said trademark in the course of trade for the purposes of trademark infringement under EU law (Google France SARL v. Louis Vuitton Malletier SA) (see ‘‘Adwords Liability Shifts From Google to Advertisers After ECJ Ruling’’ [24 WIPR 4, 4/1/10]).

The Court of Justice went on to rule that a trademark owner (in the specific case, the French luxury brand Louis Vuitton) may oppose the use of a keyword corresponding to its trademark where the adverts triggered by the keyword do not enable users, or enable them only with difficulty, to ascertain whether the goods or services being advertised originate from the trademark owner or, on the contrary, from a third party.[1]

Liability of Internet Service Providers
Direct Liability — ‘‘Use in Commerce’’

Whilst the liability of advertisers or counterfeiters is not a controversial point, a key issue is the extent of liability for service providers selling paid adverts or hosting website selling counterfeits.

In particular, debate arises on whether trademark owners may successfully argue that providers are directly/primarily liable for trademark infringement in that they also make ‘‘use in commerce’’ of the trademarks.
Courts across the US and Europe have reached different conclusions at various times.

‘‘[T]o be successful in trademark infringement claims, trademark owners need to provide adequate evidence that the use of their trademark online is likely to cause confusion or dilute the selling power of the trademark’’.

Courts in the United States have found the sale of trademarks as keywords by service providers to be a ‘‘use in commerce’’. Based on this finding, US courts have held providers directly liable for trademark infringement where use of trademarks by such providers was likely to cause confusion or to dilute the selling power of the trademarks. For example:

• Rescuecom Corp. v Google, Inc, where the Court of Appeals for the 2nd Circuit ruled that the recommendation and sale by Google of keywords featuring Rescuecom’s trademark constituted a ‘‘use in commerce’’ for purposes of US trademark law, as far as use of Rescuecom’s trademark causes likelihood of confusion or mistake, and this circumstance needed to be proved by Rescuecom through a trademark infringement lawsuit on remand.

• Rosetta Stone Ltd v. Google Inc, where, whilst a district court in Virginia dismissed the case in 2010, reasoning that the sale of the keywords was not likely to confuse consumers, in April 2012 the Court of Appeals for the 4nd Circuit partially overturned that ruling, holding that the plaintiff provided sufficient evidence to suggest that Google’s use of Rosetta Stone’s trademark was intended to cause likelihood of confusion (see ‘‘US Appeal Court Overturns Summary Dismissal of Rosetta Stone v. Google’’ [26 WIPR 29, 5/1/12]).

Meanwhile in Europe, the Court of Justice ruled that trademark owners could not prevent a keyword advertising platform from selling their trademarks as keywords because that platform does not make ‘‘use’’ of the trademarks in the course of trade for purposes of trademark infringement under EU law by merely enabling its customers to display on its website signs corresponding to trademarks.[2]

The court did not investigate whether the provider, by selling keywords identical with trademarks triggering the display of adverts, was causing confusion on the part of the public. The likelihood of confusion is, instead, as above reported, a relevant test which US courts apply in order to find an internet intermediary directly liable for trademark infringement.

Contributory Liability — Active or Passive Role of the Provider

Apart any direct liability issues, recent landmark trademark cases, both in the US and in Europe, indicate that service providers may be held to contributory liability for third parties’ infringements on their platform for their involvement in, or control over, the infringing activity.

Having regard to the hosting of websites selling counterfeits, the approach of US courts is that, having direct control over the ‘‘master switch’’ that keeps the infringing websites online, web hosts have affirmative obligations to intervene against trademark infringement,[3] resulting in the risk of liability where they do not promptly honor a takedown request.

In addition, some of the most relevant cases in the US include the following:

• The US Supreme Court’s decision in Inwood Laboratories v. Ives Laboratories set forth the traditional test for contributory liability for trademark infringement. The Supreme Court held that contributory liability should be imposed on a defendant that either (a) intentionally induces another to infringe a trademark, or (b) continues to supply its product to one whom it knows or has reason to know is engaging in trademark infringement;[4]

• In Tiffany v. eBay, the US Court of Appeals for the 2nd Circuit ruled that eBay was not liable for contributory trademark infringement on ground that eBay had no more than a general knowledge that sellers were offering counterfeit Tiffany jewelry on its marketplace. Therefore, Tiffany failed to prove that eBay had specific knowledge of specific sellers of counterfeit Tiffany products and had continued to supply services to those sellers.[5]

• In Europe, the Court of Justice’s landmark decision in Google France v. Louis Vuitton clarified that a keyword advertising platform may be held to contributory liability for the potentially infringing activity carried out by advertisers on its platform if it played an active/not merely technical role in facilitating the infringement.

Following this ruling, a Paris court in Olivier Martinez v. Google and Prisma Press found that Google’s provision of its AdWords service had not been merely technical, automatic and passive, on ground that Google had knowledge of the keywords and of the content of the advertisement, and played an active role. In that case, the court gave relevance, inter alia, to the fact that Google’s terms of use provided Google with editorial control over the content of the adverts.[6]

‘‘Operators of an online marketplace that provide assistance in optimizing the presentation of online offers for sale or promoting such offers perform an active role [and] thus cannot rely on the liability exemption’’.

The extent of providers’ liability for trademark infringements carried out on the internet was further discussed in L’Ore´al v. eBay, handed down by the CJEU on July 12, 2011 (see ‘‘CJEU Determines Extent of Duty for Marketplace Websites to Prevent Trade Mark Infringement’’ [25 WIPR 47, 9/1/11]).[7] On this occasion, the Court of Justice significantly pointed out that:

• Operators of an online marketplace that provide assistance in optimizing the presentation of online offers for sale or promoting such offers perform an active role, thus they cannot rely on the liability exemption that the E-Commerce Directive (2000/31/EC) grants to online service providers in certain circumstances;

• Even if the provider did not provide such assistance, it may nonetheless be held liable if it is aware of facts or circumstances from which the unlawful information is apparent and fails to remove this information from its platform;

• National courts should be able to issue orders against online service providers to take measures which contribute not only to bringing to an end trademark infringements by users of that marketplace, but also to preventing further infringements of that kind. These measures could strongly help trademark owners in protecting their brand on the internet.

Italian Law

Italian law does not provide specific rules in connection with the exploitation of trademarks on the internet. Therefore, the general rules governing the use of trademarks in the physical world are applied.
Trademark owners may bring proceedings before courts to:

• Claim that unauthorized use of their trademarks by third parties infringes their trademark rights and, when the third party is a competitor of the trademark owner, constitutes unfair competition;

• Seek compensation for damages suffered from the infringement and ask for publication of the court’s decision.

• In most serious cases trademark owners might seek preventive seizure of the infringing websites, to be enforced by means of a court order requiring Italian ISPs to block the relevant websites so that internet users in Italy would be unable to access them. According to recent Italian case law:

• If a website wrongfully uses a registered trademark (for example in one case, the word ‘‘Moncler’’) in its domain name, and if a court order is sought to block access to the website, such an order cannot be granted unless the applicant produces evidence of the website’s illicit content or purpose;

• In order to block access to a website that offers counterfeit goods, a trademark owner must produce adequate evidence of the illicit activity carried out through the website.[8]

• Moreover, it is worth noting that an increasing number of recent cases show a new Italian perspective on nontraditional IPR remedies, such as the shutdown of websites found liable for unfair commercial practices.

Indeed, brand owners can look for protection by notifying infringement of their trademark rights to the Italian Antitrust Authority (‘‘IAA’’), which has recently started ordering the blocking of some websites involved in the online sale of fashion products, enforced through the collaboration of the law enforcement agency Guardia di Finanza.

In 2012, the IAA banned a number of websites referred to as the Private Outlet Network from being accessed by users residing in Italy on grounds of infringement of consumer protection rules,[9] and in January 2013 the authority ordered the blocking of a number of Chinese websites selling counterfeits of luxury goods ‘‘made in Italy’’ (Gucci, Prada, Hogan). [10]

The IAA found the websites liable for unfair commercial practices towards Italian consumers on the bases that they:

• Provided misleading information on the nature and characteristics of the products bearing the famous brands, which have been ascertained to be counterfeits;

• Omitted relevant information on the vendor’s identity and contact details and on post-sale consumers’ rights (e.g. withdrawal right);

• Failed to inform consumers of their rights under the legal warranty, which could not be offered as the products were counterfeits.

• Moreover, the unfair commercial practices carried out by two of the websites were found to be particularly insidious as they imitated the look of the luxury goods companies’ online stores and induced consumers into thinking they were purchasing genuine goods from official resellers.

Protecting Brands

The case law in both the EU and the US may provide brand owners with a road map as to how to protect their trademarks online. Here are some top tips for online brand protection:

• Monitor the use of trademarks on the internet, also with the assistance of specialized companies, and save screenshots of possible violations.

• Promptly notify service providers of any alleged infringement of trademark rights by providing any relevant information and identifying the exact URL of the relevant webpage. Legal assistance in drafting proper notices and cease-and-desist letters is in any case recommended to incisively enforce trademark rights.

• Develop a strategy for dealing with infringements, by identifying the key threats for brands and prioritizing infringements.

 

Notes

[1] Joined Cases C-236/08, C-237/08 and C-238/08, March 23 2010.
[2] Id.
[3] Louis Vuitton Malletier SA v. Akanoc Solutions Inc (658 F 3d 936, 9th Cir 2011).
[4] 456 US 844 (1982).
[5] 600 F 3d 93 (2nd Cir 2010).
[6] Decision of November 14, 2011.
[7] L’Ore´al SA and Ors v. eBay (Case C-324/09).
[8] Court of Padua, decision of November 4, 2011.
[9] Resolution of March 6, 2012.
[10] Resolution of January 23, 2013.

Published on Bloomberg BNA – World Intellectual Property Report

The post Protecting brands on the Internet. A look at approaches taken by the EU, US and Italy appeared first on IPOsgoode.

]]>
Developments in Data Protection in 2012 and Trends for 2013 /osgoode/iposgoode/2013/03/05/developments-in-data-protection-in-2012-and-trends-for-2013/ Tue, 05 Mar 2013 19:08:40 +0000 http://www.iposgoode.ca/?p=20375 The re-posting of thisanalysisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective. 2012 was a very busy year for Italian lawmakers. Several laws significantly amended the Italian data protection legal framework, as set forth in the Italian Data Protection Code (Legislative Decree No. 196/2003). It is, however, […]

The post Developments in Data Protection in 2012 and Trends for 2013 appeared first on IPOsgoode.

]]>
The re-posting of thisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective.

2012 was a very busy year for Italian lawmakers. Several laws significantly amended the Italian data protection legal framework, as set forth in the Italian Data Protection Code (Legislative Decree No. 196/2003).

It is, however, questionable whether these changes genuinely succeeded in achieving their main objective: reducing the administrative burdens on enterprises processing personal data. Furthermore, the various amendments to the Data Protection Code made the overall framework even less clear.

Here follows a selection of the most relevant innovations in the Italian data protection legal framework and a preview of the trends for 2013.

REVIEW OF 2012

• New definition of personal data and data subject
In December 2011 the Italian Government passed Decree no. 201/2011, which excluded legal entities from the definitions of “data subject” and “personal data”.

These amendments aimed at reducing the bureaucratic requirements and administrative burdens on data controllers processing personal data. However, uncertainty arose as to whether legal entities had been excluded in toto from the protection afforded by the Data Protection Code.

With its Resolution of September 20, 2012 the Italian Data Protection Authority (Garante) gave an official interpretation of the aforementioned amendments, clarifying that legal entities were still included in the definition of “subscribers”, and that the provisions set forth by the Data Protection Code for the latter (e.g. unsolicited marketing communications and telemarketing rules) therefore still apply to them.

• Cookies
With long-awaited Legislative Decree no. 69/2012, after almost a year of delay, Italy implemented EU e-Privacy Directive no. 2009/136/EC, which amended Directive 2002/58/EC and provided for an “opt-in” principle regarding the use of cookies (i.e. small files that store information on users’ computer equipment).

As a result of the implementation of the e-Privacy Directive:

− Storing information on users’ computer equipment and retrieving said information in the form of cookies is lawful only after having obtained users’ consent.

− Consent must be informed, i.e. data subjects shall be provided with an information notice, which can be simplified according to a resolution issued by the Garante.

− Consent can be expressed through the settings of a piece of software or other device.

User consent is not always required. In line with the guidance provided by the Article 29 Data Protection Working Party, users’ prior consent shall not be obtained for technical cookies such as session-ID cookies (e.g. shopping cart session cookies used for purchasing items online); authentication cookies and multimedia player cookies (e.g. FlashPlayer cookies), provided they expire at the end of each session; customization cookies (e.g. language preference cookies) or social network content sharing cookies for users who are “logged in” to the relevant social network.

Information shall in any case be provided to users, although consent need not be obtained.

As regards the information requirement, with Resolution of November 22, 2012 the Garante launched a public consultation among consumers and the main relevant operators to gather proposals and lay down appropriate user information mechanisms. The public consultation, which opened on December 19, 2012, will close on March 19, 2013.

• New data breach notification requirements
Legislative Decree no. 69/2012 required providers of publicly available electronic communications services (e.g. telecoms operators and Internet access providers) to deal with personal data breaches (i.e. breaches of security leading to the accidental destruction, loss, or unauthorized disclosure of, or access to, personal data processed in connection with the provision of a publicly available electronic communications service).

Under the new provisions, providers shall notify the Garante of the personal data breach without undue delay. In the most serious cases, providers shall also report breaches to the subscriber or other relevant individuals without delay.

On July 26, 2012, the Garante issued guidelines and instructions for the implementation of the new security requirements in specific connection with the circumstances in which a provider shall be obliged to notify of personal data breaches, the format of the notification and the manner in which the notification shall be made.

Furthermore, the Garante launched a public consultation on certain topics related to the implementation of the new requirements in order to harmonize the procedures and modalities of the notification of personal data breaches.

While the public consultation is closed, its outcome has not yet been published.

• Security measures
A recent Decree (no. 5/2012) simplified the security obligations imposed on data controllers.

In particular, the Decree abolished the obligations of those processing sensitive data (e.g. data disclosing racial or ethnic origin, sexual orientation or health) or judicial data (e.g. data disclosing convictions for criminal offences) by electronic means to draft and update a security policy document (“Documento Programmatico sulla Sicurezza”) by March 31 of each year.

This document shall include, amongst other content, a description of the relevant data processing operations carried out and the security measures implemented. In addition, the adoption of, and any significant update to, the security policy document shall be referred to in the minutes of a Board of Directors’ meeting.

Nonetheless, the other security measures prescribed by the Data Protection Code remain in place (e.g. computerized authentication, such as usernames and passwords, the use of authorization systems, and the implementation of back-up and restoration procedures for safeguarding data and systems).

• The processing of judicial data
Decree no. 5/2012 extended the possibility of data controllers processing judicial data. Before the Decree, the processing of judicial data was only allowed where authorized by either a specific statutory provision or by the Garante, specifying a substantial public interest justification, the categories of the processed data and the operations that may be performed on the data.

The Decree introduced the additional possibility of processing judicial data in accordance with agreements to prevent and counter organized crime entered into with the Ministry for Home Affairs and/or its peripheral offices. Such agreements shall specify the categories of processed data and the processing operations to be performed.

PREVIEW OF 2013

In 2013 there will be a new government in Italy, which will hopefully move towards a more comprehensive approach to data protection. Here follows a preview of the top privacy trends for 2013.

• Cookies
Recent changes to the rules on cookies are less substantial in Italy than in the rest of Europe. Indeed, the opt-in rule was actually already provided by the Italian Data Protection Code, even though it only applied to technical cookies. Any other type of unauthorized access or storage in the user’s PC was prohibited.

This rule, however, had never been enforced by the Garante and an opt-out through the user’s browser settings had been (and still is) common practice.

The opt-in rule for the use of cookies by website operators has stirred controversy about how to implement it from a practical standpoint.

Will the Garante’s new guidance on cookies help website operators to deal with the “opt-in” rule?

• Data breaches
2013 should be the year that more companies embrace the concept of security breaches within the context of their broader IT strategy in order to deal with security vulnerabilities.

Security on mobile devices should also be a major issue in 2013.

Guidance from the Garante is expected based on the recently closed public consultation.

• Mobile advertising
As the use of mobile devices and apps grows, tracking and profiling technologies will pose increasing risks to users’ online privacy and new challenges for the online/mobile business.

• Privacy by design and privacy by default
Mobile devices pose privacy challenges that are unique to the mobile context. Specifically, controllers and app developers will increasingly consider privacy issues from the very outset of the design process, under a privacy by design and privacy by default approach.

This approach will also characterize the development of any product or software involving the processing of personal data.

• Cloud computing
The ever-expanding adoption of cloud computing technologies by companies will raise significant issues, mainly surrounding a lack of control over personal data and questions about how, where and by whom personal data is processed.

• Binding corporate rules (BCR)
BCR are internal codes of conduct that establish policies for the transference of personal data outside the EU. European Data Protection Authorities launched BCR for processors on January 1, 2013. Over the next twelve months we expect an increasing number of multinational companies to start using BCR.

• EU Data Protection Regulation
The Italian data protection framework is set to be shaken up by the future EU Data Protection Regulation, proposed by the European Commission on January 25, 2012, which aims to reform data protection laws across the EU. The proposal is currently under scrutiny at EU level. Once it is formally adopted, the Regulation will be directly applicable to all Member States and businesses will have a two-year timetable to become compliant with the new obligations. Companies may wish to start considering the new requirements now in order to be well prepared once the Regulation enters into force.

The post Developments in Data Protection in 2012 and Trends for 2013 appeared first on IPOsgoode.

]]>
Online Copyright Infringement Tracker Benchmark Study /osgoode/iposgoode/2012/12/10/online-copyright-infringement-tracker-benchmark-study/ Mon, 10 Dec 2012 18:34:27 +0000 http://www.iposgoode.ca/?p=19519 The re-posting of thisanalysisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective. This report details the main findings of a large-scale consumer tracking study into the extent of online copyright infringement, as well as wider digital behaviours and attitudes, among people aged 12+ in the UK. The […]

The post Online Copyright Infringement Tracker Benchmark Study appeared first on IPOsgoode.

]]>
The re-posting of thisis part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media ina Comparative Perspective.

This report details the main findings of a large-scale consumer tracking study into the extent of online copyright infringement, as well as wider digital behaviours and attitudes, among people aged 12+ in the UK.

The study was commissioned by Ofcom, undertaken by Kantar Media and made possible by financial support from the UK Intellectual Property Office (IPO). It is the first in a series of research waves intended to generate benchmarks and time series relevant to the access and use of copyright material online.

The research stemmed from a recommendation in the 2011 Hargreaves Review of Intellectual Property and Growth that Ofcom should not wait until its formal reporting duties arising from the Digital Economy Act began to start gathering independent data and establishing trends in the area of online copyright. Government adopted this recommendation and tasked Ofcom and IPO to work together to conduct research to gather the necessary evidence. This report is the result of this partnership.

This is a complex research task. The ways in which consumers access and share copyright material online change regularly, and infringement levels in particular are notoriously difficult to measure. Rather than focusing on one industry, the study looks at six main types of online content music, film, TV programmes, books, video games and computer software and for each of these assesses levels of infringement and locates this within wide patterns of consumer behaviour and content consumption.

The study seeks to provide as comprehensive a dataset as possible. It includes both older children (12-15 year olds) and adults who use the internet less frequently to get a nationally representative sample of UK individuals aged 12+. This requires a very large sample size (4400 individuals), and a hybrid online and face-to-face survey methodology. This approach has been carefully piloted and subjected to independent peer review. As such, we are confident that it represents the most appropriate and rigorous consumer research methodology to use in this area.

That said, as with all approaches to research, consumer surveys have limitations. In particular they rely on participants reporting their behaviour accurately and honestly a sensitive issue in areas involving unlawful behaviour. We have allowed for this as best we can, most notably by deriving levels of infringing behaviour, rather than asking people about them outright.to read more.

The post Online Copyright Infringement Tracker Benchmark Study appeared first on IPOsgoode.

]]>