Quote of the Day

The charming aspect of Christmas is the fact that it expresses good will in a cheerful, happy, benevolent, non-sacrificial way. One says: “Merry Christmas”—not “Weep and Repent.” And the good will is expressed in a material, earthly form—by giving presents to one’s friends, or by sending them cards in token of remembrance …

The best aspect of Christmas is the aspect usually decried by the mystics: the fact that Christmas has been commercialized. The gift-buying … stimulates an enormous outpouring of ingenuity in the creation of products devoted to a single purpose: to give men pleasure. And the street decorations put up by department stores and other institutions — the Christmas trees, the winking lights, the glittering colors — provide the city with a spectacular display, which only “commercial greed” could afford to give us. One would have to be terribly depressed to resist the wonderful gaiety of that spectacle.

Ayn Rand, The Objectivist Calendar, Dec. 1976

The New Hammer of the CPC Regulation

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

Abraham Maslow

The other day the European Parliament passed the Consumer Protection Cooperation (CPC) regulation, with an eye on the creation of an effective mechanism to combat rogue traders both online and offline. Provisions stipulated therein are bound to enforce consumers’ rights in the Single Market and close legal loopholes, which are exacerbated because consumer protection systems differ among EU member-states.

Investigation and enforcement powers of national consumer authorities shall include, among others:

  • requesting information from domain registrars and banks to identify rogue traders,
  • purchasing goods or services as test purchases, including under a cover identity (“mystery shopping”),
  • ordering the explicit display of a warning to consumers, or ordering a hosting service provider to remove, disable or restrict access to an online interface (e.g. website or app) if there are no other effective means to stop an illegal practice,
  • imposing penalties, such as fines or periodic penalty payments, and
  • seeking to obtain commitments from the trader to offer adequate remedies to the affected consumers, and informing them of how to seek compensation.

One of the less appealing features of the regulation, however, is the introduction of an overreaching general website blocking provision. Instead of providing for the removal of content that infringes on consumer protection laws as a last resort measure, the regulation introduces far-reaching internet blocking measures and places them readily in the hands of the national competent authorities, without prior judicial authorization.

In particular, Article 9 par. 4 of the regulation on the minimum powers of competent national authorities provides that:

Competent authorities shall have at least the following enforcement powers: […] (g) where no other effective means are available to bring about the cessation or the prohibition of the infringement covered by this Regulation and in order to avoid the risk of serious harm to the collective interests of consumers:

(i) the power to remove content or to restrict access to an online interface or to order the explicit display of a warning to consumers when they access an online interface;
(ii) the power to order a hosting service provider to remove, disable or restrict access to an online interface; or
(iii) where appropriate, the power to order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to register it; including by requesting a third party or other public authority to implement such measures; […]

Such a provision forces internet access providers to create a website blocking infrastructure, which is viewed by many as a tool open to potential abuse for any number of other purposes, including censorship. To give a recent example, independence-related websites were blocked in Catalunya just weeks ago. The swift blocking of those websites was made possible only because of website blocking infrastructure that had previously been put in place for other purposes, such as barring access to sites involving copyright infringement.

Bracing up for GDPR

With the new EU General Data Protection Regulation ante portas, companies handling personal customer data throughout the EU are set to face a considerable operational challenge. In fact, the GDPR extends compliance requirements to both data controllers and processors and is oriented towards establishing a modern and uniform data protection framework across the EU, reinforcing individuals’ rights and introducing a number of “data governance” concepts, especially in the area of data security.

Companies eager to move proactively and prepare well ahead of May 2018 need to proceed with a series of steps, such as mapping their data, conducting a due diligence review and implementing a robust response plan in case of a data breach. Most importantly, they should redraft their privacy policies and nurture an inclusive personal data corporate culture, since conformity with the GDPR is expected to be an ongoing obligation, demanding constant adjustments and a more hands-on approach.

A controller’s responsibilities summarily comprise:

  • Carrying out data protection impact assessments (PIAs) when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
  • Assuring the effective protection of individuals, such as erasure, reporting and notice requirements, and maintaining records of processing activities.
  • Duties towards the competent regulatory authority, such as consultation prior to processing and data breach notification. To this purpose, the appointment of a Data Protection Officer, who would mediate as a contact point – or a breakwater – between the company and the authority could play a vital role in ensuring maximum compliance.

Finally, a processor of personal data is not exempt from the regulatory ambit of the GDPR and is therefore burdened with a number of responsibilities, including:

  • The pseudonymisation and encryption of the personal data processed on behalf of the controller,
  • the ability to ensure ongoing confidentiality, integrity and resilience of its processing systems and services,
  • the ability to restore access to personal data in a timely manner in the event of a malicious attack, or a physical incident, and
  • a process for regularly testing, assessing and evaluating the effectiveness of its technical and organizational systems, thus demonstrating that it puts every reasonable effort into safeguarding the security of processing.

Personal Data Protection in the Employment Context

The Article 29 Working Party has recently adopted Opinion 2/2017 on data processing at work. By elaborating nine hypothetical scenarios, the Opinion builds on Opinion 8/2001 and its 2002 Working Document on the surveillance of electronic communications in the workplace, and attempts to regulate other types of monitoring technologies such as cloud services, vehicle tracking, smart devices etc.

Over the last couple of years, these technologies have posed significant new challenges to privacy and data protection at only a fraction of the costs. As a result, Opinion 2/2017 now attempts to strike a new balance between the legitimate interests of employers and the reasonable privacy expectations of the employees.

This balance is struck in light of the Data Protection Directive and the General Data Protection Regulation. The golden rules confirmed therein are the following:

  • employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
  • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
  • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
  • performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
  • employees should receive effective information about the monitoring that takes place; and
  • any international transfer of employee data should take place only where an adequate level of protection is ensured.

In its concluding remarks, Opinion 2/2017 stresses that data processing at work must be a proportionate response to the risks faced by an employer. Internet misuse, for example, can be detected without the necessity of analysing website content. If misuse can be prevented (e.g., by using web filters) the employer has no general right to monitor.

Furthermore, a blanket ban on communication for personal reasons is impractical and enforcement may require a level of monitoring that may be disproportionate. Prevention should therefore be given much more weight than detection – the interests of the employer are better served by preventing internet misuse through technical means than by expending resources in detecting misuse.

With regard to data minimization, it is emphasized that the information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible. Employees for example should have the possibility to temporarily shut off location tracking, if justified by the circumstances. Employers in their turn are required to take the principle of data minimization by design into account when deciding on the deployment of new technologies. The information should be stored for the minimum amount of time needed with a retention period specified, and whenever it is no longer needed it should be deleted.


Buyer’s review following an eBay transaction

In a recently published judgement (Urt. v. 23.09.2016, Az. 142 C 12436 /16) the District Court of Munich ruled that a false review of an eBay transaction constitutes a contractual breach and should be deleted by its author.

In the said case, the plaintiff offered for sale a high-end amplifier “Burmester 808 MK 3”. Pursuant to the description of the item, “the 808 MK3 would be delivered in its original packaging”. The buyer, however, acting in bad faith, reviewed the plaintiff’s profile negatively and lowered its rating from 5 to 4,75 stars. The reviewer, in particular, falsely claimed that the packaging was not the original one and discouraged other potential buyers from concluding an agreement with the plaintiff.

The plaintiff then repeatedly asked the buyer to withdraw the review and finally brought an action before the District Court of Munich.

The District Court of Munich ruled that an eBay buyer is obliged under the purchase agreement to provide a truthful assessment of the seller and the transaction, and consequently ordered the defendant to remove his negative review.

“Truthful reviews following an eBay auction are a central information tool of the internet platform eBay, since they convey to other potential buyers information about previous purchases and thus knowledge about the seller, who is otherwise not tangible and at times appears merely as an arbitrary eBay member name. Reviews thus constitute, in effect, a customer recommendation or warning. From this follows a central interest of the seller on eBay in an accurate review.”

According to the court, a truthful assessment after an auction constitutes a central information tool of the eBay platform, through which other potential buyers are informed about previous purchases and have access to intelligence regarding the trustworthiness of the seller. The breach of this secondary obligation hence creates a right of the falsely assessed person to have any false review erased.

#RunForAmnesty

On March 19th I’ll be running in the 6th Athens Half Marathon for Amnesty International. Amnesty works tirelessly to protect the safety of millions of refugees who are forced to flee their homes to escape war, genocide, torture and persecution.

You can also help keep their vital work going by supporting Amnesty International Greece.

Asia Minor Mother, statue sculpted by Katerina Halepa Katsatou in Lesvos, Eastern Aegean.

Charging customers above basic telephone rate

In a question referred to the European Court of Justice for a preliminary ruling, the Court was called to interpret Directive 2011/83/EU on consumer rights. Under that directive, the Member States must ensure that where a trader operates a telephone line for the purpose of being contacted in relation to contracts concluded with consumers, consumers are not to be bound to pay more than the basic rate for calls to that line. However, the concept of a “basic rate” is not defined by the above directive.

The ruling came after Zentrale zur Bekämpfung unlauteren Wettbewerbs Frankfurt am Main, a German association for combating unfair commercial practices, requested an injunction from the Landgericht Stuttgart ordering comtech GmbH, a German company selling electrical and electronic equipment, to stop charging customers extra for telephone after-sales services, a commercial practice deemed unfair.

In its judgment of 2 March 2017, the Court’s answer was that the concept of ‘basic rate’ must be interpreted as meaning that call charges relating to a contract concluded with a trader to a telephone helpline operated by the trader may not exceed the cost of a call to a standard geographic landline or mobile telephone line.

According to the Court, in everyday language ‘the basic rate’ refers to the standard cost of a call. Both the context in which that concept occurs in the directive and the purpose of that directive, namely to ensure a high level of consumer protection, confirm that the concept must be understood in that ordinary sense of the term.

To permit traders to charge rates higher than that of a standard call would discourage consumers from using a telephone helpline in order to obtain information in relation to the contract, or from asserting their rights, in particular those relating to a guarantee or withdrawal.

Directive 2011/83/EU has been transposed into Greek law by virtue of Joint Ministerial Decision Ζ1-891/2013, pursuant to which a new Article 4e was added to Law 2251/1994 on Consumer Protection. Citing the relevant provision of the directive, Article 4e stipulates that “where the trader operates a telephone line for the purpose of contacting him by telephone in relation to concluded contracts, the consumer, when contacting him, is not bound to pay more than the basic rate”. The Greek legislator has introduced, however, a sole exception, further providing in Article 4e that “the first subparagraph enters into force without any prejudice to the right of telecommunications service providers to charge for these calls”.

The CJEU judgment might be a good opportunity for us to reevaluate the relevance and justification of an exception favoring Greek TSPs.

Hellenic Data Protection Authority rules on the “right to be forgotten”

Ulysses and His Companions in the Land of the Lotus-Eaters, etching and engraving by Theodoor van Thulden.

Following the path of Google v. Spain, whereby the European Court of Justice ruled that European citizens can request commercial search firms to remove links to information deemed “inaccurate, inadequate, irrelevant or excessive” for the purposes of data processing, the Hellenic Data Protection Authority issued Decision 83/2016, dealing with a similar case of Greek interest.

The Decision came after a licensed obstetrician complained to the Greek data protection watchdog against Google’s denial to remove a link about a criminal conviction against him for child adoption fraud.

In its reply to the contested removal request, Google considered: (a) the relevance and truthfulness of the data, (b) the fact that the applicant was practicing a regulated profession as a physician, and (c) the severity of the crime for which he was sentenced and its relevance to his profession (acting as a proxy in an attempted illegal adoption of a minor for gain). The company’s reply read as follows:

“In this case it appears that the URL in question relates to matters of substantial interest to the public regarding your professional life. For example, this URL may be of interest to potential or current consumers, users, or participants of your services. Information about recent professions or businesses you were involved with may also be of interest to potential or current, users, or participants of your services. Accordingly, the reference to this document in our search results for your name is justified by the interest of the general public in having access to it.”

Following a complaint lodged with the Hellenic Data Protection Authority, the authority examined whether Google’s negative response had met the de-listing criteria provided by the Article 29 Working Party. Finding that the company had not, it ordered Google to remove the contested link on the ground that the data it linked to was inaccurate. The inaccuracy lay in the fact that the criminal conviction had been replaced – though not entirely overruled – by a milder sentence handed down by the court of appeal at a later time.

Decision 83/2016 may open the door to complaints of a similar nature before the Hellenic Data Protection Authority and heralds the liability of search engines in Greece for the content they link to with regard to privacy. Forthcoming jurisprudence by Greek courts is eagerly anticipated, as a balance should now be struck between a novel “right to be forgotten” and other fundamental rights, such as the freedom of expression and the freedom of the press.

Generalized data retention not compatible with EU law

In 2006 the EU issued its Data Retention Directive. According to that Directive, EU Member States had to store electronic telecommunications data for at least six months and at most 24 months for investigating, detecting and prosecuting serious crime.

The directive was invalidated by the CJEU with its Digital Rights Ireland judgment in 2014, where it held that the directive provided insufficient safeguards against interferences with the rights to privacy and data protection.

In the aftermath of the above judgement, two references for a preliminary ruling were made to the Court, in relation to the general obligation imposed, in Sweden and in the UK, on providers of electronic communications services to retain their clients’ data.

In its eagerly anticipated Judgment in Joined Cases C-203/15, C-698/15, the Court ruled that EU law precludes a general and indiscriminate retention of traffic data and location data by the national legislation of the member-states. Targeted retention of data may only be allowed as a preventive measure, said the Court, when this is solely for the purpose of fighting serious crime. Even in this exceptional case, however, such retention should be limited to what is strictly necessary, with respect to the categories of the retained data, the means of communication affected, the duration and the persons concerned.

Finally, the Court held that access of national authorities to the retained data must be subject to certain conditions, including prior review by an independent authority and the data being retained within the EU.

In Greece, Law 3917/2011, which transposed the Data Retention Directive, is still in force and obliges providers of electronic communications services to identify and retain the source, destination, date, time, duration, type and equipment of a communication for 12 months. The list of data retained excludes only the content of the communication and may easily identify a wide ambit of the citizens’ social interactions, a situation that leaves their data vulnerable to uses potentially detrimental to privacy or, more broadly, fraudulent or even malicious.

The recent CJEU judgment is expected to trigger some activity at both a judicial and legislative national level, leading to the annulment and/or amendment of the relevant law. This amendment, however, should be effected in such a way that public safety is efficiently safeguarded, whereas at the same time no compromises are made to the rights of natural persons with regard to the processing of their personal data.

Citadel of Rhodes

The other day I paid a short visit to the city of Rhodes, Southern Aegean, representing a client before the local Administrative Court of First Instance.

Right after the hearing, the sunny winter day gave me a window of opportunity to stroll leisurely through the medieval citadel of Rhodes. The citadel was built by the Hospitallers in the 14th century following their persecution in Cyprus, and today it displays Ancient Greek, Christian, Muslim and Jewish monuments.

The visitor is left a bit disappointed, though, as its UNESCO World Heritage Site designation clashes with the existence of roaming vehicles and a handful of dilapidated tourist shops allowed to operate along its cobbled streets. World heritage preservation in times of crisis; a crisis that apparently extends beyond its sovereign debt aspect.

Rhodes Courthouse.
Rhodes, Steps leading up to a medieval bastion.
Citadel of Rhodes, Gate of St Paul.