Archive | Legislation and policy-making

E-Privacy – The European Commission Issues a Proposal for a New Regulation

By Maria Sturm

On 6 May 2015, the European Commission issued a communication with the title “A Digital Single Market Strategy for Europe” to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. This digital single market strategy is comprised of three main pillars:

  1. Better access to online goods and services for consumers and businesses across Europe.
  2. Creating the right conditions for digital networks and services to flourish.
  3. Maximizing the growth potential of the European Digital Economy.

The second pillar includes the goal of creating new possibilities to process communication data and to reinforce trust and security in the Digital Single Market[1]. Therefore, in January 2017, the EU Commission issued a proposal for a “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”. A study was conducted on behalf of the EU Commission to evaluate and review Directive 2002/58/EC. The most important findings of the study were:

  1. The Member States transposed the directive in very different ways. This uneven transposition led to legal uncertainty and an uneven playing field for operators.
  2. This fragmented implementation leads to higher costs for businesses operating cross-border in the EU.
  3. New means of communication (e.g. WhatsApp) are not covered by the directive. This means that EU citizens enjoy a different level of protection, depending on which communications tools they use.

Based on these findings, the new proposal seeks to keep up with the pace of fast-developing IT services. The data business is an important economic actor, which creates a lot of jobs. This sector needs to be able to use data and make it available. But on the other hand, consumer protection and privacy, as emphasized in Art. 7 of the Charter of Fundamental Rights of the EU, are important in establishing and maintaining trust in the digital single market. Thus, the proposal aims to strike the right balance between the expectations of businesses and the expectations of consumers, and to establish a framework for more security on both sides.

The focal points of the proposal are:

  1. The directive will be replaced by a regulation to create an even playing field for operators across the EU. While a directive needs to be transposed by each single Member State, the regulation becomes immediately enforceable.
  2. The proposal covers new means of communication, such as instant messaging or VoIP telephony[2], the so-called “Over-the-Top communications services”. It therefore guarantees the same level of confidentiality no matter whether a citizen of the EU uses a new communication system or makes a “traditional” phone call.
  3. New business development opportunities can emerge, because once consent is given, communication data can be used to a greater extent.
  4. Cookie-rules, which today are cumbersome and result in an overload of consent requests, will be streamlined and made more user-friendly.
  5. Spam protection will be increased.
  6. Enforcement will be delegated to national data protection authorities, which are already responsible under the General Data Protection Regulation. This makes enforcement more effective.

The proposal directly addresses the problems and issues detected by the study on Directive 2002/58/EC and aligns the ePrivacy legislation with the General Data Protection Regulation of April 27, 2016 (see also TTLF Newsletter of February 3, 2017). There may be further changes made to the proposal during the rest of the discussion. It remains to be seen exactly what those developments will entail. However, it is a given that the current legislation on privacy and electronic communication is fragmentary and needs to adapt to new electronic evolutions and needs.

[1] European Commission, Press Release IP-17-16.

[2] Voice over Internet Protocol.

Happy Ending in Sight? New Impulses for the European Unitary Patent

By Martin Miernicki

On 10 February 2017, Italy ratified the Agreement on a Unified Patent Court. Already, the UK had announced their commitment to continuing the ratification process of the agreement, despite the ongoing “Brexit”-discussion.

The unitary patent – an overview

The legal basis for the unitary patent is the so-called “patent package” adopted between 2012 and 2013. It consists of three main instruments:

The patent package is the result of an enhanced cooperation (art. 326 et seq. TFEU) between, originally, 25 EU member states. Italy joined in 2015, leaving Spain and Croatia as the only member states not participating in the enhanced cooperation.[1] The adoption of the patent package was accompanied by several disputes,[2] especially regarding translation arrangements.

The unitary patent (European patent with unitary effect) supplements the options for the international protection of patents like the protection systems under the Patent Cooperation Treaty (PCT) or the European Patent Convention (EPC). The unitary patent is designed as a European patent issued by the European Patent Office (EPO) under the EPC. A European patent granted with the same set of claims in respect of all the participating member states can, upon request of the patent owner, benefit from the unitary effect under the Unitary Patent Regulation. In this case, the patent provides uniform protection and has equal effect in the participating member states (art. 3 of the Unitary Patent Regulation). Translations – in addition to those required under the EPC procedure – may be necessary if a dispute arises relating to the infringement of a unitary patent and during a transitional period (article 4, 6 of the Unitary Patent Translation Regulation). The Unified Patent Court (UPC) has jurisdiction for the unitary patents according to the UPC Agreement.

Entry into force

The Unitary Patent Regulation’s entry into force is linked to the UPC Agreement (art. 18). The same applies to the Unitary Patent Translation Regulation (art. 7). The UPC Agreement will enter into force upon the ratification of thirteen member states, including France, Germany, and the UK (as the countries with the highest number of European patents). As of March 2017, 12 signatory states, including France, have ratified the agreement.

What can be expected?

The British announcement to continue preparing for ratification was somewhat surprising given the current circumstances involving Brexit. It remains to be seen how the UK government will proceed, especially in light of the upcoming negotiations between the EU and the UK on their future relationship. The announcement alludes to this point, saying, “[t]he decision to proceed with ratification should not be seen as pre-empting the UK’s objectives or position in the forthcoming negotiations with the EU.” Furthermore, British minister Jo Johnson presented a favorable explanatory memorandum on the UPC to the British Parliament earlier this year. In turn, Italy’s ratification highlights that the preparation for the unitary patent is ongoing, and shows that the patent package could indeed enter into force sooner rather than later. Meanwhile, the UPC Preparatory Committee is working towards the phase of provisional application, which it expects to start in spring 2017.

[1] For the time being, Poland has not signed the UPC Agreement.

[2] Spain unsuccessfully asked the ECJ to annul the Unitary Patent Regulation, see Spain v. European Parliament, C‑146/13 (2015).

The UK Issues Guidance on GDPR Consent

By Nikolaos Theodorakis

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the UK’s Data Protection Act 1998 (DPA). It is still unclear how Brexit will play out, yet in the meantime, the United Kingdom is moving to adopt the GDPR principles so that it adequately protects the personal data transferred within the EU. The GDPR sets a high standard for consent and compliance, which means that companies must start preparing for this transition.

The Information Commissioner’s Office (ICO) issued a guidance on GDPR consent on 2 March, explaining its recommended approach to compliance and its definition of valid consent. The ICO also provides examples and practical advice that can assist companies deciding when consent is unbiased, and when other alternatives must be sought.

The guidance’s main points on consent are:

  • Individuals should be in genuine control of consent;
  • Companies should check their existing consent practices and revise them if they do not meet the GDPR standard. Evidence of consent must be kept and reviewed regularly;
  • The only way to adequately capture consent is through an opt-in;
  • Explicit consent requires a very clear and granular statement;
  • Consent requests should be separated from other terms and conditions. Companies should avoid making consent a precondition of service;
  • Every third party who relies on the consent must be named;
  • Individuals should be able to easily withdraw consent;
  • Public authorities and employers may find using consent difficult. In cases where consent is too difficult, other lawful bases might be appropriate.

The basic notion of consent is not new. It was initially defined under the Data Protection Act 1998 (DPA) that implemented the Data Protection Directive 95/46/EC, which is currently in force. The GDPR builds on the standard of consent that was introduced in the DPA and includes more details and specific requirements. Consent is now defined in Article 4(11) of the GDPR in a similar way as in previous legislation, yet adding requirements of unambiguity and clear affirmative action. More provisions throughout the GDPR however relate to consent (e.g. Article 7 and recitals 32, 42 and 43), which complicates the notion of consent and what employers need to do to secure valid consent.

The ICO is running a public consultation on the draft guidance until 31 March 2017 to solicit the views of relevant stakeholders and the public. The feedback received will then be taken into account in the published version of the guidance, which is provisionally aimed for May 2017. The GDPR consent guidance can be found here, and the public consultation form here.

Other European countries have already launched relevant public consultation events:

In June 2016, the French data protection authority (“CNIL”) launched a public consultation on the GDPR. Two hundred twenty-five organizations participated in the public consultation and the outcome was integrated into recent guidance from the Consortium of European Data Protection Authorities. The CNIL’s report on the French public consultation is available (in French) here.

In Germany, the Interior Ministry has been drafting a proposed Data Protection Amendments and Implementation Law (Datenschutz-Anpassungs- und Umsetzungsgesetz – or “DSAnpUG”) approximately since the GDPR was passed.  The DSAnpUG implements the GDPR as well as the EU Law Enforcement Information Sharing Directive 2016/860. At present, several committees of the Upper House of Parliament (Bundesrat) are debating the draft, and a full vote of the Upper House is scheduled for March 8, 2017.

In February 2017, the Spanish Ministry of Justice launched a public consultation as a preliminary step before the drafting of a new bill implementing the GDPR.  The press release on the Spanish consultation is available (in Spanish) here.

It is important to remember that invalid consent can have severe financial consequences, apart from reputational damage. Infringements of the basic principles for processing personal data, which includes consent, are subject to the highest tier of administrative fines. This means a fine of up to 20 million Euro, or 4% of a company’s total worldwide annual turnover, whichever is higher, could be issued.

Do-It-Yourself Synthetic Biology Punishable in Germany

By Bartlomiej Kolodziejczyk

Do-It-Yourself synthetic biology is a rapidly evolving and emerging social biotechnology movement in which individuals, community groups, and small organizations study biology and life science using methods similar to those of traditional research institutions. DIY synthetic biology is primarily undertaken by individuals with extensive research training from academia or biotech and pharmaceutical corporations, who then mentor and supervise novice DIY biologists with little or no formal training.

The movement has become so prominent that many large cities have designated “biomarker spaces” run by citizen scientists and eager DIY synthetic biology enthusiasts. Complete, ready-to-use DIY synthetic biology kits can be purchased online from a variety of sources, and savvy scientists have used these tools to alter biological organisms, e.g. E. coli bacteria, plants and more, and engineer them to, for example, glow in the dark.

These developments bring many opportunities, but at the same time present peculiar challenges. The fact that some of these organisms can be hazardous to the environment, biodiversity, and human health cannot be overemphasized. Moreover, inexpensive genome modification methods that are easily implemented by novices could create new channels for bioterrorism, which may be especially concerning given recent terrorist activities.

On 25 January 2017, the Federal Office for Consumer Protection and Food Safety of Germany (Bundesamt für Verbraucherschutz und Lebensmittelsicherheit) issued a statement prohibiting the use of DIY synthetic biology and genetic engineering kits outside of the specialized facilities and research institutions.

Whoever disobeys the law by ordering a DIY kit and utilizing that kit outside of the designated facilities will be liable to a fine up to 50,000 Euros in accordance with § 38 (1) (2) Genetic Engineering Act (GenTG). Furthermore, if Genetically Modified Organisms (GMOs) are released due to the use of the DIY kits, the offender can face imprisonment of up to three years or a fine as stated under Section 39 (2) (1) GenTG.

The statement sent a wave of shock through the DIY bio community. The enactment of laws governing the proliferation of biotechnology, such as the regulation of genetic engineering (Gentechnikgesetz – GenTG), ratified on 20 June 1990, is not new. However, recent developments and the growing movement of biohackers pushed the Federal Office for Consumer Protection and Food Safety to enforce these regulations. In accordance with § 8 para. 1 sentence 1 GenTG, genetic engineering work may only be carried out in genetic engineering facilities, i.e. in suitable, officially designated laboratories under the supervision of a qualified project manager or researcher.

Germany is not the only state trying to regulate this new movement. A few days prior to the German statement, the U.S. Food and Drug Administration (FDA) quietly proposed regulations that would require any genetically engineered organism to go through a strict regulatory procedure. In essence, the FDA wants to define any organism that a scientist purposefully genetically modifies as a “drug”, and such development would have to pass strict and lengthy clinical trials to be approved.

Europe is generally stricter than the United States in regulating genetic engineering and genetically modified products. In certain European states, the legality of DIY genetic engineering is ambiguous. Germany’s statement may inspire other European and non-European nations to take similar, firm stances to regulate the activities of the social biotechnology movement. Recent events indicate that precautionary measures will be embraced by more nations across the globe.

The General Data Protection Regulation (GDPR) and the Way Forward

By Nikolaos Theodorakis

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was introduced in April 2016 with the intention of strengthening and unifying data protection for individuals within the European Union (EU). It will enter into force in 2018, replacing the outdated data protection directive of 1995. The GDPR is intended to make citizens masters of their personal data, and to simplify the regulatory environment for international businesses. Personal data may range from a name, to a photo, email address, bank details, or a computer’s IP address.

The regulation applies to data controllers, data processors, and data subjects that are based in the EU. It provides for harmonization of data protection regulations throughout the EU and includes a strict data protection compliance regime with severe penalties of up to 4% of global turnover. The proposed EU data protection regime also extends the scope of the EU data protection law to foreign companies that process data of EU residents. The regulation does not extend to the processing of personal data for national security activities or law enforcement, however.

In implementing the GDPR, each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs will cooperate to provide mutual assistance and organize joint operations. For businesses that operate in multiple Member States, a business will have a single SA as its “lead authority” based on the location of its headquarters. The lead authority will act as a “one-stop shop” to supervise all processing activities throughout the EU. A European Data Protection Board will coordinate accordingly.

The notice requirements of the prior directive are expanded by the GDPR. Automated individual decision-making includes profiling, and citizens now have the right to question and contest decisions affecting them that have been made on an algorithmic basis. A Data Protection Officer is also given the duty of administering the Regulation.

As for data breaches, the independent Data Protection Officer (DPO) has the legal obligation to notify the Supervisory Authority without undue delay. There is no de minimis standard, and it is likely the GDPR will require that such breaches be reported as soon as possible. In the case of a data breach, the following sanctions may be applicable: a warning in writing in cases of first and unintentional non-compliance; a regular periodic data protection audit; a fine up to 10 million EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise; or a fine up to 20 million EUR or up to 4% of the annual worldwide turnover of the preceding financial year.

The right to erasure replaces the right to be forgotten, and will be somewhat more limited in its scope. Under this right, the data subject has the right to request erasure of personal data related to him on a number of grounds, and if the interests or fundamental rights and freedoms of the data subject override the legitimate interests of the controller.

Data portability recognizes that a person shall be able to transfer their personal data from one electronic processing system to another, without being prevented by the data controller. The data must be provided by the controller in a structured and commonly used electronic format.

 

The way forward

The proposal has given rise to much discussion and controversy. Thousands of amendments were proposed and GDPR has attracted considerable criticism.

First, the Data Protection Officer is a new concept that several EU countries did not have before. It has been criticized for creating an administrative burden. The GDPR has also been criticised for not sufficiently considering requirements for handling employee data.

Data portability is also not seen as a key aspect for data protection, but rather as a functional requirement for social networks and cloud providers. Language problems may occur here, since there is not a single DPA that can be contacted, but rather the DPA that a company chooses.

In any event, the GDPR must be examined vis-à-vis the EU-US Privacy Shield that has aimed to replace the Safe Harbor agreement and has still attracted considerable criticism.

It remains to be seen how the GDPR will be implemented in practice since it requires comprehensive changes of business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force. Naturally, the European Commission and DPAs will have to provide sufficient resources to enforce the implementation and a certain level of data protection must be agreed to by all European DPAs.

The road to the future of European traffic: European Commission publishes strategy on Cooperative Intelligent Transport Systems

By Martin Miernicki

On 30 November 2016, the Commission published the Communication COM(2016) 766 on Cooperative Intelligent Transport Systems (C-ITS). C-ITS involve the cooperation, connectivity, and automation of vehicles, and they enable the communication between — and the coordination of — road users and traffic infrastructure. The additional information provided by C-ITS assists drivers and traffic managers in decision-making, especially with regard to road safety and traffic efficiency.

 

Background

The promotion and regulation of C-ITS is part of the Commission’s larger policy focus on emerging technologies. Related activities include the Digital Single Market Strategy, the Digitising European Industry Strategy, and the European Strategy for Low-Emission Mobility. In 2014, the Commission created the C-ITS platform in order to address remaining problems in connection with the application of this technology. The platform published an expert report in early 2016, which resulted in the C-ITS communication. The need for a common European strategy on C-ITS was further expressed by the European transport ministers in the 2016 Declaration of Amsterdam.

 

Core aspects of the communication

The communication highlights multiple advantages associated with the use of C-ITS, like increased road safety, reduced emissions of greenhouse gases and air pollutants, more efficient traffic, and positive effects on the European economy overall through the creation of new jobs in the sector. However, several problems must be addressed before C-ITS can be fully deployed.

  • Security of C-ITS communication

The use of C-ITS makes transport systems more vulnerable to hacking and cyber-attacks. For this reason, the Commission proposes to develop a common security and certificate policy in order to ensure that C-ITS adequately respond to security threats. This process should involve all relevant stakeholders (e.g. public authorities, vehicle manufacturers, etc.).

  • Data protection and privacy

The Commission underscores that the data transmitted by C-ITS can qualify as personal data, which are subject to the European rules on data protection. The Commission believes that the protection of such data is crucial to the acceptance of C-ITS by end-users.

  • Communication technologies & interoperability

The strategy focuses on a “hybrid communication approach” which combines different complementary communication technologies, rather than proposing a single technical solution for C-ITS. In the Commission’s opinion, the most promising communication mix is a combination of ETSI ITS-G5 and existing cellular networks. Furthermore, the Commission emphasizes the need to ensure the interoperability of C-ITS by the development of an EU-wide standardization process. In this connection, the C-Roads platform was launched in 2016.

 

Further action

The overall aim is to deploy C-ITS in 2019. For this purpose, the Commission announced plans to publish guidance regarding the C-ITS related security and certificate policy in 2017 and regarding data protection in the following year. In order to create the necessary legal framework for C-ITS, the Commission will adopt delegated acts by 2018, especially considering the ITS Directive.

European Commission publishes a preliminary report on the e-commerce sector inquiry

By Nikolaos Theodorakis

On 6 May 2015, the European Commission launched a sector inquiry into e-commerce within the context of the Digital Single Market strategy, and in connection with Article 17 of Regulation 1/2003. In March 2016, the Commission published its initial findings on geo-blocking, which refers to business practices whereby retailers and service providers prevent the smooth access of consumers to the digital single market. In doing so, geo-blocking usually has three dimensions: (i) it prevents a consumer from accessing a website because of his IP address; (ii) it allows the consumer to add an item to his online shopping basket, but it cannot be shipped to his location and (iii) it redirects the consumer to another local website to complete his order.

As part of the sector inquiry, the Commission requested information from various actors in e-commerce throughout the EU, both related to online sales of consumer goods (e.g. electronics and clothing) as well as the online distribution of digital content. For that purpose, the Commission gathered evidence from nearly 1,800 companies operating in e-commerce and analyzed around 8,000 distribution contracts. The inquiry wished to look into the main market trends and gather evidence on potential barriers to competition linked to the growth of e-commerce.

E-commerce has been growing rapidly over the past years, and the EU is the largest e-commerce market in the world. As a result, any barrier in online trade may have severe consequences and distort healthy competition. In September 2016, the Commission published a preliminary report with certain findings. It identified issues arising from distribution agreements, which pertain to trade in goods, and licensing agreements, which pertain to trade in services.

 

Issues arising from distribution agreements

Distribution agreements may create geo-blocking restrictions, both from the manufacturers’ and the retailers’ side.

Manufacturers have adjusted to the increasing popularity of e-commerce by adopting a number of business practices that help them control the distribution of their products and the positioning in the market. These practices are not illegitimate by default; under specific conditions, however, they can be.

For instance, manufacturers use selective distribution systems in which products can only be sold by pre-selected authorized sellers online. They also use contractual sales restrictions that may make cross-border shopping or online shopping more difficult and ultimately harm consumers since they prevent them from benefiting from greater choice of products and lower prices. The reasoning behind selective distribution systems is to control the quality of the product and safeguard brand consistency. This could nonetheless qualify as a vertical restraint and could be considered discordant with the principles of EU competition law.

Retailers use geo-blocking to restrict cross-border sales. Several retailers collect data on the location of their customers with a view to applying geo-blocking measures. This most commonly takes the form of refusal to deliver and refusal to accept payment from cards issued in other countries.

 

Issues arising from licensing agreements

With respect to digital content, the availability of licenses from the holders of copyrights in content is essential for digital content providers and a key determinant of competition in the market. The Preliminary Report finds that copyright licensing agreements can be complex and exclusive. The agreements provide for the territories, technologies and digital content that providers can use. As such, the Commission is expected to assess on a case-by-case basis whether certain licensing practices are unaccounted for and restrict competition.

In fact, one of the key determinants of competition in digital content markets is the scope of licensing agreements that determine online transmission. These agreements, between sellers of rights, use complicated definitions to define the reach of the service, creating differences in technological, temporal and territorial level. These contractual restrictions are practically the norm, whereas access to exclusive content increases the attractiveness of the offer of digital content providers.

A striking 70% of digital content providers restrict access to their digital content for users from other EU Member States. Further, 60% of digital content providers are contractually required by rightsholders to geo-block. This practice is more prevalent in agreements for films, sports and TV series. Licensing agreements enable rightsholders to monitor that content providers comply with territorial restrictions, otherwise they ask for compensation. These agreements usually have a very long duration and they may make it more difficult for new online business services to emerge and try to win a stake in the market.

Additional questions arise when online rights are sold exclusively on a per Member State basis, or bundled with rights in other transmission technologies and then are not used. This might signal a semi perfect price discrimination policy depending on how much money each Member State is willing to pay, and a consequent further balkanization of the digital single market.

 

Next Steps

After publishing the preliminary report, the Commission is soliciting views and comments of interested stakeholders until 18 November 2016. The final report of the sector inquiry is expected in the first quarter of 2017. As a follow-up to the sector inquiry, the Commission may further explore whether certain practices are compatible with the EU competition rules and launch investigations against specific distributors and/or resellers on matters of both goods and digital content.

Finally, the results of the sector inquiry provide useful information for the debate on Commission initiatives relating to copyright and the proposed geo-blocking regulation.