EUROPEAN COMMISSION CONSULTS WITH CIVIL SOCIETY ON DATA RETENTION

In the first week of June, the European Commission held the first of a series of consultation meetings with different groups of stakeholders on the revision of the Data Retention Directive. The first meeting was with the ‘civil society’, including representatives of industry and one lobbying company representing unspecified clients.

The meeting was originally intended to address the details of the Directive: however, civil society representatives took the view that it was impossible to have a coherent discussion on the Directive itself, if the Member States were going to fail to provide credible data to the Commission for its decision-making process. They claimed that the Commission's own Implementation Report suggested that there is not enough data available from the Member States to show that the Directive is ‘necessary’ (the minimum requirement for it to be legal).

The European Commission Data Retention Evaluation Report was published in April 2011 (ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_retention_evaluation_en.pdf).

EUROPEAN COMMISSION CONSULTATION ON IPR ENFORCEMENT

Also in early June, the European Commission organised an open consultation on ‘Directive 2004/48/EC on the enforcement of intellectual property rights: challenges posed by the digital environment’.

The Commission put forward a presentation of the intermediate summary of the consultation on the IPR Enforcement Directive. A total of 165 replies from individual citizens and 297 replies from organisations suggested that the main trends are:

  • Member States are divided between wanting the Directive to be updated and believing that the legislation has not been in place, long enough to be properly analysed. Eight member states believe that ISP liability should be increased whereas seven believe that it should not change;

  • Member States are divided between wanting the Directive to be updated and believing that the legislation has not been in place long enough to be properly analysed. Eight member states believe that ISP liability should be increased whereas seven believe that it should not change;

Questions were also raised about:

  • the appropriateness of permitting, encouraging or coercing Internet intermediaries to police online communications;

  • the extent to which the legitimacy of current copyright law is definitively broken to the degree claimed by rightsholders;

  • the wider costs (also for rightsholders) for openness and innovation on the Internet as a result of ISPs being forced into a ‘gatekeeper’ role;

  • the over-reliance on dubious studies on the impact of infringements, which often use questionable methodology and highly selective as to evidence;

  • the need to address the issue of exceptions and limitations to copyright to ensure a more balanced and innovative environment.

PAN-EU CONTRACT LAW ENDORSED BY EUROPEAN PARLIAMENT (JUNE 2011)

The European Parliament has endorsed plans for the creation of a new EU-wide contract law.

Parliamentarians voted overwhelmingly to establish a ‘28th regime’ for contracts, a contract law that would apply, as well as of the 27 EU member states’ contract laws when buyers and sellers chose to opt in to it.

The European Parliament's endorsement follows a recommendation by its Legal Affairs Committee earlier this year that the Parliament should back European Commission plans to develop a new law.

‘I welcome [the] vote by the European Parliament to back an optional European contract law’, Viviane Reding, Vice President of the European Commission said in a statement.

‘I am looking closely at all the possibilities to ease cross-border transactions, and I believe the option favoured by the European Parliament could be a very good choice’, Reding said.

‘It would give Europe's 500 million consumers more opportunities to shop across borders while cutting transaction costs for small businesses – the backbone of our economy. I will work closely with the European Parliament and all Member States to see how to turn today's vote into an attractive legal reality’, Reding said.

The ‘28th regime’ of contracts could cover everything from the sale of goods and services, insurance, digital rights and beneficial ownership, which is where a person owns an asset for the benefit of another.

Differing national rules make it difficult for companies to draw up cross-border contracts in Europe, the Commission statement said.

‘The 27 different sets of national rules can lead to additional transaction costs, increased legal uncertainty for businesses and lack of consumer confidence’, the statement said. ‘These can act as a deterrent for both consumers and businesses to shopping and trading across EU borders. Small and medium-sized companies are particularly affected by higher transaction costs’.

A new contract law would reduce the cost for businesses if they wanted to trade abroad, the European Commission said.

‘An optional European contract law could be chosen freely by consumers and businesses in their contractual relations as an alternative to the existing national contract laws when they want to buy or sell goods across a national border’, the Commission said in its statement.

‘It could save a small online business wishing to trade in Europe an estimated €9000 in legal and translation fees per market – or over €230 000 if they wanted to take their business EU-wide’, the statement said.

In a statement issued before the European Parliament vote Diana Wallis MEP, who reported to the European Parliament's Legal Affairs Committee in April on the issue of a European contract law, said an optional element within the law would stimulate economic growth.

‘It has to be the right optional instrument; we have to get it right’, Wallis said in a statement.

‘In this case “right” means a high level of consumer protection (indeed higher than in many Member States) an easy and user-friendly system for SMEs to incorporate in their business model as a badge of good practice and service and most importantly no adverse effects on national law. Those are the criteria we have set out for the Commission’, the Liberal MEP said.

In April, the Parliament's Legal Affairs Committee voted to approve a report initiated by Wallis in the creation of a new pan-EU contract law.

At the time, the Committee said the new contracts should be voluntary to use, available in all EU languages and contain standardised terms and conditions.

‘At the moment, businesses, in particular small and medium-sized ones, are discouraged from engaging in cross-border trade because of the divergences in national contract law’, Diana Wallis said in April.

‘[The Legal Affairs Committee's] vote was an important step towards introducing a simplified and flexible optional instrument which will enlarge the choice of parties when drawing up contracts, provide legal certainty across borders and can be put in place relatively quickly’, Diana Wallis said.

‘Retailers and consumers alike will be able to benefit from a flexible European contract law option. It is important now to ensure that any new rules created are simple, comprehensible and ready for use’, Wallis said.

In May, a study conducted by lawyers, former judges and academics at the request of the European Commission, investigated the feasibility of a future European contract law.

The study outlines how EU-wide contracts could be created, the terms of those contracts and how they could be applied in practice. It also includes proposals for the rules for when a contract is considered as being offered and when it is considered to be accepted.

The rights to withdraw from a contract, legal rights for faulty goods and rules governing unfair contract terms are among the other aspects of law detailed in the study.

The Commission is currently analysing the study to see if it can form the basis for more concrete proposals on European contract law, the Commission said in its statement.

The Commission is expected to announce proposals for the new contract law in the autumn.

By OUT-LAW.COM, part of international law firm Pinsent Masons. Copyright © 2011, OUT-LAW.com.

IRISH ‘THREE STRIKES’ SYSTEM INVESTIGATED BY DATA PROTECTION COMMISSIONER

The Eircom/music industry three-strikes system is in doubt as predictions that Eircom would end up falsely accusing innocent users proved correct and over 300 users were wrongfully sent a ‘first strike’ letter accusing them of sharing music.

The Irish Data Protection Commissioner has begun an investigation.

FACEBOOK IN THE DOCK OVER INTRUSIVENESS AND FACE RECOGNITION SOFTWARE

Facebook has been criticised by privacy advocates for its facial recognition feature that has recently been added to the social networking service, worldwide, without any previous announcement to its users.

This goes beyond the existing ability of users to Facebook users to ‘tag’ themselves and their friends in the photos they upload to the site with pop-up captions identifying the people in the respective pictures. The new face recognition feature was launched in 2010 in United States and automatically proposes the names of people featured in photos uploaded by users.

According to Graham Cluley of IT security firm Sophos, ‘Once again, Facebook seems to be sharing personal information by default’.

The outcome of this dispute seems likely to have wide-ranging effects for any other companies intending to do similar.

Facebook is also in trouble in Italy. The Italian Big Brother Awards, Italy 2011, were handed out at the e-privacy conference in June in Florence.

Facebook was the ‘star’ of the awards being nominated for several categories and won the price for the ‘Most Invasive Technology’.

CONTROVERSY OVER TRANSFER OF PASSENGER DATA TO THE UNITED STATES

In late May 2011, new draft agreements on the transfer and retention of air passenger data between the EU and the United States and Australia, respectively, leaked to the public. The renegotiation of the agreements from 2007, which have since then been provisionally applied, had become necessary after the European Parliament refused to vote on them in May 2010.

The new agreements do not substantially change the situation with regard to the old ones: both require that data of air passengers are transferred to public authorities (DHS in the United States, Customs and Border Protection in Australia) ahead of a flight; they allow for profiling, that is, the use of data for sorting passengers into risk categories based on pre-defined and secret criteria without an initial suspicion or criminal lead; and they allow for retention of the data up to 5.5 years (Australia) and 15 years (the United States) years. There are also provisions for onward transfer of the data to third agencies and countries.

The agreement with the United States met heavy criticism both among EU member states, as well as among Members of the European Parliament, and provoked an emergency reaction from the UK Justice Secretary, as well as the US ambassador to the EU.

The outcome of these talks is likely to prove highly significant for transatlantic commerce.

PRESSURE GROWS ON US-BASED COMPANIES TO REPORT DATA BREACHES

The Personal Data Privacy and Security Act is an attempt to set national standards for protecting the growing amount of personally identifiable information stored online. According to its sponsor, Senator Patrick Leahy of Vermont its approval by the Senate Judiciary Committee in June 2011makes this the fourth year the bill has been introduced.

According to this legislation, companies that have been subject to incidents (either external hacking or internal security breaches) that threaten consumer privacy could face stiff penalties for concealing them.

Although previous attempts to introduce such a law have come to nothing, the climate may be changing, making the risk to companies that fail to disclose fully or in sufficient time that much greater. The principle of heavy fines for companies failing to disclose significant data privacy breaches has been introduced into UK law in the past few years, with fines of £200 000 now widely recognised as ‘the going rate’ for such failure.

The US complacency may also be about to change as consumers and legislators have recently learnt of a series of high-profile hack attacks on networks operated by companies, such as Sony, Silverpop Systems and Gawker Media, which have exposed sensitive data for hundreds of millions of Americans.

US COURT RULES THAT ADWORD NAME USE IS NOT AN UNREASONABLE INVASION OF PRIVACY

Using names belonging to competitors to improve your own firms’ search engine results is not automatically an unreasonable invasion of privacy, a US court has ruled.

The court said that a personal injury law firm was within its competitive rights to attract business away from its competitor by using that competitor's name to trigger ads for it in search engines. The company's actions did not confuse Internet users in thinking that the people they had searched for endorsed their firm, the judge said.

William Cannon and Patrick Dunphy placed ads for their Cannon & Dunphy firm that appeared when users searched for rival firm Habush Habush & Rottier, run by Robert Habush and Daniel Rottier.

The ads appeared on search engines run by Google, Yahoo! and Microsoft in 2009.

Habush and Rottier argued that the use of their firm's name by Cannon & Dunphy violated a Wisconsin state law on personal publicity rights.

Wisconsin laws on personal publicity rights say that using a living person's name for advertising or trade purposes is not permitted without first gaining that person's consent, the ruling said. Anyone whose privacy is unreasonably invaded is entitled to ‘equitable relief to prevent and restrain such invasion’, the ruling said.

Habush and Rottier did not prove Cannon & Dunphy's use of their names was unreasonable, the judge ruled.

‘[Habush and Rottier] have established that [Cannon & Dunphy] used their names without consent for purposes of advertising and trade’, the judge said in his ruling (27-page/508KB PDF).

‘However, they cannot establish that such use was done unreasonably. There are no genuine issues of material fact for determination at a trial. Because only one of the two essential elements of [Habush and Rottiers’] claim is provable, [Cannon & Dunphy] are entitled to summary judgment in their favour’, the judge said.

Habush and Rottier had argued that the court should award them an injunction banning Cannon & Dunphy from using their names to link to its website.

Cannon & Dunphy's actions in using the names were not unreasonable as it was within Cannon & Dunphy's rights to try and attract business away from a competitor, the judge ruled.

‘Consumers seeking the services may find it easier, and be more likely to, search for the name of a recognised law firm than to key-in ‘personal injury lawyers Milwaukee’, the judge said.

‘[Cannon & Dunphy] are correct that this tends to put businesses in the relative positions on the internet that they were once in when clients used telephone directories,’ the judge said.

‘[Cannon & Dunphy] could write to the TV stations that carry ads for Habush Habush & Rottier. They could ask to purchase ad-time within 20 minutes of every add run by the Habush firm’, the judge said.

‘If [Cannon & Dunphy] did this, they would be using the name of [Habush Habush & Rottier] for purposes of advertising without [their] consent. But such use is consistent with the principles of energetic business competition in our state and is not unreasonable’, the judge ruled.

Habush and Rottier used their names to endorse their law firm giving the search engine results a secondary meaning, the judge said. This dual meaning reduced the unreasonableness of the names’ use as advertising tools, the judge said.

Internet users that clicked on links to the Cannon & Dunphy website after searching for Habush or Rottier would notice their mistake with little, if any, confusion, and no perception is given to users that Habush and Rottier endorse Cannon & Dunphy's business, the judge said.

On balance, Cannon & Dunphy's use of Habush and Rottiers’ names were not unreasonable, the judge said. ‘The term “unreasonable” means irrational, lacking a rational basis, not guided by reason, or capricious’, the judge said.

‘Under the circumstances of this case, [neither Habush nor Rottier can] establish [that their] name was unreasonably used by the competitor’, the judge said.

By OUT-LAW.COM, part of international law firm Pinsent Masons. Copyright © 2011, OUT-LAW.com.

US REGULATORS MAY DEMAND INCREASED ONLINE BANKING SECURITY (JUNE 2011)

US banking regulators are considered by introducing tougher new rules to force banks to tighten access to online accounts, according to media reports.

New measures may include improving the security behind user passwords, the chairman of the Federal Deposit Insurance Corporation (FDIC), one of the US’ banking regulators, has said, according to the Reuters news agency.

Banks may be asked to ‘strengthen their authentication when a customer logs onto online accounts’, Sheila Bair, chairman of the FDIC, said, according to the Reuters report (www.reuters.com/article/2011/06/09/us-citi-idUSTRE7580TM20110609).

Regulators last updated their security guidance on Internet banking in 2005, but proposed that they be modernised late last year, the Reuters report said.

The regulators are ‘increasingly concerned that customer authentication methods implemented several years ago may no longer be effective … [and are] also … aware that some institutions have failed to perform periodic risk assessments and update their control mechanisms appropriately’, the regulators said in December, according to Reuters.

Earlier this week Citigroup, the biggest financial services company in the world, confirmed that hackers had stolen personal data belonging to approximately 210 000 of its customers. The Financial Times had previously reported that the company's systems had been breached.

Names, account numbers and contact information was stolen, but other personal information was not taken, Citigroup said in a statement.

By OUT-LAW.COM, part of international law firm Pinsent Masons. Copyright © 2011, OUT-LAW.com.

EDPS: DATA RETENTION DIRECTIVE FAILS TO MEET DATA PROTECTION REQUIREMENTS

Peter Hustinx, the European Data Protection Supervisor (EDPS) adopted, on 31 May 2011, an opinion on the European Commission's Evaluation Report on the Data Retention Directive submitted on 18 April 2011 to the Council and the European Parliament.

On the basis of this Report, the EDPS has drawn the conclusion that the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection, primarily because the necessity for data retention has not been sufficiently demonstrated.

This is an issue of ongoing debate within the European Parliament – and likely to have significant implications for obligations for data retention placed on businesses.

INTERNATIONAL LAW ON IP RIGHTS IS FINALISED AND READY FOR SIGNING (JUNE 2011)

An international trade agreement that targets intellectual property (IP) rights infringers has been finalised, the Japanese Ministry of Foreign Affairs has said.

The Anti-Counterfeiting Trade Agreement (ACTA) is a voluntary international treaty that seeks to provide standardised international enforcement of IP rights. ACTA was negotiated in secret by the Governments of a collection of countries over the past 3 years.

The treaty has been controversial because of secrecy surrounding its negotiation; because it operates outside of existing trade bodies the World Trade Organisation (WTO) and World Intellectual Property Organisation (WIPO), and because earlier drafts reportedly sought to impose measures that could interfere with individuals’ rights.

ACTA has been finalised since April and has been open to countries to adopt into since the start of May, the Japanese Ministry of Foreign Affairs said.

‘The ACTA was opened for signature on May 1, following its adoption by participants in its negotiations on April 15. The Government of Japan will receive signatures as the Depositary of this Agreement’, the Japanese Ministry of Foreign Affairs has said in a statement.

‘The Government of Japan looks to continue efforts with the other concerned countries with a view to bringing the ACTA into effect as soon as possible’, the Japanese Ministry said.

The ACTA document, published by the European Commission, said that effective enforcement of IP rights is ‘critical’ to international economic growth.

‘The proliferation of counterfeit and pirated goods, as well as of services that distribute infringing material, undermines legitimate trade and sustainable development of the world economy, causes significant financial losses for right holders and for legitimate businesses, and, in some cases, provides a source of revenue for organised crime and otherwise poses risks to the public’, the ACTA document said (25-page/231KB PDF).

A Foundation for a Free Information Infrastructure (FFII), a body that has scrutinised the development of ACTA, said in a blog that this version of the agreement did not differ greatly from a previous draft published late last year.

The ACTA encourages customs officers to help identify IP right violators and share the details with other countries.

‘Where a Party seizes imported goods infringing an intellectual property right, its competent authorities may provide the Party of export with information necessary for identification of the parties and goods involved in the exportation of the seized goods’, the ACTA said.

‘The competent authorities of the Party of export may take action against those parties and future shipments in accordance with that Party's law’, the ACTA said.

Countries should ‘share information with the competent authorities of other Parties on border enforcement of intellectual property rights, including relevant information to better identify and target for inspection shipments suspected of containing infringing goods’, the ACTA said.

In January, a group of 27 European law academics criticised ACTA and urged European governing bodies to reject it. The group said that ACTA's criminal enforcement measures protecting IP rights was unlawful.

‘Within the EU legal framework there are currently no provisions on criminal enforcement of intellectual property rights. ACTA, therefore, is by nature outside the EU law and would require additional legislation on the EU level’, the academics said at the time.

Existing IP rights frameworks exist, such as the WTO's TRIPS (Trade Related aspects of Intellectual Property Rights) agreement, but critics are concerned that ACTA does not provide the same safeguards that protect accused infringers’ rights.

‘The ACTA conveniently does not include provisions comparable to those of the TRIPS Agreement that provide protection to accused infringers, such as time limits for preliminary injunctions during which right holders must act to initiate cases on the merits, and the right to be heard in cases initially acted upon [where their side of the case was not heard]’, the Intellectual Property Watch news group said in a report (www.ip-watch.org/weblog/2011/05/06/trading%E2%80%99s-end-is-acta-the-leading-edge-of-a-protectionist-wave/).

‘The ACTA negotiating countries have sought to justify the “non-appearance” of protective provisions on grounds that the Parties will maintain their obligations under the TRIPS Agreement’, the group said.

‘In a strict sense, that may be correct, but it should be recalled that the TRIPS Agreement is not directly effective in the law of the European Union or the United States, and private parties do not have the right to directly challenge the consistency of national IP law with the TRIPS Agreement before the courts’, the group said.

‘ACTA has several features that raise significant potential concerns for consumers’ privacy and civil liberties, for innovation and the free flow of information on the Internet, legitimate commerce, and for developing countries’ ability to choose policy options that best suit their domestic priorities and level of economic development’, the Electronic Frontier Foundation, a digital civil liberties campaign group, said in a statement.

ACTA was negotiated by, among others, Australia, Canada, the United States, Japan, Korea, Morocco, New Zealand, Mexico, Singapore and, on behalf of EU countries, the European Commission.

Full text of the ACTA document may be found at trade.ec.europa.eu/doclib/docs/2011/may/tradoc_147937.pdf.

By OUT-LAW.COM, part of international law firm Pinsent Masons. Copyright © 2011, OUT-LAW.com.

FUTURE CONFERENCES

  1. 1

    24–30 July 2011, Meissen, Germany European Summer School on Internet Governance 2011, www.euro-ssig.eu/.

  2. 2

    11 October 2011, Brussels, Belgium. ePractice Workshop: addressing evolving needs for cross-border eGovernment services, www.epractice.eu/en/events/epractice-workshop-cross-border-services.

  3. 3

    27–30 October 2011, Barcelona, Spain. Free Culture Forum 2011, fcforum.net/.