Photo of Chris Stynes

On 26 July 2017 the Court of Justice of the European Union (CJEU) delivered its Opinion that the draft Passenger Name Record (PNR) Agreement between the EU and Canada is not compatible with the EU Charter of Fundamental Rights (the Charter) and may not be concluded in its current form. The Opinion follows a referral by the European Parliament to the CJEU and is the first time the Court has been requested to examine the compatibility of an international agreement with the EU Charter.

The Court observed that the Charter rights are not absolute, and that an agreement allowing for the transfer and retention of data to ensure public security would be capable of justifying even serious interference with fundamental rights such as privacy and personal data protection. Any such interference should, however, be (1) proportionate, (2) strictly necessary and (3) guided by clear and precise rules governing its scope and application. The transfer of sensitive data would also require a precise and solid justification in addition to that of public security and the Court concluded that in this instance, there was no such justification.

Retention of Data

The envisaged Agreement provided that PNR data may be retained by Canada for five years after receipt of such data. The Court observed that the retention of data for the duration of a visitor’s stay in Canada did not exceed the limits of what is strictly necessary, but noted that as PNR data would be used as part of the verification process to grant entry into the territory, subsequent use of that data would require fresh justification by way of new circumstances or objective evidence. The Court suggested that except in cases of valid urgency, any decision by Canadian authorities to use PNR data after entry has been granted should be subject to prior review by a court or independent body. The retention of data after departure from Canada should also be limited to those air passengers for whom there is objective evidence available indicating a terrorism or crime risk.

The Court declared that as a number of other provisions were vague and did not adequately address the processing of PNR data in a clear and precise manner, it was not satisfied that the Agreement in its current form was compatible with the Charter.

Photo of Neasa Ni Ghrada

The European Commission (EC) has opened an online public consultation on the targeted revision of EU consumer law (the Consultation). The Consultation follows the EC’s publication of the results of its Fitness Check on consumer and marketing law and of the evaluation of the Consumer Rights Directive (Directive 2011/83/EU) (the CRD).

Background

Both the Consultation and the Fitness Check form part of the EC’s Regulatory Fitness and Performance (REFIT) programme, which aims to make EU law simpler and less costly, and to identify any inconsistencies and/or obsolete measures which may have appeared over time.

The Fitness Check carried out a comprehensive evaluation of six directives:

– the Unfair Commercial Practices Directive 2005/29/EC;

– the Unfair Contract Terms Directive 93/13/EEC;

– the Price Indication Directive 98/6/EC;

– the Consumer Sales and Guarantees Directive 1999/44/EC;

– the Injunctions Directive 2009/22/EC; and

– the Misleading and Comparative Advertising Directive 2006/114/EC.

In late May, the EC published the findings of its analysis of these six directives and of its separate parallel review of the CRD. In brief, the EC found that “[t]he evaluations confirm that in general consumer law remains fit for purpose.” It did identify, however, the need to improve awareness, enforcement of the rules and redress opportunities to make the best of the existing legislation. It also stated that targeted legislative changes to address certain identified shortcomings of the directives could be beneficial.

Free Online/Digital Services

One of the shortcomings that the EC identified is that the CRD does not currently apply to the provision of ‘free’ online/digital services. ‘Free’ in this context means that the consumer does not pay with money for the service but instead provides data. Examples of this are cloud storage, social media or webmail, where the main contractual obligation of the trader is not to provide digital content but rather a service allowing the creation, processing, storing or sharing of data that is produced by the consumer.

The EC has stated that it will examine extending the scope of the CRD to include such contracts for ‘free’ digital services. This would extend traders’ pre-contractual information requirements and consumers’ 14-day right of withdrawal to any digital services. This singling out of the providers of ‘free’ digital services demonstrates the EC’s continued focus on the digital economy and on protecting consumers’ rights online.

The Consultation offers all citizens and organisations the opportunity to have their say on this matter along with other consumer law matters such as banning doorstop selling and better individual remedies for consumers harmed by unfair commercial practices including misleading “green” claims.

Timing

The Consultation will run for 14 weeks (June – October 2017).

Photo of Davinia Brennan

Stakeholders have written a joint letter to the Article 29 Working Party (WP29) expressing their concerns about the GDPR consultation process. They believe that the GDPR consultation processes which have taken place so far, with 30-day deadlines to respond, were much too short, and that a reasonable consultation period (for example 8 weeks) should be set.

An additional concern is that the WP29 guidelines effectively introduce additional rules. The WP29 guidelines are non-binding, but can still be introduced as compulsory requirements at national level. The stakeholders therefore point out that whilst it is important that the guidelines provide clarity and help facilitate implementation, they should not undermine the GDPR’s provisions.

To date, the WP29 have issued guidelines on data portability, data protection officers and lead supervisory authorities, as well as draft guidelines on data protection impact assessments. Further guidance is being prepared by the WP29 on:

  • Administrative fines
  • Certification
  • Consent
  • Profiling
  • Notification of personal data breaches
  • Transparency
  • Tools for international transfers

Joint letter to express concerns about the stakeholder consultation for Article 29 Working Party data protection guidelines

Photo of Laura Scanlan

The UK Information Commissioner’s Office (the ICO) has released an International Strategy (the Strategy) in which it outlines its plans for 2017 – 2021 to deal with the data protection challenges presented by globalism, the GDPR and Brexit. The Strategy is the first with an international emphasis released by the ICO. It is described by the UK Information Commissioner, Elizabeth Denham, in a statement on 4 July, as a “blueprint” for how the ICO will deliver its international objectives.

The Strategy reiterates the ICO’s commitment to assisting with the implementation of the GDPR into UK law. Operating on the assumption that the UK will implement the provisions of the GDPR prior to leaving the EU, the ICO expresses an intention to strongly engage with the Article 29 Working Party and the European Data Protection Board up until the UK’s exit from the EU. Furthermore, it notes that it will seek to maintain working relationships with these groups post-Brexit. The ICO qualifies this by stating this will be dependent on the outcome of the Brexit negotiations.

While the Strategy encompasses a five-year period, the ICO envisages that it will be subject to regular review and updated to reflect any new challenges that may arise in the protection of personal data.

Photo of Neasa Ni Ghrada

The UK Information Commissioner’s Office (the ICO) has ruled that Virgin Trains East Coast (Virgin) did not break data protection law when it published CCTV images of the UK’s Labour party leader, Jeremy Corbyn. Virgin released the footage last year following Mr Corbyn’s comments that a Virgin train he was travelling on from London to Newcastle was “ram-packed”. The footage shows Mr Corbyn walking past empty seats.

Following its investigation, the ICO found that Virgin had a “legitimate interest” to release the footage of Mr Corbyn: “namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests”. The ICO acknowledged that Virgin could not have achieved this without publishing Mr Corbyn’s image.

The ICO did find, however, that Virgin breached the law when it published images of other passengers on the same service. It stated that Virgin should have taken better care to obscure the faces of other passengers on the train. Publication of their images was unfair and a breach of the first principle of the UK Data Protection Act that personal data shall be processed fairly and lawfully.

The ICO stopped short of formal regulatory action against Virgin to reflect “the exceptional circumstances of the breach”. It noted that it was “a one-off incident, and the people identified were unlikely to suffer serious distress or detriment”. However, the ICO did stress that Virgin “has not been let off the hook” and will strengthen its data protection training and policies and ensure it has easy access to pixelation services should the need arise again.

Photo of Chris Stynes

The Article 29 Working Party (WP29) has recently provided its Opinion 2/2017 on data processing at work. The Opinion, adopted on 8 June 2017, highlights the risks and challenges of processing employees’ personal data in light of new technologies. While the Opinion focuses on the current data protection regime, it also considers some of the obligations arising under the General Data Protection Regulation (GDPR) from 25 May 2018.

The Opinion emphasises that despite a proliferation of new and affordable technologies that facilitate both covert and overt surveillance, fundamental principles of data protection will continue to apply. These principles include:

  • the satisfaction of a legal basis to process under Article 7 of the DPD;
  • whether the processing activity is both necessary and fair to the employee;
  • whether the processing activity is proportionate; and
  • whether the processing activity is transparent.

The WP29 reiterate that due to the imbalance between employer and employee, consent as a legal basis of processing will not be satisfactory for the majority of data processing at work. In some cases, the employer will be able to rely on contractual necessity to process personal data (such as paying the employee). The imposition of legal obligations (such as for the purpose of tax calculation) will also constitute a valid legal basis for processing. In order to rely on legitimate interests to legitimise data processing, the technology or method utilised must be necessary, proportionate and carried out in the least intrusive manner possible.

The WP29 emphasise that regardless of the legal basis for processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as ensuring that any measures infringing the right to private life and secrecy of communications are limited to a minimum. This can form part of a Data Protection Impact Assessment (DPIA).

GDPR

The WP29 comment that the GDPR requires the most privacy-friendly settings to be provided as default when an employer issues a device to an employee. The GDPR also requires a DPIA to be carried out when processing is likely to result in a high risk to the rights and freedoms of employees, particularly when using new technologies. The employer must consult the supervisory authority prior to processing if these risks cannot be adequately addressed. The WP29 Opinion considers a number of data processing at work scenarios in which new technologies have the potential to result in high risks to the privacy of employees. In all such cases the WP29 highlight that the employer must consider whether the proposed processing is: (i) necessary, and if so the legal grounds that apply; (ii) fair to employees; (iii) proportionate to the concerns raised; and (iv) transparent.

Photo of Alison Quinn

The European Council has finalised its position on the directive setting out new rules relating to the supply of digital content and digital services, acknowledging it as a priority for the Digital Single Market. The makings of the proposed directive were initially presented by the European Commission in late 2015 as part of the move towards a connected digital single market. On 8 June 2017, the European Council adopted its position on the scope of the proposed directive, the remedies for lack of supply and non-conformity, supplier liability and burden of proof restrictions.

Photo of Laura Scanlan

The German Constitutional Court (Bundesverfassungsgericht) has delayed the ratification of the Unified Patent Court (UPC) Agreement. This is the result of a challenge to the UPC on constitutional grounds by a private individual who has not been named.

The German newspaper Frankfurter Allgemeine Zeitung reported on 12 June that the Federal Constitutional Court has requested that the Federal President refrain from signing the legislation until consideration has been given to the challenge. The Court is of the opinion that the challenge is not “hopeless” and therefore must be heard before the UPC can be ratified. The legislation had already been approved by Germany’s other legislative bodies (the Bundestag and the Bundesrat).

The UPC was due to become operational by December 2017. However, in a statement published on 7 June 2017, the UPC’s Preparatory Committee noted that this target would not be possible due to delays in the ratification process. The delay in ratification on the part of Germany is likely to be a significant factor in the future timeline of the Court, as Germany, along with the UK and France (who have ratified) are required to ratify the UPC Agreement before it can come into effect due to their status as the three EU member states with the highest number of patents.

The Agreement has been ratified so far by Austria, Belgium, Bulgaria, Denmark, France, Italy, Luxembourg, Malta, the Netherlands, Portugal, Sweden and Finland. Ireland has not yet ratified the UPC Agreement as a constitutional amendment to endorse the UPC must first be put to referendum.

Photo of John Cahir

The Court of Justice of the European Union (CJEU) has handed down its ruling on a reference for a preliminary ruling in Case C-610/15 (Stichting Brein v Ziggo BV, XS4ALL Internet BV), holding that making available and managing an online platform for sharing copyright-protected works may constitute an infringement of copyright.

The case was brought by the Dutch anti-piracy group Stichting Brein against two internet service providers and was referred to the CJEU by the Supreme Court of the Netherlands to seek clarification on a point of EU law.

The CJEU considered whether an internet sharing platform, such as ‘The Pirate Bay’, which makes available and manages the indexation of metadata relating to copyrighted works, was providing ‘communication to the public’ of copyrighted materials within the meaning of Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society. It was noted that although copyrighted material was placed online by users and not by the operators of ‘The Pirate Bay’, by indexing files to allow users to locate and share protected works, it played “an essential role in making the works in question available.”

It was also noted that although ‘The Pirate Bay’ does not host content, it provides a torrent search engine, classifying files under different categories and providing access to protected material “with full knowledge of the consequences of their conduct.”

The case will now return to the Dutch courts for final determination on the issue, but the ruling strengthens the position of copyright holders throughout the EU who wish to hold online sharing platforms accountable.

Photo of Davinia Brennan

In Aldi Stores (Ireland) Limited and Aldi GMBH & Co. KG v Dunnes Stores [2017] IECA 116, Dunnes Stores (Dunnes) succeeded in its appeal against a High Court ruling that its 2013 comparative advertising campaign against Aldi was contrary to EC (Misleading and Comparative Advertising) Regulations, 2007 (the 2007 Regulations) and the Consumer Protection Act, 2007 (the 2007 Act).

In essence, the Court of Appeal determined that the High Court applied the wrong test. It did not make a decision as to whether the 2013 campaign was lawful, but criticised a number of adverse findings made by the High Court.
