legal liability & data protection paul van den bulck attorney-at-law at the paris and brussels...
TRANSCRIPT
Legal Liability &
Data ProtectionPaul Van den Bulck
Attorney-at-law at the Paris and Brussels Bars
Partner Ulys Law FirmLecturer at University Paris II Panthéon-Assas (France)
Lecturer at the University R. Schuman (Strasbourg)
Brussels
21 September 2007
WWW.ULYS.NET
Review on the basis of the European legislation
Diversity of geographic seats of the different Euro Info Centers
Diversity of different national legislations implementing different European rules (some of them are sometimes more restrictive when Directives allow it)
Preliminary remarks
I LEGAL LIABILITY
3 aspects :
I. Find the information
II. Extract the information
III. Deliver the information
Legal and information watch
analogue (“paper”)
electronic (internet, ..)
verbal sources (political speeches, declarations, public lectures,, …)
I. Finding of the information
- Various medium :
- No specific legal problem linked to the medium
II. Extraction of the information
- Protection of the information by the copyright framework
- Protection by the database legal framework
A. Protection by the copyright
2 main types of rights:
- Economic rights: reproduction, communication and distribution
- Moral rights: mainly the right of respect of the integrity of the work and the right for the author to have his/her name indicated on the work.
Various exceptions to the economic rights
- Vary from a Member State to another
- Main exceptions included in the Directive on Information society and interesting the Euro Info Centers
Reproductions on paper or any similar medium
Quotation (+ author’s name)
Political speeches as well as extracts of public lectures or similar work (+ author’s name)
B. Protection by the database legal framework (directive 96/9/EC)
Definition database :
(1) a collection of independent works, data or other materials arranged
(2) in a systematic or methodical way
(3) and individually accessible by electronic or other means.
Some websites enter in the scope of such definition.
Legal system : - Protection of the presentation of the database :
“Sui generis” right in favor of the “maker”: the right of the maker of a database to prevent extraction and or re-utilization of the whole or of a substantial part of the contents of the database
Condition of this right: the maker must show that there has been a substantial investment in either the obtaining, verification or presentation of the contents
Copyright in favor of the author if : by reason of the selection or arrangement of its contents,constitutes the author’s own intellectual creation
- Protection of the database itself :
- Protection of one or several data by copyright : data = work of author
Right of the maker : prevent …
Extraction: transfer to another medium
Re-utilization: making available to the public (distribution of copies, renting, transmission on-line, etc…)
Focus : what about GOOGLE ?
• As a way to find information: no specific legal problem. The use of a search engine is at the present time not forbidden
• As a way to extract information:
copyright protection for GOOGLE results data
• check exceptions
copyright protection for the presentation of GOOGLE results
• but no sui generis protection for the maker of the database
British horseracing case law ECJ 2004
exclusion from data created at the same time as its processing
III. Delivery of the Information
3 aspects :
Nature of the information
Means of delivery
Others Liabilities than those linked to copyright “sensu lato”
A. Nature of the information - Raw information (as find)
- Processed information
1. Raw information - Duty to respect the author’s right (copyright), except if possibility to invoke an exception:
Duty to obtain the consent of the author for the delivery; Usually payment of a compensation for a license to use; Mentioning of his name.
- Duty to respect the protection given to the author and maker of the database:
Prior and possible copyright on the data themselves (photo, music, text…); Possible copyright on the presentation of the database “Sui generis” right of the maker of the database:
Duty to obtain the authorization for the extraction or re-utilization of the data
2. Processed information
The processed information may be eligible to copyright protection
The processed information may be eligible to database protection
B. Means of delivery
- Delivery via website
- Delivery by e-mail
1. Delivery via website
- Raw information:
Duty to respect the copyright and database legal framework
Copyright: publication on a website of a protected work is a reproduction and communication
Database: publication on a website of a protected work is an extraction and a re-utilization
- Processed Information :
eligible to protection by copyright eligible to protection by database Utility to mention the protection :
© “the database ………….. is protected by the database regulations. It is strictly forbidden, without the consent of the maker, to extract and/or re-utilize the whole or a substantial part of the content of this database”
Utility to use specific tools: PDF, technological measures (Directive on information society : access control/protection
process : encryption, scrambling, copy control mechanism, etc…)”
2. Delivery by e-mail
- Raw information :
Duty to respect the copyright and database legal framework
Copyright: delivery via e-mail of a protected work is a reproduction and communication
Database: delivery in a e-mail of whole or part of a protected work is an extraction and a re-utilization
- Processed Information :
Eligible to protection by copyright
Eligible to protection by database, but in practice the e-mail in itself will not be a database, maybe the attachment
Utility to mention the protection (Theory/practice? / carefulness) :
C. Others Liabilities than thoselinked to copyright “sensu lato”
Others liabilities linked to the delivery of information
via a website
Others liabilities linked to the delivery of information
via e-mails
1. Others liabilities linked to the delivery of information via a website
May vary from a Member State to another :
Erroneous information: contractual or extra-contractual liability (utility of disclaimers concerning the accuracy of the information)
Press offence (Belgium)
Answer right (Belgium)
etc…
2. Others liabilities linked to the delivery of information via e-mails
May vary from a Member State to another :
Erroneous information: contractual or extra-contractual liability (utility of disclaimers concerning the accuracy of the information) EC Regulations concerning the processing of personal data and protection of privacy EC Regulations concerning SPAM
Focus : what about SPAM ?
2 Directives to combine :
Directive 2000/31/EC on electronic commerce
Directive 2002/58/EC on privacy and electronic communications
Directive 2000/31/EC on electronic commerce
Concept of commercial communication : « any form of communication designed to promote, directly or inderectly, the goods, services or image of a company, organisation or person pursuing a commercial, industrial or craft activity » (2 exceptions)
Legal regime
• Article 6 : information to be provided
• Article 7 : unsolicited commercial communication
SPAM must be clearly identified as such
Opt-out regime
Directive 2002/58/EC on privacy and electronic communication
Concept of communication : « any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service »
Unsolicited communications (article 13)
• Opt-in regime : prior consent (direct marketing)
• Exception : opt-out if (i) existing commercial relationship, (ii) same natural or legal person, (iii) similar products or services and (iv) consumer is given the opportunity to refuse reception
IV. Example:
Wales Euro Info Center
V. Recommendations - Do not forget that the 3 steps of information watch have legal consequences:
Find
Extract
Deliver
Check the rights upstream
Mention the rights downstream and use protection devices
Do not forget all other possible liabilities (accuracy, processing
of personal data, press offences, etc…)
Use legal notice
II DATA PROTECTION
European Framework Data Protection– General:
• Directive 95/46 on protection of personal data
– Particular: communication:• Directive 2002/58 on privacy and electronic communications
General & sector specific regulations
General: 95/46
Protection of personal data
General data protection principles
Scope?Online and offline
Public & private networks
Specific 2002/58Privacy & electronic
communications
Specific obligations(e.g., cookies, spam)
Scope?Communication service
Public networks
1. General Protection: Directive 95/46• Scope:
• 9 Principles of Data protection
• Sensitive dataMember States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Case Studies Privacy Policy Collection of information Delivery of information
Scope: Processing of personal data
• personal data: – Information concerning a data subject– identifiable natural person
• Direct or indirect
• Controller (EIC) or third party
• Legal entity: SME?
IP address? [email protected]?
Processing: any operation performed upon personal data In the EU? Quid question on Egypt?
Data Protection PrinciplesData must be: • fairly and lawfully processed;
• processed for specified, detailed and legitimate purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept longer than necessary;
• processed in accordance with the data subject's rights;
• Secure and remain confidential;
• not transferred to countries without adequate protection (outside EU);
• Processing activities « must » be notified to the supervisory authority.
Case study 1: Privacy Policy
• Legally required?• Contents
– The name and address of the controller and processor (contract) – Purposes of the processing activity – The kind of data processed: « sensitive data »– The means to collect and process data (cf. cookies)– Inform the data subject on his/her rights and the way he/she can
exercise them– The technical and organizational measures adopted to ensure the secure
and confidential character– Reference to general information on data protection legislation, e.g.,
FAQ, or the contact details privacy officer ([email protected])
Case Study 2: collection of information
• Processing « shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc. »
• Means of collection:– Data subject is aware,e.g., webform– Data subject is not aware, e.g., spy ware
Case Study 3: disclosure of personal data• Broad an open notion of « processing » includes
« disclosure by transmission, dissemination or otherwise making available »
• Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details
• Lindqvist case (Sweden –European Court of Justice (2003))
2. Sector Specific regulation• Directive 2002/58/EC on privacy and electronic
communication• One of the Directives of the new « Telecom
Package »• Update of Directive 97/66 on privacy and
telecommunications• Overview:
– scope– contents– Articulation with general framework
Sector Specific regulation• Scope:
• « This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. »
– Public networks: no private or corporate networks
– « Individual » communication: no broadcasting
Includes: protection of the legitimate interests of subscribers who are legal persons (SME).
Scope is not always very clear & distinction sometimes too academic.
Sector specific regulation• Contents: clarification of some principles
– Cookies, spy ware – Security and confidentiality – Traffic & location data– Directories of subscribers , e.g., yellow pages– SPAM
Sector Specific regulationPragmatic Approach and articulation:
Directive 95/46 applies to all networks
Obligations imposed by Directive 2002/58/EC, “covered” by Directive 95/46/EC
Example: traffic data:
2002/58 (art 6)
Traffic data relating to subscribers… must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication
95/46 (art 6 (e))
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
CASE STUDY
Paul Van den BulckAttorney-at-law at the Paris and Brussels Bars
Partner Ulys Law FirmLecturer at the University R. Schuman (Strasbourg)
Lecturer at University Paris II Panthéon-Assas (France)
Brussels21 September 2007
First Case
You are the manager of an EIC and to facilitate the navigation on your site, you consider to install cookies on the PC of the visitors. This way, you can display your site in the official language of their place of establishment (SME) or residence (German, Dutch, French, …).
Which precautions do you have to take?
Second Case
You are responsible of an EIC. You want to deliver on your website information about business opportunities in your region. However, you do not want to lose too much time in finding all theses data. Therefore, you ask a subcontractor to do the task for you. You ask him a finished product to be transferred on you website.
What should be done with this subcontractor in order to minimize your liability and/or maximize your rights?
Third Case
You are responsible of an EIC. You want to deliver on your website information about business opportunities in your region. Right now, you have no website, but you have a very good employee who is ready to help to build the website and search the information you need on business opportunities in the region. All the tasks in order to deliver the information will be done “in house”.
What should be done in order to minimize your liability and/or maximie your rights?
Fourth Case
You want to send by emails advertising to the SME’s of your region describing the services you offer.
Which precautions do you have to take?
