More on the Proposed 2017 ePrivacy Regulation: A Messy and Contradictory Text That Confuses Content and Carrier

We have briefly outlined some of the problems concerning the Commission’s 2017 proposal for a new ePrivacy Regulation in an earlier post. The main point made then was that the rules are unnecessarily complicated and not always in sync with the forthcoming GDPR. On October 26, the EU Parliament voted to move forward to Trilogue on the basis of the present text, thus advancing it one step forward towards adoption. The debate about the text seems to have been simplified to such extremes that even EU officials are not immune from making emotional albeit misguided arguments.

The proposed text, however, is highly technical, and requires careful analysis. In this post, in order to underline the claim that the present text is inadequate, we will try to highlight three of the most pressing controversies that arise out of it.

  1. As is well known, the ePrivacy proposal, as was the case with the still-in-force 2002 ePrivacy Directive, is a text arising out and forming part of the Telecommunications Regulatory Framework. The present framework dates to 2009 and very comprehensive proposals for its reform in the form of the European Electronic Communications Code (EECC) have been tabled. As such, the Proposal is part of a set of laws which apply to the carrier layer of the Internet – the electromagnetic signals which move either through the wires or through the air. That Framework does not apply to content, for which an entirely different set of laws has been designed (the chief of which is the 2001 E-Commerce Directive but part of which is also the 1995 Data Protection Directive (“DPD”)). This is apparent from Articles 1, 2 and 4.1.b, which confirm that its field of application are networks and services,1 the same field of application as that in the Telecoms Regulatory Framework – not information society services, as is the case with E-Commerce. The Telecoms Regulatory Framework, by definition, does not regulate the content of electronic communications but only the modalities of their transfer (authorisation of, access and interconnection, universal services). In that sense, the ePrivacy Directive positioned itself as an instrument which complemented the 1995 Data Protection Directive (still in force today until GDPR replaces it in May 2018), albeit from the arsenal and with a toolbox of a completely different regulatory circle – that covering the content. In other words, the ePrivacy Directive relied on the DPD instruments (and referred to them directly) to address a set of specific issues which only arose in the telecommunications field. This was a neat trick which was relatively simple to perform in 2002. The Proposal still positions itself as part of the telecoms circle, expressly referring to EECC. The Proposal still relies on the (now) GDPR set of tools and declares its complementary role. But, the reality of the converged Internet which the Proposal now effectively applies to has moved it from the telecoms/carrier squarely into the contents field. In other words, the Proposal is a content-regulatory tool that passes itself of as a telecoms law and uses telecoms tools for content regulation. The result is highly confusing – applying content-designed privacy concepts to the carrier layer and carrier-designed rules to content services.
  2. The Proposal extends its territorial scope of application to non-EU providers. Whereas the Directive applies within the scope of the application of DPD and the 2009 telecoms framework, the Proposal aligns itself with the GDPR’s extended scope: it applies to provision and use of all services to end-users in the Union (irrespective of the corporate seat of the provider) as well as terminal equipment of the end-users in the Union. This is the extension of its scope to entities located outside of the EU, which is similar in nature to Article 3 GDPR. The problem arises from the lack of precision which GDPR does not suffer from but ePrivacy proposal does. GDPR is specific in that it applies only to the provision of goods or services to EU subjects (deliberate targeting) and monitoring of behaviour. Recital 23 of GDPR requires an intention to target EU users. Recital 9 of the Proposal does not. This can only be interpreted to mean that all telecoms services reaching end-users in the EU, irrespective of whether such services were intended for these users, are covered – an unnecessary extension of scope and an unnecessary deviation from the GDPR’s more balanced approach.
  3. Whereas the Directive’s main idea was that telecoms communications should be confidential while they pass through the wires and while they are in telecoms operator’s hands, it never put obstacles on the processing itself. It rather sought to eliminate the situations in which telecoms operators might compromise the data privacy (by e.g. unwarranted surveillance) or where data or metadata might be misused. The Proposal’s starting point is that “listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data” (emphasis added) should be prohibited unless specifically allowed. The essence of any telecoms business model is the processing of telecoms data and metadata. The main position of the Proposal is that this activity is, in principle, prohibited. This position is both unsustainable and puzzling since it demonstrates the drafter’s lack of understanding of the nature of telecoms activities.The processing is allowed under some circumstances covered in Article 6. The Proposal suggests first that both content and metadata may be processed by providers or networks and services for achieving the transmission or for maintaining or restoring security. Metadata only may be processed in more situations by providers of services only, including when the users gave consent. Finally, content only (without data) can only be processed by providers of services only for the provision of a specific service to end users with their consent and where all end-users concerned have given their consent. The proposed division seems to be arbitrary in its distinction between providers of networks and providers of services. Equally confusing are the reasons under which content as opposed to metadata may be provided. More damagingly, the consent here is in contradiction with Articles 6 and 7 GDPR. The two sources – GDPR and Proposal – say different things about consent, with the Proposal imposing significantly stricter requirements.

Some of criticism outlined above is not new. A study published on October 19, 2017, highlighted a number of controversies as have other sources. We believe that the confusion which arises from the present text is a sign that the convergence of content and carrier cannot be dealt with by bundling the issues into a single legal container. The present Proposal attempts to do too much by relying on tools from two legal frameworks while not being fully committed to either. Equally damagingly, the Proposal duplicates and/or confuses issues already covered in GDPR. Nowhere is this more apparent than in the provisions on ‘cookies’. Article 8, which replaced the much-maligned and ineffective cookie requirement of Article 5(3) of the ePrivacy Directive, is long, confusing and replicates some parts of Recitals 26, 30 and 32 of GDPR while contradicting others.

A sensible approach is to keep the content and carrier layers separate by transferring content-related issues to GDPR while keeping the telecoms ones strictly within the telecoms framework. While this would require a thorough rethinking of the proposed texts and a redrafting of GDPR, the ultimate result would be the added protection in those areas where it is really needed.

  1. “Electronic communications” are an official EU replacement for the old term “telecommunications”. In reality, they are synonyms.
Advertisements

Commission Fines Google €2.4 billion – What They Got Wrong and Why it Matters

On June 27, The European Commission fined Google €2.42 billion for abusing dominance as a search engine by giving advantage to its own comparison shopping service.

Google’s “flagship” product is its search engine, with a global market share of over 78% and over 90% in the EU. 90% of Google’s revenues come from selling advertising on its search engine. The present case concerns another product, its comparison shopping service, currently named Google Shopping. When entering a product name, Google Shopping compares products and prices online and presents the results to end-users. In doing so, Google accesses other platforms such as Amazon or eBay. Google Shopping is embedded in Google’s search engine so that it is not necessary to visit Google Shopping separately. A regular search for a product on its main engine prominently displays Google Shopping results at the top. This, in Commission’s view, is Google’s main transgression.

The Commission is currently running three separate cases against Google. The present case should not be confused with a similar but conceptually different one the Commission is running against Google’s practices concerning its Android operating system. That investigation into Google’s Android has been running from 2015 and has not concluded yet. It should equally not be confused with the Commission’s 2016 investigation of agreements between Google and partners of its online search advertising intermediation programme AdSense. While Google’s dominance in the search market is what connects these cases, the underlying legal basis on which the Commission relies is not the same in them and they should be analysed separately.

The investigation dates back to 2010. After a lengthy investigation, the then-commissioner Joaquín Almunia sought to reach a deal with Google in 2012, avoiding formally charging it, a strategy for which he was heavily criticised. After Margrethe Vestager assumed office in November 2014, the case started moving at a somewhat faster pace. The Commission sent the original statement of objections in September 2015. Google outlined its responses to the Commission in a blog post in November 2016. The supplementary statement of objections has been sent in July 2016 to which further responses followed.

In reaching its present decision, the Commission’s starting point is that there should be competition between comparison shopping services. Google has used its dominant position on the search market to allegedly illegally promote its own comparison shopping service. The Commission’s argument is that Google has:

  • “systematically given prominent placement to its own comparison shopping service”
  • “demoted rival comparison shopping services in its search results”

Put in simple terms, the Commission claims that Google is not only relying on its dominance in the search market to push its own comparison shopping service but is taking active steps to ensure that rivals’ services are not readily accessible. The Commission concludes that Google is dominant in the search engine market and that it has abused its dominance by giving its own shopping service an illegal advantage.

In comments to the original and supplemental statement of objections, Google indicated that it believed the Commission’s definition of the relevant market to be narrow. In choosing to focus on comparison shopping websites only, the Commission was ignoring the broader dynamics of consumer shopping. Google’s June 27, 2017 response to the decision repeats in an abbreviated form the arguments heard before. In Google’s view, the Commission does not provide convincing reasons for only targeting the more recent version of its shopping product which has been available for many years without objection. Furthermore, the Commission does not adequately address the overall decline of comparative shopping products which Google believes to be a direct result of the increasingly popular Amazon and eBay. Google’s November 2016 response claims

that online shopping is robustly competitive, with lots of evidence supporting the common-sense conclusion that Google and many other websites are chasing Amazon, by far the largest player on the field.

If one is to look for market power, one has to see what market that power is supposedly exercised on. There is no doubt that market definition in online markets is a rather complicated exercise. At present, horizontal search engines (Google, Bing, etc), vertical search engines (e.g. Pricerunner) and vendor platforms (Amazon, eBay) all compete for the same custom. Furthermore, the SSNIP test (small but significant and non-transitory increase in price) does not seem to be effective in narrowing down the market for online shopping. It can be said with some confidence that Google’s competitors are not only the other comparison shopping websites (nor even other search engines) but other intermediaries in general. This is especially true of younger generations who increasingly use platforms like Facebook, Instagram or Snapchat for their search needs. Firms with different business models can and do compete within the same market.

Research suggests that product comparison shopping is affected mainly by the frequency of internet usage, perceived usefulness, and ease of use. The Commission has not provided a forward-looking market definition nor did it prove that Google might be dominant on such a market (as opposed to more narrowly defined one). The Commission’s argument concerning dominance on the search engine and the related advantage would only work if the consumers would access a more significant share of competitors’ services either in the total absence of Google Shopping or in it being “downgraded” in ranking or placed alongside others. But, evidence suggests that consumers access comparison shopping sites largely directly and not trough Google simply because it is easier and more useful to do so. Google’s withdrawal from this market would have no effect on traffic that these other sites get.

In summary, it seems that the Commission’s approach is based on a specific and narrow market definition. Users do not seem to engage in comparative shopping of the kind Commission believes them to. An average shopper accessing Google is well aware of alternatives and uses them anyway. To say that there is no single market for online search today borders on banality and yet the Commission seems to read too much into the fact that 90% of users in the EU use Google. Further to that, the Commission believes that Google should treat own products and those of competitors equally, by no means a foregone conclusion.

The Commission’s decision is important for several reasons. While Vestager DG COMP may very well have learned the lessons from the political fallout from Almunia’s attempt to strike a deal, the importance of threading carefully cannot be overestimated. Almunia’s attempt to compromise reflects the realities of modern platforms – they tend to be dominant for a short while, they are ubiquitous and they perform a public service. Heavy handed approach may backfire. The present decision may be rendered meaningless much faster than with the 2007 Microsoft case in a rapidly changing search market.

More importantly perhaps, the somewhat hasty approach may be a signal of a messy situation to follow both in further Google cases and a plethora of other high-tech issues currently pending or coming in the future. The case is likely to continue for a considerable period as it gets appealed to Court.

Is Sharing Torrents on Online Platforms a Communication to the Public ? – CJEU’s Judgment in Stichting Brein

On June 14 the CJEU delivered its judgment in Stichting Brein case (not to be confused with the C-527/15 Stichting Brein, which is also about ‘communication to the public’ and in which CJEU ruled that the sale of multimedia players with pre-installed add-ons is communication to the public).

The present case concerns Stichting Brein, the rights holders’ association from the Netherlands, and Ziggo and XS4ALL, internet service providers. The latter had a number of customers who availed themselves of the services of online sharing platform TPB, an indexing service for BitTorrent files. It was established as a fact that the majority of works indexed through TPB were protected by copyright and shared without the rightholders’ consent. Stichting Brein applied to courts requesting that Ziggo and XS4ALL be ordered to block access to TPB. The question then concentrated on whether the individual posters, the TPB or the intermediaries were engaged in communicating the works to the public. The Hoge Raad referred the case to CJEU, asking, essentially, if TPB’s actions amount to communication to the public at all.

The questions referred to the Court were:

Is there a communication to the public within the meaning of Article 3(1) of the Copyright Directive by the operator of a website, if no protected works are available on that website, but a system exist … by means of which metadata on protected works which is present on the users’ computers is indexed and categorised for users, so that the users can trace and upload and download the protected works on the basis thereof?

If the answer to Question (1) is negative:

Do Article 8(3) of the Copyright Directive and Article 11 of the Enforcement Directive 2 offer any scope for obtaining an injunction against an intermediary as referred to in those provisions, if that intermediary facilitates the infringing acts of third parties in the way referred to in Question 1?

The two groups of questions are conceptually unrelated. By the first, the Court is asking if TPB’s actions amount to communication to the public as per Article 3(1) of the Copyright Directive. By the second, the court is asking if the facilitating intermediaries (Ziggo and XS4ALL) can nevertheless be subject to an injunction (even where their activity is not communicating to the public).

Advocate General Szpunar, in his opinion, emphasises the lack of proper definition of ’communication to the public’ and refers to Court’s case law which had so far helped clarify the concept. In particular, the acts of communication and the presence of a public need to exist.1 The player makes an act of communication “when it intervenes, in full knowledge of the consequences of its action, to give its customers access to a protected work, and does so in particular where without that intervention its customers would not, in principle, be able to enjoy the broadcast work.” The second criterion requires two separate conditions to be fulfilled: the communication must be directed at indeterminate but fairly large number of recipients2 and it must target a new audience. The second condition is not fulfilled where the work is already been made available on another website. As will immediately be clear, all sorts of difficulties may arise as to what qualifies as a work already made available. In Advocate General’s summary (paragraphs 41 and 42) of the Court’s cases, two situations can be discerned in which a new public clearly exists:

  • a work made available without the consent of the copyright holder amounts to communication to the public since the original holder did not envisage the new public gained through the act
  • communication through technical means different than the initial communication3

(It is worth noting here that it is not entirely clear whether the Court’s case law amounts to the first conclusion and it is questionable whether the second one should apply.) AG Szpunar takes the position that TPB’s actions are a communication to the public and gives three reasons. First, the fact that files are cut-up in the process of transmission and downloaded from multiple sources simultaneously is irrelevant for the fact that complete works are enjoyed at final destination. Second, potential users of peer-to-peer networks fulfil the first criterion of indeterminate number of users. Third, the ‘new public’ criterion is also satisfied since not only is the rightholder’s consent absent but the new technical means had been used for transmission. Finally, the AG says that, although it is the users who willingly upload the files and leave the computers connected to the network, it is the indexing site that makes the ultimate transmission possible. While active knowledge (and refusal to rectify) remains a condition for an intermediary’s liability, the “necessary and deliberate” actions of operators demonstrate the possession of full knowledge and are, therefore, “simultaneously and jointly” making the works available.

The Court’s judgment repeats the basic premises on which Article 3(1) of the Copyright Directive works, in particular the absence of consent and the new technical means. The Court adds that the for-profit nature “is not irrelevant” without offering further explanation as to how and why it might become relevant. The key point is made in paragrapoh 36:

[…] the fact remains that those operators, by making available and managing an online sharing platform such as that at issue in the main proceedings, intervene, with full knowledge of the consequences of their conduct, to provide access to protected works, by indexing on that platform torrent files which allow users of the platform to locate those works and to share them within the context of a peer-to-peer network. […] without the aforementioned operators making such a platform available and managing it, the works could not be shared by the users or, at the very least, sharing them on the internet would prove to be more complex.

The Court downplays the subjective element which, both in the AG’s opinion and in the Court’s own previous case law features somewhat more prominently. Whereas AG’s opinion suggests that the operator must have been aware that the work had been available (thus exempting bona fide intermediaries), the final judgment puts focus on the facts that the indexing site is essentially a co-infringer. The final ruling is, therefore:

The concept of ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, must be interpreted as covering, in circumstances such as those at issue in the main proceedings, the making available and management, on the internet, of a sharing platform which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users of that platform to locate those works and to share them in the context of a peer-to-peer network. (emphasis added)

In spite of the somewhat unsurprising conclusion of the Court, some doubts remain.

First, a significant number of cases in which CJEU interpreted communication to the public relate to hyperlinks and not to peer-to-peer setups. It is not clear to what extent the conclusions made in those cases can be translated to the present ones. Although the Court does refer to its well-known Svensson and GS Media judgments, both of these were criticised at the time. Neither the Court nor Advocate General attempt to develop a new approach to P2P platforms.

Second, some aspects of the previous case-law are questionable. The fact that it is not necessary to establish the existence of the new public where new technical means are used is, in view of this author, problematic and may not be applicable to a range of situations. Likewise, the role of the extent of the rightholder’s consent is not properly explored. It seems that the CJEU believes that a rightholder who consented for something to be posted would be precluded from suing for infringement where that work gets linked to from elsewhere. While it is possible to defend that position, it is not clear that the drafters of Article 3 had intended that effect at all.

Third, while it may be clear that TPB is in full knowledge of the infringing nature of the traffic that it facilitates, this will not always be the case. The Court’s present case-law concerning the relevance of knowledge is confusing. The Court’s hyperlinking line of cases (GS Media) establishes the presumption of knowledge for commercial sites, saying that commercial providers who hyperlink are simply presumed to be knowledgeable about the infringing nature of the activity. Paragraph 47 of that judgment makes the subjective element part of the equation. Advocate General suggests (paragraph 52) that platform’s actual knowledge must exists. The AG suggests that GS Media approach is not appropriate here. The Court mostly disregards the knowledge factor in the present case and does not go into the applicability of its presumption system to P2P cases, leaving the subjective factor open for further confusion and interpretation. Finally, while the existence of intermediaries’ liability in light of Articles 12-15 of the E-Commerce Directive does depend on the subjective factor, these articles do not apply in cases where platforms are primary infringers or co-infringers.

Fourth, the Court’s judgment emphasises indexation, metadata and the provision of a search engine as decisive elements which make TPB a communicator but these exact elements can also be ascribed to search engines such as Google or instant messaging services. The judgment does not offer many clues which can be used to distinguish infringing P2P sites from other sites in the future.

Fifth, the intermittent reliance on profit as a criterion (also featuring in GS Media) is puzzling, especially in the absence of a longer explanation from the Court concerning the possible roles it may play. While the existence of commercial interests may play a role in highlighting the poster’s intentions regarding the public it wants to reach and possible lack of good faith, it cannot and should not play a role in determining whether a work has or has not been communicated to the public. Particularly damaging might be an attempt to conclude that an undertaking operating without profit should not be considered to be making a communication to the public – a possibility which still exists in the present setup. A possible interpretation would be that a for-profit shortcut would simply exempt court from looking at other factors but this interpretation is not supported by Article 3(1).

In summary, while the Court’s judgment is not surprising and can easily be defended on the basis of the facts presented to it, it does little to clarify the increasingly muddled situation surrounding communication to the public in the digital world.

In light of the fact that the first question was answered positively, the second question had not been answered. Nothing is lost here since the Court’s position on injunctions against intermediaries is relatively well-established.

  1. C-160/15 GS Media, link.
  2. A condition usually satisfied by a website C-466/12 Svensson, link.
  3. C-607/11 ITV, link

The US Congres Repealed FCC Broadband Privacy Rules – What does EU Law Say and are Europeans affected?

On January 27, representatives of many ISP providers in the United States filed a petition with the Federal Communications Commission (FCC) requesting a stay of the rules adopted on October 27, 2016 (under Obama administration). The rules the ISPs wanted removed were the FCC privacy, data breach, and data security rules for broadband Internet access service (BIAS) providers. These rules, which had not yet come into effect, had been labelled as unduly restrictive. The House voted this Tuesday on S.J. 34, repealing the FCC BIAS rules. This has prompted a wave of negative comments (e.g. here). Are they justified and are Europeans affected?

The essence of the rules was to require ISPs to obtain individual consent from each individual before collecting and using information for any purpose, including targeted advertising. The harvesting of data is already under control of the Federal Trade Commission (FTC) and this control extends to ISPs. The new rules – a bolt-on to the FTC’s existing control – would have created a new regime only for ISPs, subjecting them to a more stringent control, probably guided by the idea that ISPs have unique insight into users’ browsing habits (almost certainly not correct, since a lot of traffic is encrypted or anonymised). The FTC regime is, in essence, an opt-out regime – users can withdraw their assumed consent. FCC regime would have been an opt-in regime.

As already point out, in spite of an outcry from privacy advocates, the repeal would have little impact. This is because a) the FCC regime that it repeals had not yet come into force at the time of repeal, b) many ISPs have already pledged to protect existing levels of consumer privacy and c) the repeal simply leaves data collection in the state in which it has been up until now. The internet advertising market, which is dominated by Google, remains now open to a degree of competition, although all the criticism which could be levelled at data collection practices in the US prior to FCC attempt from October 2016 (which are now in place again) is still valid. In other words, whereas it is certainly true that EU Internet privacy is not ideal, this is not for the reasons stated in most public comments.

But, what is the situation in the EU and do American rules affect users in the EU?

It is easier to dispense with the second question first. The FCC rules would have targeted ISPs in the United States only, not those located abroad, including in the EU. Since EU users do not avail themselves of American ISP services (except when they travel to the US), all remains as it has been. On the other hand, EU consumers are subject to American data collection practices in as much as they use websites located1 in the United States. The legal status of these practices is somewhat murky, since they are subject to two sets of laws + collector’s terms of use and privacy policy. First, the general data collection is under US FTC rules. Second, they are under EU data protection law. At present this is the 1995 Data Protection Directive, from May 2018 it will be General Data Protection Regulation. The former applies to entities established in the EU or those who process with the use of the equipment in the EU. If neither is satisfied, the Directive does not apply. This is an oversight which had been corrected in the GDPR which demands application to all situations where EU individuals are targeted irrespective of the establishment or the equipment. Finally, privacy policies and terms of use will be interpreted in light of both these sets of rules and national contract and consumer protection laws. Unfair clauses in such polls are likely to be invalid under EU and national contract and consumer laws and under privacy law. Whereas all this may be of interest to EU users (and their lawyers), it has nothing to do with data that ISPs collect. The conclusion must, therefore, be that the repeal has no effect whatsoever on EU consumers.

The second question, concerning the extent to which EU broadband providers in their own right are subject to privacy oversight, is split between regulation affecting the content and carrier layers of the Internet. The carrier layer is subject to telecommunications laws2 and covers wired and wireless infrastructure carrying the signal (rules on setting up operations, access to other providers’ networks, obligations towards consumers, spectrum management, etc.) These rules do not regulate content itself. The latter is subject to a different set of disciplines – electronic commerce laws3 and audio video media services laws.4 These do not affect the carrier layer but do regulate the content (contracts, consumer laws, protection of minors, advertising, copyright, etc.) The division between the content and carrier layers is important because the EU regulates privacy on both and ISPs do operate on both layers . Privacy on the content layer is largely subject to a the 1995 EU Data Protection Directive (soon GDPR). Privacy on the carrier layer is subject to a special directive, the 2002 ePrivacy Directive (which itself is under a proposed change tabled in 2017 and currently under review). An activity in the digital world may be regulated under both regimes if it moves across the content and carrier layers, or it may be regulated under one only.5

An EU ISP provider in its role as a broadband provider is subject to DPD (which covers all situations where private data relating to identified or identifiable customers is gathered with the aid of automation). It will also be subject to ePrivacy Directive in its role as telecommunications provider and in respect of data that consumers demand from third parties through ISPs infrastructure. In other words, if the data moves through ISP provider’s wires only, and it is not ISP itslef that purveys data, the transaction is subject to ePrivacy Directive. Content providers such as Google or Facebook or a local newspaper, are not telecommunications providers and are, as a rule, only subject to DPD and those elements of the ePrivacy Directive which do apply to the content layer (cookies and spam).

Having said all this, what does ePrivacy Directive actually say about ISPs and will that change in the ePrivacy proposal?

The ePrivacy Directive applies to all telecommunications providers.6 Two general obligations imposed on providers7 are the obligation to secure the processing of data8 and to maintain confidentiality.9 A general rule on traffic data, Article 6(1), demands that this data be erased or anonymised “when it is no longer needed for the purpose of the trans­mission of a communication.” Exceptions exist for billing purposes, marketing and value added services as well as for reasons of national security, defence, public security, and the prevention, investi­gation, detection and prosecution of criminal offences or of unauth­orised use of the electronic communication systems.10 In Article 15(3), the exception relating to marketing is introduced in the form of explicit opt-in:

For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data […] to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. [emphasis added]

This is the level of protection consistent with the one that would have come into place in the US after the now moribund October 2016 intervention. Location data, other than traffic data11, as per Article 9, may only be processed when “made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.” In such cases, the users are informed of the collection and can withdraw their consent. Furthermore, Article 9(2) also requires that, where consent had been given, users be allowed to temporarily suspend collection in an easy and free-of.charge manner.

The 2017 proposal for an ePrivacy regulation is at this stage only a proposal (unlike GDPR which has been adopted). It is a more complex and more confusing document than its predecessor. New Article 6 proposes to allow the processing telecommunications metadata,12 among others when

the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

The wording is different from DPD. Whereas DPD Article 6 allowed collection for marketing purposes or for the provision of value-added services, the new proposal is more permissive in terms of types of services for which collection is possible. This includes all situations where the user gives consent for a purpose which is “specified” and which includes (but is not limited to) the provision of “specific services”. The only limitation comes in the form of a demand that the purpose could not have been achieved through anonymised processing. Content itself (rather than metadata) can only be processed if and only if the provision of a consumer-demanded electronic service could not be achieved without such processing. Although the article no longer specifies that it is “prior” consent, this is clear from Article 9’s reference to GDPR’s conditions for consent.

Overall, the new article is slightly more permissive in terms of purposes for which metadata could be collected but it does not relax the conditions (prior consent, possibility for withdrawal, etc.) for their collection. On the contrary, it underlines that such collection is possible only when anonmymization does not fulfill the purpose and under user’s consent.

In conclusion, the EU opt-in regime (both under the present and proposed ePrivacy) provides a somewhat better (on paper at least) protection than their American opt-out counterpart. Overall, ISP data collection practices are regulated on both sides of the Atlantic and the demise of the October 2016 proposal is likely to be of little consequence. On the other hand, data collection practices on the service and application layer (not ISPs) remain an issue both in the USA and in the EU but are legally and logically not part of this debate. Finally, the fact that EU regime is more robust on paper is not in itslef a testimony to EU users being better protected in real life.

 

  1. Officially referred to in EU as electronic communications law.
  2. See EU E-commerce Directive which is the framework instrument for this area.
  3. See AVMS Directive and the 2016 proposal for its reform.
  4. To make things even more complicated, the ePrivacy Directive does regulate certain issues on the content layer such as cookies and spam.
  5. Articles 1 and 3.
  6. This is not only ISP but all providers of telecoms services.
  7. Article 4. This is general security against outside breaches.
  8. Article 5. This relates to surveillance, tapping, etc.
  9. See Article 15.
  10. Traffic data refers to ordinary data about the electronic transaction (e.g. IP address, duration, etc.). Location data only refer to the geographical location.
  11. Which is information about the type, duration, IP, etc. of a transaction but not the content itself. “Location” in this context means a company with a corporate seat in the United States and subject to US laws, irrespective of where the equipment (i.e. servers) used to collect data is located. 

Rule By Decree: A Comment on the Commission’s Letter to Twitter, Facebook and Google

On March 17, the Commission published a press release concerning a meeting following a letter it sent in November 2016 to Twitter, Facebook and Google. The letter demanded action from the said platforms in two areas: unfair contracts terms and removing fraud & scams. The meeting on March 16 was organised to hear the three companies’ proposal for action. The press release is accompanied by the European consumer authorities’ common position, which provides a somewhat more detailed explanation of the legal bases for each demand.

In the first area, the following changes are demanded:

  • Social media networks cannot deprive consumers of their right to go to court in their Member State of residence;
  • Social media networks cannot require consumers to waive mandatory rights, such as their right to withdraw from an on-line purchase;
  • Terms of services cannot limit or totally exclude the liability of Social media networks in connection with the performance of the service;
  • Sponsored content cannot be hidden, but should be identifiable as such;
  • Social media networks cannot unilaterally change terms and conditions without clearly informing consumers about the justification and without given them the possibility to cancel the contract, with adequate notice;
  • Terms of services cannot confer unlimited and discretionary power to social media operators on the removal of content.
  • Termination of a contract by the social media operator should be governed by clear rules and not decided unilaterally without a reason.

In the second, the following is demanded:

  • scams involving payments taken from consumers;
  • subscription traps where consumers are offered to register for a free trial but are not given clear and sufficient information;
  • marketing of counterfeited products;
  • fake promotions like “win a smart phone for 1 €” have proliferated over social media which were in fact a true contest but entailing a hidden long term subscriptions for several hundred euros per year.

There are two kinds of problems with the Commission’s approach.

First, in spite of the obvious worthiness of some of the Commission’s aims, the letter is an unfortunate example of “rule by decree”. There is no obvious reason why a public authority should address foreign or EU corporations with the competition law-styled statement of objections – a power which the Treaties do not give it. Nor is there reason to single out a small number of Information Society Service (ISS) providers, which all happen to be public platforms, rather than address its communication to ISSs in general or offer interpretative communications on each relevant regulation or directive. ISS are legitimate subjects of EU regulation in the content layer while platforms are not. Moreover, if the rules in question are obviously applicable to the otherwise extraterritorial platforms, why is it necessary to remind them of that fact and much less already extract their commitment to change their practices? While it is certainly true that a “carrot-and-stick” approach has sometimes been used in the EU, this is normally not done in cases where clear rules already exist but in cases where there are no rules and the Commission encourages self-regulation with a (usually thinly) disguised threat to the stakeholders to engage in self-regulation or suffer the consequences of EU laws. The example in question is significantly different: the Commission is informally enforcing a disparate bunch of rules already in existence – and rules whose applicability to the question in hand it obviously doubts – for why would it otherwise be necessary to threaten enforcement rather than simply engage in it, as is the Commission’s duty?

Second, it is far from certain that some of the Commission’s statements are even true. Three items from the Commission’s list can be taken as examples.

First, it is not a given fact that social media cannot deprive consumers of the right to go to court in their Member State. Brussels I Regulation (Recast) Article 18 (on special jurisdiction for consumer protection) and Article 25 (on prorogation of jurisdiction) talk of jurisdiction of “Member States” only and do not openly prohibit jurisdiction or arbitration clauses in favour of third countries. Their application to third countries is far from obvious. While it is possible to interpret these provisions as prohibiting any jurisdiction clause in favour of courts or tribunals in third states, no CJEU case law exists to confirm or reject such a view yet.

Second, the limitation or exclusion of liability which the communication speaks of is, in reality, affected by contractual arrangements as well as the liability regime in Articles 12-15 of the E-Commerce Directive. A statement limiting liability may very well be valid under national contract law and under the provisions of the 1993 Unfair Contract Terms Directive. That directive, which is not a full harmonisation measure and allows discrepancies in national implementation, quotes as examples only specific cases of limitation of liability, the first of which relates to death or personal injury and the second to “inappropriate” limitations of liability in cases of non-performance or partial performance. None are obvious examples of platform limitations of liability.

Finally, the storage and removal of content is governed by a contractual relationship between the users and the platforms. That relationship is subjected mostly to national law. It is certainly true that the power to remove content is not unlimited and usually not entirely discretionary. Consumer Rights Directive and Unfair Commercial Practices Directive, which are full harmonisation measures that preclude further national intervention, may very well apply to the problem even though the common position does not even quote them. The enforcement of such measures should not be subject to EU discretion but is, instead, entirely in the hands of national courts. The common position quotes Article 3 in relation to item 1(m) in the Annex of the Unfair Terms Directive. This puts the problem in the context of user-generated services being offered in exchange for the use of the platform. In such a scenario, the consumer gets access to the platform in exchange for providing user-generated content. But, this is not a typical use of platforms nor their dominant business model. Instead, the user is accessing a service on the provider’s terms, agreeing to be subject to certain amount of advertising and agreeing to its personal data being used. What the user “sells” is information about the user, not his or her content. The contractual relationship, therefore, is free access and use of the service in exchange for some personal data (usually obtained on consent) and exposure to advertising. An arbitrary removal may raise liability issues as it tilts the balance between the parties but the exercise of a discretion in removing content voluntary provided does not.

In summary, the regulatory approach is obscure. Rather than encouraging self-regulation, the Commission is simply overstepping its authority. The letter states that the companies have already “agreed to propose changes.” More significantly, even, the issues which have been bundled together as falling under “consumer protection” are a diverse package of issues concerning jurisdiction and the applicable law, contract law, customs law, criminal law and even unfair competition. These complex issues, in as much as they fall within EU competences, are better be left to tried and tested methods of enforcement. The Treaties do not give the Commission ex ante enforcement powers which it had taken on itself. Instead, it gives it the power of passing specific laws, regulations, directives and decisions, which national consumer authorities and national courts – not the Commission – are authorised to enforce.

The Pirate Bay and Inducement in EU Copyright – AG’s Opinion in C-610/15 Stichting Brein

The Pirate Bay is an online index of torrents which the users can access to search and obtain files downloadable through BitTorrent clients. The operators were subject to criminal and civil proceedings in Sweden in 2009 and the site remains controversial and blocked in some jurisdictions.

The case concerns a Dutch foundation for the protection of intellectual property rights – Stichting Brein – and two main Dutch Internet providers. Stichting Brein applied to courts under Article 8(3) of Directive 2001/29 asking them to order the two ISP providers to block access to The Pirate Bay, arguing that The Pirate Bay website is used primarily for large-scale copyright infringement.

In November 2015 the Dutch Hoge Raad referred the following question to the CJEU:

Is there a communication to the public within the meaning of Article 3(1) of the Copyright Directive 1 by the operator of a website, if no protected works are available on that website, but a system exist … by means of which metadata on protected works which is present on the users’ computers is indexed and categorised for users, so that the users can trace and upload and download the protected works on the basis thereof?

If the answer to Question (1) is negative:

Do Article 8(3) of the Copyright Directive and Article 11 of the Enforcement Directive 2 offer any scope for obtaining an injunction against an intermediary as referred to in those provisions, if that intermediary facilitates the infringing acts of third parties in the way referred to in Question 1?

 

The Hoge Raad is essentially asking about liability of operators of P2P indexing sites for copyright infringements ensuing from the use of these sites. Although a casual reader might first think of the limitation of liability for intermediaries which both the EU and US laws provide, the case concerns not providers as intermediaries but providers as primary infringers. In other words, the question is not about whether the ISPs can be insulated from liability for somebody else’s actions1 but whether the site indexing these torrents itself is participating in the infringement.

In the United States, the Supreme Court addressed this issue in the well-publicised 2005 MGM v Grokster case, where it ruled that a service which induces infringement cannot shield itself from copyright infringement claims2. A service which does have substantial non-infringing uses and does not induce, however, could. European law is not unison on the substantive aspects of inducement or indirect infringement (with various Member States’s law applying somewhat different standards) but it is on the ability to use generic injunctive relief. Such relief is allowed under Article 8 of the Copyright Directive and Section 4 of the Copyright Enforcement Directive. In the 2010 Scarlet Extended and Sabam cases, though, the CJEU ruled that generic indiscriminate filtering injunctions were not allowed under EU law but did not exclude targeted filtering.3

The Stichting Brein case is interesting for two related yet different reasons. The first question referred is asking if the operators (The Pirate Bay) themselves are the originators of the infringement. In other words, this question is not whether the operator could avail itself of the E-Commerce Directive ISP liability insulation but whether the operator is one of the perpetrators. In order to answer that, the Court has to look into whether the operator (indexer) is making the works available or not (Article 3 of the Copyright Directive). The second question asks if, in the case where they are not perpetrators, an injunction could still be made against them ordering them to block the content which the indexer makes available. The first question is, therefore, essentially about The Pirate Bay while the second targets the ISPs.

In answering the first question, the AG Szpunar emphasises that operators of The Pirate Bay are merely indexing the content and not actually putting it online for downloading4. On the other hand, it is equally clear that the works would either be unavailable or very difficult to obtain had it not been for The Pirate Bay’s intermediation.5 For that role to be fulfilled, the operator must have actual knowledge of the infringement.6 In light of that, the AG answers the first question as follows:

The answer to the first question referred for a preliminary ruling should therefore be that the fact that the operator of a website makes it possible, by indexing them and providing a search engine, to find files containing works protected by copyright which are offered for sharing on a peer-to-peer network, constitutes a communication to the public within the meaning of Article 3(1) of Directive 2001/29, if that operator is aware of the fact that a work is made available on the network without the consent of the copyright holders and does not take action in order to make access to that work impossible.

This result is neither surprising nor inconsistent with the Court’s previous case law nor with what has hitherto been said in courts in the EU7 or in the United States. In fact, using different legal concepts and a somewhat different language, AG Szpunar reached the result which is, in substance, in line with the US Supreme Court’s MGM Grokster decision.

The second question is, in essence, about obtaining a blocking injunction through Article 8(3) of the Copyright Directive of a service which does not communicate to the public. Since the AG suggests an affirmative answer to the first question (i.e. that The Pirate Bay is an infringer), the available injunctions are somewhat wider and there would no need to use Article 8(3), which is specifically targeting ISPs.8 The CJEU had already said in UPC Telekabel Wien that Article 8(3) allows injunctions againstinfringing operators where the order “does not specify the measures which [the] access provider must take and when that access provider can avoid incurring coercive penalties for breach of that injunction by showing that it has taken all reasonable measures”. In the AG’s opinion, however, this only covers the infringing operators which The Pirate Bay may, at this stage, not be. Article 8(3) presupposes a link between subject of the injunction and a direct copyright infringement.9 In addition to that, it is also necessary that such an injunction does not violate fundamental rights.10 Crucially, however, if the infringement is only indirect, it falls under national law, since indirect copyright infringements have not been harmonised at EU level. The AG, therefore, leaves the matter to national courts, suggesting that Article 8(3) allows injunctions

against an intermediary ordering it to block access for its users to an indexing site of a peer-to-peer network, if the operator of that site can, under national law, be held liable for copyright infringements committed by users of that network, provided that measure is proportionate to the significance and seriousness of the copyright infringements committed, which is a matter for the national court to determine.

This part of the Opinion is also not particularly controversial since it has long been clear not only that injunctive relief in national law is available but also what the outer EU boundaries of such relief might be. The only change that this Opinion brings, should it be adopted, is to clarify the limits of Article 8(3) in cases where it is not expressly clear that the indexing website is itself infringing.

Overall, the case brings the EU law one step closer to the American position and provides extra clarity for what has long already been the practice in national courts. After this case, it becomes clear that indexing services, such as The Pirate Bay, might very well be considered to be primary infringers, just as the Swedish court originally held in 2009.

  1. Nor about whether the users posted illegal torrent links – presumably they had.
  2. Grokster had marketed itself openly as the successor of the recently shut down Napster service.
  3. See UPC Telekabel Wien CJEU case here.
  4. Paragraph 51 of the Opinion.
  5. Paragraph 50.
  6. Paragraph 52.
  7. For Swedish case see http://www.stockholmstingsratt.se/Om-Sveriges-Domstolar/Sveriges-Domstolars-pressrum/Nyhetsarkiv/2009/Fallande-dom-i-det-sk-Pirate-Bay-malet/
  8. He is answering the question, anyway, on the assumption that the Court might not agree with him on the first question.
  9. Paragraph 64.
  10. Paragraphs 71-83.

The New ePrivacy Regulation – Complex and Obscure Rules

In December 2016, a proposal for the new ePrivacy Directive was leaked. The final proposal was published on January 10, 2017 (text and impact assessment, Commission’s summary) The important document, which has an impact on a wide range of issues (cookies, spam, advertising and metadata, for example) is already causing the Internet to resonate with comments (see here, here, here and here).

The original 2002 Directive (see consolidated version) has always been a peculiar instrument. It is technically part of the 2009 telecommunications package (see the proposed 2016 reform), and therefore also part of the carrier layer of regulation1. On the other hand, it always also had an impact on the content of the Internet, since it regulated spam and cookies, and general security of electronic data. In addition to that, the ePrivacy Directive is a bolt-on instrument to the 1995 Data Protection Directive, which is the main instrument regulating privacy of individuals on the net (itself reformed with the proposal for a General Data Protection Regulation – GDPR). The 2002 Directive was meant to complement the 1995 Directive and “refresh” it for the digital age and the 2017 Regulation continues this connection with the GDPR.

The Proposal does not fundamentally change the setup provided in the ePrivacy Directive but brings in a number of significant changes, somewhat increasing privacy protection.

The basic rule is confidentiality of communications (Article 5). This rule is then subject to various modifications and exceptions scattered trhoughout the Regulation. Article 10 requires privacy-by-design for software, meaning that new software ought to default to increased privacy settings upon installation.

In terms of the type of instrument used, the Directive becomes a Regulation, thus reducing the manoeuvring space that Member States might have (for transposition problems with the existing Directive and inconsistencies in Member States’ implementation, see here).

The scope of the Regulation is wider than that of the Directive and matches GDPR. Article 3 of the Proposal specifies that it applies “in connection with the provision of electronic communications services” in the EU, irrespective of whether they are processed in the Union or not. In addition to this, it applies to all services located out of the EU but targeting end-user in the EU. This is consistent with the extended scope of application of GDPR.

The Regulation prohibits collection of metadata but contains a full page of exceptions. It does not directly address the high-profile problem of state-mandated ‘snooping’ (for that, see C-203/15 Tele2).

In terms of cookies, the Directive (Article 5(3)) had drawn a lot of criticism in respect of its demand that clear prior consent be given for all ‘cookies’ stored on the machine. In practice, this resulted in annoying popups alerting the users of ‘cookies’. The info was mostly ignored and the Proposal now has what the Commission calls a more sensible approach (Article 8) but what is, in effect, a markedly more complicated one. The article has two basic rules, with six basic exceptions and other modifying rules elsewhere in the text. In addition to that, Article 9(2) says that “consent may be expressed by using the appropriate technical settings of a software application”. This means that a software setting (e.g. in a browser) ought to be interpreted as consent or lack thereof.

Article 16 reinforces the rule that unsolicited communication could only be received by those who have given their consent (opt-in). The article applies to any “services, i.e. email, SMS, instant messaging, etc, a change compared to Article 13 of the ePrivacy Directive which only applied to electronic mail.

While it is true that the Regulation is a result of the REFIT simplification process, the end product is anything but simple. This is for four reasons. First, the Regulation must be read in conjunction with GDPR, itself a lengthy and complex instrument. Frequent cross-references do not make things easier and neither does the obsure technical language. Second, the Regulation is still standing with one foot in the carrier and the other in the content world, each of which is subject to different rules. Third, the interplay of various issues it regulates (data, metadata, different types of consent, lots of exceptions) makes interpreting it a difficult task even for experts. Fourth, the lack of clarity on fundamental issues (metadata collection is prohibited – except when it is allowed, cookies may or may not require consent, metadata should not be collected – unless one of the broad exceptions exist, unsolicited communication is banned but the reality of advertising is not taken into consideration…)

In view of this author, the new Regulation will intensify the problems, not eliminate them.

  1. Content vs carrier: the laws applying to the carrier layer regulate the networks and telecommunications services (cables, wires, spectrum, etc). The laws applying to the content layer regulate the content that flows on these wires (media rules, e-commerce, copyright, etc.)