data it law September 2016: applicable data protection law, lawfulness of old consents

The overview of interesting Data & IT Law articles and news in September 2016!

The new case law about applicable data protection law in the EU

The Centre for IT & IP at KU Leuven law had published a blog post about new developments in the applicable data protection law regulation in the EU. It focuses on one of the recent cases Verein für Konsummenteninformation and Weltimmo.

It deals with the applicable national law in a situation when an undertaking operates in more than one EU Member state. „(E)ven if an undertaking is not registered in a certain EU Member State, the data protection laws of that Member State may still apply if the conditions of Article 4 (1)(a) are fulfilled (the data processing is carried out in the context of the activities of that establishment) (…) (A)n “establishment” refers to “any real and effective activity” which is exercised through “stable arrangements.”

Thus, to assess whether an undertaking has an establishment in the meaning of Article 4(1)(a) Directive 95/46/EC, one has to assess the degree of stability of the arrangement in the Member State in question and the effectiveness of the exercise of activities there (par. 77) (…) In a second step, after one has defined in which Member State an undertaking has an establishment in the meaning of Directive 95/46/EC, one needs to examine whether the data processing operations are carried out “in the context of” the activities of that establishment. “

The person that offers a free Wi-Fi network access is not liable for copyright infringements committed by users

In the EU context, the European Court of Justice dealt with an issue of copyright infringement in the case no. C-484/14.

The court held that:

• “making a Wi-Fi network available to the general public free of charge in order to draw the attention of potential customers to the goods and services of a shop constitutes an ‘information society service’ under the directive (Directive 2000/31/EC on electronic commerce)
• the exemption of liability takes effect provided that three cumulative conditions are satisfied: (i) the provider of the mere conduit service must not have initiated the transmission; (ii) it must not have selected the recipient of the transmission; and (iii) it must neither have selected nor modified the information contained in the transmission.
• the directive does not preclude the copyright holder from seeking before a national authority or court to have such a service provider ordered to end, or prevent, any infringement of copyright committed by its customers.
• an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users”

The new JIPITEC issue for September 2016

It is possible to read a new issue of the Journal of Intellectual Property, Information Technology and Electronic Commerce Law.

It includes several articles that might be interesting for dataitlaw readers:

• The Feasibility of Applying EU Data Privacy Law to Biological Materials: Challenging ‘Data’ as Exclusively Informational
• 
Ten Questions for Future Regulation of Big Data:
A Comparative and Empirical Legal Study

• Personal Data and Encryption in the European General Data Protection Regulation


For example, the last article addresses several issues for a possible non-application of the General Data Protection Regulation via data encryption, such as:

• “whether an absolute or a relative approach has to be used for the assessment of the identifiability of data subjects.
• whether the anonymisation process itself constitutes a further processing of personal data which needs to have a legal basis in the GDPR
• gives an overview of relevant encryption techniques and examine their impact upon the GDPR’s material scope.”

For more information about anonymisation, look at the article about the criteria to evaluate, if the subject is identifiable or EU principles of anonymisation of personal data.

Old consent under new regime under the General Data Protection

The article at germanitlaw.com deals with the non-binding opinion issued by a so-called “circle of Düsseldorf”, gathering the German data protection authorities. The opinion gives a guidance on the lawfulness of consents obtained under the current legal framework.

The opinion refers to recital 171 of the GDPR and the authors argue that “currently given consents remain valid “if the manner in which the consent has been given is in line with the conditions of” the GDPR.” Moreover, the authorities refer to the conditions set by the Article 7 paragraph 4 and the Article 8 paragraph 1. “If these two conditions are not met, existing consents will not continue to apply.”

These conditions are: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” (Art. 7 para. 4) “(I)n relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.” (Art. 8 para. 1)

Member States’ room for manoeuvre in the General Data Protection Regulation

Finally, have a look at a nice visual overview of the Member States’ room for manoeuvre in the General Data protection Regulation.