Protecting your personal data in elections

A year ago, the Facebook–Cambridge Analytica data scandal illustrated in the most obvious way that data processing techniques for political purposes can pose serious risks, not just with regard to the rights to privacy and data protection, but also to the institutional integrity of democracy.

This matter of digital precariousness has recently been addressed by the European Data Protection Board, which adopted on 13 March 2019 a statement on the use of personal data during election campaigns. In this statement the EDPB welcomes the set of measures presented by the European Commission in September 2018, and highlights a number of key points that need to be taken into consideration when political parties and candidates process personal data in the course of electoral activities.

The statement underlines the following points, which must be respected when political parties process personal data during their election campaigns:

  • Personal data revealing political opinions is a special category of data under the GDPR. As a general principle, the processing of such data is prohibited and is subject to a number of narrowly-interpreted conditions, such as the explicit, specific, fully informed, and freely given consent of the individuals.
  • Personal data which have been made public, or otherwise been shared by individual voters, even if they are not data revealing political opinions, are still subject to, and protected by, EU data protection law. As an example, using personal data collected through social media cannot be undertaken without complying with the obligations concerning transparency, purpose specification and lawfulness.
  • Even where the processing is lawful, organisations need to observe their other duties pursuant to the GDPR, including the duty to be transparent and provide sufficient information to the individuals who are being analysed and whose personal data are being processed, whether data has been obtained directly or indirectly. Political parties and candidates must stand ready to demonstrate how they have complied with data protection principles, especially the principles of lawfulness, fairness and transparency.
  • Solely automated decision-making, including profiling, where the decision legally or similarly significantly affects the individual subject to the decision, is restricted. Profiling connected to targeted campaign messaging may in certain circumstances cause ‘similarly significant effects’ and shall in principle only be lawful with the valid explicit consent of the data subject.
  • In case of targeting, adequate information should be provided to voters explaining why they are receiving a particular message, who is responsible for it and how they can exercise their rights as data subjects. In addition, the Board notes that, under the law of some Member States, there is a transparency requirement as to payments for political advertisement.

The above opinion has been published with an eye on the upcoming European elections and other elections taking place across the EU.

More particularly, as regards Greece, the Hellenic Data Protection Authority has already provided practical guidance and recommendations to stakeholders by means of Directive 1/2010 (available in Greek). Directive 1/2010 covers not only EU and national, but also local, municipal and regional election campaigns. Therein, the Greek Authority clarifies, among other things, that communicating a political campaign by e-mail or SMS messages is allowed without the consent of the potential voter only exceptionally, that is, under the following two concurring conditions: (i) the sender has legally obtained the potential voter’s details in the context of a prior transaction of similar scope, i.e. an older political campaign, and (ii) the recipient is able to exercise the right to object, by being provided with an easy and clear “opt-out” system.

Political campaigners are about to face rough seas in getting their message across this time. And it is a matter of time until the Hellenic Data Protection Authority announces the first sanctions against stakeholders and players of the political arena.

Unlocking e-commerce in Europe

On 3 December 2018, Regulation (EU) 2018/302, better known as the Geo-blocking Regulation, entered into force. This development is part of the European Commission’s digital single market strategy to ban unjustified geo-blocking, a practice under which consumers are prevented from accessing a website or completing a purchase, are rerouted to a country-specific website, or are refused delivery or payment because of their location.

Geo-blocking occurs when a consumer wants to browse products or services on a trader’s website, but is denied access. This can include the practice of rerouting to a country-specific version which may display different products or prices. Even when consumers can access their preferred site, they may be prevented from finalising the purchase or be required to pay by debit or credit card from a particular country. The Geo-blocking Regulation now prevents this behaviour by prohibiting the practice of automatically rerouting consumers to country-specific websites and banning unjustified discrimination in relation to payment methods. In fact, only a few days following the Regulation’s entry into force, the European Commission fined Guess €40 million for anticompetitive agreements to block cross-border sales.

Nevertheless, although EU-based traders will no longer be permitted to refuse to sell to consumers based on their nationality or place of residence, the new rules do not require such traders to offer delivery of the goods to consumers who live in a different country. Certain goods and services are excluded from the scope of the Regulation, including transport services, retail financial services and healthcare services. Importantly, the Regulation does not cover the provision of (non-audiovisual) copyright-protected content services (such as e-books, online music, software and videogames). Audio-visual services also do not fall within the scope of the Regulation.

This webpage, provided by the European Commission, explains in a concise way how online sellers can ensure their services are compatible with the new rules and provides examples of best practices.

The Moral Choice on Self-Driving Vehicles

In March 2018, a self-driving Uber Volvo XC90 operating in autonomous mode struck and killed a woman named Elaine Herzberg in Tempe, Arizona. The crash raised a number of suddenly pressing questions about testing autonomous vehicles on public roads.

Every time a driver slams on the brakes to avoid hitting a pedestrian crossing the road illegally, he is actually taking a moral decision that shifts risk from the pedestrian to the people in his horseless carriage.

Self-driving cars might soon have to make such ethical judgments on their own. But pursuant to a remarkably large survey on machine ethics, which was recently published in Nature, setting a universal moral code for these vehicles might be no easier than sailing rough seas.

Chatbots – The Spirits That I Summoned…

Back in 1966, MIT professor Joseph Weizenbaum developed a comparatively simple program called ELIZA, which performed natural language processing. ELIZA was initially published to show the superficiality of communication between man and machine but ended up surprising a considerable number of individuals, who attributed human-like feelings to the computer program.

Half a century later, chatbots are technically advanced enough to appeal to a broader audience and are increasingly used to handle communications with customers, operating in the absence of a clear legal framework for their use.

But can a chatbot make a legally binding declaration of intent on behalf of a company, given that declarations under the law are to be performed only by natural persons or legal entities?

There is broad legal consensus that – at least for automated chatbots – this is practically a non-issue, as the declaration of a chatbot can always be attributed to its operator. With automated chatbots, declarations of intent are generated based on predefined settings, i.e. computer declarations which may not be explicitly regulated by law but are nevertheless legally binding.

Although the will to act, which is necessary for a legally binding declaration of intent, is not present at the time a computer declaration is generated, proof of intent is provided through the activation of the chatbot by the operator.

Legal scholars have in fact constructed the presence of all requirements necessary for a declaration of intent to be legally binding: (a) awareness of intention and (b) the will to engage in a transaction. Due to the automation, both requirements may not be present when a chatbot generates a declaration of intent; ultimately, though, they are both satisfied, since they can be traced back to the human operator.

Liability in the Age of Autonomy

The Sorcerer’s Apprentice, Illustration of Ferdinand Barth, 1882.

The above construction of a computer declaration, however, presents certain limitations in regard to autonomous chatbots. In contrast to automated chatbots, autonomous chatbots make decisions using self-learning algorithms. Here, artificial intelligence is used and the chatbot operator no longer has any direct influence on the results and, as a rule, cannot even verify the decisions that are made.

Against this background, the correlation between the actions of the system operator and that of the chatbot does not seem satisfactory, and subsequently the principles of a computer declaration no longer apply.

At present, autonomous systems are still in an early phase of development, so that this restriction has little practical relevance. However, this is bound to change sooner rather than later, and will require legislative adjustments.

One of the main issues to be addressed here is whether a tortious act performed by the chatbot is due to human error, for example the incorrect programming of the chatbot. While with automated chatbots it seems possible to attribute the tortious act to the actual cause, this becomes more difficult to prove with increasingly autonomous chatbots.

In questions of liability relating to the use of chatbots and similar systems, the injured party faces the problem of having to prove possible neglect of duty or system errors. With the increasing complexity of systems, this is a huge challenge and a considerable obstacle if the injured party wants to assert its claims successfully.

For this reason, some believe that the burden of proof should be carried by the manufacturer or operator of the system. This implies that a manufacturer or operator must prove that there was no misconduct on their part, and that they have exercised proper diligence in programming and operating the system.

A so-called objective liability is also being considered in connection with automated systems. The liability gap created by the complexity of automated systems, no longer allowing for “actions” to be easily attributed to a natural or legal entity, could be closed by holding operators liable for damages caused by their system, whether they are to blame or not.

Last comes the ground-breaking – yet distant – option of attributing a distinct legal personality to automated chatbots. In fact, the more self-learning systems become independent from the originally intended and programmed approach, the louder the demand is to grant them their own legal personality, at least with respect to liability issues. As a consequence, any damage caused by such a system would have to be compensated by the system itself. This could be done by means made available by the operator or the manufacturer.

An interim step, broadly contemplated by legal scholars, would be introducing a compulsory insurance policy to cover damages caused by either automated or autonomous systems. This prerequisite is already the rule when large market players contract with chatbot manufacturers.

As the case may be, chatbots are here to stay, to provide an enhanced user experience and give a new soul to daily interactions, or take what’s left of it. Chatbot manufacturers and operators should hence be well prepared, by drafting an inclusive End User’s License Agreement and having all necessary policies in place to ensure that their broom is timely stopped, before the floor is awash with water.

Trade Secrets finally protected?

Contrary to IP rights, trade secrets do not enjoy absolute and exclusive protection under Greek law. They are protected by means of confidentiality, non-use, non-disclosure agreements, and their protection is always “post factum”. Furthermore, civil proceedings do not offer an appropriate measure to preserve the secrecy of confidential information enforced in trade secret litigation. Nevertheless, trade secret protection is a company must-have, no less vital than protecting your patents, design rights or trademarks.

Trade Secrets Directive

The landscape is about to change. In 2016, the EU took steps to harmonize EU law, to ensure businesses can protect their innovative work and preserve competitive gains, by adopting the Trade Secrets Directive, which Greece should have transposed by June 9, 2018. The Directive contributes to the commitment to create a single market in the EU for intellectual property rights. Although the domestic legislative initiatives remain unclear, what is certain is that companies doing business in Europe must act now to ready themselves for this important reform.

The Trade Secrets Directive creates a baseline minimum level of protection which every member state must institute. It starts by setting out a uniform definition of a trade secret: any information that is secret (not generally known among or readily accessible to persons within the relevant circles of trade) and has commercial value because it is secret. The definition thus extends beyond more classic trade secrets like construction drawings or recipes and may include negative information like known product defects or company code of conduct violations.

Intent will no longer suffice. Companies must actively take reasonable steps to protect their trade secrets – and be able to show they did in court. A company failing to take such steps, or unable to prove it did so, could lose its trade secret protection.

When deciding on the scope of protection granted to a trade secret, courts will therefore consider the protective measures a company can show it employed. This makes it especially important for companies to implement far-reaching protective steps.

Furthermore, the Directive strengthens the position of employees – most notably, their freedom to bring any knowledge and experience gained during their tenure with a company to their next employer. Companies should therefore take steps to contractually ensure confidentiality during an employee’s tenure.

The Way Forward

If applied correctly, trade secret protection can be a cost-efficient way to protect a company’s intellectual property. But companies need to actively shape their trade secret compliance strategy to properly protect their assets. Companies should hence consider the following precautionary measures:

  • Think about what information may qualify as a trade secret and include its protection as part of the corporate IP strategy.
  • Identify risks to the trade secrets, whether such risks arise from employees or business partners, especially in R&D projects.
  • Apply effective protection of trade secrets, by resorting to: (a) practical protection measures, such as restricted access, password protection or decentralization; (b) contractual measures, especially with employees and business partners, by revisiting many of your agreements; and (c) legal measures, such as prosecuting known misappropriation before Greek courts.

Implementing a trade secret protection strategy now wards off a case of unexpected misappropriation and is in parallel the optimal way to properly protect a valuable asset in view of the forthcoming legislative changes.

Administrators of Facebook Fan Pages, Beware!

Have you set up a fan page on Facebook for your enterprise or to boost your fan base? The European Court of Justice has some news for you.

As you may know, administrators of Facebook fan pages can obtain anonymous statistical data on visitors to their fan pages via a function called “Facebook Insights”, which Facebook makes available to them free of charge under non-negotiable conditions of use. The data is collected by means of cookies, which are active for two years and are stored by Facebook on the hard disk of the computer or on another device of visitors to the fan page. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed every time the fan pages are opened.

By decision of 3 November 2011, a local German supervisory authority in Schleswig-Holstein ordered Wirtschaftsakademie, a fan page administrator, to deactivate its fan page.

According to the supervising authority, neither Wirtschaftsakademie nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and then processed the data.

Wirtschaftsakademie brought an action against that decision before the German administrative courts, arguing that the processing of personal data by Facebook could not be attributed to it, and that it had not commissioned Facebook to process data that it controlled or was able to influence. Wirtschaftsakademie concluded that the Unabhängiges Landeszentrum should have acted directly against Facebook instead of against it.

It is in that context that the European Court of Justice was asked to interpret Directive 95/46 on data protection. The Court delivered Judgment in Case C-210/16, whereby it observed that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data.

Such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page. In particular, the Court noted that the administrator of the fan page can ask for demographic data (in anonymised form) – and thereby request the processing of that data – concerning its target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interests of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organise events and more generally enabling it to target best the information it offers.

According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.

The Court further stated that, where the supervisory authority of a Member State (in this case, the German supervisor) intends to exercise with respect to an entity established in the territory of that Member State (in this case, Wirtschaftsakademie) the powers of intervention provided for in Directive 95/46, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State (in this case, Facebook Ireland), that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State (Ireland), the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

The above judgment comes to reiterate that there must be no gaps in responsibility under data-protection law. This means specifically that all administrators of Facebook Pages have to ensure that they and Facebook conform to their respective obligations under data protection law.

Such a joint responsibility is particularly important with regard to a controller’s information obligations: transparency is required for the processing of data concerning all users, whether they are members of Facebook or non-members.

Live your Anti-Trust Legend in Greece

Private enforcement of anti-trust law is here to stay; the long-awaited introduction of Law 4529/2018 on Wednesday 14 March 2018 offers a valuable tool in the hands of the Greek market player, who now plays an equally essential part in applying competition rules (private enforcement). Law 4529/2018 transposed Directive 2014/104/EU and applies to individual civil actions for damages incurred following a breach of competition law.

Key features of Law 4529/2018:

  • The Law clarifies that victims are entitled to full compensation for the harm suffered, which covers compensation for actual loss and for loss of profit, plus payment of interest from the time the harm occurred until compensation is paid.
  • Parties will have easier access to the evidence they need in actions for damages in the antitrust field. In particular, if a party needs documents that are in the hands of other parties or third parties to prove a claim or a defence, it may obtain a court order for the disclosure of those documents. The judge will have to ensure, however, that disclosure orders are proportionate and that confidential information is duly protected.
  • Any participant in an infringement will be responsible towards the victims for the whole harm caused by the infringement (joint and several liability), with the possibility of obtaining a contribution from other infringers for their share of responsibility. However, to safeguard the effectiveness of leniency programmes, this will not apply to infringers which obtained immunity from fines in return for their voluntary cooperation with a competition authority during an investigation; these immunity recipients will normally be obliged to compensate only their (direct and indirect) customers.
  • The Law establishes a rebuttable presumption that cartels cause harm. This will facilitate compensation, given that victims often have difficulty in proving the harm they have suffered. The presumption is based on the finding that more than 90% of cartels cause a price increase. In the very rare cases where a cartel does not cause price increases, infringers can still prove that their cartel did not cause harm.
  • Clear limitation period rules are established so that victims have sufficient time to bring an action. In particular, victims will have at least 5 years to bring damages claims, starting from the moment when they had the possibility to discover that they suffered harm from an infringement. This period will be suspended or interrupted if a competition authority starts infringement proceedings, so that victims can decide to wait until the public proceedings are over.
  • From 16 September 2018 onwards, all actions raised on the basis of Law 4529/2018 shall be heard before a special division of the First Instance Court of Athens, which shall be composed of judges specialized in competition law.

New Law on Consumer Protection

The recent enactment of Law 4512/2018 on 17 January 2018 has introduced, among other things, a series of amendments to the framework governing consumer protection in Greece. The most important of these amendments are, in summary, the following:

    • The definitions of “consumer” and “supplier” are now clarified and amended to conform with ECJ jurisprudence and EU secondary law. In this regard, the consumer’s definition is narrowed down to include only persons acting for purposes which are not related to their trade, business or profession. Small scale enterprises, however, may now enjoy a protection equivalent to that of natural persons, as regards General Terms of Business.
    • It is clarified that all goods are covered by a free two (2) year legal guarantee.
    • The vendor’s obligation to provide an additional (commercial) guarantee is abolished. A commercial guarantee, however, may be provided following payment of an extra fee or in the form of extension of the guarantee already provided.
    • Issues in connection with the provision of an instruction manual and after-sales technical support services are now clarified. Such services include technical, repair and maintenance services, as well as the seamless supply of spare parts and components required for the purchased item.
    • General product safety rules and the corresponding producer’s and distributor’s obligations are set out in a clear and unambiguous manner. In addition, the obligations regarding CE marking, i.e. the manufacturer’s declaration that the product meets the requirements of the applicable EC directives, are now clearly defined.
    • The provisions on the protection of mental health of minors are being amended to introduce specific arrangements prohibiting the marketing of products which pose a risk to the psychological, mental or moral development of minors, or promote discrimination based on race, sex, religion, nationality, disability or sexual orientation.
    • Consumer associations may now be subsidized through donations, sponsorships and aids from scientific institutions, foundations or legal entities. Such donations, however, may not stem from individual suppliers or organizations these suppliers belong to.

In addition, Ministerial Decision 5338/2018 has codified the Law on Consumer Protection, including all amendments and additions effected over the last years. If you are interested in this recent Codified Version, you may find it by following this link.

Free Software Licenses and Friends

Last week I participated in a workshop on Software Licenses, organized by the Open Technologies Alliance (ELLAK). The workshop was led by Mr. Alexios Zavras, Senior Open Source Compliance Engineer of Intel Corp., who has been involved with OSS since 1983. Mr. Zavras presented a brief overview of the most widely used open-source licenses, elaborated on software licensing issues, and worked on scenarios arising from the licensing of derivative products released under copyleft, permissive and proprietary licenses.

The workshop was of particular relevance, since in the last couple of years hundreds of creators and organizations have chosen to distribute their data and works with free licenses, thereby rendering open-source applications an integral part of the operation of businesses and organizations, both public and private. This rapid rise in the use of free software and free licenses has resulted in an increased need for specialized legal support in a number of relevant subject areas.

If you are interested in finding out more about Open Source Software, or are considering licensing your own work under a free software license, you can find out more in the introductory guide provided by the Open Source Initiative, or consult with your IT lawyer.