CCTV: household security or how to be a data controller at home

CCTV, walking the thin line of protecting yourself or becoming a data processor. (Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic)

Having suffered several attacks by persons unknown, in which the windows of the family home were broken on several occasions, Mr Ryneš, a Czech citizen, installed a CCTV camera under the eaves of his home. Fixed in position, the camera recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on a hard disk drive. On reaching full capacity, the device would record over the existing recording, erasing the old material. Although the images were not monitored in real time, this video surveillance system made it possible to identify two suspects, who were subsequently prosecuted.

However, despite the happy outcome, the operation of this camera system, installed by an individual at his home for the purposes of protecting the property, health and life of the owner and his family, raised some questions due to the continuous recording of a public space.

One of the suspects challenged the legality of Mr Ryneš’s recording of the images. The Czech Data Protection Authority (hereafter DPA) considered that this operation infringed data-protection rules because the data of persons moving along the street or entering the house opposite were collected without their consent; individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data; and this processing had not been reported to the Office, as is mandatory.

Mr Ryneš brought an action challenging that decision in court, which was dismissed. The case was appealed to the Czech Supreme Administrative Court which referred to the Court of Justice of the European Union (hereafter CJEU) for a preliminary ruling.

In this context, in its judgment in Case C-212/13, the CJEU addressed the application of the ‘household exception’, for the purposes of Article 3(2) of Directive 95/46/EC, which refers to the data processing carried out by a natural person in the course of a purely personal or household activity.

The CJEU considered that the image of a person recorded by a camera constitutes personal data within the meaning of the Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Moreover, the Court considered that video surveillance falls within the scope of the above mentioned directive in so far as it constitutes automatic processing, i.e., an operation which is performed upon personal data, such as collection, recording, storage.

Considering that the main goal of this Directive is to guarantee a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, as foreseen in article 7 of the EU Charter of Fundamental Rights, the CJEU recalled that derogations and limitations must be strictly necessary.

Therefore, the Court deemed that the ‘household exception’ must be narrowly construed and is applicable when the data processing activity is carried out in a ‘purely’ private and household context, even if it incidentally concerns the private life of other persons, such as correspondence and the keeping of address books.

In this context, the CJEU concluded as follows:

(…) the second indent of Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

However, Mr Ryneš’s concerns, which motivated the installation of the camera, were not overlooked by the CJEU. Indeed, the Court outlined that the Directive itself allows, where appropriate, to consider the legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself. This reflection is in line with the Opinion of the Article 29 Working Party in this regard as security was mentioned as an example of a legitimate interest of the data controller.

This implies that, even if the household exception is not applicable in this very particular case, a CCTV camera recording activity such as the one in the proceedings is lawful in the light of article 7(f) of the Directive. That said, the referring Court will now have to take this interpretative guidance into consideration and decide whether the recording and processing at stake were legitimate, for instance, with regard to article 10 of the instrument. It is possible that the Czech Court may still consider that the fact that no information regarding the recording was provided to the public (individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data) and that this processing was not reported to the Office constitutes a breach of the data protection rules.

This is particularly relevant considering that, precisely for security purposes, individuals are equipping their households with CCTV systems which capture public space. Only time will tell how this decision will be applied to individuals in practice. Most certainly, DPAs across the EU will update their recommendations regarding the weighing between the necessity of the recording and storing of the data to pursue an interest deemed legitimate and the interests for fundamental rights and freedoms of the data subject.

At this point, it is to be expected that householders who have surveillance cameras that capture public space will need to ensure that their collection and further use of any footage which contains images of identifiable individuals complies with the data protection requirements. Thus, they will have, for instance, to at least inform people of this monitoring and ensure that no footage is illegally retained.

(Un)Safe Harbour

Safe harbour for who?

As a general rule, the EU Data Protection Directive (Directive 95/46/EC) prevents businesses from transferring personal data from the EU to third countries. Therefore, EU citizens’ personal data cannot be processed or hosted outside the EU, unless those countries provide an adequate level of data protection. This adequacy requirement is met only when the European Commission recognises the data recipient country as providing an adequate level of protection. These decisions are commonly referred to as ‘adequacy decisions’.

It is deemed that the USA do not meet the above mentioned EU adequacy requirement, i.e., do not provide an adequate level of protection for data transfers to be accepted. Nevertheless, data can still be transferred from companies located in the EU on the basis of the Safe Harbour mechanism. In fact, by reason of the EU Data Protection Directive, the European Commission adopted a Decision (the “Safe Harbour decision”) recognising that the Safe Harbour Privacy Principles and the ‘Frequently Asked Questions’ provide an adequate protection for the purposes of personal data transfers from the EU to the USA.

The EU-USA Safe Harbour is an agreement concluded in 2000 which enables European data controllers to transfer personal data for commercial purposes, from companies located in the EU to companies in the USA that have signed up to the Principles. The framework aims to ensure that such transfers duly comply with EU data protection law. To that end, USA companies intending to lawfully receive personal data from the EU are required to self-certify the compliance of their personal data policies and practices with the Safe Harbour. Companies which voluntarily adhere to a set of principles issued by the Federal Trade Commission (FTC) are therefore presumed to qualify for the Safe Harbour ‘adequacy’.

This Framework has been greatly criticized since its implementation. Indeed, the Safe Harbour scheme has been used for the transfer of the personal data of EU citizens from the EU to the USA by companies required to hand over data to USA intelligence agencies under the USA intelligence collection programmes. Moreover, some EU Data Protection Authorities expressed strong reservations about the rigour of the Safe Harbour framework, namely regarding the self-certification requirement. These concerns were echoed in the opinion of the Article 29 Working Party on Cloud Computing issued in July 2012, where it was suggested that EU data exporters could not rely on a cloud provider’s self-certification regarding compliance.

As a result, it is no surprise that the framework has been reviewed twice, back in 2002 and 2004. Nevertheless, the Safe Harbour framework was endorsed by the European Commission, in January 2012, regarding the draft Data Protection Regulation, where adequacy decisions taken under the current Directive 95/46/EC would remain in effect unless amended, repealed or replaced by the Commission.

By contrast, the European Parliament’s LIBE (Civil Liberties, Justice and Home Affairs) Committee has proposed amending the proposal so that such adequacy decisions would only remain in force for five years after the Regulation comes into effect.

In the wake of the Snowden revelations regarding the USA covert surveillance programme, PRISM, for the interception and access to the electronic communications of EU citizens on a large scale, namely personal data that was transferred to online service providers in the USA under the Safe Harbour, the European Data Protection Authorities (DPAs) and the European Commission have been increasingly manifesting serious concerns regarding the safety of this agreement.

This led Viviane Reding, former Justice Commissioner, to argue that “the Safe Harbor agreement may not be so safe after all” and that it “could be a loophole for data transfers because it allows data transfers from EU to U.S. companies – although US data protection standards are lower than our European ones.” Viviane Reding further announced that the Commission would conduct an assessment of the EU-USA Safe Harbour agreement.

In July 2013 the European Parliament considered that the PRISM program constituted a “serious violation” of the Safe Harbour agreement and called on the European Commission to review the framework. Last March, following its report on mass surveillance activities, the European Parliament approved a resolution calling for the reversion or suspension of the EU-USA Safe Harbour scheme, considering that it fails to provide adequate protection for EU citizens.

Instead, in November 2013, the European Commission put forward a series of 13 recommendations for the USA to put into practice, which would make the Safe Harbour safer, if implemented. Nevertheless, the most controversial features of the framework, such as the voluntary adherence, were not adequately addressed. The expected conclusion of the discussions on the 13 recommendations proposed by the European Commission was set for the end of last summer. The deadline passed without any further developments.

Last June, following a complaint brought by the Austrian campaign group Europe v Facebook regarding the company’s part in the NSA’s mass electronic surveillance programme, an Irish court (Facebook’s international headquarters are in Ireland) referred a question to the Court of Justice of the EU on the compliance of the Safe Harbour with the EU Charter of Fundamental Rights.

There has been extensive debate regarding the future of the Safe Harbour, considering that some DPAs no longer recognize it as a valid data transfer mechanism. DPAs can exceptionally suspend data transfers based on the Safe Harbour, namely when it is likely that the Safe Harbour Principles are being violated. To date, no DPA has done so. Considering the serious economic implications, I think that it is very unlikely that the Safe Harbour will be suspended or reversed. In the meantime, the decision of the European Commission on the adequacy of Safe Harbour remains in force, until specifically repealed or changed.

Věra Jourová, the new Justice Commissioner, has already expressed strong doubts about the security of the Safe Harbour mechanism. However, she did not favour a suspension or a cancellation of the programme. Andrus Ansip, the new Commissioner for the Digital Internal Market, for his part, did not exclude that possibility.


The impact of the CJEU ruling invalidating the EU Data Retention Directive

Data retention heh!? Tricky business.

Data retention has been increasingly perceived as a criminal justice and law enforcement tool in the EU in the past years. As a matter of fact, the EU Data Retention Directive (the Directive 2006/24/EC) was adopted in the wake of the London bombing attacks, back in 2005, despite the fact that data retention would not actually have any relevant effect on the tragic event.

Nevertheless, the Directive requires EU Member States to compel telecommunications and Internet service providers to retain considerable amounts of communications data – including landline phones, mobile, fax and email – regarding individuals within the EU, even those never suspected of committing a crime, for a minimum period of six months and up to two years, for law enforcement purposes, namely regarding investigations of serious crimes and terrorism.

The data thus collected and retained allows for the identification of all the people with whom a user has communicated, the means employed, the time, the place and the frequency of those communications. Therefore, despite not permitting the access to the content of the communications as such, this data nonetheless provides detailed information on the private lives of individuals, in an evident interference in the private sphere of their lives.

The question to be asked, then, was: is this interference acceptable in the light of the EU Charter of Fundamental Rights?

In this regard, article 52 of the Charter states that restrictions upon the rights foreseen in the Charter must be established by law, respect the core of the right, be subject to the principles of proportionality and necessity, be aimed at fulfilling public interest objectives and be balanced with the rights and freedoms of other individuals.

As you certainly well remember, last April, the Court of Justice of the European Union (hereafter CJEU) ruled on the entire invalidity of the abovementioned Directive, in the light of the EU Charter of Fundamental Rights, namely the rights to privacy and data protection, respectively foreseen in its Articles 7 and 8.

Taking this into consideration, and recognising that there was a public safety interest underlying such intrusion, the Court focused, instead, on whether such interference could be somehow justified. In this regard, the Court concluded that such collecting, processing and accessing of personal data by authorities did not comply with the principles of necessity and proportionality and, therefore, constituted an unjustified and serious interference with the fundamental rights to privacy and data protection. Indeed, in requiring the mass retention of all communication traffic of all individuals in the EU, including those who are innocent or not suspected of any crime, the instrument was considered to go beyond what is strictly necessary for a criminal investigation.

In this context, the broad scope of the Directive, given that it refers to all means of electronic communication; the broad time period set for retention; the lack of clear rules limiting the access and use of data by authorities; the absence of an obligation to destroy the data once the retention period expires; the dissatisfying level of protection of the data from unlawful access and use; and the possibility of storage outside the EU territory were deemed particularly problematic.

This ruling has a far-reaching impact at many levels. As a direct consequence, the Data Retention Directive is deemed to be void and a new Directive will have to be built from scratch. Moreover, this ruling seems to oppose the practice of mass surveillance related to the existing EU legislation and the ongoing reforms, with an obvious direct effect on agreements concluded by the EU with third countries. In truth, it raised some practical issues regarding the data retention laws implemented by EU Member States and the validity of international agreements which require the retention of personal data, such as the PNR frameworks.

One of the main issues at stake is that, although many years have passed since the foreseen deadline for its implementation, the Directive has still not been fully implemented by all Member States. In fact, several Member States were subjected to infringement proceedings for failing to implement national legislation in due time. Nevertheless, those which have fully implemented the Directive weren’t able to achieve a full harmonization due to the abstraction of concepts such as ‘competent national authorities’ and ‘serious crime’ and the broad range of the data retention period. So much for the intended harmonization.

Moreover, as the Data Retention Directive amended the e-Privacy Directive to remove prohibitions on data retention, this invalidation implies that the previous version of the e-Privacy Directive is again applicable. Member States no longer have the obligation to retain data pursuant to the Data Retention Directive. In fact, national measures transposing the Directive will need to be amended.

Where a national Court has doubts about the compatibility of the national law with EU law, the proceeding for a preliminary ruling by the CJEU must be initiated. Alternatively, once the domestic remedies have been exhausted, a claim could be addressed to the ECtHR. In any case, the European Commission or another Member State is entitled to initiate an infringement procedure in case of violation of EU law by national measures or of incomplete, inadequate transposition or non-transposition.

Furthermore, in 2011, the European Commission published a proposal for the EU Passenger Name Record (PNR) Directive, which would require air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities in the Member State of departure or arrival, and is currently under negotiation. In the light of the above mentioned ruling, the envisaged text will not be able to stand. For instance, the data retention period of five years is clearly not acceptable.

Additionally, the legality of several international agreements, already in force or proposed, which include data retention schemes has been questioned. For instance, an Irish court referred to the CJEU, asking whether the EU ‘Safe Harbour’ arrangement on data protection with the USA is compatible with the rights to privacy and data protection.

Last month, the European Parliament voted to refer the EU-Canada PNR agreement, which is currently being renegotiated, to the CJEU, for an opinion, in order to assess its compliance with the EU Charter of Fundamental Rights. The Treaty of Lisbon allows the European Parliament to refer to the CJEU regarding the compatibility with EU law of a draft agreement to be concluded by the EU with third States on police or criminal law cooperation. In this regard, the EU-Canada agreement may not be concluded before a ruling on its compatibility with the EU law is issued because the consent of the European Parliament is now required for the conclusion of such international agreements.

Where does all this leave us?

Well, currently the EU has negotiated PNR data sharing agreements with the USA, Australia, and Canada.

In the light of Snowden’s revelations regarding the extent of spying by the American National Security Agency (NSA), the agreement with the USA, regarding the transfer of air passengers’ data for flights from the EU to the USA, has raised serious concerns within the EU, namely due to the access of the PNR database by the USA government for purposes other than fighting terrorism.

In this context, the ruling requested by the European Parliament regarding the EU-Canada agreement would indirectly establish if the EU/USA and EU/Australia agreements and the proposed EU PNR Directive do or do not violate those rights as well.

Subsequently to the rulings regarding the Data Retention Directive and the ‘right to be forgotten’, future judgements regarding data collection, processing and transfers are most certainly welcomed as they are expected to cast some light regarding the legality or illegality of the existing or upcoming PNR frameworks.

What would happen if the CJEU were to rule that all these international agreements are in breach of the rights to privacy and data protection? The application of such agreements would need to be challenged, now that they are already in force, by individuals via their national courts, or the European Parliament would have to require the other EU institutions to ensure full respect for the EU Charter of Fundamental Rights by denouncing the agreements at stake.

Consequently, all instruments dealing with data retention will have to be subjected to necessity and proportionality tests in order to assess their compliance with the EU Charter of Fundamental Rights. Therefore, the requirements set in the ruling might unavoidably challenge the EU PNR proposal. Similarly, other EU-USA agreements, such as the agreement on the access to financial data under the USA Terrorist Finance Tracking Programme (TFTP), will need to be tested for compliance with the judgement standards.

Moreover, an analysis regarding the compliance of other legislative proposals might need to be conducted regarding the proposals for an entry-exit system to track non-EU nationals crossing EU borders, for the European Terrorist Financing Tracking System and for the governments’ access to the Eurodac database.

History has shown us that PNR data has turned into an attractive source for governments to obtain personal data regarding individuals. EU institutions should therefore question the necessity and proportionality of these and similar schemes of data collecting, data retention and bulk transfers to third countries and review the draft and existing legislation, frameworks and agreements to ensure that they do comply with the EU Charter of Fundamental Rights.

(On this subject, I recommend the reading of the following study, commissioned by the Group of the Greens/EFA in the European Parliament on initiative of the MEP Jan Philipp Albrecht)

Update: The title was modified because, due to a lapse, it referred to the Data Protection Directive, instead of the Data Retention Directive.

About the last meeting of the Council of the EU on JHA

The Council of the EU

On 4 and 5 December last, the Council of the European Union held its 3354th meeting on Justice and Home Affairs.

A partial general approach on specific aspects of the draft regulation setting out a general EU framework for data protection was reached, on a “nothing is agreed until everything is agreed” basis, namely regarding provisions related to the public sector and specific data processing situations.

Moreover, the proposal presented by the Italian Presidency on the ‘one stop shop’ mechanism was discussed and a “majority of ministers endorsed the general architecture of the proposal and the Presidency concluded that further technical work will need to be done in the coming months”.

Regarding the EU PNR Directive, it is expected of the European Parliament to adopt as soon as possible its position so as to start negotiations with the Council.

In addition, the Council was updated on the state of play concerning the Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, and free movement of such data.

You can find the press release here and the compromise proposals agreed on here.

The ‘right to be forgotten’ extended to Google.com

Forgetting everywhere

As you might well remember, the Court of Justice of the European Union, in the judgement better known as the ‘right to be forgotten’ ruling, held that individuals, provided that certain prerequisites are met, have the right to require search engines, such as Google, to remove certain results about them presented in response to a search based on their name (you can read more here, here, here, here and here). According to the ruling, the original information will still be accessible under other search terms or by direct access to the publisher’s original website.

In this context, in cases where the criteria for deletion are met and where search engines do not remove the links requested by the data subject, the latter would be able to complain to its national data protection or judicial authority.

Therefore, last week, the Article 29 Working Party, which gathers representatives of the 28 national data protection authorities (hereafter DPAs) of the EU Member States, has adopted Guidelines on the implementation of the judgement. This has not really come as a surprise as the Working Party had already announced its decision to establish a common approach to the right to be forgotten.

Indeed, the ruling left many questions unanswered. For instance, it was left to be found out if Google was only obliged to block requested names for European domain names only or should do so for all Google search domains. Moreover, it was left unanswered how could the balance between the relevant rights and interests at stake be achieved and how the ‘public figure’ concept could be defined.

According to the Article 29 Working Party, the ruling only refers to search engines as “data controllers” and is not to be applicable to the original source of information, so the information is not to be removed entirely, just from search indexes.

Furthermore, considering that users are directed to localised editions of the company’s search service when they initially try to visit the Google.com website, Google’s current practice regarding delisting procedures consists in delisting results which appear in the European versions of its search engines, but not the international one, ‘.com’. In this regard, the Article 29 Working Party considers that Google has therefore failed to effectively implement the abovementioned ruling. It considers, indeed, that limiting the de-listing of search results to EU domains, on the grounds that users tend to access search engines via their national domains, does not sufficiently guarantee the rights of the data subjects. In fact, it concluded that the de-listing should be conducted on all the relevant ‘.com’ domains. This conclusion is certainly in line with a recent position of a French court which decided that Google should remove a link to a defamatory article for a particular search on both its ‘.fr’ and ‘.com’ domains.

In addition, the document clarifies that Google is not required to block links if searches lead to the same result without using the individual’s name and that, although all individuals have a right to data protection under EU law, DPAs should focus on claims where there is a clear link between the data subject and the EU.

Moreover, referring to the notice stating that “some results may have been removed under data protection law in Europe” posted by Google at the bottom of search results, the Working Party deems that the information provided to users of search engines that the list of results to their queries is not complete has no legal ground under data protection law and is only acceptable if it cannot be concluded that the results related to a particular individual have been de-listed.

Likewise, because there is no legal basis for such routine communication under EU data protection, and in order to avoid a ‘Streisand effect’, it is considered that search engines should not, as a general practice, inform the webmasters of the pages affected by removals of the fact that some web pages cannot be accessed from the search engine in response to a specific name based query. However, it is accepted that contacting the original editor of the content being targeted by a search de-listing request might actually be appropriate when more information is required in order to take a decision.

Furthermore, the guidelines establish a list of 13 common criteria which the data protection authorities should apply when handling complaints following refusals of de-listing by search engines.

It is also stated that no single criterion is determinative and that, in most cases, more than one will have to be taken into consideration. However, each criterion has to be applied in the light of the interest of the general public in having access to the information.

The Working Party further concluded that the impact of the de-listing on individuals’ rights to freedom of expression and access to information will prove, in practice, to be very limited and the balance between the public interest and the rights of the data subject will have to be assessed casuistically.

The abovementioned list includes an orientation regarding what can constitute ‘public life’, considering that, while details associated to the private life of a public figure may be delisted, information regarding the public role or activities should be available for search:

It is not possible to establish with certainty the type of role in public life an individual must have to justify public access to information about them via a search result. However, by way of illustration, politicians, senior public officials, business-people and members of the (regulated) professions can usually be considered to fulfil a role in public life. There is an argument in favour of the public being able to search for information relevant to their public roles and activities.

A good rule of thumb is to try to decide where the public having access to the particular information – made available through a search on the data subject’s name – would protect them against improper public or professional conduct. It is equally difficult to define the subgroup of ‘public figures’. In general, it can be said that public figures are individuals who, due to their functions/commitments, have a degree of media exposure.

In addition, search engines are called upon to be more transparent regarding the de-listing criteria. It is a legitimate concern, as Google has released only very limited and abstract information in this regard.

Despite the fact that these guidelines are not legally binding, they reflect a consensual position of national regulators and therefore will certainly influence the enforcement decisions taken by the Member States’ data protection authorities. Considering all the issues surrounding the implementation of the ruling, these guidelines are undoubtedly useful. Nonetheless, it remains to be seen whether Google will actually follow the guidance and extend de-listing to ‘.com’ as well.

In my personal opinion, it is quite outlandish and unrealistic, from both legal and technical points of view, to assume that the ‘right to be forgotten’ can become a global scenario and not just a European one. I mean, considering the overlapping jurisdictions regarding Internet, how come nobody considers the evidence that such a global de-listing sets up a divergence on the international level, between the EU Member States and the rest of the world?

The Internet should not be subjected to geographical boundaries. Assuming that the rules of one country can actually apply worldwide online can be associated with web censorship. In fact, the EU is not alone in its aim for the global implementation of its rules. Russia and China, for instance, have quite global ambitions regarding Internet governance. Of course, one may argue that the EU motivations are legitimate, intended to protect some individuals’ private sphere, and do not amount to censorship. But considering that the legitimacy of the measures is usually the most frequent argument regarding censorship, is this really the example the EU wants to set?

Google Break: The new reality show on the EU channel

Let's all break Google, the new EU h(l)obby!

I like the Google search service. I like it because it is the best at what it does. It is a fact that Google’s dominant position in the EU market is not due to the lack of competitors or due to a weaker competition. There are other big companies which provide the same sort of services. Microsoft Bing, Yahoo, DuckDuckGo… But they just don’t do it as well. Google’s dominance comes from a vast majority of EU citizens preferring its services over those provided by its competitors. It hasn’t grown into a verb by mere chance. This is what competition on the merits is all about. Theoretically, there is nothing wrong with dominance legitimately acquired. What about in practice?

In practice, Google has been having full-size antitrust problems regarding how it manages the search results presented. It has been alleged that those are manipulated in order to promote the company’s own services at its competitors’ expense and to be favourable to certain businesses in which it has an interest while being detrimental to others. The decline of once very influential publishing industries under the impact of the internet has most certainly contributed to the problem.

It is a fact that Google crosses the results from its search algorithms with links to its own related web services, such as YouTube, Maps and News, which expands the format of search results beyond a meagre index of links. From the user’s viewpoint, this is a good thing. From its competitors’ perspective, not so much. While Google is obviously dominant, it is yet to be confirmed whether it actually abuses its position in the EU market. Nevertheless, legitimate fears that this self-promotion may be harmful to users are increasingly prevailing among the EU regulators, to which the weight of certain interests might not have been completely irrelevant.

In this context, the European Parliament has just voted on a resolution on “consumer rights in the digital single market”, proposed by the European People’s Party (EPP) and the Socialists and Democrats (S&D), the two biggest political blocs of the European Parliament.

If I were remotely naïve, I would consider that it is certainly a coincidence that Andreas Schwab, one of the MEPs who proposed the resolution, is tied to the law firm which represents some of the German publishers against Google… Or that the fact that the two MEPs who proposed the resolution are national citizens from Germany and Spain, precisely the countries where legislative initiatives have recently been taken in order to make Google pay for links, is no more than happenstance.

Anyway, in paragraph 15 of the resolution, although the relevance of search engines for the functioning of a competitive digital single market is outlined, the European Commission is called upon to apply existing legislation and to consider whether ‘unbundling’ the search engine operations of Internet technology companies with activities in the EU from the rest of their commercial business services may boost competition in the EU market.

In a less politically correct way to put it, companies which promote their own non-search services through their search engine should have those services disaggregated. To what end? Well, what would be achieved through this action is not clear.

It is, however, evocative of previous statements of German politicians who considered that Google’s dominant position should be broken. Along the same lines, several of the complainants against Google – once again, inadvertently, mostly German publishers – called for this separation.

As far as I am aware, the European Commission has never requested the break-up of any company for anti-competitive practices. In fact, structural remedies as such should only be imposed if there is no equally effective solution, if this latter is more burdensome, or there is a risk for repeated infringement. Nonetheless, in this case, it seems very unlikely that it can be considered that Google’s competitors actually need Google’s infrastructure in order to be able to provide their own services. Anyway, for Google to actually be ‘broken up’, it would have to be demonstrated that it has abused its dominance in the search or advertising markets.

Needless to say, the separation of its search engine operations from its other lines of business would be seriously harmful for Google. As is well known, Google supplements the results from its search algorithms with advertising, which is its primary source of income. In case of separation, its value would certainly drop, its databases would be less complete and its search engine service would end up being less effective. Ironically, the measure would be quite disadvantageous to users of the search service.

Moreover, and more gravely, the resolution considers that “search process and results should be unbiased” and calls on promoting “non-discriminatory online search” in its paragraph 17, where it calls on the Commission to prevent any abuse in the marketing of interlinked services by search engine operators:

when operating search engines for users, the search process and results should be unbiased in order to keep internet searches non-discriminatory, to ensure more competition and choice for users and consumers and to maintain the diversity of sources of information; notes, therefore, that indexation, evaluation, presentation and ranking by search engines must be unbiased and transparent.

It appears that the underlying principle is that, even though consumers do prefer its search services over those provided by its competitors, consumers shouldn’t have to use a search provider’s bundled services just because that company promotes its other services. One should ask, though, whether it is reasonable to demand that a search engine service provider give no prominence to its own services in the search results presented and refrain from self-marketing.

Furthermore, while one could believe that there are some good intentions behind this ‘search neutrality’ goal, it seems that the intention is for providers to reveal their algorithm and how the results are determined, in order to ensure that the process is fairly conducted and is not unfavourable to its competitors. Nevertheless, the ‘search neutrality’ concept is just ludicrous. Search is inherently biased according to the criteria set. That is how search is supposed to be. It should return the most complete version of the results we ask to find and not results manipulated by the strongest website owner.

Coincidentally, it is reminiscent of the comical German ‘ancillary copyright’, which was intended to generate licensing revenue from Google for indexing publishers’ content, and of Günther Oettinger’s own stance on the issue. So one should really worry whether this is not just the first step towards a European ancillary copyright for press publishers.

To be truthful, the document does not mention Google or any specific search engine. However, it is very likely to be particularly directed at Google, as the company has a European market share of over 90%.

Despite its non-binding nature, and the fact that the European Parliament has no power of legislative initiative and certainly has no competence regarding the unbundling of companies, the resolution shows that the European Parliament is getting involved in a matter that falls within the jurisdiction of the Commission, considering the ongoing proceedings aiming to address the competition concerns on the market of internet search engines.

Anyway, it is certainly intended to put pressure on Margrethe Vestager, the new EU Competition Commissioner, considering that Joaquin Almunia, her predecessor, was unable to reach a satisfactory settlement regarding the complaints and the allegations concerning Google’s market power. In this regard, Joaquin Almunia considered that Google could not be broken up under existing competition legislation. So far, Margrethe Vestager has been cautious regarding the next steps to be taken.

That said, I guess this is just the beginning of this saga… But, considering all this, I cannot help being pessimistic. I am quite worried regarding what may follow.

The ‘One Stop Shop’ mechanism reloaded

Get all your data protection matters handled here!

The ‘one stop shop’ mechanism is one of the most heralded and yet most controversial features of the General Data Protection Regulation, the draft of which is currently being negotiated within the Council of the European Union.

According to the most recent proposal of the Italian Presidency of the Council of the European Union, where data protection compliance of businesses operating across several EU Member States is in question or where individuals in different EU Member States are affected by a personal data processing operation, it would allow businesses to only deal with the Data Protection Authority (DPA) of the country where they are established.

Cases of pure national relevance, where the specific processing is solely carried out in a single Member State or only involves data subjects in that single Member State would not be covered by the model. In such circumstances, the local DPA would investigate and decide on its own without having to engage with other DPAs.

These are, however, deemed to be the exception, as the mechanism aims for better cooperation among the DPAs of the different EU Member States concerned by a specific matter.

Therefore, in cross-border cases, the competence of the DPA of the EU Member State of the main establishment does not lead to the exclusion of the intervention of all the other supervisory authorities concerned by the matter. In fact, while the supervisory authority of the Member State where the company is established will take the lead of the process which will ensue, the other authorities would be able to follow, cooperate and intervene in all the phases of the decision-making process.

In this context, if no consensus is reached among the several authorities involved, the European Data Protection Body (hereafter EDPB) will decide on the binding measures to be implemented by the controller or processor concerned in all of their establishments set up in the EU. Similarly, the EDPB will have legally binding powers in case of failure to reach an agreement over which authority should take the lead.

Businesses operating across multiple jurisdictions in the EU, which handle vast amounts of personal data, would highly benefit from this ‘one stop shop’ concept, which would reduce the number of regulators investigating the same cases. Indeed, as things stand presently, a company with operations in more than one EU Member State has to deal with 28 different data protection laws and regulators, which unavoidably leads to a lack of harmonization and legal uncertainty.

The Article 29 Working Party has already manifested its support for a ‘one stop shop’ mechanism under the proposed EU General Data Protection Regulation.

However, in the past, Member States have manifested numerous reservations regarding this mechanism. Among the main concerns expressed were the following: businesses would be able to ‘forum shop’ in order to ensure that their preferred DPA leads the process; a DPA would not be able to take enforcement action in another jurisdiction; individuals’ rights to an effective remedy under EU laws would not be appropriately recognised; authorities without the lead position would not be able to influence processes related to data protection breaches involving nationals of their Member States.

As the way the ‘one stop shop’ mechanism would be implemented in practice is one of the main obstacles preventing the Member States from reaching an agreement on the wording of a new EU General Data Protection Regulation, let’s hope that the solution proposed by the Italian Presidency of the Council of the European Union does get closer to a suitable accommodation of the various concerns expressed by Member States.

The ‘EU Google Tax’ – A very unpromising work in progress?

Let’s tax Googleverything.

Once upon a time or, more precisely, about four years ago, a group of German newspaper publishers filed several antitrust complaints due to the use, in Google’s news service and search results, of article snippets from their publications.

One would think that the additional free traffic directed by Google, associated with this inclusion of short snippets from their stories, would actually be beneficial for publishers, generating more audience, making their content more valuable, and enabling them to sell more advertising.

It might be quite an accurate consideration but, as it seems, completely irrelevant because the main issue at stake was apparently reduced to the argument that Google was making money out of it:

Hans-Joachim Fuhrmann, a spokesman for the German Newspaper Publishers Association, said the Web sites of all German newspapers and magazines together made 100 million euros, or $143 million, in ad revenue, while Google generated 1.2 billion euros from search advertising in Germany. “Google says it brings us traffic, but the problem is that Google earns billions, and we earn nothing,” Mr. Fuhrmann said.

Although many, in fact, failed to understand how short excerpts shown as part of search results can be detrimental to newspaper publishers, last year, the German Parliament actually approved a new kind of copyright to protect online journalism and, consequently, subjected the presentation of news snippets and linking to the source to a licensing fee.

The law, better known as “ancillary copyright for press publishers” or “Leistungsschutzrecht für Presseverleger”, establishes that publishers have the exclusive right to commercialize their products or parts thereof. The law is intended to be particularly applicable to situations where companies commercially use third party content.

Therefore, a commercial aggregator or a search engine will not be able to aggregate quotations and links of journalistic articles unless they have received previous and explicit authorization. However, as this is intended to be a proportionate solution (?), the use of single words or very small text excerpts is allowed.

The main goal to be achieved is to enable publishers to receive an appropriate contribution for their content being promoted, for free, elsewhere than their websites.

Anyway, recently, the very same German publishers filed an antitrust complaint with the German Federal Cartel Office. Allegedly, due to Google’s dominance of the German search engine market, publishers were forced to agree to let Google use the snippets and links for free.

In parallel, based on the abovementioned German law, they also filed a copyright compensation claim with the Copyright Arbitration Board of the German Patent and Trade Mark Office, demanding that Google pay them 11% of its gross worldwide revenue on any search that results in Google showing a snippet of their content.

Well, this could have been just like any regular competition or copyright case. Except that, given its ludicrous details, it was not.

To start with, no advertising is displayed in the Google News service. Moreover, publishers do not have to be on Google at all. But, despite being able to ‘opt-out’, without any further consequences, the same publishers didn’t remove themselves from Google’s search. Indeed, Google has already ensured that publishers opting out of Google News won’t have their content removed from its search results. In addition, it has been demonstrated that publishers actually use every tool put at their disposal by Google, including Google Webmaster Tools and SEO (Search Engine Optimization) techniques, in order to achieve a better ranking position in search results.

This whole saga is not so vaguely reminiscent of a comical Belgian case, from 2006, where, following the complaint of a group of publishers, alleging that Google was infringing on their copyrights by linking to their newspaper articles, Google removed the links referring to content of those newspapers. However, due to the (expected) traffic drop which ensued, those publishers asked to be referenced again in the search engine results. (For more details, see here and here.)

As the story seems to repeat itself, the abovementioned antitrust complaint was ultimately rejected as inconclusive, no sufficient grounds having been found to justify an investigation.

In addition, Google decided to remove existing snippets and not to use any further news snippets referring to publications of those publishers. One would expect that the publishers would be satisfied with this initiative but, instead, they dramatically qualified it as “blackmail.”

Confused? Don’t worry. Apparently, this does not have to make any sense at all… And it gets worse!

Not having news snippets referring to their websites showing on Google News obviously put those publishers at a commercial disadvantage compared to other news websites, whose snippets continued appearing in the search results. In this context, and against all odds, the same old group of publishers announced the intention to grant Google a free license to use those kinds of excerpts.

This has led us to an interesting outcome, indeed.

So we now have a German law which allows publishers to collect license fees from news aggregators and search engines which use snippets of their content.

This law was primarily intended to address the specific concerns of a group of German publishers regarding Google’s market power and to regulate the particular situation of the snippets displayed on Google News.

But it turns out that, after all, Google will benefit from a preferential treatment precisely due to its dominant position in the EU market.

One would innocently expect that Member States could learn from each other’s mistakes…

Well, against our best expectations, that is not the case. Spain has just approved a new copyright law, which is controversial at many levels, namely because it has created a brand new ‘inalienable right’ (derecho irrenunciable) for news publishers.

In practice, it means that publishers won’t be able to refuse the use of “non-significant fragments of their articles” by third parties. However, it creates a compulsory license to compensate them for that use, which means that copyright holders can’t decide to allow the use of content for free and, therefore, completely overrides any concept of fair use, like Creative Commons-type licenses.

That said, an optimist would still hope that the same mistake wouldn’t be emulated at the EU level.

However, when Günther Oettinger, the next Digital Economy and Society EU Commissioner – considering his previous demonstration of obliviousness regarding the Internet in general – takes a stance on the issue, one cannot help but start worrying.

Indeed, as reported by Julia Reda (the Pirate Party MEP), Oettinger’s recent statements were as follows:

When Google is taking intellectual works from within the EU and using them, then the EU has to protect those works and demand a tax from Google.

I am really not sure that a similar tax is the way forward for the EU copyright reform in the digital age we are living in. The reform shouldn’t be aimed to target companies according to their position on the EU market.

To begin with, I am afraid that the whole aim of copyright laws – to provide an incentive for creativity – is somehow going amiss and that they will end up being used to protect businesses that refuse or are just unable to adapt their strategies to the fast-changing technological reality.

It is always very frustrating for any legal practitioner to deal with laws that are no longer suitable for the reality they are intended to be applicable to. But it is even more exasperating to deal with laws that were never appropriate to the situation which is intended to be regulated. To legislate in the new era with an old mindset is definitely not the way to go forward.

Moreover, I strongly believe that an extension of the existing copyright laws, namely regarding links, is not compatible with the spirit of openness that characterizes the Web and is mostly a reflection of the interest of publishers who have failed to achieve successful business models on the Internet. Taxing links might most likely lead to the smashing of the very basic premise of the Web.

Furthermore, I am worried that this might be the beginning of the end of freedom and access to unlimited information that characterizes the Internet as we know it and that it will stifle innovation brought by successful entrepreneurship.

Last but not least, all my criticism aside, considering the German example, how ironic would it be that, in the midst of all the concerns surrounding the dominant position of Google in the EU market, and in all the efforts deployed to fracture its market power, its dominant position would end up being strengthened?

© 2018 The Public Privacy