Rule by Decree Part II: How the Commission Undermines Rule of Law by Attempting to Regulate Online Content by Issuing Edicts

In its most simple form, the rule of law can be defined as a way of restricting arbitrary power by subjecting everyone to democratically passed and fairly applied and enforced laws. Such laws are subject to proper procedure and judicial oversight. Rule by Decree, on the contrary, is represented by quick and unaccountable creation by laws favoured by despots.

In March 2017, I have commented on this blog, on the Commission’s attempt to regulate large platforms such as Facebook, Google and others by politely asking them to take action in the field of unfair contracts terms and removing fraud & scams. I have commented at that point that, rather than giving the Commission ex ante enforcement powers, the Treaty only gives it the right to propose laws and to occasionally partake in oversight of the ones that already exist. Where such laws do not exist, because the proper agreement lacks, they cannot and should not be replaced by letters demanding action from individual corporations.

In September 2017, the Commission extended its ambition to regulate platforms by proposing to monitor illegal content on online platforms. In that dubious document, the Commission asserted that “what is illegal offline is also illegal online” and demanded that “platforms” step up the fight against illegal content online. In summary, the document demanded that platform do more to tackle illegal content and take “proactive measures” to detect and remove such content. The Commission kept repeating that the proposed demands do not conflict with the limitations of ISP liability of Articles 12-15 of the E-Commerce Directive but did little to explain how this conflict could be resolved in practice.1 Further to that, different kinds of “illegal” content were all bundled under one title thus putting such issues as child pornography, hate speech, terrorism, commercial fraud and copyright infringement all under one hat. Already at that point, the Commission had been warned that its position is contradictory and dangerous for free speech.

Good laws cannot be replaced by decrees.

Having learned little from the criticism, the Commission marched on and issued a set of operational measures (in the form of Recommendation) leaning on the September 2017 Communication and targeting “companies and Member States” and threatening legislation if these fail to be effective. In it, the Commission calls for

  • Clearer ‘notice and action’ procedures
  • More efficient tools and proactive technologies
  • Stronger safeguards to ensure fundamental rights, in particular when automated tools are used for removal
  • Special attention to small companies
  • Closer cooperation with authorities

Special rules are introduced for “terrorist” content online and this inlcudes

  • the obligation to remove such content within an hour of referral
  • faster detection and removal
  • better referral
  • regular reporting to the Commission, in particular about referrals

While the criticism concerning the September 2017 communication still stands, new concerns have to be added. They can be summarised as follows:

  1. The Guidelines lack effective safeguards against abuse. Points 1.11 and 1.12 require only that content providers be given the right to contest the decision “within a reasonable time period“ and through a “user-friendly” mechanism. Point 18 encourages “proportionate and specific proactive measures” in tackling illegal content in particular by automated means. Points 19 and 20 call for “effective and appropriate safeguards” but, essentially, leave this issue to Member States, further increasing disparity between them and fostering confusion. Point 21 unhelpfully and vaguely calls for protection against abuse without being specific on what this protection might constitute in.
  2. The Guidelines are in direct conflict with Article 15 of the E-Commerce Directive. That article explicitly states that Member States shall not impose a general obligation to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity. While it is perfectly possible and allowed, in a civil and democratic society, to repeal this article, this has not happened yet.
  3. The Guidelines bundle different kinds of illegal content. Illegal content is defined in point 1.4.b as “any information which is not in compliance with Union law or the law of a Member State concerned”. The definition is unacceptably wide. Furthermore, it conflates content which is illegal at EU level (because of harmonisation efforts) with material that is illegal only in some states which, in turn, also brings subsidiarity into play (for, why would Member States transfer issues concerning locally-illegal content onto EU). Further to that, copyright, hate speech, child pornography and terrorist content require vastly different monitoring and enforcement tools. It makes no sense to treat them as one.
  4. Finally, and most importantly, good laws cannot be replaced by decrees. The Commission understands all too well that an effort to pass legislation on hate speech alone (never mind anything else covered by the Recommendation) would require lengthy public consultations, acrimonious disputes between stakeholders and endless negotiations as texts progress through various committees in the effort to find a compromise between the Parliament and the Council. Whereas soft law is a legitimate and useful governance tool, it is defined by its non-binding character.2 A recommendation that threatens legislation unless it reaches its desired effect is not soft law, it is a decree. We should remind the Commission that the reason why EU Internet laws have been a success3 is precisely because democratic procedures have been respected. It may be tempting to make shortcuts but this undermines the legitimacy of EU institutions and will ultimately do little to combat illegal content.
  1. In fact, it got into trouble for exactly the same reasons with another badly-formulated proposal – Copyright in the Digital Single Market.
  2. As evidenced, among others, in Article 288 TFEU.
  3. The E-Commerce and InfoSoc directives have lasted over 17 years while the Data Protection Directive is over 20 years old.

A Short Explanation of the Uber Judgment: How to Regulate “Composite” Services

On December 20, the CJEU delivered its long-anticipated judgment in the Uber case. This follows the application, submitted on 16 October 2015, and Advocate General Szpunar’s opinion delivered on 11 May 2017. The anticipation which surrounds the case arises from the potential it may have on disruptive business models that rely on electronic commerce.

The dispute arises from an action before Spanish courts by a Barcelona taxi association seeking a declaration that Uber Spain violates Spanish competition laws. In order to answer that question, it was necessary to determine whether Uber needed prior administrative authorisation which, in turn, required that it be determined whether Uber services were transport services, information society services or a combination of both. It is the latter question that got referred to CJEU. If Uber is an information society service (which was Uber’s argument in the main proceedings), it would not require authorisation. If, on the other hand, it is a transport service (the taxi association’s argument), it would be subject to the same authorisation as regular taxi associations.

Both the AG’s Opinion and the judgment take the view that services which Uber provides are a combination of transport and electronic commerce, and the bulk of the subsequent analysis concentrates on determining how that affects Uber’s services.

Advocate General Szpunar points out in his opinion (paragraph 64) that “within the context of this service, it is undoubtedly the supply of transport which is the main supply and which gives the service economic meaning”. Furthermore, he says that the connection part of the service is merely preparatory and meant to enable the transport part (p. 65). Crucially, since it is “neither self-standing, nor the main supply, in relation to the supply of transport”, it cannot be considered to be an information society service (ISS), within the meaning of the E-Commerce Directive. Paragraph 87 of the Opinion suggests that E-Commerce Directive is explicit in only covering information society service activities while not suggesting that a classification of an activity as being an ISS can, in and of itself, render other parts of the service meaningless. The Directive, in other words, says nothing about whether transport or any other laws also apply to the service. The central issue, the AG suggests, is whether the provider of the service exerts control over the key conditions governing the supply of transport. Where this is not the case, there may be talk of a service being an ISS. But, where this is the case, the connection part of the service does not turn a transport service into an ISS one. In AG’s view, the e-commerce component cannot stamp its spirit on the non-electronic part it depends on.

The Court’s final judgment follows the spirit of AG Szpunar’s opinion, although it uses a somewhat different reasoning. It notes (paragraph 32) that transport and intermediation are different services:

In that regard, it should be noted that an intermediation service consisting of connecting a non-professional driver using his or her own vehicle with a person who wishes to make an urban journey is, in principle, a separate service from a transport service consisting of the physical act of moving persons or goods from one place to another by means of a vehicle. It should be added that each of those services, taken separately, can be linked to different directives or provisions of the FEU Treaty on the freedom to provide services, as contemplated by the referring court. (emphasis added)

The Court is essentially saying that two components of a service may each be subject to different rules. While intermediation is an ISS, “non-public urban transport” is a transport service. Having that in mind, however, the Court concludes (p. 40) that “intermediation service must thus be regarded as forming an integral part of an overall service whose main component is a transport service and, accordingly, must be classified not as ‘an information society service”. The intermediation service too is a service in the field of transport. Similar to AG, the Court thinks that it is the dominant transport component which subsumes the electronic intermediation component.

Although the Court does not spell it out, the main criterion must be the separability of the two services. This is also apparent in the Court’s press release on the judgment, which concentrates on whether the services are “inherently linked”. In the Court view, services which are not inherently linked may be treated separately. If services are inherently linked, i.e. it is not possible for them to be supplied separately, it is necessary to look for the economically dominant one. In Uber’s case, the whole point of the service is for the electronic connection to facilitate the ultimate goal – transport. The electronic component would be meaningless on its own. This echoes paragraph 31 of AG’s opinion:

It would be pointless only to liberalise a secondary aspect of a composite supply if that supply could not be freely made on account of rules falling outside the scope of the provisions of Directive 2000/31.

The service in point, Uber, would have no self-standing economic value without the transport component which, in turn, is regulated elsewhere. The answer must therefore be that composite supply services depend on all relevant legislation and not only on the electronic commerce laws. The fact that they are also electronic commerce services does not take them outside the scope of transport laws.

The judgment offers guidance on what is to be considered a composite service:

In the case of composite services, namely services comprising electronic and non-electronic elements, a service may be regarded as entirely transmitted by electronic means, in the first place, when the supply which is not made by electronic means is economically independent of the service which is provided by that means.

For a service to fall entirely into the ISS category, the non-electronic component must be independent of the electronic one. The present framework leaves the determination of how non-electronic components of composite services are to be regulated to national laws (p. 47 of the judgment) in all cases which are not directly harmonised.

In conclusion, the Uber case recognises several categories of services:

  • non-composite electronic commerce services (e.g. taxi directories), subject to E-Commerce laws only
  • non-composite transport services (e.g. regular taxi services), subject to transport laws only
  • composite services with economically dependent components (e.g. Uber), subject to transport laws (or other dominant non-electronic component)
  • composite services with economically independent non-electronic component (e.g. airline ticket portals), which are subject to E-Commerce laws

It is difficult to disagree with the Court’s logic. This is for a simple reason: a service whose main non-electronic component is otherwise regulated, should not be able to escape such regulation by introducing an e-commerce aspect. To hold otherwise would mean that medical, financial or tourism services would be able to circumvent regulation by having an innovative electronic component. Contrary to the view that CJEU misunderstands the innovative and disruptive aspects of Uber, the Court simply believes that the innovative component in the service may be located in either of the two parts of the composite service. In Uber’s case, this is both in the electronic and the transport components.

Net Neutrality: What the Public Gets Wrong

A short article I published on Danish site had also been published on ScienceNordic in English. Here are the links to both

In English:

In Danish:

More on the Proposed 2017 ePrivacy Regulation: A Messy and Contradictory Text That Confuses Content and Carrier

We have briefly outlined some of the problems concerning the Commission’s 2017 proposal for a new ePrivacy Regulation in an earlier post. The main point made then was that the rules are unnecessarily complicated and not always in sync with the forthcoming GDPR. On October 26, the EU Parliament voted to move forward to Trilogue on the basis of the present text, thus advancing it one step forward towards adoption. The debate about the text seems to have been simplified to such extremes that even EU officials are not immune from making emotional albeit misguided arguments.

The proposed text, however, is highly technical, and requires careful analysis. In this post, in order to underline the claim that the present text is inadequate, we will try to highlight three of the most pressing controversies that arise out of it.

  1. As is well known, the ePrivacy proposal, as was the case with the still-in-force 2002 ePrivacy Directive, is a text arising out and forming part of the Telecommunications Regulatory Framework. The present framework dates to 2009 and very comprehensive proposals for its reform in the form of the European Electronic Communications Code (EECC) have been tabled. As such, the Proposal is part of a set of laws which apply to the carrier layer of the Internet – the electromagnetic signals which move either through the wires or through the air. That Framework does not apply to content, for which an entirely different set of laws has been designed (the chief of which is the 2001 E-Commerce Directive but part of which is also the 1995 Data Protection Directive (“DPD”)). This is apparent from Articles 1, 2 and 4.1.b, which confirm that its field of application are networks and services,1 the same field of application as that in the Telecoms Regulatory Framework – not information society services, as is the case with E-Commerce. The Telecoms Regulatory Framework, by definition, does not regulate the content of electronic communications but only the modalities of their transfer (authorisation of, access and interconnection, universal services). In that sense, the ePrivacy Directive positioned itself as an instrument which complemented the 1995 Data Protection Directive (still in force today until GDPR replaces it in May 2018), albeit from the arsenal and with a toolbox of a completely different regulatory circle – that covering the content. In other words, the ePrivacy Directive relied on the DPD instruments (and referred to them directly) to address a set of specific issues which only arose in the telecommunications field. This was a neat trick which was relatively simple to perform in 2002. The Proposal still positions itself as part of the telecoms circle, expressly referring to EECC. The Proposal still relies on the (now) GDPR set of tools and declares its complementary role. But, the reality of the converged Internet which the Proposal now effectively applies to has moved it from the telecoms/carrier squarely into the contents field. In other words, the Proposal is a content-regulatory tool that passes itself of as a telecoms law and uses telecoms tools for content regulation. The result is highly confusing – applying content-designed privacy concepts to the carrier layer and carrier-designed rules to content services.
  2. The Proposal extends its territorial scope of application to non-EU providers. Whereas the Directive applies within the scope of the application of DPD and the 2009 telecoms framework, the Proposal aligns itself with the GDPR’s extended scope: it applies to provision and use of all services to end-users in the Union (irrespective of the corporate seat of the provider) as well as terminal equipment of the end-users in the Union. This is the extension of its scope to entities located outside of the EU, which is similar in nature to Article 3 GDPR. The problem arises from the lack of precision which GDPR does not suffer from but ePrivacy proposal does. GDPR is specific in that it applies only to the provision of goods or services to EU subjects (deliberate targeting) and monitoring of behaviour. Recital 23 of GDPR requires an intention to target EU users. Recital 9 of the Proposal does not. This can only be interpreted to mean that all telecoms services reaching end-users in the EU, irrespective of whether such services were intended for these users, are covered – an unnecessary extension of scope and an unnecessary deviation from the GDPR’s more balanced approach.
  3. Whereas the Directive’s main idea was that telecoms communications should be confidential while they pass through the wires and while they are in telecoms operator’s hands, it never put obstacles on the processing itself. It rather sought to eliminate the situations in which telecoms operators might compromise the data privacy (by e.g. unwarranted surveillance) or where data or metadata might be misused. The Proposal’s starting point is that “listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data” (emphasis added) should be prohibited unless specifically allowed. The essence of any telecoms business model is the processing of telecoms data and metadata. The main position of the Proposal is that this activity is, in principle, prohibited. This position is both unsustainable and puzzling since it demonstrates the drafter’s lack of understanding of the nature of telecoms activities.The processing is allowed under some circumstances covered in Article 6. The Proposal suggests first that both content and metadata may be processed by providers or networks and services for achieving the transmission or for maintaining or restoring security. Metadata only may be processed in more situations by providers of services only, including when the users gave consent. Finally, content only (without data) can only be processed by providers of services only for the provision of a specific service to end users with their consent and where all end-users concerned have given their consent. The proposed division seems to be arbitrary in its distinction between providers of networks and providers of services. Equally confusing are the reasons under which content as opposed to metadata may be provided. More damagingly, the consent here is in contradiction with Articles 6 and 7 GDPR. The two sources – GDPR and Proposal – say different things about consent, with the Proposal imposing significantly stricter requirements.

Some of criticism outlined above is not new. A study published on October 19, 2017, highlighted a number of controversies as have other sources. We believe that the confusion which arises from the present text is a sign that the convergence of content and carrier cannot be dealt with by bundling the issues into a single legal container. The present Proposal attempts to do too much by relying on tools from two legal frameworks while not being fully committed to either. Equally damagingly, the Proposal duplicates and/or confuses issues already covered in GDPR. Nowhere is this more apparent than in the provisions on ‘cookies’. Article 8, which replaced the much-maligned and ineffective cookie requirement of Article 5(3) of the ePrivacy Directive, is long, confusing and replicates some parts of Recitals 26, 30 and 32 of GDPR while contradicting others.

A sensible approach is to keep the content and carrier layers separate by transferring content-related issues to GDPR while keeping the telecoms ones strictly within the telecoms framework. While this would require a thorough rethinking of the proposed texts and a redrafting of GDPR, the ultimate result would be the added protection in those areas where it is really needed.

  1. “Electronic communications” are an official EU replacement for the old term “telecommunications”. In reality, they are synonyms.

Commission Fines Google €2.4 billion – What They Got Wrong and Why it Matters

On June 27, The European Commission fined Google €2.42 billion for abusing dominance as a search engine by giving advantage to its own comparison shopping service.

Google’s “flagship” product is its search engine, with a global market share of over 78% and over 90% in the EU. 90% of Google’s revenues come from selling advertising on its search engine. The present case concerns another product, its comparison shopping service, currently named Google Shopping. When entering a product name, Google Shopping compares products and prices online and presents the results to end-users. In doing so, Google accesses other platforms such as Amazon or eBay. Google Shopping is embedded in Google’s search engine so that it is not necessary to visit Google Shopping separately. A regular search for a product on its main engine prominently displays Google Shopping results at the top. This, in Commission’s view, is Google’s main transgression.

The Commission is currently running three separate cases against Google. The present case should not be confused with a similar but conceptually different one the Commission is running against Google’s practices concerning its Android operating system. That investigation into Google’s Android has been running from 2015 and has not concluded yet. It should equally not be confused with the Commission’s 2016 investigation of agreements between Google and partners of its online search advertising intermediation programme AdSense. While Google’s dominance in the search market is what connects these cases, the underlying legal basis on which the Commission relies is not the same in them and they should be analysed separately.

The investigation dates back to 2010. After a lengthy investigation, the then-commissioner Joaquín Almunia sought to reach a deal with Google in 2012, avoiding formally charging it, a strategy for which he was heavily criticised. After Margrethe Vestager assumed office in November 2014, the case started moving at a somewhat faster pace. The Commission sent the original statement of objections in September 2015. Google outlined its responses to the Commission in a blog post in November 2016. The supplementary statement of objections has been sent in July 2016 to which further responses followed.

In reaching its present decision, the Commission’s starting point is that there should be competition between comparison shopping services. Google has used its dominant position on the search market to allegedly illegally promote its own comparison shopping service. The Commission’s argument is that Google has:

  • “systematically given prominent placement to its own comparison shopping service”
  • “demoted rival comparison shopping services in its search results”

Put in simple terms, the Commission claims that Google is not only relying on its dominance in the search market to push its own comparison shopping service but is taking active steps to ensure that rivals’ services are not readily accessible. The Commission concludes that Google is dominant in the search engine market and that it has abused its dominance by giving its own shopping service an illegal advantage.

In comments to the original and supplemental statement of objections, Google indicated that it believed the Commission’s definition of the relevant market to be narrow. In choosing to focus on comparison shopping websites only, the Commission was ignoring the broader dynamics of consumer shopping. Google’s June 27, 2017 response to the decision repeats in an abbreviated form the arguments heard before. In Google’s view, the Commission does not provide convincing reasons for only targeting the more recent version of its shopping product which has been available for many years without objection. Furthermore, the Commission does not adequately address the overall decline of comparative shopping products which Google believes to be a direct result of the increasingly popular Amazon and eBay. Google’s November 2016 response claims

that online shopping is robustly competitive, with lots of evidence supporting the common-sense conclusion that Google and many other websites are chasing Amazon, by far the largest player on the field.

If one is to look for market power, one has to see what market that power is supposedly exercised on. There is no doubt that market definition in online markets is a rather complicated exercise. At present, horizontal search engines (Google, Bing, etc), vertical search engines (e.g. Pricerunner) and vendor platforms (Amazon, eBay) all compete for the same custom. Furthermore, the SSNIP test (small but significant and non-transitory increase in price) does not seem to be effective in narrowing down the market for online shopping. It can be said with some confidence that Google’s competitors are not only the other comparison shopping websites (nor even other search engines) but other intermediaries in general. This is especially true of younger generations who increasingly use platforms like Facebook, Instagram or Snapchat for their search needs. Firms with different business models can and do compete within the same market.

Research suggests that product comparison shopping is affected mainly by the frequency of internet usage, perceived usefulness, and ease of use. The Commission has not provided a forward-looking market definition nor did it prove that Google might be dominant on such a market (as opposed to more narrowly defined one). The Commission’s argument concerning dominance on the search engine and the related advantage would only work if the consumers would access a more significant share of competitors’ services either in the total absence of Google Shopping or in it being “downgraded” in ranking or placed alongside others. But, evidence suggests that consumers access comparison shopping sites largely directly and not trough Google simply because it is easier and more useful to do so. Google’s withdrawal from this market would have no effect on traffic that these other sites get.

In summary, it seems that the Commission’s approach is based on a specific and narrow market definition. Users do not seem to engage in comparative shopping of the kind Commission believes them to. An average shopper accessing Google is well aware of alternatives and uses them anyway. To say that there is no single market for online search today borders on banality and yet the Commission seems to read too much into the fact that 90% of users in the EU use Google. Further to that, the Commission believes that Google should treat own products and those of competitors equally, by no means a foregone conclusion.

The Commission’s decision is important for several reasons. While Vestager DG COMP may very well have learned the lessons from the political fallout from Almunia’s attempt to strike a deal, the importance of threading carefully cannot be overestimated. Almunia’s attempt to compromise reflects the realities of modern platforms – they tend to be dominant for a short while, they are ubiquitous and they perform a public service. Heavy handed approach may backfire. The present decision may be rendered meaningless much faster than with the 2007 Microsoft case in a rapidly changing search market.

More importantly perhaps, the somewhat hasty approach may be a signal of a messy situation to follow both in further Google cases and a plethora of other high-tech issues currently pending or coming in the future. The case is likely to continue for a considerable period as it gets appealed to Court.

Is Sharing Torrents on Online Platforms a Communication to the Public ? – CJEU’s Judgment in Stichting Brein

On June 14 the CJEU delivered its judgment in Stichting Brein case (not to be confused with the C-527/15 Stichting Brein, which is also about ‘communication to the public’ and in which CJEU ruled that the sale of multimedia players with pre-installed add-ons is communication to the public).

The present case concerns Stichting Brein, the rights holders’ association from the Netherlands, and Ziggo and XS4ALL, internet service providers. The latter had a number of customers who availed themselves of the services of online sharing platform TPB, an indexing service for BitTorrent files. It was established as a fact that the majority of works indexed through TPB were protected by copyright and shared without the rightholders’ consent. Stichting Brein applied to courts requesting that Ziggo and XS4ALL be ordered to block access to TPB. The question then concentrated on whether the individual posters, the TPB or the intermediaries were engaged in communicating the works to the public. The Hoge Raad referred the case to CJEU, asking, essentially, if TPB’s actions amount to communication to the public at all.

The questions referred to the Court were:

Is there a communication to the public within the meaning of Article 3(1) of the Copyright Directive by the operator of a website, if no protected works are available on that website, but a system exist … by means of which metadata on protected works which is present on the users’ computers is indexed and categorised for users, so that the users can trace and upload and download the protected works on the basis thereof?

If the answer to Question (1) is negative:

Do Article 8(3) of the Copyright Directive and Article 11 of the Enforcement Directive 2 offer any scope for obtaining an injunction against an intermediary as referred to in those provisions, if that intermediary facilitates the infringing acts of third parties in the way referred to in Question 1?

The two groups of questions are conceptually unrelated. By the first, the Court is asking if TPB’s actions amount to communication to the public as per Article 3(1) of the Copyright Directive. By the second, the court is asking if the facilitating intermediaries (Ziggo and XS4ALL) can nevertheless be subject to an injunction (even where their activity is not communicating to the public).

Advocate General Szpunar, in his opinion, emphasises the lack of proper definition of ’communication to the public’ and refers to Court’s case law which had so far helped clarify the concept. In particular, the acts of communication and the presence of a public need to exist.1 The player makes an act of communication “when it intervenes, in full knowledge of the consequences of its action, to give its customers access to a protected work, and does so in particular where without that intervention its customers would not, in principle, be able to enjoy the broadcast work.” The second criterion requires two separate conditions to be fulfilled: the communication must be directed at indeterminate but fairly large number of recipients2 and it must target a new audience. The second condition is not fulfilled where the work is already been made available on another website. As will immediately be clear, all sorts of difficulties may arise as to what qualifies as a work already made available. In Advocate General’s summary (paragraphs 41 and 42) of the Court’s cases, two situations can be discerned in which a new public clearly exists:

  • a work made available without the consent of the copyright holder amounts to communication to the public since the original holder did not envisage the new public gained through the act
  • communication through technical means different than the initial communication3

(It is worth noting here that it is not entirely clear whether the Court’s case law amounts to the first conclusion and it is questionable whether the second one should apply.) AG Szpunar takes the position that TPB’s actions are a communication to the public and gives three reasons. First, the fact that files are cut-up in the process of transmission and downloaded from multiple sources simultaneously is irrelevant for the fact that complete works are enjoyed at final destination. Second, potential users of peer-to-peer networks fulfil the first criterion of indeterminate number of users. Third, the ‘new public’ criterion is also satisfied since not only is the rightholder’s consent absent but the new technical means had been used for transmission. Finally, the AG says that, although it is the users who willingly upload the files and leave the computers connected to the network, it is the indexing site that makes the ultimate transmission possible. While active knowledge (and refusal to rectify) remains a condition for an intermediary’s liability, the “necessary and deliberate” actions of operators demonstrate the possession of full knowledge and are, therefore, “simultaneously and jointly” making the works available.

The Court’s judgment repeats the basic premises on which Article 3(1) of the Copyright Directive works, in particular the absence of consent and the new technical means. The Court adds that the for-profit nature “is not irrelevant” without offering further explanation as to how and why it might become relevant. The key point is made in paragrapoh 36:

[…] the fact remains that those operators, by making available and managing an online sharing platform such as that at issue in the main proceedings, intervene, with full knowledge of the consequences of their conduct, to provide access to protected works, by indexing on that platform torrent files which allow users of the platform to locate those works and to share them within the context of a peer-to-peer network. […] without the aforementioned operators making such a platform available and managing it, the works could not be shared by the users or, at the very least, sharing them on the internet would prove to be more complex.

The Court downplays the subjective element which, both in the AG’s opinion and in the Court’s own previous case law features somewhat more prominently. Whereas AG’s opinion suggests that the operator must have been aware that the work had been available (thus exempting bona fide intermediaries), the final judgment puts focus on the facts that the indexing site is essentially a co-infringer. The final ruling is, therefore:

The concept of ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, must be interpreted as covering, in circumstances such as those at issue in the main proceedings, the making available and management, on the internet, of a sharing platform which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users of that platform to locate those works and to share them in the context of a peer-to-peer network. (emphasis added)

In spite of the somewhat unsurprising conclusion of the Court, some doubts remain.

First, a significant number of cases in which CJEU interpreted communication to the public relate to hyperlinks and not to peer-to-peer setups. It is not clear to what extent the conclusions made in those cases can be translated to the present ones. Although the Court does refer to its well-known Svensson and GS Media judgments, both of these were criticised at the time. Neither the Court nor Advocate General attempt to develop a new approach to P2P platforms.

Second, some aspects of the previous case-law are questionable. The fact that it is not necessary to establish the existence of the new public where new technical means are used is, in view of this author, problematic and may not be applicable to a range of situations. Likewise, the role of the extent of the rightholder’s consent is not properly explored. It seems that the CJEU believes that a rightholder who consented for something to be posted would be precluded from suing for infringement where that work gets linked to from elsewhere. While it is possible to defend that position, it is not clear that the drafters of Article 3 had intended that effect at all.

Third, while it may be clear that TPB is in full knowledge of the infringing nature of the traffic that it facilitates, this will not always be the case. The Court’s present case-law concerning the relevance of knowledge is confusing. The Court’s hyperlinking line of cases (GS Media) establishes the presumption of knowledge for commercial sites, saying that commercial providers who hyperlink are simply presumed to be knowledgeable about the infringing nature of the activity. Paragraph 47 of that judgment makes the subjective element part of the equation. Advocate General suggests (paragraph 52) that platform’s actual knowledge must exists. The AG suggests that GS Media approach is not appropriate here. The Court mostly disregards the knowledge factor in the present case and does not go into the applicability of its presumption system to P2P cases, leaving the subjective factor open for further confusion and interpretation. Finally, while the existence of intermediaries’ liability in light of Articles 12-15 of the E-Commerce Directive does depend on the subjective factor, these articles do not apply in cases where platforms are primary infringers or co-infringers.

Fourth, the Court’s judgment emphasises indexation, metadata and the provision of a search engine as decisive elements which make TPB a communicator but these exact elements can also be ascribed to search engines such as Google or instant messaging services. The judgment does not offer many clues which can be used to distinguish infringing P2P sites from other sites in the future.

Fifth, the intermittent reliance on profit as a criterion (also featuring in GS Media) is puzzling, especially in the absence of a longer explanation from the Court concerning the possible roles it may play. While the existence of commercial interests may play a role in highlighting the poster’s intentions regarding the public it wants to reach and possible lack of good faith, it cannot and should not play a role in determining whether a work has or has not been communicated to the public. Particularly damaging might be an attempt to conclude that an undertaking operating without profit should not be considered to be making a communication to the public – a possibility which still exists in the present setup. A possible interpretation would be that a for-profit shortcut would simply exempt court from looking at other factors but this interpretation is not supported by Article 3(1).

In summary, while the Court’s judgment is not surprising and can easily be defended on the basis of the facts presented to it, it does little to clarify the increasingly muddled situation surrounding communication to the public in the digital world.

In light of the fact that the first question was answered positively, the second question had not been answered. Nothing is lost here since the Court’s position on injunctions against intermediaries is relatively well-established.

  1. C-160/15 GS Media, link.
  2. A condition usually satisfied by a website C-466/12 Svensson, link.
  3. C-607/11 ITV, link

The US Congres Repealed FCC Broadband Privacy Rules – What does EU Law Say and are Europeans affected?

On January 27, representatives of many ISP providers in the United States filed a petition with the Federal Communications Commission (FCC) requesting a stay of the rules adopted on October 27, 2016 (under Obama administration). The rules the ISPs wanted removed were the FCC privacy, data breach, and data security rules for broadband Internet access service (BIAS) providers. These rules, which had not yet come into effect, had been labelled as unduly restrictive. The House voted this Tuesday on S.J. 34, repealing the FCC BIAS rules. This has prompted a wave of negative comments (e.g. here). Are they justified and are Europeans affected?

The essence of the rules was to require ISPs to obtain individual consent from each individual before collecting and using information for any purpose, including targeted advertising. The harvesting of data is already under control of the Federal Trade Commission (FTC) and this control extends to ISPs. The new rules – a bolt-on to the FTC’s existing control – would have created a new regime only for ISPs, subjecting them to a more stringent control, probably guided by the idea that ISPs have unique insight into users’ browsing habits (almost certainly not correct, since a lot of traffic is encrypted or anonymised). The FTC regime is, in essence, an opt-out regime – users can withdraw their assumed consent. FCC regime would have been an opt-in regime.

As already point out, in spite of an outcry from privacy advocates, the repeal would have little impact. This is because a) the FCC regime that it repeals had not yet come into force at the time of repeal, b) many ISPs have already pledged to protect existing levels of consumer privacy and c) the repeal simply leaves data collection in the state in which it has been up until now. The internet advertising market, which is dominated by Google, remains now open to a degree of competition, although all the criticism which could be levelled at data collection practices in the US prior to FCC attempt from October 2016 (which are now in place again) is still valid. In other words, whereas it is certainly true that EU Internet privacy is not ideal, this is not for the reasons stated in most public comments.

But, what is the situation in the EU and do American rules affect users in the EU?

It is easier to dispense with the second question first. The FCC rules would have targeted ISPs in the United States only, not those located abroad, including in the EU. Since EU users do not avail themselves of American ISP services (except when they travel to the US), all remains as it has been. On the other hand, EU consumers are subject to American data collection practices in as much as they use websites located1 in the United States. The legal status of these practices is somewhat murky, since they are subject to two sets of laws + collector’s terms of use and privacy policy. First, the general data collection is under US FTC rules. Second, they are under EU data protection law. At present this is the 1995 Data Protection Directive, from May 2018 it will be General Data Protection Regulation. The former applies to entities established in the EU or those who process with the use of the equipment in the EU. If neither is satisfied, the Directive does not apply. This is an oversight which had been corrected in the GDPR which demands application to all situations where EU individuals are targeted irrespective of the establishment or the equipment. Finally, privacy policies and terms of use will be interpreted in light of both these sets of rules and national contract and consumer protection laws. Unfair clauses in such polls are likely to be invalid under EU and national contract and consumer laws and under privacy law. Whereas all this may be of interest to EU users (and their lawyers), it has nothing to do with data that ISPs collect. The conclusion must, therefore, be that the repeal has no effect whatsoever on EU consumers.

The second question, concerning the extent to which EU broadband providers in their own right are subject to privacy oversight, is split between regulation affecting the content and carrier layers of the Internet. The carrier layer is subject to telecommunications laws2 and covers wired and wireless infrastructure carrying the signal (rules on setting up operations, access to other providers’ networks, obligations towards consumers, spectrum management, etc.) These rules do not regulate content itself. The latter is subject to a different set of disciplines – electronic commerce laws3 and audio video media services laws.4 These do not affect the carrier layer but do regulate the content (contracts, consumer laws, protection of minors, advertising, copyright, etc.) The division between the content and carrier layers is important because the EU regulates privacy on both and ISPs do operate on both layers . Privacy on the content layer is largely subject to a the 1995 EU Data Protection Directive (soon GDPR). Privacy on the carrier layer is subject to a special directive, the 2002 ePrivacy Directive (which itself is under a proposed change tabled in 2017 and currently under review). An activity in the digital world may be regulated under both regimes if it moves across the content and carrier layers, or it may be regulated under one only.5

An EU ISP provider in its role as a broadband provider is subject to DPD (which covers all situations where private data relating to identified or identifiable customers is gathered with the aid of automation). It will also be subject to ePrivacy Directive in its role as telecommunications provider and in respect of data that consumers demand from third parties through ISPs infrastructure. In other words, if the data moves through ISP provider’s wires only, and it is not ISP itslef that purveys data, the transaction is subject to ePrivacy Directive. Content providers such as Google or Facebook or a local newspaper, are not telecommunications providers and are, as a rule, only subject to DPD and those elements of the ePrivacy Directive which do apply to the content layer (cookies and spam).

Having said all this, what does ePrivacy Directive actually say about ISPs and will that change in the ePrivacy proposal?

The ePrivacy Directive applies to all telecommunications providers.6 Two general obligations imposed on providers7 are the obligation to secure the processing of data8 and to maintain confidentiality.9 A general rule on traffic data, Article 6(1), demands that this data be erased or anonymised “when it is no longer needed for the purpose of the trans­mission of a communication.” Exceptions exist for billing purposes, marketing and value added services as well as for reasons of national security, defence, public security, and the prevention, investi­gation, detection and prosecution of criminal offences or of unauth­orised use of the electronic communication systems.10 In Article 15(3), the exception relating to marketing is introduced in the form of explicit opt-in:

For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data […] to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. [emphasis added]

This is the level of protection consistent with the one that would have come into place in the US after the now moribund October 2016 intervention. Location data, other than traffic data11, as per Article 9, may only be processed when “made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.” In such cases, the users are informed of the collection and can withdraw their consent. Furthermore, Article 9(2) also requires that, where consent had been given, users be allowed to temporarily suspend collection in an easy and free-of.charge manner.

The 2017 proposal for an ePrivacy regulation is at this stage only a proposal (unlike GDPR which has been adopted). It is a more complex and more confusing document than its predecessor. New Article 6 proposes to allow the processing telecommunications metadata,12 among others when

the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

The wording is different from DPD. Whereas DPD Article 6 allowed collection for marketing purposes or for the provision of value-added services, the new proposal is more permissive in terms of types of services for which collection is possible. This includes all situations where the user gives consent for a purpose which is “specified” and which includes (but is not limited to) the provision of “specific services”. The only limitation comes in the form of a demand that the purpose could not have been achieved through anonymised processing. Content itself (rather than metadata) can only be processed if and only if the provision of a consumer-demanded electronic service could not be achieved without such processing. Although the article no longer specifies that it is “prior” consent, this is clear from Article 9’s reference to GDPR’s conditions for consent.

Overall, the new article is slightly more permissive in terms of purposes for which metadata could be collected but it does not relax the conditions (prior consent, possibility for withdrawal, etc.) for their collection. On the contrary, it underlines that such collection is possible only when anonmymization does not fulfill the purpose and under user’s consent.

In conclusion, the EU opt-in regime (both under the present and proposed ePrivacy) provides a somewhat better (on paper at least) protection than their American opt-out counterpart. Overall, ISP data collection practices are regulated on both sides of the Atlantic and the demise of the October 2016 proposal is likely to be of little consequence. On the other hand, data collection practices on the service and application layer (not ISPs) remain an issue both in the USA and in the EU but are legally and logically not part of this debate. Finally, the fact that EU regime is more robust on paper is not in itslef a testimony to EU users being better protected in real life.


  1. Officially referred to in EU as electronic communications law.
  2. See EU E-commerce Directive which is the framework instrument for this area.
  3. See AVMS Directive and the 2016 proposal for its reform.
  4. To make things even more complicated, the ePrivacy Directive does regulate certain issues on the content layer such as cookies and spam.
  5. Articles 1 and 3.
  6. This is not only ISP but all providers of telecoms services.
  7. Article 4. This is general security against outside breaches.
  8. Article 5. This relates to surveillance, tapping, etc.
  9. See Article 15.
  10. Traffic data refers to ordinary data about the electronic transaction (e.g. IP address, duration, etc.). Location data only refer to the geographical location.
  11. Which is information about the type, duration, IP, etc. of a transaction but not the content itself. “Location” in this context means a company with a corporate seat in the United States and subject to US laws, irrespective of where the equipment (i.e. servers) used to collect data is located.