Author: Emmanouil Savoidakis

Buyer’s review following an eBay transaction

In a recently published judgement (Urt. v. 23.09.2016, Az. 142 C 12436 /16) the District Court of Munich ruled that a false review of an eBay transaction constitutes a contractual breach and should be deleted by its author.

In the said case, the plaintiff offered on sale a high-end amplifier “Burmester 808 MK 3”. Pursuant to the description of the item, “the 808 MK3 would be delivered in its original packaging“. The buyer, however, acting in bad faith, reviewed the plaintiff’s profile negatively and lessened its status from 5 to 4,75 stars. The reviewer, in particular falsely claimed that the packaging was not the original one and discouraged other potential buyers from concluding an agreement with the plaintiff.

The plaintiff then repeatedly asked the buyer to withdraw the review and finally brought an action before the District Court of Munich.

The District Court of Munich ruled that an eBay buyer is obliged under the purchase agreement to disclose a truthful valuation regarding the seller and the transaction, and consequently condemned the defendant to remove his negative review.

“Wahrheitsgemäße Bewertungen nach einer Ebay Auktion sind ein zentrales Informationsinstrument der Internetplattform Ebay, da damit anderen potentiellen Käufern Informationen über frühere Käufe und damit Kenntnisse über den Verkäufer, der ansonsten nicht greifbar ist und zuweilen lediglich als beliebiger Ebay- Mitgliedsname erscheint, vermittelt werden. Bewertungen stellen damit quasi eine Kundenempfehlung bzw. Warnung dar. Daraus ergibt sich ein zentrales Interesse des Verkäufers auf Ebay an einer zutreffenden Bewertung.”

According to the court, the truthful assessment after an auction poses a central information tool of the platform eBay, through which other potential buyers are informed about previous purchases and have access to intelligence regarding the trustworthiness of the seller. The breach of this secondary obligation creates hence a right of the falsely assessed person to have any false review erased.

#RunForAmnesty

On March 19th I’ll be running in the 6th Athens Half Marathon for Amnesty International. Amnesty works tirelessly to protect the safety of millions of refugees who are forced to flee their homes to escape war, genocide, torture and persecution.

You can also help keep their vital work going by supporting Amnesty International Greece.

Asia Minor Mother, statue sculpted by Katerina Halepa Katsatou in Lesvos, Eastern Aegean.

Charging customers above basic telephone rate

In a question  referred to the European Court of Justice for preliminary ruling, the Court was called to interpret Directive 2011/83/EU on consumer rights. Under that directive, the Member States must ensure that where a trader operates a telephone line for the purpose of being contacted in relation to contracts concluded with consumers, consumers are not to be bound to pay more than the basic rate for calls to that line. However, the concept of a “basic rate” is not defined by the above directive.

The ruling came after Zentrale zur Bekämpfung unlauteren Wettbewerbs Frankfurt am Main, a German association for combating unfair commercial practices, requested an injunction from Landgericht Stuttgart, ordering comtech GmbH, a German company selling electrical and electronic equipment to discontinue extra-charging customers for telephone after-sales services, a commercial practice deemed unfair.

In its judgment of 2 March 2017, the Court’s answer was that the concept of ‘basic rate’ must be interpreted as meaning that call charges relating to a contract concluded with a trader to a telephone helpline operated by the trader may not exceed the cost of a call to a standard geographic landline or mobile telephone line.

According to the Court, in everyday language ‘the basic rate’ refers to the standard cost of a call. Both the context in which that concept occurs in the directive and the purpose of that directive, namely to ensure a high level of consumer protection, confirm that the concept must be understood in that ordinary sense of the term.

To permit traders to charge rates higher than that of a standard call would result to discouraging consumers from using a telephone helpline in order  for them to obtain information in relation to the contract, or from asserting their rights, in particular, relating to a guarantee or withdrawal.

Directive 2011/83/EU has been transposed into Greek law by virtue of Joint Ministerial Decision Ζ1-891/2013, pursuant to which a new Article 4e was added to Law 2251/1994 on Consumer Protection. Citing the relevant provision of the directive, Article 4e stipulates that “where the trader operates a telephone line for the purpose of contacting him by telephone in relation to concluded contracts, the consumer, when contacting him is not bound to pay more than the basic rate“. The Greek legislator has introduced, however, a sole exception, further providing in Article 4e that “the first subparagraph enters into force without any prejudice to the right of telecommunications service providers to charge for these calls“.

The CJEU judgment might be a good opportunity for us to reevaluate the relevance and justification of an exception favoring Greek TSPs.

Hellenic Data Protection Authority rules on the “right to be forgotten”

Ulysses and His Companions in the Land of the Lotus-Eaters, etching and engraving by Theodoor van Thulden.

Following the path of Google v. Spain, whereby the European Court of Justice ruled that European citizens can request commercial search firms to remove links to information deemed “inaccurate, inadequate, irrelevant or excessive” for the purposes of data processing, the Hellenic Data Protection Authority issued Decision 83/2016, dealing with a similar case of Greek interest.

The Decision came after a licensed obstetrician complained to the Greek data protection watchdog against Google’s denial to remove a link about a criminal conviction against him for child adoption fraud.

In its reply to the contested removal request, Google considered: (a) the relevance and truthfulness of the data, (b) the fact that the applicant was practicing a regulated profession as a physician, and (c) the severity of the crime for which he was sentenced and its relevance to his profession (proxy attempt at illegal adoption of a minor at gainful employment). Namely, the company’s reply had as follows:

“In this case it appears that the URL in question relates to matters of substantial interest to the public regarding your professional life. For example, this URL may be of interest to potential or current consumers, users, or participants of your services. Information about recent professions or businesses you were involved with may also be of interest to potential or current, users, or participants of your services. Accordingly, the reference to this document in our search results for your name is justified by the interest of the general public in having access to it.”

Following a complaint lodged with the Hellenic Data Protection Authority, the authority examined whether Google’s negative response had met the de-listing criteria provided by the Article 29 Working Party. Opining that the company failed to do so, they ordered Google to remove the contested link on the ground that the data it linked to was inaccurate. Its inaccuracy lied on the fact that the criminal conviction had been replaced – though not entirely overruled – by a milder sentence  by the court of appeal at a later time.

Decision 83/2016 may open the door to complaints of similar nature before the Hellenic Data Protection Authority and heralds the liability of search engines in Greece for the content they link to with regard to privacy. Forthcoming jurisprudence by Greek courts is eagerly anticipated, as balance should now be stricken between a novel “right to be forgotten” and other fundamental rights, such as the freedom of expression and the freedom of the press.

Generalized data retention not compatible with EU law

In 2006 the EU issued its Data Retention Directive. According to that Directive, EU Member States had to store electronic telecommunications data for at least six months and at most 24 months for investigating, detecting and prosecuting serious crime.

The directive was invalidated by the CJEU with its Digital Rights Ireland judgment in 2014, where it held that the directive provided insufficient safeguards against interferences with the rights to privacy and data protection.

In the aftermath of the above judgement, two references for a preliminary ruling were made to the Court, in relation to the general obligation imposed, in Sweden and in the UK, on providers of electronic communications services to retain their clients’ data.

In its eagerly anticipated Judgment in Joined Cases C-203/15, C-698/15, the Court ruled that EU law precludes a general and indiscriminate retention of traffic data and location data by the national legislation of the member-states. Targeted retention of data may only be allowed as a preventive measure, said the Court, when this is solely for the purpose of fighting serious crime. Even in this exceptional case, however, such retention should be limited to what is strictly necessary, with respect to the categories of the retained data, the means of communication affected, the duration and the persons concerned.

Finally, the Court held that access of national authorities to the retained data must be subject to certain conditions, including prior review by an independent authority and the data being retained within the EU.

In Greece, Law 3917/2011 that transposed the Data Retention Directive is still in force and obliges providers of electronic communications services to identify and retain the source, destination, date, time, duration, type and equipment of a communication for 12 months. The list of data retained only excludes the content of the information communicated and may easily identify a wide ambit of the citizens’ social interactions, a situation that leaves their data vulnerable to uses  potentially detrimental to privacy or, more broadly, fraudulent or even malicious.

The recent CJEU judgment is expected to trigger some activity at both a judicial and legislative national level, leading to the annulment and/or amendment of the relevant law. This amendment, however, should be effected in such a way that public safety is efficiently safeguarded, whereas at the same time no compromises are made to the rights of natural persons with regard to the processing of their personal data.

Citadel of Rhodes

The other day I was for a short visit at the city of Rhodes, Southern Aegean, representing a client before the local  Administrative Court of First Instance.

Right after the hearing the winter sunny day gave me a window of opportunity to leisurely stroll in the medieval citadel of Rhodes. The citadel was built by the Hospitallers in the 14th century following their persecution from Cyprus and today it demonstrates Ancient Greek, Christian, Muslim and Jewish monuments.

The visitor is left a bit disappointed, though, as its UNESCO World Heritage Site designation clashes with the existence of roaming vehicles and a handful of dilapidated tourist shops allowed to operate along its cobbled streets. World heritage preservation in times of crisis; a crisis that apparently extends beyond its sovereign debt aspect.

Rhodes Courthouse.
Rhodes, Steps leading up to a medieval bastion.
Citadel of Rhodes, Gate of St Paul.

Law in the Age of Big Data

The following opening paragraphs could be from any contemporary data privacy journal:

“The creation of advanced computer technology has resulted in jurists having to face a range of new and awkward problems. Through interlinking, copying and other automated data processing, modern technology has made it possible to, collect, compare, and combine enormous amounts of data about every person. Also data that in and of itself is not secret can, through its currency, quantity and internal correlation place the individual under the magnifying glass and expose much of his private life …”

What makes the quote unique, though, is that it was written back in 1978, well before the internet started impacting culture and commerce, by Professor Michael Bogdan of Lund University, and published in the Swedish law journal “Svensk Juristtidning”.

The article addresses the world’s first national data privacy law, that of Sweden, elaborating private international law issues stemming from the complexities surrounding dataflykt (‘data drain’ or ‘data flight’).

Since 1978 technological advancements in the field of data processing have been breathtaking, creating challenges that were previously contemplated only by sci-fi novelists. The legal discourse, however, has not managed to keep pace. The relevance of the article referred to above highlights, before anything, that the law will never manage to keep up with the pace of technological developments. How far behind, however, should we accept it to be?

In the end, perhaps, it would be more meaningful if we distinguished between “legal thinking and knowledge” on the one hand, and “legal principles” on the other. Professor Bogdan’s 1978 article shows that academic commentary on the relevant legal issues was already then at an advanced stage. Looking, however at modern technological applications such as facial recognition, or Internet of Things, it is striking in how much detail the legal issues arising therefrom are analyzed by the academia and the international legal community. By realizing this, we may arguably assume that legal thinking and knowledge, as such, is not necessarily always the tortoise while technology is the hare disappearing into the horizon.

The question here, as posed by Dr Christopher Kuner, Editor-in-Chief of the Journal International Data Privacy Law, in an editorial note he published back in 2014, is how we can speed up this conversion of legal thinking and knowledge into appropriate legal principles and rules. This key challenge remains to be addressed.

Privacy Shield: stronger protection for transatlantic data flows

In the aftermath of the CJEU judgment in Maximillian Schrems vs Data Protection Commissioner case (Case C-362/14), and following the invalidation of the Safe Harbor in October 2015, the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic data transfers on Tuesday, 2 February 2016: the EU-U.S. Privacy Shield (IP/16/216).

The adoption procedure of the decision texts was finalized by the European Commission on 12 July 2016, after the relevant opinion of the article 29 working party (national data protection authorities) and the European Parliament resolution of 26 May.

This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States and offers legal clarity for businesses relying on transatlantic data transfers. The Shield has been drafted, among others, to further illuminate the bulk collection of data, strengthen the Ombudsperson mechanism, and set more explicit obligations on companies as regards limits on retention and onward transfers.

The EU-U.S. Privacy Shield summarily touches upon the following points:

  • Strong obligations on companies handling data: under the new arrangement, U.S. companies wishing to abide by the EU-U.S Privacy Shield will be obliged to register in the Privacy Shield register and re-certify annually. Moreover, their privacy policies will have to be updated, so as to appropriately inform data subjects on their current access rights and the available recourse mechanisms. Especially for onward transfers to third party service providers, companies will remain fully liable and will ensure that third parties’ processing data enjoy the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Notably, the U.S. Government has ruled out indiscriminate mass surveillance on personal data transferred to the US. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State. It is notable that on 24 February 2016, the Judicial Redress Act was signed. The Act permits EU data subjects to seek remedies for violation of their personal data against U.S agencies in U.S courts.
  • Effective redress mechanisms: Any citizen who considers that their data has been misused shall benefit from several dispute resolution mechanisms. Ideally, the complaint shall be resolved by the company itself, or by an Alternative Dispute resolution (ADR) process, the costs thereof shall not be incurred by the concerned individual. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsperson independent from the US intelligence services.

For further information, you can have a look at the EU-U.S. Privacy Shield fact-sheet, published by the European Commission in July 2016 [link], as well as the European Commission’s practical guide to the EU-U.S. Privacy Shield  [link].

Quote of the Day

A lawyer’s either a social engineer or … a parasite on society … A social engineer [is] a highly skilled, perceptive, sensitive lawyer who [understands] the Constitution of the United States and [knows] how to explore its uses in the solving of problems of local communities and in bettering conditions of the underprivileged citizens.

Charles Hamilton Houston