ICT Law Newsletter

Transcription

ICT Law Newsletter
ICT Law Newsletter
Number 51 – April 2015
FOCUS: EUROPE
2
• WP 29 defines the scope of Health Data collected by mobile apps and devices
2
• National legislations may extend broadcasting organizations’ exclusive right provided in the EU Copyright Directive
3
• Courts of a Member State where a work is accessible online have jurisdiction to hear case
4
• WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the
Right to be Forgotten”
5
• WP 29 document on a new co-operation procedure regarding contractual clauses 6
FOCUS: BELGIUM
7
• Belgian collecting society SABAM may not levy royalties on ISPs 7
• Bhaalu case: Flemish Media Regulator rules in favor of broadcasters Medialaan, SBS Belgium, and VRT in their
suit against Right Brain Interface
8
• The UsedSoft decision of the European Court of Justice on the resale of software has been successfully alleged by
the second acquirer 9
FOCUS: THE NETHERLANDS
10
• Google wins appeal in first Dutch ‘Right to be Forgotten’ case
10
• Bill submitted to increase penalty powers of the Dutch Data Protection Authority to EUR 810,000 or 10% of the
annual turnover of certain legal entities
11
• Dutch DPA: Employment agencies violate the privacy of the temporary workers
12
• The Dutch House of Representatives requests Privacy Impact Assessment for new legislation
14
FOCUS: LUXEMBOURG
15
• A new bill on data retention 15
Judica Krikke
Gérald Origer
Erik Valgaeren
Partner
T • +31 20 546 02 12
judica.krikke@stibbe.com
Partner
T • +352 26 61 81 11
gerald.origer@stibbe.com
Partner
T • +32 2 533 53 43
erik.valgaeren@stibbe.com
FOCUS: EUROPE
WP 29 defines the scope of Health Data collected by mobile apps and devices
In light of the Internet of Things, mobile apps that are
installed in smartphones, other portable electronic devices,
and smartwear devices collect and process increasingly
large quantities of data – especially personal data. Among
these mobile apps, an increasing number of lifestyle apps
are currently available. They collect a variety of data about
the user’s day-to-day activities (e.g., one’s health and
physical conditions, eating, sleeping, and workout habits).
These mobile app users are often not aware of the kinds of
data that are being processed and the adverse effects the
processing could have on their private life and reputation.
Therefore, the category health data is considered a special
category of sensitive data to which a higher level of
protection applies.
As a response to the request of the European Commission
in the light of its mobile Health or mHealth initiative, the
Article 29 Working Party (“WP 29”) gave its clarification on
the scope of health data, as set out in Article 8 of the Data
Protection Directive (Directive 95/46/EC). The WP 29
clarifies that personal data is qualified as health data if it falls
within the broad scope of one of the following categories or
description:
1. The data is inherently/clearly medical data;
2. The data are raw sensor data that can be used in itself or
in combination with other data to draw a conclusion
about the actual health status or health risk of a person;
3. Conclusions are drawn about a person’s health status or
health risk (irrespectively of whether these conclusions
are accurate or inaccurate, legitimate or illegitimate, or
otherwise adequate or inadequate).
Although not all information collected through lifestyle apps
constitutes health data within the meaning of Article 8 of the
Data Protection Directive, e.g., an app that registers the
number of steps one takes during a walk does not collect
ICT Law Newsletter – Number 51 – April 2015
enough information to draw conclusions on the health status
of the user, the opinion of the WP 29 warns of the
processing of data that are in the “grey zone”, i.e., where it
is not directly obvious in determining if the data collected
can be considered health data. The WP 29 emphasizes
accordingly that not only the type of data but especially the
intended use of data must be considered when assessing
whether personal data qualifies as health data. In that way,
even low impact data can be considered health data when
used (especially in combination with other data) to determine
the health status of the user. For example, an app for
runners (e.g., Nike +) might only collect limited information
about a user (i.e., the blood pressure level and speed), but
such information collected over a long period of time,
combined with data on the user’s age and gender can be
used to draw conclusions on the user’s health status.
Because of the prohibition of processing health data under
Article 8 of the Data Protection Directive, a data controller
who intends to process health data needs to rely on one of
the derogations laid down in the same provision. According
to the WP 29, the derogation that would most likely apply to
this scenario would be when there is explicit consent of the
data subject for such processing, provided that the data
subject is clearly informed about the intended use of his or
her data. In addition, the opinion focuses on additional
obligations (e.g., principle of purpose limitation and security
obligations) that will need to be taken into account by data
controllers (i.e., lifestyle app developers) when processing
health data.
Michiel Van Roey
Junior associate
T • +32 2 533 52 07
michiel.vanroey@stibbe.com
2
FOCUS: EUROPE
National legislations may extend broadcasting organizations’ exclusive right provided in
the EU Copyright Directive
On 26 March 2015 the Court of Justice of the European
Union (“CJEU”) held that the EU Copyright Directive (
Directive 2001/29/EC of the European Parliament and of the
Council of 22 May 2001 on the harmonization of certain
aspects of copyright and related right in the information
society) must be interpreted as not precluding national
legislations to extend the exclusive rights of broadcasting
organizations beyond the legal protection as set forth in
Article 3(2)(d) of the EU Copyright Directive, provided that
such protection does not undermine that of copyright.
The CJEU states firstly that the objective of the EU
Copyright Directive was not to remove any differences
between national legislations that do not adversely affect the
functioning of the internal market. Therefore, the EU
Copyright Directive has only partially harmonized the
copyright legal framework. Then, the Court, relying on
Directive 2006/115 on rental and lending rights and certain
rights related to copyright, affirms that MS should be able to
provide, on a national level, for wider protection than the
protection afforded under the EU Copyright Directive.
The issue before the Swedish Supreme Court concerned
the alleged infringement of the rights of C More
Entertainment AB. C More Entertainment is a pay-TV station
that offers live streaming of ice hockey matches on its
website. Mr Sandberg places links on his website that
allows Internet users to access C More Entertainment’s
website and watch the live streaming of two hockey
matches for free. In this context, the Swedish Supreme
Court submitted five questions to the CJEU, but
subsequently decided to withdraw four of them (which were
already answered by the recent Svensson case C-466/12).
In substance, the remaining question was: “May the
Member State (MS) give wider protection to the exclusive
right of authors by enabling ‘communication to the public’ to
cover greater range of acts than those provided for in Article
3(2) of the EU Copyright Directive?”
The Court concludes that Article 3(2) of the EU Copyright
Directive does not preclude an MS to grant broadcasting
organizations the exclusive right to authorize or prohibit acts
of communication to the public (with no consideration about
whether this act also represents an act of making available
to the public) of their transmissions, but provided that such
protection does not undermine that of copyright. This ruling
is in line with Recital 7 of the EU Copyright Directive
whereby “the directive does not have the objective of
removing or preventing differences that do not adversely
affect the functioning of the internal market”.
As an introductory point, the CJEU restates Article 3(2)(d) of
the EU Copyright Directive whereby “MS are to provide for
the exclusive right for broadcasting organizations to
authorize or prohibit the making available of fixations of their
broadcasts to the public, in such a way that members of the
public may access them from a place and at a time
individually chosen by them.” The CJEU clarifies that the
“making available to the public” was actually included within
the concept of “communication to the public” referred to in
Article 3(1) of the Directive. In any event, in order for an act
to fall under the category “making available to the public”
and thus to benefit from the protection of Article 3(2)(d), this
act must (i) make it possible for the public to access the
protected work from a place chosen by them and (ii) at a
time chosen by them. However, the transmissions made
available by Mr Sandberg cannot be considered as
amounting to “interactive on-demand transmissions”.
Nevertheless, the Swedish legislation affords a wider
protection as it is not limited to acts that make works
available “on demand”.
ICT Law Newsletter – Number 51 – April 2015
This case is particularly interesting in the way that it moves
away from the precedent CJUE ruling in the Svensson case.
In the latter case, the CJUE was asked whether an MS
could extend the protection afforded to the copyright
holders through an extension, on a domestic basis, of the
notion of “communication to the public” under Article 3(1) of
the EU Copyright Directive. The CJUE answered in the
negative, stating that if it had held otherwise, the objective
pursued by the EU Copyright Directive would have been
undermined. The CJUE held that allowing the MS to widen
the concept of “communication to the public” would
necessarily affect the functioning of the internal market.
Conversely, in the present case, the CJUE, presumably
because it reads the EU Copyright Directive in conjunction
with Directive 2001/29, allows MS to extend the rights set
forth in Article 3(2) of the EU Copyright Directive.
The case (C-279/13) can be found on http://curia.europa.eu
Carol Evrard
Junior associate
T • +32 2 533 57 42
carol.evrard@stibbe.com
3
FOCUS: EUROPE
Courts of a Member State where a work is accessible online have jurisdiction to hear case
On 22 January 2015 the European Court of Justice (ECJ), in
its judgment C-441/13, held that a court of a Member State
where a work is accessible online does have jurisdiction to
hear the case if the damage has occurred or might occur in
that Member State.
Article 2 of Regulation 44/2001 of 22 December 2000 on
jurisdiction and the recognition and enforcement of
judgments in civil and commercial matters (“Regulation
44/2001”) stipulates that persons domiciled in a Member
State shall be sued in the courts of that Member State. By
way of exception, and hence to be interpreted restrictively,
Article 5(3) of this Regulation states that the courts of the
place where the harmful event occurred or might occur can
be seized in matters relating to tort, delict, or quasi-delict.
In the case at stake, a German-based company had
published on its website pictures that were taken by an
Austrian photographer and had done so without this
photographer’s consent and without any recognition of
authorship. The photographer subsequently sued the
company before the Austrian courts. The company
(defendant) argued that the Austrian courts lacked
jurisdiction because the website was not directed at Austria
and that the mere fact that the website can be accessed
from Austria is insufficient to confer jurisdiction on the
Austrian courts.
ICT Law Newsletter – Number 51 – April 2015
The ECJ confirmed, however, that in accordance with Article
5(3) of Regulation 44/2001, the Austrian courts could be
seized on the basis of the place where the alleged damage
occurred. As a matter of fact, the likelihood of damage
occurring in a particular Member State is subject to the
condition that the right whose infringement is alleged is
protected in that Member State.
The ECJ further confirms that unlike Article 15(1) of
Regulation 44/2001, Article 5(3) does not require that the
activity concerned be directed to the Member State in which
the court seized is situated. In the case at issue, the
occurrence of damage and/or the likelihood of its
occurrence arise from the accessibility in the Member State
of the photographs to which the rights relied on retain.
This case can be found on: http://curia.europa.eu
Cédric Lindenmann
Junior associate
T • +32 2 533 54 56
cedric.lindenmann@stibbe.com
4
FOCUS: EUROPE
WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory
Council Report on “the Right to be Forgotten”
On 13 May 2014 the European Court of Justice (“ECJ”)
delivered a landmark ruling, the so-called “Google Spain
Case” (“the Ruling”). Because this decision has generated
several concerns and could have potentially led to Member
States’ diverging application of this case-law, the European
Commission (“the Commission”), followed by the Article 29
Working Party (“WP 29”), issued guidelines (“Guidelines”) on
the matter.
In February 2015 Google’s Advisory Council published its
report on “the Right to be Forgotten” to advise Google on
how to implement the Ruling properly. Notwithstanding the
broad scope given by some in their interpretation of the
Ruling, it seems that the ECJ did not intend its judgment to
be one of principle.
In the first part of the Guidelines, the WP 29 specifies the
most important elements of the Ruling. It confirms that,
according to the ECJ, search engines operators process
data are considered data controllers. The legal basis lies in
the legitimate interest of the controller or of third parties to
which the processed data are disclosed. This legal basis is
different from the one justifying the publishing of content by
the original publisher. That is why, in some instances,
although the publishing of some information by the original
publisher might be lawful, the accessibility to those
information by means of a search engine might, however, in
turn be unlawful. In any event, search engine operators are
supposed to assess the legitimacy of the data processing
only at the data subjects’ request. Moreover, those data
subjects, when they are refused its request to be de-listed,
should be allowed to turn to the competent data protection
authority (“DPA”) to contest that decision of refusal.
Regarding transparency, the search engines could only
inform their users that some results have been removed if it
was not, on this sole basis, possible for them to conclude
that a specific individual has asked for this de-listing. Lastly,
the WP 29 considers that an effective de-listing decision
should have a global territorial reach and affect all domain
names, including those ending with .com.
In the second part of its Guidelines, the WP, through its
creating a list of “common criteria for the handling of
complaints by EU DPAs”, has undertaken to harmonize the
way these DPAs should deal with de-listing-related
complaints. The WP 29 makes it clear, however, that the
assessment of the data subjects’ complaints must be made
on a case-by-case basis. The criteria are indeed merely
“flexible working tool”, none of which being determinative.
They will always have to be applied in accordance with
applicable domestic legislation.
These Guidelines complement the report published on 19
September by the EU Commission and aim to rebut the
“myths” surrounding the Ruling. This report refutes some
ideas that have erroneously emerged, e.g.: the Ruling does
ICT Law Newsletter – Number 51 – April 2015
not contradict freedom of expression, nor does it allow for
censorship. Indeed, it is emphasized that the Ruling does
not enable people to have the contested search results
removed in all cases, but only if the interest to privacy
overrides the respect for other fundamental rights. No less
importantly, the EU Commission clarifies the scope of the
Ruling, stating that it only concerns the right to be forgotten
“regarding search engine results involving a person’s name”.
The resulting consequences to this clarification are twofold:
(i) only the link to the disputed content can be deleted, the
content itself remains unaffected in its original location on
the internet; (ii) the content can still be found via the same
search engine when using a different query.
Finally, the most recent developments regarding the
appropriate implementation of the Ruling are contained in
the report published by Google’s Advisory Council
(“Report”). This panel of independent experts has been
asked to advise Google in this regard. The panel has based
its advice on, inter alia, the opinion on experts from all over
Europe, the European Court of Human Rights case-law,
policy guidelines of new organizations, and also the WP 29
Guidelines discussed above. Remarkably, the Report
emphasizes that the Ruling does not establish a general
right to be forgotten. Indeed, the balancing test that has to
be used by Google might lead to the conclusion that
overriding interests justify a de-listing refusal. The Report
states that “the Ruling, while reinforcing European citizen’s
data protection rights, should not be interpreted as a
legitimation for practices of censorship of past information
and limiting the right to access information.”
Further, and in line with the WP 29 approach, the Report
lists the main criteria to be used for assessing delisting
requests: (i) the data subject’s role in public life; (ii) the nature
of the information; (iii) the source of the information; and (iv)
the time that has elapsed since the original publication.
Then, the Report explains key procedural elements in this
respect. Two of them are worth emphasizing. Firstly, the
Panel advises, as a good practice, that the search engine
should notify the publishers of the delisting to the extent
allowed by law. That is to say, in compliance with each
Member State’s domestic data protection law, among other
regulations. Secondly, contrary to the WP 29 Guidelines, the
Report states that the de-listing should not operate globally.
The rights of the data subjects are, according to the Panel,
adequately protected if de-listings apply only to the
European versions of the search. This is based on the
finding that 95% of all European search queries are
conducted on local versions of Google. The Report
concludes that “removal from nationally directed versions of
Google’s search services within Europe is the appropriate
means to implement the Ruling at this stage.”
The Ruling allows for a major enhancement to the data
subjects’ right online. However, it seems that this has been
5
FOCUS: EUROPE
widely misinterpreted. To increase clarity regarding its
implications, the WP 29, the EU Commission, and later, a
panel of experts, have published reports and guidelines on
how to implement the Ruling correctly. Although those
reports differ in some aspects (e.g., the geographical scope
of the de-listing obligation), there seems to be a growing
consensus towards the inexistence of the so-called right to
be forgotten. The Ruling is a mere application of the
balancing test that must be made, on a case-by-case basis,
between, on the one hand, the rights to privacy and data
protection, and on the other hand, the rights to freedom of
expression and access to information.
Carol Evrard
Junior associate
T • +32 2 533 57 42
carol.evrard@stibbe.com
WP 29 document on a new co-operation procedure regarding contractual clauses
On 26 November 2014 the Article 29 Data Protection
Working Party (“WP 29”) issued Working Document WP226.
This document sets forth a co-operation procedure for issuing
common opinions on contractual clauses that are considered
compliant with the EC Model Clauses. Through this
document the WP 29 wants to establish a more harmonized
approach among the national data protection authorities
(“DPAs”) throughout the multiple jurisdictions of Europe in
approving EU Model Clauses.
decision-making process. The chosen lead DPA has the
possibility to transfer the application to another DPA if it
believes this other DPA is more suitable as the lead DPA.
Such transfer needs to be conducted under supervision of
the Presidency of the WP 29. Additional to the lead DPA and
depending on the number of Member States from where the
data is transferred, one co-reviewer (if less than 10 Member
States) or 2 co-reviewers (if more than 10 Member States) will
be appointed.
The Model Clauses were adopted by the European
Commission to enable companies to put in place sufficient
safeguards for legally framing international data transfers
outside the EEA. In principle, companies choosing to use
such clauses may not change them unless they seek prior
approval from the DPA of the Member State from where the
transfer is taking place (“competent DPA”). Nevertheless, it is
possible for companies to draft a contract that contains
additional (commercial) clauses alongside these Model
Clauses as long as there is no direct or indirect contradiction
between them.
The review should be done in the context of a Mutual
Recognition, and DPAs can freely decide on whether it wants
to participate. The lead DPA will conduct the review and,
once it is decided that the proposed contract conforms to the
Model Clauses, it will send its conclusion in the form of a draft
letter to the co-reviewer(s). The latter must submit their
comments (if any) within a one-month deadline. If no
comments are made within this timeframe, the draft letter, the
analysis, and the draft contract will be sent to the other
competent DPAs. Only those not participating in the Mutual
Recognition procedure are allowed to make comments those
documents. At a final stage, the lead DPA will sign the letter
on behalf of all competent DPAs and will send it to the
company.
In many Member States, a company must obtain an
authorization from the DPA—before the data transfer—for
both the use of an ad hoc contract and the use of Model
Clauses. In a situation where the company wants to transfer
data from different EU/EEA countries, this obligation entails
the risk that the DPAs in the different Member States would
not reach the same conclusion regarding the same draft
contract.
Through this Working Document, the WP 29 launches a
procedure that will enable companies to obtain a coordinated
position of the different DPAs regarding their proposed
contract. DPAs are free to decide, based on the
circumstances, whether such co-operation procedure is
opportune or not.
As a first step in the co-operation procedure, the company
needs to choose a lead DPA out of the several competent
DPAs. In the Working Document, the WP 29 sets out different
possible decisive factors that can guide the company in the
ICT Law Newsletter – Number 51 – April 2015
Through this Working Document, the WP 29 is clearly
choosing the path of harmonization, which is desirable to
create uniformity and legal certainty within the EU.
Nevertheless, this procedure only relates to conformity to the
EC Model Clauses. But when permits or authorizations are
legally required, national DPAs may still analyze the annexes
and descriptions of data transfers to assess their legality
under national law. Moreover, in a situation where a company,
after initially having intended to transfer data from a few
Member States, decides to extend the geographical scope
after the co-operation procedure, the additional competent
DPAs are not bound by the decision made in the co-operation
procedure. They are free to conduct their own analysis of the
draft contract, but the company will have to bear the risk
should the DPAs decide otherwise on the contract.
This article was written by student trainee Dorien Taeymans.
6
FOCUS: BELGIUM
Belgian collecting society SABAM may not levy royalties on ISPs
On 13 March 2015 the Brussels Court of First Instance
issued a judgment in the cease-and-desist case the Belgian
state brought against the collecting society SABAM, which
was suing Internet service providers (ISPs). According to
SABAM, the ISPs themselves—besides the Internet
users—“communicate” works to the public, and such
communication would require authors’ consent under
copyright law and, therefore, payment of specific royalties.
However, the supervising authority of collecting societies
within the Ministry of Economy did not agree with SABAM’s
argument, and, through a specific administrative procedure,
it had SABAM summoned so that its claim against the ISPs
would stop. Since SABAM did not accede to this demand,
the Ministry of Economy sought eventually the Court to
order a cease-and-desist injunction. The main Belgian ISPs
joined the proceedings in support of that request.
After a detailed examination of all the ISP’s activities, the
Court recalled the applicable legal provisions, including
Directive 2001/29/EC of 22 May 2001 on the harmonisation
of certain aspects of copyright in the information society, the
case-law of the European Court of Justice (ECJ), and more
particularly the recent Svensson (C-466/12) and Bestwater
International cases (C-348/13). Then, the Court formulated
two hypotheses: either the ISP’s activities are a mere
provision of physical facilities for enabling or making a
communication (and in this scenario, it does not in itself
amount to a communication, pursuant, notably, to Recital
27 of the Directive 2001/29/EC), or they do more than that.
In the latter scenario, even if one were to consider that the
ISPs make any additional communication to the “initial”
communication of their customers or the content suppliers,
this would not satisfy the public requirement: either there is
no large indefinite number of persons when looking at the
ICT Law Newsletter – Number 51 – April 2015
communication originated from the Internet user/content
supplier to its ISP, or there is no “new public” when the ISP
makes the content available to its customers because this is
precisely the intended purpose of the initial communication
of the Internet user/content supplier.
As a result thereof, there is no valid ground for claiming
royalties on such activities. When doing so, SABAM does
violate Belgian copyright law, and therefore, the Belgian
state is right to have intervened.
Finally, it is worth mentioning that the Court found that there
was no need to refer to the ECJ for a preliminary ruling
because the existing case-law provided sufficient guidance.
In this regard, the Court stressed the differences between
the disputed case and some landmark decisions previously
rendered by the ECJ, such as the decisions in Airfield
(C-431/09) and SGAE/Rafael Hoteles (C-306/05). Also, the
Court recalled that ISPs are intermediaries that are essential
for the functioning of the Internet, in the light of the decision
UPC Telekabel (C-314/12). Without them, the “initial”
communication cannot take place.
By the end of March, SABAM has decided to lodge an
appeal against the Court of First Instance’s decision.
The case can be found on http://www.ie-forum.be
Nicolas Roland
Counsel
T • +32 2 533 51 51
nicolas.roland@stibbe.com
7
FOCUS: BELGIUM
Bhaalu case: Flemish Media Regulator rules in favor of broadcasters Medialaan, SBS
Belgium, and VRT in their suit against Right Brain Interface
Right Brain Interface NV is a young technology company
that has created a remote DVR (digital video recording)
storage service called Bhaalu. In essence, this service allows
its subscribers to record the television shows, which they
can watch according to their TV channels’ subscription and
store them on servers owned by the unincorporated
association of Bhaalu users (“in the cloud”). This way,
Bhaalu users can watch TV shows on demand up to 3
months after they have been aired.
The Bhaalu system is also called a Collaborative Video
Recorder (or CVR) because the users are basically sharing
the cost of certain common components of the CVR
hardware, without it being technically possible for them to
share content with or transfer the content to other users.
Naturally, Bhaalu’s entry on the Belgian market has led to a
great deal of opposition by Belgian broadcasters, provoking
Medialaan, VRT, and SBS Belgium to sue Right Brain
Interface before the Antwerp Commercial Court on grounds
of their right to exclusive reproduction and communication
enshrined in the Belgian Copyright Act. The broadcasters
also filed a complaint with the Flemish Media Regulator on
grounds of Right Brain Interface’s violation of the Flemish
Government Decree of 27 March 2009 (the “Media
Decree”).
On November 4, 2014 the Antwerp Commercial Court ruled
that Right Brain Interface could not lawfully rely upon the
“private copy” exception enshrined in the Belgian Copyright
Act. Even though Right Brain Interface has since
suspended its activities, it did apply for an appeal against
this decision. On January 12, 2015 the Flemish Media
Regulator also decided in favor of the Belgian broadcasters.
The broadcasters asserted that Right Brain Interface should
be considered a “service provider” in the meaning of Article
2, 7° of the Media Decree. As a service provider, Right Brain
Interface would be obliged, according to Article 180 of the
Media Decree, to:
• transmit linear television shows—that are included in the
range of television services in the Flemish Community—
unabridged, unaltered, and in their entirety, at the actual
time these television shows are aired.
• seek prior consent of the broadcasters so that these
broadcasters may offer its customers an option to have a
delayed, shortened, or altered viewing of the linear
television shows.
However, Right Brain Interface does not transmit linear
television shows in an unabridged, unaltered way and in
their entirety at the actual time these television shows are
aired. In addition, Right Brain Interface did not obtain the
ICT Law Newsletter – Number 51 – April 2015
broadcasters’ prior consent so that they could offer its
customers the said option for delayed, shortened, or altered
viewing of linear television shows.
The Media Decree defines “service providers” as any entity
providing one or more broadcasting services to the public
by means of electronic communication networks, with the
exception of broadcasting organizations that only make their
own broadcasting services to available to the public. This
third category of market players (which fall between a
broadcaster and a network operator) was added to the
Media Decree to cope with future technical evolutions in the
media sector. The Flemish Media Regulator held that Bhaalu
was indeed the result of such technical evolutions and
needed to be considered a service provider under the Media
Decree.
In reaching this decision, the Flemish Media Regulator first
considered that it was not required for service providers to
provide the broadcasting services to the public via their own
network. The Flemish Media Regulator also considered that
it was irrelevant whether these services were broadcast on
individual request or whichever technique was used to
broadcast them (including point-to-point technique or, as in
the present case, unicast technique). The fact that the
Bhaalu user must indeed have made a recording instruction
so that the signal via unicast would be forwarded to him
does not, according to the Flemish Media Regulator, imply
that Bhaalu did not provide broadcasting services.
Therefore, the Flemish Media Regulator declared that Right
Brain Interface has violated Article 180 of the Media Decree
by: (i) not transmitting the linear television shows—that are
part of their range of television services in the Flemish
Community—unabridged, unaltered, and in their entirety, at
the exact time these television shows are aired, and (ii) not
obtaining prior consent of the broadcasters so that they
could offer its customers an option allowing for a delayed,
shortened, or altered viewing of linear television shows.
However, given that Right Brain Interface had already
ceased its Bhaalu-related activities after the Antwerp
Commercial Court rendered its decision on November 4,
2014, the Flemish Media Regulator only issued Right Brain
Interface a warning and ordered it to stop committing further
violations.
Valerie Vanryckeghem
Associate
T • +32 2 533 51 72
valerie.vanryckeghem@stibbe.com
8
FOCUS: BELGIUM
The UsedSoft decision of the European Court of Justice on the resale of software has been
successfully alleged by the second acquirer
On 26 January 2015, the Court of Appeal of Gent dismissed
the claim of a software company for copyright infringement
against another company that integrated its computer
program into an ERP solution for dentists.
This computer program and the accompanying license key
were ordered by and delivered electronically to an authorized
reseller for the explicit purpose of resale. On many
occasions, the Court stressed the fact that, apparently, the
software company did not impose any restriction in this
respect. Also, it appears that the defendant that acquired
such computer program from the reseller did not know that
it was the property of the plaintiff since the reseller never
mentioned it and the software company failed to
demonstrate that its licensing scheme should normally have
been passed on to the defendant via the reseller. The latter
went bankrupt two years later.
The software company then initiated a lawsuit against the
second acquirer, asking for monetary damages and a
cease-and-desist injunction.
However, pursuant to the Court that made several
references to the landmark decision of the European Court
of Justice dated 3 July 2012 UsedSoft v. Oracle (C-128/11),
the defendant is a “lawful acquirer” within the meaning of
Article 4(1) of the Council Directive 91/250/EEC of 14 May
1991 on the legal protection of computer programs (the
Directive) since it validly acquired the disputed component
from an authorized reseller.
ICT Law Newsletter – Number 51 – April 2015
Therefore, the Court found that the defendant may benefit
from the exception of Article 5(1) of the Directive, pursuant
to which the authorization of the right holder is not required
for some acts (such as the permanent or temporary
reproduction by any means and in any form, in part of in
whole) where they are necessary for the use of the computer
program in accordance with its intended purpose. In the
current case, the disputed software development kit aims to
integrate third party applications. Furthermore, the Court
ruled that the software company contractually agreed with
such resale for commercial use, at least implicitly.
Finally, the Court decided that the right of distribution is
exhausted towards the defendant and that such exhaustion
does not relate solely to one physical copy of the program.
Should the license key be used only-once for resale, then
the software company should have expressly stipulated so,
said the Court.
The case can be found on http://www.ie-forum.be
Nicolas Roland
Counsel
T • +32 2 533 51 51
nicolas.roland@stibbe.com
9
FOCUS: THE NETHERLANDS
Google wins appeal in first Dutch ‘Right to be Forgotten’ case
In May 2014, the European Court of Justice made a
groundbreaking decision regarding the Costeja-case, often
referred to as the Google Spain case. This case briefly
stated that Google is bound to remove certain search results
should a person request Google to do so. A person can file
such a request when he is of the opinion that these results
can no longer be considered adequate or relevant, or when
the processing of such search results is excessive and
subsequently infringes the privacy of the respective person.
This European case has had great consequences for
Google; the search engine has since received almost
240,000 requests and has evaluated more than 865,000
URLs. If Google refuses to remove certain search results,
one can start legal proceedings on a national level.
In the Netherlands, one of the first cases dealt with by the
national courts regarding the “Right to be Forgotten” was
the case of a Dutch escort boss, X. X was sentenced to six
years in prison in 2012 following a failed attempt to procure
the murder of a competing escort boss. He gave very
detailed instructions to an assassin, who, unbeknownst to
X, was secretly filming the entire conversation. The hit-man
proceeded to give the footage to Peter R. de Vries, a crime
journalist, who aired the tape during an episode of his very
popular true-crime TV show. Due to the mass media
attention, an author also decided to write a criminal novel
about the case, proclaiming it “faction”, a combination of
fact and fiction. X is currently awaiting the appeal of his
criminal procedure and claims that he is unable to pick up
his day-to-day life, due to the fact that if you Google him,
search results about the criminal case, the TV show and the
book pop-up. He has filed a request for Google to remove
certain search results and that Google’s auto-complete
feature abstains from automatically connecting him to the TV
show and the novel. X believes that Google actively
manipulates the search results with no other aim than to
harm him. Google should generally refrain from any
infringement on X’s privacy. In first instance, the District
Court rejected X’s requests. The Court is of the opinion that
X has committed a serious crime which has led to a huge
amount of publicity. The Court states that the Costeja-case
ICT Law Newsletter – Number 51 – April 2015
does not aim to protect a person from all negative
information published on the internet, but that a person
should be protected from being haunted by irrelevant or
unnecessary defamatory posts. The Court also believes that
the search results relating to X’s criminal offences cannot be
considered irrelevant and that the connection via autocomplete with Peter R. de Vries is logical. The right of
freedom of information outweighs the right of privacy of X.
The ruling of the District Court is confirmed in appeal. The
Court of Appeal states that although X is still awaiting the
appeal in his criminal procedure, he has submitted no
information which detracts from the existence of this
conviction. The online publications are therefore the result of
his own conduct. It is in the public interest that information
about serious crimes, and consequently about the
prosecution and conviction of X, can be accessed. X has
not been able to prove that Google manipulates the search
results. Furthermore, X has not contested the fact that the
search results generated via the auto-complete feature are
based on the number of times users have entered certain
search results. There is no evidence that Google has
deliberately caused damage to X and X has not argued that
the auto-complete feature generates additional search
results that would harm him. The general ground of appeal
that Google should refrain from infringing X’s privacy is too
broad and has been rejected. The Court’s lesson for X is
clear: if you play with fire, you are going to get burned.
Source: Court of Appeal Amsterdam, 31 March 2015,
ECLI:NL:AMS:2015:1223
Friederike van der Jagt
Senior associate
T • +31 20 546 01 44
friederike.vanderjagt@stibbe.com
10
FOCUS: THE NETHERLANDS
Bill submitted to increase penalty powers of the Dutch Data Protection Authority to EUR
810,000 or 10% of the annual turnover of certain legal entities
On 24 November 2014 State Secretary Teeven (from the
VVD, a conservative-liberal party) submitted a second
memorandum of amendment concerning the legislative
proposal adjusting the Dutch Data Protection Act (“DDPA”).
The amendment, to be introduced through an adjustment of
article 66 DDPA, is intended to give the Dutch Data
Protection Authority (“DPA”) the authority to impose higher
administrative fines and to be able to do so in more cases.
At the moment this authority is limited to a number of
specific administrative provisions such as failure to register a
data processing with the DPA. Furthermore, the maximum
possible fine is EUR 4,500 which is relatively low and is in
practice not imposed. The legislative proposal extends this
authority to a large number of general obligations under the
DDPA and introduces penalty categories which range from
EUR 20,250 for relatively minor violations, to EUR 810,000
for intentional and repeated violations, which can have
significant social repercussions. An even higher flexible
financial penalty is proposed in relation to legal entities: if the
maximum fine level of EUR 810,000 is not sufficiently
punitive, the DPA can impose a fine equal to a maximum of
10% of the annual turnover of the respective legal entity. It is
remarkable (and good news in practice) that the fine for not
registering a data processing with the DPA, which until now
was one of the only provisions from the DDPA that was
fineable, will cease to exist.
The legislative proposal is consistent with the penalty
categories included in article 23 of the Dutch Criminal Code.
However, the DPA can only impose such an administrative
fine after it has issued a binding instruction to the offender. A
time limit in which the offender has to follow the instruction
can be imposed. The offender may file a notice of objection
against this decision – although this will not suspend the
proceedings. This can be problematic since this could in
practice lead to two parallel procedures. In situations
involving an intentional breach of the material standards of
the DDPA, there is no obligation to give a binding instruction
and the DPA can impose a fine directly.
ICT Law Newsletter – Number 51 – April 2015
If the legislative proposal is accepted, the DPA shall be
referred to as ‘Personal Data Authority’. This reflects the
terminology of the European proposal for the new General
Data Protection Regulation and to prevent any existing
confusion with the Dutch Bureau for Economic Policy
Analyses (in Dutch “CPB”, DPA in Dutch “Cbp”). In addition
the DPA will in the future need approval from the Minister of
Security and Justice for the guidelines which serve to
explain and interpret the material standards of the DDPA,
under which an administrative penalty can be imposed for
violations.
The proposal derives from the coalition agreement, which
contained an increase of penalty powers. This reinforces
supervision and shifts the focus from remedy sanctions such
as incremental payments, often imposed by the DPA under
the present system, towards administrative fines. The
question is, however, whether this will make a difference in
practice, especially considering the fact that the DPA is
obligated to first issue a binding instruction. This obligation
arises from the advice of the Council of State that, given the
‘vague’ standards of the DDPA, it is undesirable to impose a
penalty without a previous warning. The DPA does not agree
with this part of the proposal: it feels like a ‘paper tiger’ and
believes it will not be able to act promptly and efficiently. A
fear exists that companies and organisations will not feel the
urge to comply with the law. Paper tiger or not, one thing is
certain: the creation of a wider penalty authority
demonstrates that, after years of talking and lobbying,
compliance with the privacy rules is being taken seriously.
Privacy compliance has become a boardroom issue and is
expected to be on the agenda of a number of companies in
2015.
Friederike van der Jagt
Senior associate
T • +31 20 546 01 44
friederike.vanderjagt@stibbe.com
11
FOCUS: THE NETHERLANDS
Dutch DPA: Employment agencies violate the privacy of the temporary workers
Each year the Dutch Data Protection Authority [“DPA”],
taking its limited capacity into account, sets out a number of
key objectives on which it will focus. The protection of
privacy in the employment relationship has been one of the
priority areas over the last two years. Having regard to the
financial dependence between employee and employer and
the increasing pressure on the employees as a result of the
economic crisis, the employee is in a vulnerable position in
terms of protecting its privacy. The DPA received various
signals that employment agencies appeared to be violating
the privacy of temporary workers. In a temporary
employment relationship the agency acts as the employer of
the temporary worker [“temp”]. For these reasons, the DPA
decided to carry out an investigation in respect of two large
employment agencies regarding their compliance with the
Dutch Data Protection Act [“DDPA”].
Processing of copies of ID cards
According to the DPA, the investigations confirmed that the
employment agencies are violating data protection laws on
various points. For example, copies of ID cards are made as
soon as the temp signs up at an employment agency and
these copies are being shared with potential clients. Making
a copy of an ID is only permitted if there is a legal basis, for
example under the Wages and Salaries Tax Act or the
Foreign National Employment Act, or when it is necessary in
connection with the performance of the contract with the
data subject. The reason behind this is that the copies of ID
cards left lying around can easily lead to identity fraud. ‘ID
copies’ also contain information about race and nationality,
and the sharing of this information [at an early stage] can
lead to discrimination. In addition, this means that the Social
ICT Law Newsletter – Number 51 – April 2015
Security Number [“SSN”] of the temp is also being
processed without any legal basis. As long as an individual
has not actually started working for the agency, the
aforementioned exceptions cannot be invoked. The legal
obligations to process a copy of an ID or SSN only exist
when someone actually starts working for the agency. As a
result, it will only be necessary to process the information at
that stage in order to be able to perform the temporary
employment contract with the temp.
The necessary monitoring of a person’s identity by the
agencies during the selection process can be effected in a
lawful manner by letting the temp show its ID and allowing
the intermediary to check it without making a copy. The
employment agencies do not agree with this point of view of
the DPA: they find the method impractical and are afraid of
mistaken identities or mix-ups, particularly because temps
often speak to multiple agencies.
Absence registration
The DPA also noted that both employment agencies
process too much data on temps who are ill. The agencies
list the nature and cause of the illness, which is not allowed.
In line with the previous investigations into processing data
of ill employers by absenteeism agencies and occupational
health and safety services, the DPA holds that the agencies
are only allowed to record that someone is ill and to what
extent he/she is incapacitated. Furthermore, this is only
permitted when it is necessary for the re-integration or the
guidance for the employee as a result of illness or incapacity
or to meet legal objectives.
12
FOCUS: THE NETHERLANDS
Criminal antecedents
Retention period and follow up
Employment agencies want to be able to screen people for
their criminal past for certain positions. The processing of
criminal information is, however, prohibited under the DDPA,
unless one of the legal exceptions can be invoked. In
practice, use of the certificate of good conduct is often
made. This does not contain information about a person’s
previous convictions or on-going criminal proceedings.
Because an application for a certificate can take some time,
the agencies usually ask a temp to fill out a statement, in
which they indicate if they have or have not committed any
criminal offences. If the temps report criminal facts through
the statement, processing of criminal information takes
place. Furthermore, this statement is also shared with clients
of the employment agency. The agencies are of the opinion
that this is allowed because they have received consent for
the processing thereof from the temps. However, according
to the DPA, this consent cannot be relied on: a successful
appeal to base the processing of personal data on the
justification ground of ‘consent’ can only exist if the consent
is given freely. In this case consent is not given freely
because of the imbalance in the relationship between the
temp and the employment agency.
Personal data cannot be held for longer than necessary in
order to fulfil the purposes for which they were collected,
unless the retention is necessary to meet legal retention
obligations. However, in some cases the data were retained
longer: one agency even retained the data for 24 [!] years.
Religious symbols
One of the employment agencies occasionally recorded that
a temp was wearing a headscarf. In principle, processing
such information is forbidden precisely because this can
lead to discrimination based on religion or belief. There is no
legal exception in place that allows the employment
agencies to process such data.
ICT Law Newsletter – Number 51 – April 2015
The practical implementation of the obligations of the DDPA
which companies and business must comply with still
remains an obstacle. In early 2014, therefore, the DPA
published various do’s and don’ts in which a straightforward
explanation was given on how to handle the privacy of the
employee in the workplace. Useful guidelines regarding the
processing of copies of IDs have also been published.
The investigated employment agencies have promised to
improve and have adapted or started to adapt their way of
working. The DPA will keep a close eye on the matter: the
DPA can order enforcement measures, for example
imposing an order subject to a penalty, if the violations
continue.
Source: http://www.cbpweb.nl/Pages/pb_20141120_
uitzendbureaus.aspx
Friederike van der Jagt
Senior associate
T • +31 20 546 01 44
friederike.vanderjagt@stibbe.com
13
FOCUS: THE NETHERLANDS
The Dutch House of Representatives requests Privacy Impact Assessment for new
legislation
On 11 November 2014, the motion Segers/Oosenbrug on
Privacy Impact Assessments was adopted by the House of
Representatives [“the House”]. The motion was proposed in
connection with a legislative proposal, namely 34000 VII
Budget Memorandum of Interior and Kingdom Relations
2015. The House expects a so-called Privacy Impact
Assessment [“PIA”] to be performed by the government
when proposed legislation may have an impact on the
processing of personal data. If the PIA is not performed, it
will be up to the government to explain why the PIA is
missing.
A PIA is a tool designed to help with setting out privacy risks
in the development of new policies and relevant legislation.
Questionnaires and test models are examples which can be
used. The purpose behind performing a PIA is to put
measures in place to reduce or eliminate privacy risks at an
early stage.
A “Key Model Privacy Impact Assessment Civil Service” has
been in place within the government since 2013. This model
requires the government to perform a PIA while developing
new legislation or policy related to the installation of large
data files or the construction of new IT systems.
The model has to be taken into account and considered in
the Explanatory Memorandum of the legislation concerned.
The House wants to introduce an obligatory PIA for all new
legislation likely to have an impact on the processing of
personal data. In practice, the broadly defined motion will
lead to PIAs being undertaken on a regular basis. Minister
Plasterk of Interior and Kingdom Relations indicated that the
motion supports government policy. He did point out that
the application of the current key model will be evaluated in
the summer of 2015.
The minister is not required to actually implement the
adopted motion. Nevertheless, he will have to inform the
House via the annual budget whether or not he has taken
action in respect of the motion.
ICT Law Newsletter – Number 51 – April 2015
The call for a PIA by the government is in line with the
proposed European privacy regulation. The new Regulation
in article 33, expected to be agreed on at European level in
the course of 2015, imposes an obligation to perform a PIA
by companies and governments if the intended data
processing “present[s] specific risks to the rights and
freedoms of data subjects by virtue of their nature, their
scope or their purposes.”
Currently, there are already some prior tests in place. In
addition to the opinion of the Council of State, the
government is required to ask the Data Protection Authority
[“DPA”] for advice on proposed legislation that is fully or
largely related to data processing under article 51(2) Dutch
Data Protection Act.
The added value of a PIA lies in the fact that the privacy
impact of new legislation is critically evaluated at an early
stage of the legislative process. The broadly defined motion
means, however, that more proposals may be subject to a
PIA, when compared with the amount of times the DPA is
requested to advise at present.
The wording of the motion is not clear on whether “new
legislation” only applies to laws, orders of Councils or even
ministerial regulations. One thing is obvious: the privacy
aspects of laws and regulations may look forward to
increasing scrutiny and developments in the near future.
Source: https://zoek.officielebekendmakingen.nl/
dossier/33727/kst-34000-VII-21.html
Friederike van der Jagt
Senior associate
T • +31 20 546 01 44
friederike.vanderjagt@stibbe.com
14
FOCUS: LUXEMBOURG
A new bill on data retention
On January 7, 2015, the Luxembourg Ministry of Justice
filed with the Chamber of Deputies bill n° 6763 (the Bill)
modifying Article 67-1 of the Luxembourg Criminal
Procedure Code (the Criminal Code) and Articles 5, 5-1
and 9 of the Act of May 30, 2005 laying down specific
provisions for the protection of persons with regard to the
processing of personal data in the electronic
communications sector, as amended from time to time (the
2005 Privacy Act).
refer to Article 67 -1 (4) of the Criminal Code where an
exhaustive list of offences has been inserted.
By so doing, the Luxembourg government aims to comply
with the Court of Justice of the European Union (the ECJ)
ruling of April 8, 2014, the so-called “Digital Rights”, in joint
cases C-293/12 - Digital Rights Ireland and C-594/12 Seitlinger and Others, whereby the ECJ has declared the
Data Retention Directive 2006/24/EC to be invalid.
The Bill also amends Articles 5 (6)- and 9 (6) of the 2005
Privacy Act by modifying the penalties to be imposed in
case of breach of Article 5 (1) to 5 (5) and Article 9 (1) to 9
(5) o the 2005 Privacy Act. The penalty incurred will be now
a sentence of six months to two years of imprisonment and/
or a fine of between EUR 251 and EUR 125 000.
The Bill focuses on traffic data (Article 5 of the 2005 Privacy
Act) and location data other than traffic data (Article 9 of the
2005 Privacy Act).
Finally, the Bill will oblige service providers and operators,
through the amended Article 5-1, to store data on the
territory of the European Union.
Firstly the Bill intends to amend the current access by the
judicial authorities to retained data for the purposes of the
investigation, detection and prosecution of criminal offences
subject to a criminal or correctional penalty of at least one
year of imprisonment. Now Articles 5 (1) (a) and 9 (1) (a) will
ICT Law Newsletter – Number 51 – April 2015
Furthermore, the Bill proposes to amend Articles 5 (1) (b)
and 9 (1) (b) by stating that service providers and operators
must delete irrevocably and without any delay the retained
data at the end of the 6 months retention period. Service
providers and operators cannot keep anonymous data at
the end of the retention data anymore.
Johanne Mersch
Associate
T • +352 26 61 81 20
johanne.mersch@stibbe.com
15
For more information
If you require further copies of this newsletter, or advice on any of the matters raised in it, please contact:
Erik Valgaeren, T +32 2 533 53 51, F +32 2 533 51 15, erik.valgaeren@stibbe.com
Brussels
Amsterdam
Luxembourg
Central Plaza
Loksumstraat
Rue de Loxum 25
1000 Brussels
Belgium
T • +32 2 533 52 11
F • +32 2 533 52 12
Stibbetoren
Strawinskylaan 2001
P.O. Box 75640
1070 AP Amsterdam
The Netherlands
T • +31 20 546 06 06
F • +31 20 546 01 23
Rue Jean Monnet 6
2180 Luxembourg
Luxembourg
T • +352 26 61 81
F • +352 26 61 82
Dubai
Hong Kong
London
New York
Dubai International Financial Centre
Gate Village 10 Level 3 Unit 12
P.O. Box 506912
Dubai
United Arab Emirates
T • +971 4 401 92 45
F • +971 4 401 99 91
Suite 1008-1009
10/F, Hutchison House
10 Harcourt Road
Central, Hong Kong
T • +852 2537 0931
F • +852 2537 0939
Exchange House
Primrose Street
London EC2A 2ST
United Kingdom
T • +44 20 7466 6300
F • +44 20 7466 6311
489 Fifth Avenue, 32nd floor
New York, NY 10017
USA
T • +1 212 972 4000
F • +1 212 972 4929
The ICT Law Newsletter
is also available on
our website
www.stibbe.com
All rights reserved. Care has been taken to ensure that the content of this newsletter is as accurate as possible. However the accuracy and completeness of the
information in this newsletter, largely based upon third party sources, cannot be guaranteed. The materials contained in this newsletter have been prepared and
provided by Stibbe for information pruposes only. They do not constitute legal or other professional advice and readers should not act upon the information
contained in this newsletter without consulting legal counsel. Consultation of this newsletter will not create an attorney-client relationship between Stibbe and the
reader. The newsletter may be used only for personal use and all other uses are prohibited.
© Stibbe 2015 Publisher: Erik Valgaeren, Stibbe, Central Plaza, Loksumstraat 25 rue de Loxum - BE-1000 Brussels