Tag Archives: cjeu

Where to after Watson: The challenges and future of data retention in the UK

An event hosted by the Bingham Centre for the Rule of Law and sponsored by Simmons & Simmons. 

Date: 11th May 2017
Time: 17:30 – 19:30 (Registration open from 17:00). Followed by a reception
Venue: Simmons & Simmons, City Point, 1 Ropemaker Street, London EC2Y 9SS
Cost: Members £15, Non-members £25

This event can be booked on the British Institute for International and Comparative Law website.

The judgment of the CJEU in the Watson case was handed down shortly before the year’s end in 2016. The determination that member states may not impose on communications providers a general obligation to retain data was applauded by privacy groups and has undoubtedly caused disquiet among those involved in policing and intelligence. What parliamentarians and judges will make of it in the coming months – and, post-Brexit, years – is both uncertain and important.

In this event, experts will examine the strengths, weaknesses and implications of the decision, with an eye to rights protections, the need to combat serious crime, and the practicalities of managing both in light of the European Court’s decision.

Speakers:

  • The Rt Hon Dominic Grieve QC MP, Chair of the Intelligence and Security Committee
  • Max Hill QC, Independent Reviewer of Terrorism Legislation
  • Dr Nora Ni Loideain, Incoming Director, Information Law and Policy Centre, IALS
  • Renate Samson, Chief Executive, Big Brother Watch

Chair:

  • Professor Lorna Woods, University of Essex

For more information download the event flyer and join in the conversation: @BinghamCentre, #Watson

AG Szpunar in Stichting Brein v Ziggo: An Indirect Harmonisation of Indirect Liability?

In the following piece, Christina Angelopoulos, Lecturer in Intellectual Property Law at the University of Cambridge, analyses the recent Opinion by AG Szpunar in case C-610/15, Stichting Brein v Ziggo. The post was originally published on the Kluwer Copyright Blog.

On 8 February, Advocate General Szpunar handed down his Opinion on Stichting Brein v Ziggo. The case is significant, as it represents the first time that the liability of an internet intermediary for copyright infringement will be considered by the CJEU. To date, all decisions handed down by that court on intermediary liability have instead concentrated on the related question of injunctions against intermediaries whose services are used by third parties to infringe.

Questions Referred

The case finds its origins in the Netherlands, where Stichting Brein, a Dutch anti-piracy organisation, applied for an injunctive order against internet access providers Ziggo and XS4ALL that would require them to block access for their customers to the peer-to-peer file-sharing website The Pirate Bay (TPB).

That application was upheld at first instance, but dismissed on appeal, on the grounds that, first, it is the customers of Ziggo and XS4ALL, and not TPB itself, who are the originators of the copyright infringements and, secondly, that the blocking sought would not be proportionate to the aim pursued, i.e. the effective protection of copyright.

The case eventually made it before the Hoge Raad, the Dutch Supreme Court, which decided to submit two questions to the CJEU. Essentially, these ask the following:

  1. Does TPB, by providing a system through which metadata on protected works that are present on its users’ computers is indexed and categorised, thus enabling those users to trace, upload and download the works, engage in a communication to the public of those works for the purposes of EU copyright law?
  2. If the answer to Question 1 is negative, may an injunction nevertheless be issued against Ziggo and XS4ALL, requiring them to block access for their customers to TPB?

It should be noted from the outset that these two questions are seen by the Dutch court as interconnected. The Hoge Raad is essentially querying whether TPB must be an infringer before access to it may be blocked.

[To continue reading this post on the Kluwer Copyright Blog, click here.]

New Study on Intermediary Liability and European Copyright Reform

Dr Christina Angelopoulos, associate research fellow at the Information Law & Policy Centre and lecturer at the University of Cambridge, has authored a study entitled ‘On Online Platforms and the Commission’s New Proposal for a Directive on Copyright in the Digital Single Market’.

The study, commissioned by MEP Julia Reda, evaluates the provisions of the European Commission’s Proposal of 14 September 2016 for a Directive on Copyright in the Digital Single Market that are relevant to the issue of intermediary liability.

The study concludes that key elements of these provisions are incompatible with existing EU directives, as well as with the Charter of Fundamental Rights of the EU.

In particular, the study suggests that the Proposal misinterprets EU copyright and related rights law by implying that intermediaries that allow users to host content in a public manner are themselves performing an act of communication to the public. The study argues that acts of facilitation of third party copyright infringement are instead the rightful domain, not of primary, but of accessory liability, an area of copyright and related rights law that has not yet been harmonised at the EU level.


New Special Issue of Communications Law: Information control in an ominous global environment

The Information Law and Policy Centre is pleased to announce the publication of a special issue of the Communications Law journal based on papers submitted for our annual workshop last November. The journal articles are available via direct subscription, through the Lexis Library (IALS member link) and (coming soon) Westlaw.

In the following editorial for the special issue, Dr Judith Townend, Lecturer in Media and Information Law, University of Sussex, (the outgoing Director of the ILPC, Institute of Advanced Legal Studies) and Dr Paul Wragg, Associate Professor of Law, University of Leeds discuss the challenges of information control in an ominous global environment.

This special issue of Communications Law celebrates the first anniversary of the Information Law and Policy Centre (ILPC) at the Institute of Advanced Legal Studies. It features three contributions from leading commentators who participated in the ILPC’s annual conference ‘Restricted and redacted: where now for human rights and digital information control?’, which was held on 9 November 2016 and sponsored by Bloomsbury Professional.

The workshop considered the myriad ways in which data protection laws touch upon fundamental rights, from internet intermediary liability, investigatory and surveillance powers, media regulation, whistle-blower protection, to ‘anti-extremism’ policy. We were delighted with the response to our call for papers. The conference benefited from a number of provocative and insightful papers, from academics including Professor Gavin Phillipson, Professor Ellen P Goodman, Professor Perry Keller and Professor David Rolph as well as Rosemary Jay, Mélanie Dulong de Rosnay, Federica Giovanella and Allison Holmes, whose papers are published in this edition.

The date of the conference, by happenstance, gave extra piquancy to the significance of our theme. News of Donald J Trump’s election triumph spoke to (and continues to speak to) an ominous and radically changed global environment in which fundamental rights protection takes centre stage. But as Trump’s presidency already shows, those rights have become impoverished in the rush to promote nationalism in all its ugly forms.

In the UK, the popularism that threatens to rise above all other domestic values marks a similar threat, in which executive decision-making is not only championed but also provokes popular dissent when threatened by judicial oversight. The Daily Mail’s claim that High Court justices were ‘enemies of the people’ when they sought to restrict the exercise of unvarnished executive power reminds us that fundamental rights are seriously undervalued.

Perhaps we should not be surprised at these events and their potential impact on communication law. In February 2015, at the ILPC’s inaugural conference Dr Daithí Mac Síthigh delivered a powerful paper in which he noted the rise of this phenomenon in the government’s thinking on information law and policy under the Coalition Government 2010-15. In his view, following an ‘initial urgency’ of libertarianism, the mood changed to one of internet regulation or re-regulation. Such a response to perceived disorder, though not unusual, was ‘remarkable’ given how the measures in this field adopted during these final stages of the last government had been ‘characterised by the extension of State power in a whole range of areas.’ We should also note the demise of liberalism in popular thought. That much criticised notion which underpins all fundamental rights seems universally disclaimed as something weak and sinister. All of this speaks to a worrisome future in which the fate of the Human Rights Act remains undecided.

Concerns like these animate the papers in this special issue. The contribution from leading data protection practitioner Rosemary Jay, Senior Consultant Attorney at Hunton & Williams and author of Sweet & Maxwell’s Data Protection Law & Practice, is entitled ‘Heads and shoulders, knees and toes (and eyes and ears and mouth and nose…)’. Her paper discusses the rise of biometric data and restrictions on its use generated by the General Data Protection Regulation. As she notes, sensitive personal data arising from biometric data might be more easily shared, leading to loss of individual autonomy. It is not hard to imagine the impact unrestricted data access would have – the prospective employer who offers the job to someone else because of concerns about an applicant’s cholesterol levels; the partner who leaves after discovering a family history of mental ill health; the bank that refuses a mortgage because of drinking habits. As Jay concludes, consent will play a major role in regulating this area.

In their paper, Federica Giovanella and Mélanie Dulong de Rosnay discuss community networks, a grassroots alternative to commercial internet service providers. They discuss the liability issues arising from open wireless local access networks after the landmark Court of Justice of the EU decision in McFadden v Sony Music Entertainment Germany GmbH. As they conclude, the decision could prompt greater regulation of, and political involvement in, the distribution of materials through these networks which may well represent another threat to fundamental rights.

Finally, Allison M Holmes reflects on the impact on fundamental rights caused by the status imposed on communication service providers. As Holmes argues, privacy and other human rights are threatened because CSPs are not treated as public actors when retaining communications data. As she says, this status ought to change and she argues convincingly on how that may be achieved.

Information Law and Policy Centre’s annual workshop highlights new challenges in balancing competing human rights


Our annual workshop and lecture – held earlier this month – brought together a wide range of legal academics, lawyers, policy-makers and interested parties to discuss the future of human rights and digital information control.

A number of key themes emerged in our panel sessions including the tensions present in balancing Article 8 and Article 10 rights; the new algorithmic and informational power of commercial actors; the challenges for law enforcement; the liability of online intermediaries; and future technological developments.

The following write up of the event offers a very brief summary report of each panel and of Rosemary Jay’s evening lecture.

Morning Session

Panel A: Social media, online privacy and shaming

Helen James and Emma Nottingham (University of Winchester) began the panel by presenting their research (with Marion Oswald) into the legal and ethical issues raised by the depiction of young children in broadcast TV programmes such as The Secret Life of 4, 5 and 6 Year Olds. They were also concerned with the live-tweeting which accompanied these programmes, noting that very abusive tweets could be directed towards children taking part in the programmes.


Eduardo Ustaran: Life after Safe Harbor – an action plan

In this piece that originally appeared in the Internet Newsletter for Lawyers, Eduardo Ustaran, partner at Hogan Lovells, considers the implications of the CJEU’s recent decision in the Schrems case and sets out an action plan for companies previously reliant on Safe Harbor for EU to US transfers.

On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.

Background

Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.

The Schrems case

One particular individual, Austrian law student Max Schrems, decided not to wait for the outcome of the re-negotiation of Safe Harbor. He lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the USA. However, the Irish Commissioner rejected the complaint on the basis that the adequacy of Safe Harbor had already been determined by the European Commission and therefore, it was not open to the Irish Commissioner to challenge the European Commission’s “adequacy finding”. This was not accepted by Schrems who sought judicial review of the Commissioner’s decision by the High Court of Ireland, which then referred the case to the CJEU.

In its ruling, the CJEU confirms that a national data protection authority is always empowered to challenge the adequacy of data transfers. More importantly, the ruling goes beyond this specific question by declaring that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe.

The practical effect of Schrems

The decision invalidating Safe Harbor has the following immediate consequences:

  • Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorised by data protection authorities or fit within one of the legal exemptions.
  • Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimise data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
  • US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to engage their services lawfully.

It is also critical to appreciate that the CJEU did not rule on whether the Safe Harbor principles were sufficiently close to the European data protection standards. The CJEU ruled that Safe Harbor is no longer a valid mechanism to legitimise data transfers because it does nothing to address the potentially excessive interference of US law with the fundamental rights to privacy and data protection that exist under EU law. Therefore, any alternative mechanisms being relied on will need to address this specific point by ensuring that they refer to this potential conflict in a data protection compliant way.

Consent

Data transfers can lawfully be made with the consent of the individual. However, consent must be freely given and while it is possible to make consent a condition for the provision of a non-essential service, consent is unlikely to be valid if the individual has no real choice. This is particularly the case in the context of employment where, if an existing employee is required to agree to the international transfer of personal data, any consent given is unlikely to be valid if the penalty for not agreeing is dismissal.

Consent must also be specific and informed. This means that the individual must know and understand what such consent will amount to. Individuals should be informed of the reasons for the transfer and, if possible, the countries involved. In addition, any identified risks involved in the transfer should be brought to the individual’s attention. As a result, in practice it will be very difficult to make a valid argument that consent provides a lawful basis to legitimise international data transfers.

The EU authorities’ position

The EU Article 29 Working Party issued a statement following the CJEU decision emphasising that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

Therefore, the EU data protection authorities have made it clear that they expect companies to ensure an adequate level of protection for European data at all times. In the meantime, the Working Party will continue to analyse the available transfer tools, such as the Standard Contractual Clauses and Binding Corporate Rules, but these transfer mechanisms can be subject to investigation by data protection authorities to protect individuals in “particular cases,” for instance on the basis of complaints.

Action plan

Before the January 2016 enforcement deadline, companies that previously relied on Safe Harbor for their EU to US transfers should follow this process:

  • Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimised by Safe Harbor.
  • Prioritise key transfers for the business by reference to the nature of the data and its use.
  • For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.
  • For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
  • US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.
  • Finally, whatever the mechanisms used, ensure that they include suitable measures to deal with requests for disclosure of personal data by law enforcement authorities.

Eduardo Ustaran is a partner in the Privacy and Information Management practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran. This piece originally appeared on the Internet Newsletter for Lawyers and is shared with the author and publisher’s permission.