Legal Liability & Data Protection
Paul Van den Bulck
Attorney-at-law at the Paris and Brussels Bars
Partner Ulys Law Firm
Lecturer at University Paris II Panthéon-Assas (France)
Lecturer at the University R. Schuman (Strasbourg)
Brussels
21 September 2007
WWW.ULYS.NET
[email protected]
I LEGAL LIABILITY
Preliminary remarks
• Review on the basis of the European legislation
• Diversity of geographic seats of the different Euro Info Centers
• Diversity of different national legislations implementing different European rules (some of them are sometimes more restrictive when Directives allow it)
Legal and information watch
3 aspects :
I. Find the information
II. Extract the information
III. Deliver the information
I. Finding of the information
- Various media:
  • analogue (“paper”)
  • electronic (internet, ...)
  • verbal sources (political speeches, declarations, public lectures, …)
- No specific legal problem linked to the medium
II. Extraction of the information
- Protection of the information by the copyright framework
- Protection by the database legal framework
A. Protection by the copyright
2 main types of rights:
- Economic rights: reproduction, communication and distribution
- Moral rights: mainly the right of respect of the integrity of the work and the right for the author to have his/her name indicated on the work.
Various exceptions to the economic rights
- Vary from one Member State to another
- Main exceptions included in the Directive on Information society and of interest to the Euro Info Centers
  • Reproductions on paper or any similar medium
  • Quotation (+ author’s name)
  • Political speeches as well as extracts of public lectures or similar work (+ author’s name)
B. Protection by the database legal framework (Directive 96/9/EC)
Definition of a database:
(1) a collection of independent works, data or other materials arranged
(2) in a systematic or methodical way
(3) and individually accessible by electronic or other means.
Some websites fall within the scope of this definition.
Legal system:
- Protection of the presentation of the database:
  Copyright in favor of the author if the database, by reason of the selection or arrangement of its contents, constitutes the author’s own intellectual creation
- Protection of the database itself:
  “Sui generis” right in favor of the “maker”: the right of the maker of a database to prevent extraction and/or re-utilization of the whole or of a substantial part of the contents of the database
  • Condition of this right: the maker must show that there has been a substantial investment in either the obtaining, verification or presentation of the contents
- Protection of one or several data by copyright: data = work of author
Right of the maker: prevent …
  • Extraction: transfer to another medium
  • Re-utilization: making available to the public (distribution of copies, renting, transmission on-line, etc.)
Focus: what about GOOGLE?
• As a way to find information: no specific legal problem. The use of a search engine is at the present time not forbidden
• As a way to extract information:
  - copyright protection for GOOGLE results data
    • check exceptions
  - copyright protection for the presentation of GOOGLE results
    • but no sui generis protection for the maker of the database
  - British horseracing case law ECJ 2004
  - exclusion from data created at the same time as its processing
III. Delivery of the Information
3 aspects:
• Nature of the information
• Means of delivery
• Liabilities other than those linked to copyright “sensu lato”
A. Nature of the information
- Raw information (as found)
- Processed information
1. Raw information
- Duty to respect the author’s right (copyright), except if possibility to invoke an exception:
  • Duty to obtain the consent of the author for the delivery;
  • Usually payment of a compensation for a license to use;
  • Mentioning of his name.
- Duty to respect the protection given to the author and maker of the database:
  • Prior and possible copyright on the data themselves (photo, music, text…);
  • Possible copyright on the presentation of the database
  • “Sui generis” right of the maker of the database: Duty to obtain the authorization for the extraction or re-utilization of the data
2. Processed information
The processed information may be eligible for copyright protection
The processed information may be eligible for database protection
B. Means of delivery
- Delivery via website
- Delivery by e-mail
1. Delivery via website
- Raw information:
  • Duty to respect the copyright and database legal framework
  • Copyright: publication on a website of a protected work is a reproduction and communication
  • Database: publication on a website of a protected work is an extraction and a re-utilization
- Processed information:
  • eligible for protection by copyright
  • eligible for protection by database
  • Utility to mention the protection:
    - ©
    - “the database ………….. is protected by the database regulations. It is strictly forbidden, without the consent of the maker, to extract and/or re-utilize the whole or a substantial part of the content of this database”
  • Utility to use specific tools: PDF, technological measures (Directive on information society: access control/protection process: encryption, scrambling, copy control mechanism, etc.)
2. Delivery by e-mail
- Raw information:
  • Duty to respect the copyright and database legal framework
  • Copyright: delivery via e-mail of a protected work is a reproduction and communication
  • Database: delivery in an e-mail of whole or part of a protected work is an extraction and a re-utilization
- Processed information:
  • Eligible for protection by copyright
  • Eligible for protection by database, but in practice the e-mail in itself will not be a database, maybe the attachment
  • Utility to mention the protection (Theory/practice? / carefulness):
C. Liabilities other than those linked to copyright “sensu lato”
• Other liabilities linked to the delivery of information via a website
• Other liabilities linked to the delivery of information via e-mails
1. Other liabilities linked to the delivery of information via a website
May vary from one Member State to another:
• Erroneous information: contractual or extra-contractual liability (utility of disclaimers concerning the accuracy of the information)
• Press offence (Belgium)
• Right of reply (Belgium)
• etc.
2. Other liabilities linked to the delivery of information via e-mails
May vary from one Member State to another:
• Erroneous information: contractual or extra-contractual liability (utility of disclaimers concerning the accuracy of the information)
• EC Regulations concerning the processing of personal data and protection of privacy
• EC Regulations concerning SPAM
Focus: what about SPAM?
2 Directives to combine:
• Directive 2000/31/EC on electronic commerce
• Directive 2002/58/EC on privacy and electronic communications
Directive 2000/31/EC on electronic commerce
• Concept of commercial communication: « any form of communication designed to promote, directly or indirectly, the goods, services or image of a company, organisation or person pursuing a commercial, industrial or craft activity » (2 exceptions)
• Legal regime
  - Article 6: information to be provided
  - Article 7: unsolicited commercial communication
    - SPAM must be clearly identified as such
    - Opt-out regime
Directive 2002/58/EC on privacy and electronic communications
• Concept of communication: « any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service »
• Unsolicited communications (article 13)
  - Opt-in regime: prior consent (direct marketing)
  - Exception: opt-out if (i) existing commercial relationship, (ii) same natural or legal person, (iii) similar products or services and (iv) consumer is given the opportunity to refuse reception
IV. Example:
Wales Euro Info Center
V. Recommendations
- Do not forget that the 3 steps of information watch have legal consequences:
  • Find
  • Extract
  • Deliver
- Check the rights upstream
- Mention the rights downstream and use protection devices
- Do not forget all other possible liabilities (accuracy, processing of personal data, press offences, etc.)
- Use legal notice
II DATA PROTECTION
European Framework Data Protection
– General:
• Directive 95/46 on protection of personal data
– Particular: communication:
• Directive 2002/58 on privacy and electronic communications
General & sector specific regulations
General: 95/46 (Protection of personal data)
- General data protection principles
- Scope? Online and offline; public & private networks
Specific: 2002/58 (Privacy & electronic communications)
- Specific obligations (e.g., cookies, spam)
- Scope? Communication service; public networks
1. General Protection: Directive 95/46
• Scope
• 9 Principles of Data protection
• Sensitive data: Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Case Studies
• Privacy Policy
• Collection of information
• Delivery of information
Scope: Processing of personal data
• Personal data:
  – Information concerning a data subject
  – Identifiable natural person
    • Direct or indirect
    • Controller (EIC) or third party
    IP address?
    [email protected]?
• Legal entity: SME?
Processing: any operation performed upon personal data
In the EU? Quid question on Egypt?
Data Protection Principles
Data must be:
• fairly and lawfully processed;
• processed for specified, detailed and legitimate purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept longer than necessary;
• processed in accordance with the data subject's rights;
• secure and remain confidential;
• not transferred to countries without adequate protection (outside EU);
• Processing activities « must » be notified to the supervisory authority.
Case study 1: Privacy Policy
• Legally required?
• Contents
  – The name and address of the controller and processor (contract)
  – Purposes of the processing activity
  – The kind of data processed: « sensitive data »
  – The means to collect and process data (cf. cookies)
  – Inform the data subject on his/her rights and the way he/she can exercise them
  – The technical and organizational measures adopted to ensure the secure and confidential character
  – Reference to general information on data protection legislation, e.g., FAQ, or the contact details privacy officer ([email protected])
Case Study 2: collection of information
• Processing « shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc. »
• Means of collection:
  – Data subject is aware, e.g., webform
  – Data subject is not aware, e.g., spyware
Case Study 3: disclosure of personal data
• Broad and open notion of « processing » includes « disclosure by transmission, dissemination or otherwise making available »
• Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details
• Lindqvist case (Sweden – European Court of Justice (2003))
2. Sector Specific regulation
• Directive 2002/58/EC on privacy and electronic communications
• One of the Directives of the new « Telecom Package »
• Update of Directive 97/66 on privacy and telecommunications
• Overview:
– scope
– contents
– Articulation with general framework
Sector Specific regulation
• Scope:
• « This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. »
  – Public networks: no private or corporate networks
  – « Individual » communication: no broadcasting
Scope is not always very clear & distinction sometimes too academic.
Includes: protection of the legitimate interests of subscribers who are legal persons (SME).
Sector specific regulation
• Contents: clarification of some principles
  – Cookies, spyware
  – Security and confidentiality
  – Traffic & location data
  – Directories of subscribers, e.g., yellow pages
  – SPAM
Sector Specific regulation
Pragmatic Approach and articulation:
Directive 95/46 applies to all networks
Obligations imposed by Directive 2002/58/EC, “covered” by Directive 95/46/EC
Example: traffic data:
• 2002/58 (art 6): Traffic data relating to subscribers… must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication
• 95/46 (art 6 (e)): kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
CASE STUDY
First Case
You are the manager of an EIC and, to facilitate navigation on your site, you are considering installing cookies on the PCs of the visitors. This way, you can display your site in the official language of their place of establishment (SME) or residence (German, Dutch, French, …).
Which precautions do you have to take?
Second Case
You are responsible for an EIC. You want to deliver on your website information about business opportunities in your region. However, you do not want to lose too much time in finding all these data. Therefore, you ask a subcontractor to do the task for you. You ask him for a finished product to be transferred to your website.
What should be done with this subcontractor in order to minimize your liability and/or maximize your rights?
Third Case
You are responsible for an EIC. You want to deliver on your website information about business opportunities in your region. Right now, you have no website, but you have a very good employee who is ready to help to build the website and search for the information you need on business opportunities in the region. All the tasks in order to deliver the information will be done “in house”.
What should be done in order to minimize your liability and/or maximize your rights?
Fourth Case
You want to send advertising by e-mail to the SMEs of your region describing the services you offer.
Which precautions do you have to take?
QUESTIONS & COMMENTS