
Data Privacy

In 2015, too, the main topic of the Internet is data privacy. Because of slow legal development and the lack of internationality and effectiveness, the Council of the European Union has recently recommended the development and application of soft law. Professor Zankl has therefore developed contemporary Data Privacy Principles based on international standards, which can be applied worldwide in order to operate in an up-to-date manner and at the same time gain competitive advantages through compliance. These Principles were first introduced in 2014 by Professor Zankl at Harvard University and, after refinements made in coordination with the Computer Ethics Society Hong Kong, were presented to the German Chamber of Commerce in Moscow and the University Tianjin. In autumn further presentations and discussions will take place in Hong Kong with the Computer Ethics Society and at the University of Sydney. Below you will find the texts in English and Russian:

 


Data Privacy & European Internet Law 


As regards IT law, 2014 can be characterized by groundbreaking decisions of the European Court of Justice and ongoing data privacy disputes between Europe and major US companies like Google, Apple and Facebook. Prof. Zankl has recently given lectures about these developments and possible solutions (English/French) in the USA (Harvard University) and in Morocco (Universite HEM/Rabat). Please find the details here:


 

 

Groundbreaking IT-law developments: European Court of Justice abrogates Data Retention and allows Data Detention

by Wolfgang Zankl, Vienna

Within a few days the ECJ recently released two game-changing decisions regarding internet providers and their customers: first it accepted that courts may obligate providers to block their customers’ access to internet sites with copyright infringements. And then it declared the European Data Retention Directive to be invalid. This directive committed providers to store traffic and location data of their customers.

 

Due to the fact that providers usually supply only technical infrastructures, they can - according to the European E-Commerce Directive - basically not be held liable. For example, a host provider is exempt from any liability as long as he has no knowledge of violations; access providers are completely released from any liability whatsoever, even if they have positive knowledge of infringements.

 

In rather the opposite way, the ECJ judgment of March 27, 2014, states that holders of copyrights (in this specific case: Constantin Film) can apply for a court order to force access providers (here the Austrian provider UPC) to block their customers' access to websites containing infringements of such copyrights. This is remarkable because so far holders of rights had to prosecute the operators of violating websites or - under certain circumstances - host providers or customers of such sites rather than access providers who, as mentioned before, only supply a technical environment. This approach of the ECJ is not only new but also questionable, for several reasons: the first and most significant argument against website blocking obviously is that it means an infringement of fundamental rights, namely the customer's right of freedom of information according to Article 10 of the European Convention on Human Rights[1] (ECHR).

 

A counter-argument could be para 2 of Art 10 which allows restrictions of the right of freedom of information as long as such restrictions are necessary to protect rights of other individuals. This is what the ECJ seems to have in mind when it emphasizes that not blocking a website could be a violation of copyrights and related rights, which are intellectual property and are therefore protected under Article 17(2) of the Charter of Fundamental Rights of the European Union (CFREU). According to the ECJ the blocking measures adopted by access providers must therefore be “strictly targeted, in the sense that they must serve to bring an end to a third party’s infringement of copyright or of a related right but without thereby affecting internet users who are using the provider’s services in order to lawfully access information”.  

 

This restriction does not really solve the problem, though, because it remains unclear how exactly providers should handle this complicated and sensitive balance. Moreover, returning to the fundamental rights arguments, the ECJ does not deal with the fact that website blockings can easily be bypassed, even by users with average internet knowledge[2]. Considering this, it can hardly be said that such blockings, which violate the right of freedom of information according to the mentioned Art 10 para 1, are, in terms of Art 10 para 2, “necessary” to protect the rights of other individuals. And finally it should not be neglected that an obligation to block websites means legal uncertainty, because it raises the question whether providers can now be obliged to block all kinds of pages (for example Youtube) which contain copyright infringements. It has been argued that in its enquiries to the ECJ the Austrian Supreme Court referred only to internet pages which make content accessible "exclusively or predominantly" without permission of the copyright holder (and that therefore Youtube would not be affected by the ECJ’s judgment). The problem is that the ECJ’s judgment was not restricted to such sites, for which reason sites like Youtube could also be affected by blocking requests of copyright holders. But even if the ECJ judgment - contrary to its wording - were confined to "exclusively or predominantly" infringing sites, there would remain the problem of what “predominantly” exactly means, and there would also remain the even more complicated question of how and by whom it should be decided whether the illegal content predominates over the legal content.


The second judgment of April 8, 2014, which canceled the very controversial European Directive on Data Retention (which had been imposed in 2006 in the aftermath of terror attacks in Madrid and London in 2005) is, compared to the first judgment of March 27, much more precise and plausible in its argumentation concerning fundamental rights.


Again, the cause of the complaint came (among others[3]) from Austria (the Austrian Constitutional Court) and again the case was about providers and their customers’ fundamental rights. The Directive introduced an obligation of internet and telecommunication providers to store customers’ traffic and location data (who is calling, e-mailing or texting whom, when and where). Upon request providers then have to submit the collected data to the responsible law enforcement authorities.

 

The content of such data is exempt from storage and release to the authorities according to the Directive. But still, in many cases it is easily possible to trace content information by simply taking a closer look at traffic data. If a person is, for example, frequently calling a certain lawyer, it is quite obvious that this person is a client. If a person keeps sending and receiving e-mails to and from a doctor specialized in HIV diseases it is very likely that such person suffers from HIV and so on. By analyzing location data it is easy to keep track of activities carried out, of social relationships or environments of an individual and so on.

 

The ECJ regards this as a violation of the fundamental right of respect for private life[4], as a violation of the protection of personal data[5] and as a violation of the right of respect for freedom of expression[6]. The Court came to the conclusion that, by adopting the Data Retention Directive, EU legislation has exceeded the limits imposed by compliance with the principle of proportionality.

 

Furthermore the ECJ emphasizes that there is no precise definition of “serious crimes” which should be prevented by data storage according to the Directive; and the ECJ also underlines that a duty to save the customer's data up to two years is way too long, and that it is not determined where data should be stored regionally. The ECJ finally points out that the Directive lacks requirements to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data.

 

This view is to be utterly welcomed, because it corresponds to an overwhelming number of critical reviews. The e-center and many other institutions, scholars and courts throughout Europe have provided rich evidence that the complete and comprehensive surveillance of all European citizens, irrespective of a given suspicion of having committed or being about to commit a crime, means an absolutely unacceptable interference with fundamental rights. It remains to be seen how the decision of the ECJ will affect the transpositions of the Directive in the Member States. But it is clear that sooner or later these national laws based upon the Directive will either have to be adapted to the decision of the ECJ or be completely abolished.

 

For reasons already mentioned before, the latter would definitely be the better option: para 1 of Art 8 ECHR states that “everyone has the right to respect for his private and family life, his home and his correspondence”. According to para 2 “there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

 

The emphasis of the exemption to the right of privacy according to the mentioned Art 8 lies, again, on the word necessary. The interference with the right of privacy has to be necessary in order to be justified.

 

That this is not the case with Data Retention can easily be proved by European statistics which have brought clear evidence that Data Retention has no influence whatsoever on crime detection rates.[7] From this point of view it can hardly be said that Data Retention is “necessary”. And it can of course also be easily avoided by simply using prepaid anonymous devices or by surfing not from an identifiable office computer or at home but, for example, from an internet café. No trace will be left and so no data retention is possible. It can be expected that criminals will be skilled enough to realize and consider such obvious measures. So what we get in the end is not surveillance of those who should be observed but of those who should not. This can obviously not be “necessary”!

 

The same can be assumed for surveillance irrespective of any suspicion – a principle Data Retention is presently based upon. So if, for whatever reasons, Member States should decide to hold on to data retention (which they should, according to the arguments mentioned before, not do) they should, aside from considering the ECJ judgment, at least refrain from saving data on a general basis independent of any specific suspicion. The much more adequate way in terms of fundamental rights would be a quick freeze procedure storing only data of individuals who are at least suspected of committing or having committed a crime.

 


[1] “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This Article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.”

See also Article 11 of the Charter of Fundamental Rights of the European Union: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”

[2] There are many ways to bypass internet censorship. One way for example is changing the DNS (Domain Name System) server in the network configuration, another way is using a proxy server such as “hide my ass”.

[3] Irish High Court.

[4] Article 8 of the ECHR: “Everyone has the right to respect for his private and family life, his home and his correspondence”. Article 7 CFREU: “Everyone has the right to respect for his or her private and family life, home and communications”.

[5] Article 7 CFREU: “Everyone has the right to the protection of personal data concerning him or her”.

[6] Article 11 CFREU: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers”.

[7] The statistics show the detection rate of various crimes, for example, bank robberies, computer crime, etc.

The Max-Planck Institute determined that the accessibility of stored data did not change the crime detection rates (for example computer crime statistics 2007: 50%; 2008: 40%; 2009: 42%). The Institute came to the same result in connection with child pornography crimes. July 2011; direct link: www.bmj.de/SharedDocs/Downloads/DE/pdfs/20120127_MPI_Gutachten_VDS_Langfassung.pdf?__blob=publicationFile

 

The European Directive on Consumer Rights

by Wolfgang Zankl, Vienna

The general aim of many European e-commerce and e-business regulations is to put contracting partners, and especially consumers, interacting by means of electronic communication in a similar position to contracting partners who interact in a conventional way (conventional way meaning that contracting partners have face-to-face contact). This purpose is especially evident in the Directive on Consumer Rights, 2011/83/EC. As of 13 June 2014 it will replace the current Directive 97/7/EC on the protection of consumers in respect of distance contracts and the Directive 85/577/EEC to protect consumers in respect of contracts negotiated away from business premises.

The new Directive provides a number of fundamental legal rights for consumers in order to ensure a high level of consumer protection throughout the EU. Some types of contracts are excluded from the provisions of this Directive. One exception for example is the field of online gambling. Further exceptions apply to the right of withdrawal for contracts about goods made to the consumer’s specifications and perishable goods. Contracts for financial services are covered by their own Directive – the so-called Distance Marketing of Financial Services Directive 2002/65/EC, which is a systematic duplication of the former Distance Selling Directive to address the requirements of financial services in the context of new technologies.

The content of the Directive is divided into six chapters. Chapter 1 contains common definitions such as "consumer" and "trader" and provides a common set of rules applicable in all Member States.

Chapter 2 contains core information to be provided by traders prior to the conclusion of all consumer contracts and Chapter 3, which only applies to distance and off-premises contracts, provides specific information requirements and regulates the right of withdrawal. The two most important consumer rights according to Chapters 2 and 3 of the new Directive are:

- to receive comprehensive information, for example about the main characteristics and price including taxes of the goods, or the identity of the trader before the purchase and a confirmation of that information in a durable medium;

- to cancel the contract within a minimum of 14 days (with some exceptions). If the trader has not provided the consumer with the information on the right of withdrawal, the withdrawal period is extended to 12 months from the end of the initial withdrawal period.

Chapter 4 contains rules on delivery and passing of risk applicable to contracts for the sale of goods as well as certain rules applicable to all types of consumer contracts. The two most important consumer rights according to Chapter 4 of the new Directive are:

- the trader shall deliver the goods by transferring the physical possession or control of the goods to the consumer without undue delay, but not later than 30 days from the conclusion of the contract.

- the risk of loss of or damage to the goods shall pass to the consumer not before he has acquired the physical possession of the goods.

Chapters 5 and 6 finally contain general provisions, e.g. on enforcement and the transposition period for Member States.

As you can see, once more the consumer's rights were strengthened considerably. The question is whether this development is still adequate or has gone too far. From my point of view the latter seems to be the case: Even though there is no doubt that the consumer should be informed properly, this requirement cannot be met by expanding such information duties more and more, because in the end the consumer will no longer be able to detect the really important facts in the bulk of information he is confronted with (under the mentioned Financial Services Directive alone, the consumer has, for example, to receive information on more than 30 details).[1]

As far as the consumer's right to withdraw from online contracts is concerned, the extension of the withdrawal period (compared to the former distance selling regulations) is questionable, too, because the right to withdraw as such already puts him in a better position than he would have when concluding the same contract offline where there is no such right.

Such privilege might have been justified at the time when it was first introduced by the Distance Selling Directive, back in 1997, when e-commerce was new and consumers inexperienced. In the meantime purchasing by using electronic means and the internet is as common and normal as buying goods in regular shops. So it would have been worth considering to reduce or even completely abolish such privileges for e-commerce and simply leave the right to withdraw from a contract to the market, which is mostly granting such rights on a voluntary basis because consumers simply expect such rights.

The EU has chosen the opposite way and even strengthened the consumer's right to withdraw, accepting, on the other hand, that traders are, compared to regular business, placed in a disadvantageous position.

Against this background the Directive’s distance selling provisions should, where there is doubt, be interpreted rather restrictively. Unfortunately courts throughout Europe handle this issue in quite the opposite way by mostly deciding in favour of consumers.[2]



[1] Directive 2002/65/EC, Article 3, 4.

[2] For example: OGH 15.01.2013, 4 Ob 204/12x, ecolex 2013, 520 (Austrian Supreme Court);  BGH, 07.07.2010, VIII ZR 268 07 (German Supreme Court).