The overview of interesting Data & IT Law articles and news in September 2016!
The new case law about applicable data protection law in the EU
The Centre for IT & IP at KU Leuven law had published a blog post about new developments in the applicable data protection law regulation in the EU. It focuses on one of the recent cases Verein für Konsummenteninformation and Weltimmo.
It deals with the applicable national law in a situation when an undertaking operates in more than one EU Member state. „(E)ven if an undertaking is not registered in a certain EU Member State, the data protection laws of that Member State may still apply if the conditions of Article 4 (1)(a) are fulfilled (the data processing is carried out in the context of the activities of that establishment) (…) (A)n “establishment” refers to “any real and effective activity” which is exercised through “stable arrangements.”
Thus, to assess whether an undertaking has an establishment in the meaning of Article 4(1)(a) Directive 95/46/EC, one has to assess the degree of stability of the arrangement in the Member State in question and the effectiveness of the exercise of activities there (par. 77) (…) In a second step, after one has defined in which Member State an undertaking has an establishment in the meaning of Directive 95/46/EC, one needs to examine whether the data processing operations are carried out “in the context of” the activities of that establishment. “
The person that offers a free Wi-Fi network access is not liable for copyright infringements committed by users
In the EU context, the European Court of Justice dealt with an issue of copyright infringement in the case no. C-484/14.
The court held that:
“making a Wi-Fi network available to the general public free of charge in order to draw the attention of potential customers to the goods and services of a shop constitutes an ‘information society service’ under the directive (Directive 2000/31/EC on electronic commerce)
the exemption of liability takes effect provided that three cumulative conditions are satisfied: (i) the provider of the mere conduit service must not have initiated the transmission; (ii) it must not have selected the recipient of the transmission; and (iii) it must neither have selected nor modified the information contained in the transmission.
the directive does not preclude the copyright holder from seeking before a national authority or court to have such a service provider ordered to end, or prevent, any infringement of copyright committed by its customers.
an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users”
Old consent under new regime under the General Data Protection
The article at germanitlaw.com deals with the non-binding opinion issued by a so-called “circle of Düsseldorf”, gathering the German data protection authorities. The opinion gives a guidance on the lawfulness of consents obtained under the current legal framework.
The opinion refers to recital 171 of the GDPR and the authors argue that “currently given consents remain valid “if the manner in which the consent has been given is in line with the conditions of” the GDPR.” Moreover, the authorities refer to the conditions set by the Article 7 paragraph 4 and the Article 8 paragraph 1. “If these two conditions are not met, existing consents will not continue to apply.”
These conditions are: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” (Art. 7 para. 4)“(I)n relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.” (Art. 8 para. 1)
Member States’ room for manoeuvre in the General Data Protection Regulation
Finally, have a look at a nice visual overview of the Member States’ room for manoeuvre in the General Data protection Regulation.