On 1st January 2017 France brought into force a law on the “right to disconnect”, which aims at banning office emails outside working hours.
Conceived as a means to combat an increase in stress, linked to compulsive out-of-hours email checking, the new legislation requires all companies with more than 50 employees to start negotiations in order to define the rights of employees to ignore their smartphones out of working hours.
As is well known, replying to emails outside working hours is not usually considered as overtime and therefore generally remains unpaid. Moreover, employee availability during off-hours is nowadays considered “a duty” by many employers. For this reason the new law requires companies to reach an agreement with their employees, in which the out-of-hours times when employees are required to reply to office communications must be explicitly detailed. The new measure also aims to protect digital professionals, who work remotely and are therefore more exposed to off-hours calls.
The law was introduced after Labour Minister Myriam El Khomri had commissioned a report on the health impact of the uninterrupted flow of digital information, so-called “info-obesity”, coming from the workplace. The excessive use of digital devices on which employees are reachable 24/7 has been considered the cause of any number of health conditions from “burnout”, to sleeplessness and relationship problems.
A number of multinational companies based in France have announced that they have already taken steps to put in place innovative solutions such as a “curfew” on evening communications or systems that automatically delete emails sent to employees when they are on holiday or not working.
The Privacy Shield agreement, which regulates cross border data transfer flows between the European Union and the United States and which recently replaced the previous Safe Harbor agreement, is once again under discussion.
Only a few months after the text came into force, the European Court of Justice has been called upon to decide on the adequacy of the level of protection guaranteed by the Privacy Shield agreement.
A number of companies working in the digital sector and performing the transfer of personal data abroad (among which the by now well known Digital Rights Ireland Ltd.) argue that the Privacy Shield agreement does not offer an adequate level of protection, contrary to what was deemed to be the case by the European Commission, which on the 12th July 2016 implemented the adequacy decision, making legitimate the transfer of data towards the United States and those American organizations endorsing the new agreement.
In particular, the claimants maintain that the EU-US Privacy Shield does not fully implement those principles and rights regarding personal data protection included in directive 96/46/EC (which will be repealed from 2018 by means of recent EU Regulation 679/2016) and consequently, does not adequately safeguard the rights of European citizens. In the appeals it is also brought into question that the agreement does not exclude indiscriminate access to electronic communications by foreign authorities, thus in violation of the right to privacy, to the protection of personal data and the freedom of expression as set out in the Charter of Fundamental Rights of the European Union.
For the abovementioned reasons the said companies challenged the Commission’s adequacy decision in accordance with art. 263 TFEU, which grants interested parties the right to appeal against the Commission’s acts and obtain their annulment within two months from their entry into force or their publication.
It is worth recalling that the Article 29 Working Party had already expressed its fears regarding certain aspects of the agreement, which had not been modified, despite repeated requests for review. Immediately following the implementation of the Privacy Shield agreement, in a statement on the 26th July 2016, the Group of European DPAs underlined that no concrete security measures to prevent the general collection of data had been provided and that the independence of the role and powers of important redress bodies (such as the Ombudsperson) had not been guaranteed.
As a consequence, the new system does not seem to have helped to establish a climate of certainty regarding the legal framework regulating cross border data transfer flows to the United States, a country which has clearly not yet gained the trust of European operators. The decision by the Court of Justice is now awaited since it might either consider the appeals inadmissible due to a lack of legitimization or groundless motivations or decide to uphold them.
The 54th session of UNCITRAL Working Group IV on Electronic Commerce brought to a close work on the regulation of “Electronic Transferable Records”, following which a new Working Group on Identity Management was formed.
During the last session in Vienna, Working Group IV on Electronic Commerce of the United Nations Commission on International Trade Law (UNCITRAL) produced a final version of the International Model Law on Electronic Transferable Records and invited the UNCITRAL Secretariat to forward the text to all Member States and international organisations for their opinions, after which the text will then be submitted to the UNCITRAL Commission in Vienna in July 2017.
Over the last five years the Working Group’s activity focused on the definition, the rules and the use of these particular electronic financial data. As its President, Giusella Finocchiaro chaired the Working Group from 2012 until the termination of its work.
In its activity concerning ETRs, the Working Group drew inspiration from a number of fundamental principles such as those of technology neutrality and of non-discrimination between paper and electronic documents, keeping the impact on national substantive legislation to a minimum.
At the same time as they brought to an end their analysis of Electronic Transferable Records, the Working Group initiated a discussion on the new Identity Management project assigned by the Commission, which is currently an issue of significant national and international interest.
The new Working Group will be required to focus both on Digital Identification systems with a diversity of subjects and on bilateral systems and will have to take into consideration the identities of both natural persons and legal persons, without at the moment excluding digital objects. There was a reminder that the Commission’s mandate also concerns “Trust Services”, the detailed study of which will be made in the future, but which will immediately be taken into consideration in working out their definitions.
Therefore a group of experts has been created for the elaboration of first drafts. Given that the European Regulation on this subject has recently come into force, the European approach, which the Commission strongly supports, will be most significant.
A recent judgment by the European Court of Justice stated that IP addresses can be considered as personal data in that they can be used to identify a user by turning to the authorities or ISP providers.
The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.
Every access to German Government websites is registered with the aim of thwarting cyber attacks and identifying hackers and at the end of each consultation session, a range of data is stored, such as the name of the website or file consulted, words typed in the search bars, date and time of consultation, volume of transferred data, outcome of the consultation and the IP address of the computer which has effected access.
Mr Breyer petitioned the German administrative judges, requesting them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance trial, but the Appeal Judge partially accepted his petition, condemning the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the consultation session, even though in the form of an e-mail address.
Therefore, according to the German Court of Appeal, dynamic IP addresses associated with dates of consultation are only to be considered personal data in those cases when users have revealed their identity when surfing the web, whereas if users do not reveal their identity during a consultation session, IP addresses would not be considered as personal data as only Internet service providers could link those IP addresses to the names of their subscribers.
As both the Federal Republic of Germany and Mr Breyer opposed the Appeal Court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer aiming at full approval of his injunction and the State requesting its rejection.
The Federal Court of Justice pointed out that the qualification of IP addresses as «personal» data depends on whether or not it is possible to identify users and raised a question of doctrine regarding the choice of «objective» or «relative» criteria in order to establish whether a person is identifiable. Applying «objective» criteria, IP addresses could be considered personal data even if only one third party were able to determine the identity of the person involved; the third party in this case would be an Internet access service provider. On the other hand, according to «relative» criteria, these data could only qualify as personal data in relation to a particular subject, such as the Internet access service provider, who was able to trace precise identification back to a specific user. On the contrary, IP addresses could not be considered personal data for other subjects such as Internet site administrators, since they are not in possession of the necessary information for identification without resorting to external sources, except for those cases in which users reveal their identities while browsing the web.
First of all the European Court of Justice observed that a dynamic IP address does not represent information referring to an «identified natural person», since it directly reveals neither the identity of a computer owner connected to an Internet website, nor that of another person who may be using the same computer. However, the Court stressed that the wording in art. 2, letter a) of directive 95/46 proves that a person is considered identifiable when they can be identified not only directly, but also indirectly. Moreover, recital 26 of directive 95/46 states that, to determine whether a person is identifiable, it is appropriate that the sum total of the means that may be reasonably used by a data processor or others to determine said person’s identity should be taken into consideration.
According to the Court, the fact that additional information necessary to identify users is not directly in the possession of website administrators, but rather in that of Internet access service providers, is not sufficient to exclude dynamic IP addresses from being considered as personal data in accordance with art. 2, letter a) of directive 95/46. Indeed, it needs to be established whether the possibility to match a dynamic IP address to the names in the possession of Internet access service providers constitutes an accessible means for website administrators. This would not be the case if the identification of the person involved were prohibited by law or in practice unfeasible, for example due to the fact that it would imply an enormous amount of time, cost and labour.
Despite German national legislation not allowing ISP providers to directly transmit information that identifies a person starting from an IP address, the Court stressed that there are legal instruments which, especially in cases of cyber attacks, allow website administrators to turn to the appropriate authorities, in order that these authorities can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means, which, with the help of other subjects, can be reasonably used to identify a person based on their IP address.
Therefore, the European Court of Justice has established that article 2, letter a) of directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website represents personal data, where website administrators are concerned, in the event that they are in possession of the legal means to allow the identification of the person involved by recourse to an Internet access service provider.
This is the interview Giusella Finocchiaro gave to Vanity Fair and which was published in issue 39/2016 of the weekly.
What laws do we have to protect us?
«Quite a few. Both of these recent incidents, for example, contain a series of civil offences that range from the violation of privacy legislation to the violation of a person’s fundamental rights. There are a number of possible offences that could be brought before a criminal court such as instigation to commit suicide, unlawful interference in a person’s private life and the handling of child-pornography material».
Who to press charges against? And how effective is it?
«Those to take action against are the authors, those who put the videos online. Then, naturally, action may also be taken against service providers, namely those companies which provide access to the Net, but only on certain conditions: they’re under no obligation to monitor in advance what’s made available online, nonetheless they’re legally required to remove contents if there’s provision to do so on the part of the judicial authority or of any other competent authority».
But can everything be blocked and for always?
«The possibility can’t be ruled out that the video has been downloaded by other users and that it keeps on circulating. Of course these other users are committing a crime as well. In practice, it’s a constant game of catch-up: in the digital dimension it’s extremely easy to even reproduce multiple copies of a message».
Should providers be given more responsibilities?
«Certainly, but not with a control system, because it’s very laborious. A mechanism to allow users to contact providers would be useful, because in this way, when they received a complaint, providers could verify and remove contents in a very short space of time».
What advice would you give to make good use of the Net?
«Never forget that when you access the Net you leave a strictly private dimension and you enter a very public one».
The Italian Supreme Court has found the Zecca dello Stato (The State Institute of Printing and Minting) guilty of monitoring its employees’ web surfing data, emails and phone calls, in violation of a number of provisions of the Statuto dei Lavoratori (Workers’ Statute of Rights, L. 300 of 1970).
With its decision of the 19th September 2016, n. 18302, the Court of Cassation established the illegality of the storage activity on the company server of employees’ emails, phone calls and web surfing data without prior application of the authorization procedure provided for by the Workers’ Statute of Rights and the Code for the protection of personal data.
The facts of the case on which the decision is based are as follows: in 2011 the Italian Data Protection Supervisor had emphasized with a disciplinary provision, that the Internet service provided by the Istituto Poligrafico e Zecca dello Stato (The State Institute of Printing and Minting) for its own employees not only prevented access to websites not inherent to work activity, but also stored every access, or attempt to access, any website, thus allowing the reconstruction of every single worker’s web browsing activity. In addition, the employees’ web surfing data were stored on the system for a length of time varying anywhere from six months to a year.
The Supervisor had also noticed the illegality of the storage system of employees’ sent and received emails on the company’s server, which allowed full view of them to the system administrators without any specific information on privacy having been provided in regard to the matter.
It had also been pointed out that the State Institute of Printing and Minting implemented a method of telephone traffic monitoring through the VoIP system which also in this case allowed the recording and prolonged storage of traffic data without providing any adequate privacy information for its employees.
Therefore, the Supervisor had considered that the activity of the State Institute of Printing and Minting violated L. n. 300 of 1970, arts. 4 and 8 of the Workers’ Statute of Rights as it made possible the disclosure of employees’ sensitive data without having acquired their prior consent (and consequently also in violation of arts. 11, 113 and 114 of the Code for the Protection of Personal Data). Therefore the provision prohibited the State Institute of Printing and Minting from storing and categorizing employees’ web surfing data in addition to their emails and phone calls, obliging the Institute to inform those involved about the ways in which their personal data were processed. The Supervisor had also required that the identities of the system administrators with authorization to access the company’s databases should be made public (and therefore known to the company’s employees) and that there should be the guarantee of all accesses made by the administrators being revealed in full.
In 2011 the Court of Rome rejected the appeal by the State Institute of Printing and Minting against the Supervisor’s provision, clarifying that, as provided for by art. 4 of the Workers’ Statute of Rights, employers are only allowed to use monitoring systems for requirements of organisation and production in agreement with the trade unions or in compliance with legal obligations, whereas the use of such systems is prohibited if it is carried out for monitoring the activity of employees. With reference to other previous decisions, the Court pointed out that the necessity to protect the company (and its activity) cannot legitimise suppressing fundamental employee rights such as the right to privacy.
Consequently, the State Institute of Printing and Minting appealed against the decision to the Supreme Court, maintaining that those controls not directed at work activities but rather at other employee conduct in the workplace, which might expose the business assets of the company to serious danger and which might be potentially harmful for third parties, with consequent liability on the part of the employer, fall entirely outside the scope of application of the provisions of the Workers’ Statute of Rights. This risk is all the more significant in that the Institute carries out public interest activities such as the printing of the Gazzetta Ufficiale (Italian Official Journal) and of the Raccolta ufficiale degli atti normativi della Repubblica italiana (the Official Compendium of Legislative Acts of the Italian Republic), the production of personal identification documents, security and anti-counterfeiting systems, legal tender and so on.
However the Court of Cassation considered that the significance of the public role entrusted to the State Institute of Printing and Minting does not justify violation of the current legislation, which aims to protect guarantees for constitutionally recognised workers’ rights. To this effect, the Judge emphasised the second paragraph of art. 4, which provides that monitoring systems required for organizational reasons or for safety in the workplace, but which also allow the distance monitoring of employee activity, may only be installed with the prior agreement of company trade union representatives or, in their absence, of the shop stewards’ committee. In the absence of an agreement and at the request of the employer, the Ispettorato del lavoro (the Labour Inspectorate) mediates, setting out where necessary the procedure for the use of such systems.
Therefore, rejecting the appeal and confirming the observations of the Court of Rome’s decision, the Court of Cassation underlined the necessity to strike a balance between the employer’s rights, in particular the right to conduct business and to protect the company’s business assets, and the protection of worker rights, first and foremost the right to privacy.
The European Court of Justice has recently been called on to rule on the use of the Internet and, more specifically, of so-called free wifi networks (namely wifi networks not protected by passwords), which are often used by Internet users who violate copyright rights, taking advantage of the anonymity guaranteed by the net.
With its decision of the 15th September 2016 regarding lawsuit C-484/14, the Court of Justice ruled in favour of the acquittal of the administrator of a local wireless network, which was free and accessible without authorization, and which had been used by a user for the online distribution of a piece of music without the consent of the copyright holders.
Acknowledging Internet access services to be a service in the information society, which simply consist in the provision of access to a communication network, the Luxembourg Court adjudged the wifi network administrator to be exempt from all liability in accordance with Directive 2000/31/EC. As in the case of hosting service providers, the latter is in fact under no obligation (nor does he have the concrete means) to have any knowledge of and monitor information transmitted by his network.
However, keeping the necessary balance between fundamental rights (in the present case, the freedom to do business and copyright), the Court further stated that national judicial authorities may require service providers to put a stop to copyright violations or to prevent them, provided that the technical measures necessary to achieve this do not excessively restrict the provider’s freedom to do business.
According to the Court of Justice, protecting wifi networks with a password represents a technical measure which “in no way prejudices the essential content of the rights” of access service providers and at the same time, is appropriate for protecting copyright “insofar as network users are obliged to reveal their identity and cannot therefore act anonymously”.
The Italian Government has signed an agreement with the Chinese e-commerce giant in order to promote the excellence of Italian agricultural products and to fight against the phenomenon of counterfeit produce.
The agreement will enable Italian producers to satisfy the increasing demand for typical Italian products on the Chinese platform, which counts over 430 million consumers. The agreement aims at guaranteeing our Italian brands with a high level of protection against the counterfeit products market. This is also an important result in light of the fact that for decades the WTO has been searching for an adequate form of protection, which in this case has been achieved with a private company in the space of just a few months.
Since last year it has no longer been possible to find counterfeit Italian agricultural produce and foodstuffs on the Chinese website, which has prevented the monthly sale of 99 thousand tonnes of counterfeit Parmesan cheese, 10 times more than the production of the authentic cheese itself, and the sale of 13 million bottles of Prosecco which did not originate from the Veneto Region (in Italy). Italy is currently the only country on Alibaba, which has granted the same level of anti-counterfeit protection to DOP and IGP products as that provided for commercial brands. A level of protection which under this agreement is extended from the b2b platform, accessible solely to companies, to the b2c platform, consequently assuring that those 430 million Alibaba website users will be able to purchase genuine “Made in Italy” products.
The Ministry of Agriculture has set up an operational task force at the Anti-Fraud Inspectorate with the aim of identifying and reporting counterfeit products on a daily basis. The ads are removed within 3 days and the vendors are informed that they are violating Italian geographical indications and designations of origin.
We should point out that Italy has also invested in the promotion of Italian wine and food on the Chinese e-commerce platform. With this agreement Alibaba has undertaken to instruct both vendors and consumers on the importance of geographical indications and designations of origin in the food industry.