- Email: [email protected]
European national news
computer law & security review 32 (2016) 546–548
Available online at www.sciencedirect.com
ScienceDirect w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m
European national news Nick Pantlin * Herbert Smith Freehills LLP, London, United Kingdom
A B S T R A C T Keywords:
This is a regular article tracking developments at the national level in key European coun-
Internet
tries in the area of IT and communications – co-ordinated by Herbert Smith Freehills LLP
ISP/internet service provider
and contributed to by firms across Europe. This column provides a concise alerting service
Software
of important national developments in key European countries. Part of its purpose is to comple-
Data protection
ment the journal’s feature articles and briefing notes by keeping readers abreast of what
IT/information
is currently happening “on the ground” at a national level in implementing EU level legis-
Technology
lation and international conventions and treaties. Where an item of European National News
Communications
is of particular significance, CLSR may also cover it in more detail in the current or a sub-
European law/Europe
sequent edition. © 2016 Herbert Smith Freehills LLP. Published by Elsevier Ltd. All rights reserved.
1.
Belgium
Cédric Lindenmann, Associate, [email protected] and Carol Evrard, Associate, [email protected] from Stibbe, Brussels (Tel.: +32 2533 53 51). No contribution for this issue.
2.
Denmark
[email protected] from the Paris Office of Herbert Smith Freehills LLP (Tel.: +33 1 53 57 78 57). No contribution for this issue.
4.
Germany
Dr. Stefan Weidert, LL.M. (Cornell), Partner, stefan.weidert@ gleisslutz.com and Dr. Martin Hossenfelder, Associate, [email protected], from the Berlin Office of Gleiss Lutz (Tel.: +49 30 800 979 0).
Arly Carlquist, Partner, [email protected] and Anders Futtrup, Junior Associate, [email protected] from Bech-Bruun, Copenhagen office, Denmark (Tel.: +45 7227 0000). No contribution for this issue.
4.1. No specific grounds required for a consumer to exercise right to withdraw from long distance contracts
3.
On 16 March 2016, the German Federal Court of Justice (BGH) ruled on whether a consumer’s right to withdraw from long distance contracts (e.g. contracts concluded on the Internet) can be excluded on the basis of that consumer’s grounds for the withdrawal. In the case at hand, the plaintiff had ordered two mattresses from the defendant on the Internet. Making reference
France
Alexandra Neri, Partner, [email protected] and JeanBaptiste Thomas-Sertillanges, Avocat, Jean-Baptiste.Thomas-
For further information see: www.herbertsmithfreehills.com. * Herbert Smith Freehills Exchange House, Primrose St, London EC2A 2HS. Tel.: +44 20 7374 8000; fax.: +44 20 7374 0888. E-mail address: [email protected]. http://dx.doi.org/10.1016/j.clsr.2016.04.002 0267-3649/© 2016 Herbert Smith Freehills LLP. Published by Elsevier Ltd. All rights reserved.
computer law & security review 32 (2016) 546–548
to a more favourable offer by another provider and a “low price guarantee” of the defendant, the plaintiff asked for reimbursement of the amount of the difference. In exchange, the plaintiff said that he would not avail himself of the right of withdrawal from the contract. No agreement was reached. The plaintiff then withdrew from the purchase agreement. The defendant argued that the withdrawal was invalid, since the plaintiff withdrew from the contract in order to enforce (unjustified) claims arising from the “low price guarantee”. The Federal Court of Justice ruled that the plaintiff had validly withdrawn from the purchase agreement. For the validity of a withdrawal from a purchase agreement concluded on the Internet, it is sufficient that the withdrawal is merely declared in a timely manner (within 14 days). The Court stressed that the legal provisions on withdrawal are supposed to provide the consumer with a right to dissolve a contract which is effective and easy to implement and that the statutory provision explicitly states that it is not necessary to give reasons for a withdrawal. It is therefore generally of no relevance for what reason a consumer avails himself or herself of a right of withdrawal.
5.
Italy
Salvatore Orlando, Partner [email protected] and Laura Liberati, Associate [email protected], Rome office of Macchi di Cellere Gangemi (Tel.: +39 06 362141).
5.1. PayPal agrees to amend some of its Buyer Protection programme terms upon investigation by the Italian Antitrust Authority On 5 August 2015, the Italian Antitrust Authority (the “Authority”), after receiving several complaints from two Italian consumers’ associations, started an investigation against PayPal Europe s.à.r.l. and CIE Sca (jointly “PayPal”) to verify whether PayPal’s Buyer Protection programme contained unfair contract terms. In particular, the Authority focused its investigation on specific clauses of PayPal’s User Agreement: clause 13.9 (b) on the meaning of “Significantly Not as Described” (“SNAD”) purchases, and clauses 14.3, 14.4, and 14.5 on the applicable law, jurisdiction, and consumer’s protection respectively. With respect to clause 13.9 (b), the Authority considered that such term could be construed as unfair since the wording “Your purchase is not significantly as described . . .” and the relevant examples were ambiguous and could be arbitrarily used by PayPal to limit reimbursements, and therefore violating article 33, para. 1 and article 33, para. 2, letters b) and p) of the Italian Consumers’ Code (the “Code”) (such two letters containing the same provisions as those contained in letters b) and m) under the Annex of Directive 93/13/EEC). The terms contained in clauses 14.3, 14.4 and 14.5, providing the applicability of English law and the jurisdiction of the courts of England or Luxembourg, were viewed as unfair since they cause a significant imbalance in the parties’ rights and obligations, and are contrary to the principle of jurisdiction in favour of the courts of the consumer’s domicile. In light of the conclusions reached by the Authority, PayPal proposed several
547
amendments to the said terms, and such amendments were finally accepted by the Authority on 24 February 2016. The new amendments – which PayPal has also decided to adopt for the other EU countries – have been in effect from 23 March 2016, and can be consulted at https://www.paypal.com/it/webapps/ mpp/ua/useragreement-full.
6.
The Netherlands
Joost van Eymeren, Junior Associate, joost.vaneymeren@ stibbe.com, Amsterdam office of Stibbe (Tel.: +31 20 546 0332). No contribution for this issue.
7.
Norway
Dr. Rolf Riisnæs, Partner, [email protected] and Dr. Emily M. Weitzenboeck, Senior Associate, [email protected], from Wikborg, Rein & Co. Advokatfirma DA, Norway (Tel.: +47 22 82 75 00).
7.1. Registration of customer’s destination IP by mobile communications network provider Telenor’s practice of registering and storing its mobile internet customers’ destination IP addresses for a period of 21 days, in cases when the source of a communication came from outside Telenor’s network, was recently called into question by the Norwegian Data Protection Authority. Telenor argued that such storage was necessary to ensure security in its network and enabled Telenor to identify and warn clients who were exposed to a cyber-attack. This was not possible, Telenor claimed, if it were unable to analyse historical traffic-metadata, i.e. data relating to the originating and destination IP-addresses for traffic sessions. The Norwegian Data Protection Authority objected to this practice, holding that such practice required the consent of Telenor’s customers and that any eventual storage could not exceed a very short period of time. Telenor submitted that section 2–7, first paragraph, of the Norwegian Electronic Communications Act provided a statutory basis for the storage of the destination IP. According to this section, based on Article 4 of the European Directive on Privacy and Electronic Communications, the provider shall, inter alia, implement “the necessary security measures” to protect communications and data in its own electronic communications network and services. Furthermore, in the event of a particular risk of breach of security and if such breach could damage or destroy data or breach the subscriber’s or user’s privacy, the provider must inform the subscriber or user of the risk. Therefore, the Privacy Appeals Board first examined whether the registration of such data was necessary. Holding Telenor’s infrastructure to be an important element of the necessary security measures, the Board noted that Telenor’s customers could protect themselves from such types of cyber-attacks only to a very limited degree. While noting that it is important to balance the provider’s statutory duties with the potential repercussions on privacy, the Board concluded that the security
548
computer law & security review 32 (2016) 546–548
measures in question do not constitute a disproportionate attack on users’ privacy.
8.
Spain
Albert Agustinoy, Partner, [email protected], Jorge Monclús, Senior Associate, [email protected] and Daniel Urbán, Associate, [email protected] from Cuatrecasas, Gonçalves Pereira, Spain (Tel.: +34 932 905 585).
8.1. Right to be forgotten cannot be exercised before Google Spain The Spanish Supreme Court has declared in a recent judgment that the so-called right to be forgotten must be exercised against Google Inc., and not Google Spain. In a complaint field before the Spanish Data Protection Agency (SDPA), a Spaniard asked for Google Spain to delete certain results showing up in the relevant Google search. The petition was not contested by Google’s Spanish subsidiary and the SDPA issued a decision ordering Google Spain to delete the results at issue. On appeal, the Supreme Court found that the decision by the SDPA was contrary to Spanish data protection law and the recent judgment by the European Court of Justice in Google vs. Costeja (C-131/12). Firstly, the Court pointed out that the actual data controller for the search engine activities is Google Inc. (not Google Spain), as the US company is solely responsible for determining the purposes of the data processing (i.e., in the case of search engines, searching and indexing information on the Internet, and making it available to web users based on pre-determined parameters). Secondly, the Court stated that the activities actually carried out by Google Spain (primarily aimed at selling advertisement slots on Google Inc.’s webpages) did not impact the data processing carried out by the American company. Therefore Google Spain could not be considered a ‘joint controller’ in the context of data processing carried out by Google Inc. As a result of this ruling, the exercise of any of the basic rights granted by Spanish law (access, rectification, cancellation and opposition), as well as the right to be forgotten, in connection with the search engine activities conducted by Google Inc., have to be exercised against the US company instead of the Spanish subsidiary.
9.
Sweden
No contribution for this issue. Agne Lindberg, Partner, [email protected], and Erika Hammar, Associate, [email protected] from the Stockholm Office of Advokatfirman Delphi (Tel.: +46 8 677 54 00).
10.
UK
Nick Pantlin, Partner, [email protected], Miriam Everett, Professional Support Consultant, [email protected] and Fiona Mckenzie, Associate, [email protected] from the London Office of Herbert Smith Freehills LLP (Tel.: +44 20 7374 8000).
10.1. Snooper’s back: investigatory Powers Bill introduced to the House of Commons Against the backdrop of an ongoing global battle between public authority access to data for national security purposes and individuals’ right to privacy, the controversial UK Investigatory Powers Bill (the “Bill”) has been revised and introduced to the House of Commons with a deadline of 31 December 2016 for the legislation to be in place. The Investigatory Powers Bill was introduced to the House of Commons on 1 March 2016. The Bill is intended to address the deficiencies of the Regulation of Investigatory Powers Act 2000, which was drafted before the advent of, for example, social media and over the top messaging services such as WhatsApp. Some of the key provisions likely to affect communication service providers (“CSPs”) are: • The provision for interception of communication, which will be lawful when carried out with a warrant, with consent or in the exercise of any statutory power. • The creation of a judicial oversight body, with Judicial Commissioners acting as a check for the Secretary of State’s warrant decisions. • The obligation on CSPs to collect and store internet connection records (“ICRs”). The first draft of the Bill was published in November 2015, after which various government committees, among them the Joint Committee on the Draft Investigatory Powers Bill, submitted their recommendations to the Home Office. The Bill which has now been introduced to the House of Commons has been revised to respond to some of the concerns raised by these committees. The main changes are: • amended definitions and additional material published to provide further guidance on how the powers are to be used; • strengthening of privacy safeguards, particularly with regard to the protection of journalists’ and lawyers’ communications; and • developing implementation plans with industry experts for retaining ICRs. The Bill was backed by 281 votes to 15 during its second reading in the House of Commons on the 15 March 2016. A final vote is expected in April 2016, with the Home Office aiming for the new legislation to be in force by 31 December 2016. To view a copy of the Home Office papers, please click here: https://www.gov.uk/government/collections/investigatory -powers-bill.
Available online at www.sciencedirect.com
ScienceDirect w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m
European national news Nick Pantlin * Herbert Smith Freehills LLP, London, United Kingdom
A B S T R A C T Keywords:
This is a regular article tracking developments at the national level in key European coun-
Internet
tries in the area of IT and communications – co-ordinated by Herbert Smith Freehills LLP
ISP/internet service provider
and contributed to by firms across Europe. This column provides a concise alerting service
Software
of important national developments in key European countries. Part of its purpose is to comple-
Data protection
ment the journal’s feature articles and briefing notes by keeping readers abreast of what
IT/information
is currently happening “on the ground” at a national level in implementing EU level legis-
Technology
lation and international conventions and treaties. Where an item of European National News
Communications
is of particular significance, CLSR may also cover it in more detail in the current or a sub-
European law/Europe
sequent edition. © 2016 Herbert Smith Freehills LLP. Published by Elsevier Ltd. All rights reserved.
1.
Belgium
Cédric Lindenmann, Associate, [email protected] and Carol Evrard, Associate, [email protected] from Stibbe, Brussels (Tel.: +32 2533 53 51). No contribution for this issue.
2.
Denmark
[email protected] from the Paris Office of Herbert Smith Freehills LLP (Tel.: +33 1 53 57 78 57). No contribution for this issue.
4.
Germany
Dr. Stefan Weidert, LL.M. (Cornell), Partner, stefan.weidert@ gleisslutz.com and Dr. Martin Hossenfelder, Associate, [email protected], from the Berlin Office of Gleiss Lutz (Tel.: +49 30 800 979 0).
Arly Carlquist, Partner, [email protected] and Anders Futtrup, Junior Associate, [email protected] from Bech-Bruun, Copenhagen office, Denmark (Tel.: +45 7227 0000). No contribution for this issue.
4.1. No specific grounds required for a consumer to exercise right to withdraw from long distance contracts
3.
On 16 March 2016, the German Federal Court of Justice (BGH) ruled on whether a consumer’s right to withdraw from long distance contracts (e.g. contracts concluded on the Internet) can be excluded on the basis of that consumer’s grounds for the withdrawal. In the case at hand, the plaintiff had ordered two mattresses from the defendant on the Internet. Making reference
France
Alexandra Neri, Partner, [email protected] and JeanBaptiste Thomas-Sertillanges, Avocat, Jean-Baptiste.Thomas-
For further information see: www.herbertsmithfreehills.com. * Herbert Smith Freehills Exchange House, Primrose St, London EC2A 2HS. Tel.: +44 20 7374 8000; fax.: +44 20 7374 0888. E-mail address: [email protected]. http://dx.doi.org/10.1016/j.clsr.2016.04.002 0267-3649/© 2016 Herbert Smith Freehills LLP. Published by Elsevier Ltd. All rights reserved.
computer law & security review 32 (2016) 546–548
to a more favourable offer by another provider and a “low price guarantee” of the defendant, the plaintiff asked for reimbursement of the amount of the difference. In exchange, the plaintiff said that he would not avail himself of the right of withdrawal from the contract. No agreement was reached. The plaintiff then withdrew from the purchase agreement. The defendant argued that the withdrawal was invalid, since the plaintiff withdrew from the contract in order to enforce (unjustified) claims arising from the “low price guarantee”. The Federal Court of Justice ruled that the plaintiff had validly withdrawn from the purchase agreement. For the validity of a withdrawal from a purchase agreement concluded on the Internet, it is sufficient that the withdrawal is merely declared in a timely manner (within 14 days). The Court stressed that the legal provisions on withdrawal are supposed to provide the consumer with a right to dissolve a contract which is effective and easy to implement and that the statutory provision explicitly states that it is not necessary to give reasons for a withdrawal. It is therefore generally of no relevance for what reason a consumer avails himself or herself of a right of withdrawal.
5.
Italy
Salvatore Orlando, Partner [email protected] and Laura Liberati, Associate [email protected], Rome office of Macchi di Cellere Gangemi (Tel.: +39 06 362141).
5.1. PayPal agrees to amend some of its Buyer Protection programme terms upon investigation by the Italian Antitrust Authority On 5 August 2015, the Italian Antitrust Authority (the “Authority”), after receiving several complaints from two Italian consumers’ associations, started an investigation against PayPal Europe s.à.r.l. and CIE Sca (jointly “PayPal”) to verify whether PayPal’s Buyer Protection programme contained unfair contract terms. In particular, the Authority focused its investigation on specific clauses of PayPal’s User Agreement: clause 13.9 (b) on the meaning of “Significantly Not as Described” (“SNAD”) purchases, and clauses 14.3, 14.4, and 14.5 on the applicable law, jurisdiction, and consumer’s protection respectively. With respect to clause 13.9 (b), the Authority considered that such term could be construed as unfair since the wording “Your purchase is not significantly as described . . .” and the relevant examples were ambiguous and could be arbitrarily used by PayPal to limit reimbursements, and therefore violating article 33, para. 1 and article 33, para. 2, letters b) and p) of the Italian Consumers’ Code (the “Code”) (such two letters containing the same provisions as those contained in letters b) and m) under the Annex of Directive 93/13/EEC). The terms contained in clauses 14.3, 14.4 and 14.5, providing the applicability of English law and the jurisdiction of the courts of England or Luxembourg, were viewed as unfair since they cause a significant imbalance in the parties’ rights and obligations, and are contrary to the principle of jurisdiction in favour of the courts of the consumer’s domicile. In light of the conclusions reached by the Authority, PayPal proposed several
547
amendments to the said terms, and such amendments were finally accepted by the Authority on 24 February 2016. The new amendments – which PayPal has also decided to adopt for the other EU countries – have been in effect from 23 March 2016, and can be consulted at https://www.paypal.com/it/webapps/ mpp/ua/useragreement-full.
6.
The Netherlands
Joost van Eymeren, Junior Associate, joost.vaneymeren@ stibbe.com, Amsterdam office of Stibbe (Tel.: +31 20 546 0332). No contribution for this issue.
7.
Norway
Dr. Rolf Riisnæs, Partner, [email protected] and Dr. Emily M. Weitzenboeck, Senior Associate, [email protected], from Wikborg, Rein & Co. Advokatfirma DA, Norway (Tel.: +47 22 82 75 00).
7.1. Registration of customer’s destination IP by mobile communications network provider Telenor’s practice of registering and storing its mobile internet customers’ destination IP addresses for a period of 21 days, in cases when the source of a communication came from outside Telenor’s network, was recently called into question by the Norwegian Data Protection Authority. Telenor argued that such storage was necessary to ensure security in its network and enabled Telenor to identify and warn clients who were exposed to a cyber-attack. This was not possible, Telenor claimed, if it were unable to analyse historical traffic-metadata, i.e. data relating to the originating and destination IP-addresses for traffic sessions. The Norwegian Data Protection Authority objected to this practice, holding that such practice required the consent of Telenor’s customers and that any eventual storage could not exceed a very short period of time. Telenor submitted that section 2–7, first paragraph, of the Norwegian Electronic Communications Act provided a statutory basis for the storage of the destination IP. According to this section, based on Article 4 of the European Directive on Privacy and Electronic Communications, the provider shall, inter alia, implement “the necessary security measures” to protect communications and data in its own electronic communications network and services. Furthermore, in the event of a particular risk of breach of security and if such breach could damage or destroy data or breach the subscriber’s or user’s privacy, the provider must inform the subscriber or user of the risk. Therefore, the Privacy Appeals Board first examined whether the registration of such data was necessary. Holding Telenor’s infrastructure to be an important element of the necessary security measures, the Board noted that Telenor’s customers could protect themselves from such types of cyber-attacks only to a very limited degree. While noting that it is important to balance the provider’s statutory duties with the potential repercussions on privacy, the Board concluded that the security
548
computer law & security review 32 (2016) 546–548
measures in question do not constitute a disproportionate attack on users’ privacy.
8.
Spain
Albert Agustinoy, Partner, [email protected], Jorge Monclús, Senior Associate, [email protected] and Daniel Urbán, Associate, [email protected] from Cuatrecasas, Gonçalves Pereira, Spain (Tel.: +34 932 905 585).
8.1. Right to be forgotten cannot be exercised before Google Spain The Spanish Supreme Court has declared in a recent judgment that the so-called right to be forgotten must be exercised against Google Inc., and not Google Spain. In a complaint field before the Spanish Data Protection Agency (SDPA), a Spaniard asked for Google Spain to delete certain results showing up in the relevant Google search. The petition was not contested by Google’s Spanish subsidiary and the SDPA issued a decision ordering Google Spain to delete the results at issue. On appeal, the Supreme Court found that the decision by the SDPA was contrary to Spanish data protection law and the recent judgment by the European Court of Justice in Google vs. Costeja (C-131/12). Firstly, the Court pointed out that the actual data controller for the search engine activities is Google Inc. (not Google Spain), as the US company is solely responsible for determining the purposes of the data processing (i.e., in the case of search engines, searching and indexing information on the Internet, and making it available to web users based on pre-determined parameters). Secondly, the Court stated that the activities actually carried out by Google Spain (primarily aimed at selling advertisement slots on Google Inc.’s webpages) did not impact the data processing carried out by the American company. Therefore Google Spain could not be considered a ‘joint controller’ in the context of data processing carried out by Google Inc. As a result of this ruling, the exercise of any of the basic rights granted by Spanish law (access, rectification, cancellation and opposition), as well as the right to be forgotten, in connection with the search engine activities conducted by Google Inc., have to be exercised against the US company instead of the Spanish subsidiary.
9.
Sweden
No contribution for this issue. Agne Lindberg, Partner, [email protected], and Erika Hammar, Associate, [email protected] from the Stockholm Office of Advokatfirman Delphi (Tel.: +46 8 677 54 00).
10.
UK
Nick Pantlin, Partner, [email protected], Miriam Everett, Professional Support Consultant, [email protected] and Fiona Mckenzie, Associate, [email protected] from the London Office of Herbert Smith Freehills LLP (Tel.: +44 20 7374 8000).
10.1. Snooper’s back: investigatory Powers Bill introduced to the House of Commons Against the backdrop of an ongoing global battle between public authority access to data for national security purposes and individuals’ right to privacy, the controversial UK Investigatory Powers Bill (the “Bill”) has been revised and introduced to the House of Commons with a deadline of 31 December 2016 for the legislation to be in place. The Investigatory Powers Bill was introduced to the House of Commons on 1 March 2016. The Bill is intended to address the deficiencies of the Regulation of Investigatory Powers Act 2000, which was drafted before the advent of, for example, social media and over the top messaging services such as WhatsApp. Some of the key provisions likely to affect communication service providers (“CSPs”) are: • The provision for interception of communication, which will be lawful when carried out with a warrant, with consent or in the exercise of any statutory power. • The creation of a judicial oversight body, with Judicial Commissioners acting as a check for the Secretary of State’s warrant decisions. • The obligation on CSPs to collect and store internet connection records (“ICRs”). The first draft of the Bill was published in November 2015, after which various government committees, among them the Joint Committee on the Draft Investigatory Powers Bill, submitted their recommendations to the Home Office. The Bill which has now been introduced to the House of Commons has been revised to respond to some of the concerns raised by these committees. The main changes are: • amended definitions and additional material published to provide further guidance on how the powers are to be used; • strengthening of privacy safeguards, particularly with regard to the protection of journalists’ and lawyers’ communications; and • developing implementation plans with industry experts for retaining ICRs. The Bill was backed by 281 votes to 15 during its second reading in the House of Commons on the 15 March 2016. A final vote is expected in April 2016, with the Home Office aiming for the new legislation to be in force by 31 December 2016. To view a copy of the Home Office papers, please click here: https://www.gov.uk/government/collections/investigatory -powers-bill.