On June 30, 2015, the French data protection authority, the CNIL, announced that it gave notice to 20 websites to comply with the consent requirements applicable to cookies.
After patiently waiting for almost a year to give websites the opportunity to comply with the cookie notice and consent rules explained in its official guidance from December 2013, the CNIL launched a series of audits (27 online audits, 24 on-site audits and 2 hearings) in October 2014.
The main finding of these audits was that for the most part, companies do not comply with the law in this area, the two main pitfalls being (i) the lack of comprehensive information and (ii) the fact that cookies are deployed on the user’s equipment before his/her consent has been collected.
In its press release, the CNIL pointed out that even where websites provide a cookie banner, they all automatically deploy cookies on users’ equipment anyhow, without waiting for the user consent.
The CNIL requires that websites:
China’s regulatory framework for foreign investment in the e-commerce industry has undergone significant liberalization. Previous pilot programs on a local level have been extended nationwide, with directives from the highest political level to remove restrictions.
On 19 June 2015, the Ministry of Industry and Information Technology issued a notice to lift foreign ownership restrictions in the e-commerce sector, subject to certain existing rules. A day later, the State Council issued guidance to encourage the development of cross-border e-commerce flows, a wider initiative to push China’s e-commerce champions to expand overseas.
For the full alert, please click here.
On 11 June 2015, Hogan Lovells’ Paris office hosted a seminar on cybercrime, focusing on practical ways for companies to address cybersecurity challenges.
Whether it takes the form of thefts or misappropriation of personal data or of attacks against a computer system or website, cybercrime is a threat that has considerably increased over the last years and that all companies must now face. The seminar featured presentations of renowned experts who provided their insight on how to improve companies’ cybersecurity.
This seminar was introduced by Christine Gateau, Winston Maxwell and David Taylor, Partners in Hogan Lovells’ Paris office, all three members of the firm’s TMT (Technology, Media and Telecoms) industry sector team.
The Polish Copyright and Neighbouring Rights Act gives the injured party an option to claim from the copyright infringer triple the value of license fees if the infringement was culpable. The value of the license fees is calculated on the basis of the market standard in similar cases. On 23 June the Polish Constitutional Tribunal found that provision to be unconstitutional.
The decision was made upon a request filed by UPC – one of largest digital cable television providers in Poland. The request was made in the context of a court decision awarding punitive damages against UPC in favour of the Association of Polish Film Makers for rebroadcasting of TV programs without paying a license fee.
In the second part of the French Digital Ambition Report (the “Report”), entitled “towards a new concept of public action: openness, innovation, participation“, the French Digital Council highlights the need to induce public authorities to act with more transparency and efficiency. The 15 practical recommendations in this section focus on opening up and digitalizing public services, notably to improve transparency and participation of citizens, as well as opening up public data to support innovation, the sharing of information and experiences.
The third part of the Report is dedicated to the promotion of French growth “towards an economy of innovation“. The French Digital Council makes recommendations to reform European law in order to harmonize the notion of innovation and to create a European “Innovation Act” (recommendation no. 33) notably to bring more flexibility in public procurement rules and state aid legislation. At national level, the funding policies (legal and tax frameworks) and the State’s actions (public procurements, State aids, etc.) should be adapted to new forms of innovation.
On 18 June 2015, the “Digital Ambition” Report “for a French and European digital transition policy” (“the Report”) was submitted to the French Prime Minister by the French Digital Council (Conseil National du Numérique).
As reported last October 2014, this Report is the result of a five-month (October 2014 – February 2015) national consultation launched by French Prime Minister Manuel Valls, along with State Secretary for digital economy Axelle Lemaire. Overall, 17,678 contributions were received from 2,300 contributors. On the basis of these contributions, the French Digital Council drafted its Report containing 70 recommendations to change the current legislation. The Report is divided into four parts, just like the national consultation.
A stricter regime for profiling
Profiling and Big Data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation.
What’s the deal?
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations.
Clearer information provision
Consumer groups often complain that information notices are too long and difficult for consumers to understand. This issue has become more significant as personal data is now collected in a variety of different situations (for example through mobile devices and the internet of things), where the nature of data collection and processing is less obvious. The Regulation requires controllers to tell individuals how their information will be used in clear and plain language, adapted to the individual data subject. For example, if information is being collected from a child, the language of the notice must be such that a child can understand it. Continue Reading
The German Federal Supreme Court handed down a decision concerning a dentist playing background music from broadcasting stations in the waiting area of his practice (I ZR 14/14). If this sounds familiar to you it is because the CJEU decided about a nearly identical case on the 15 March 2012 (C-135/10).
In the CJEU case, the “SCF”, the Italian collecting society for music rights, sued a dentist for playing background music from broadcasting stations in his practice without paying a license fee. The CJEU decided in this case that playing music from broadcasting stations within private dental practices is not “communication to the public” thus a license fee cannot be required. The Court stated that such a broadcast is not public, because the number of persons present in a dental practice at the same time is, in general, very limited. Furthermore, the broadcast is not of a profit-making nature, since patients visit a dental practice with the sole objective of receiving treatment and listening to music is not part of dental treatment.
Grounds for processing
Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent.
Stringent and uncertain consent rules
For starters, under the draft Regulation, if the data subject’s consent is given in a written document, and that document also concerns other matters (e.g. terms of service), the consent must be presented in a form that is distinguishable from the remaining contents of that document. This will result in the need to review existing contracts, general terms and conditions and other existing documents, in order to differentiate the consent language from the remaining subject matter.