On 1st January 2017 France brought into force a law on the “right to disconnect”, which aims at banning office emails outside working hours.
Conceived as a means to combat an increase in stress, linked to compulsive out-of-hours email checking, the new legislation requires all companies with more than 50 employees to start negotiations in order to define the rights of employees to ignore their smartphones out of working hours.
As is well known, replying to emails outside working hours is not usually considered as overtime and therefore generally remains unpaid. Moreover, employee availability during off-hours is nowadays considered “a duty” by many employers. For this reason the new law requires companies to reach an agreement with their employees, in which the out-of-hours times when employees are required to reply to office communications must be explicitly detailed. The new measure also aims to protect digital professionals, who work remotely and are therefore more exposed to off-hours calls.
The law was introduced after Labour Minister Myriam El Khomri had commissioned a report on the health impact of the uninterrupted flow of digital information, so-called “info-obesity”, coming from the workplace. The excessive use of digital devices on which employees are reachable 24/7 has been considered the cause of any number of health conditions, from “burnout” to sleeplessness and relationship problems.
A number of multinational companies based in France have already announced that they have taken steps to put in place innovative solutions such as a “curfew” on evening communications or systems that automatically delete emails sent to employees when they are on holiday or not working.
The Privacy Shield agreement, which regulates cross border data transfer flows between the European Union and the United States and which recently replaced the previous Safe Harbor agreement, is once again under discussion.
Only a few months after the text came into force, the European Court of Justice has been called upon to decide on the adequacy of the level of protection guaranteed by the Privacy Shield agreement.
A number of companies working in the digital sector and performing the transfer of personal data abroad (among which the by now well known Digital Rights Ireland Ltd.) argue that the Privacy Shield agreement does not offer an adequate level of protection, contrary to what was deemed to be the case by the European Commission, which on the 12th July 2016 implemented the adequacy decision, making legitimate the transfer of data towards the United States and those American organizations endorsing the new agreement.
In particular, the claimants maintain that the EU-US Privacy Shield does not fully implement those principles and rights regarding personal data protection included in directive 95/46/EC (which will be repealed from 2018 by means of recent EU Regulation 679/2016) and consequently, does not adequately safeguard the rights of European citizens. The appeals also object that the agreement does not exclude indiscriminate access to electronic communications by foreign authorities, in violation of the right to privacy, to the protection of personal data and the freedom of expression as set out in the Charter of Fundamental Rights of the European Union.
For the abovementioned reasons the said companies challenged the Commission’s adequacy decision in accordance with art. 263 TFEU, which grants interested parties the right to appeal against the Commission’s acts and obtain their annulment within two months from their entry into force or their publication.
It is worth recalling that the Article 29 Working Party had already expressed its fears regarding certain aspects of the agreement, which had not been modified, despite repeated requests for review. Immediately following the implementation of the Privacy Shield agreement, in a statement on the 26th July 2016, the Group of European DPAs underlined that no concrete security measures to prevent the general collection of data had been provided and that the independence of the role and powers of important redress bodies (such as the Ombudsperson) had not been guaranteed.
As a consequence, the new system does not seem to have helped to establish a climate of certainty regarding the legal framework regulating cross border data transfer flows to the United States, a country which has clearly not yet gained the trust of European operators. The decision by the Court of Justice is now awaited since it might either consider the appeals inadmissible due to a lack of legitimization or groundless motivations or decide to uphold them.
The 54th session of UNCITRAL Working Group IV on Electronic Commerce brought to a close work on the regulation of “Electronic Transferable Records”, following which a new Working Group on Identity Management was formed.
During the last session in Vienna, Working Group IV on Electronic Commerce of the United Nations Commission on International Trade Law (UNCITRAL) produced a final version of the International Model Law on Electronic Transferable Records and invited the UNCITRAL Secretariat to forward the text to all Member States and international organisations for their opinions, after which the text will then be submitted to the UNCITRAL Commission in Vienna in July 2017.
Over the last five years the Working Group’s activity focused on the definition, the rules and the use of these particular electronic financial data. As its President, Giusella Finocchiaro chaired the Working Group from 2012 until the termination of its work.
In its activity concerning ETRs, the Working Group drew inspiration from a number of fundamental principles such as those of technology neutrality and of non-discrimination between paper and electronic documents, keeping the impact on national substantive legislation to a minimum.
At the same time as they brought to an end their analysis of Electronic Transferable Records, the Working Group initiated a discussion on the new Identity Management project assigned by the Commission, which is currently an issue of significant national and international interest.
The new Working Group will be required to focus both on Digital Identification systems with a diversity of subjects and on bilateral systems and will have to take into consideration the identities of both natural persons and legal persons, without at the moment excluding digital objects. There was a reminder that the Commission’s mandate also concerns “Trust Services”, the detailed study of which will be made in the future, but which will immediately be taken into consideration in working out their definitions.
Therefore a group of experts has been created for the elaboration of first drafts. Given that the European Regulation on this subject has recently come into force, the European approach, which the Commission strongly supports, will be most significant.
A recent judgment by the European Court of Justice stated that IP addresses can be considered as personal data in that they can be used to identify a user by turning to the authorities or ISP providers.
The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.
Every access to German Government websites is registered with the aim of thwarting cyber attacks and identifying hackers and at the end of each consultation session, a range of data is stored, such as the name of the website or file consulted, words typed in the search bars, date and time of consultation, volume of transferred data, outcome of the consultation and the IP address of the computer which has effected access.
Mr Breyer petitioned the German administrative judges, requesting them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance trial, but the Appeal Judge partially accepted his petition, condemning the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the consultation session, even though in the form of an e-mail address.
Therefore, according to the German Court of Appeal, dynamic IP addresses associated with dates of consultation are only to be considered personal data in those cases when users have revealed their identity when surfing the web, whereas if users do not reveal their identity during a consultation session, IP addresses would not be considered as personal data as only Internet service providers could link those IP addresses to the names of their subscribers.
As both the Federal Republic of Germany and Mr Breyer opposed the Appeal Court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer aiming at full approval of his injunction and the State requesting its rejection.
The Federal Court of Justice pointed out that the qualification of IP addresses as «personal» data depends on whether or not it is possible to identify users and raised a question of doctrine regarding the choice of «objective» or «relative» criteria in order to establish whether a person is identifiable. Applying «objective» criteria, IP addresses could be considered personal data even if only one third party were able to determine the identity of the person involved; the third party in this case would be an Internet access service provider. On the other hand, according to «relative» criteria, these data could only qualify as personal data in relation to a particular subject, such as the Internet access service provider, who was able to trace precise identification back to a specific user. On the contrary, IP addresses could not be considered personal data for other subjects such as Internet site administrators, since they are not in possession of the necessary information for identification without resorting to external sources, except for those cases in which users reveal their identities while browsing the web.
First of all the European Court of Justice observed that a dynamic IP address does not represent information referring to an «identified natural person», since it directly reveals neither the identity of a computer owner connected to an Internet website, nor that of another person who may be using the same computer. However, the Court stressed that the wording in art. 2, letter a) of directive 95/46 proves that a person is considered identifiable when they can be identified not only directly, but also indirectly. Moreover, recital 26 of directive 95/46 states that, to determine whether a person is identifiable, it is appropriate that the sum total of the means that may be reasonably used by a data processor or others to determine said person’s identity should be taken into consideration.
According to the Court, the fact that additional information necessary to identify users is not directly in the possession of website administrators, but rather in that of Internet access service providers, is not sufficient to exclude dynamic IP addresses from being considered as personal data in accordance with art. 2, letter a) of directive 95/46. Indeed, it needs to be established whether the possibility to match a dynamic IP address to the names in the possession of Internet access service providers constitutes an accessible means for website administrators. A situation that would not be conceivable if the identification of the person involved was prohibited by law or in practice unfeasible, for example due to the fact that it would imply an enormous amount of time, cost and labour.
Despite German national legislation not allowing ISP providers to directly transmit information that identifies a person starting from an IP address, the Court stressed that there are legal instruments which, especially in cases of cyber attacks, allow website administrators to turn to the appropriate authorities, in order that these authorities can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means, which, with the help of other subjects, can be reasonably used to identify a person based on their IP address.
Therefore, the European Court of Justice has established that article 2, letter a) of directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website represents personal data, where website administrators are concerned, in the event that they are in possession of the legal means to allow the identification of the person involved by recourse to an Internet access service provider.
This is the interview Giusella Finocchiaro gave to Vanity Fair and which was published in issue 39/2016 of the weekly.
What laws do we have to protect us?
«Quite a few. Both of these recent incidents, for example, contain a series of civil offences that range from the violation of privacy legislation to the violation of a person’s fundamental rights. There are a number of possible offences that could be brought before a criminal court such as instigation to commit suicide, unlawful interference in a person’s private life and the handling of child-pornography material».
Who to press charges against? And how effective is it?
«Those to take action against are the authors, those who put the videos online. Then, naturally, action may also be taken against service providers, namely those companies which provide access to the Net, but only on certain conditions: they’re under no obligation to monitor in advance what’s made available online, nonetheless they’re legally required to remove contents if there’s provision to do so on the part of the judicial authority or of any other competent authority».
But can everything be blocked and for always?
«The possibility can’t be ruled out that the video has been downloaded by other users and that it keeps on circulating. Of course these other users are committing a crime as well. In practice, it’s a constant game of catch-up: in the digital dimension it’s extremely easy to even reproduce multiple copies of a message».
Should providers be given more responsibilities?
«Certainly, but not with a control system, because it’s very laborious. A mechanism to allow users to contact providers would be useful, because in this way, when they received a complaint, providers could verify and remove contents in a very short space of time».
What advice would you give to make good use of the Net?
«Never forget that when you access the Net you leave a strictly private dimension and you enter a very public one».
The European Court of Justice has recently been called on to rule on the use of the Internet and more specifically, of so-called free wifi networks (namely wifi networks not protected by passwords), which are often used by Internet users who violate copyright, taking advantage of the anonymity guaranteed by the net.
With its decision of the 15th September 2016 regarding lawsuit C-484/14, the Court of Justice ruled in favour of the acquittal of the administrator of a local wireless network, which was free and accessible without authorization, and which had been used by a user for the online distribution of a piece of music without the consent of the copyright holders.
Acknowledging Internet access services to be a service in the information society, which simply consist in the provision of access to a communication network, the Luxembourg Court adjudged the wifi network administrator to be exempt from all liability in accordance with Directive 2000/31/EC. As in the case of hosting service providers, the latter is in fact under no obligation (nor does he have the concrete means) to have any knowledge of and monitor information transmitted by his network.
However, keeping the necessary balance between fundamental rights (in the present case, the freedom to do business and copyright), the Court further stated that national judicial authorities may require service providers to put a stop to copyright violations or to prevent them, provided that the technical measures necessary to achieve this do not excessively restrict the provider’s freedom to do business.
According to the Court of Justice, protecting wifi networks with a password represents a technical measure which “in no way prejudices the essential content of the rights” of access service providers and at the same time, is appropriate for protecting copyright “insofar as network users are obliged to reveal their identity and cannot therefore act anonymously”.