Administrators of Facebook Fan Pages, Beware!

Have you set up a fan page on Facebook for your enterprise or to boost your fan base? The European Court of Justice has some news for you.

As you may know, administrators of Facebook fan pages can obtain anonymous statistical data on visitors to their fan pages via a function called “Facebook Insights”, which Facebook makes available to them free of charge under non-negotiable conditions of use. The data is collected by means of cookies, which are active for two years and are stored by Facebook on the hard disk of the computer or on another device of visitors to the fan page. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed every time the fan pages are opened.

By decision of 3 November 2011, the Unabhängiges Landeszentrum, the German data protection supervisory authority for Schleswig-Holstein, ordered Wirtschaftsakademie, a fan page administrator, to deactivate its fan page.

According to the supervisory authority, neither Wirtschaftsakademie nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and then processed those data.

Wirtschaftsakademie brought an action against that decision before the German administrative courts, arguing that the processing of personal data by Facebook could not be attributed to it, and that it had not commissioned Facebook to process data that it controlled or was able to influence. Wirtschaftsakademie concluded that the Unabhängiges Landeszentrum should have acted directly against Facebook instead of against it.

It is in that context that the European Court of Justice was asked to interpret Directive 95/46 on data protection. The Court delivered its judgment in Case C-210/16, observing that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of those data.

Such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page. In particular, the Court noted that the administrator of the fan page can ask for demographic data (in anonymised form) – and thereby request the processing of those data – concerning its target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interest of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organise events and, more generally, enabling it to best target the information it offers.

According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.

The Court further stated that, where the supervisory authority of a Member State (in this case, the German supervisor) intends to exercise with respect to an entity established in the territory of that Member State (in this case, Wirtschaftsakademie) the powers of intervention provided for in Directive 95/46, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State (in this case, Facebook Ireland), that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State (Ireland), the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

The above judgment reiterates that there must be no gaps in responsibility under data protection law. Specifically, this means that all administrators of Facebook Pages have to ensure that both they and Facebook comply with their respective obligations under data protection law.

Such joint responsibility is particularly important with regard to a controller’s information obligations: transparency is required for the processing of data concerning all users, whether or not they are members of Facebook.

Live your Anti-Trust Legend in Greece

Private enforcement of anti-trust law is here to stay; the long-awaited introduction of Law 4529/2018 on Wednesday 14 March 2018 offers a valuable tool to the Greek market player, who now plays an equally essential part in applying competition rules (private enforcement). Law 4529/2018 transposed Directive 2014/104/EU and applies to individual civil actions for damages incurred following a breach of competition law.

Key features of Law 4529/2018:

  • The Law clarifies that victims are entitled to full compensation for the harm suffered, which covers compensation for actual loss and for loss of profit, plus payment of interest from the time the harm occurred until compensation is paid.
  • Parties will have easier access to the evidence they need in actions for damages in the antitrust field. In particular, if a party needs documents that are in the hands of other parties or third parties to prove a claim or a defence, it may obtain a court order for the disclosure of those documents. The judge will have to ensure, however, that disclosure orders are proportionate and that confidential information is duly protected.
  • Any participant in an infringement will be responsible towards the victims for the whole harm caused by the infringement (joint and several liability), with the possibility of obtaining a contribution from other infringers for their share of responsibility. However, to safeguard the effectiveness of leniency programmes, this will not apply to infringers which obtained immunity from fines in return for their voluntary cooperation with a competition authority during an investigation; these immunity recipients will normally be obliged to compensate only their (direct and indirect) customers.
  • The Law establishes a rebuttable presumption that cartels cause harm. This will facilitate compensation, given that victims often have difficulty in proving the harm they have suffered. The presumption is based on the finding that more than 90% of cartels cause a price increase. In the very rare cases where a cartel does not cause price increases, infringers can still prove that their cartel did not cause harm.
  • Clear limitation period rules are established so that victims have sufficient time to bring an action. In particular, victims will have at least 5 years to bring damages claims, starting from the moment when they had the possibility to discover that they suffered harm from an infringement. This period will be suspended or interrupted if a competition authority starts infringement proceedings, so that victims can decide to wait until the public proceedings are over.
  • From 16 September 2018 onwards, all actions brought on the basis of Law 4529/2018 shall be heard before a special division of the First Instance Court of Athens, which shall be composed of judges specialised in competition law.

New Law on Consumer Protection

The recent enactment of Law 4512/2018 on 17 January 2018 has introduced, among other things, a series of amendments to the framework governing consumer protection in Greece. The most important of these amendments are, in summary, the following:

    • The definitions of “consumer” and “supplier” are now clarified and amended to conform with ECJ jurisprudence and EU secondary law. In this regard, the consumer’s definition is narrowed down to include only persons acting for purposes which are not related to their trade, business or profession. Small-scale enterprises, however, may now enjoy a protection equivalent to that of natural persons as regards General Terms of Business.
    • It is clarified that all goods are covered by a free two (2) year legal guarantee.
    • The vendor’s obligation to provide an additional (commercial) guarantee is abolished. A commercial guarantee, however, may be provided following payment of an extra fee or in the form of extension of the guarantee already provided.
    • Issues in connection with the provision of an instruction manual and after-sales technical support services are now clarified. Such services include technical, repair and maintenance services, as well as the seamless supply of spare parts and components required for the purchased item.
    • General product safety rules and the corresponding producer’s and distributor’s obligations are set out in a clear and unambiguous manner. In addition, the obligations regarding CE marking, i.e. the manufacturer’s declaration that the product meets the requirements of the applicable EC directives, are now clearly defined.
    • The provisions on the protection of the mental health of minors are amended to introduce specific arrangements prohibiting the marketing of products which pose a risk to the psychological, mental or moral development of minors, or promote discrimination based on race, sex, religion, nationality, disability or sexual orientation.
    • Consumer associations may now be subsidised through donations, sponsorships and aid from scientific institutions, foundations or legal entities. Such donations, however, may not stem from individual suppliers or from organisations these suppliers belong to.

In addition, Ministerial Decision 5338/2018 has codified the Law on Consumer Protection, including all amendments and additions effected over the last years. If you are interested in this recent Codified Version, you may find it by following this link.

Free Software Licenses and Friends

Last week I participated in a workshop on Software Licenses, organized by the Open Technologies Alliance (ELLAK). The workshop was led by Mr. Alexios Zavras, Senior Open Source Compliance Engineer of Intel Corp., who has been involved with OSS since 1983. Mr. Zavras presented a brief overview of the most widely used open-source licenses, elaborated on software licensing issues, and worked on scenarios arising from the licensing of derivative products released under copyleft, permissive and proprietary licenses.

The workshop was of particular relevance, since in the last couple of years hundreds of creators and organisations have chosen to distribute their data and works under free licenses, thereby rendering open-source applications an integral part of the operation of businesses and organisations, both public and private. This rapid rise in the use of free software and free licenses has resulted in an increased need for specialised legal support in a number of relevant subject areas.

If you are interested in finding out more about Open Source Software, or consider licensing your own work under a free software license, you can find out more at the introductory guide provided by the Open Source Initiative, or consult with your IT lawyer.

The New Hammer of the CPC Regulation

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

Abraham Maslow

The other day the European Parliament passed the Consumer Protection Cooperation (CPC) regulation, with an eye on the creation of an effective mechanism to combat rogue traders both online and offline. The provisions stipulated therein are bound to enforce consumers’ rights in the Single Market and close legal loopholes, which are exacerbated because consumer protection systems differ among EU member states.

Investigation and enforcement powers of national consumer authorities shall include, among others:

  • requesting information from domain registrars and banks to identify rogue traders,
  • purchasing goods or services as test purchases, including under a cover identity (“mystery shopping”),
  • ordering the explicit display of a warning to consumers, or ordering a hosting service provider to remove, disable or restrict access to an online interface (e.g. website or app) if there are no other effective means to stop an illegal practice,
  • imposing penalties, such as fines or periodic penalty payments, and
  • seeking to obtain commitments from the trader to offer adequate remedies to the affected consumers, and informing them of how to seek compensation.

One of the less appealing features of the regulation, however, is the introduction of an overreaching general website blocking provision. Instead of providing for the removal of content that infringes consumer protection laws as a measure of last resort, the regulation introduces overreaching internet blocking measures and makes them readily available to the national competent authorities, without prior judicial authorisation.

In particular, Article 9 par. 4 of the regulation on the minimum powers of competent national authorities provides that:

Competent authorities shall have at least the following enforcement powers: […] (g) where no other effective means are available to bring about the cessation or the prohibition of the infringement covered by this Regulation and in order to avoid the risk of serious harm to the collective interests of consumers:

(i) the power to remove content or to restrict access to an online interface or to order the explicit display of a warning to consumers when they access an online interface;
(ii) the power to order a hosting service provider to remove, disable or restrict access to an online interface; or
(iii) where appropriate, the power to order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to register it; including by requesting a third party or other public authority to implement such measures; […]

Such a provision forces internet access providers to create a website blocking infrastructure, which is viewed by many as a tool open to potential abuse for any number of other purposes, including censorship. To give a recent example, independence-related websites were blocked in Catalunya just weeks ago. The swift blocking of those websites was made possible only because website blocking infrastructure had previously been put in place for other purposes, such as barring access to sites involved in copyright infringement.

Bracing up for GDPR

With the new EU General Data Protection Regulation ante portas, companies handling personal customer data throughout the EU are set to face a considerable operational challenge. In fact, the GDPR extends compliance requirements to both data controllers and processors and is oriented towards establishing a modern and uniform data protection framework across the EU, reinforcing individuals’ rights and introducing a number of “data governance” concepts, especially in the area of data security.

Companies eager to move proactively and prepare well ahead of May 2018 need to proceed with a series of steps, such as mapping their data, conducting a due diligence review and implementing a robust response plan in case of a data breach. Most importantly, they should redraft their privacy policies and nurture an inclusive personal data corporate culture, since conformity with the GDPR is expected to be an ongoing obligation, demanding constant adjustments and a more hands-on approach.

A controller’s responsibilities summarily comprise:

  • Carrying out data protection impact assessments (PIAs) when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
  • Giving effect to the rights of individuals, such as erasure, reporting and notice requirements, and maintaining records of processing activities.
  • Duties towards the competent regulatory authority, such as consultation prior to processing and data breach notification. To this purpose, the appointment of a Data Protection Officer, who would mediate as a contact point – or a breakwater – between the company and the authority could play a vital role in ensuring maximum compliance.

Finally, a processor of personal data is not exempt from the regulatory ambit of the GDPR and is therefore burdened with a number of responsibilities, including:

  • The pseudonymisation and encryption of the personal data processed on behalf of the controller,
  • the ability to ensure ongoing confidentiality, integrity and resilience of its processing systems and services,
  • the ability to restore access to personal data in a timely manner in the event of a malicious attack, or a physical incident, and
  • a process for regularly testing, assessing and evaluating the effectiveness of its technical and organizational systems, thus demonstrating that it puts every reasonable effort into safeguarding the security of processing.

Personal Data Protection in the Employment Context

The Article 29 Working Party has recently adopted Opinion 2/2017 on data processing at work. By elaborating nine hypothetical scenarios, the Opinion builds on Opinion 8/2001 and its 2002 Working Document on the surveillance of electronic communications in the workplace, and addresses other types of monitoring technologies such as cloud services, vehicle tracking, smart devices etc.

Over the last couple of years, these technologies have posed significant new challenges to privacy and data protection, at only a fraction of the former cost. As a result, Opinion 2/2017 now attempts to strike a new balance between the legitimate interests of employers and the reasonable privacy expectations of employees.

This balance is struck in the light of the Data Protection Directive and the General Data Protection Regulation. The golden rules confirmed therein are the following:

  • employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
  • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
  • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
  • performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
  • employees should receive effective information about the monitoring that takes place; and
  • any international transfer of employee data should take place only where an adequate level of protection is ensured.

In its concluding remarks, Opinion 2/2017 stresses that data processing at work must be a proportionate response to the risks faced by an employer. Internet misuse, for example, can be detected without the necessity of analysing website content. If misuse can be prevented (e.g., by using web filters) the employer has no general right to monitor.

Furthermore, a blanket ban on communication for personal reasons is impractical, and enforcing it may require a level of monitoring that is disproportionate. Prevention should therefore be given much more weight than detection: the interests of the employer are better served by preventing internet misuse through technical means than by expending resources on detecting misuse.

With regard to data minimization, it is emphasized that the information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible. Employees for example should have the possibility to temporarily shut off location tracking, if justified by the circumstances. Employers in their turn are required to take the principle of data minimization by design into account when deciding on the deployment of new technologies. The information should be stored for the minimum amount of time needed with a retention period specified, and whenever it is no longer needed it should be deleted.


Buyer’s review following an eBay transaction

In a recently published judgment (Urt. v. 23.09.2016, Az. 142 C 12436 /16) the District Court of Munich ruled that a false review of an eBay transaction constitutes a contractual breach and must be deleted by its author.

In the said case, the plaintiff offered for sale a high-end amplifier, the “Burmester 808 MK 3”. Pursuant to the description of the item, “the 808 MK3 would be delivered in its original packaging”. The buyer, however, acting in bad faith, reviewed the plaintiff’s profile negatively and lowered its rating from 5 to 4.75 stars. The reviewer, in particular, falsely claimed that the packaging was not the original one and discouraged other potential buyers from concluding an agreement with the plaintiff.

The plaintiff then repeatedly asked the buyer to withdraw the review and finally brought an action before the District Court of Munich.

The District Court of Munich ruled that an eBay buyer is obliged under the purchase agreement to give a truthful assessment of the seller and the transaction, and consequently ordered the defendant to remove his negative review.

“Truthful reviews after an eBay auction are a central information tool of the internet platform eBay, since through them other potential buyers are given information about earlier purchases and thus knowledge about the seller, who is otherwise intangible and at times appears merely as an arbitrary eBay member name. Reviews thus constitute, in effect, a customer recommendation or warning. From this follows a central interest of the seller on eBay in an accurate review.”

According to the court, a truthful assessment after an auction constitutes a central information tool of the eBay platform, through which other potential buyers are informed about previous purchases and gain knowledge regarding the trustworthiness of the seller. The breach of this secondary obligation hence gives the falsely assessed person the right to have any false review erased.

Charging customers above basic telephone rate

In a question referred to the European Court of Justice for a preliminary ruling, the Court was called upon to interpret Directive 2011/83/EU on consumer rights. Under that directive, the Member States must ensure that where a trader operates a telephone line for the purpose of being contacted in relation to contracts concluded with consumers, consumers are not bound to pay more than the basic rate for calls to that line. However, the concept of a “basic rate” is not defined by the directive.

The ruling came after Zentrale zur Bekämpfung unlauteren Wettbewerbs Frankfurt am Main, a German association for combating unfair commercial practices, requested an injunction from the Landgericht Stuttgart ordering comtech GmbH, a German company selling electrical and electronic equipment, to discontinue charging customers extra for telephone after-sales services, a commercial practice deemed unfair.

In its judgment of 2 March 2017, the Court’s answer was that the concept of ‘basic rate’ must be interpreted as meaning that call charges relating to a contract concluded with a trader to a telephone helpline operated by the trader may not exceed the cost of a call to a standard geographic landline or mobile telephone line.

According to the Court, in everyday language ‘the basic rate’ refers to the standard cost of a call. Both the context in which that concept occurs in the directive and the purpose of that directive, namely to ensure a high level of consumer protection, confirm that the concept must be understood in that ordinary sense of the term.

To permit traders to charge rates higher than that of a standard call would discourage consumers from using a telephone helpline to obtain information in relation to the contract, or from asserting their rights, in particular those relating to a guarantee or withdrawal.

Directive 2011/83/EU has been transposed into Greek law by virtue of Joint Ministerial Decision Ζ1-891/2013, pursuant to which a new Article 4e was added to Law 2251/1994 on Consumer Protection. Citing the relevant provision of the directive, Article 4e stipulates that “where the trader operates a telephone line for the purpose of contacting him by telephone in relation to concluded contracts, the consumer, when contacting him, is not bound to pay more than the basic rate”. The Greek legislator has, however, introduced a sole exception, further providing in Article 4e that “the first subparagraph enters into force without any prejudice to the right of telecommunications service providers to charge for these calls”.

The CJEU judgment might be a good opportunity for us to reevaluate the relevance and justification of an exception favoring Greek TSPs.

Hellenic Data Protection Authority rules on the “right to be forgotten”

Ulysses and His Companions in the Land of the Lotus-Eaters, etching and engraving by Theodoor van Thulden.

Following the path of Google v. Spain, whereby the European Court of Justice ruled that European citizens can request commercial search firms to remove links to information deemed “inaccurate, inadequate, irrelevant or excessive” for the purposes of data processing, the Hellenic Data Protection Authority issued Decision 83/2016, dealing with a similar case of Greek interest.

The Decision came after a licensed obstetrician complained to the Greek data protection watchdog about Google’s refusal to remove a link about a criminal conviction against him for child adoption fraud.

In its reply to the contested removal request, Google considered: (a) the relevance and truthfulness of the data, (b) the fact that the applicant was practising a regulated profession as a physician, and (c) the severity of the crime for which he was sentenced and its relevance to his profession (proxy attempt at illegal adoption of a minor at gainful employment). The company’s reply read as follows:

“In this case it appears that the URL in question relates to matters of substantial interest to the public regarding your professional life. For example, this URL may be of interest to potential or current consumers, users, or participants of your services. Information about recent professions or businesses you were involved with may also be of interest to potential or current consumers, users, or participants of your services. Accordingly, the reference to this document in our search results for your name is justified by the interest of the general public in having access to it.”

Following the complaint lodged with the Hellenic Data Protection Authority, the authority examined whether Google’s negative response had met the de-listing criteria provided by the Article 29 Working Party. Finding that the company had failed to do so, the authority ordered Google to remove the contested link on the ground that the data it linked to were inaccurate. The inaccuracy lay in the fact that the criminal conviction had later been replaced – though not entirely overruled – by a milder sentence imposed by the court of appeal.

Decision 83/2016 may open the door to complaints of a similar nature before the Hellenic Data Protection Authority and heralds the liability of search engines in Greece, with regard to privacy, for the content they link to. Forthcoming jurisprudence by Greek courts is eagerly anticipated, as a balance must now be struck between a novel “right to be forgotten” and other fundamental rights, such as the freedom of expression and the freedom of the press.