legal liability & data protection paul van den bulck attorney-at-law at the paris and brussels...

Post on 23-Dec-2015


Legal Liability & Data Protection

Paul Van den Bulck

Attorney-at-law at the Paris and Brussels Bars

Partner Ulys Law Firm

Lecturer at University Paris II Panthéon-Assas (France)

Lecturer at the University R. Schuman (Strasbourg)

Brussels

21 September 2007

WWW.ULYS.NET

paul.vandenbulck@ulys.net

Review on the basis of the European legislation

Diversity of geographic seats of the different Euro Info Centers

Diversity of different national legislations implementing different European rules (some of them are sometimes more restrictive when Directives allow it)

Preliminary remarks

I LEGAL LIABILITY

3 aspects :

I. Find the information

II. Extract the information

III. Deliver the information

Legal and information watch

analogue (“paper”)

electronic (internet, ..)

verbal sources (political speeches, declarations, public lectures, …)

I. Finding of the information

- Various media:

- No specific legal problem linked to the medium

II. Extraction of the information

- Protection of the information by the copyright framework

- Protection by the database legal framework

A. Protection by the copyright

2 main types of rights:

- Economic rights: reproduction, communication and distribution

- Moral rights: mainly the right of respect of the integrity of the work and the right for the author to have his/her name indicated on the work.

Various exceptions to the economic rights

- Vary from one Member State to another

- Main exceptions included in the Directive on Information society and of interest to the Euro Info Centers

Reproductions on paper or any similar medium

Quotation (+ author’s name)

Political speeches as well as extracts of public lectures or similar work (+ author’s name)

B. Protection by the database legal framework (directive 96/9/EC)

Definition database :

(1) a collection of independent works, data or other materials arranged

(2) in a systematic or methodical way

(3) and individually accessible by electronic or other means.

Some websites enter in the scope of such definition.

Legal system : - Protection of the presentation of the database :

“Sui generis” right in favor of the “maker”: the right of the maker of a database to prevent extraction and/or re-utilization of the whole or of a substantial part of the contents of the database

Condition of this right: the maker must show that there has been a substantial investment in either the obtaining, verification or presentation of the contents

Copyright in favor of the author if the database, by reason of the selection or arrangement of its contents, constitutes the author’s own intellectual creation

- Protection of the database itself :

- Protection of one or several data by copyright : data = work of author

Right of the maker : prevent …

Extraction: transfer to another medium

Re-utilization: making available to the public (distribution of copies, renting, transmission on-line, etc…)

Focus : what about GOOGLE ?

• As a way to find information: no specific legal problem. The use of a search engine is at the present time not forbidden

• As a way to extract information:

copyright protection for GOOGLE results data

• check exceptions

copyright protection for the presentation of GOOGLE results

• but no sui generis protection for the maker of the database

British horseracing case law ECJ 2004

exclusion from data created at the same time as its processing

III. Delivery of the Information

3 aspects :

Nature of the information

Means of delivery

Liabilities other than those linked to copyright “sensu lato”

A. Nature of the information

- Raw information (as found)

- Processed information

1. Raw information

- Duty to respect the author’s right (copyright), except if possibility to invoke an exception:

Duty to obtain the consent of the author for the delivery; Usually payment of a compensation for a license to use; Mentioning of his name.

- Duty to respect the protection given to the author and maker of the database:

Prior and possible copyright on the data themselves (photo, music, text…);

Possible copyright on the presentation of the database;

“Sui generis” right of the maker of the database:

Duty to obtain the authorization for the extraction or re-utilization of the data

2. Processed information

The processed information may be eligible to copyright protection

The processed information may be eligible to database protection

B. Means of delivery

- Delivery via website

- Delivery by e-mail

1. Delivery via website

- Raw information:

Duty to respect the copyright and database legal framework

Copyright: publication on a website of a protected work is a reproduction and communication

Database: publication on a website of a protected work is an extraction and a re-utilization

- Processed Information :

Eligible to protection by copyright

Eligible to protection by database

Utility to mention the protection:

© “the database ………….. is protected by the database regulations. It is strictly forbidden, without the consent of the maker, to extract and/or re-utilize the whole or a substantial part of the content of this database”

Utility to use specific tools: PDF, technological measures (Directive on information society: access control/protection process: encryption, scrambling, copy control mechanism, etc…)

2. Delivery by e-mail

- Raw information :

Duty to respect the copyright and database legal framework

Copyright: delivery via e-mail of a protected work is a reproduction and communication

Database: delivery in an e-mail of whole or part of a protected work is an extraction and a re-utilization

- Processed Information :

Eligible to protection by copyright

Eligible to protection by database, but in practice the e-mail in itself will not be a database, maybe the attachment

Utility to mention the protection (Theory/practice? / carefulness) :

C. Liabilities other than those linked to copyright “sensu lato”

Other liabilities linked to the delivery of information via a website

Other liabilities linked to the delivery of information via e-mails

1. Other liabilities linked to the delivery of information via a website

May vary from one Member State to another:

Erroneous information: contractual or extra-contractual liability (utility of disclaimers concerning the accuracy of the information)

Press offence (Belgium)

Answer right (Belgium)

etc…

2. Other liabilities linked to the delivery of information via e-mails

May vary from one Member State to another:

Erroneous information: contractual or extra-contractual liability (utility of disclaimers concerning the accuracy of the information)

EC Regulations concerning the processing of personal data and protection of privacy

EC Regulations concerning SPAM

Focus : what about SPAM ?

2 Directives to combine :

Directive 2000/31/EC on electronic commerce

Directive 2002/58/EC on privacy and electronic communications

Directive 2000/31/EC on electronic commerce

Concept of commercial communication: « any form of communication designed to promote, directly or indirectly, the goods, services or image of a company, organisation or person pursuing a commercial, industrial or craft activity » (2 exceptions)

Legal regime

• Article 6 : information to be provided

• Article 7 : unsolicited commercial communication

SPAM must be clearly identified as such

Opt-out regime

Directive 2002/58/EC on privacy and electronic communication

Concept of communication : « any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service »

Unsolicited communications (article 13)

• Opt-in regime : prior consent (direct marketing)

• Exception : opt-out if (i) existing commercial relationship, (ii) same natural or legal person, (iii) similar products or services and (iv) consumer is given the opportunity to refuse reception

IV. Example:

Wales Euro Info Center

V. Recommendations

- Do not forget that the 3 steps of information watch have legal consequences:

Find

Extract

Deliver

Check the rights upstream 

Mention the rights downstream and use protection devices 

Do not forget all other possible liabilities (accuracy, processing of personal data, press offences, etc…)

Use legal notice

II DATA PROTECTION

European Framework Data Protection

– General:

• Directive 95/46 on protection of personal data

– Particular: communication:

• Directive 2002/58 on privacy and electronic communications

General & sector specific regulations

General: 95/46 (Protection of personal data)

General data protection principles

Scope? Online and offline; public & private networks

Specific: 2002/58 (Privacy & electronic communications)

Specific obligations (e.g., cookies, spam)

Scope? Communication service; public networks

1. General Protection: Directive 95/46

• Scope

• 9 Principles of Data protection

• Sensitive data: Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

Case Studies: Privacy Policy; Collection of information; Delivery of information

Scope: Processing of personal data

• Personal data:

– Information concerning a data subject

– Identifiable natural person

• Direct or indirect

• Controller (EIC) or third party

• Legal entity: SME?

IP address? 007@hotmail.com?

Processing: any operation performed upon personal data

In the EU? Quid question on Egypt?

Data Protection Principles

Data must be:

• fairly and lawfully processed;

• processed for specified, detailed and legitimate purposes;

• adequate, relevant and not excessive;

• accurate;

• not kept longer than necessary;

• processed in accordance with the data subject's rights;

• secure and remain confidential;

• not transferred to countries without adequate protection (outside EU);

• Processing activities « must » be notified to the supervisory authority.

Case study 1: Privacy Policy

• Legally required?

• Contents

– The name and address of the controller and processor (contract)

– Purposes of the processing activity

– The kind of data processed: « sensitive data »

– The means to collect and process data (cf. cookies)

– Inform the data subject on his/her rights and the way he/she can exercise them

– The technical and organizational measures adopted to ensure the secure and confidential character

– Reference to general information on data protection legislation, e.g., FAQ, or the contact details of the privacy officer (privacy@euro-info.org.uk)

Case Study 2: collection of information

• Processing « shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc. »

• Means of collection:

– Data subject is aware, e.g., webform

– Data subject is not aware, e.g., spyware

Case Study 3: disclosure of personal data

• Broad and open notion of « processing » includes « disclosure by transmission, dissemination or otherwise making available »

• Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details

• Lindqvist case (Sweden –European Court of Justice (2003))

2. Sector Specific regulation

• Directive 2002/58/EC on privacy and electronic communication

• One of the Directives of the new « Telecom Package »

• Update of Directive 97/66 on privacy and telecommunications

• Overview:

– scope

– contents

– Articulation with general framework

Sector Specific regulation

• Scope:

• « This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. »

– Public networks: no private or corporate networks

– « Individual » communication: no broadcasting

Includes: protection of the legitimate interests of subscribers who are legal persons (SME).

Scope is not always very clear & distinction sometimes too academic.

Sector specific regulation

• Contents: clarification of some principles

– Cookies, spyware

– Security and confidentiality

– Traffic & location data

– Directories of subscribers, e.g., yellow pages

– SPAM

Sector Specific regulation

Pragmatic Approach and articulation:

Directive 95/46 applies to all networks

Obligations imposed by Directive 2002/58/EC, “covered” by Directive 95/46/EC

Example: traffic data:

2002/58 (art 6)

Traffic data relating to subscribers… must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication

95/46 (art 6 (e))

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

CASE STUDY


First Case

You are the manager of an EIC and, to facilitate navigation on your site, you are considering installing cookies on the PCs of the visitors. This way, you can display your site in the official language of their place of establishment (SME) or residence (German, Dutch, French, …).

Which precautions do you have to take?

Second Case

You are responsible for an EIC. You want to deliver on your website information about business opportunities in your region. However, you do not want to lose too much time in finding all these data. Therefore, you ask a subcontractor to do the task for you. You ask him for a finished product to be transferred to your website.

What should be done with this subcontractor in order to minimize your liability and/or maximize your rights?

Third Case

You are responsible for an EIC. You want to deliver on your website information about business opportunities in your region. Right now, you have no website, but you have a very good employee who is ready to help to build the website and search for the information you need on business opportunities in the region. All the tasks in order to deliver the information will be done “in house”.

What should be done in order to minimize your liability and/or maximize your rights?

Fourth Case

You want to send advertising by e-mail to the SMEs of your region describing the services you offer.

Which precautions do you have to take?

QUESTIONS & COMMENTS
