Month: October 2014 (page 1 of 2)

The ‘EU Google Tax’ – A very unpromising work in progress?

Let’s tax Googleverything.

Once upon a time or, more precisely, about four years ago, a group of German newspaper publishers filed several antitrust complaints over the use, in the Google News service and in search results, of article snippets from their publications.

One would think that the additional free traffic directed by Google, associated with this inclusion of short snippets from their stories, would actually be beneficial for publishers, generating a larger audience, making their content more valuable, and enabling them to sell more advertising.

That consideration might be quite accurate but, as it seems, completely irrelevant, because the main issue at stake was apparently reduced to the argument that Google was making money out of it:

Hans-Joachim Fuhrmann, a spokesman for the German Newspaper Publishers Association, said the Web sites of all German newspapers and magazines together made 100 million euros, or $143 million, in ad revenue, while Google generated 1.2 billion euros from search advertising in Germany. “Google says it brings us traffic, but the problem is that Google earns billions, and we earn nothing,” Mr. Fuhrmann said.

Although many, in fact, failed to understand how short excerpts shown as part of search results can be detrimental to newspaper publishers, last year the German Parliament actually approved a new kind of copyright to protect online journalism and, consequently, subjected the presentation of news snippets and linking to the source to a licensing fee.

The law, better known as “ancillary copyright for press publishers” or “Leistungsschutzrecht für Presseverleger”, establishes that publishers have the exclusive right to commercialize their products or parts thereof. The law is intended to be particularly applicable to situations where companies commercially use third party content.

Therefore, a commercial aggregator or a search engine will not be able to aggregate quotations and links of journalistic articles unless they have received previous and explicit authorization. However, as this is intended to be a proportionate solution (?), the use of single words or very small text excerpts is allowed.

The main goal to be achieved is to enable publishers to receive an appropriate contribution for their content being promoted, for free, elsewhere than their websites.

Anyway, recently, the very same German publishers filed an antitrust complaint with the German Federal Cartel Office. Allegedly, due to Google’s dominance of the German search engine market, publishers were forced to agree to let Google use the snippets and links for free.

In parallel, based on the abovementioned German law, they also filed a request for copyright compensation with the Copyright Arbitration Board of the German Patent and Trade Mark Office, demanding that Google pay them 11% of its gross worldwide revenue on any search that results in Google showing a snippet of their content.

Well, this could have been just like any regular competition or copyright case. Except, for its ludicrous details, it was not.

To start with, no advertising is displayed in the Google News service. Moreover, publishers do not have to be on Google at all. But, despite being able to ‘opt-out’, without any further consequences, the same publishers didn’t remove themselves from Google’s search. Indeed, Google has already ensured that publishers opting out of Google News won’t have their content removed from its search results. In addition, it has been demonstrated that publishers actually use every tool put at their disposal by Google, including Google Webmaster Tools and SEO (Search Engine Optimization) techniques, in order to achieve a better ranking position in search results.

This whole saga is not so vaguely reminiscent of a comical Belgian case, from 2006, where, following the complaint of a group of publishers alleging that Google was infringing their copyrights by linking to their newspaper articles, Google removed the links referring to content of those newspapers. However, due to the (expected) traffic drop which ensued, those publishers asked to be referenced again in the search engine results. (For more details, see here and here.)

As the story seems to repeat itself, the abovementioned antitrust complaint was ultimately rejected as inconclusive, no sufficient grounds having been found to justify an investigation.

In addition, Google decided to remove existing snippets and not to use any further news snippets referring to publications of those publishers. One would expect the publishers to be satisfied with this initiative but, instead, they dramatically qualified it as “blackmail.”

Confused? Don’t worry. Apparently, this does not have to make any sense at all… And it gets worse!

Not having news snippets referring to their websites shown on Google News obviously put those publishers at a commercial disadvantage compared to other news websites, whose snippets continued to appear in the search results. In this context, and against all odds, the same old group of publishers announced the intention to grant Google a free licence to use those kinds of excerpts.

This has led us to an interesting outcome, indeed.

So we now have a German law which allows publishers to collect license fees from news aggregators and search engines which use snippets of their content.

This law was primarily intended to address the specific concerns of a group of German publishers regarding Google’s market power and to regulate the particular situation of the snippets displayed on Google News.

But it turns out that, after all, Google will benefit from a preferential treatment precisely due to its dominant position in the EU market.

One would innocently expect that Member States could learn from each other’s mistakes…

Well, against our best expectations, that is not the case. Spain has just approved a new copyright law, which is controversial at many levels, namely because it has created a brand new ‘inalienable right’ (derecho irrenunciable) for news publishers.

In practice, it means that publishers won’t be able to refuse the use of “non-significant fragments of their articles” by third parties. However, it creates a compulsory licence to compensate them for that use, which means that copyright holders can’t decide to allow the use of content for free and, therefore, completely overrides any concept of fair use, such as Creative Commons-type licences.

That said, an optimist would still hope that the same mistake wouldn’t be emulated at the EU level.

However, when Günther Oettinger, the next Digital Economy and Society EU Commissioner – considering his previous demonstration of obliviousness regarding the Internet in general – takes a stance on the issue, one cannot help but start worrying.

Indeed, as reported by Julia Reda (the Pirate Party MEP), Oettinger’s recent statements were as follows:

When Google is taking intellectual works from within the EU and using them, then the EU has to protect those works and demand a tax from Google.

I am really not sure that such a tax is the way forward for the EU copyright reform in the digital age we are living in. The reform shouldn’t aim to target companies according to their position on the EU market.

To begin with, I am afraid that the whole aim of copyright laws – to provide an incentive for creativity – is somehow going amiss and that they will end up being used to protect businesses that refuse or are just unable to adapt their strategies to the fast-changing technological reality.

It is always very frustrating for any legal practitioner to deal with laws that are no longer suitable for the reality they are intended to apply to. But it is even more exasperating to deal with laws that were never appropriate to the situation they are intended to regulate. To legislate in the new era with an old mindset is definitely not the way forward.

Moreover, I strongly believe that an extension of the existing copyright laws, namely regarding links, is not compatible with the spirit of openness that characterizes the Web and is mostly a reflection of the interests of publishers who have failed to achieve successful business models on the Internet. Taxing links would most likely lead to the smashing of the very basic premise of the Web.

Furthermore, I am worried that this might be the beginning of the end of freedom and access to unlimited information that characterizes the Internet as we know it and that it will stifle innovation brought by successful entrepreneurship.

Last but not least, all my criticism aside, considering the German example, how ironic would it be if, in the midst of all the concerns surrounding the dominant position of Google in the EU market, and of all the efforts deployed to fracture its market power, its dominant position ended up being strengthened?

The Google Affair – Crossing the Border

You will cross the border. Just saying.

Today I am referring again to the famous Google Spain judgement, better known for ruling on what the press has been popularly calling the ‘right to be forgotten’. The number and complexity of the questions raised in that decision did not allow me to address all of them in the previous posts (here, here, here, and here)… And as I like to honour my promises, I will not promise that this will be the last post regarding that matter.

So, although worldwide attention has been focusing on the fact that individuals may directly address requests for deletion of links from search results to search engines, the ruling also dealt with a key topic that seems to have been undervalued, even though it is equally important for businesses.

I am specifically referring to the territorial scope of Directive 95/46 [1], i.e., whether or not it applies to Google Spain, a subsidiary of Google Inc., given that the parent company is based in Silicon Valley.

In order to fall within the territorial scope of the national provisions implementing the abovementioned Directive, the data processing must be carried out in the context of the activities of an establishment of the data controller on the territory of the Member State, as stated in its Article 4(1)(a).

As foreseen in its recitals, “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements” and “the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor.” [2]

In this regard, the main relevant facts that the ECJ took into consideration were that Google’s search engine is operated by Google Inc. outside of the EU and that it has a subsidiary on Spanish territory which sells advertising connected to the Internet-related activities of Google Inc.

In parallel, the ECJ rejected the argument according to which Google does not carry out its personal data processing activities in Spain and Google Spain is a mere commercial representative for its advertising activities. Instead, the ECJ noted that, pursuant to recital 19 of the Directive, an establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements. [3]

Moreover, it held that Google Spain engages in such activity and, as a subsidiary of Google Inc. with its own legal personality, constitutes an establishment. [4]

According to the ECJ, Article 4(1)(a) of the Directive does not require the processing of personal data to be conducted by the subsidiary itself, but only that it be carried out ‘in the context of the activities’ of the subsidiary. [5] That would be the case, for instance, if the subsidiary promotes and sells advertising space offered by the parent company, which serves to make the service offered by that engine profitable. [6] Since the advertisements are displayed next to search results and finance the website, both activities are inextricably linked. [7]

Furthermore, the Court considered that the very display of personal data on a search results page constitutes processing of such data. As results are displayed, on the same page, with advertising linked to the search terms, the Court concluded that the processing of personal data is carried out in the context of the commercial and advertising activities of the controller’s establishment on the territory of a Member State. [8]

For all these reasons, the ECJ concluded that the processing of personal data in the context of the activities of a subsidiary of the controller established in an EU Member State, which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State, does fall within the territorial scope of application of the Directive. [9]

Last but not least, the Court noted that, in light of the objectives of the Directive, the rules on its scope ‘cannot be interpreted restrictively’, and that it has ‘a particularly broad territorial scope’.

I must confess that I wasn’t particularly surprised by the conclusion that the Directive is applicable to companies based outside the EU, as long as they conduct a noteworthy local activity that has some link to the Internet activities of the parent body.

In fact, notwithstanding the divergence of viewpoints regarding the ‘right to be forgotten’ issue, the ECJ broadly confirmed the Advocate General’s opinion regarding jurisdiction.

The Advocate General had previously established the scope of application of the Directive, pointing out the very nature of the business model of search engines and the inextricable link between Google Inc. and its subsidiary. Thus, the consideration according to which a controller should be treated as a single economic unit would lead to the conclusion that a controller is established in a Member State if the subsidiary which generates its revenues is established in that Member State. In this context, the fact that the technical data processing operations were conducted outside the EU was also disregarded. [10]

As a result, the ruling has broadened the territorial scope of the Directive. Not referring specifically to search engines, it applies to every data processing operation “in the context of the activities of an establishment”. Hence, it means that businesses with operations in the EU might generally be subject to EU Data Protection rules.

The concept of establishment may therefore include non-EU businesses which have branches set up in a Member State. This is particularly relevant as it might affect foreign companies simply by virtue of having local sales subsidiaries in the EU. Moreover, it might potentially extend to every business that has a stable presence in the EU market, even without a European representation.

This is in line with the wider reach of the territorial scope of the forthcoming General Data Protection Regulation, which is intended to be applicable not only to businesses established in the EU. The Regulation will, in fact, introduce some key changes to the existing legal framework.

Firstly, while the current Directive applies to the data processing conducted by an establishment of a data controller in the EU, the new legislation will also cover personal data processing in the context of the activities of an establishment of a controller or a processor established in the Union.

In addition, the Regulation will also be applicable to the processing of personal data of individuals residing in the EU by data controllers who are not established in the EU, when the processing activities are related to the offering of goods and services to data subjects in the EU or to the monitoring of their behaviour (profiling), insofar as their behaviour takes place within the EU.

If implemented, the proposed changes will bring all foreign companies who process EU citizens’ data, many of which have kept their data processing abroad to avoid being subjected to the current Data Protection Directive, within the scope of EU law.

As a consequence, non-EU based businesses will have to reconsider their arrangements for subsidiaries to ensure full compliance with EU Data Protection requirements.

References

1. Directive 95/46/EC of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
2. Recital 19 of the Directive
3. Paragraph 48 of the ruling
4. Paragraph 49 of the ruling
5. Paragraph 52 of the ruling
6. Paragraph 55 of the ruling
7. Paragraph 56 of the ruling
8. Paragraph 57 of the ruling
9. Paragraph 60 of the ruling
10. Paragraphs 64, 65, 66 and 67 of the opinion

♫ I just call to say…la la la ♪: The unromantic side of telemarketing

Not another one! [1]

Missed anonymous calls that leave you wondering who it may have been… Calls from unknown numbers at the most inconvenient moment… Wasting money on returning the call… The displeasure of discovering, mainly if we were expecting a specific important call, that it is only a marketing communication… The frustration of spending long and precious minutes repeating that we are not interested in whatever product the interlocutor is trying to sell…

It most certainly sounds familiar…

From my personal experience I can cite quite a few examples of unsolicited marketing, some of which could actually have been qualified as marketing harassment. Not the best publicity, if you ask me…

From evening calls, to anytime calls, from participating in a raffle only to be attacked by unwanted marketing initiatives, from registering in an online shopping website only to be contacted by financial institutions intending to sell you some credit card, from ordering a body lotion only to start receiving advertising of completely unrelated products…

I am specifically referring to business-to-consumer (B2C) advertising and marketing, through all the channels technologically available to promote companies’ commercial campaigns of products and services among individual buyers.

However, telemarketing is, in my very personal opinion, among the most annoying direct marketing initiatives. It gets worse when calls are repetitive, insistent, and even aggressive, as many of them usually are.

Worse than that? Well, I can easily point out having a salesperson ringing your doorbell right before or, even worse, during dinner time…

If the assumption that consumers’ purchases are usually based on personal emotions is correct, despite not being a marketing genius myself, I am pretty sure that bothering potential clients is never (ever!) the way to go when it comes to attracting consumers. As a matter of fact, I am certain that it can actually lead to the opposite effect. So, if you own a business and somehow your marketing campaign is not working, you might want to check this criterion.

Nevertheless, it is astonishing how frequently marketing initiatives are abusive and unlawful. It never ceases to amaze me how many businesses seem to be completely unaware of their responsibilities as data controllers. I always fail to understand whether they actually ignore their duties or whether they just pretend to in order to take advantage of the data subject’s likely ingenuousness on the matter.

Legal requirements, such as those foreseen in the E-Privacy Directive, i.e., the Directive on privacy and electronic communications, and in Directive 95/46, which is applicable because direct marketing requires personal data processing, are not suitably taken into consideration. It is as if some companies do not acknowledge that individuals have any rights over their personal data, including the absolute right to object to their personal data being used for marketing purposes.

However, while it is merely an inconvenience for me, as I know which reasoning I should refer to and which means are required in order to quickly stop any further annoyance, not everybody does. Sometimes it takes people months before they are able to get definitively rid of any undesirable contact.

The very basic requirement that is applicable to direct marketing – the prior consent of the data subject – seems to be easily overlooked, as many companies sell or share customer data without authorisation. Most of the time, individuals do not even fully appreciate that they are giving their consent or what they are consenting to, or are not even given the possibility to refuse such use of their personal data.

This is particularly worrying considering all the changes which are on the way. If businesses keep ignoring or refusing to acknowledge the requirements they have to comply with, they will commit the offences and suffer the sanctions which will most likely be foreseen, for instance, in the future EU General Regulation on Data Protection.

I already had the opportunity to address some of those forthcoming changes here. However, these are particularly restrictive regarding marketing initiatives.

All forms of marketing communications, including telemarketing and direct mail, will be subject to the individual’s consent. Indeed, the current ‘opt-out’ checkbox system will be replaced by an ‘opt-in’ permission method. This means that any communication which hasn’t been the object of prior, free, explicit and informed consent of the data subject will therefore be forbidden.

The criterion of explicit consent requires a clear statement or an affirmative action. In this context, companies collecting information will have to ensure that the data subject is well aware of the specific purposes of the data collection, namely for marketing purposes.

In parallel, the data subject would be able to access the data collected without being charged any fee. Moreover, if a data subject decides to opt out of marketing communications, marketers will have to delete any records they hold, if requested. Marketers won’t be able to retain any details in that case, unless they can show legitimate grounds for retaining the data.

As a direct result, if companies cannot demonstrate that explicit consent was previously given for marketing purposes, they will have to delete the data. Databases and contact lists will most certainly be severely reduced.

The forthcoming changes will obviously make the conducting of marketing campaigns more difficult and, consequently, will require a shift in the marketing strategies in order to be compliant with the law.

As a consumer, I am always in favour of legislation which protects individuals against ambiguities related to the use of their personal information.

As a lawyer, I can only provide timely and relevant information that will help my clients to comply with the law while (hopefully) simultaneously making a profit for their company.

The unpleasant side of non-compliance with the rules on direct marketing is not limited to bad publicity or reputation. Fines, legal action and financial damages also have strikingly negative effects on businesses. For this reason, companies should start preparing for the forthcoming changes in advance in order to avoid any surprises, save time and money and make the most of the new situation.

References

1. Copyright by methodshop .com under the Creative Commons Licence – Attribution-ShareAlike 2.0 Generic.

The match of the year: Right to be Forgotten vs Right to know

Round 1, Fight!

As it is well-known, the ‘right to be forgotten’ ruling extended the possibilities foreseen under the current EU Data Protection Directive for data subjects to exercise their rights to erasure of data and to object to personal data processing with regard to search engine services providers, which were deemed as controllers.

Therefore, when facing a deletion request, search engines will have to decide on the balance of the rights at stake, namely freedom of expression and the right to privacy, weighing up whether it is in the public interest for the information indexed in their search results to remain.

From the very beginning, public opinion thrived both with enthusiasm and concern. The main question was: how would the decision be enforced? Isn’t the removal of links to legal and accurate information damaging to freedom of speech and the right of access to information? The debate was most vivacious between free speech advocates and privacy campaigners and hasn’t faded away with the course of time. The former insist that it will lead to a whitewashing of the past, whereas the latter uphold that it will enable individuals to limit the visibility of some personal information.

Google, despite affirming that the enforcement of the ruling could hamper free speech, warning of the potential abuse by those looking for the deletion of important information and complaining that the ruling’s requirements for conformity were vague and subjective, started dealing (efficiently?) with the astonishing number of requests for suppression of links received, rejecting some and admitting others.

In fact, Google says it has received approximately 143,000 requests, related to 491,000 links, to take down links in the last five months, involving everything from serious criminal records to embarrassing photos and negative press stories. Considering the data revealed by Google itself, the company has refused about 30 per cent of demands and about 50 per cent were taken down. According to its online transparency report, Google has removed more links to content on Facebook from its search results than from any other site. In this regard, Reputation VIP — the company that provided Forget.me, the first “Right To Be Forgotten” Removal Service – outlined that, ironically, most requests do not refer to unflattering or inaccurate web pages written by third parties, but, instead, to content authored by the requestor.

Google even set up an advisory committee to handle the requests. This council is headed by the company’s executive chairman, Eric Schmidt, and chief legal officer, David Drummond, and includes academics, technologists, legal experts and a journalist.

Most recently, Google decided to launch a public debate regarding the balance to be achieved between a person’s right to be forgotten and the public’s right to information. To that end, it organized a grand tour of hearings across Europe and has been on the road for about a month now.

The good intentions beneath this initiative failed to convince everyone. For instance, Isabelle Falque-Pierrotin, who heads the Article 29 Working Party, which gathers all 28 EU national data protection authorities, didn’t hesitate to share her scepticism about the Google initiative, which she described as part of a “PR war”:

Google is trying to set the terms of the debate. They want to be seen as being open and virtuous, but they handpicked the members of the council, will control who is in the audience, and what comes out of the meetings.

Although I do not share such a pessimistic viewpoint of the initiative, I actually also have some doubts regarding the openness and transparency that it intends. Indeed, when the public debate was first announced, I expected that it would allow for a better understanding of Google’s current processes for dealing with requests. But, as far as I am aware, the hearings have centred on abstract and rather philosophical discussions.

Considering the ongoing negotiations regarding the EU data protection reform, already well advanced, the question which should be asked is: how much could the ruling and Google’s efforts in fact influence the direction of the discussions?

According to the European Commission’s initial proposal, the right to be forgotten would be built on the right to erasure of personal data and the right to object to data processing operations, which already exist under the current Data Protection Directive. Therefore, the data subject could exercise the right against the original data controller when and if: the data is no longer necessary; consent is withdrawn or when the storage period has expired; the data subject objects to the processing on specified grounds; or the processing is no longer valid on some other ground. Freedom of expression was among the exemptions foreseen.

The European Parliament was quite favourable to this proposal, having voted its opinion last spring. However, it ensured that the right could also be exercised directly against third parties and the possibility to exercise the right following an order by a court or regulatory authority.

The Council of the European Union had already discussed the issue before but decided to suspend the respective debates in order to wait for the CJEU’s ruling. However, negotiations regarding other issues of the reform kept going and Member States have even agreed on a partial general approach since then.

A subsequent statement issued by the Italian Presidency made clear that the provision concerning the right to erasure would take into account the principles set out by the CJEU. Indeed, the revised version issued recently left no doubt about it.

I find this utterly confusing, as it is for the Council of the European Union and the European Parliament, as co-legislators, to make the law as it will stand in the future, and for the CJEU to interpret the law as it exists. To take into account the judicial interpretation of the law that we are about to replace when defining the upcoming legislation is, in my opinion, quite puzzling. The ruling should not dictate the content or drafting of the future Regulation.

Nevertheless, something has to be done regarding the enforcement of the ruling. As things stand at the moment, it has been up to Google to determine the balance between the conflicting interests at stake. The criteria as defined by the CJEU are undoubtedly insufficient.

And if the ruling is to be taken into account in the upcoming legislation at all, it most certainly has to address the scope of the right to be forgotten, the grounds on which it can be exercised and the need to balance this right with freedom of information, as the judgement itself doesn’t establish with rigour how it shall be applied in practice.

In this context, it must be noted that the regulation has a horizontal nature and, thus, is intended to be applied to all controllers, independently of their nature. Search engines are not the specific aim of the future legislation although, as controllers, they are covered by its scope.

Regarding the scope, one may wonder if the distinction made by the European Commission between personal data which have been initially disclosed or uploaded by the data subject and the personal data which have been disclosed by third-parties will be kept.

Moreover, as it seems that there is no doubt that search engines – now considered as controllers – may receive deletion requests, it is important to clarify what about providers of social media, as Facebook, for instance, where it is possible to argue that the processing is based on consent or a contract.

As for the grounds on which the right can be exercised, I think it won’t be easy to determine who will be required to conduct the assessment in order to consider if the initially lawful processing of accurate data became unnecessary, inadequate, irrelevant or no longer relevant, or excessive in the light of the purposes for which they were collected or processed and of the time it has elapsed. Who is better suited for that role: search engines or the first controller?

In this context, one cannot assume that, if the initial processing is lawful, the second processing is also lawful. There might be cases where the two assessments reach different outcomes. What then?

Furthermore, should requests for deletion be addressed directly to the controller? Should they be addressed, instead, to the supervisory authority? Or to the competent courts? And if so, which court would be the competent one?

In addition, should the data subject have the right to choose any of the controllers to exercise the right to be forgotten and erasure? I believe that, at least theoretically, it should be possible for the data subject to exercise the rights against the processing carried out by the search engine before, after or independently from exercising the same or other rights against the original controller. But one should bear in mind that it is quite unrealistic to ask operators of search engines to track information and replication of data across the web.

As we can see, many questions are yet to find their answers.

The most popular is:

How will the right to the protection of personal data be fairly articulated with the right to freedom of expression?

Understandably, certain Member States have shown legitimate concerns regarding the freedom of expression and the interest of the public at large in having access to information, which may end up being underweighted in the balancing process. So the debates are currently ongoing.

One of the big issues at stake is that, according to the spirit of the founding treaties, the reconciliation of the right to the protection of personal data with the freedom of expression should remain within the Member States’ legislative power. This implies that the European co-legislative institutions, the Council of the European Union and the European Parliament, are not entitled to regulate this matter in detail. However, if it is up to the Member States to reconcile the two potentially conflicting rights, neither harmonization nor a unified application of the law is ensured.

In this context, it will be important to delineate the concepts of ‘public interest’ and ‘public figure’, whose scope is not satisfactorily developed in data protection law, given how swiftly the digital era has evolved.

Moreover, it will be important to establish that bloggers and individuals generally expressing themselves online fall within the scope of the ‘freedom of expression’ exception, even if they are not professional journalists. After all, article 11 of the Charter of Fundamental Rights of the European Union establishes that everyone has the right to freedom of expression, including the freedom to hold opinions and to receive and impart information and ideas, establishing the freedom and pluralism of the media.

On another level, and as is well known, Google has been systematically alerting websites when it removes links to their pages from the results presented for searches on a person’s name, which is in line with the European Commission’s proposal. But should search engines be barred from informing publishers, as Google has been doing, when articles have been delisted from search results? Are there cases where it would be appropriate to involve a publisher? Which ones?

These notifications are problematic mainly because of the possibility of republication, which could cause additional harm or distress to the data subject. And indeed, they often lead to the republication of a version indicating which URLs are being removed from the search index.

In my opinion, it is preferable for the data subject that the search engine, as the second controller, contacts the controller which first published the information (the original controller), as otherwise it might not always be easy to strike the correct balance.

In parallel, Google has unilaterally restricted the deletion of links to the European versions of its search engine only, for instance google.es, google.de, google.co.uk… Well, you get the idea… But shouldn’t the removal be global, considering the very nature of the Internet? Shouldn’t links be removed from all versions of Google, including google.com? This is particularly relevant considering that most European users of the search engine use the local domains rather than google.com.

The Justice and Home Affairs Council gathered in Luxembourg on the 10th of October to discuss the regulation and the directive. A partial general approach on chapter IV of the General Data Protection Regulation, which deals with the obligations of data controllers and processors, was agreed. There is, nevertheless, still plenty to be agreed on, so one may wonder whether the deadline set by the incoming European Commission President Jean-Claude Juncker for the end of the negotiations – within six months of the Commission starting work – can be met.

Meanwhile, the Article 29 Working Party is preparing guidelines which will set out a common approach for dealing with the different types of appeals coming in from citizens. To that end, it has met with media and search engine companies, Google, Microsoft and Yahoo, to gather their views on how to strike a balance between the freedom of information and privacy. The guidelines are expected to be finalised by the end of November.

Considering the current state of play, let’s hope that some of the thorny questions will have been answered by then…

Uncle Sam is watching EU

I know what you’re doing!

Surveillance is commonly defined as the, often surreptitious and illegal, monitoring of people’s behaviours and activities for the most diverse ends, which normally include supervision, influence or manipulation, control or protection.

Therefore, mass surveillance means watching over an entire population, or a substantial fraction of it, and is usually conducted by governments, or by corporations on their behalf, allegedly in order to fight terrorism or child pornography or to protect national security, to mention just some of the justifications.

I still remember the worldwide chilling feeling that followed Edward Snowden’s revelations, published by The Guardian back in the summer of 2013, regarding the extent and scope of the surveillance programme known as PRISM, conducted by the NSA (National Security Agency).

That feeling still remains and the worldwide debates that followed concerning the illegality of the measures taken and the violation of privacy rights and civil liberties are not about to end any time soon.

The news that some technology and telecommunications companies had granted the NSA direct access to their servers, or had handed over detailed reports about their customers, most certainly didn’t help.

Despite the ensuing denials from the companies concerned, mass surveillance has since become a concern of the EU.

First, the surveillance measures undertaken affected the fundamental rights of European citizens, namely their right to privacy and to protection of personal data.

Moreover, the surveillance programmes conducted by the USA highlighted the connection between state or government surveillance and the processing of data by private companies.

In addition, the disclosure of large-scale intelligence data collection programmes affected negatively the trust in the transatlantic relationship.

And, in this regard, there is quite a lot at stake.

Indeed, both parties have concluded several agreements regarding the exchange of personal data for the purposes of law enforcement, including the prevention and combating of terrorism and other forms of serious crimes. These are the Mutual Legal Assistance Agreement, the Agreement on the use and transfer of Passenger Name Records (PNR), the Agreement between Europol and the US and the Agreement on the processing and transfer of Financial Messaging Data for the purpose of the Terrorist Finance Tracking Program (TFTP).

In addition, the legal basis for the exchanges for commercial purposes between the EU and the USA is provided by the Safe Harbour Decision, which concerns transfers of personal data from the EU to companies established in the U.S. which have adhered to the Safe Harbour Principles. Efforts to negotiate amendments to the program have been ongoing since the fall of 2013.

Besides, the EU and the USA are currently negotiating the ‘umbrella agreement’, a framework agreement on data protection regarding the transfer and processing of data in the field of police and judicial cooperation.

Last but not least, the ongoing negotiations for the controversial Transatlantic Trade and Investment Partnership (TTIP), the world’s biggest trade agreement, should also be mentioned.

While it is supposed to increase trade and investment, there is noteworthy apprehension about its potential negative impact on privacy. But, as it is being negotiated behind closed doors, it is yet to be known how justified these concerns are in the light of ACTA (the Anti-Counterfeiting Trade Agreement), which would have allowed intrusive surveillance of all of our Internet usage, regardless of whether we had actually infringed anyone’s copyright, and which the European Parliament rejected in 2012 for that very reason. All things considered, the EU Ombudsman’s recommendations are much welcomed.

In this context, the documents very inconveniently released by Edward Snowden revealed that the USA accessed the SWIFT database, the biggest store of financial transactions in the world, thus accessing millions of personal financial records outside the framework of the Terrorist Finance Tracking Program (TFTP). [1]

Last November, the European Commission released a communication in which it shared its concerns regarding the protection of personal data within the existing instruments.

The European Parliament has already called for the ‘immediate suspension’ of the Safe Harbour as it considered that the principles do not provide adequate protection for EU citizens and for the immediate suspension of the TFTP agreement until a “thorough investigation has been concluded”.

Meanwhile, leaders from the EU and the USA reiterated their commitment in a joint statement.

Although Jean-Claude Juncker has pressed for the “conclusion of negotiations on the reform of Europe’s data protection rules, as well as the review of the Safe Harbour arrangement with the U.S.”, Andrus Ansip, who is slated to become the European Commission’s Vice-President for the Digital Single Market, affirmed during a European Parliament confirmation hearing that, unless the differences are resolved, the USA – EU Safe Harbour could be suspended. Ansip said that “we have to be absolutely sure that the national security exception will be used as an exception, not on a regular basis.”

It is beyond any doubt that the plea of terrorism or national security concerns collapses when faced with revelations that the NSA collects data related to international trade and monitors the telecommunications of the leaders of Brazil and Germany. It is evident that those are mere excuses to conduct this kind of surveillance in the name of less honourable goals.

As if this wasn’t enough, documents delivered by Edward Snowden, and recently released by The Intercept, show that the agency has “under cover” agents embedded in foreign companies for the purpose of extending its surveillance reach.

That said, transparency reports, by presenting statistics on governments’ requests for data, could be a useful tool for disclosing the scope and scale of surveillance. However, governments are obviously not that keen on reporting on their surveillance activity and will make sure to exempt from such reports any requested information related to ‘national security’.

It doesn’t come as a surprise that technology companies such as Facebook, Yahoo, Google and Microsoft are now investing in barriers, mainly by refusing access requests and encrypting internal traffic, to make it harder for governmental intelligence agencies to ‘snoop around’. Even though some concerns regarding the impact on police investigations, namely of paedophilia suspects, have been raised, it is questionable whether they are completely justified, mainly because there are several other ways to access the information stored. For instance, information stored in the Cloud will still be ‘easily’ accessible.

Nevertheless, these and similar companies are businesses and shouldn’t be assigned the role of guardians of individuals’ rights. It is all very wrong, and looks very much like a totalitarian regime, when governments themselves are attacking the most private parts of our lives.

Encryption measures have led some to the conclusion that governments should be entitled to a golden key – a back door – in order to unlock and access individuals’ communications. The main viewpoint is that, by allowing this, personal safety and national security could be properly ensured…

That said, it might not come as the most surprising event that Russia is requiring social network companies, such as Facebook and Twitter, to store the personal data of its citizens on servers within the country’s borders or face being blocked without a prior court ruling. Conveniently, the initiative – which represents an open door to censorship – is even presented as a necessary remedy against foreign threats and USA spying.

It is difficult not to wonder – and worry – whether this is the first step towards blocking all websites with user-generated content, an already proven effective means of controlling the right to information, freedom of expression and any democratic expression.

In this context, the hypothesis that the European Commission (DG Home) has been collaborating with the USA administration regarding the EU data protection reform raises some deep and justified concerns. Especially if we consider that the former EU Home Affairs Commissioner, Cecilia Malmström, is very likely to be confirmed soon by the European Parliament as the EU’s new trade commissioner, conducting the TTIP negotiations on the EU side. But then again, if it is true that the European Commission knew about PRISM all along… Conspiracy theories apart, Cecilia Malmström denied the allegations at the hearing with the Members of the European Parliament.

Of course, according to the principle of conferral or attributed powers, the EU may only exercise the competences conferred on it by the Treaties to attain the objectives set out therein. [2] This means that competences not conferred upon the Union in the Treaties remain with the Member States. [3] National security is deemed an essential State function and the sole responsibility of each Member State.

Considering that matters related to national security are usually exempted from surveillance activity reports, I guess that it all comes full circle, after all…

And while one can be glad that the UN issued a report stating that mass surveillance violates human rights, one is also entitled to be sceptical regarding its effect on government programmes.

 

References

1. The TFTP agreement allows the U.S. Treasury to access some data stored in Europe by the international bank transfer company SWIFT (Society for Worldwide Interbank Financial Telecommunication) for the prevention, investigation, detection and prosecution of conduct pertaining to terrorism or terrorist financing.
2. See Article 5(2) TEU.
3. See Article 4 TEU.

A World of Data = Big Data x Little Privacy

Next evolution, Humongous Data?

With massive amounts of our personal data now being routinely entered, collected, stored and exchanged, data security and privacy breaches are almost inevitable; in particular, large-scale attacks that lead to the theft of millions of individuals’ data are becoming more and more common nowadays.

With technology at our fingertips, we are sharing more and more information online and by electronic means. From sensors fitted in our cars to wearables, from cloud computing to social networking, from digital pictures and videos to cell phone GPS signals, from online purchase transactions to sign-up processes, from the telecommunications and insurance sectors to the medical and banking ones, we leave traces of information with every move we make.

The massive volume of data generated and gathered is popularly referred to as ‘Big Data’. The concept commonly describes such a large amount of complex, unstructured, diverse and fast-moving information that it is difficult to process using traditional database and software techniques. Billions to trillions of records about millions of people are now measured in new units such as petabytes and exabytes. The golden era of the gigabyte is long gone.

So what is so special about Big Data?

The analysis that can be done with Big Data enables correlations to be established across large populations, which is useful to individuals. It creates a remarkable opportunity for society worldwide in any field you can think of, ranging from crime rate predictions to medical research, from public health to national security and from marketing to risk analysis. Companies and governments no longer have to rely on sampling: they have access to the whole of the digital age’s plentiful digitised knowledge, a myriad of data points collected for unrelated purposes and updated in real time.

For instance, a few years ago Google was able to predict flu outbreaks faster than was possible using hospital admission records, just by analysing clusters of search terms by region in the United States. All with algorithms! Quite impressive, huh?

In our enthusiasm to share and bond with others and to live up to the possibilities offered by new technologies, as the world grows more and more connected, we are quite relaxed about giving away information about ourselves. Businesses know that. And they are continuously developing new means of collecting information about their customers.

Why wouldn’t they?

They can look for hidden patterns, trends or other insights that will enable them to better mould their products and services to customers, anticipate demand or improve performance. Big Data certainly can bring the kind of knowledge that allows innovative improvements for businesses… from which all of us will ultimately benefit. As a result, personal data is constantly collected and traded, being the new currency of the new economy that is the internet.

For instance, have you noticed how frequently, after having searched for a certain type of goods or services on Google, matching advertising appears on the right-hand side of your Gmail window the next time you open it?

But the astonishing advantages coming from the analysis of Big Data are tempered by concerns over privacy and data protection.

I believe that many of us don’t think much about the implications of easily sharing and giving away personal details online nowadays. After all, how many of us actually read the consent form regarding the use of our personal data?

But it is important to reflect on a few points which, I assume, will leave nobody comfortable after consideration.

Consider, for instance, that some retailers are able, through the analysis of purchasing habits, to predict such intimate details as a customer’s pregnancy and that, against the will of the customer concerned, the ensuing marketing activities may end up disclosing that information.

Consider, for example, that with such a volume of data and such powerful analytical mechanisms, the combination of datasets might lead to the identification of individuals despite the anonymisation of certain elements.

Consider, now, that the data contain biases, inaccuracies, obsolete and missing information and flawed correlations, which unavoidably affect the predictions and conclusions drawn from their analysis, and that decisions affecting your welfare will still be taken on the basis of those predictions and conclusions.

Consider also that more and more of the data being collected about us does not come directly from us.

Finally, consider that the hospital records of national health system patients could be sold for insurance purposes.

Scary, at the very least…

The good or bad news is that Big Data analysis isn’t as efficient as many would like or fear it to be.

The risk of biases inherent to data and false correlations and associations is great and increases as bigger volumes of data are analyzed.

For instance, Google’s model for predicting the spread of flu ended up overestimating the phenomenon by almost a factor of two.

Regarding public security, Big Data hasn’t proven itself able either to detect the patterns or anomalies that could help prevent acts of terror.

Not so reliable after all…

Nevertheless, one cannot escape Big Data. We live so entangled in it that it is more and more usual to talk about an ‘internet of things’. Good things can come from it. But nobody can be entirely sure that it will be used for legitimate purposes.

In parallel to the enthusiasm of connecting and sharing, there is an increasing concern surrounding the lack of privacy.

In this context, there might indeed be a big place in the market for privacy products. And the seeds are being planted now. Just recently, Google announced that data encryption will be enabled by default in the next version of the Android operating system, known as Android Lollipop, which will make it impossible for anyone to access the data on the device without the owner’s passcode. This initiative is in line with the announcement made by Tim Cook, the CEO of Apple, regarding the company’s privacy policy. Both companies state that even the police won’t be able to gain access to the user’s personal information. It is however worth mentioning that the upgraded security feature only protects data stored on the device itself, not data stored in the iCloud service.

The advantages resulting from Big Data analysis will only be reaped if the privacy expectations of users are appropriately met and their data protection rights are respected. However, finding the right balance between all the interests at stake – those of the individuals concerned, those of businesses and, ultimately, the general public interest – might not be an easy end to achieve, particularly in the field of health research.

The Article 29 Working Party recently issued a statement on the impact of the development of Big Data on the protection of individuals with regard to the processing of their personal data in the EU, where it found “no reason to believe that the EU data protection principles are no longer valid and appropriate for the development of Big Data.” Nevertheless, it envisaged the possibility of “further improvements to make [the principles] more effective in practice” in the context of Big Data.

In my opinion, the data protection principles should be deemed applicable, as they refer to fairness, transparency and, ultimately, trust. For that reason, the ‘notice and consent’ and ‘purpose limitation’ models should be preserved as much as possible, and data ought to be anonymised to the point where re-identification is precluded.
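A small illustration of what “anonymised to the point where re-identification is precluded” means in practice, added here as an example and not part of the original post: a hospital extract with names removed is linked back to a public register on three quasi-identifiers (ZIP code, birth year and sex, which is an assumption about what such an extract would still contain), and then the same quasi-identifiers are generalised until every combination is shared by at least two people (k-anonymity with k = 2). All records are constructed for the example.

```python
"""Re-identification by linkage, and a k-anonymity check.

Added example, not code from the original post. The records below are
constructed; "zip", "birth_year" and "sex" are assumed to be the
quasi-identifiers left in a "de-identified" extract.
"""
from collections import Counter

# Constructed "anonymised" hospital extract: names removed, quasi-identifiers kept.
HOSPITAL = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "birth_year": 1972, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1972, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1980, "sex": "F", "diagnosis": "depression"},
    {"zip": "02140", "birth_year": 1980, "sex": "F", "diagnosis": "cancer"},
]

# Constructed public register (think voter roll): names plus the same quasi-identifiers.
REGISTER = [
    {"name": "Alice", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Bob",   "zip": "02138", "birth_year": 1972, "sex": "M"},
    {"name": "Carl",  "zip": "02139", "birth_year": 1972, "sex": "M"},
    {"name": "Dana",  "zip": "02139", "birth_year": 1980, "sex": "F"},
    {"name": "Erin",  "zip": "02140", "birth_year": 1980, "sex": "F"},
    {"name": "Fay",   "zip": "02140", "birth_year": 1980, "sex": "F"},
]

QUASI = ("zip", "birth_year", "sex")


def qid(rec, quasi=QUASI):
    """The quasi-identifier tuple of one record."""
    return tuple(rec[q] for q in quasi)


def link(anon_rows, register, quasi=QUASI):
    """Linkage attack: join anonymised rows to the register on the quasi-identifiers.

    A row counts as re-identified only when exactly one register entry matches,
    so ambiguous groups (two or more candidates) are not reported.
    Returns {name: diagnosis} for every re-identified row.
    """
    by_qid = {}
    for r in register:
        by_qid.setdefault(qid(r, quasi), []).append(r["name"])
    found = {}
    for row in anon_rows:
        names = by_qid.get(qid(row, quasi), [])
        if len(names) == 1:
            found[names[0]] = row["diagnosis"]
    return found


def k_anonymity(rows, quasi=QUASI):
    """k = size of the smallest group of rows sharing the same quasi-identifiers.
    k == 1 means at least one person is unique in the dataset."""
    return min(Counter(qid(r, quasi) for r in rows).values())


def generalise(rows, zip_digits=3, year_bucket=20):
    """Coarsen the quasi-identifiers: truncate the ZIP code, bucket the birth
    year and suppress sex. Other fields (e.g. diagnosis, name) are kept."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        g["sex"] = "*"
        out.append(g)
    return out


def demo():
    """Run the attack before and after generalisation.
    Returns (re-identified before, k before, re-identified after, k after)."""
    before = link(HOSPITAL, REGISTER)
    k_before = k_anonymity(HOSPITAL)
    anon = generalise(HOSPITAL)
    # The attacker knows the generalisation scheme and applies it to the register too.
    after = link(anon, generalise(REGISTER))
    k_after = k_anonymity(anon)
    return before, k_before, after, k_after


if __name__ == "__main__":
    before, k_before, after, k_after = demo()
    print(f"raw extract: k={k_before}, re-identified: {before}")
    print(f"generalised: k={k_after}, re-identified: {after}")
```

Removing names did nothing here: four of the five patients are unique on ZIP, birth year and sex, so a plain join with a public register hands back name and diagnosis. Generalising the quasi-identifiers until k = 2 removes every unique match. Note that k-anonymity only addresses identity disclosure: if everyone in a group shared the same diagnosis, the attacker would still learn it without knowing which row is whose, which is why the sensitive attribute also needs to vary within each group.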

This week, the European Commission and the Big Data Value Association, an industry-led organisation acting on behalf of companies including Atos, Nokia Solutions and Networks, Orange, SAP and Siemens, committed to a public-private partnership (PPP) which aims to support research and innovation in Big Data technologies and infrastructures while ensuring privacy and security.

No statistics can predict what uncertainties the future holds regarding Big Data… However, in these fast-changing times for information and communications technology, we will surely know soon enough…

Data Protection Reform: Change is coming… slowly

EU Data Protection Reform is about to happen… eventually.

Although subject to the well-known saying ‘nothing is agreed until everything is agreed’, data protection reform is slowly taking shape and businesses should prepare themselves for what is coming, as activities involving the processing of personal data will have to comply with the new data protection laws.

In June, the Justice and Home Affairs Council reached an agreement on the rules concerning data transfers and on the territorial scope of the future Regulation.

At the last meeting, held in Luxembourg earlier this month, Justice and Home Affairs Ministers reached a broader partial agreement on the wording of chapter IV of the draft General Data Protection Regulation, which includes new rules on personal data breach notification that businesses operating in the European Union will have to comply with.

Under the new approach, contractual freedom regarding the content of controller-processor contracts will be restricted, and the liability of processors towards controllers for subcontracting activities will be further elaborated.

Additionally, pseudonymisation of personal data will be listed as a technical and organisational measure to ensure an appropriate level of security.

In this context, businesses will have 72 hours to notify regulators once they become aware that they have suffered a personal data breach that “may result in physical, material or moral damage” to individuals. This covers disparate situations such as loss of confidentiality of the data, damage to the data subject’s reputation and identity theft.

Moreover, although businesses will have to inform data subjects without undue delay of a data security breach which could severely affect their rights and freedoms, they will be exempted from this obligation when appropriate technological protection measures, namely encryption, have been applied to the data so that they cannot be accessed even if lost or stolen.

Furthermore, controllers whose processing of personal data is likely to present a high risk to the rights and freedoms of individuals, such as the processing of health data or of personal data which can be used for profiling, will have to carry out a data protection impact assessment.

Businesses based outside the European Union which process the personal data of European Union citizens will have to appoint a representative based in the European Union, unless the processing is occasional and unlikely to result in a risk to those rights and freedoms.

Of course, negotiations with the European Parliament and the European Commission to finalise the instrument will only begin once consensus on the whole draft has been reached within the Council.

If slowly is the best way to go further, we will get there… eventually.

The Snappening: the new hacking in town

Oh snap!

Digital privacy is once again in the spotlight due to rumours that emerged last week of a widespread hack of Snapchat accounts. The incident, which has already been dubbed ‘The Snappening’, has allegedly allowed a massive collection of thousands of both random and intimate Snapchat pictures and videos.

Vaguely reminiscent of the iCloud security breach Celebgate, right?

Well, indeed, thousands of private pictures and videos are said to have recently been published on the notorious 4chan message board and the online forum Reddit, the same places where hackers published the stolen iCloud pictures of nude celebrities this past summer.

Except that, in this case, it is not about pictures and videos of female celebrities which would never have made it to the public eye if it weren’t for an obviously gender-directed attack.

Instead, the pictures were intentionally sent by the people they concern to others through the Snapchat mobile application. And, more gravely, a vast majority of those concerned might be underage.

For those who are less technologically aware, Snapchat is a mobile application which allows users to send personalised, drawn-on messages to others, with the promise that images, pictures and videos are instantly and automatically deleted within seconds of having been viewed by the receiver.

It is like in those Hollywood movies where the message self-destructs in five or ten seconds. How enigmatic!

One romantic view of the application is that the ephemerality of the content makes it more treasured and valued and, consequently, makes people more attentive to it.

On the pragmatic side, it is also quite obviously intended that no record of the content will ever be kept and that, once self-deleted, it will never surface again.

Nevertheless, I fail to understand how someone could trust that the information sent would be secure just because it couldn’t be saved. In my opinion, the whole concept was a pure illusion. In fact, it would suffice to take a screenshot of an image on the phone before it expired, or to capture the Snapchat screen with another camera, for the receiver to be able to make the moment last forever.

Anyway, the overall effect is that the promise of instant, short-lived content has made the application particularly popular among teenagers, who represent the vast majority of its user base. The main concern, therefore, is that the collection might, alongside random content, include pictures and videos which would legally be considered child pornography.

Although Snapchat has faced security problems before, it seems that this time the incident is due to the use of a third-party website which allows users to store and catalogue snaps that would otherwise be deleted.

Indeed, the data has apparently been obtained through a third-party website, Snapsaved.com, which allowed Snapchat users to use the service on a desktop computer rather than just on a mobile phone. Given a user’s login details, i.e. username and password, the website could log in to Snapchat’s servers on that user’s behalf. It was therefore able to retrieve and store the shared content, circumventing Snapchat’s most famous feature, instantaneous deletion.

Therefore, its users were able to save photos sent to them via Snapchat without the sender’s knowledge. Not too comforting, I suppose…

Snapchat was quick to issue a statement flatly rejecting the scenario of a security breach of its servers:

We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.

As we can see, it made it very clear that the privacy of Snapchat users could have been compromised by the use of a third-party application, a practice expressly prohibited in its Terms of Use.

In other words, according to the statement, if the victims used a third-party application, they alone are responsible for having suffered a hacking attack.

Does this victim-blaming sound familiar?

Anyway, although Snapchat is technically correct when it points out that the security of its own servers was not compromised, it conveniently failed to address the real issue at stake.

I am far from being a geek, but I cannot help wondering, for instance, why these third-party applications and websites succeed in accessing the content shared through Snapchat. What is the company doing to prevent those applications from connecting to its service?

Snapchat conveniently dodged the very relevant issue that is: even those users that share messages by means of the real Snapchat application are at risk because it is not possible for the sender to ascertain if the receiver is using the official Snapchat application or a third-party one.

So it is all good when Snapchat blames users who use a third-party unauthorized service; but what about all the users that are unwittingly communicating with friends who use those services? Are they to blame as well? Or should we consider that, in a globally sharing world, they shouldn’t be sharing anything in the first place?

According to Snapchat’s own statement, it seems to consider that users should  envisage the possibility and perhaps expect that the receiver is able to save the pictures, namely  by using a third-party service.

While this is quite unfortunate from a marketing perspective, it is also deeply hypocrite. The whole point of making pictures disappear, besides the romantic vision of ephemeris,  to make the sharing safer.

I am fully aware that Snapchat’s Terms of Use mention the limitations of its technology, stating that services are provided “as is” without warranties of any kind regarding its security. But were most of its users – children and teenagers – equally aware? Besides, is it enough to state that an application is not entirely safe? Shouldn’t users be informed about how weak it is regarding their privacy? After all, it is sufficient to download one of the many readily available third-party application in order to be able to save indefinitely incoming messages without the sender’s knowledge.

It is without any doubt that a security flaw exists within Snapchat’s product, which cannot be ignored and for which Snapchat is responsible.

Currently, there are very few credible sources of information and most are anonymous. Many believe this whole story to be a hoax, arguing that the photos that were being spread on 4chan were images that had already leaked online. On Reddit, some of those who claim to have downloaded the photos in the Snappening hack shared their disappointment regarding the mundane nature of the pictures. No surprise here. We can always rely on internet to destroy any remaining bits of faith in humanity. Others claim that a vast amount of the content qualifies as child pornography.

Disregarding if an actual hack took place or not, this ephemeral messaging application raises serious and longstanding concerns.

It is an unfortunate reminder that privacy violations of social networks’ users may occur even if a company’s servers are not directly attacked due to the use of a third-party services.

Furthermore, it brings to spotlight issues regarding the knowledge regarding the navigation on internet, software usability and social media literacy.

Last but not the least, the exposure of children and underage individuals to the risks of privacy and security online breaches outlines their vulnerabilities in an increasingly technological-based social networking world.

© 2017 The Public Privacy