EU Internet Law in the Digital Single Market 3030695824, 9783030695828

Citation preview

Tatiana-Eleni Synodinou Philippe Jougleux Christiana Markou Thalia Prastitou-Merdi  Editors

EU Internet Law in the Digital Single Market

EU Internet Law in the Digital Single Market

Tatiana-Eleni Synodinou • Philippe Jougleux • Christiana Markou • Thalia Prastitou-Merdi Editors

EU Internet Law in the Digital Single Market

Editors Tatiana-Eleni Synodinou Department of Law University of Cyprus Nicosia, Cyprus

Philippe Jougleux School of Law European University Cyprus Nicosia, Cyprus

Christiana Markou School of Law European University Cyprus Nicosia, Cyprus

Thalia Prastitou-Merdi School of Law European University Cyprus Nicosia, Cyprus

ISBN 978-3-030-69582-8 ISBN 978-3-030-69583-5 https://doi.org/10.1007/978-3-030-69583-5

(eBook)

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

While the, still ongoing, evolution of the digital society is altering the boundaries of law, new challenges appear - and new answers are given – even now, four decades after the digital revolution. In detail, for a long period of time the Internet was described as a universe without frontiers, as a cyberspace detached from real geography. In a sense, it was seen as the realization of a prophetic dream of a “global village,” especially at the beginning of the existence of the Network. Now, one could claim that the Internet is mostly seen as an inherently cross-border technology that, constantly, poses multiple challenges for the practical application of the law. The European Union (EU), by harmonizing, or, even unifying the law of its Member States in many areas, such as data protection, intellectual property rights, e-commerce, or even criminal law, to tackle these new challenges, is now regarded as a key player of global influence, in shaping this fast-evolving area of law. For instance, the enactment of Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR), in 2016, has led to the blocking of access of EU readers to thousands of American websites. Based on the process of European integration that continues to shape a political union slowly and gradually, Internet law has started to acquire a truly EU dimension. One key example of this growing interest is the recent creation of a filtering service regarding online copyright law (through Directive (EU) 2019/790). Another one is the introduction, for the first time, of transparency obligations, for online platforms, towards their business users (through Regulation (EU) 2019/1150 or Platform Regulation). This Book highlights some of the latest and most significant evolutions in the EU Internet law, presenting topics in highly related areas of law, including copyright law, data protection, criminal law and business and consumer protection and focuses specifically on their regulation and enforcement in the digital single market. It provides an overview and analysis of recent key developments affecting the EU Internet legal framework, written by a large panel of legal specialists, and edited by a team of experts on the EU Internet law. This collective volume is the result of the interesting and enthusiastic discussions that took place during the two-day international conference titled “Regulation and v

vi

Preface

Enforcement in the Digital Age” in 2019, in Nicosia, Cyprus and follows upon the two previously published books by Springer International Publishing on this innovative and highly important area of law. This Book is divided in six different parts. The first part, consisting of eight chapters, is titled “Copyright Law in the Digital Single Market,” and touches upon recent evolutions in online copyright law, especially after the modernization of the EU copyright rules and the enactment, along various other legislative instruments, of Directive (EU) 2019/790 on copyright and related rights in the digital single market (DSM Directive). In Chap. 1, Bernd Justin Jütte discusses about copyright and fundamental rights in the Digital Single Market. As he remarks, European copyright law has undergone an unprecedented reform process. Not in the extent to which the rules were changed, but by the background noise created by public interest groups which feared the abolished of fundamental rights on the Internet. In his contribution the author examines how fundamental rights have shaped the making and interpretation of European copyright law in the past and projects how this process might continue in the future, looking specifically at the use of fundamental rights arguments in the case-law of the Court of Justice of the European Union (CJEU or Court) and the relevant policy documents. He concludes, inter alia, that the CJEU, throughout its copyright case law, fails to develop a systematic approach how to balance, on one side, the different fundamental rights in their respective relationships, and, on the other, how fundamental rights relate to other fundamental principles and freedoms of the EU law. In Chap. 2, Tatiana Eleni Synodinou focuses on the direct and wider implications of the CJEU’s ruling in the Spiegel Online case on freedom of expression and other fundamental rights. She proceeds to a critical analysis of whether and how the balancing of copyright law with the right of freedom of expression, and other fundamental rights, through exceptions, limitations and, mainly, through the external limits of copyright law is affected by this CJEU ruling. Her chapter starts off by presenting the main findings of the Court on copyright exceptions and limitations stricto sensu. In the second part of the chapter, the author, focuses on the direct influence of human rights on copyright law, and on the analysis of how this ruling might or might not influence the status quo in these fields. She concludes that although the Spiegel Online case, has closed the door to the doctrinal and jurisprudential movement towards the direct influence of freedom of expression, this does mean that the past thirty years of jurisprudential use of a human rights approach in copyright law should be forgotten. Victor Castro Rosa, defends, in Chap. 3, his personal perspective on how Article 17 of the DSM Directive should be implemented. As he states the main purpose for Article 17 is to compel online content-sharing service providers (OCSSPs), to obtain blanket licenses on each Member State as a form of clearance for their main activity as providers of significant amounts of works and other protected matter, in the form of user-generated content. The author explains that in case where such licenses are not available, or if rights holders decide not to license OCSSPs, these will still be eligible for the exemption of liability, if they can show that they applied for such licenses and negotiated in good faith, including litigation under the national courts

Preface

vii

over the concrete amount to pay. He concludes that Article 17 represents the legal support for technology-enabled solutions aimed at restoring the exclusive rights of “communication to the public” and “making available.” These are highly necessary for the recovering of money and energy invested in intellectual creation. In Chap. 4, Yannos Paramythiotis focuses on fairness in copyright contract law and remuneration for authors and performers under the DSM Directive. He argues that Articles 18 and 20 of the said Directive introduce new legal tools for the protection of authors and performers against unfair agreements concerning their remuneration for the contractual exploitation of their works and performances. The author analyzes various issues relating to the scope, interpretation and national implementation of these new provisions while being critical towards certain choices of the European legislator. More specifically he concludes, inter alia, that it cannot be doubted that these provisions are a step in the right direction. However, the provisions’ actual impact on authors’ and performers’ income will be largely determined by the way the member states will implement them into their national legal orders. Anna Despotidou continues the discussion on the DSM Directive, in Chap. 5, focusing on the new mandatory teaching exception or limitation that has been introduced by Article 5 of the DSM Directive to allow the digital use of works and other protected subject matter for teaching purposes, including cross-border activities. After discussing the ratio of the teaching exception or limitation as well as its significance for the improvement and enrichment of the learning experience, the analysis focuses first on the rights covered by the above exception or limitation, and then on the conditions, under which it is provided. The author afterwards proceeds to assess the boundaries and “limitations” of the new teaching exception or limitation. In concluding, Anna Despotidou states that the wording of Article of the said Directive provides national legislators with a considerable degree of discretion in implementing the respective exception or limitation. As a result, the aim of full harmonization in the context of e-education seems difficult to be achieved and, thus, fragmentation in the internal market might not -once more- be avoided. As she claims a lot depends on the way national legislators will respond to the “challenge” that lies ahead of them. In Chap. 6, Caterina Sganga focuses on digital Exhaustion in the post-Tom Kabinet era. After years of controversial national decisions and CJEU’s dicta, the Grand Chamber’s ruling in the Tom Kabinet case seems to have excluded once forever – save for an ad hoc legislative intervention – the admissibility of digital exhaustion under Article 4(2) InfoSoc. This chapter provides an overview of the legislative and judicial debate that led to the Grand Chamber’s decision, analyzing the most relevant economic and legal arguments advanced in favor and against the extension of Article 4(2) InfoSoc to cover digital copies. The author then comments on the strengths and weaknesses of the Tom Kabinet ruling. Finally, although she states that the most appropriate solution to the stalemate would be a legislative intervention on Directive 2001/29/EC (InfoSoc Directive), provided that this does not feature among the priorities of the EU legislator, she proposes two different paths as a judicial solution to temporarily bridge this regulatory gap existing.

viii

Preface

Giorgos Demetris Vrakas, in Chap. 7, questions whether does copyright support musical creativity in a remix era. The author remarks that advancements of technology in music, the popularization and ease of access to home recording software and hardware, and the creation of user generated content orientated websites, have resulted in a move from users exhibiting a mere passive role towards having a more active role in the creation and dissemination of music. With his contribution the author aims to demonstrate whether the EU copyright and related enforcement regimes support musical creativity in a remix era by drawing inferences from the UK case law and beyond. It does so, using two sections. In the first main section of his chapter, the author, defines what a remix is and makes distinctions between different forms of musical remixes. In the second one copyright is viewed through the lens of three different perceptions of creativity and the question of whether musical remixes can be regarded as creative works under each of those perceptions is answered. Finally, the author brings together his concluding remarks on the three perceptions of creativity discussed in his chapter. In the last chapter of the first part of this Book, Chap. 8, Sevra Guler Guzel returns to the DSM Directive and investigates the negative outcomes of its Article 17 by examining the incompatibilities of content recognition and filtering technologies visa-vis the right of freedom of expression, found under Article 10 of the EU Charter on Fundamental Rights. The author concludes that although the DSM Directive presents new challenges for the protection of freedom of expression and the promotion of culture by not providing the necessary incentives and remedies, its ultimate impact depends on how the final version of this legislative instrument will be in practice applied. The second part of this Book, titled “AI Law in the Digital Single Market” introduces, through three different chapters, the growing involvement of Artificial Intelligence (AI), and consequently, its legal implications in our lives and economy. Cristina and Alexandra Vanberghen’ contribution, in Chap. 9, examines AI Governance as a patchwork. Their chapter explains the importance of bringing AI to the next level, by increasing the EU digital prowess of European citizens, fixing the rules for market power of tech giants, and understanding that transparency is essential to build trust in AI. Briefly, it examines AI governance from an institutional and regulatory perspective at international and the EU level. In detail the authors outline the importance of drawing up of the AI’s legal definition and briefly explore some of the challenges of AI in the military sector as well as the need of an EU strategic approach in its governance. They conclude that AI represents a new source of power and influence, therefore, approaching AI with constant attention for the quality of its regulatory approach will support the EU to remain a strategic digital actor at international level. Lilian Mitrou and Apostolos Vorras, in Chap. 10, unbox the black box of AI and claim that in the light of the growing impact of artificial intelligence on both society and individuals, the issue of “traceability” of automated decision-making processes arises. In detail, their chapter discusses the application of transparency and explainability principles to artificial intelligence, taking into consideration the nature, the inherent obstacles and the risks associated with such application, in the

Preface

ix

light of the new regulatory framework, and provides a pragmatic explanation as to why and how the black box will not become another Pandora’s Box. According to the authors, algorithmic transparency and explainability are not a standalone obligation but form an integral part of an overall algorithmic accountability regime, by virtue of which data controllers are required to employ a variety of controls and mechanisms to achieve compliance of algorithmic systems and data processing with the privacy framework. As they conclude, it is undisputable that this conversation over transparency and explainability will continue, since there are still several open challenges for artificial intelligence systems. The main challenge remains, how to convert “black box” to “glass box” models, without stifling innovation. Each actor, either private or public, has its own significant role in this process. Theodoros Chiou analyses, in Chap. 11, the relationship between copyright law and algorithmic creativity. As the author observes copyright protection is shaped based on the “traditional” creativity process paradigm, whereas access to previous – even copyrighted – works and their “use” as a source of inspiration is regarded as outside copyright law coverage. According to the author nowadays, a new creativity paradigm is rising. AI systems may emulate several types of human behavior in terms of computational processes, among which, the creation of a big variety of artistic works. This process could be characterized as “algorithmic creativity.” A question yet arises. Is algorithmic creativity process copyright-restrained, insofar training of AI systems relies on copyrighted training pre-existing works? This chapter answers this question through the lens of the EU copyright law. The author concludes his chapter by bringing forward certain de lege lata and de lege artis considerations. In the third part of the Book, entitled “Emerging Issues in EU Digital Law,” the authors explore out of the box approaches of the EU Internet law. In Chap. 12, Costas Paraskevas presents the duties and responsibilities of an Internet news portal on online comments posted by users in the European Court of Human Rights case law. The purpose of his chapter is to examine the Court’s responses in cases concerning the complex and multifaceted context of the Internet. It is argued that the Court has moved beyond its traditional approach concerning the right to freedom of expression and has developed certain guiding principles about the scope and limitations of the right within the digital environment. Focus is placed on the Court’s case law concerning the liability of Internet intermediaries for the violation of the right to reputation under Article 8 of the Convention. This case-law clearly illustrates the Court’s struggle in delineating the proper balance to be struck between freedom of expression, reputational and privacy interests in the Internet setting. The author concludes, inter alia, that the Court is alert to the dangers of undermining the right to receive and impart information through the Internet when holding Internet intermediaries accountable for user generated comments or hyperlinks and, considering its more recent case law, the original criticisms raised after Delfi SA, no longer seem justified. In Chap. 13, Ioanna Hadjiyianni investigates the global reach of the EU law in the digital age focusing on the territorial scope of data protection. As the author claims the unilateral extension of EU stringent data protection requirements beyond EU

x

Preface

borders is welcomed by many as ensuring the protection of privacy in a globalized digital world that knows no boundaries. Yet, despite the increasing importance and recognition of data protection rights, there is still considerable diversity around the world as to the appropriate level of protection. Within this context, her chapter analyses the enabling features of the EU law and relevant case law that have facilitated the extraterritorial reach of the EU law. It also assesses the constraining features of the EU law and the CJEU’s recent attempt to limit this territorial expansion on the right to be forgotten. She concludes, inter alia, that up to now, the EU legislature, reinforced by the CJEU’s interpretation, has struck a balance largely in favor of privacy and data protection that has enabled the extraterritorial reach of the EU data protection requirements. This balance and the enabling function of the EU law has not been significantly curtailed by the latest attempt of the CJEU to determine the right to be forgotten, an EU-cherished, judicially created right, with potentially universal application in case Google v CNIL. The author concludes that although the EU has leveraged the existing gap of effective regulation of data protection, considering significant legal and cultural differences around the globe, the unilateral extension of EU strict standards on data protection can give rise to legitimacy concerns if the EU ignores the interests of third country actors. In its fourth part titled “Fighting Cyber Criminality: European and National Approaches,” the Book presents, in four different chapters, the latest cyber criminality law trends. Cybercrime is a rapidly growing problem for various EU Member States. As the number and frequency of cyber breaches is increasing, this consequently leads to more cases of fraud and extortion that call for further legislative measures to be adopted. Philippe Jougleux, in Chap. 14, examines various legal issues related to malicious mining of cryptocurrencies from the scope of the EU law. First, his chapter explores the various methods of malicious cryptomining and then it focuses on the threats posed by this new phenomenon. It refers to existing relevant criminal legislation and analyses its adequacy to malicious cryptomining. Specifically, the possibility to apply the Convention of Budapest’s taxonomy on cyber offenses to malicious cryptomining and the new EU Directive on combating fraud are considered. Finally, issues related to enforcement and evidence are analyzed. This chapter concludes, that taking into consideration the legislative gaps currently existing, there is a need to introduce specific legislative measures to better apprehend this new damaging behavior. In Chap. 15, Vagia Polyzoidou shares her thoughts on the draft content of the Second Additional Protocol to the Budapest Convention on Cybercrime. As she clarifies, this Protocol is being prepared for a few years now and attempts to capture some of the most complicated aspects of cybercrime – such as mutual legal assistance, cooperation between authorities and service providers (in general) and data protection requirements. Because of the limitations on fundamental rights and freedoms that these issues bring forward, the chapter discusses how individuals and legal entities would be after all protected taking into consideration the protection afforded by the EU Charter of Fundamental Rights, general principles of the EU law and the Court of Justice of the European Union case law. In this context, the author

Preface

xi

examines the compatibility between these EU law provisions and the Council of Europe’s forthcoming protocol in question. She concludes that on the doorstep of this Second Additional Protocol the matters it deals with are more than complicated, while the expectations for this new instrument are more than high, just like the Budapest Convention. Nikolaos Zeniou explores in the following chapter, Chap. 16, the criminal law responses to “Revenge Porn” in Cyprus and England to identify this offense and assess the need for its legislative regulation and prevention. The technological development, the excessive utilization of technological means and the new forms of sexual expression, have increased the impact and prevalence of the, as it is generally known, “revenge porn.” However, despite the gravity and severity of the phenomenon, the adopted criminal law responses, particularly in England and Cyprus, seem to be misleading, unsatisfactory, and inadequate for various reasons. At the same time, the preventive techniques, in these countries, could be described as problematic, being unable to prevent the commission of the offense by future offenders and protect their potential victims from further damage. The chapter focuses on these issues and, by referring to various theories, reports and searches, attempts to identify this offense and its seriousness. Subsequently, by comparing the law in England and Cyprus, the author interestingly concludes his chapter by suggesting various legislative improvements and practical, preventive, solutions, which could be used to provide coherent and efficient responses to the offense. The final chapter of part IV, Chap. 17, comes from Yianna Danidou. This chapter focuses on cybersecurity aspects of Internet of Thing (IoT) that should be considered while regulating. As the author notes IoT is one of the most significant disruptive emerging technologies, harboring the potential for massive societal impact. IoT is expected to enable mass participation of end users (individuals) on mission critical services (energy, mobility, legal and democratic stability). More importantly the adoption of IoT and emergence of AI has raised many new legal, policy and regulatory challenges, broad and complex in scope. The author, in this chapter, focuses only on consumer IoT devices, how these exchange data reveal information, which can lead inferences revealing a specific person/ action and what are the considerations that can be taken in terms of cybersecurity and IoT. Among others, the author’s analysis shows that the existing EU legislation is being inevitably challenged by IoT. Furthermore, this chapter aims to provide the basis for an analysis of the current gaps and the needed recommendations for legal, accountability and liability issues in the consumer IoT domain. The author concludes that Industry Revolution 4.0 which is underway needs to be adequately regulated in all aspects – privacy, data breach, liabilities, compliance, and security. This is a necessity that is twofold: for the consumers to feel secure and privacy protected; and for the businesses and organizations to feel the obligation to comply or they will have to face the consequences of the law. In part V, titled “Privacy and Information Self-Determination in the Digital Age,” the Book focuses on some of the latest developments in the area of personal data protection law in the digital age. This part consists of three chapters.

xii

Preface

Komninos Komnios, in Chap. 18, views mediation under the GDPR lens. As the author claims although this Regulation covers data processing in mediation, as a variety of out-of-court procedures for dispute resolution, it does not explicitly clarify how it is to be applied to mediation. More importantly the European Data Protection Board, formerly known as the Article 29 of the Data Protection Party, have not issued any guidelines on the application of the GDPR to “out-of-court” dispute resolution mechanisms to date. Given the lack of direct guidance about the application of the GDPR to Mediation, the author discusses and assesses the GDPR’s impact on mediation and on key players processing personal data in the mediation process. Based on this analysis, the author arrives to the conclusion that applying the GDPR to mediation, and its special characteristics, is indeed challenging. This is further complicated by the overlapping rights and duties that the GDPR places on the parties, their legal counsels, Mediation institutions and Mediators, each of whom may have individual obligations for GDPR compliance. In the following chapter, Chap. 19, Eleni Tzoulia, covers the topic of targeted advertising in the digital era, with emphasis on the challenges to consumer privacy and economic freedom. Targeted advertising is considered to jeopardize both the privacy and the economic freedom of individuals. Therefore, at the EU level it is scrutinized, both, from a data protection and a consumer law perspective. It is argued that, in contemporary algorithmic society and digitalized economy, targeted advertising entails additional risks, which relate mainly to: a) excessive data processing and the formation of hyper-analytical consumer profiles, b) unfair algorithmic treatment and obscure decision-making process based on autonomous software (AI), c) intra-platform and in-app transactions. The author examines whether the applicable EU regulatory framework provides the necessary toolkit to address these modern challenges. In this respect, it conducts a critical analysis pertaining to the GDPR, Directive 2002/58/EC (the ePrivacy Directive) and its long-anticipated successor, the ePrivacy Regulation, as well as Directive 2005/29/EC on unfair commercial practices, taking into consideration the latest pertinent jurisprudence. The author concludes that online targeted advertising is considered likely to distort the economic behavior of the average consumer in any case that it is not meticulously labelled as such and not providing in a clear, unambiguous, and timely way all information necessary for the consumer to meet an informed transactional decision. Tine Munk, in Chap. 20, asks whether online privacy exists, focusing on the topic of voice recognition technologies and the Google Voice Assistance Case. This chapter focuses on the impact of the GDPR on data protection and privacy rights of online users in the light of the increasing data collection and processing from voice recognition technologies (voice assistants). It focuses on the use of the GDPR’s Article 66 to stop data collection/processing practices that potentially violate the provisions of this Regulation. The case study outlined in this chapter investigates how data is managed by the Internet and various tech companies, such as Apple, Google, Amazon, and Facebook – and how these companies data collection/processing practices circumvent online users’ privacy rights. More specifically the case study predominately focuses on Google’s practice of manually assessing personal data collected from voice assistants and highlights, as the author concludes,

Preface

xiii

only a snapshot of the problems associated with the use of IoT and voice recognition technologies. Finally, the last part of this Book, part VI, evaluates, in seven interesting chapters, new technological developments and the degree of protection of consumers as well as of companies in the digital environment. Geraint Howells, Christian Twigg-Flesner and Chris Willett introduce, in Chap. 21, new developments of 3D printing to clarify legal principles and concepts. Their contribution, which draws upon their earlier work on this topic, after explaining what 3D printing involves, summarizes how 3D printing regulation should continue to reflect traditional consumer values. However, as the authors argue the issues raised by 3D printing should be the occasion to test existing legal doctrine to see if any modifications are necessary. Although such arguments are found in the authors’ earlier work, in this chapter they are reviewed and expanded as they were able to take additionally into account Directive (EU) 2019/770 (the Digital Content Directive). The authors conclude that 3D printing has the potential to disrupt traditional manufacturing and distribution practices. Yet, consumer protection needs of consumers remain constant and some aspects of 3D printing may even increase risks as more non-professionals or parties with limited experience of 3D printing become involved in the production process. Therefore, the case for strict liability remains valid and consumer protection may even call for some new forms of liability to capture the significance of the supply network and the crucial role of platforms. Based on this, they propose that the law can be updated without discarding its core values. Ioannis Iglezakis, Vasiliki Samartzi, Ria Papadimitriou, and Evgenia Smyrnaki analyze in Chap. 22, private law considerations in the context of apps’ distribution via app stores. In the first part of their chapter, the various actors engaged in the distribution of applications are identified and the role of the app stores as online platforms - marketplaces is analyzed. The authors argue that the end-user (consumer) is the reference point of the legal approach to interpret the relations created and classify the contract typology. The second part of this chapter focuses on copyright law considerations based on the fact that certain features of an app are protected under Directive 2009/24/EC (the Software Directive) while other features are protected under the InfoSoc Directive. In particular, the evolution of traditional copyright concepts such as the “exhaustion of rights” and “first sale” doctrine, in the context of App Markets, is discussed. The authors conclude that, for the time being, application of traditional rules in the app environment does not contribute to legal certainty and in practice, the existing legal framework is inadequate to deal with the triangular relationships formed and restrictive license terms. Thus, there is need for a proper legal regulation of app distribution via app stores. Thalia Prastitou Merdi, in Chap. 23, deals with the problematic notion of “online intermediation services” found in the new EU Platform Regulation. The EU legislation on the regulation of fairness and transparency in commercial transactions has traditionally been brought forward using a consumer-oriented approach. In contrast

xiv

Preface

to this approach, and working upon the Digital Single Market Strategy, the EU legislators, adopted in July 2019, the new EU Platform Regulation, aiming to create a fair and transparent environment for businesses and traders when using online platforms. Her chapter, at first, introduces the main provisions of this Regulation aiming to unfold what is this new legislative initiative about. Second, and most importantly, the author focuses on the notion of “online intermediation services” found in this new Regulation. More specifically by discussing in detail recent important case law of the CJEU in this area of law, such as Uber Spain, Uber France and Airbnb Ireland that interpret and apply the notion of “information society service,” found in the complex notion of “online intermediation services,” the author attempts to answer the question of who is caught after all by this Regulation. The author arrives to the conclusion, inter alia, that this question cannot be readily answered with certainty in advance. It is a question that will be answered in practice on a case-by-case basis. In Chap. 24, Juan Salmeron calls into question the practice of loot boxes and gambling and the challenge of regulating random chance purchases in videogames. Using microtransactions, videogame publishers have developed a method through which they continue to extract profit from the games after the initial purchase, by urging the player to make further purchases within the games themselves. Of particular concern for regulators have been the so-called loot boxes, where players purchase a random chance of obtaining certain in-game content, which in turn might even be tradeable for real currency. In this chapter, the author, initially reviews the changes in the videogame market that have led to the current landscape and then moves on to an analysis of lootboxes, this controversial type of microtransactions, and whether these, due to their characteristics and mechanics, can be understood as a type of gambling. In the final part of his chapter, the author analyzes and compares the regulatory approaches taken by the Netherlands and the United Kingdom on this matter. In bringing together his conclusions the author argues that the way both the Netherlands and the UK have approached the issue of loot boxes is illuminating, as it highlights some of the challenges of regulating novel activities that are similar (bot not equal) to gambling. Michalis Chatzipanagiotis explores in Chap. 25 the issue of third-party liability of automated vehicles manufacturers for over-the-air software updates under the EU and national law. His chapter explains that automated vehicles combine software and hardware components in an integrated system. Over-the-air (OTA) updates are a practical method for manufacturers to deliver rapidly system updates. However, such updates may lead to legal complications, as they may not function properly or may create malfunctions or even may not be delivered on time to solve critical problems. The author examines these legal complications from the perspective of manufacturer third-part liability, under Directive 85/374/EEC (the Product Liability Directive) and the English tort of negligence, considering furthermore the role of insurance. The special statutory rules enacted in the UK and Germany are also considered. This chapter concludes that claimants will face significant challenges in establishing

Preface

xv

liability for OTA, especially from an evidentiary perspective, and that the most appropriate solutions should be insurance based. Evripides Rizos, covers in Chap. 26, the interesting question of the nature of rights upon cryptocurrencies from a European and a comparative law perspective. The chapter examines whether a legally recognized right or interest upon virtual currencies is indeed established and if so, what is the legal nature of such a right or interest. As the author claims the answers to these questions depend on the legislation of each jurisdiction, since no legislation has been adopted at the EU level, at least up to now, on the issue of cryptocurrency ownership and its legal nature. However, as no specific legislation on virtual currencies seems to exist additionally, at national level, the answers to the questions, seem to depend, after all, in practice on national general legal principles and rules, which of course differ from one national jurisdiction to another. This chapter distinguishes between common and civil law systems and explains how these issues are or could be dealt with, in each of these two legal systems in general and in some national jurisdictions in particular to discover common grounds or principles on this issue. Finally, a solution concerning certain civil law jurisdictions with respect to both the de lege lata and the de lege ferenda understanding of these issues is proposed. The author concludes that in the light of Directive (EU) 2019/713 the establishment and the recognition of a new, sui generis right with two components might seem like a way out of the problems related to the cryptocurrency ownership phenomenon. The final chapter of this part, and Book, Chap. 27, comes from Anna Plevri. The author focuses on the relationship between consumers and digital currencies in the EU and proceeds to a comparative analysis between fiat currencies and blockchain payment methods. Bitcoins and other digital currencies are used online and payments via these “currencies” for the selling of goods and services are made through the blockchain network. This chapter focuses on the “ecosystem” of digital currencies, and the legal risks and implications of blockchain payment methods for consumers. More specifically it defines the notion of “digital currencies,” it identifies key differences between digital and traditional currencies and commonly used forms of online payment and analyses the legal nature of digital currencies, in an EU law, if at all, perspective. Lastly, this chapter explores the legal issues, risks, and implications of the use of digital currencies by consumers mostly in terms of consumer protection and legal recourse. The author concludes that as there is still no EU-specific legislation targeting cryptocurrencies, this leads to legal uncertainty and facilitates unlawful actions. Legal certainty on the status of crypto assets, their ownership, their “transportation” as well as on the nature of smart contracts is crucial and when determined this will form a critical step in the future application of private law to transactions involving cryptocurrencies. After having a general overview of all twenty-seven chapters of the Book, one issue cannot be doubted. This Book gathers multiple interesting and recent topics of the EU Internet law, in general, and of legal sectors falling within it, in particular, that are readily available for anyone fascinated by this new legal area to read, think,

xvi

Preface

discuss, and reflect upon further in the future. Any piece of legal writing in such a novel and exciting area of law, aims to analyze the content, uncover the problems as well as open new perspectives of the EU Internet law, in an overall attempt to achieve better regulation and enforcement of the law in the digital age. This Book aims to form no exception and the editorial team would like to wish you, dear reader, a wonderful experience in exploring its content! Nicosia, Cyprus Nicosia, Cyprus Nicosia, Cyprus Nicosia, Cyprus

Tatiana-Eleni Synodinou Philippe Jougleux Christiana Markou Thalia Prastitou-Merdi

Contents

Part I

Copyright Law in the Digital Single Market

1

Copyright and Fundamental Rights in the Digital Single Market . . . Bernd Justin Jütte

2

Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online Case on Freedom of Expression and Other Fundamental Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tatiana-Eleni Synodinou

3

4

5

How Article 17 of the Digital Single Market Directive Should Be Implemented: A Personal View . . . . . . . . . . . . . . . . . . . . . . . . . . . . Victor Castro Rosa Fairness in Copyright Contract Law: Remuneration for Authors and Performers Under the Copyright in the Digital Single Market Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Yannos Paramythiotis The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM Directive): Ensuring Its Application in the Digital and Cross-Border Environment(s) While Losing the Way to Harmonization? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Anna Despotidou

3

27

49

77

99

6

Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate . . . 141 Caterina Sganga

7

Does Copyright Support Musical Creativity in a Remix Era? . . . . . 177 Giorgos D. Vrakas

8

Directive on Copyright in the Digital Single Market and Freedom of Expression: The EU’s Online Dilemma . . . . . . . . . . . . . . . . . . . . 205 Sevra Guler Guzel xvii

xviii

Contents

Part II

AI Law in the Digital Single Market

9

AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of AI at International and European Level . . . . . . . . . . . 233 Cristina Vanberghen and Alexandra Vanberghen

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic Transparency and/or a Right to Functional Explainability . . . . . . . 247 Apostolos Vorras and Lilian Mitrou

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Theodoros Chiou

Part III

Emerging Issues in EU Digital Law

12

The Duties and Responsibilities of an Internet News Portal on Online Comments Posted by Users in the ECtHR Case Law . . . 295 Costas Paraskeva

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of Data Protection . . . . . . . . . . . . . . . . . . . . . 311 Ioanna Hadjiyianni

Part IV

Fighting Cyber Criminality: European and National Approaches

14

Legal Aspects of Malicious Cryptomining in the EU . . . . . . . . . . . . 339 Philippe Jougleux

15

Combatting the Cybercrime: Thoughts Based on the Second Additional Protocol (Draft) to the Budapest Convention on Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 Vagia Polyzoidou

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England: Identification of the Offence and the Need for Legislative Regulations and Prevention . . . . . . . . . . . . . . . . . . . . . . 377 Nikolaos Z. Zeniou

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While Regulating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Yianna Danidou

Part V 18

Privacy and Information Self-determination in the Digital Age

Viewing Mediation Under the GDPR Lens . . . . . . . . . . . . . . . . . . . 419 Komninos Komnios

Contents

xix

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer Privacy and Economic Freedom: The Responses of the EU Legal Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Eleni Tzoulia

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Tine Munk

21

3D Printing: Clarifying Legal Principles and Concepts . . . . . . . . . . 509 Geraint Howells, Christian Twigg-Flesner, and Chris Willett

22

Private Law Considerations in the Context of Apps’ Distribution via App Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Ioannis Iglezakis, Vasiliki Samartzi, Ria Papadimitriou, and Evgenia Smyrnaki

Part VI

Consumer and Corporate Protection in the Digital Environment

23

The Notion of “Online Intermediation Services” Found in the New EU Platform Regulation: Who Is Caught After All? . . . . . . . . . . . . 543 Thalia Prastitou-Merdi

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance Purchases in Videogames . . . . . . . . . . . . . . . . . . . . . . . . . . 561 Juan Salmerón

25

Third-Party Liability of Manufacturers of Automated Vehicles for Over-the-Air Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581 Michael Chatzipanagiotis

26

The Nature of Rights Upon Cryptocurrencies . . . . . . . . . . . . . . . . . 605 Evripidis Rizos

27

Consumer Protection and Digital Currencies in the EU: A Comparative Analysis Between Fiat Currencies and Blockchain Payment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629 Anna Plevri

List of Contributors

Michael Chatzipanagiotis Law Department, University of Cyprus, Nicosia, Cyprus Theodoros Chiou Department of Private Law Α, School of Law, University of Athens, Athina, Greece Yianna Danidou Department of Computer Science and Engineering and Research Associate, School of Sciences, European University Cyprus, Nicosia, Cyprus Anna Despotidou Law Faculty, Aristotle University Thessaloniki, Thessaloniki, Greece Sevra Guler Guzel University of Hertfordshire De Havilland Campus, Hatfield, UK Ioanna Hadjiyianni Department of Law, University of Cyprus, Nicosia, Cyprus Geraint Howells University of Manchester, Manchester, UK Ioannis Iglezakis Faculty of Law, The Aristotle University, Thessaloniki, Greece Philippe Jougleux School of Law, European University Cyprus, Nicosia, Cyprus Bernd Justin Jütte Sutherland School of Law, University College Dublin, Dublin, Ireland Faculty of Law, Vytautas Magnus University, Kaunas, Lithuania Komninos Komnios International Hellenic University, Thessaloniki, Greece Lilian Mitrou Department of Information and Communication Systems Engineering, University of the Aegean, Karlovasi, Greece Tine Munk Middlesex University, London, UK Ria Papadimitriou Faculty of Law, The Aristotle University, Thessaloniki, Greece

xxi

xxii

List of Contributors

Yannos Paramythiotis Department of Law, Democritus University of Thrace, Komotini, Greece Costas Paraskeva Department of Law, University of Cyprus, Nicosia, Cyprus Anna Plevri School of Law, University of Nicosia, Nicosia, Cyprus Vagia Polyzoidou Law School, University of Nicosia, Nicosia, Cyprus Thalia Prastitou-Merdi School of Law, European University Cyprus, Nicosia, Cyprus Evripidis Rizos Law Faculty, Aristotle University Thessaloniki, Thessaloniki, Greece Victor Castro Rosa Cabinet for Studies and External Relations at GEDIPE Collecting Society for Audiovisual Producers, Lisbon, Portugal Juan A. Salmerón Henríquez Erasmus University Rotterdam, Rotterdam, Netherlands Vasiliki Samartzi Faculty of Law, The Aristotle University, Thessaloniki, Greece Caterina Sganga Scuola Superiore Sant’Anna, Pisa, PI, Italy Evgenia Smyrnaki Faculty of Law, The Aristotle University, Thessaloniki, Greece Tatiana-Eleni Synodinou Department of Law, University of Cyprus, Nicosia, Cyprus Christian Twigg-Flesner School of Law, University of Warwick, Coventry, UK Eleni Tzoulia Department for Economic and Commercial Law, Law School, Aristotle University of Thessaloniki, Thessaloniki, Greece Alexandra Vanberghen European School of Brussels, Brussels, Belgium Cristina Vanberghen Institute of European Studies, Brussels, Belgium Apostolos Vorras Department of Information and Communication Systems Engineering, University of the Aegean, Karlovasi, Greece Giorgos D. Vrakas The University of Edinburgh, Edinburgh, Scotland, UK Chris Willett University of Essex, Colchester, UK Nikolaos Zeniou Andreas Christou and Associates LLC, Nicosia, Cyprus

Part I

Copyright Law in the Digital Single Market

Chapter 1

Copyright and Fundamental Rights in the Digital Single Market Bernd Justin Jütte

Abstract European copyright law has undergone an unprecedented reform process, not in the extent to which the rules were changed, mainly by Directive (EU) 2019/ 790 on copyright and related rights in the Digital Single Market (DSM), but by the background noise created by public interest groups that feared the abolishment of fundamental rights on the Internet. This legislation developed almost in parallel to an increasing number of copyright cases before the Court of Justice of the European Union (CJEU) in which the established equilibrium in copyright law was challenged through fundamental rights. This contribution looks at the use of fundamental rights arguments in the case law of the CJEU and the relevant policy documents. It examines how fundamental rights have shaped the making and interpretation of European copyright law in the past and projects how this process might continue in the future.

1 Introduction Over the last two decades, EU copyright law has developed from a fragmented collection of vertical harmonization directives to a more comprehensive system with significant horizontal elements. The Information Society Directive1 was adopted in 2001. Eighteen years later, the Directive on Copyright in a Digital Single Market updated these rules to adapt them “to the evolution of digital technologies”.2

1

Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, OJ L 167, 22.6.2001, pp. 10–19. 2 Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market COM(2016) 593 final, p. 1. B. J. Jütte (*) Sutherland School of Law, University College Dublin, Dublin, Ireland Faculty of Law, Vytautas Magnus University, Kaunas, Lithuania e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_1

3

4

B. J. Jütte

Between these two cornerstones, as they stand today, of European copyright harmonization, other instruments harmonized certain aspects of copyright management,3 limitations and exceptions (L&E),4 orphan works,5 and cross-border uses.6 In parallel to the adoption of new rules, old ones made their way to the courts. The first referral for a preliminary decision on a provision of the Information Society Directive was made in 2004,7 and the number of cases on this particular directive has increased ever since. A theme that slowly developed in the jurisprudence of the Court of Justice of the European Union (CJEU) is the interplay between copyright and fundamental rights.8 The growing influence was predicted to have significant impacts on the interpretation of European copyright law and indeed increased after the adoption of the Charter of Fundamental Rights of the European Union (EU Charter)9 in 2009. Geiger had argued that giving intellectual property a new foundation would create a better balance within this area of law and give it legitimacy in the eye of the public. The investment-centered rationale of the twentieth century should be replaced by a fundamental and human rights foundation in order to “humanise the subject.”10 The CJEU had ample opportunity to recalibrate the balance as the number of preliminary references in copyright law increased steadily over the years, and so did the Court’s use of fundamental rights to interpret the balance between the interests of rightholders, users and intermediaries. With the limitations of the rules in the light of technological development becoming ever more apparent, the EU set out to reform copyright in a series of ambitious policy programs.11 This process culminated in a proposal for the DSM Directive as a second horizontal harmonization directive, 3 Directive 2014/26/EU of the European Parliament and of the Council of 26 February 2014 on collective management of copyright and related rights and multi-territorial licensing of rights in musical works for online use in the internal market, OJ L 84, 20.3.2014, pp. 72–98. 4 Directive (EU) 2017/1564 of the European Parliament and of the Council of 13 September 2017 on certain permitted uses of certain works and other subject matter protected by copyright and related rights for the benefit of persons who are blind, visually impaired or otherwise print-disabled and amending Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society, OJ L 242, 20.9.2017, pp. 6–13. 5 Directive 2012/28/EU of the European Parliament and of the Council of 25 October 2012 on certain permitted uses of orphan works, OJ L 299/5, 27.10.2012, pp. 5–12. 6 Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017 on cross-border portability of online content services in the internal market, OJ L 168, 30.6.2017, pp. 1–11. 7 CJEU, Judgment of 12.09.2006, Laserdisken ApS v Kulturministeriet, Case C-479/04, EU: C:2006:549. 8 See for example Jütte (2016), Geiger (2006a, b), Geiger and Izyumenko (2020), Izyumenko (2016), Jütte (2019c) and Husovec (2016). 9 Charter of Fundamental Rights of the European Union, OJ C 326, 26.10.202, pp. 391–407. 10 Geiger referred to this process as a ‘constitutionalization’ of European intellectual property law, Geiger (2006b), p. 406. 11 See for a comprehensive summary until 2016, Jütte (2017b), pp. 66–94.

1 Copyright and Fundamental Rights in the Digital Single Market

5

which sparked an unprecedented public debate on copyright reform. The legitimacy that Geiger had hoped to fortify with fundamental rights was eroded, while backroom lobbying resulted in a piece of legislation that left academics frustrated and the public disappointed.12 The criticism of the DSM Directive focused on the introduction of a new right for press publishers and a highly controversial recalibration of the liability regime for online platforms. One of the general criticisms leveled against the proposal was that certain provisions did not respect the fundamental rights of users, in particular the right to freedom of expression and information. This chapter examines the policy program of the EU Commission from 2010 to 2017, which led to the adoption of the DSM Directive. It then traces fundamental rights arguments in the copyright case law of the CJEU before discussing the recent challenge to certain provisions of the DSM Directive initiated by the Polish government in late 2019. This analysis will serve, by way of conclusion, to discuss how fundamental rights may be used in the future to rebalance European copyright law.

2 Fundamental Rights in EU Copyright Policy In 2010, the European Commission started a process that led to significant changes in copyright law. Roughly ten years after the adoption of the Directive on copyright in the Information Society, the Commission communication “A Digital Agenda for Europe”,13 among other policy goals, set out to modernize the EU copyright rules in order to realize the economic potential of the digital single market. The Digital Agenda relied mainly on transactional approaches to facilitate copyright clearance and cross-border management.14 However, it also recognized the need to review the legal framework for intellectual property enforcement in the light of growing and persistent online infringement of intellectual property rights and with regard to the protection of fundamental rights on data protection and privacy.15 The follow-up communication, “A Single Market for Intellectual Property Rights,”16 further elaborated the Commission’s strategy for developing a single market for intellectual

This frustration was due to the genesis of the text which was finally adopted and the final vote in the European Parliament. The critique during and after the legislative process address a lack of evidence for the proposal, the failure to adopt flexible and future-proof solutions and a disregard of fundamental rights. 13 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions. A Digital Agenda for Europe COM(2010) 245 final/2. 14 COM(2010) 245 final/2, pp. 7–10. 15 COM(2010) 245 final/2, pp. 9–10. 16 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions. A Single Market for Intellectual Property Rights. Boosting creativity and innovation to provide economic growth, high quality jobs and first class products and services in Europe COM(2011) 287 final. 12

6

B. J. Jütte

property rights. The Commission stressed that “[c]are should be taken to ensure the right balance between protection of rights and access, i.e. to develop fair regimes rewarding and incentivising inventors and creators, whilst ensuring the circulation and dissemination of goods and services, the exercise of other fundamental rights and the promotion and preservation of cultural and linguistic diversity.”17 The communication stressed that a review of the Directive on the enforcement of intellectual property rights (IPRED)18 must “respect all fundamental rights [. . .] in particular also the rights to private life, protection of personal data, freedom of expression and information and to an effective remedy.”19 It thereby expressly recognized rights of users of protected content as important elements in the balance that must inform a review of the existing legal framework. This broader approach reflected the Commission’s ambition to create a comprehensive framework for copyright in the digital single market that considers the interests of rightholders and users alike.20 An indication of this more balanced approach is the section on user-generated content (UGC). In this part, the Commission acknowledged that it is necessary to strike a balance between the rights of content creators and the need to take account of new forms of expression.21 Although not formulated as a right, the express recognition of UGC as a form of expression gives a new quality to users as elementary actors in the digital single market whose rights have to be respected beyond the realm of online copyright enforcement. This communication also considered exploring a more comprehensive reform of European copyright law in form of a “European Copyright Code,”22 but fundamental rights were not part of the initial considerations. However, in this context, the Commission also considered it necessary to review the appropriateness of the existing system of copyright exceptions in order to clarify the relationship between the various exclusive rights enjoyed by rights holders and the scope of the exceptions and limitations to those rights.23 These great ambitions did not immediately materialize in the form of concrete proposals. Instead, the second Barroso Commission initiated a number of more targeted legislative projects, which included the Collective Management Directive.24 The directive in its adopted form only makes reference to fundamental rights in relation to the monitoring of the use of licenses25 and its dispute settlement COM(2011) 287 final, p. 7. Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, OJ L 195, 2.6.2004, pp. 16–25. 19 COM(2011) 287 final, p. 19. 20 COM(2011) 287 final, p. 9. 21 COM(2011) 287 final, p. 12. 22 COM(2011) 287 final, p. 11. 23 COM(2011) 287 final, p. 11. 24 Directive 2014/26/EU of the European Parliament and of the Council of 26 February 2014 on collective management of copyright and related rights and multi-territorial licensing of rights in musical works for online use in the internal market, OJ L 84, 20.3.2014, pp. 72–98. 25 Recital 43, Directive 2014/26/EU of the European Parliament and of the Council of 26 February 2014 on collective management of copyright and related rights and multi-territorial licensing of rights in musical works for online use in the internal market, OJ L 84, 20.3.2014, pp. 72–98. 17 18

1 Copyright and Fundamental Rights in the Digital Single Market

7

provisions.26 The Orphan Works Directive,27 passed in 2012, does not mention fundamental rights at all. The communication “Single Market Act,”28 which dealt with a wider array of policy areas, also highlighted that intellectual property is protected as a fundamental right. The protection of this property rights, which importance for the sustainable economies of the EU the document compares to “raw materials or the industrial base,” would encourage investment. The protection of intellectual property must, however, have due regard for fundamental rights.29 Which rights these are the communication remained silent on. A staff working document accompanying a Commission communication that provided guidance on the interpretation of the Enforcement Directive emphasized the important role played by the CJEU in clarifying the relationship between the different fundamental rights concerned by the enforcement of IPR.30 A summary of the relevant case law is provided in the main communication, which dedicates a separate section on the interplay between enforcement and fundamental rights.31 Here it is stated that the rules set out in the Directive must be interpreted and applied in such a way that not only is this specific fundamental right safeguarded, but other fundamental rights at issue are also fully considered and respected.32 Although it is repeatedly underlined, with reference to the relevant case law, that all fundamental rights must be respected when balancing the respective interest against each other, the document then highlights conflicts in relation to the right of information under Article 8 Enforcement Directive.33 A follow-up titled “Promoting a fair, efficient and

26 Recital 54, Directive 2014/26/EU of the European Parliament and of the Council of 26 February 2014 on collective management of copyright and related rights and multi-territorial licensing of rights in musical works for online use in the internal market, OJ L 84, 20.3.2014, pp. 72–98. 27 Directive 2012/28/EU of the European Parliament and of the Council of 25 October 2012 on certain permitted uses of orphan works, OJ L 299/5, 27.10.2012, pp. 5–12. 28 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions. Single Market Act. Twelve levers to boost growth and strengthen confidence. “Working together to create growth” COM(2011) 206 final. 29 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee COM(2011) 206 final, p. 8. 30 Commission Staff Working Document. Evaluation. Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee. Guidance on certain aspects of Directive 2004/48/EC of the European Parliament and of the Council on the enforcement of intellectual property rights SWD(2017) 431 final, p. 29. 31 Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee. Guidance on certain aspects of Directive 2004/48/EC of the European Parliament and of the Council on the enforcement of intellectual property rights COM (2017) 708 final, esp. pp. 9–12. 32 COM(2017) 708 final, p. 10. 33 COM(2017) 708 final, pp. 11–12.

8

B. J. Jütte

competitive European copyright-based economy in the Digital Single Market”34 addressed various aspects of copyright law, including a separate section on copyright exceptions, but failed to mention fundamental rights in this or other contexts. The Digital Agenda itself delivered little in terms of addressing the balance between copyright and other fundamental rights. The legislation adopted under the 2010 policy program eventually did not tackle the thorny enforcement issues that were emerging in parallel.35 The agenda also failed to address a more comprehensive reform of the substantive copyright rules to review and reshift the balance of interest only ten years after the adoption of the Information Society Directive and left this task to its successor. The Junker Commission continued in the tracks of its predecessor and outlined its approach to copyright regulation in the “Digital Single Market Strategy.”36 Although the section dedicated to the modernization of copyright law37 did not address fundamental rights, it stressed the role of intermediaries, which role was also examined in a section on combatting illegal content online. With reference to illegal content in general, which should also include works unlawfully made available, the measures to fight such illegal content should be employed with due regard to their impact on the fundamental right to freedom of expression and information.38 The communication “Towards a modern, more European copyright framework,” which gave concrete shape to the Commission copyright policy under the Digital Single Market Strategy, disappointed by merely referring to fundamental rights with the by now well-established formula that a civil enforcement system must take full account of fundamental rights.39 The 2017 mid-term review of the Digital Single Market Strategy added nothing new when it stated that in the fight against illegal content online, “fundamental rights, such as freedom of speech, must be safeguarded and innovation needs to be encouraged. The Commission made the commitment to maintain a balanced and predictable liability regime for online platforms and to pursue a sectoral, problem-

34 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions Promoting a fair, efficient and competitive European copyright-based economy in the Digital Single Market COM(2016) 592 final. 35 Two years before the adoption of the Digital Agenda as the Commission policy program, the CJEU decided CJEU, Judgment of 29.01.2008, Productores de Música de España (Promusicae) v Telefónica de España SAU, Case C-275/06, EU:C:2008:54. 36 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions. A Digital Single Market Strategy for Europe COM(2015) 192 final. 37 COM(2015) 192 final, at 2.4. 38 COM(2015) 192 final, p. 12. 39 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Towards a modern, more European copyright framework COM(2015) 626 final, p. 11.

1 Copyright and Fundamental Rights in the Digital Single Market

9

driven approach when it comes to fighting illegal content online.”40 It seemed to contrast the safeguarding of fundamental rights and encouraging innovations as mutually exclusive objectives pursued by the policy strategy. The accompanying staff working document added that civil rights associations, consumers, fundamental rights experts and national authorities complain about the lack of public accountability for the mechanisms by which online platforms take decisions regarding removal of content.41 The efforts in the context of the Digital Single Market Strategy materialized in 2019 in form of the Directive on Copyright in a Digital Single Market.42 The explanatory memorandum to the first draft of a proposal for the directive posited that “[b]y improving the bargaining position of authors and performers and the control rightholders have on the use of their copyright-protected content, the proposal will have a positive impact on copyright as a property right,” and the introduction of new exceptions for text and data mining, the preservation of cultural heritage, and cross-border online teaching activities will have a positive impact on the right to education and cultural diversity, while the modified enforcement regime under what ultimately became Article 17 DSM Directive will only have “a limited impact on the freedom to conduct a business and on the freedom of expression and information [. . .] due to the mitigation measures put in place and a balanced approach to the obligations set on the relevant stakeholders.”43 Of course, the first draft underwent significant changes after the publication of the first draft,44 but it still must be measured against this strong expression of a desire to balance rights, exceptions, and enforcement mechanisms. Although copyright law is by now widely harmonized at EU level, copyright policy is mainly concerned with efficient management and economic exploitation of digital content. This includes enforcement of copyright in a digital environment, which is also consistently discussed with reference to a proper balance of fundamental rights. Recent legislative initiatives have been more balanced, including new

40

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. on the Mid-Term Review on the Mid-Term Review on the implementation of the Digital Single Market Strategy A Connected Digital Single Market for All COM(2017) 228 final, p. 8. 41 Commission Staff Working Document accompanying the document Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. on the Mid-Term Review on the implementation of the Digital Single Market Strategy. A Connected Digital Single Market for All SWD(2017) 155 final, pp. 28–29. 42 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC, OJ L 130, 17.5.2019, pp. 92–125. 43 Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market COM(2016) 593 final, p. 9. 44 A comparison table of the different draft versions of the directive has been made available by the UK Copyright and Creative Economy Centre at the University of Glasgow: https://www.create.ac. uk/policy-responses/eu-copyright-reform/#table (last accessed on 07.05.2020).

10

B. J. Jütte

exceptions, exclusive rights, and a revamp of online enforcement mechanisms for certain platforms. Nevertheless, it has become apparent in the brief review of the Commission’s policy agenda that fundamental rights are not absolutely central to its considerations on copyright reform. At best, the rights protected by the EU Charter are on equal footing with other policy goals, mainly the realization of a digital single market. The formulations used by the Commission when referring to fundamental rights suggest that the safeguarding of fundamental right is, at best, a secondary objective. However, because copyright is itself protected as a fundamental right under Article 17(2) EU Charter, this neglect of other rights casts doubts on whether the policy approach to copyright is already flawed with imbalance.

3 The Emancipation of Fundamental Rights in Copyright Law Briefly after the Information Society Directive had been adopted in 2001, Hugenholtz disputed its legality because, as he argued, the directive failed to remove obstacles for the internal market. The discretion left to the Member States (MSs), especially in the field of L&Es, would not create legal certainty. He therefore questioned the validity of its legal basis and predicted a flood of preliminary references to finish the job left largely undone by the European legislature.45 The directive was not challenged for lack of proper legal basis, but the Court received a constant stream of cases on the interpretation of many of its aspects.46 Aside from Article 8 of the Information Society Directive, which provides rules on sanctions and remedies for copyright infringements, its provisions relate to substantive copyright law. Therefore, the first wave of cases addressed the interpretation of concepts used in the directive. The Court gave substance to notions that the directive had left undefined and harmonized European copyright law through judicial intervention.47 Three structural principles stand out in the case law on the Information Society Directive. First, the Court established that the exclusive rights of Articles 2–4 have to be interpreted widely in order to provide a high level of protection48 and that limitations and exceptions are to be interpreted narrowly.49 45

Hugenholtz (2000), p. 501. To date, more than 80 cases have been referred to the CJEU, from the substantive provisions of the Directive, admittedly only seven in total, only Article 7 has not been subject to preliminary reference. 47 Hugenholtz argues that the Court “pursued and activist agenda”, Hugenholtz (2013), p. 62. 48 See recital 4 Information Society Directive. 49 Already in other areas of EU the Court had established that derogations for a general principle have to be interpreted strictly, see CJEU, Judgment of 19.07.2009, Infopaq International A/S v Danske Dagblades Forening, Case C-5/08, EU:C:2009:465, para. 52, CJEU, Judgment of 4.10.2011, Football Association Premier League Ltd and Others v QC Leisure and Others (C-403/08) and Karen Murphy v. Media Protection Services Ltd (C-429/08), Joined cases C-403/ 46

1 Copyright and Fundamental Rights in the Digital Single Market

11

Second, the terms used in the directive which do not make reference to national law constitute autonomous concepts of EU law and must be given uniform interpretation in the Member States.50 Third, the interpretation of the rules must ensure a fair balance between the competing interests.51 In parallel to developments at policy level, the CJEU started shaping copyright law in the light of fundamental rights. The Court’s growing concern with fundamental rights and substantive copyright law was triggered by a question of ownership, an area hardly touched by harmonization. In Luksan,52 the CJEU examined an Austrian law which vested ownership of certain rights in a cinematographic work in the producer, however the relevant EU legislation53 originally vested the relevant exploitation right in the principal director. The Court argued that the allocation of the rights, under EU law, to the principal director established a property right protected by Article 17(2) EU Charter. A national law that would alter this original allocation of a rights would, therefore, violate the right to intellectual property established and protected by EU law.54 Accordingly, it is the European legislator who draws the contours of intellectual property protection in the harmonized area but also finetunes the balance between the various rights at stake. Before Luksan, the Court had already examined the compatibility of a national rule that provided for the exhaustion of the distribution right in relation to originals or copies of works lawfully put into circulation outside the EU. The claimant in Laserdisken argued that a prohibition to import lawfully marketed copies from outside the EU violated the right to freedom of expression. The Danish law in question had implemented Article 4(2) of the Information Society Directive, which only provides for “Community exhaustion.” The claimant challenged the rule arguing that Danish citizens would be limited in their right to receive information.55 The Court found that Article 4(2) did not constitute a restriction on the right to

08 and C-429/08, EU:C:2011:631, para 162, CJEU, Judgment of 10.04.2014, ACI Adam BV and Others v Stichting de Thuiskopie and Stichting Onderhandelingen Thuiskopie vergoeding, Case C-435/12, EU:C:2014:254, para. 23, CJEU, Judgment of 03.09.2014, Johan Deckmyn and Vrijheidsfonds VZW v Helena Vandersteen and Others, Case C-201/13, EU:C:2014:2132, para. 22. 50 This, also, is a theme in the general CJEU case law, to which the Court referred in CJEU, of 21.10.2010, Padawan SL v Sociedad General de Autores y Editores de España (SGAE), Case C-467/08, EU:C:2010:620, para. 32, see also CJEU, Judgment of 03.09.2014, Johan Deckmyn and Vrijheidsfonds VZW v Helena Vandersteen and Others, Case C-201/13, EU:C:2014:2132, para.14 and Jütte (2017b), p. 23. 51 See only CJEU, Judgment of 03.09.2014, Johan Deckmyn and Vrijheidsfonds VZW v Helena Vandersteen and Others, Case C-201/13, EU:C:2014:2132, para. 26. 52 CJEU, Judgment of 9.02.2012, Martin Luksan v Petrus van der Let, Case C-277/10, EU: C:2012:65. 53 Article 1(5) and 2(1) of Directive 93/83 in connection with Article 2 and 3 of 2001/29 and Article 2(2), (4) and (5) of Directive 2006/115. 54 CJEU, Judgment of 9.02.2012, Martin Luksan v Petrus van der Let, Case C-277/10, EU: C:2012:65, paras. 68–70. 55 In its judgment the CJEU also examined whether Article 4(2) breached the principle of proportionality (paras. 52–59 and the principle of equal treatment (paras 67–70).

12

B. J. Jütte

receive information and, alternatively, that a restriction would be justified in the light of the need to protect intellectual property rights, including copyright, which form part of the right to property.56 It is worth noting that the first of two preliminary questions in Laserdisken read: “Is Article 4(2) of Directive [2001/29] invalid?”57 Neither did the Court engage substantially with the potential restriction of what was pre-Lisbon only a general principle, nor did it accept a challenge based on proportionality. It argued that the two objectives of the exhaustion rule were to ensure the smooth functioning of the internal market and to protect intellectual property rights. However, the analysis did not go beyond a recitation of the objectives set out in the recitals of the Information Society Directive.58 The Luksan ruling already demonstrated quite early in the Court’s engagement with fundamental rights in copyright cases that the legislative prerogative in determining the allocation of rights is final. The legislator established the distribution of rights and privileges and thereby created a property framework that cannot be altered by the Member States. The Court’s reluctance to intensively engage with fundamental rights in the framework of a proportionality analysis became apparent in Laserdisken. But gradually, though not very often, the judgments of the Court integrated fundamental rights in their arsenal for interpreting copyright law. By interpreting the copyright directives, the CJEU shaped substantive copyright law and enforcement mechanisms increasingly with references to fundamental rights, first as general principles and then as rights guaranteed by the EU Charter. Often, the Court raises fundamental rights on its own initiative; only occasionally did the national courts refer to firmamental right in their preliminary references. Until the references by the German Bundesgerichtshof (BHG) in Pelham, Funke Medien, and Spiegel Online (the “trilogy”),59 referring courts raised fundamental rights concerns

56 CJEU, Judgment of 12.09.2006, Laserdisken ApS v Kulturministeriet, Case C-479/04, EU: C:2006:549, paras. 60–66. 57 CJEU, Judgment of 12.09.2006, Laserdisken ApS v Kulturministeriet, Case C-479/04, EU: C:2006:549, para. 16. 58 The judgment referred recitals 9–11 of the Information Society Directive which state that the protection of copyright and related rights “helps to ensure the maintenance and development of creativity in the interests of authors, performers, producers, consumers, culture, industry and the public at large” and that authors and performer “have to receive an appropriate reward for the use of their work” which is why “[a] rigorous, effective system for the protection of copyright and related rights is one of the main ways of ensuring that European cultural creativity and production receive the necessary resources and of safeguarding the independence and dignity of artistic creators and performers.” In the light of these objective the legislative choice made by the legislator was not disproportionate (para. 59 of the judgment). 59 CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623; CJEU, Judgment of 29.07.2019, Pelham GmbH and Others v Ralf Hütter and Florian Schneider-Esleben, Case C-476/17, EU:C:2019:624; CJEU, Judgment of 29.07.2019, Spiegel Online GmbH v Volker Beck, Case C-516/17, EU:C:2019:625.

1 Copyright and Fundamental Rights in the Digital Single Market

13

almost exclusively in enforcement cases.60 In the latter, the rigtholders’ interest to enforce their rights collides with other interests of potential infringers and intermediaries without touching upon the normative structure of substantive copyright law. This is different when the Court is asked to interpret substantive copyright rules in the light of fundamental rights. In these cases, fundamental rights are generally used as tools to determine the internal balance in copyright law. The following sections will illustrate how in its case law the CJEU has approached the internal balance of copyright and enforcement of copyright in the light of fundamental rights, before examining external challenges to copyright law in the trilogy of cases. This overview will illustrate how the use of fundamental rights became more frequent until the BGH submitted three bold challenges disguised as preliminary references.

3.1

Copyright’s Internal Flexibility

The internal balance of copyright between the interest of rightholders and users of protected works in copyright law is a delicate affair to begin with. The Court took control of this balance when it introduced into copyright law the notion of autonomous concepts of EU law, which required that many terms in the acquis had to be shaped and filled with substance. Looking for the meaning of these concepts in the preambles often turned out to be futile as they offered little in terms of guidance other than that a fair balance must be struck between the various interests. As a result, the CJEU created a balance founded on the three structural principles to gradually fill these concepts with life. It defined the scope of protection of the exclusive rights and the scope of L&Es. Especially the exceptions of Article 5 Information Society Directive gave the Court the opportunity to develop its own interpretation of a balance within copyright law. The interpretation of exclusive rights remained largely untouched by fundamental rights, with two major exceptions. GS Media61 and Renckhoff62 helped to shape the

60

CJEU, Judgment of 24.11.2011, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), Case C-70/10, EU:C:2011:771; CJEU, Judgment of 16.06.2012, Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog NV, Case C-360/10, EU:C:2012:85; Joined Cases C-457/11 to 460/11, EU:C:2013:426; CJEU, Judgment of 27.03.2014, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproducktionsgesellschaft mbH, Case C-314/12, EU:C:2014:192; CJEU, Judgement of 15.09.2016, Tobias Mc Fadden v Sony Music Entertainment Germany GmbH, C-484/14, EU: C:2016:689, with the exception of CJEU, Judgment of 27.06.2013, Verwertungsgesellschaft Wort (VG Wort) v Kyocera and Others and Canon Deutschland GmbH, and Fujitsu Technology Solutions GmbH and Hewlett-Packard GmbH v Verwertungsgesellschaft Wort (VG Wort), Joined Cases C-457/11 to 460/11, EU:C:2013:426. 61 CJEU, Judgment of 08.09.2016, GS Media BV v Sanoma Media Netherlands BV and Others, Case C-160/15, EU:C:2016:644. 62 CJEU, Judgment of 07.08.2018, Land Nordrhein-Westfalen v Dirk Renckhoff, Case C-161/17, EU:C:2018:634.

14

B. J. Jütte

contours of the right of communication to the public63 and used fundamental rights to determine the limits of Article 3(1) Information Society Directive. In GS Media, the Court used fundamental rights to establish a distinction between different motivations to set hyperlinks. In order to avoid restrictive consequences for freedom of expression and of information, the same act of setting a hyperlink may or may not constitute a communication to the public within the meaning of Article 3 (1) Information Society Directive. Users who link to freely available content on the Internet and who do not pursue a profit do not make an act of communication to the public.64 While hyperlinks set by users not pursuing profit from copyright-protected content unlawfully made available on the Internet do not constitute an act of communication to the public, such links are, as general rule, an act under Article 3 (1) Information Society Directive if the user pursues a profit from setting the link. The Court’s interpretation partially constitutes an expansion of the notion of communication to the public compared to the Svensson ruling65 but justifies a narrower interpretation of the scope of protection for nonprofit uses with reference to the importance of the Internet for the exercise of certain fundamental rights.66 The Renckhoff ruling further fortified a rightholder-friendly interpretation of Article 3(1). The Court ruled that the reproduction on a website of a photo that is freely available on another website constitutes an act of communication to the public. In distinguishing the facts from those in GS Media, the judges argued that the functional difference between a reproduction and hyperlinking would not justify

63

In a line of cases the CJEU defined the right of communication to the public and making available under Article 3(1) Information Society Directive. The result has been heavily criticized for its complexity and for the judicial creativity the Court demonstrated. See only: Quintais (2018), Rosati (2017), and Hugenholtz and van Velze (2016). 64 CJEU, Judgment of 08.09.2016, GS Media BV v Sanoma Media Netherlands BV and Others, Case C-160/15, EU:C:2016:644, paras. 47–52; the Court argued that a user not acting for profit does not “intervene in full knowledge of the consequences of his conduct”, whereas a for-profit hyperlinker “can be expected [to carry] out the necessary checks to ensure that the work concerned is not illegally published on the website to which those hyperlinks lead.” 65 CJEU, Judgment of 13.02.2014, Nils Svensson and Others v Retriever Sverige AB, Case C-466/ 12, EU:C:2014:76. 66 In order to protect the proprietary interest of rightholders, commercial operators of websites or services must ascertain that links lead only to content lawfully made available. The interest that is tilted against the right to property here is not the economic interest of the operators, i.e. their right to conduct a business, but the right to information of the general public. Because of the importance of hyperlinks for the operation of the Internet, which according to the Court and the European Court of Human Rights (ECtHR) is of a particular importance for the exercise of the freedom of expression, a distinction based on a subjective element justifies the limitation of the rights of for-profit hyperlinkers, whereas non-for-profit hyperlinkers can exercise their freedom of expression unhindered. The right to information of the general public is ensured as hyperlinks, as one of the backbones of the Internet, only rarely will constitute an act of communication to the public. This argument is more implicit in the relevant part of the judgment: Judgment of 08.09.2016, GS Media BV v Sanoma Media Netherlands BV and Others, Case C-160/15, EU:C:2016:644 CJEU, Judgment of 08.09.2016, GS Media BV v Sanoma Media Netherlands BV and Others, Case C-160/15, EU: C:2016:644, paras. 45–54.

1 Copyright and Fundamental Rights in the Digital Single Market

15

a (noncommercial) user-friendly approach which permitted hyperlinking because of its fundamental importance for the sound operation of the internet by enabling the dissemination of information in that network characterised by the availability of immense amounts of information. Permitting the unauthorized reproduction of protected works freely available on the Internet would fail to strike a fair balance between the right to intellectual property under Article 17(2) of the EU Charter and the freedom of information and expression as guaranteed by Article 11.67 Here, the argument is much more pronounced and elaborate and the Court engages with the balancing exercise much more explicitly. In Pelham, the Court reduced the scope of the related rights of phonogram producers in instances where a user makes a reproduction of a protected phonogram in exercising the freedom of the arts.68 In this case, the fundamental right of Article 13 EU Charter serves an interpretative function in the determination whether the exclusive right of Article 2(c) Information Society Directive is infringed based on the subjective intention of the potential infringer.69 The struggle to find a “fair balance” is much more pronounced in the case law on L&Es. When interpreting the scope of the parody defense under Article 5(3) (k) Information Society Directive, the CJEU used fundamental rights to illustrate the objective of this particular exception. It stated that parody is an appropriate way to express an opinion. Freedom of expression and the public interest, according to the Court, are some of the objectives of the Information Society Directive, along with the protection of intellectual property.70 But, subsequently, the Court reduced the scope of the exception arguing that in its interpretation, a national court must also have regard to the principle of nondiscrimination embodied in Article 21(2) EU Charter.71 In Deckmyn, the Court used fundamental rights to restrict the parody defense in its concrete application to avoid results that are normatively undesirable. Systematically, in the absence of harmonization, fundamental rights are used as a backdoor for moral rights into the acquis. Why the Court resorted directly to fundamental rights instead of applying the three-step test of Article 5(5) Information Society Directive does not directly become apparent. However, the “right” not to be associated with a discriminatory message caused by the distortion of the work of an author could be considered as falling within the legitimate interests of the author. Either way, relying on fundamental rights enables the courts to correct the effects of a wide interpretation of the parody defense, which in itself in an expression of the balance between 67

CJEU, Judgment of 07.08.2018, Land Nordrhein-Westfalen v Dirk Renckhoff, Case C-161/17, EU:C:2018:634, paras. 40–42. 68 CJEU, Judgment of 29.07.2019, Pelham GmbH and Others v Ralf Hütter and Florian SchneiderEsleben, Case C-476/17, EU:C:2019:624, para. 31. 69 See Jütte (2019a), p. 827. 70 CJEU, Judgment of 03.09.2014, Johan Deckmyn and Vrijheidsfonds VZW v Helena Vandersteen and Others, Case C-201/13, EU:C:2014:2132, para. 25. 71 CJEU, Judgment of 03.09.2014, Johan Deckmyn and Vrijheidsfonds VZW v Helena Vandersteen and Others, Case C-201/13, EU:C:2014:2132, paras. 29–30.

16

B. J. Jütte

different fundamental rights. Fundamental rights serve both an expanding and a restricting function, which is the essence of a balancing exercise. This balancing, within the wording of the law, is left to the national courts. The Court gave fundamental rights an even more prominent function in the balancing exercise in Funke Medien. When interpreting Article 5(3)(c) and (d) of the Information Society Directive, the Court recalled the structural elements of interpretation for L&Es. The general principle of strict interpretation is countered with the requirement that the effectiveness of L&Es is safeguarded, which, in the Court’s argumentation are the two main elements of the ‘fair balance’ in copyright law72 It is here where fundamental rights are introduced into the argument. Pursuant to the Court, one of the aims of the exceptions for quotation and the reporting of current events is to ensure observance of fundamental freedoms. While it is necessary to protect the right to intellectual property, the protection provided by the EU Charter for intellectual property is not absolute.73 It must be reconciled with the right to freedom of expression, and in this interpretation regard must also be had to the interpretation given to both rights and their interaction with the jurisprudence of the ECtHR.74 Unfortunately, in the following two paragraphs, after having established the general framework to be applied and one source from which inspiration to give shape to that balance must be sought, the application of this general framework is rather disappointing and gives little instruction for future cases. With reference to one case decided by the Strasbourg Court,75 the CJEU recalls that when striking a balance between copyright and the right to freedom of expression, particular weight must be given to the nature of the speech concerned. The Court went on to find that the publication of the material, in this case confidential military reports, and the way it was presented could fall within the scope of application of Article 5(3)(c), second case of the Information Society Directive.76 What the Court is omitting is how exactly the process should look like that leads to establishing the result of the balancing exercise in a particular case. The Luxembourg judges, and it should be noted that the trilogy cases were decided by a Grand Chamber, seems to give national courts the tools but no instruction on how to operate them.77 In Spiegel Online, the Court argues very similarly but concludes its argument more detached form the facts. It establishes that when applying the exclusive rights and L&Es of the Information Society Directive, national courts must rely on an interpretation of those provisions which, whilst consistent with their wording and 72

CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, paras. 68–71. 73 CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, para. 72. 74 CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, para 73. 75 ECtHR (2013). 76 CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, paras. 74–75. 77 This image of (power) tool is borrowed from Griffiths (2018).

1 Copyright and Fundamental Rights in the Digital Single Market

17

safeguarding their effectiveness, fully adheres to the fundamental rights enshrined in the Charter.78 Again, this finding provides little in terms of guidance or instructions on how the balance must be struck. What becomes clear is that neither fundamental right—property or expression—is absolute. One indication the Court gives, which does not make this intellectual exercise much easier, is that L&Es confer rights on the users of works79 and, therefore, users of protected works enjoy at least equal standing in relation to rightholders. When the German Federal Court of Justice, the Bundesgerichtshof (BGH), delivered its rulings that had given rise to the preliminary references in the trilogy cases, it explored this internal flexibility. When interpreting the exception for the reporting of current events under Article 5(3)(c) Information Society Directive, the BGH gave precedence to freedom of expression and freedom of the press. In the context of a proportionality analysis, these fundamental rights were weighed against the right to property but also the moral rights of the authors.80 However, the BGH did not apply the standards of the EU Charter but resorted to national fundamental rights standards under the German Basic Law. It followed the lead of the CJEU, which had ruled in Spiegel Online that in areas not fully harmonized by EU law, the Member States are free to apply national standards of fundamental rights protection, as long as the level of protection guaranteed by the EU Charter is not compromised.81 Accordingly, in an area of full harmonization, such as the right of phonogram producers under Article 2(c), the BGH refrained from applying national standards and merely referred to the balance struck by the CJEU in Pelham.82

3.2

The Main Theatre: Enforcement

Until the trilogy, the vast majority of copyright cases in which the CJEU made reference to fundamental rights dealt with online enforcement. This mirrors the focus

78 CJEU, Judgment of 29.07.2019, Spiegel Online GmbH v Volker Beck, Case C-516/17, EU: C:2019:625, para 59. 79 See CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, para. 70 and CJEU, Judgment of 29.07.2019, Spiegel Online GmbH v Volker Beck, Case C-516/17, EU:C:2019:625 para. 54. 80 BGH, Judgment of 30. April 2020, I ZR 228/15 (‘Reformistischer Aufbruch’), DE: BGH:2020:300420UIZR228.15.0, paras. 60–76 and BGH, Judgment of 30. April 2020, I ZR 139/15 (‘Afghanistan Papiere’), DE:BGH:2020:300420UIZR139.15.0, paras. 49–55; see for comment: Priora and Jütte (2020) and Jütte and Priora (2020). 81 CJEU, Judgment of 29.07.2019, Spiegel Online GmbH v Volker Beck, Case C-516/17, EU: C:2019:625 para. 21; see e.g. BGH, Judgment of 30 April 2020, I ZR 139/15 (‘Afghanistan Papiere’), DE:BGH:2020:300420UIZR139.15.0, para. 24. 82 BGH, Judgment of 30 April 2020, I ZR 115/16 (‘Metall auf Metall IV’), DE: BGH:2020:300420UIZR115.16.0, para. 29.

18

B. J. Jütte

of concern in the policy documents identified above83 but could also simply reflect litigation realities. In its case law, the Court regularly had to examine specific enforcement measures and under which condition online intermediaries can be ordered to actively participate in online copyright enforcement. Enforcement cases are particularly complex as they involve multiple interests, including those of the rightholder, those of the infringer, and the economic interests of the intermediary. This particular constellation provides ample opportunities to shape the balance in this triangular relationship. When striking the balance between the different fundamental rights, the Courts seems to base itself on the assumption that all fundamental right have equal status.84 Therefore, it is nearly impossible to identify a certain pattern in the Court’s decisions.85 The balance very much depends on the individual circumstances of a particular case. In Promusicae, the Court decided that Member States can limit the requirement for an access provider to retain and make available information of persons who have infringed copyright to the context of criminal proceedings.86 However, when implementing the relevant European directives into their national law, and when applying national law, the Member States and their courts must ensure that a fair balance is struck between the competing rights.87 In its practical application, enforcement measures must not place an overly heavy burden on intermediaries, but they must nevertheless be effective in order to ensure the essence of the right to property. Accordingly, in Mc Fadden, the Court found that from three potential measures, the requirement to protect an open wireless network with a password constitutes a measure that would ensure an effective protection of copyright if no other less restrictive measures are available, if otherwise the rightholder would be left unprotected.88 In general, however, an intermediary can be obliged to decide on the measures necessary to terminate infringements without disproportionately restricting the intermediary’s right to conduct a business.89 In Bastei Lübbe, the Court ruled that the owner of an Internet access, who himself claimed not to have

83

See under Sect. 2. Peukert criticizes this approach based on a distinction between fundamental rights that do not require state activity to be enjoyed, for example the rights to freedom of expression, to conduct a business, to private and family life, and to undertake scientific and artistic activities, and the right to property, which only takes shape once a property right is established through national legislation, see Peukert (2015), pp. 135–136. 85 Sganga conceptualized the Court’s approach to a ‘fair balance’ in Sganga (2019), in particular pp. 694–696. 86 CJEU, Judgment of 29.01.2008, Productores de Música de España (Promusicae) v Telefónica de España SAU, Case C-275/06, EU:C:2008:54, para. 70. 87 CJEU, Judgment of 29.01.2008, Productores de Música de España (Promusicae) v Telefónica de España SAU, Case C-275/06, EU:C:2008:54, para. 68. 88 CJEU, Judgement of 15.09.2016, Tobias Mc Fadden v Sony Music Entertainment Germany GmbH, C-484/14, EU:C:2016:689, para. 98. 89 CJEU, Judgment of 27.03.2014, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproducktionsgesellschaft mbH, Case C-314/12, EU:C:2014:192, paras. 41–65. 84

1 Copyright and Fundamental Rights in the Digital Single Market

19

infringed copyright, cannot rely on the right to family life in order to disclose which member of his household might have committed infringing acts. Another interpretation, according to the Court, would render the exercise of the right to an effective remedy impossible and completely obliterate the right to property.90 But although the intensity of review in enforcement cases is higher compared to cases in which the Court interprets substantive rules, highlights are rare.91 The Court remains focused on a case-specific analysis of the facts and argues by implication rather than developing a coherent and systematically sound framework for balancing copyright with other interests.

3.3

The Firmness of Written Law

The trilogy of Pelham, Funke Medien, and Spiegel Online explored the external limits of copyright. In three different scenarios, the BGH tested the limits of L&Es and sought to explore whether there is flexibility beyond Article 5 of the Information Society Directive.92 Compared to all other cases before them, these references suggested that fundamental rights could do more than interpret the internal balance within copyright, Instead, they proposed fundamental rights as external controls to excessive exercises of copyright to restrict speech and artistic expression. Especially Pelham seemed to suggest that copyright is imbalanced. The German Constitutional Court, which had already decided on a constitutional complaint in this litigation, had already dictated an outcome that sat uneasy with the rules of the Information Society Directive.93 Central to all three preliminary references was the question whether the right to freedom of expression or, in Pelham, the right to artistic freedom could justify exceptions to the exclusive rights of the Information Society Directive which are not expressly included in the list of Article 5 of the same directive. The Pelham reference also raised the question whether a flexible norm similar to the US fair use defense could be maintained in the national copyright law of a Member State.94 The three judgments are a good illustration of the difference between internal and

90

CJEU, Judgment of 18 October 2018, Bastei Lübbe GmbH & Co. KG v Michael Strotzer, Case CC-149/17, EU:C:2018:841, para. 51. 91 Sganga (2019), pp. 685–688. 92 See for argument in this direction: Jütte (2019b) and Griffiths (2018). 93 See on the ‘Metall auf Metall’ see for example: Jütte and Maier (2017), Jütte (2017a, c), Jütte and Quintais (2019), Jütte (2019a), Leistner (2016), Apel (2019) and Böttger and Clark (2016). 94 See on an assessment of the compatibility of the German ‘free use’ (‘freie Benutzung’) exception: CJEU, Judgment of 29.07.2019, Pelham GmbH and Others v Ralf Hütter and Florian SchneiderEsleben, Case C-476/17, EU:C:2019:624, paras. 56–65.

20

B. J. Jütte

external flexibility,95 as the Court also had to interpret other core concepts, especially because both dimensions were argued in these cases.96 With reference to fair balance, the Court argued that “[t]he mechanisms allowing those different rights and interests to be balanced are contained in Directive 2001/29 itself” in the form of exclusive rights and limitations and exceptions.97 This statement is flanked by references to the aim of harmonization, which is to establish a fair balance between the interest of users and rightholders, and a reference to the sources of the fundamental rights of the Charter in the common constitutional traditions of the Member States and international instruments, a reminder that L&Es serve to give expression to specific fundamental rights, including the freedom of expression and the freedom of the press, and also to the three-step test of Article 5(5) Information Society Directive, which states that L&Es should be “applied only in certain special cases which do not conflict with a normal exploitation of the work or other subject matter and do not unreasonably prejudice the legitimate interests of the rightholder”.98 From this buildup, the Court concludes that permitting derogations from the author’s exclusive rights “would endanger the effectiveness of the harmonisation of copyright and related rights effected by that directive, as well as the objective of legal certainty pursued by it”.99 The Court does not say that this would endanger the right to property of the author; neither does it consider that this might severely restrict the freedom of expression of a user of protected works. Instead, this approach prioritizes the aim and purpose of copyright harmonization and legal certainty. In the CJEU’s jurisprudence, fundamental rights disappear behind market efficiency, or, read differently, a proper functioning of the internal market can only be ensured if fundamental rights are balanced identically in all Member States.100 These counterweights to potentially expansive fundamental rights arguments restrict the scope for an external control of copyright. Once the “fair balance” is cast into law it is difficult to challenge it before the CJEU. Accordingly, imbalances have to be addressed at an earlier stage. 95

See further Jütte (2020). See supra 3.1, on the decision of the Bundesverfassungsgericht see e.g. Leistner (2016), Jütte and Maier (2017), p. 785 and Maier (2018), pp. 54–56. 97 CJEU, Judgment of 29.07.2019, Pelham GmbH and Others v Ralf Hütter and Florian SchneiderEsleben, Case C-476/17, EU:C:2019:624, para. 60; identical in CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, para. 58 and CJEU, Judgment of 29.07.2019, Spiegel Online GmbH v Volker Beck, Case C-516/17, EU: C:2019:625, para. 43. 98 CJEU, Judgment of 29.07.2019, Pelham GmbH and Others v Ralf Hütter and Florian SchneiderEsleben, Case C-476/17, EU:C:2019:624, paras. 59–62. 99 CJEU, Judgment of 29.07.2019, Pelham GmbH and Others v Ralf Hütter and Florian SchneiderEsleben, Case C-476/17, EU:C:2019:624, para. 63. 100 What the Court does not address is that the optional nature of the L&Es of Article 5(2) and (3) Information Society Directive are optional and an identical list of exceptions is difficult to find in any two Member States. This is what Hugenholtz already criticized after the adoption of the Directive, and which has since been regularly remarked by a variety of academics, see only Guibault (2010), para. 48 and Jütte (2017b), p. 243. 96

1 Copyright and Fundamental Rights in the Digital Single Market

21

4 External Challenges to EU Copyright Law The trilogy cases did not challenge the Information Society Directive directly; they merely suggested that flexibility should be introduced through either a more flexible interpretation of L&Es or a margin of discretion on the part of MSs when implementing the provisions of the Directive. The BGH had also not suggested in any way that Article 5 itself was in violation of the fundamental rights of the EU Charter; it had merely proposed to give Member States flexibility to accommodate uses that are string expression of Articles 11 and 13 EU Charter. While the Court granted Member States a small margin of discretion in Funke Medien and Spiegel Online when it ruled that the exception for the reporting of current events under Article 5(3), second case, and the exception for quotation under (d) do not constitute a measure of full harmonization,101 it remained adamant that the list of L&Es contained in Article 5 of the Information Society Directive is exhaustive.102 Instead, the Court introduced marginal flexibility by relaxing the strict interpretation of the related right for phonogram producers, but in reality the standard still constitutes a very high hurdle.103 With this interpretative stretch based on fundamental rights, in these specific cases, the Court was able to reduce the tensions between the need to give protection to intellectual property under Article 17(2) of the EU Charter and the freedoms of expression and the arts under Articles 11 and 13 EU Charter. But the trilogy judgments did not bring about major systematic changes in EU copyright law. In Poland v Parliament and Council, the situation is fundamentally different. Instead of challenging an act of secondary legislation indirectly through a preliminary reference under Article 267 TFEU, the Republic of Poland challenges a provision of the DSM Directive through an action for annulment under Article 263 TFEU. It argues that Article 17(4)(b) and Article 17(4)(c), in fine, violate the fundamental right of freedom of expression and information guaranteed by Article

101

CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, para. 54, CJEU, Judgment of 29.07.2019, Spiegel Online GmbH v Volker Beck, Case C-516/17, EU:C:2019:625, para. 39. The Court argued that the wording “to the extent justified by the informatory purpose” (Article 5(3), second case) and “in accordance with fair practice, and to the extent required by the specific purpose” (Article 5(3)(d)) leave the Member States a significant margin of discretion to balance the interests involved. 102 CJEU, Judgment of 29.07.2019, Spiegel Online GmbH v Volker Beck, Case C-516/17, EU: C:2019:625, paras. 40–49; CJEU, Judgment of 29.07.2019, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, EU:C:2019:623, paras. 55–64; CJEU, Judgment of 29.07.2019, Pelham GmbH and Others v Ralf Hütter and Florian Schneider-Esleben, Case C-476/ 17, EU:C:2019:624, paras. 56–65. 103 The BGH ruled that the condition for an infringement of the reproduction right of the right of phonogram producers, namely that that the sequence taken from the original must be recognizable to the ear in the new work, must be assessed from the perspective of the average listener. Arguably, this standard is relatively low and a parallel comparison of two songs would in most cases, most certainly so in Pelham, result in the finding of an infringement.

22

B. J. Jütte

11 of the EU Charter.104 It might simply be a growing awareness of the relevance of fundamental rights for copyright law, which was reflected in the heated debates leading to the adoption of the DSM Directive,105 that led Poland to challenge Article 17.106 Either way, the action for annulment will provide more angles to examine the interplay between copyright and freedom of expression. The argument in the trilogy of cases pertaining to legal certainty will not carry in annulment proceedings. The maturity that the rules of Articles 2–5 of the Information Society Directive had acquired over the years stands in stark contrast to the freshness of Article 17 DSM Directive. The stakeholder dialogue initiated pursuant to Article 17(10), ongoing at the time of writing, exposed the many weaknesses and inconsistencies of the new enforcement regime for online content-sharing service providers (OCSSPs).107 Whatever the Advocate General and the Court will argue in the proceedings, the argument that saved the exhaustive nature of Article 5 Information Society Directive in the trilogy will not work in this case. The legal certainty and the proper functioning of the internal market that were maintained by adhering to the exhaustive list in Article 5 have not yet developed in relation to Article 17 DSM Directive. The balancing exercise is therefore reduced to the right to property under Article 17 (2) EU Charter and the right to receive and impart information under Article 11 EU Charter. This external scrutiny of the balance struck by the EU legislator in a fresh piece of legislation is much less complex than the balancing of competing fundamental rights in enforcement cases or the delicate dance within the limits of Article 5 and further constrained by the structural principles of European copyright the CJEU has developed in its case law. It will, hopefully, result in a more elaborate balancing between the right to property and the right to freedom of expression and shed light on the limits of these two rights.

104

CJEU, Application of 26.07.2019, Republic of Poland v European Parliament and Council of the European Union, Case C-401/19. 105 For academic criticism of Spindler (2020), who considers already the obligation to license under Article 17(1) in violation of EU law, see in particular the full legal opinion (Spindler, G., Gutachten zur Urheberrechtsrichtlinie (DSM-RL) Europarechtliche Vereinbarkeit (Artikel 17), Vorschläge zur nationalen Umsetzung und zur Stärkung der Urheberinnen und Urheber erstattet im Auftrag der Fraktion BÜNDNIS90/DIE GRÜNEN im deutschen Bundestag, available at: https://www.gruenebundestag.de/fileadmin/media/gruenebundestag_de/themen_az/netzpolitik/pdf/Gutachten_ Urheberrechtsrichtlinie_01.pdf, last accessed on 03.05.2020.) See also Ohly (2018), p. 675, more moderate in his criticism is Gerpott (2019). 106 There is also a particular political flavour to the challenge brought by the Polish government, see Targosz (06.09.2019). 107 See for a summary of the first stages of the stakeholder dialogues see Keller (07.05.2020a) and Keller (07.05.2020b).

1 Copyright and Fundamental Rights in the Digital Single Market

23

5 Concluding Remarks Griffiths argued in 2013 that half-hearted references to fundamental rights in the CJEU’s case law would negatively affect the status of fundamental rights in the EU legal order.108 The general shallowness of proportionality reviews in attempts to strike a proper balance based on fundamental rights has confirmed these fears. Throughout its copyright case law, be it on enforcement or the interpretation of the substantive law contained in the various directives, the Court fails to develop a systematic approach on how to balance, on one side, the different fundamental rights in their respective relationships and, on the other, how fundamental rights relate to other fundamental principles and freedoms of EU law.109 The notions of “fair balance” and “proportionality” fail to function as arbitrators between the interests of rightholders, users, intermediaries, and the general public.110 This is even more so because the Court has closed in on the substantive rules with interpretative techniques such as the narrow interpretation of L&Es, a wider interpretation of exclusive rights, and the development of autonomous concepts, all of which reflect an almost obsessive fascination with ever-increasing harmonization.111 Fundamental rights merely serve as weathervanes for the interpretation of existing law, the conformity of which with Charter rights the Court seems to take as given. Challenging the law forged by the EU legislator is difficult, if not impossible, because the Court will not review the law in the light of the EU Charter.112 In its rulings on the substantive rules of the EU copyright acquis, the Court clearly rejects rewriting the law or letting Member States rewrite the law. Accordingly, it cemented the allocation of exclusive rights in Luksan and denied Member States flexibility to develop limitations and exception inside the harmonized field in the trilogy. In its interpretation of the rules, the Court is slightly more flexible and allows for limited flexibility. The interpretation of the Information Society Directive in Deckmyn and Pelham has demonstrated the Court’s readiness to allow flexibilities within strict boundaries. Indirect challenges to the harmonized rules through the preliminary reference procedure are unlikely to have immediate effect, considering the limited willingness of the Court to stretch the rules by judicial intervention. However, persistent efforts to expose the absence of a proper balance through unsuccessful challenges can raise awareness of the need to reform copyright systematically. Although the European

108

Griffiths (2013), p. 78. See Griffiths (2019), pp. 36–37. 110 Griffiths argues that “that the concept of ‘fair balance’ offers no real assistance as a guiding principle”, Griffiths (2013), p. 73, with reference to Drassionover (2009). 111 Cf. Rognstad (2018), pp. 176–177 and Griffiths (2013), p. 75. 112 See critically Geiger and Izyumenko (2020), arguing that by refusing to conduct external reviews of the EU’s copyright rules in the light of fundamental rights the Court fails to complete a full constitutionalization of European copyright law and also takes a position contrary to that of the European Court of Human Rights (pp. 300–303). 109

24

B. J. Jütte

Commission has not taken up its promise to reform copyright substantially, constant reminders might eventually lead to legislative intervention—though this might still be a many years away. An opportunity to challenge a copyright directive rarely presents itself, especially one in which the arguments have already been prepared in a public discourse. The irony is that the stakeholder dialogue on best practices for cooperation between online content-sharing service providers and rightholders will provide the courts with arguments against the position of the Polish government. This is why it is even more important that the Court engages in a thorough discussion why Article 17 does or does not infringe the right to receive and impart information (which it certainly does) and whether such an interference can be justified. The ways on how the balance can be restruck through a cooperation between all the three groups of stakeholders would then be relevant in the discussion on what means are available to mitigate the effects of a violation of Article 11 EU Charter. The Court should also use this occasion to make an attempt to sketch the contours of a balance between intellectual property and freedom of expression instead of sticking to a case-specific balancing exercise every single time the question of balance is raised.113 This is certainly a political decision; however, it would be the task of the judiciary to rein in the legislature if the latter has skewed the balance too far. What gives hope is that the Court will not be able to rely on legal certainty and the proper functioning of the internal market as principles that would add further variables to the balancing exercise. A decision in favor of Article 11 could influence the appreciation of fundamental rights in the case law of the Court significantly; too much deference to the prerogative of the legislature would reduce the role that fundamental rights play in copyright law significantly. And here lies the danger that Griffiths has warned against. Paying lip service to fundamental rights could not only undermine their status as constitutional pillars of the EU legal order, stemming from the constitutional traditions of the Member States. Half-hearted references to fundamental rights that only cement the status quo can also harm copyright as a normative system. Striking a balance between the different fundamental rights and the interests of rightholders, users, and the public is indeed a delicate task, but it is a task that must be taken seriously. Otherwise, it will become a ritual without meaning.

References Apel S (2019) Unionsrechtliche Beurteilung des Tonträgersamplings “Metall auf Metall” – Schlussantrag. MMR 22:97 Böttger F, Clark B (2016) German Constitutional Court decides that artistic freedom may prevail over copyright exploitation rights (‘Metall auf Metall’). JIPLP 11:812–814

113

For a critique of this repetitive exercise see Sganga (2019), p. 659.

1 Copyright and Fundamental Rights in the Digital Single Market

25

Drassionover A (2009) From distribution to dialogue: remarks on the concept of balance in copyright law. J Corp Law 34:991 Geiger C (2006a) Copyright and free access to information: for a fair balance of interests in a globalised world. EIPR 28:366 Geiger C (2006b) “Constitutionalising” intellectual property law? The influence of fundamental rights on intellectual property in the European Union. IIC 37:371 Geiger C, Izyumenko E (2020) The constitutionalization of intellectual property law in the EU and the Funke Medien, Pelham and Spiegel Online Decisions of the CJEU: progress, but still some way to go! IIC 51:282 Gerpott TJ (2019) Artikel 17 der neuen EU-Urheberrechtsrichtlinie: Fluch oder Segen? Einordnung des Streits um “Upload-Filter” auf Online-Sharing-Plattformen. MMR 22:420 Griffiths J (2013) Constitutionalising or harmonising? The Court of Justice, the right to property and European copyright law. Eur Law Rev 31:65 Griffiths J (2018) Taking power tools to the acquis – the Court of Justice, the Charter of Fundamental Rights and European Union copyright law. In: Geiger C, Nard CA, Seuba X (eds) Intellectual property and the judiciary. Edward Elgar, Cheltenham, Northampton, pp 144–174 Griffiths J (2019) European Union copyright law and the Charter of Fundamental Rights—Advocate General Szpunar’s Opinions in (C-469/17) Funke Medien, (C-476/17) Pelham GmbH and (C-516/17) Spiegel Online. ERA Forum 1 Guibault LMCR (2010) Why Cherry-picking never leads to harmonisation: the case of the limitations on copyright under Directive 2001/29/EC. JIPITEC 1:55 Hugenholtz PB (2000) Why the Copyright Directive is unimportant, and possibly invalid. EIPR 22:499 Hugenholtz B (2013) Is harmonization a good thing? The case of the copyright acquis. In: Pila J, Ohly A (eds) The Europeanization of intellectual property law: towards a European legal methodology. Oxford University Press, Oxford, pp 57–73 Hugenholtz PB, van Velze SC (2016) Communication to a new public? Three reasons why EU copyright law can do without a ‘new public’. IIC 47:797–816 Husovec M (2016) Intellectual property rights and integration by conflict: the past, present and future. CYELS 18:239 Izyumenko E (2016) The freedom of expression contours of copyright in the digital era: a European perspective. JWIP 19:115 Jütte BJ (2016) The beginning of a (happy?) relationship: copyright and freedom of expression in Europe. EIPR 38:11 Jütte BJ (2017a) New perspectives for sampling - US and German developments and what comes next. Entertain Law Rev 28:127 Jütte BJ (2017b) Reconstructing European copyright law for the digital single market: between old paradigms and digital challenges (10). Nomos, Baden-Baden Jütte BJ (2017c) Sampling of sound recordings in the United States and Germany: revival of a discussion on musical creativity. In: Torremans PLC (ed) Research handbook on copyright law, 2nd edn. Edward Elgar, Cheltenham, Northampton, pp 273–297 Jütte BJ (2019a) CJEU permits sampling of phonograms under a de minimis rule and the quotation exception. JIPLP 14:827 Jütte BJ (2019b) Forcing flexibility with fundamental rights: questioning the dominance of exclusive rights. In: Synodinou T-E, Jougleux P, Markou C, Prastitou T (eds) EU internet law in the digital era. Springer, Cham, pp 79–98 Jütte BJ (2019c) The limited effects of fundamental rights on copyright exceptions. MR-Int 16:52 Jütte BJ (2020) Finding the balance in copyright law: internal and external control through fundamental rights. In: Torremans PLC (ed) Intellectual property law and human rights, 4th edn. Kluwer Law International, Alphen aan den Rijn, pp 461–483 Jütte BJ, Maier H (2017) A human right to sample – will the CJEU dance to the BGH-beat. JIPLP 12:784

26

B. J. Jütte

Jütte BJ, Priora G (2020) No copyright infringement for publication by the press of politician’s controversial essay. JIPLP (forthcoming) Jütte BJ, Quintais JP (2019) Advocate General turns down the music - sampling is not a fundamental right under EU copyright law: Pelham v Hutter. EIPR 41:654 Keller P (2020a) Article 17 stakeholder dialogue: what we have learned so far – Part 1. Available via K. C. Blog. http://copyrightblog.kluweriplaw.com/2020/01/13/article-17-stakeholderdialogue-what-we-have-learned-so-far-part-1/. Accessed 13 Jan 2020 Keller P (2020b) Article 17 stakeholder dialogue: what we have learned so far – Part 2. Available via K. C. Blog. http://copyrightblog.kluweriplaw.com/2020/01/14/article-17-stakeholderd i a l o g u e - w ha t - w e - h a v e - l e a r ne d - s o - f a r - p a r t - 2 / ? d oi n g _ w p _ c r o n ¼1 58 8 9 3 6 6 57 . 9141190052032470703125. Accessed 14 Jan 2020 Leistner M (2016) Die “Metall auf Metall” - Entscheidung des BVerfG. Oder: Warum das Urheberrecht in Karlsruhe in guten Händen ist. GRUR 118:772 Maier H (2018) Remixe auf Hosting-Plattformen: Eine urheberrechtliche Untersuchung filmischer Remixe zwischen grundrechtsrelevanten Schranken und Inhaltefiltern (Internet und Gesellschaft, Band 11), 1st edn. Mohr Siebeck, Tübingen Ohly A (2018) The broad concept of “communication to the public” in recent CJEU judgments and the liability of intermediaries: primary, secondary or unitary liability? JIPLP 13:664 Peukert A (2015) The fundamental right to (intellectual) property and the discretion of the legislature. In: Geiger C (ed) Research handbook on human rights and intellectual property. Edward Elgar Publishing, Cheltenham, Northampton, pp 132–148 Priora G, Jütte BJ (2020) Leaking of secret military reports qualifies as reporting of current events. JIPLP (forthcoming) Quintais JP (2018) Untangling the hyperlinking web: in search of the online right of communication to the public. JWILP 21:385 Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017 on cross-border portability of online content services in the internal market. Content Portability Regulation, OJ L 168, 30.6.2017, pp 1–11 Rognstad O-A (2018) Property aspects of intellectual property. Cambridge University Press, Cambridge Rosati E (2017) GS media and its implications for the construction of the right of communication to the public within EU copyright architecture. Common Market Law Rev 54:1221 Sganga C (2019) A decade of fair balance doctrine, and how to fix it: copyright versus fundamental rights before the CJEU from Promusicae to Funke Medien, Pelham and Spiegel Online. EIPR 41:683 Spindler G (2020) Art. 17 DSM-RL und dessen Vereinbarkeit mit primärem Europarecht. Zugleich ein Beitrag zu Umsetzungsmöglichkeiten. GRUR 122:253

Chapter 2

Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online Case on Freedom of Expression and Other Fundamental Rights Tatiana-Eleni Synodinou

Abstract This chapter aims to provide a critical analysis of whether and how the process of balancing copyright law with fundamental rights through exceptions, limitations and primarily the external limits of copyright law is affected by the Court of Justice of the European Union’s (CJEU’s) decision in the case of Spiegel Online GmbH v Volker Beck (C- 516/17). The first part is dedicated to the main findings of the CJEU with regard to copyright exceptions and limitations stricto sensu (Sect. 2). The second part focuses on the direct influence exerted by human rights on copyright law and refers to an analysis of how the CJEU’s findings might or might not influence the status quo in these fields (Sect. 3).

1 Introduction Historically, copyright law has a peculiar relationship with freedom of expression. First, copyright law and freedom of expression should a priori harmoniously coexist1 since copyright law ensures that authors can enjoy economic and intellectual independence, which was seriously undermined in eras when authors were dependent on sponsors and wealthy patrons.2 Furthermore, copyright serves to incentivise the creation of new forms of expression, thereby promoting freedom of expression, and already incorporates values and notions derived from the right to freedom of expression.3 In addition, attribution of copyright to authors reduces the risk of state censorship, which is serious when the author’s main source of income is state sponsorship. 1

Samuelson (2003). Chafee (1945) and Netanel (1996). 3 Lee (2015). 2

T.-E. Synodinou (*) Department of Law, University of Cyprus, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_2

27

28

T.-E. Synodinou

In modern times, however, this relationship is often seen as mainly controversial, given that copyright law is widely denounced as a barrier to freedom of expression, information and creativity itself. The turbulent relationship between copyright law and freedom of expression has been analysed by the Court of Justice of the European Union (CJEU) in a trilogy of landmark decisions which were delivered the same day.4 Specifically, on 29 July 2019, the CJEU delivered its keenly awaited decisions in the cases of Pelham (C-476/17),5 Funke Medien (C-469/17)6 and Spiegel Online GmbH v Volker Beck (C- 516/17),7 on which this chapter will focus. The facts of the Spiegel Online case are interesting. Mr. Beck, a German politician, wrote a contentious article, which was published in a collection of articles after undergoing certain changes made by the publisher without the author’s consent. Since then, the author has totally distanced himself from the contents of this article. In 2013, the manuscript of the article was discovered and presented to Mr. Beck, who made the document available to various newspaper editors as evidence that his manuscript had been modified in the article published in the collection. While the author did not consent to the publication of the text by the media, he did, however, publish both versions of the manuscript on his own website. The Spiegel Online Internet portal published an article in which it was stated that the defendant had deceived the public because the essential content in the manuscript had not been altered. In addition, both versions of the manuscript were made available for download in their entirety, through hypertext links. Mr. Beck considered that the availability of the full texts of his article on Spiegel Online constituted copyright infringement. One of the fundamental propositions of the Opinion of the Advocate General (AG)8 in the Spiegel Online case, as well as in the other two cases, was that Member 4

With regard to the balancing of copyright law with freedom of expression in the CJEU’s case law, see also: CJEU, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, Case C-314/12, Judgment of the Court (Fourth Chamber) of 27 March 2014, par. 63, ECLI:EU:C:2014:192 (blocking injunctions); CJEU, Tobias Mc Fadden v Sony Music Entertainment Germany GmbH, Case C-484/14, Judgment of the Court (Third Chamber) of 15 September 2016, par. 82, par. 90, ECLI:EU:C:2016:689 (injunction against a WiFi provider). See: Jougleux (2017), p. 792. 5 CJEU, Pelham GmbH and Others v Ralf Hütter and Florian Schneider-Esleben, Case C-476/17, Judgment of the Court (Grand Chamber) of 29 July 2019, ECLI:EU:C:2019:624. 6 CJEU, Funke Medien NRW GmbH v Bundesrepublik Deutschland, Case C-469/17, Judgment of the Court (Grand Chamber) of 29 July 2019, ECLI:EU:C:2019:623. 7 CJEU, Spiegel Online GmbH v Volker Beck, Case C-516/17, Judgment of the Court (Grand Chamber) of 29 July 2019, ECLI:EU:C:2019:625. On the 30th of April 2020, the German Federal Supreme Court (Bundesgerichtshof) published its ruling on the three cases. In its decision on Spiegel Online, the Supreme Court confirmed the legality of the publication of the book chapter finding that the exception for the reporting of current events by the press also applied in this case. See: Reda (2020). 8 Opinion of Advocate General Szpunar, CJEU, Spiegel Online GmbH v Volker Beck, Case C-516/ 17, delivered on 10 January 2019, Request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice (Germany), ECLI:EU:C:2019:16. For an analysis, see: Jütte (2019), pp. 79–98, Griffiths (2019), Synodinou (2019b, c).

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

29

States cannot, in principle, rely on fundamental rights, such as freedom of expression, in order to go beyond the exhaustive catalogue of exceptions in Article 5 of Directive 2001/29 since it is the competence of the legislator to strike a fair balance between copyright and other fundamental rights. The CJEU affirmed this position. Specifically, the CJEU recalls the exhaustive nature of the list of exceptions and limitations contained in Article 5 of Directive 2001/29. According to the CJEU’s line of reasoning, the possible destabilising impact of a fundamental rights analysis for the harmonisation of copyright law prevails. In the CJEU’s view, to allow each Member State to derogate from an author’s exclusive rights beyond the exceptions and limitations set out in Article 5 of that Directive would endanger the effectiveness of the harmonisation of copyright and related rights effected by that Directive, the objective of legal certainty and the requirement of consistency in the implementation of those exceptions and limitations. There are two ways of interpreting this finding of the CJEU: firstly, by focusing on its influence on the EU regime of copyright exceptions and on freedom of expression. This is the narrowest approach but also the most logical one in terms of the methodology of law. However, there is a second approach, which is broader in scope. The idea here is to enquire whether the reach of this finding of the Court is broader in the sense that it concerns not only what is strictly defined as copyright exceptions or limitations but also the limits of copyright law, which are justified by the balancing of copyright with fundamental rights, and furthermore to enquire whether this finding concerns all fundamental rights and not just freedom of expression. Traditionally, fundamental rights influence copyright law in two ways: either indirectly through the internal limits of copyright (such as the principle of non-protection of ideas9 and through the establishment of copyright exceptions based on fundamental rights)10 or directly as an external limitation to copyright law, which is based on sources found outside of copyright legislation. This pluralist interaction of copyright law with fundamental rights is often obscured by a lack of a clear normative EU copyright law framework on the concepts of exceptions to, limitations to and limits of copyright law. Starting with the concept of “exceptions or limitations”, these two terms are interconnected and are often used together, not only in EU copyright law11 but also in international copyright law sources.12 However, even though in a broad sense

9

Geiger (2004). Hugenholtz (1997). 11 See: Article 5 of the Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, OJ L 167. Title II of Directive 790/2019 of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC, OJ L 130. 12 See: Article 10 of WCT; article 16 of WPPT; article 13 of the Beijing Treaty; article 12 of the Marrakesh Treaty. 10

30

T.-E. Synodinou

these terms are often interconnected,13 in a narrow sense they should be considered as distinct concepts. This distinction has also been established in EU copyright law, even if the exact criteria on which it is based are not clear. In paragraphs 33 and 34 of the VG Wort case,14 which is the CJEU’s sole reference on this issue, we read that “in Article 5, the European Union legislature, in the very title of that article, makes a distinction between, first, exceptions and, secondly, limitations to the exclusive right of rightholders to authorise or prohibit the reproduction of their protected works or other subject-matter” and, “accordingly, that exclusive right may, depending on the circumstances, be either, as an exception, totally excluded, or merely limited. It is conceivable that such a limitation may include, depending on the particular situations that it governs, in part an exclusion, a restriction, or even the retention of that right.” Indeed, there are variant approaches to the understanding of these terms. Often the main criterion used for making the distinction is that the exercising of the right is affected unconditionally in the case of an exception, i.e. without establishing a compensation for the author.15 On the other hand, in the case of a limitation, a remuneration is given to the author or copyright holder. In this context, it has been argued that since exceptions interfere more severely with the author’s rights by neutralising the author’s power to control the use of the work, they should be considered as “absolute restrictions”, while limitations are “relative restrictions” since they interfere with copyright in a more moderate way by providing remuneration.16 With regard to the limits of copyright law, i.e. cases where the author’s exclusivity is restricted by the object and the nature of copyright law, these can be internal, such as the principle of non-protection of ideas, which is to be found inside copyright law, or external, i.e. based on legal rules outside copyright law, such as competition law, consumer law, freedom of expression, business freedom, property law or privacy.17 What is even more important in the context of analysing the reach of the CJEU’s decisions of 29 July 2019 is that the de facto distinction between the exceptions, limitations and limits of copyright law is not always clear. This is because some external limits of copyright law are ontologically very close to the framework of an exception, in the sense that they act de facto as an exception by directly affecting the exercising of the author’s rights.

According to Walter and Lewinski, the Directive 2001/29 uses the terms “exceptions” and “limitations” which describe a carving out of the property right in immaterial goods for the benefit of users who consequently have a defence against any reproach of copyright infringement. Walter and von Lewinski (2010). 14 CJEU, Verwertungsgesellschaft Wort (VG Wort) v Kyocera and Others, C-457/11, Judgment of the Court (Fourth Chamber), 27 June 2013, ECLI:EU:C:2013:426, par. 34 and. 35. 15 Gautier (2015). 16 Alleaume (2010). 17 Lucas et al. (2017). 13

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

31

This chapter aims to provide a critical analysis of whether and how the process of balancing copyright law with fundamental rights through exceptions, limitations and primarily the external limits of copyright law is affected by those decisions. The first part is dedicated to the main findings of the CJEU with regard to copyright exceptions and limitations stricto sensu (Sect. 2). The second part focuses on the direct influence exerted by human rights on copyright law, that is the influence of human rights, which is unrelated to the establishment of exceptions or limitations inside copyright legislation, and on the analysis of how the CJEU’s three decisions might or might not influence the status quo in these fields (Sect. 3).

2 The Indirect Influence of Fundamental Rights on Copyright Law The CJEU examined a series of questions linked to the relationship between copyright law and freedom of expression and broadly regarding the position of copyright exceptions and limitations in European copyright law. A critical analysis of the CJEU’s reply is offered below.

2.1

The Degree of Freedom Enjoyed by Member States in Relation to Copyright Exceptions

One of the central questions of the dispute concerns the delineation of the degree of latitude afforded to Member States (MSs) in transposing the exceptions provided for in Directive 2001/29.18 In the CJEU’s view, there is no uniform answer to this question, but rather it has to be examined whether the specific exception should or should not be construed as constituting a full harmonisation measure. In this context, the scope of the Member States’ discretion in transposing a particular exception into national law must be determined on a case-by-case basis, in particular according to the wording of that provision. In the present case, as emphasised by the CJEU, it is clear from the content of news reporting and the quotation exceptions in the Information Society Directive that they do not constitute full harmonisation. Member States enjoy a degree of freedom to perceive this exception in light of their national constitutional standards governing the protection of fundamental rights, but their discretion is circumscribed in several regards, namely the limits imposed by EU law (which means that Member States are not free in every case to determine, in a

18

Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, OJ L 167, 22.6.2001, pp. 10–19.

32

T.-E. Synodinou

non-harmonised way, the parameters governing these exceptions), the general principles of EU law (including the principle of proportionality), the objectives of the Information Society Directive (which seek to establish a high level of protection for authors and to ensure the proper functioning of the internal market) and the threestep test. Furthermore, Member States are required to safeguard a fair balance of rights and interests between the different categories of rightholders, as well as between the different categories of rightholders and users, and also to interpret matters in a way that allows a fair balance to be struck between the various fundamental rights protected by the Charter of Fundamental Rights of the EU. It is not, however, clear whether the degree of latitude afforded to Member States is also limited in the opposite direction, in the sense that failing to provide for certain exceptions in domestic law could be incompatible with the Charter, as suggested by the AG in his Opinion in the Pelham case.19 The Advocate General’s approach would imply that certain exceptions to Article 5 might be considered as mandatory under the Charter, even though this has not been expressly stated in Directive 2001/ 29. In the first instance, this could be the case for exceptions with a strong foundation based on freedom of expression, news reporting, quotation (mandatory under Article 10 (1) of the Berne Convention) and probably parody, which has often been recognised as a limitation to copyright. So would a Member State be in breach of the Charter if it does not provide for the parody exception, as is the case in certain Member States, where use of a work for satire or parody purposes is directly founded on freedom of expression as the latter is enshrined in their constitution?20 For example, Cypriot and Greek copyright laws do not provide for the parody exception. In Greek law, the concept of satire has emerged in case law,21 in cases of infringement of the personality right, but not in relation to copyright law. In Cyprus, the use of a copyright-protected work for parody could theoretically be covered by the “fair dealing” exception provided for by Article 7 (1) of Law 59/1976, for the purpose of criticism. Although Cypriot copyright law, like UK copyright law, contains the exemption of “fair dealing” of works for the purpose of criticism and review,22 there is no precedent in Cypriot case law accepting the application of the provision concerning the use of a work or other copyrighted work for the purpose of parody or caricature. At the same time, the

19

Opinion of Advocate General Szpunar delivered on 12 December 2018 in CJEU, Pelham GmbH and Others v Ralf Hütter and Florian Schneider-Esleben, Case C-476/17 ECLI:EU:C:2018:1002, par. 77. 20 For the parody exception in the national jurisdictions of the EU Member States, see: De Wolf & Partners (2013). 21 According to Greek case law, the concept of satire characterises any form of artistic activity whereby ‘they are emphasized, burned, and criticized, with elements of mainly comic and deforming, actual situations and identifiable properties, actual traits, defects and imperfections of the saturated person, so as to entertain and entertain the public’. See: Court of appeal of Athens 340/2001, Supreme Court 707/2004, Court of appeal of Athens 340/2001, Multimember District Court of Piraeus 3117/2005. 22 Article 7 (2) (a) of Law 59/1976.

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

33

narrow interpretation adopted by the UK courts to the corresponding exception of the Copyright and Designs and Patents Act (CDPA)23 regarding the possibility of using works for the purpose of parody, especially after the case of Twentieth Century Fox Film Corp v Anglo-Amalgamated Film Distributors,24 could be seen as a deterrent to the application of Section 7 (2) (a) of Law 59/1976 in cases of parody. Indeed, this defence applies only where the use of a work is for the purpose of criticism or review of the work itself, of another work or of a performance of a work, while parodies are not always directed at a work or a performance.25 In this context, the UK courts have opted for a narrow interpretation of the concept of “criticism”, which does not include parody.26 This was also one of the reasons why, in 2014, English law introduced a special exemption covering the use of works for parody purposes.27 This question is crucial since, as we shall see in Part II, the Court has closed the door to the application of fundamental rights as an external limitation to copyright. At the same time, however, a closer analysis of the CJEU’s line of reasoning shows that the Court does not wish to place copyright law in an independent sphere of operation from the Charter. The obligation incumbent on the national courts to safeguard the effectiveness of copyright exceptions established by law, and to interpret them in a way that is fully compliant with the Charter of Fundamental Rights of the European Union, means that the mechanism of balancing of interests is placed at the heart of the interpretation and implementation of copyright exceptions and limitations. This finding is reinforced by the stance adopted by the CJEU in relation to the position of copyright exceptions and limitations in European copyright law.

2.2

The Reinforced Status of Copyright Exceptions and Limitations as Users’ Rights

Specifically, while the CJEU rejected the possibility of justifying further limitation of copyright on the basis of freedom of expression, it did, however, affirm that the exceptions and limitations contained in Article 5 of Directive 2001/29 should be adequately safeguarded because they confer rights on the users of works.28 This is not the first time that the CJEU has referred to copyright exceptions as “users’

23

See section 30 (1) of the UK Copyright, Designs and Patents Act. [1965] 109 SJ 107. 25 Griffiths (2017). 26 Bently et al. (2018). 27 Section 30A (1) of the CDPA. 28 CJEU, Spiegel Online GmbH v Volker Beck, Case C-516/17, Judgment of the Court (Grand Chamber) of 29 July 2019, ECLI:EU:C:2019:625, par. 54. 24

34

T.-E. Synodinou

rights”.29 By doing so, the Court clearly departs from the archetypal approach that considers exceptions and limitations as simple liberties or “privileges” recognised by legislation in favour of users. This is an important reminder that the user of copyright-protected works has emerged as a new norm in the CJEU’s case law. The thesis that it is necessary to safeguard copyright users’ interests or rights30 has effectively emerged as a reaction and a necessary counterbalance to the growing asymmetry between the widespread control enjoyed by rightholders over copyrightprotected works and the ambiguous restricted scope of copyright users’ freedoms. In light of the above, the concepts of the “use” and of the “user” of copyright-protected works have also obtained an autonomous status in European copyright legislation and case law through the corresponding concepts of lawful use, lawful user and lawful access.31 Hitherto, the recognition of certain exceptions as rights of lawful users was inconsistently established only in relation to computer programs and databases. The CJEU’s approach in the present case is, however, broader. The recognition of copyright exceptions and limitations as users’ rights has some important ramifications. Specifically, it requires that, in striking a balance between the exclusive rights of the author and the rights of users, a national court should not give priority to the rights of the author but should promote an interpretation of these provisions that fully adheres to the fundamental rights enshrined in the Charter. Consequently, a national court may depart from a restrictive interpretation of copyright exceptions and limitations in favour of an interpretation that takes full account of the need to respect freedom of expression and freedom of information, as enshrined in Article 11 of the Charter. While the CJEU advances an approach that favours a flexible interpretation by national courts of copyright exceptions, it is not clear whether the “upgrading” of exceptions to the legal category of rights has further implications for the way in which such “user rights” can be claimed and protected. Legislative intervention will probably be needed in order to safeguard copyright exceptions as real “users’ rights”, in the sense that they are jus cogens that cannot be overridden by technological protection measures (TPMs) and by contracts. This change must be accompanied by the introduction of procedural mechanisms, such as the establishment of locus standi for lawful users to bring a claim before a court against the neutralisation or restriction

29 See, for instance, CJEU, Technische Universität Darmstadt v Eugen Ulmer KG, Case C-117/13, Judgment of the Court (Fourth Chamber) of 11 September 2014, ECLI:EU:C:2014:2196, par. 43; CJEU, Johan Deckmyn and Vrijheidsfonds VZW v Helena Vandersteen and Others, Case C-201/13, Judgment of the Court (Grand Chamber) of 3 September 2014, ECLI:EU:C:2014:2132, par. 26; CJEU, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, Case C-314/12, Judgment of the Court (Fourth Chamber) of 27 March 2014, ECLI:EU:C:2014:192. 30 Litman (2011), Patterson and Lindberg (1991), Mazziotti (2008), Chapdelaine (2013) and Dusollier (2010). 31 Analogous developments have taken place worldwide. For the emblematic recognition of exceptions as users’ rights in Canada, see: CCH, Canadian Ltd. v Law Society of Upper Canada 2004 SCC 13.

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

35

of copyright exceptions, and the establishment of out-of-court redress mechanisms for settling these disputes.32

3 The Direct Influence of Human Rights on Copyright Law The direct interaction of fundamental rights with copyright law touches upon various aspects of the author’s control and enjoyment of the work. Specifically, fundamental rights have been affirmed by the courts as a basis for limiting the scope of copyright, the exercise of copyright and the enforcement of copyright. This taxonomy of the way in which fundamental rights interfere with copyright law is significant since, as will be demonstrated, not all forms of this interaction are concerned by the CJEU’s findings. One of the main questions put to the CJEU was that of whether freedom of expression could act as an external, direct limitation on copyright law (Sect. 3.1). However, it is also crucial to ask whether the CJEU’s findings in relation to freedom of expression are directly applicable to the external balancing of copyright law with other fundamental rights (Sect. 3.2). In this context, firstly a brief overview of the direct influence of human rights other than freedom of expression on copyright law will be presented (Sect. 3.2.1). Subsequently, the impact of the CJEU’s trilogy on the external delimitation of other fundamental rights in relation to copyright law will be analysed (Sect. 3.2.2).

3.1

Fundamental Rights as External Limits on Copyright Protection in the CJEU’s Trilogy

One of the fundamental propositions of the Opinion of the Advocate General in the Spiegel case was that Member States cannot in principle rely on fundamental rights, such as freedom of expression, in order to go beyond the exhaustive catalogue of exceptions set out in Article 5 of Directive 2001/29 because it is the task of the legislator to strike a fair balance between copyright and other fundamental rights. The CJEU affirms this position and firmly denies the application of fundamental rights as external limits on copyright protection on the grounds of several arguments. Firstly, the CJEU points out the exhaustive nature of the list of exceptions and limitations contained in Article 5 of Directive 2001/29. In the CJEU’s line of reasoning, the possible destabilising impact of a fundamental rights analysis for the harmonisation of copyright law prevails. The CJEU believes that allowing each Member State to derogate from an author’s exclusive rights beyond the exceptions and limitations set out in Article 5 of that Directive would jeopardise the 32

See: Synodinou (2019a, b, c).

36

T.-E. Synodinou

effectiveness of the harmonisation of copyright and related rights established by that Directive, the objective of legal certainty and the requirement of consistency in the implementation of these exceptions and limitations. The CJEU is far more austere and restrictive than the Advocate General on this point since it appears to make it absolutely impossible to justify a derogation from the author’s exclusive rights on the grounds of freedom of information and freedom of the press. Here, it should be borne in mind that the Advocate General had left the door open for a possible limitation of copyright directly on the ground of freedom of expression in certain specific circumstances, while this opinion was also shared by the doctrine.33 In the Advocate General’s view, the courts’ interventions in this field should only be exceptional (when the “essence of a fundamental right” is at stake).34 Indeed, given that the list appearing in Article 5 of the Information Society Directive is the result of a balance established between fundamental rights, a hermetically closed system of exceptions might not be able to reflect the adjustment of this balancing act to new societal evolutions.35 The Court does not, however, mention the possibility of further limiting copyright in such exceptional circumstances. In this context, it appears that freedom of expression can be safeguarded only via the specific exceptions established in the domestic jurisdiction of Member States, provided that these exceptions are included in the exhaustive list contained in Article 5 of Directive 2001/29. By not holding out the possibility of further limitations on copyright, as described above, the CJEU excludes the option of justifying, directly on the grounds of freedom of expression, uses that are not included in the closed list in Article 5 since such a “meta-exception”, similar to a “fair use” clause, could completely destroy the coherence of the EU regime of copyright exceptions.36 While the national courts are encouraged to opt for an interpretation of the existing exceptions, which safeguard their effectiveness and the balancing of the fundamental rights at stake, no further limitation is possible on the basis of freedom of expression. This would mean in practice that it will not be possible to justify a satirical use or a parody of a work, unless there is a specific copyright exception in the domestic legislation that expressly enables such a use. This is an excessive approach, which could be counterbalanced only if the parody exception is established as mandatory in European copyright law. Indeed, for Griffiths, the fact that, in some instances, the balance between competing rights will inevitably come down in favour of the user means that some of the ostensibly optional exceptions in the list set out in Article 5 of the Directive are actually mandatory.37 As it is noted by Lucas and Ginsburg, “it cannot be ruled out that, when asked to rule on this issue, the Court of Justice of the European Union will prefer a minimalist approach in which the corrective of freedom of expression is restricted to exceptional cases such as, for example, when copyright is brandished in order to object to the dissemination of a message with a political undercurrent”. See: Lucas and Ginsburg (2016), p. 79. 34 Geiger and Izyumenko (2018). 35 Buydens and Dusollier (2001). 36 Lucas et al. (2017). 37 Griffiths (2017). 33

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

37

However, this is not formally the case today. Furthermore, it is not clear whether the exclusion of parody in jurisdictions where it is not expressly provided for in the legislation is a result that was anticipated by the CJEU when rigorously establishing the principle that fundamental rights cannot act as external limitations to copyright law. At the same time, however, a closer analysis of the CJEU’s line of reasoning shows that the Court does not wish to place copyright law in an independent sphere of operation from the Charter. The obligation incumbent on the national courts to safeguard the effectiveness of copyright exceptions established by law, and to interpret them in a way that is fully compliant with the Charter of Fundamental Rights of the European Union, means that the mechanism of balancing of interests is placed at the heart of the interpretation and implementation of copyright exceptions and limitations. This finding is reinforced by the stance adopted by the CJEU in relation to the position of copyright exceptions and limitations in European copyright law.

3.2

The Impact on Other Fundamental Rights

While it is clear that the decisions of the CJEU of 29 July 2019 have a direct influence on the balancing of copyright law with freedom of expression, it is not evident that this finding applies equally to the balancing of copyright law with other fundamental rights. It has been argued that the restrictive stance adopted by the CJEU should be extended only in cases where the fundamental rights at stake have already been taken into consideration by the European legislator when establishing the list of exceptions and limitations in Directive 2001/29 and other pieces of EU copyright law legislation. In this context, given that privacy, for instance, has not been taken into account by the EU legislator, it could be exempted from the ambit of the CJEU’s findings.38 However, this approach has its own limits. Indeed, all copyright exceptions and limitations are based on an underlying normative framework that is shaped by the interplay of fundamental rights. In this context, the list contained in Article 5 of Directive 2001/29 comprises exceptions that are either directly or indirectly based on other fundamental rights. Indeed, behind the private copy exception also lies the right of privacy and the balancing of copyright law with the protection of private life.39 The right to education lies beneath the educational exceptions, while the right to culture is behind the recently established exceptions of Directive 790/2019 for

38

Chénedé (2016) Supra n33. As it is noted by Natali Helberger and Bernt Hugenholtz “The rationale of a private copying exception is informed, at least in part, by the idea of protecting the end user’s private sphere”. Helberger and Hugenholtz (2007).

39

38

T.-E. Synodinou

out-of-print works.40 The right of ownership underlies the exception for architectural works in Article 5 (2) (m) of Directive 2001/29.41 Similarly, business freedom is hidden behind Article 5 3 (j) of Directive 2001/2942 and Article 4 of Directive 790/2019. Does this mean that any limitation of copyright law on the grounds of these fundamental rights should be excluded once and for all? In the following paragraphs, the Gordian knot of influences exercised by other fundamental rights on copyright law will be explored with the aim of demonstrating that the plurality of these rich interactions is not affected by the CJEU’s findings. 3.2.1

3.2.1.1

The Gordian Knot of Influences Exercised by Fundamental Rights on Copyright Law The Influence of the Right of Property on the Moral Right of Integrity

The conflict between copyright law and the right of property enjoyed by the owner of the tangible object which incorporates the “work of mind” is a long-standing one. Classically, national copyright legislation refers to the relationship between these different forms of property by reminding us that intellectual property rights are distinct and separable from property rights in tangible goods,43 in other words that there are two distinct forms of property that coexist and are normally not supposed to meet. In light of copyright law principles, the most obvious way to comprehend this principle is by interpreting it as a safeguard for the rights of the author. Once this division is made, the author enjoys sole control over the intellectual asset, and this necessarily limits the power of the owner of the tangible object to exercise his/her property right unconditionally. This coexistence, however, is also a source of limitation for copyright law. In this context, the author of the intangible good cannot exercise the rights conferred by copyright law in a way that significantly interferes with the peaceful enjoyment, by the owner of this good, of the property right over the tangible object. For instance, we can recall the spectacular destruction of a work by Banksy at an auction sale, as it seems that it was the author himself who trapped the work.44 The need to carefully balance copyright law with the right of property enjoyed by the owner of the tangible copy which incorporates the work in question is

40

Supra n11, Articles 8, 9 and 10 of Directive 790/2019. (m) use of an artistic work in the form of a building or a drawing or plan of a building for the purposes of reconstructing the building. 42 (j) use for the purpose of advertising the public exhibition or sale of artistic works, to the extent necessary to promote the event, excluding any other commercial use. 43 Bently et al. (2018), p. 3. 44 Reyburn (2018). 41

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

39

highlighted by a recent French case. Here, the bartender of a cafe had created a work affixed to two wooden panels, which was intended to cover the window of the cafe when it was closed. When the employee was dismissed, he came back to tag additional—unflattering—drawings on the panels he had already painted and invoked his copyright to justify this addition. However, the French Cour de Cassation held that copyright protection was limited by the bar owner’s right of property. The Court of Appeal had therefore infringed the protection of property as established in Article 544 of the French Civil Code. Indeed, the Court of Appeal should have investigated whether the bar owner had given his permission for the new additions, regardless of whether he had copyright in the work previously affixed.45 Most sources of tension, however, concern the reverse situation, i.e. the power of the owner of the tangible object to intervene in the object and, as a result, in the form of the intellectual creation. Here a distinction is often made between the modification and the destruction of the object by its owner. While courts in general affirm the infringement of the author’s right in cases of modification of the work by the owner of the tangible object which incorporates the work,46 they often admit that the destruction of the work can be justified on the ground of the right of abusus enjoyed by the owner of the tangible object which incorporates the work.47 The question is a delicate one since the destruction of the work does not result in its modification stricto sensu, as the work simply ceases to exist. On the other hand, the destruction by its owner of a work that has been uniquely embodied in a tangible object results in cutting off completely the intellectual bond between the author and his/her work. In this context, the destruction of an original work should be regarded as the most severe form of impairment.48 The question is rarely answered by legislation. A notable exception is Article 15 sub-para. 1 of the Swiss copyright law (LDA),49 where we read that the owner of the only original copy of a work cannot destroy it without having first offered the author the opportunity to take it back. In general, courts seek to arrive at balanced solutions50 and aim to achieve a modus vivendi between both rights by referring to general legal principles, such as

Cour de Cassation, Chambre Criminelle, 20 juin 2018, n
17-86402. The question was often raised for utilitarian works, such as architectural works. The legitimacy of the modification depends on whether it can be justified by the need to adapt the construction in order to respond to new needs and on the degree and the necessity of the intervention (the architect has to accept the modifications only to the degree that they are necessary and proportionate to the aim that they serve. See: Lucas no. 637, pp. 534, 536. 47 See, for instance, the French case “Fresques de Juvicy”: CA Paris, 27 April 1934, DH 1934, p. 385. 48 Nordemann and Leidl (2019). 49 Loi fédérale sur le droit d’auteur et les droits voisins (Loi sur le droit d’auteur, LDA) du 9 octobre 1992 (Etat le 1er janvier 2017). 50 Maffre-Baugé (2006). 45 46

40

T.-E. Synodinou

reasonableness, abuse of right (either of the owner’s right or the author’s right)51 or good faith.52 National courts decide on a case-by-case basis by balancing both rights, and often the limitation of copyright law is affirmed. The German Federal Court of Justice has recently answered the question of whether an author could object to the destruction of an artistic work by its owner on the ground of the author’s moral right of integrity.53 In the view of the Court, which had to rule on this question in three cases at once, the right of integrity also provides protection against the destruction of a work. However, in order to establish infringement of the moral right of integrity, a balancing of interests with the legitimate interests of the owner has to be undertaken. Within the scope of this balancing of interests, it is necessary to take into account whether the destroyed work is the only copy and also the level of originality of the work. It may also be relevant to consider whether the author has had the opportunity to take back the work or to make copies. As a rule, however, the author’s interest in the continued existence of the work of art takes second place behind the building owner’s interest in the other use of the building and the associated destruction of the work.54 This balancing takes place when defining the scope of the moral right and not its exercise. Unlike a copyright exception or limitation, where the use falls within the scope of copyright but the author’s control over this use is excluded or limited, in the present case it is the reach of the author’s control (the scope of exclusivity) that is limited, on the basis of the fundamental right, and it cannot cover the use.

3.2.1.2

The Influence of Commercial Interests (Freedom of Competition, Business Freedom, Free Movement of Goods) on the Economic Rights of the Author

Freedom of business and freedom of competition interfere with copyright law in two main ways. Firstly, freedom of business and freedom of competition were affirmed as an external limit on copyright law at an early stage, at EU level. Based on the

51 Case Maison Girard (Sirvin v Facebat), TGI Nanterre [1994] Gazette du Palais, 1995, somm. 517; Case Swift (Brodzki v Societyfor Worldwide Interbank Financial Telecommunication), 2003, J.T. 515. For these cases, see: Vanbrabant (2005). 52 See: Case Scrive, TGI Paris 1974 et CA Paris 10 juillet 1975, D. 1977, jur. p. 342. 53 German Federal Supreme Court’s decisions of 21 February 2019 (ref.: I ZR 98/17, I ZR 99/17 and I ZR 15/18). 54 Nordemann and Leidl (2019).

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

41

landmark Magill,55 IMS Health56 and also Microsoft decisions,57 freedom of competition was used to limit the absolutist nature of copyright protection, by limiting the exercise of copyright. Secondly, freedom of business, like freedom of expression,58 was in some instances used as a basis for limiting copyright law beyond the list of copyright exceptions established by national law in the landmark Dior v Evora case.59 The case concerned the advertising by an authorised reseller of parallel imports of Dior perfumes. The reseller, Evora, inserted images of Dior’s perfumes in advertising brochures, and Dior was concerned about the potential negative effects on its brand image. Dior advanced the arguments of both copyright and trademark protection in order to stop these images from being used. In the national Dior v Evora decision, which preceded the CJEU judgment, the Dutch Supreme Court affirmed the possibility of the creation of additional limitation of copyright.60 Firstly, copyright over the packaging and bottles was exhausted after the first sale with Dior’s consent. Secondly, the Court drew a parallel between this situation and an existing exception under the Dutch Copyright Act, which allows the owner of a work of (applied) art to include the work in a catalogue necessary for a public exhibition or sale.61 In this context, it concluded that Evora’s commercial interest in the advertising of the resale of Dior perfume in the Netherlands had to prevail.62 At CJEU level, the situation was mainly viewed from the perspective of the free movement of goods and services within the internal market. Specifically, as noted by the CJEU, “It is also clear from the case-law that, while the commercial exploitation of copyright is a source of remuneration for the copyright owner, it also constitutes a form of control on marketing exercisable by the owner and that, from this point of view, commercial exploitation of copyright raises the same issues as that of any other 55 CJEU, Radio Telefis Eireann (RTE) v Independant Television Publications Ltd (ITP), C-241/91, Judgment of 6 April 1995, ECLI:EU:C:1995:98. 56 CJEU, NDC Health GmbH & Co. KG and NDC Health Corporation v Commission of the European Communities and IMS Health Inc., Case C-481/01 P (R), Judgment of 11 April 2002, ECLI:EU:C:2002:223. 57 CJEU, Microsoft Corp. v Commission of the European Communities, Case T–01/04, Judgment of the Court of First Instance (Grand Chamber) of 17 September 2007, ECLI:EU:T:2007:289. 58 See: Cour de Cassation, 1re civ., 2015, no 13-27.391. 59 CJEU, Parfums Christian Dior SA Parfums Christian Dior BV v Evora BV, C-337/95, Judgement of 4 November 1997, ECLI:EU:C:1997:517. 60 Supreme Court of the Netherlands, October 20, 1995, Nederlandse Jurisprudentie 1996, no. 682 (Dior v Evora), par. 3.6.2. See: Senftleben (2013). 61 Article 23 of the Dutch Copyright Act: “Unless otherwise agreed, whoever owns, possesses or holds a work of drawing, painting, sculpture or architecture, or a work of applied art, is permitted to reproduce and make public that work so far as necessary for the public exhibition or public sale of that work, all subject to the exclusion of any other commercial use”: unofficial translation of Copyright Act – Auteurswet by Van Eechoud M. https://www.ivir.nl/syscontent/pdfs/119.pdf. Accessed 13 May 2020. 62 Supra n60.

42

T.-E. Synodinou

industrial or commercial property. The Court has thus held that the exclusive right of exploitation conferred by copyright cannot be relied on by its owner to prevent or restrict the importation of sound recordings of protected works which have been lawfully marketed in another Member State by the owner himself or with his consent (Musik-Vertrieb Membran and K-tel International, cited above, paragraph 15).” Consequently, “. . .the proprietor of a trade mark or holder of copyright may not oppose their use by a reseller who habitually markets articles of the same kind, but not necessarily of the same quality, as the protected goods, in ways customary in the reseller’s sector of trade, for the purpose of bringing to the public's attention the further commercialization of those goods, unless it is established that, having regard to the specific circumstances of the case, the use of those goods for that purpose seriously damages their reputation”.63 As a result, both courts affirmed that using the image of the perfumes was legitimate, even in the absence of a specific copyright exception under national law which would allow such use.

3.2.1.3

The Influence of Protection of Privacy on Enforcement of Copyright Law

Furthermore, both the national courts and the CJEU have affirmed that copyright protection has to be balanced with the protection of privacy and personal data protection. Here, the limitation directly impacts not copyright exclusivity but the enforcement of copyright. The tension between copyright law and privacy has been exacerbated in cases of Internet piracy, where the process of identifying the infringer necessarily requires the processing of the IP address used for the infringement, as well as in relation to filtering measures taken by intermediaries in order to cease such infringements. Both issues have been analysed by the CJEU. Firstly, in Promusicae,64 in relation to the question of whether Member States should impose on an Internet access provider the non-disclosure of the identity of subscribers, whose IP addresses were used for the illegal reproduction and sharing of copyright-protected works, or prohibit such disclosure, the CJEU adopted the approach of a “fair balance” between both rights without giving priority to copyright protection. In this way, the door was left open to Member States to choose whether or not to introduce an obligation for disclosure of personal data.

63

Supra n59. CJEU, Productores de Música de España (Promusicae) v Telefónica de España SAU, C-275/06, Judgment of the Court (Grand Chamber) of 29 January 2008, ECLI:EU:C:2008:54.

64

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

43

In Scarlet v SABAM,65 the CJEU concluded that the imposition of a general filtering mechanism would be a breach of the “no general monitoring” principle established by the E-Commerce Directive. The CJEU also noted that the fact that intellectual property rights enjoy protection under the Charter of Fundamental Rights of the European Union (Article 17 para. 2 of the Charter) does not necessarily mean that these rights should be considered “inviolable”.66 The protection of copyright law is not absolute, and the CJEU affirms the thesis of a “fair balance” between conflicting rights, which can lead to the limitation of copyright law enforcement. The CJEU has adopted a similar line of reasoning in the subsequent cases of Tele 2,67 Bonner Audio,68 Coty Germany69 and Bastei Lubbe.70

65 CJEU, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), Case C-70/10, Judgment of the Court (Third Chamber) of 24 November 2011 ECLI:EU: C:2011:771. 66 Ibid, par. 43. 67 CJEU, LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele 2 Telecommunication GmbH (Tele2), Case C-557/07, Order of the Court (Eighth Chamber) of 19 February 2009, ECLI:EU:C:2009:107. As it is stated in par. 29 of the judgment “Accordingly, the answer to the second question is that Community law – in particular, Article 8(3) of Directive 2004/48, read in conjunction with Article 15(1) of Directive 2002/58 – does not preclude Member States from imposing an obligation to disclose to private third parties personal data relating to Internet traffic in order to enable them to bring civil proceedings for copyright infringements. Community law nevertheless requires Member States to ensure that, when transposing Directives 2000/31, 2001/ 29, 2002/58 and 2004/48 into national law, they rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights involved. Moreover, when applying the measures transposing those directives, the authorities and courts of Member States must not only interpret their national law in a manner consistent with those directives, but must also make sure that they do not rely on an interpretation of those directives which would conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality”. 68 CJEU, Bonnier Audio AB v Perfect Communication Sweden AB (ePhone), Case C-461/10, Judgment of 19 April 2012, ECLI:EU:C:2012:219. As it was held, “Directives 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) and 2004/48 must be interpreted as not precluding national legislation such as that at issue in the main proceedings insofar as that legislation enables the national court seised of an application for an order for disclosure of personal data, made by a person who is entitled to act, to weigh the conflicting interests involved, on the basis of the facts of each case and taking due account of the requirements of the principle of proportionality”. 69 CJEU, Coty Germany GmbH v Stadtsparkasse Magdeburg, C-580/13, Judgment of the Court (Fourth Chamber) of 16 July 2015, ECLI:EU:C:2015:485, paras. 34, 35. 70 CJEU, Bastei Lübbe GmbH & Co. KG v Michael Strotzer, Case C-149/17, Judgment of the Court (Third Chamber) of 18 October 2018, ECLI:EU:C:2018:841, paras. 44, 46, 48, 51, 52.

44

3.2.2 3.2.2.1

T.-E. Synodinou

Spiegel Online: Cutting the Gordian Knot? Human Rights Linked to Property and Privacy: The Status Quo Remains Untouched

As has been demonstrated, both the right of property and the right of privacy have often been recognised as a sound basis for a direct limitation on copyright protection. The courts seek to resolve the tension between copyright law and these fundamental rights by focusing on the idea of a “fair balance”. As regards the right of ownership, the process of balancing copyright and ownership considerations has mainly taken place when defining the scope of the right. As regards the right of privacy and balancing it with copyright protection in the CJEU’s case law, the limitation is placed in a different and more remote sphere, i.e. that of enforcement of copyright. Consequently, these limits of copyright law are not concerned by the strict stance adopted by the CJEU. It should also be borne in mind that a close analysis of these rulings shows that the CJEU imposes a limit on the theory of using fundamental rights as a direct source of limitation, yet on the other hand the CJEU also firmly establishes fundamental rights as a major source of interpretation of copyright exceptions and limitations. This influence is expressed mainly through two principles. First, national courts are bound to safeguard the effectiveness of copyright exceptions which have been established by law and to interpret them in a way that fully adheres to the fundamental rights established by the Charter of Fundamental Rights of the European Union. Second, copyright exceptions are expressly recognised by the CJEU as users’ rights.

3.2.2.2

Human Rights Related to Freedom of Business: Some Revision Needed?

However, the influence of freedom of business on copyright law acts primarily in a very similar way to that of freedom of expression, namely as a de facto exception. Since the external limitation of copyright law on the basis of freedom of expression has been outlawed by the CJEU, the question is whether a similar fate should be foreseen for freedom of business. As regards commercial interests, which have not been acknowledged by Article 5 of the Infosoc Directive, these cannot be recognised by national courts by analogy, i.e. by drawing a parallel or an analogy with existing exceptions. This incompatibility has already been affirmed through the principle of the restrictive interpretation of copyright exceptions.71 Nor could a liberal interpretation of these exceptions in accordance with the EU charter enable flexibility. Indeed, the only exceptions in Article 5 of the Infosoc 71

Supra n33, 23.

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

45

Directive that are directly linked to freedom of business rather than to the freedoms of users are very narrowly delineated by their wording.72 In general, there is no broadly formulated exception in EU copyright law that could take into account freedom of business.73 The question of whether other copyright exceptions could justify such uses is certainly open to debate. For example, could the use of the perfume’s image by the reseller be justified on the grounds of other copyright exceptions, such as the quotation exception?

4 Conclusion It could be argued that the Spiegel Online case and the decisions of the CJEU in the Funke Medien and Pelham cases have closed the door to the doctrinal and jurisprudential movement towards the direct influence of freedom of expression and, by extension, that of other human rights in the field of copyright law. However, as has been demonstrated, this does mean that the past 30 years of jurisprudential use of a human rights approach in copyright law should be forgotten. The fair balance of rights is indirectly placed at the heart of the mechanism of interpretation of exceptions and limitations, while the influence of other fundamental rights, such as the rights of property and privacy, is not affected by the restrictive stance adopted by the Court. As we have shown, fundamental rights interact with copyright law in a pluralist way and at different levels: in the context of the definition of the right, as a de facto exception by directly affecting the exercise of the right, and in the sphere of enforcement of the right. Not all of these interfaces are captured by the CJEU’s findings. Indeed, the plurality of these interactions calls for a differentiated, and necessarily fragmented, approach, even with regard to the same

72

Specifically, these are: (j) use for the purpose of advertising the public exhibition or sale of artistic works, to the extent necessary to promote the event, excluding any other commercial use and (l) use in connection with the demonstration or repair of equipment. 73 The Wittem EU Copyright Code proposed a new exception which is based on freedom of competition in Art. 5. 4 (named “Uses for the purpose of enhancing competition”). According to this provision, “(1) The following uses for the purpose of enhancing competition are permitted without authorisation and without remuneration, to the extent justified by the purpose of the use: (a) use for the purpose of advertising public exhibitions or sales of artistic works or goods which have been lawfully put on the market; (b) use for the purpose of reverse engineering in order to obtain access to information, by a person entitled to use the work. (2) Uses of news articles, scientific works, industrial designs, computer programs and databases are permitted without authorisation, but only against payment of a negotiated remuneration, and to the extent justified by the purpose of the use, provided that: (i) the use is indispensable to compete on a derivative market;(ii) the owner of the copyright in the work has refused to license the use on reasonable terms, leading to the elimination of competition in the relevant market and (iii) the use does not unreasonably prejudice the legitimate interests of the owner of the copyright in the work”.

46

T.-E. Synodinou

fundamental right in variant interplays. For instance, in both Svensson74 and GS Media,75 safeguarding freedom of expression has been a decisive factor in the non-application of the right of communication to the public, in linking not-for-profit activities. This interplay is not affected by the principle of excluding fundamental rights as external limitations to copyright law. Similarly, it is also doubtful whether the non-application of the right of communication to the public by the German courts with regard to linking activities that are being performed algorithmically, on the ground of safeguarding the freedom to conduct business,76 is affected by the Court’s trilogy, because here, too, the balancing process takes place when defining the scope of the right of communication to the public and not while it is being exercised. This richness of approaches is certainly encouraging as it is more sensible in terms of really connecting the opposing fundamental rights, and it has the potential to provide breathing space within a legal ecosystem that is often seen as too closed and inflexible. On the other hand, it is characterised by a high level of complexity and, necessarily, by legal uncertainty. Furthermore, ironically, this decision (which is somehow orthodox in relation to an EU copyright-law harmonisation objective) to restrict the influence of human rights in the field of copyright law to an indirect influence/effect (through the existing exceptions) may lead to a more balanced recasting of the three-step test. Indeed, since the search for flexibility within EU copyright law is being intensified, the ways in which the test is interpreted might be affected so that an enhanced integration of copyright law into the realm of human rights can be safeguarded.

References Alleaume C (2010) La mise en balance du droit d’auteur. Revue internationale de droit comparé 62 (2):423–445. Available at https://www.persee.fr/doc/ridc_0035-3337_2010_num_62_2_19949. Accessed 08 May 2020 Bently L, Sherman B, Gangjee D, Johnson P (2018) Intellectual property law, 5th edn. Oxford University Press, Oxford Buydens M, Dusollier S (2001) Les exceptions au droit d’auteur: évolutions dangereuses. Communication Commerce Electronique:10–16 Centre for International Intellectual Property Studies (CEIPI) Research Paper N
2018-12. Available at https://ssrn.com/abstract¼3293735 or https://doi.org/10.2139/ssrn.3293735. Accessed 11 May 2020 Chafee Z (1945) Reflections on the law of copyright. Columbia Law Rev 45:503–529 Chapdelaine P (2013) The ambiguous nature of copyright users’ rights. Intellect Prop J 26:1–47 Chénedé VF (2016) Contre-révolution tranquille à la Cour de cassation? Dalloz, no 14, p 796

74

CJEU, Svensson and Others v Retriever Sverige AB, Case C-466/12, Judgment of 13 February 2014, ECLI:EU:C:2014:76. 75 CJEU, GS Media v Sanoma Media Netherlands BV and Others, Case C-160/15, Judgment of 8 September 2016, ECLI:EU:C:2016:644. 76 LG Hamburg, 308 O 151/17; LG Hamburg, 310 O 117/17. See: Rosati (2019).

2 Direct and Wider Implications of the CJEU’s Decision in the Spiegel Online. . .

47

De Wolf & Partners (2013) Study on the application of Directive 2001/29/EC on copyright and related rights in the information society (the “Infosoc Directive”) Dusollier S (2010) The relations between copyright law and consumer’s rights from a European perspective. European Parliament Publication. Available at https://ssrn.com/abstract¼2127736. Accessed 11 May 2020 Gautier PY (2015) Propriété littéraire et artistique. 9e éd. PUF, Paris Geiger C (2004) Droit d’auteur et droit du public à l’information, Approche de droit comparé. IRPI. Litec, Paris Geiger C, Izyumenko E (2018) Freedom of expression as an external limitation to copyright law in the EU: the advocate general of the CJEU shows the way. Eur Intellect Prop Rev 41(3):131 Griffiths J (2017) Fair dealing after Deckmyn – The United Kingdom’s Defence for Caricature, Parody or Pastiche. In: Richardson M, Ricketson S (eds) Research handbook on intellectual property in media and entertainment. Edward Elgar, Cheltenham Glos, p 64 Griffiths J (2019) European Union copyright law and the Charter of Fundamental Rights—Advocate General Szpunar’s Opinions in (C-469/17) Funke Medien, (C-476/17) Pelham GmbH and (C-516/17) Spiegel Online. ERA Forum 20:35–50. https://doi.org/10.1007/s12027-019-005602. Accessed 12 May 2020 Helberger N, Hugenholtz PB (2007) No place like home for making a copy: private copying in European copyright law and consumer law. Berkeley Technol Law J 22:1061–1098 Hugenholtz PB (1997) Fierce creatures – copyright exemptions: towards extinction? In: Rights, limitations and exceptions: striking a proper balance. Conference IFLA/IMPRIMATUR, Amsterdam. https://www.ivir.nl/publicaties/download/PBH-FierceCreatures.pdf. Accessed 08 May 2020 Jougleux P (2017) Is EU copyright law a danger to online freedom of expression? Conference paper, International Conference on e-Democracy, Communications in Computer and Information Science book series Jütte BJ (2019) Forcing flexibility with fundamental rights: questioning the dominance of exclusive rights. In: Synodinou T-E, Jougleux P, Markou C, Prastitou T (eds) EU internet law in the digital era. Springer, Cham, pp 79–98 Lee YH (2015) Copyright and freedom of expression: a literature review. CREATe Working Paper April 2015 Litman J (2011) Readers’ copyright. J Copyright Soc 58(2):325–353 Lucas A, Ginsburg J (2016) Droit d’auteur, liberté d’expression et libre accès à l’information (Etude comparée de droit américain et européen). Revue Internationale du Droit d’Auteur 249:5–153 Lucas A, Lucas-Schloetter A, Bernault C (2017) Traité de la propriété littéraire et artistique. 5e édition, Lexis Nexis, Paris Maffre-Baugé A (2006) Quel droit moral pour l’œuvre d’art ? LEGICOM N
36:91–100. Available at https://www.cairn.info/revue-legicom-2006-2-page-91.htm. Accessed 12 May 2020 Mazziotti G (2008) EU digital copyright law and the end-user. Springer, Berlin Netanel NW (1996) Copyright and a democratic civil society. Yale Law J 106:283–387 Nordemann JB, Leidl L (2019) German BGH: the destruction of the work does not infringe the moral rights of the author. Kluwer Copyright Blog. Available at http://copyrightblog. kluweriplaw.com/2019/08/19/german-bgh-the-destruction-of-the-work-does-not-infringe-themoral-rights-of-the-author/?print¼print. Accessed 12 May 2020 Patterson LR, Lindberg SW (1991) The nature of copyright: a law of users rights. University of Georgia Press, Athens, Georgia Reda J (2020) German Federal Supreme Court defends press freedom in two high-profile copyright cases, no resolution of sampling dispute, Kluwer Copyright Blog, May 1 2020. Available at http://copyrightblog.kluweriplaw.com/2020/05/01/german-federal-supreme-court-defendspress-freedom-in-two-high-profile-copyright-cases-no-resolution-of-sampling-dispute/. Accessed 8 May 2020

48

T.-E. Synodinou

Reyburn S (2018) Banksy painting self-destructs after fetching $1.4 million at Sotheby’s. The New York Times. Available at https://www.nytimes.com/2018/10/06/arts/design/uk-banksypainting-sothebys.html. Accessed 12 May 2020 Rosati E (2019) Linking and copyright: easier at last? First national applications of the CJEU GS Media Judgment. In: Synodinou T, Jougleux P, Markou C, Prastitou T (eds) EU internet law in the digital era, regulation and enforcement. Springer, Berlin, pp 61–78 Samuelson P (2003) Copyright and freedom of expression in historical perspective. J Intellect Prop Law:319–344 Senftleben M (2013) Comparative approaches to fair use: an important impulse for reforms in EU copyright law. Available at https://www.researchgate.net/publication/256055536_Compara tive_Approaches_to_Fair_Use_An_Important_Impulse_for_Reforms_in_EU_Copyright_Law. Accessed 13 May 2020 Synodinou T (2019a) Lawfulness for users in European copyright law: acquis and perspectives. JIPITEC 10(1) Synodinou T (2019b) Mirror, mirror, tell me, is the Copyright law fair and balanced? Reflection on AG’s conclusions on the Spiegel Online case (Part I). Available at http://copyrightblog. kluweriplaw.com/2019/02/15/mirror-mirror-tell-me-is-the-copyright-law-fair-and-balancedreflection-on-ags-conclusions-on-the-spiegel-online-case-part-i/?print¼print Synodinou T (2019c) Mirror, mirror, tell me, is the Copyright law fair and balanced? Reflection on AG’s conclusions on the Spiegel Online case and (Part II). Available at http://copyrightblog. kluweriplaw.com/2019/02/21/mirror-mirror-tell-me-is-the-copyright-law-fair-and-balancedreflection-on-ags-conclusions-on-the-spiegel-online-case-part-ii/. Accessed 08 May 2020 Vanbrabant B (2005) Corpus mechanicum versus corpus mysticum : des conflits entre l’auteur d’une oeuvre et le propriétaire du support. Revue de la Faculté de Droit de l’Université de Liège:490–562 Walter M, von Lewinski S (2010) European copyright law, a commentary. Oxford University Press, Oxford

Chapter 3

How Article 17 of the Digital Single Market Directive Should Be Implemented: A Personal View Victor Castro Rosa

Abstract In this chapter, the author, who is also the vice president of the Portuguese Group of ALAI and currently leads the Studies and External Relations Department of GEDIPE (audiovisual producers of a collective management organization), defends his personal perspective on how each provision of Article 17 of the Digital Single Market Directive (DSM) should be interpreted and implemented on a national level. The main purpose of Article 17 is to compel online content-sharing service providers (OCSSPs, as defined by Article 2 nr. 6 of the same Directive) to obtain blanket licences on each Member State as a form of clearance for their main activity as providers of significant amounts of works and other protected matter, in the form of user-generated content (UGC). In the case where such licences are not available or if rightsholders decide not to license OCSSPs, they will still be eligible for the exemption of liability if they can show that they applied for such licences and negotiated in good faith, including litigation under the national courts over the concrete amount to pay. They all must also, as a minimum requirement, be technically prepared for identifying and removing or blocking access to the proprietary content that rightsholders previously notify as such. OCSSPs older than three years, earning more than €10 million and having more than five million average monthly unique visitors must also make sure that such content is not uploaded again, by adopting the highest technical standards available. Exceptions and limitations should be handled by national copyright regulators, which should coordinate their own practices at the European level, to provide harmonization and legal certainty.

V. C. Rosa (*) Cabinet for Studies and External Relations at GEDIPE - Collecting Society for Audiovisual Producers, Lisbon, Portugal e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_3

49

50

V. C. Rosa

1 Introduction The structure adopted by this chapter is as follows: Sect. 1 is an introduction, presenting the aim of this article, according to the personal view of the author. Section 2 is about the concept of OCSSP (Recital 62 and Art. 2 nr. 6); Sect. 3 continues with conceptual analysis under Recital 63; Sect. 4 is about communication to the public according to Recital 64 and Article 17 nr. 1; Sect. 5 deals with Recital 65 and Article 17 nr. 3, namely the exclusion of OCSSPs from the safe harbour of Article 14 of the Electronic Commerce Directive1 (ECD); Sect. 6 turns to Recital 66 and explains the new exclusion of liability framework under Article 17 nr. 4, and it also tries to cast some light into high industry standards of professional diligence, the principle of proportionality under nr. 5 and the de minimis framework under Article 17 nr. 6 and Recital 67; Sect. 7 is about exceptions and limitations under Recital 70 and redress and complaint mechanisms (Art. 17 numbers 7 and 9), namely the role of national copyright regulators; Sect. 8 is about cooperation obligations (Recital 68 and Art. 17 nr. 8); Sect. 9 is about Recital 69 and Article 17 nr. 2; and Sect. 10 provides some insight into the stakeholders’ dialogue (Recital 71 and Art. 17 nr. 10), followed by a conclusion. Article 17 of Directive (EU) 2019/790 of the European Parliament and the Council on copyright and related rights in the Digital Single Market and its amending Directives 96/9/EC and 2001/29/EC are seen by many stakeholders in the field of copyright as a game changer or an opportunity to restore the long-lost exclusive right of making a work or other protected subject matter available to the public. Other experts, substantially more critical, regard it as a still-born provision, impossible to operate, contradictory in some of its own terms and, above all, representing a mortal threat to the Internet as we know it and to such fundamental rights as the freedom of expression and general access to culture. In this chapter, the author will try to demonstrate that the provisions of Article 17 are quite understandable and that the balance that emerged from the long and highly heated discussions between the European Parliament (EP), the European Commission (EC) and the European Council is quite manageable and possible to put into practice. There are even some elements in it that may help the Member States achieve a higher degree of harmonization than probably expected, since so many open-ended concepts are left to the discretion of each national legislator. This refers to the complaint and redress mechanism for exceptions and limitations, which the Member States must guarantee and OCSSPs are required to implement. The most important aspect to retain when reading and interpreting Article 17 is that technology has opened to the wide world the once-conditional access to nearly all forms of human knowledge. While this has lifted old economic barriers, the

1

Directive of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ 2000 L 178, p. 1).

3 How Article 17 of the Digital Single Market Directive Should Be. . .

51

creators and the content industries need to be able to regain control of their work dissemination to be compensated for it. This provision is aimed at reintroducing the exclusive right of making content available. It does so by requiring a special category of ISPs (Internet service providers) to contribute and do whatever they can to prevent copyright infringement, according to their own dimension and the availability of technological solutions. This provision is aimed at legitimate content traders—not at those that are professionally dedicated to acts of piracy. Examples of such are some providers of links to offshore-located servers where copyrighted content is made available without the rightsholders’ authorization; these providers disrupt legal businesses by facilitating unfair competition. The final sentence in Recital 62 expressly excludes them from this Directive’s scope. The author would like to express his hope that the online world will soon become a level playing field for everyone because it is a wonderful, brave new world. Nobody’s economic rights should be sacrificed on the altar of the almighty progress and under the false pretence of democratizing access to culture.

2 The Concept of OCSSP According to Article 2 and Recital 62 The basic concept for the operation of Article 17 is online content-sharing service providers, hereafter referred to by the acronym OCSSP. The definition is important for the scope of application of intermediary liability and resides in Article 2(6), complemented by Recital 62: provider of an information society service of which the main or one of the main purposes is to store and give the public access to a large amount of copyright-protected works or other protected subject-matter uploaded by its users, which it organizes and promotes for profitmaking purposes.

What is a large amount? Is there any threshold that we can use as a criterion? And how do we determine the main purpose of a provider of an information society service (ISP)? According to Recital 62, there is, at least, one clue for determining which companies are OCSSPs: only those that play an important role in the online market by competing with other online content services, such as online audio and video streaming services for the same audiences. In fact, they are in direct competition with other content providers that must license the content they provide, such as Netflix, Spotify, iTunes, Amazon, RDio, Deezer, just to name a few. There have been, in fact, many claims of unfair competition by content-sharing platforms that do not get licences on account of invoking the safe harbour contained in ECD. This was, in fact, the so-called issue named ‘value gap’, which aroused a strong discussion, leading to the compromise text that we have now and must transpose into the internal frameworks of each

52

V. C. Rosa

Member State. The main problem seems to be that, so far, these types of contentsharing platforms do not assume any need to negotiate with rightsholders. They are just willing to pay rights on a voluntary basis, threatening to invoke the ‘safe harbour’ if their terms (prices) are not accepted. However, there is another important clue: these providers organize and promote content to attract an audience to their audio and video streaming services. This reflects an aspect that has already been expressed by the Court of Justice of the European Union (CJEU) to distinguish active ISPs from passive or neutral ISPs for the purpose of determining the scope of Article 14 ECD. Logically, one of the basic criteria for excluding an ISP from ‘safe harbour’ is whether it actively organizes and promotes the content it provides. This can be done, for example, by profiling the user and showing him/her precisely what matches his/her watching preferences or creating a database and allowing a search engine to help users easily find the content they are looking for. If we look at CJEU decisions in cases L’Oréal2 and Google France,3 we find that the Court concluded that in order to determine whether the liability of a search engine could be exempted based on Article 14 ECD (safe harbour), one must examine how neutral, purely technical, automatic and passive its behaviour is, implying two requirements: a lack of knowledge and a lack of control of the stored data. In Google France, the CJEU noted that this provider, through its own proprietary software, subjects the data submitted by its advertisers to an organization procedure. According to this procedure, the advertisement is presented in a specific order of appearance, under the control of Google, according to the compensation paid by the advertisers to show their ads. Therefore, Google’s activity amounts to far more than the technical, automatic and passive activity of, for example, a purely storage cloud or a cyberlocker service provider. It was precisely the same criterion that presided over the decision awarded in L’Oréal, where the CJEU found that, since eBay processes data provided by its selling customers, the sales resulting from these commercial offers are, according to eBay, determined modalities. Whenever it is necessary, eBay also pays assistance to its own customers, aiming at optimizing and promoting certain selling offers. Thus, they cease to be regarded as a mere intermediary provider in the sense of Section 4 Chapter II of ECD. The company’s behaviour is no longer neutral nor restricted to mere technical and automatic storage of data provided by its users. Instead, they take a rather active role, with specific knowledge of or control over this data. That case law helped us to differentiate neutral/passive ISPs from active ISPs, actively contributing to removing the ‘safe harbour’. In Article 17, however, we face a stricter notion of ISPs, where we must look at the main purpose or one of the main

2

CJEU, L’Oréal, SA et al. v. eBay International AG, eBay Europe SARL, eBay (UK) Ltd et al,. Case C-324/09, Judgement of 12 July 2011. 3 CJEU, Google France et al. v. Louis Vuitton Malletier et al., Joined Cases C-236/08 to C-238/08, Judgement of 23 March 2010.

3 How Article 17 of the Digital Single Market Directive Should Be. . .

53

purposes: to give the public access to large amounts of copyright-protected works or other protected subject matter uploaded by its users. The importance of distinguishing this particular type of activity from the general notion of ISP is highlighted by three pending Court of Justice of the European Union (CJEU) cases, where the lack of Article 17 of the Digital Single Market (DSM) Directive may lead to exemptions, namely Case C-442/19 (Stichting Brein v News-Service Europe BV) and Joined Cases C-682/18 and C-683/18 (Frank Peterson v Google LLC, YouTube LLC, YouTube Inc., Google Germany GmbH and Elsevier Inc. v Cyando AG (C-683/18)). These are to be decided under the safe harbour doctrine (Art. 14 ECD) in case the Court rules out communication to the public under Article 3(1) of the 2001/29/EC Directive. It will also be interesting to see how the CJEU decides Case C-500/19 (Puls 4 TV GmbH & Co. KG v YouTube LLC and Google Austria GmbH) because in case the Court rules that video platforms play an active role, leading to a loss of the liability privilege, this may cast some light into the issue of liability on behalf of hosting ISPs, even independently from Article 17 of DSM. How shall we make a distinction between OCSSPs and digital piracy websites or peer-to-peer file-sharing services? As we have seen, the last sentence of Recital 62 excludes those services whose main purpose is to engage in or to facilitate copyright piracy. So one distinctive characteristic is the main purpose: if an ISP deliberately aims at providing copyright-infringing content, Article 17 provides them no ‘safe harbour’; if its aim is to share user-uploaded content, requiring users to respect copyright and neighbouring rights, then it falls under the scope of Article 17. The main idea seems to be that the ‘safe harbour’ cannot protect those who deliberately choose to infringe copyright but only those who wish to conduct a legal and compliant service. Reading the General Terms and Conditions (T&C) for subscribing to the service and uploading content may help, but then it is of essence that the OCSSP actually intervenes and cancels the service to those who repeatedly neglect to respect them. All piracy websites and certainly most providers of proxy servers and publicly shared cyberlockers do include those provisions in their T&C. After all, it is an easy way to shift liability to the users. Notwithstanding, there is a need to demonstrate how serious they are about the enforcement of their own T&C. Have there been cases of users who got blacklisted or disconnected for repeated breach? One of the first ISP liability cases where this issue was decisive was the case BMG v Cox in the United States.4 It turned out that repeated infringers were never disconnected because the company’s policy was simply to keep as many users as possible. Another useful criterion would be to evaluate how serious ISPs are about fighting piracy, measured by active policies for enforcement and public engagement in antipiracy policies.

4 BMG Rights Management (US) LLC, and Round Hill Music LP, v. Cox Communications, Inc., and Coxcom, LLC149 F.Supp.3d 634 (3d Cir. 2015).

54

V. C. Rosa

One last important distinctive criterion relies on whether the service actually ‘hosts’ the content. Hosting service providers are different from services that only share hyperlinks to third-party servers where the content is lodged (generally situated in non-copyright-compliant countries or off-shore territories) or services that provide software applications to aggregate data collected from users and generate content that is made available to everyone on the user network (peer-to-peer file sharing). However, if an OCSSP makes use of a third party’s hosting service (e.g. cloud facilities) for providing large amounts of content to the public, it should not be disqualified as an OCSSP for this. So the most important characteristic of an OCSSP seems to be its main purpose, which must be the provision to the public of a substantial amount of content uploaded by its users, as a commercial activity, coupled with the hosting of such content, even though the lodging servers may belong to a third party, as long as these are allocated to the service. Article 2(6) has several explicit exclusions, such as i) search engines ii) not-forprofit online encyclopaedias, iii) not-for-profit educational and scientific repositories, iii) open-source software-developing and sharing platforms, iv) electronic communication services as defined in Directive (EU) 2018/1972, v) online marketplaces, vi) business-to-business cloud services and vii) cloud services that allow users to upload content for their own use. Some of these services would be excluded on account of their not-for-profit nature; others, like search engines, are excluded because they are not hosting the content they give access to. Private cyberlockers do not address the public but only serve as hosts for private content; hence they are also excluded.

3 The Concept of OCSSP According to Recital 63 According to Recital 63, falling under the concept of OCSSP requires a case-by-case analysis, involving the audience gathered as well as the number of files uploaded by the users. This suggests that a small group of users who organize a platform for sharing their own holiday pictures or domestic footage cannot obviously qualify as an OCSSP, even if someone assumes the role of lodging, organizing and promoting such content. The lack of commercial purpose would also prevent qualification as an OCSSP. However, there is a special regime for small providers that do not reach a minimum threshold of five million monthly average viewers. This implies that a provider of content-sharing services may well have a small audience and still qualify as an OCSSP, so the only criterion left out seems to be the amount of content made available, regardless of how many users are actually regular visitors. As such, a caseby-case analysis is always necessary, and, as there is no predetermined threshold, we could almost go by the old saying: ‘I will know one when I see it.’ Nevertheless, we may conclude that there are some obviously included services, such as YouTube, Facebook, Dailymotion, SoundCloud, Twitter, Instagram, TikTok, Snapchat,

3 How Article 17 of the Digital Single Market Directive Should Be. . .

55

TuneIn, etc. It is also important to rely on the notion of user-generated content (UGC), alternatively known as user-created content (UCC): It encompasses any form of content, such as images, videos, text and audio, that has been posted by users on online platforms such as social media and wikis.5 It seems that the definition of OCSSPs is meant to include, prima facie, all those that compete in the UGC market, focusing on capturing advertising and other forms of income for the audience they generate. This is also the reason why the provider’s liability matters so much from the perspective of copyright and neighbouring rights. So for the remainder of this chapter, we shall assume that an OCSSP is a platform or website operator professionally dedicated to the business of sharing UGC among as many people as possible, in order to obtain financial income, through commercial exploitation. We may also compare this approach with the concept of video-sharing platform service, which is presented by Article 1(b) of Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018, amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services in view of changing market realities (Audiovisual Media Services Directive or AVMS). The concept has been inserted in the definitions of the latter, and it means: a service as defined by Articles 56 and 57 of the Treaty on the Functioning of the European Union, where the principal purpose of the service or of a dissociable section thereof or an essential functionality of the service is devoted to providing programs, user-generated videos or both, to the general public, for which the video-sharing platform provider does not have editorial responsibility, in order to inform, entertain or educate, by means of electronic communications networks within the meaning of point (a) of Article 2 of Directive 2002/21/ EC and the organization of which is determined by the video-sharing platform provider, including by automatic means or algorithms in particular by displaying, tagging and sequencing.

Here, the main characteristic seems to be the sharing of video content, whereas an OCSSP may also share other types of content, such as music, games, software, still pictures, drawings and text. Nevertheless, it is interesting to see that, for AVMS, the organization and form of presentation, as well as the use by the public, are also determining factors, side by side with the absence of editorial responsibility by the provider, which seems to match the ‘uploaded by its users’ part of the definition of OCSSPs. In both, the content is provided by the users, not by the service providers themselves. This characteristic may remove from both concepts, for example, all the online professional content services such as BBC Play, audiovisual producers such as MGM and over-the-top (OTT) services such as Netflix, HBO, Apple TV, Amazon Fire TV, etc. These are better qualified as video-on-demand (VoD) services, and as such the AVMS Directive already includes them in the notion of ‘audiovisual media

5

Berthon et al. (2015), pp. 43–62.

56

V. C. Rosa

services’, requiring editorial responsibility as for a television broadcaster and setting up rules.

4 The Right of Communication to the Public Recital 64 and Article 17 nr. 1 take a very affirmative stance in qualifying the activity of OCSSPs as an act of communication to the public, which is, by nature, a form of use of copyrighted works, therefore requiring a licence by itself. The right of communication to the public is established in Article 3(1) of Directive 2001/29/EC but is based upon Article 11bis of the Berne Convention. The EU, despite not being formally a party to the Berne Convention, is nevertheless obliged under Article 1(4) of the WIPO Copyright Treaty, to which it is a party, to comply with Articles 1 to 21 of the Berne Convention.6 In addition, the EU is a party to the 1996 WIPO Copyright Treaty and is, hence, obliged to respect the Berne Convention, where communication to the public was first enunciated as an exclusive right. The Berne Convention distinguishes between communication to the public, broadcast and the public performance of a work, where the latter two are specific modalities of the former. Hence, a different licence is necessary whenever there is a communication to the public by broadcasting (Art. 11bis (1)(i)), a wireless or by wire transmission by an organization that is different from the original one (Art. 11bis (1) ii)) or a public communication of a broadcast by loudspeaker or any other analogous instrument (Art.. 11bis (iii)). In 1961, another international instrument was established, under the World Intellectual Property Organization (WIPO): the Rome Convention of 1961. This statute awarded exclusive public communication rights to performers, phonogram producers and broadcasting organizations, although only in certain cases, namely limiting broadcasters to wireless secondary transmission rights and to communication to the public in places where the admission is paid.7 In December 1996, two new copyright treaties were signed, introducing a new exclusive right, namely the right of making available to the public of their works in such a way that members of the public may access them from a place and at a time individually chosen by them. This right, commonly referred to as the ‘making available right’, translates as the right to use the work or performance on the Internet or any other interactive platform. Article 3(1) of the 2001/29/EC Directive awarded this right to authors, and Article 3(2) extended this right to performers, phonogram producers, cinematographic work producers and broadcasters.

6

CJEU, FAPL et al.v. QC Leisure et al., FAPL v. Karen Murphy et al, Case C-403/08 and C-429/08, Judgement of 04 October 2011, par 189 and the case-law cited. 7 CJEU, Verwertungsgesellshaft Rundfunk GmbH v. Hettegger Edelweiss Hotel GmbH, Case C-641/15, Judgement of 16.02.2017.

3 How Article 17 of the Digital Single Market Directive Should Be. . .

57

There is already an extensive case law from several European courts, namely the Court of Justice of the European Union, on the right of communication to the public. The criteria for qualifying an activity as such have changed more than once; therefore, it is important to take an affirmative stance and state, doubtlessly, that OCSSPs, by definition, do perform acts of communication to the public. Therefore, a licence from the rightsholders is always necessary. Nevertheless, Recital 64 has safeguarded other possible situations that may fall under Article 3(1) and 3(2) of Directive 2001/29/EC to other service providers using copyright-protected content.

5 The Exclusion of Article 14 of the E-Commerce Directive Recital 65 and Article 17(3) are clear in the exclusion of OCSSPs from the ‘safe harbour’ provided by Article 14 ECD in relation to copyright. However, they admit the application of that exemption to other non-copyright related infringements (e.g. defamation, extortion, sexual harassment, phishing, hacking) or any other illicit actions committed by users, to which the requirements for liability exemption will apply, as for any other hosting providers. There is, however, an important difference in relation to the framework of Article 14 ECD: in terms of liability requirements, since OCSSPs are regularly engaged, by the nature of their activity, in communication to the public, they are, therefore, liable for third parties’ damages when they are acting without a licence to perform this communication. So, in this perspective, a copyright licence is like an insurance policy covering the risk of third-party infringement. Under Article 14 nr. 1 a) ECD, a provider that does not have actual knowledge of any illegal activity or illicit information and that, as regards claim for damages, is not aware of facts and circumstances from which that illegal activity or information is apparent, is exempt from liability. This means that only in case of an obvious illegality (generating constructive knowledge, which derives from awareness of certain facts or circumstances) will the provider’s liability be implied, and only for civil damage claims: all other cases imply subjective and direct factual knowledge of the specific illegality committed. According to the previous case law on the matter of ‘communication to the public’, it is essential that the copyrighted content is transmitted or that access thereto by the public in general is, at least, provided by the agent, in a way that was not initially intended by the rightsholders. In the leading case, SGAE, the CJEU has held that: the concept of communication must be construed broadly, as referring to any transmission of the protected works, irrespective of the technical means or process used. in the context of this concept, the term “public” refers to an indeterminate number of potential television viewers.8

8 CJEU, SGAE v. Rafael Hoteles SA, Case C-306/05, Judgement of 07 December 2006 and Mediakabel v. Comissariaat vor de Media, Case C-89/04 Judgement of 02 June 2005, Lagardère

58

V. C. Rosa in order for there to be communication to the public, the broadcast work must be transmitted to a ‘public not present at the place where the communication originates’, within the meaning of recital 23 in the preamble to the Copyright Directive.9

By ‘new public’ the CJEU means an audience for which the act of communication was not initially intended and, consequently, not included in the original act of permission. Let us recall that the CJEU has stated that hotels acted like a retransmission antenna by enabling customers to access broadcasts in bedrooms, whereas they would not be able to do it if it were not for the hotel’s means of distribution (2006); later, the Court stated that the responsibility for acquiring broadcast rights for the whole territorial footprint of a broadcast relied upon the distribution platform operator, in case the original broadcasters had not given their permission, as rightsholders, since the broadcasts reached a new public (2011);10 next, it stated that in case of retransmission by another organization, using different technical means of transmission, there was no need to consider whether there was a new public (2013);11 more recently, the CJEU concluded that a new public was involved whenever technical means of access restriction had been circumvented by an hyperlink (2014).12 However, a dentist would not engage in communication to the public because his main business driver is not the music but the skill or other features related with his profession (2014).13 In GS Media,14 the CJEU made a distinction based on the professional or non-professional provision of hyperlinks that point to websites where the content is hosted, indicating that only in the former case may there be a presumption of infringement knowledge that triggers liability, whereas in Ziggo,15 the Court has also: underlined, on numerous occasions, that the profit-making nature of a communication, within the meaning of Article 3(1) of Directive 2001/29/EC, is not irrelevant.16 (. . .) in order for there to be an ‘act of communication’, it is sufficient, in particular, that a work is made available to a public in such a way that the persons comprising that public may access

Active Broadcast. v. SPRE, GVL and CERT, Case C-192/04, Judgement of 14 July 2005, Nils Svensson et al. v. Retriever Sverige AB, Case C-466/12, Judgement of 13 February 2014, Stichting Brein vs Ziggo BV, XS4ALL Internet BV, Case C-610/15, Judgement of 14 June 2017. 9 SGAE v. Rafael Hoteles SA, pars. 200 to 202. 10 CJEU, Airfield NV and Canal Digital BV v. SABAM and AGICOA, Cases C-431/09 and C-432/09, Judgement of 13 October 2011. 11 CJEU, ITV Broadcasting Ltd, et al v. TV Catchup Ltd, Case C-607/11, Judgement of 07 March 2013. 12 CJEU, Nils Svensson et al. v. Retriever Sverige Ab C-466/12, Judgement of 13 February 2014. 13 CJEU, Società Consortile Fonografici (SCF) v. Marco del Corso, Case C-135/10, Judgement of 15 March 2012. 14 CJEU, GS Media BV v. Sanoma Media Netherlands BV et al., Case C-160/15, Judgement of 08 September 2016. 15 CJEU, Stichting Brein v. Ziggo BV, XS4ALL Internet BV C-610/15, Judgement of 14 June 2017. 16 idem.

3 How Article 17 of the Digital Single Market Directive Should Be. . .

59

it, from wherever and whenever they individually choose, irrespective of whether they avail themselves of that opportunity.17

So the Court concludes that [t]he concept of “communication to the public”, within the meaning of Article 3(1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, must be interpreted as covering, in circumstances such as those at issue in the main proceedings, the making available and management, on the internet, of a sharing platform which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users of that platform to locate those works and to share them in the context of a peer-to-peer network. There are a number of criteria, enumerated by the abundant case law, but the most important aspect for the CJEU is still the novelty of the audience, unforeseen by the rightsholders when the public is undetermined, as opposed to what was in their minds when they gave their original consent. Also of importance is the deliberate intervention by the agent responsible for making the works accessible to the public (as opposed to a small, limited number of users) for commercial reasons. The commercial or profit-oriented activity, by the agent of such communication, based on providing access to such content, thus enhancing the range of people who get access to it (a new public), also plays a part in the definition. This means that the advertising revenue collected by the agent, under the presumption of knowledge criterion of GS MEDIA, would also not be regarded as neglectable. The concern with the respect for copyright, if genuine and fully consequent with actions taken, allows us to consider that it is not a ‘piracy’ service but, instead, a legitimate one. Traditionally, in US law, there are several degrees of direct liability, supplemented by three types of secondary liability (contributory, vicarious and inducement). The lower threshold for direct liability is negligence, like in the European framework under scrutiny: The basic premise of negligence law is additionally that we generally owe third parties a duty to exercise reasonable care in the conduct of our own affairs.18

According to the Restatement (Second) of Torts, §283, to avoid being negligent, actor must act as ‘a reasonable man under like circumstances’.19 The construction of ‘contributory liability’, originating from trademark case law, is based on the test designed in Inwood20 and applies to someone who provides the means to infringe or continues to supply its product or services to another whom he/she knows, or has reason to know, is engaging in infringement and, therefore, indirectly holding such a person contributorily liable for the actions of the latter.

17

Ibidem and also Cases C-466/12 and C-610/15. Farano (2012, p. 45), citing Glannon (2010, p. 118). 19 Farano (2012, p. 45 fn 161). 20 Inwood Labs. v. Ives Labs. Inc 456 U.S. 844 (1982). 18

60

V. C. Rosa

‘Vicarious liability’ also originates in tort law, developed in the Second Circuit as an outgrowth of the agency principles of ‘respondeat superior’.21 It is based on the special position occupied by the secondary infringer, namely involving control and economic benefits. The landmark case is Shapiro,22 followed by Fonovisa,23 and it is parallelly developed for copyright and trademark, relying on a business or contractual partnership where someone controls and derives economic profit from the infringer’s activities. It does not require any kind of knowledge, just the practical as well as lawful capability of putting an end to any act of infringement. In BMG v Cox,24 the Court took the contractual relationship with users as evidence of control for asserting ‘vicarious liability’ to the provider (Cox). The threshold for control may be higher under the Digital Millennium Copyright Act (DMCA) than for common law, but there may be cases where no specific knowledge is required.25 ‘Inducement’ involves a clear intent to cause infringement, way beyond ‘knowledge’. In the case law of the CJEU, namely the cases Ziggo and Filmspeler,26 it was deemed sufficient that the defendants knowingly carried out a high-risk activity and generally expected unlawful uses. This may qualify as a form of presumed awareness of facts or circumstances that rights were being infringed on the platform, which is the basis for a claim of damages, regardless of how many factual details the platform operator actually knows or what the level of intent in relation to each copyright infringement is. So, in conclusion, the qualification of an OCSSP’s activity as the performance of ‘communication to the public’ constitutes the essential basis for liability, for the purposes of the recovery of damages by the affected rightsholder(s), together with the exclusion from the scope of Article 14 ECD because of not being a mere neutral/ passive host of content. It is also necessary for applying Article 13(1) of Directive 2004/48/EC (Enforcement Directive), under which it may respond for the infringement by third parties, i.e. the users, who upload protected material embedded in their own UGC without authorization, despite the need for a copyright licence, either by negligence or with specific intention.

21

See J. Keaton’s opinion in Polygram v. Nevada Polygram v. Nevada, 855 F. Supp. 1314 (D.C. Mass. 1994). 22 Shapiro, Bernstein & Co. v. H.L. Green Co., 316 F. 2d 304 (2nd Cir. 1963). 23 Fonovisa Inc. v. Cherry Auction, Inc, (9th cir. 1996). 24 Fn 4 above. 25 Farano (2012, p. 95 and also 130) See. UMG Recordings, Inc. v. Shelter Capital Partners LLC, 667 F.3d 1022 (9th Cir. 2011), aff’g UMG Recordings v. Veoh Networks Inc, 665 F. Supp. 2d 1099, 1108 (C.D. Cal, 2009) and compare with Viacom International Inc et. Seq. v. Youtube (S.D.N.Y. 2010) (prec.) vacated and remanded by Viacom Int’l, Inc., Football Ass’n Premier League Ltd. v. YouTube, Inc. (2nd Cir. 2012), Docket 10-3270-cv (Apr. 5, 2012) and Tiffany Inc. v. eBay, Inc (S.D.N.Y. 2008) (prec.) at 527. 26 CJEU, Stichting Brein v Jack Frederik Wullems, acting under the name of Filmspeler, Case 527/2015, Judgement of 26 April 2017.

3 How Article 17 of the Digital Single Market Directive Should Be. . .

61

6 OCSSP’s Liability and How to Escape After explaining that the content-sharing activity is subject to a specific liability mechanism, on account of the fact that the content is uploaded not by OCSSPs themselves but by their users, Recital 66 provides some clues into the meaning of ‘high industry standards of professional diligence’: in practice, it is required that the OCSSP: takes all the steps that would be taken by a diligent operator to achieve the result of preventing the availability of unauthorised works or other subject matter on its website, taking into account best industry practices and the effectiveness of the steps taken in light of all relevant factors and developments.

This requirement must refer to the most recent and effective filtering software available. It is a way of updating and reviewing two important CJEU decisions of 2010, namely Scarlet Extended27 and Netlog BV,28 where the CJEU rejected filtering, deemed as a disproportionate obligation, saying that it would be contrary to Article 15 ECD, which bans general monitoring, and to Articles 8, 11, and 16 of the Charter or Fundamental Rights (protection of personal data, freedom of expression and information and freedom of enterprise).29 The CJEU added a special concern for the possibility of processing personal data without satisfying the provisions of EU personal data law and the confidentiality of communications. In Netlog, the CJEU has resumed the same arguments, this time concerning a social network where all users are offered the opportunity to make use, by means of their profile, of the musical and audiovisual works in SABAM’s repertoire, without SABAM’s consent and without Netlog paying any fee to SABAM. In both decisions, the CJEU qualified as general monitoring (i) the filtering of all electronic communications passing via its services, in particular those involving the use of peer-to-peer software, (ii) which applies indiscriminately to all its customers, (iii) as a preventive measure,30 (iv) exclusively at the ISP’s expense,31 (v) for an unlimited period of time,32 (vi) which is capable of identifying on that provider’s network the movement on electronic files containing a musical, cinematographic or audiovisual work in respect of which the applicant claims to hold intellectual property rights, with a view to blocking the transfer of files the sharing of which infringes copyright. The Court also ruled that such a general monitoring obligation would be incompatible with Article 3 of Directive 2004/48/EC, which states that the measures

27

CJEU, Sabam vs Scarlet Extended, Case C-70/10, Judgement of 24 November 2011. CJEU, Sabam vs Netlog, Case C-360/1, Judgement of 16 February 2012. 29 Sabam vs Netlog, par. 44 and Sabam v Scarlet Extended, par. 46. 30 Sabam v.Netlog, par. 37 and Sabam v. Scarlet, par. 39. 31 Sabam v. Netlog, par. 46 and Sabam v. Scarlet, par. 48. 32 Sabam v.Netlog, par. 45 and Sabam v. Scarlet, par. 47. 28

62

V. C. Rosa

referred to by the Directive must be fair and proportionate and must not be excessively costly and that the said injunction: could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications.33

In one particular passage, the Court expresses its concern with the prospect of a monitoring obligation of all or most of the information stored by the hosting service provider concerned, in the interests of those rightholders, that has no limitation in time, is directed at all future infringements and is intended to protect not only existing works but also works that have not yet been created at the time when the system is introduced.34 Article 17(4)(b) and (c) relates to automatic tools that aim at detecting previously identified works or other subject matter, which does not have to be disproportionally expensive, does not cover future works and other subject matter and is supplemented by complaint and redress mechanisms under Article 14(7) and (9) involving human handling. In fact, this is not general monitoring but, instead, a monitoring obligation in a specific case where the protected content has been previously notified by the rightsholder. Under Article 15 of ECD, it is only prohibited for Member States to compel ISPs to monitor the information which they transmit or store or subject them to a general obligation actively to seek facts or circumstances indicating illegal activity. It does not concern the obvious need to cooperate with rightsholders that proactively and previously indicate the works for which they have detected infringement. This is what Recital 47 of ECD, in fact, distinguishes from general monitoring.35 It also seems that the major concern of the Court is for the protection of freedom to conduct business36 on behalf of ISPs and the right to receive or impart information in relation to users. In the Netlog decision, the Court does recall that It follows from the Court’s case-law that the jurisdiction conferred on national courts, in accordance with those provisions, must allow them to order those intermediaries to take measures aimed not only at bringing to an end infringements already committed against intellectual-property rights using their information-society services but also at preventing further infringements.37

These decisions, adopted with such a wide scope, seem, at first reading, to have suddenly forgotten and discarded all the endeavouring promises made in Directive 2001/29/EC regarding the ‘brave new world’ of technological protection measures (TPM) and digital rights management (DRM), which obviously require a specific

33

Sabam v Netlog , par. 50 and Sabam v Scarlet, par 52. Idem. 35 See the contribution of the Council of the EU Legal Service dated 11 October 2017. 36 Sabam v. Netlog, par. 46 and Sabam v. Scarlet par. 48. 37 Sabam v. Netlog, par. 29 and Sabam v. Scarlet, par. 31. 34

3 How Article 17 of the Digital Single Market Directive Should Be. . .

63

acknowledging software to be installed as a pre-requirement for every online use of copyrighted works. As a matter of fact, Recital 47 of Directive 2001/29/EC proclaimed that the technological development will allow rightsholders to make use of technological measures designed to prevent or restrict acts not authorized by the rightsholders of any copyright, rights related to copyright or the sui generis right in databases. Recital 55 adds that ‘Technological development will facilitate the distribution of works, notably on networks and this will entail the need for rightsholders to identify better the work or other subject-matter, the author or any other rightsholder and to provide information about the terms and conditions of use of the work or other subject-matter in order to render easier the management of rights attached to them. Rightsholders should be encouraged to use markings indicating, in addition to the information referred to above, inter alia their authorization when putting works or another subject-matter on networks.’ Furthermore, in a study on the implementation and effects of the Copyright Directive,38 despite its initial disclaimer rejecting any strict correspondence with the Commission’s official position on the subject, it is said that, for the Commission, the main goal of the provision pertaining to the legal protection of TPM was to serve as a support to the successful large-scale introduction of electronic copyright management and protection systems by the private sector.

So what did the DSM legislator have in mind when referring to ‘high industry standards of professional diligence’? It seems quite clear that the law is referring to the most technologically advanced filtering solutions, following the path that was paved by Directive 2001/29/EC, regarding the technological evolution as a form of rebalancing fundamental rights and satisfying the criteria that make filtering a sustainable obligation. For instance, two of the most commonly used forms of TMP are watermarking and fingerprinting, allowing any infringing uses to be traced back to the originator (for instance, when the file is found to be distributed for free over peer-to-peer networks). So, in terms of copyright infringement, it makes no sense that the EU legislator should have put so much effort into drafting a directive to protect TPM (and DRM), encouraging rightsholders to massively adhere to these new forms of tracing their works, only to have the CJEU state that there can be no injunction requiring ISPs to install a filtering mechanism. In addition, none of those two decisions neglects the fact that, once an infringement is communicated to an ISP, there is a duty to prevent further similar infringements; hence, there is no need for a subsequent notification on behalf of the same rightsholder: this is known as ‘notice and stay down’. Of course, this obligation does not stem from Article 14 ECD; it is now a requirement for mature OCSSPs, under the second part of Article 17(4)(c). What stems from those two decisions is an 38 Study commissioned from the IVIR -Institute for Information Law, of the University of Amsterdam, in February 2007.

64

V. C. Rosa

overwhelming concern for the ISP’s economic health and the need to avoid disproportionate costs, something that should be re-evaluated in the light of technological advances and new applications running on free software. Finally, the decisions are aimed at preventing intrusion on user privacy and the right to impart and receive communications. This must also be read in compatibility with third-party rights, such as holders of copyright and neighbouring rights: there are no user rights to receive and impart protected content in breach of IP rights, and the Court’s words may not be interpreted in that manner. All the Court wishes to protect is the freedom to communicate legally, and this did not stop the Court from saying, in the above-referred Ziggo decision, for example, that peer-to-peer file sharing requires preventive authorization since it involves the performance of ‘communication to the public’. So we do have to review our reading of those decisions in light of modern technology or, at the very least, restrict their effect to the rejection of a complicated, costly, permanent software solution, solely at ISPs’ own expense, which would jeopardize their own freedom to conduct their own business in the way they freely decide. In other words, this meant that this restriction would not apply, for example, to standard IP protection software, especially if the costs of these market solutions were reasonable. In other words, supposing the software is to be available at a moderate cost, then, it should not continue to be regarded as ‘an unbearable obligation’ on behalf of ISPs. It is also pertinent to recall that the CJEU has recently returned to the issue of ‘general monitoring’ as opposed to ‘specific monitoring’ in the Facebook case,39 which is precisely the aim of Article 17(4) and the second paragraph of Article 8. This case was not about copyright but was about defamation. However, the same principles apply to copyright. If we carefully read paras. 40, 41 and 45 of that decision, we may conclude that it could apply to Content Acknowledging even in cases where uploaders make unsubstantial changes just to try to avoid the filtering mechanisms. The CJEU has clearly widened its perspective of what constitutes ‘similarity’ of content for the purposes of Recital 47 ECD. The key in distinguishing general from specific monitoring lies in the fact that rightsholders are requested to previously inform OCSSPs of the content (works or other subject matter) that is copyright protected and, preferably, duly fingerprinted or watermarked to enable accurate acknowledgement by algorithms that must be designed to detect it easily. Such automated forms of detecting illegal content are already available, at a various range of prices, for all types of OCSSPs to be able to adopt them, and they are becoming increasingly accurate, as a recent French report by the Conseil Supérieur de la Propriété Littéraire et Artistique (CSPLA) Mission on the effective application of copyright on digital-sharing platforms40 has enhanced.

39 CJEU, Eva Glawischnig-Piesczek v. Facebook Ireland Ltd, Case C-18/18, Judgement of 03 October 2019. 40 Available at https://www.culture.gouv.fr/. Accessed 05 May 2020.

3 How Article 17 of the Digital Single Market Directive Should Be. . .

65

This is the burden that rightsholders must take as a first step to enable ‘notice and take down’ initiatives towards OCSSPs. In addition, things have also changed in the way the legal system perceives ISPs, and the distribution of enforcement costs with ISPs is no longer taboo, in view of the economics of the Internet. See, for instance, the French Supreme Court Decision of 06.07.2017, according to which ISPs are the parties that are better positioned to support the cost of copyright enforcement. Everything considered, we think that Article 17(4) and Recital 66 are a step in the right direction, since this solution represents the use of tools provided by technology to fight a challenge generated by technology itself. As Charles Clarke once said, ‘the answer to the machine is in the machine’. However, as a result of the extremely heated debates held in the EP, there is now a very strong stance taken by Article 17(5) in relation to the requirements of proportionality to evaluate whether the OCSSP has complied with its obligations under Article 17(4). According to the provision, the following elements, among others, shall be considered: (a) the type, the audience and the size of the service and the type of works or other subject matter uploaded by the users of the service; and (b) the availability of suitable and effective means and their cost for service providers. This serves to demonstrate that the real concern is about providers’ economic welfare. Therefore, smaller service providers, with a limited audience, offering a specific type of works or other subject matter in a highly restricted market may be excused for not making the most advanced content recognition technologies available to their users, if it would be too expensive for them. Anyway, as Recital 66 recommends, ‘[a]ny steps taken by service providers should be effective with regard to the objectives pursued but should not go beyond what is necessary to achieve the objective of avoiding and discontinuing the availability of unauthorised works and other subject matter’. This requirement explains, for example, that new online content-sharing service providers with an annual turnover below EUR 10 million, of which the average number of monthly unique visitors in the Union does not exceed 5 million, should not affect the availability of remedies under Union and national law. These smaller and medium enterprise (SME) operators are subject to a specific framework, which, in practice, despite continuing to impose licensing on account of their activity being qualified as ‘communication to the public’, leaves their liability exemption at the same level as it would be under Article 14 ECD. They will only be responsible in the case of a rightsholder notice that they may have failed to expeditiously react to (that is, ‘notice and take down’ only). And these SME OCSSPs will only be subject to Article 17(4)(b) and the second part of Article 17 (4)(c) when their average number of monthly unique visitors exceeds five million, calculated on the basis of the previous calendar year (that is, notice and stay down, also). This is explained by Article 17(6) and Recital 67.

66

V. C. Rosa

So, for the purpose of implementing Article 17, the basic level of cooperation, by which all OCSSPs must cooperate with rightsholders, is by doing their best efforts to get a licence; if the rightsholders do not want to license them, it is not their fault. In that case, they will be limited to the selective removal of, or blocking access to, previously notified proprietary content. The main question that Article 17(4)(a) raises is the following: when can we say that the best efforts have been made? Supposing there is a general licensing tariff, which has been published, legally approved and validly in force, than it would probably make sense to consider that OCSSPs do not apply their best efforts unless they have asked for a blanket licence, as a business obligation, to be assumed before starting to perform their activity as OCSSPs. This blanket licence should be regarded as a requirement for ‘doing business’ as an OCSSP, akin to broadcasters when starting their activity as massive users of copyrighted content. They also need a blanket licence to prevent multiple lawsuits. In fact, OCSSPs are the new broadcasters, the new media, so it also applies to them. For musical works and performances, there are multiterritorial licences in place or, at least, a legal framework that applies: Chapter III of Directive (EU) 2014/26 of 26 of February on Collective Management Organisations (CMOs). However, for the audiovisual sector, the market remains highly segmented, so licensing remains locally based. CMOs, though, are helpful in implementing some of Article 17 provisions since their regular role is to negotiate and publish licensing tariffs for general uses. Furthermore, Directive (UE) 2014/26 of 26 of February requires full transparency and applies a certain amount of principles to the setting up of licensing tariffs, granting its legitimacy. For any rightsholder, in general, publishing general licensing terms and conditions (T&C) and showing an unrestricted will to negotiate licences with OCSSPs should be able to meet his/her part of the burden. After having shown openness and willingness to negotiate, it will be up to OCSSPs as their business counterpart. Once again, we must stress: rightsholders that do not want to license OCSSPs are not obliged to do so. However, a best effort obligation will then apply to OCSSPs, meaning that they will not be liable as long as they remove the protected content previously identified. Now, if OCSSPs and rightsholders do not come to an agreement regarding the licence terms, are they still allowed to claim that they have made their best efforts to get a licence? The logical answer seems to be as follows: as long as there are legal mechanisms in place for setting up a tariff and negotiating a deal, only after having unsuccessfully exhausted all those mechanisms, are OCSSPs allowed to claim having made their best efforts. This leaves out any plain rejection of the obligation to pay a previously legal existing tariff or any refusal to negotiate with rightsholders. In short, only in case of persistent denegation of a licence on behalf of rightsholders can an OCSSP claim a ‘not guilty’ status for the failure to obtain a licence. This should be done on a local basis, so it is possible that ‘one-stop shops’ are to be encouraged for facilitating licensing. This means that, for previously identified works and other subject matter, OCSSPs are required to ensure that they acquire advanced filtering technologies to

3 How Article 17 of the Digital Single Market Directive Should Be. . .

67

prevent the availability thereof on their platforms. Ideally, the information provided by rightsholders to one OCSSP may be the same provided to all, hence the usefulness of a Global Data Registry, an issue that has been already attempted once, but failed to be achieved. In 2014, the project of a Global Data Registry brought together Apple, Amazon, Nokia, PRS, STIM, SACEM, Universal Music Publishing, EMI Music Publishing, ICMP, ECSA and CISAC. Surprisingly, in July of 2014, the project was discontinued, leaving behind a debt of more than $13.7 million. The American Society of Composers, Authors and Publishers (ASCAP) seems to have been the first one to move away from the project and stop funding it. Loss of funding and information gave way to the fear of competition from a more efficient global reference database (GRD) system, which, ultimately killed the dream. It may also have been caused by a dispute over control of the global database and power over the catalogue.41 It is, however, a growing need felt by the market, which will certainly lead to a common European policy.

7 Exceptions and Limitations Available Article 17(7) and (9) is where the true balance between fundamental rights takes place and where most conflicting issues will be raised. It contains mandatory exceptions and limitations aimed at converting copyright into a more flexible right, although remaining an exclusive right. Article 17 is often reported to be contrary to freedom of speech since it requires OCSSPs to filter the uploaded information and prevent the availability of copyrightprotected content. Filtering illegal content through an ex ante evaluation of lawfulness is not contrary to fundamental rights such as freedom of speech or freedom of expression, as has been established in a number of court decisions, not only by the CJEU but also by the European Court of Human Rights (ECtHR). The CJEU has already enhanced the fact that the protection of IP rights is enshrined in Article 17(2) of the Charter of Fundamental Rights42 and that those rights are also protected and guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), signed in Rome on 4 November 1950. Therefore, the Charter seeks to ensure the necessary consistency between both legal instruments.43 The CJEU has also stated, in Funke Medien,44 that freedom of speech and information is not, per se, an acceptable ground for further exceptions or limitations to copyright beyond those already included in Article 5 of Directive 2001/29/EC.

41

Finck and Moscon. IIC 50, 20 December 2018, pp. 77–108. CJEU, Funke Medien NRW GmbH v. BRD, Case C-469/17, Judgement of 29 July 2019 par. 72. 43 Funke Medien NRW GmbH v. BRD, par. 73. 44 Idem, par. 64. 42

68

V. C. Rosa

So, even if we were to regard the issue of filtering or ex ante evaluation as a direct conflict between two fundamental rights, the balance that would be necessary would not accept any solution that could sacrifice one of the fundamental rights in conflict, such as if the copyrighted content were to be made publicly available, even if it was just for a short time. In several ECtHR cases, two fundamental rights, such as freedom of expression or freedom of enterprise, clash with privacy or copyright. They must be regarded as equivalent interests and must be weighed and balanced against each other.45 In fact, we must consider the fact that both the reproduction right and the making available right are exclusive rights according to the WIPO treaties and Directive 2001/29/EC, which render unlawful any online availability that has not been decided or authorized by the rightsholders. And, as Internet experience shows, any form of availability is likely to generate further dissemination of unlimited perfect copies, thus affecting the very essence of such rights, by competing against lawful acquisition. We must also bear in mind that even the ECtHR has clearly admitted the possibility of Internet filtering, namely in the referential Delfi case.46 According to Article 10 (2) ECHR, any interference with freedom of expression must be (i) prescribed by law; (ii) with a legitimate aim, which may be the prevention of crime as well as the rights of others; and (iii) necessary in a democratic society.47 In the case Yildrim,48 the ECtHR stated that the expression ‘prescribed by law’ requires, firstly, that the impugned measure should have some basis in domestic law. However, it also refers to the quality of the law in question, requiring that it should be accessible to the person concerned, who must moreover be able to foresee its consequences, and that it should be compatible with the rule of law.49 The most important ECtHR case about the conflict between copyright and freedom of expression is Ashby Donald v France,50 in which the ECtHR declared that copyright protection is covered by the scope of Article 10(2), clearly distinguishing between political matters, where restrictions may not be tolerated, and commercial matters, where contracting states enjoy a larger degree of discretion. The case has been decided positively in relation to the way the national authorities had acted, given the fact that it dealt with the photographs of a fashion event, a purely commercial affair.51 It must be clearly said that copyright and neighbouring rights are also fundamental rights. Their protection as exclusive rights against the unauthorized dissemination of perfect copies that directly affects the legitimate exploitation by the rightsholders

45

Van der Sloot et al. (2015), p. 220. ECHR, Delfi v Estonia,, App No. 64569/09 16 June 2015. 47 See e.g. ECHR, Golder v. the U.K., App. No 4451/70, 21 February 1975 par 44. 48 ECHR, Yildrim v. Turkey, App No. 3111/10, 18 December 2012, par. 57. 49 Marsoof (2015), p. 2. 50 ECHR, Ashby Donald v. France, App No. 36769/08,10 January 2013. 51 Idem, pars 39–40. 46

3 How Article 17 of the Digital Single Market Directive Should Be. . .

69

meets all the criteria to justify a restriction to freedom of speech/freedom of expression. This makes filtering a legitimate practice in the framework of fundamental rights. In the Pirate Bay case, the ECtHR has also stated that “In the present case, although protected by Article 10, the safeguards afforded to the distributed material in respect of which the applicants were convicted cannot reach the same level as that afforded to political expression and debate. It follows that the nature of the information at hand and the balancing interest mentioned above, both are such as to afford the State a wide margin of appreciation (. . .).”52 We must also bear in mind that users may very well choose to freely express themselves in multiple ways, without necessarily having to infringe third-party copyright, e.g. by asking for a licence themselves, in case OCSSPs licenses do not exist or do not cover their users. Another argument that has been constantly repeated to attack Article 17 is the argument of disproportionality in relation to legitimate exceptions or limitations like parody or quotation. Here, the argument is that an automatized filtering system is not sensitive to legitimate exceptions, and therefore there would be an unnecessary blocking of legal content, to the prejudice of the users. This would be the result of overblocking or overfiltering, if we prefer this expression. The argument is too biased towards the side of users: if we think of the Internet as a major mall or supermarket where every product can be taken for free and where the only means for enforcing the payment of the price is by installing an alarm at the door or several alarm-equipped barriers, the argument is the same as saying that the alarms should be permanently switched off because some consumers are entitled to take some products for free so that the alarm should not be offset by those lawful consumers. This, in turn, stifles widespread abuse—it is only human nature— whereas an appropriate solution would be to verify each case of unjustified alarm bell ringing. Why should the rightsholders, in their condition of exclusive beneficiary owners of the right to make available, need to tolerate a general right to upload their works or subject matter? Is it only to avoid the minor inconvenience of those users who claim to be beneficiary of exceptions or limitations having to demonstrate such legitimacy to bypass the filters? In other words, if the exclusive right to make available is the rule and parody or quotation the exception, why should the default settings favour the latter and compel the former to engage in an unlimited and possibly ineffective chase of infringers? Is it not the very denial of the exclusive right? It seems that the Internet has really turned the rules of the offline world upside down, and now the Internet is a kind of public domain, where everyone has the right to upload and share content freely with the whole world, if desired, and then it is up

52

Ibidem, par. 641 cited by te ECtHR in Fredrik NEIJ and Peter Sunde Kolmisoppi v. Sweden, App. No. 40397/12, 19 February 2013.

70

V. C. Rosa

to the so-called owners of the so-called exclusive right to fight a never-ending and seldom lost battle for preserving their rights. The author is sure that neither the European legislator nor the CJEU ever meant to illegalize filters that can be activated by ISPs, following the initiative of the rightsholders or their representatives, in order to prevent future reiterated infringements of the same nature, namely through the illegal uploading of the same works or subject matter. European law does not encompass the awarding of an exclusive right to make available and inherent the protection of DRM systems that enable identification of works and another subject matter in the digital environment, only to allow a general breach to such right by banning ex ante filtering. The latter seems to be, in fact, the only effective way to fight widespread illegal content uploading. All that is required is that there is a rebalancing of copyright and neighbouring rights with user rights, at the ‘marketplace’. It is up to OCSSPs to install technological systems that make such rights effective, reinstating the exclusive right of uploading, without prejudice to legitimate exceptions and limitations, which can be demonstrated by those that claim to benefit by means of third-party certification. There is no point in ‘turning-off’ all the alarms just to avoid false positives. These are generally reported to be statistically very rare. Exceptions and limitations do exist, precisely in order to allow that balance between the exclusive rights of creators and the freedom of (re)creation by users, who may eventually include third parties’ protected material into their own UGC, either inadvertently or by careless knowledge (wilful blindness). The circumstance of the inexistence of a global work/performances database favours negligent activity. However, collective management organizations do exist and one of their jobs is to connect the users to the rightsholders, and therefore CMOs must be part of the solution. Besides this, the law also includes the protection of rights management information, so technology works both ways. There is no ‘bad’ or ‘good’ technology; it is the purpose of its use that defines it. The need for legal certainty and clarity in relation to what is permitted under the exceptions of quotation, criticism and review on one hand and caricature, parody or pastiche on the other, will require the full commitment of Member States in applying such mandatory exceptions in a rather uniform way among themselves, except in cases of national specificity. This is also a goal that is perfectly attainable through the approach suggested above, inspired by the AVMS Directive. The other exceptions and limitations available are all those considered in Article 5 of Directive 2001/29/EC, but since only one of these is mandatory, EU Member States may have a quite different framework in relation to each other. That is why the DSM legislator determined the mandatory adoption of quotation, criticism and review on one hand and caricature, parody and pastiche on the other hand. These exceptions and limitations are not new, since they are already in the closed list of Directive 2001/29/EC. And, as such, they must be applied within their own limits and with consideration of their nature as exceptions and limitations to exclusive rights rather than ‘user rights’. This is the subject addressed by an

3 How Article 17 of the Digital Single Market Directive Should Be. . .

71

Association Littéraire et Artistique Internationale (ALAI) draft opinion,53 in reaction to an academic paper dated November 19, entitled ‘Safeguarding User Freedoms in Implementing Article 17 of the Copyright in the Digital Single Market Directive: Recommendations from European Academics’.54 This latter paper is based on the idea of giving users an opportunity to invoke the use of an exception or limitation before OCSSPs taking the content down, i.e. in other words, setting up a presumption of lawful use. This presumption is not compatible with Art 17 and would hurt the main principles of copyright as well as increase the damage to the rightsholder, given the fact that the protected content would still be available during the evaluation. Quotation, criticism and review, according to Article 5(3)(d) of Directive 2001/ 29/EC, is admissible provided that they relate to a work or other subject-matter which has already been lawfully made available to the public unless it turns out to be impossible, the source, including the author's name, is indicated and that their use is in accordance with fair practice and to the extent required by the specific purpose. As particular guidance in the way to interpret and implement this exception or limitation, we may now return to Funke Medien,55 where the CJEU says that we need to take into account the nature of the ‘speech’ or information and its particular importance, inter alia, political discourse and discourse concerning matters of public interest.56 Parody, for example, according to Article 5(3)(k) of Directive 2001/29/EC has been the subject of the CJEU decision Deckmyn.57 According to this decision, it is an autonomous concept of EU law, whose essential characteristics are (i) to evoke an existing work while being noticeably different from it and (ii) to constitute an expression of humour or mockery. It is not subject to the condition that the parody should display an original character of its own, other than that of displaying noticeable differences with respect to the original parodied work. It must be made in a way that it can reasonably be attributed to a person other than the author of the original work itself; it should also relate to the original work itself or mention the source of the parodied work. There must always be a fair balance between, on the one hand, the interests of rightsholders and, on the other hand, the freedom of expression of the user of a protected work who is relying on the expression of parody, within the meaning of

53

Available at https://www.alai.org/en/assets/files/resolutions/200330-opinion-article-17-directive2019_790-en.pdf. 54 Available at https://www.ivir.nl/recommendationsarticle17/. 55 CJEU, Funke Medien NRW GmbH v.Bundesrepublik Deutschland, Case C-469/17, Judgement of 29 July 2019. 56 See also ECHR, Ashby Donald and Others v. France, App No. 36769/08, par. 39, 10 January 2013; Barbulescu v. Romania, App No. 61496/08, par. 30, 05 September 2017; Axel Springer v. Germany, App No. 39954/08, 07 February 2012, par. 90; Von Hannover v. German, No. 1 and No. 2, App Nos. 40660/08 and 60641/08, 07 February 2012, par. 109. 57 CJEU, Johan Deckmyn, Vrijheidsfonds VZW v. Helena Vandersteen, Case C-201/13, Judgement of 03.09.2014 par. 74.

72

V. C. Rosa

Article 5(3)(k) of Directive 2001/29/EC. This flexibility must be seen as valuable guidance for the practice of disseminating so-called memes. It requires that parodies do not involve an abusive appropriation of the parodied work, thus allowing a clear distinction from the parody itself, even as regards the identity of each author, as well as the obvious need to identify the source, in the absence of which it may be rejected as a lawful exception case. Who will be able to evaluate whether the user is entitled to benefit from these exceptions and limitations? Recital 70 and Article 17(9) build on the subject of complaint and redress mechanisms, alternative dispute mechanisms (ADR) and right of access to courts of law. There is also reference to the need to ensure respect for the EU framework of personal data protection and a special duty by OCSSPs to inform their users in their terms and conditions that they can use works and other subject matters under exceptions or limitations to copyright and related rights provided for in Union law. This relates to the subject of exceptions and limitations but does not mean that this information should be restated every time there is a prima facie situation of copyright infringement, as if OCSSPs were compelled to allow the claiming for an exception or limitation before blocking or removing the copyright protected content. The need to implement complaint and redress mechanisms that shall mandatorily include human review is a burden that must necessarily fall on the shoulders of OCSSPs as an administrative requirement for their activity. However, the functioning of such mechanisms cannot be influenced by OCSSPs themselves, for example, where decisions are leaning towards granting more audience or more traffic, at the expense of the rightsholder. This calls for an independent review, and this is one reason for suggesting that the Member States should be strongly encouraged to set up independent regulatory bodies for copyright, to monitor the functioning of such mechanisms or even to respond to users in case of any doubt. Another practical form of discharging such obligations could be to commit the supervision of such mechanisms to existing copyright regulators and then foster a cross-European platform of regulators, to harmonize criteria and exchange experiences. Bodies such as these could identify similar practices and issue guidelines that could, in turn, provide users with relevant instructions on how to comply with the law. Another field where there must be room for the Member States to supervise the practical implementation of Article 17 is, of course, complaint and redress mechanisms that OCSSPs must put in place for disputes over the disabling of access to, or the removal of, works or another subject matter uploaded by users. Here, we are addressing the issue of ex post validation of UGC that may qualify for an exception or limitation to copyright, meaning the effective possibility that users must dispose of, for the purpose of defending the legitimacy of restating the UGC back online or making it available. Similarly to the approach taken by the recent revision of AVMS,58 such regulatory bodies should, then, be able to exchange experiences and harmonize procedures

58

Directive (EU) 2018/1808 of 14 November 2018, Articles 30 and 30b.

3 How Article 17 of the Digital Single Market Directive Should Be. . .

73

among themselves, thus contributing towards a more predictable and harmonized application of the rules laid out by the DSM Directive and helping to provide legal certainty.

8 Cooperation Obligations Recital 68 and Article 17(8) are helpful in contributing to densify cooperation obligations between OCSSPs and rightsholders. It seems that Article 17(8) requirements of transparency as well as full cooperation between the rightsholders and the OCSSPs regarding the necessary exchange of information for the purpose of Article 17(4) are precisely designed to foster a framework of foreseeability. This will also enable users to predict and understand the reasons for the prevention of the availability of their UGC. That is why harmonized independent procedures would be useful. It is also expected that, in any situation of UGC being rejected following a notice of copyright infringement, OCSSPs will promptly inform the users affected on the reasons leading to such rejection, thus enabling them to recreate the content without risking another rejection or sustain the legitimacy of the UGC, by invoking either a licence or an exception or limitation. Article 17(8) stipulates that this practice shall not lead to any general monitoring obligation. The subject has been extensively dealt with above, in relation to Article 17(4)(b), which requires the adoption of filtering mechanisms for a previously notified situation. We must also clarify that Article 17(4)(b), when requiring that OCSSPs implement ex ante filtering, is by no means in contradiction with the first paragraph of Article 17(8) ban of general monitoring. It must be regarded by rightsholders and the cultural community, in general, as a way of using technology to regain legitimate control of their own intellectual property and, as a response to the challenge presented by the Internet to the traditional framework of copyright and neighbouring rights, that technology must remain neutral and should not be only used for disrupting copyright rules. In fact, so far, the internet has been used to help users evading the payment of rights and fostering freeriding. It is time for a rebalancing. Rightsholders must be given the same possibilities that are given to users, as regards the technological exploitation of protected works.

9 Scope of the OCSSP Licence Recital 69 explains the scope of the licence to be obtained by OCSSPs, namely by stating that it covers all non-commercial users. OCSSP’s obtained licences are also important for users of their services since they cover acts carried out by them, falling within the scope of Article 3 of Directive

74

V. C. Rosa

2001/29/EC, when they are not acting on a commercial basis or where their activity does not generate significant revenues. This is, of course, another concept that must be construed at the Member State level, meaning that any user that surpasses the threshold becomes liable for copyright, even in cases where the OCSSP is licensed for communication to the public. This means that users can only rely on licensed services for uploading copyrighted content, provided the OCSSP has obtained the relevant blanket licences, covering at least the European market. That is valid, of course, unless the user obtains an individual licence. In fact, there is no legal support for any presumption of lawfulness for UGC, so the risk of liability is, in fact, higher for users than for OCSSPs, given the many possibilities of an exemption that are granted to the latter. Each user is, in fact, the primary infringer of copyright when protected works and other subject matter are used, unless an exception or limitation applies. This leaves room for conscious and zealous users that want to be careful enough to use only licensed works or any other subject matter. There are plenty of licensing offers in the market by CMOs and publishers for such lawful uses, and users would be welcome to previously validate the use of market released material with CMOs, publishers or each national copyright regulator.

10

Stakeholder Dialogues

As regards stakeholder dialogues, foreseen by Recital 71 and nr. 10, it should be said that some of the sessions have been spent discussing and analyzing acknowledgment tools already in the market, meeting all the necessary requirements, especially after the presentation of the French Mission Report of CSPLA and HADOPI (Haute Autorité pour la Diffusion des Oeuvres et la Protection des droits sur Internet) ‘Towards More Effectiveness of Copyright Law on Online Content Sharing Platforms: Overview of Content Recognition Tools and Possible Ways Forward’.59 Content ID is obviously the application that inspired Article 17: it relies on the initiative of rightsholders, which are invited to previously upload the contents that they want to protect, so that the algorithm is able to match them every time someone else uploads the same contents without their permission. In case of such a match, the system prevents the availability of the content, then, the rightsholder is informed and is asked to decide whether it should be removed or shared with the public and whether it should be monetized. In case the user defends that this exploitation should not take place on account of any exception or public domain status of the contents, there may be a complaint. This must be decided by human judgment, and there must always be a legal possibility of having a court decision. During the first sessions, all the rightsholders seemed to praise the technical virtues of CONTENT ID, with some rightholders’ representatives only regretting

59

Available at https://www.culture.gouv.fr. Accessed 05 May 2020.

3 How Article 17 of the Digital Single Market Directive Should Be. . .

75

the strict criteria of YouTube for allowing them to use the tool, depite its limitations. One could generally make a joke about all rightsholders being quite content with Content ID. There are plenty of other solutions in the market, but none has been considered as accurate as CONTENT ID, so that one possible outcome might be to ensure that YouTube licenses it to other OCSSPs. Those rightholders who complained about not getting access to ‘the VIP club’ said that it was due to YouTube’s intention to prioritize those who are willing to monetize their content and leave the rest without access to the tool. Whatever the technological solution is, one thing is quite certain: a best effort obligation by OCSSPs is incompatible with doing nothing.

11

Conclusion

Article 17 represents the legal support for technology-enabled solutions aimed at restoring the exclusive rights of ‘communication to the public’ and ‘making available’. These are highly necessary for the recovering of money and energy invested in intellectual creation. Accuracy in identifying similar or equal content is what may distinguish these technological solutions; however, OCSSPs that do not obtain a licence for ‘communication to the public’ after having applied for such licensing will need to implement some form of filtering technology since Article 17(4)(b) requires that they employ their ‘best efforts’, in accordance with ‘high industry standards of professional diligence’, to ensure the unavailability of specific works and another subject matter previously identified by their rightsholders. That is why Article 17(4)(b) is only applicable to mature and stronger OCSSPs. Otherwise, these latter will become liable for copyright infringement and will be forced to compensate rightsholders for damages, which may be, at least, equal to the putative licensing fees but may even rise to double or more. It only depends on the damage. The most important guideline should be the requirement that copyrighted content uploaded by unauthorized users be prevented from being made publicly available while the legality of its use, whether under a licence, exception or limitation is being verified by the complaint and redressing structures, so that only after such use is cleared as lawful may UGC be accessible to everyone. If OCSSPs do not prevent the widespread dissemination of such content, there will be nothing left of the exclusive right to make available, so this is the only way to make copyright and freedom of speech and information compatible, as fundamental rights of equal importance and dignity.

References Berthon P et al (2015) CGIP: Managing Consumer-Generated Intellectual Property. Calif Manag Rev 4:43–62 Farano BM (2012) Trademark infringement: reconciling the EU and U.S. approaches. TTLF Working Paper No. 14, pp 31–100

76

V. C. Rosa

Glannon JW (2010) The law of torts, 4th edn. Wolters Kluwer Marsoof A (2015) Blocking injunctions protect trademark rights on the internet, https://academic. oup.com/jiplp/article-abstract/10/3/158/786639?redirectedFrom¼fulltext. Accessed 05 May 2020 Van der Sloot B et al (2015) Welcome to the jungle: the liability of ISPs for violation of privacy in Europe. JPITEC 6:211–228

Chapter 4

Fairness in Copyright Contract Law: Remuneration for Authors and Performers Under the Copyright in the Digital Single Market Directive Yannos Paramythiotis

Abstract Articles 18 and 20 of Directive 2019/790 introduce new legal tools for the protection of authors and performers against unfair agreements as regards their remuneration for the contractual exploitation of their works and performances. Article 18 establishes a general principle according to which authors and performers are entitled to receive appropriate and proportionate remuneration when they grant exclusive exploitation rights. The principle can be implemented into the laws of member states with the use of various legal mechanisms. Article 20 provides for a right to additional, appropriate, and fair remuneration when the one originally agreed upon turns out to be disproportionately low compared to the exploitation revenue. The formulation of the provisions leaves room for different interpretative approaches. This fact, combined with the legislative discretion left to national legislators, makes the implementation of the new articles into the legal orders of the member states a challenging task. The author analyzes various issues relating to the scope, interpretation, and national implementation of the new provisions while being critical toward certain choices of the European legislator.

1 Introduction If one were to specify the imperatives of contemporary, democratic, and open societies, one would find that the advancement of art and science, the promotion of knowledge economy and innovation, cultural progress, and independence of the media would fill some of the top positions of the list. These objectives, which contribute to social progress and welfare, cannot be achieved without the work and input of authors of creative works. Authors are a source of progress. They provide intellectual starting material; they shape aesthetic and social trends and

Y. Paramythiotis (*) Democritus University of Thrace, Department of Law, Komotini, Greece e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_4

77

78

Y. Paramythiotis

elevate the intellectual standards of society. However, in most cases, they do not have the means and expertise to communicate their works to society. The failure to disseminate their works would be detrimental for both the authors, as they would be deprived of the economic fruits and moral fulfillment of such dissemination, and society, as the abovementioned social objectives would not be accomplished. The solution to this undesirable outcome is provided by the intervention of commercial entities, usually publishers, producers, or other undertakings of the cultural, educational, media, and technology sectors. Their task is to add value to the creative content and pursue its broad dissemination in the market.1 As far as works of the performing arts are concerned, the chain of dissemination and exploitation also includes performers. Even though their contribution cannot be characterized as creation, it does, however, reflect their individuality and personal character; hence, it is similarly treated by the law to the one reserved for the creation of works. In light of the above, authors, after having created their works or in some cases even before the completion of the creative procedure, seek to assign the commercial exploitation thereof to publishers or producers. This assignment, which takes place through a license contract or transfer of rights contract, can entail a risk for the authors. It is generally accepted that they are in a disadvantageous position when negotiating such exploitation agreements.2 This is mainly due to inexperience in business matters, lack of prior success, financial dependence, absence of legal or business advice, oversupply of the market,3 or even urgent desire to communicate one’s work.4 On the other hand, publishers and producers usually have the experience and the legal support to draft and propose contractual terms that are favorable to their interests. Moreover, it has been observed that in some cases, publishers or producers that operate in the same market tend to harmonize the contractual terms offered to authors, leaving them with no alternatives as far as choosing their counterparty is concerned. Being the weaker party, authors face the danger of granting exploitation rights under very unfavorable terms, often being offered and having to accept “take it or leave it” deals.5 The lopsided nature of such contractual relationships can result in the authors having an insufficient share in the economic results of the works’ commercial exploitation. The economic value of the works is not distributed fairly between the parties of the contract. The same can be said as far as performers and the contracts for the exploitation of their performances is concerned.

1

Hilty and Moscon (2017), p. 72. See Dusollier et al. (2014), p. 36. 3 Aguilar (2018), p. 178. 4 Impatience is one of the factors that have an impact on negotiation balance. It can be the result of moral factors, e.g. dissemination of one’s creation to a wider audience or acquisition of fame, or from economic factors, e.g. lack of income from other sources. For a full analysis of these factors See Kretschmer et al. (2010), pp. 29 ff. 5 See European Commission (2016), p. 175. 2

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

79

This structural imbalance in bargaining power and the lack of ability of general contract law to fully address it has resulted in the adoption, in many jurisdictions, of special legal provisions that intervene in the contractual relationship between creatives and their counterparties to restore the balance and warrant fairness. This set of rules called altogether “copyright contract law” has similar functionality and objectives to consumer protection law or labor law. As Prof. Gerhard Schricker has put it: “Copyright contract law is the freelance author’s labor law.”6 Despite its importance for authors and performers, copyright contract law had been generally overlooked by the European legislator for many years.7 European copyright legislation focused on the granting of exclusive rights and the protection and enforcement thereof, which benefited mainly publishers and producers of protected content. The protection of creatives from their lack of bargaining power was left to national legislation. The result was a mosaic of different protective regimes within the EU, deploying different legal tools of varying intensity. This has changed since the adoption of the Copyright in the Digital Single Market Directive (Directive (EU) 2019/790—“CDSM Directive”). Chapter 3 of Title IV of the CDSM Directive, entitled “Fair remuneration in exploitation contracts of authors and performers,” includes six provisions (Arts. 18–23) dealing with the relationships between authors and performers and their publishers and producers. For the first time, we have a “European Copyright Contract Law.” Does this mean that this field of law is now unified at an EU level? Not really. But a step toward harmonization has been taken. This paper will focus on articles 18 and 20 of the CDSM Directive. Both articles introduce provisions regarding the remuneration of authors and performers for the contractual exploitation of their works and performances. Furthermore, both articles seem to draw inspiration from articles 32 and 32a of the German Copyright Act (UrhG). Consequently, the findings of German case law and legal literature can be of help for the present analysis.

2 Article 18: Principle of Appropriate and Proportionate Remuneration 2.1

Introduction

Article 18 introduces a general principle according to which authors and performers shall be entitled to receive appropriate and proportionate remuneration when they license or transfer their exclusive rights for the exploitation of their works and

See Schricker (1992), p. 246: “Hauptkampfplatz für die Auseinandersetzung zwischen Verwerterund Urheberinteressen ist das Urhebervertragsrecht. Es ist das Arbeitsrecht der freiberuflichen Autoren.” 7 See Priora (2020), p. 1. 6

80

Y. Paramythiotis

performances. The rationale underlying the principle is that authors and performers shall be able to enjoy the fruits of their works and performances and the exploitation thereof to the greatest extent possible. The principle intends to counterbalance the publishers’ and producers’ bargaining power, which usually results in low contractual remunerations for authors and performers. It should be noted that this provision was not part of the initial proposal for the CDSM Directive. It was added later in course of the lawmaking process, possibly because of pressure from stakeholders’ initiatives8 and criticism expressed in legal literature regarding its absence.9

2.2

Scope of Article 18

The scope of article 18 is rather broad as it applies to all authors and performers operating in any market sectors—“digital” or “analog”—except for software creators, who are expressively excluded from the scope of the whole chapter.10 However, some further concretization is needed. Firstly, article 18 only applies to contracts granting exclusive rights. Nonexclusive licenses do not fall under the scope of the provision. This exception can be understood since nonexclusive licenses permit parallel exploitation of the work or performance, therefore additional revenue for authors and performers. Secondly, article 18 applies to any type of contract authorizing the exploitation of a work or a performance. Consequently, the choice of the parties as to which legal tool they use for the grant of rights—exclusive license or transfer of rights—should be irrelevant for the application of the principle. The dogmatic and practical difference between an exclusive license and a transfer of rights is not exactly clear.11 The European legislator clarifies that the decisive element for the application of article 18 is the existence of a contractual authorization as regards the exploitation of works or performances, regardless of the legal tool used by the parties for the granting thereof. Thirdly, the application of the principle of appropriate and proportionate remuneration is restricted to the first license or transfer of rights, namely, the one between the author or performer and the primary exploiter of the works or performances. The licensee-sublicensor may not invoke the

8 Aguilar (2019a) Part I. However, as Aguilar mentions, the legal instrument demanded by the coalition behind this campaign would be a collectively managed unwaivable equitable remuneration right, comparable to that already existing in relation to broadcasts and public performance in most member states. 9 See Lucas-Schloetter (2018), p. 431. 10 See article 23 para. 2 CDSM Directive. 11 Both the copyright transferee and the exclusive licensee can exercise the copyright, prohibit the use of the work by any person—including their transferor or licensor—and initiate legal action against any infringers. Quite characteristically, in U.S. law (17 U.S.C. § 101) the exclusive license is considered a form of transfer of copyright ownership. For an extensive analysis, see Newman (2013), passim.

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

81

principle vis-à-vis the contract with his sublicensee.12 Relevant to this issue is recital 72, which clarifies that the protection of article 18 should also be afforded in cases where the authors and performers grant a license or transfer their rights through their own companies. Indeed, in some cases, for tax or other reasons, authors and performers operate in the market through companies incorporated by themselves. These companies can act either as their agents or proxies or as separate rightsholders if they have acquired the rights to the works or performances from the authors or performers through a deed of transfer. The existence of such transfer shall not mean that the exploitation contract is considered to be concluded by another entity other than the author or performer so that article 18 does not apply. The contract between the author’s or performer’s company and the publisher or producer is not considered to authorize secondary exploitation of the work or the performance. This is a useful clarification from the European legislator since a contrary interpretation of article 18 would result in an unjustified exemption of protection for the relevant authors and performers. A similar approach should be adopted in relation to cases where the author or performer has completed the production of the protected content, e.g., the production of a sound recording, incorporating her works or performances, and subsequently licenses or transfers the master rights to such recording. Regarding this contract, she should still be considered author or performer and not the producer of the recording, thus falling out of the scope of article 18. Moreover, the principle of article 18, as is the case with all copyright contract law provisions of the CDSM Directive, protects authors and performers alike. In other words, authors and performers receive equal protection from the European legislator.13 One could say that the Directive indicates a general application of the principle of equality between authors and performers as regards their protection from unfair exploitation contracts. The importance of this lies in the fact that in some national jurisdictions within the EU, not all national copyright contract law rules are applied uniformly on authors as well as performers. Usually broader protection is granted to authors compared to performers. In light of the duty of consistent interpretation, such unequal treatment, deriving from national copyright contract laws that relate to matters other than the ones regulated in the Directive (e.g., purpose limited exploitation, exploitation of future works, or unknown exploitation modes), should be reconsidered by national courts when applying said national laws. Finally, the principle of appropriate and proportionate remuneration is to be applied only as regards licenses and transfers of rights “for the exploitation” of works and performances. Consequently, contracts that have other purposes do not fall under article 18. According to recital 72, this could be the case when the contractual counterpart acts as an end user and does not exploit the work or performance itself, making the example of some works made by employees. In the latter case, the employer would be the end user if the work is destined for

12 13

Lucas-Schloetter (2018), p. 430. Dusollier (2020), p. 5.

82

Y. Paramythiotis

intracorporate use.14 One could also think of transfers of rights as byways of parental donation or donation for public benefit purposes (e.g., the author of a book transfers her exploitation rights to a charitable foundation). Such contracts would also not be subject to appropriate and proportionate remuneration. For the same reason, article 18 should not apply to contracts with collective management organizations (CMOs) regarding the authorization to manage the author’s or performer’s rights. More specifically, CMOs do not exploit the works and performances but rather hold the exploitation rights in a fiduciary capacity for the purpose of granting licenses to potential exploiters. As regards the exploitation undertaken by the licensed users of the works and performances, article 16 para. 2 of Directive 2014/26 foresees that “Rightholders shall receive appropriate remuneration for the use of their rights. [. . .].” Such remuneration is collected by the CMOs and distributed to the rightsholders after the deduction of the management fee.

2.3

Implementation into National Law

Article 18 introduces a general principle and sets the goal to be achieved by the member states. The specific legal mechanism used to achieve this goal into their national legal orders is left for the member states to decide. One way of implementation could be through a judicial review of the exploitation agreement. Following legal action by the author or performer, the court could revise and amend specific clauses of the agreement should it find that they do not provide for “appropriate and proportionate” remuneration, leaving the rest of the agreement intact. This way, authors and performers would be granted an ex ante contract revision right or a judicial claim to condemn their counterparty to a declaration of intent for the amendment of the contract. The latter has been the choice of the German legislator in article 32 of the German Copyright Act (UrhG). The retrospective amendment of the contract would be determined by what would be regarded as appropriate at the time the contract was concluded. Another way of implementation could be through minimum remuneration rates set out in the law. For example, according to article 33 of the Greek Copyright Act, authors of books shall receive a minimum of 10% of the books’ retail price provided that 1000 copies have been sold, and according to article 36 of the Greek Copyright Act, theater playwrights are entitled to a minimum of 22% of theater box office gross revenue, as far as public theaters are concerned, and 10% of theater box office gross revenue, as far as private owned theaters are concerned. Even though such minimum legal rates seem to be more favorable to 14 The application of the principle of appropriate and proportionate remuneration as regards authors and performers in employment relationships can be contested, even in cases where the employees create works that will be exploited in the market by the employer. Generally, the salary is considered sufficient remuneration for the transfer of the exploitation rights to the employer, because the employer bears the economic risk for the creation and commercial exploitation of the work. For an extensive analysis see Ulrici (2008), pp. 265–383.

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

83

authors and performers, they have often been inapplicable in practice as they have proved to be too rigid to apply in the long term and unable to cover all possible modes of exploitation. On the other hand, claims for the judicial amendment of the contract come with the risk of “blacklisting” authors and performers and with the high costs of litigation.15 They could, however, lead to publishers and producers offering higher fees to authors and performers since agreements with lower fees could become subject to revision at any time. They could probably also put pressure on publishers and producers to negotiate minimum tariffs on a collective level to achieve legal certainty. A mixed system including provisions foreseeing minimum rates and a general clause that would provide for a right of authors and performers to demand a judicial amendment of the exploitation agreement could also be implemented.

2.4

What Is “Appropriate” Remuneration?

The question what would be regarded as “appropriate” remuneration is not easy to answer. Trying to be more specific unavoidably leads to equally vague concepts such as “fair,” “sufficient,” “reasonable,” or “equitable” remuneration. The use of such vague legal concepts might provide flexibility in the assessment of each case; however, it comes with legal uncertainty. This can prove to be detrimental for authors and performers since usually they are the party that carries the burden of argument and proof of what would be an appropriate remuneration in their case. Therefore, it would be advisable for national legislators to introduce more specific criteria and guidelines or even rebuttable or nonrebuttable legal presumptions as regards the appropriateness of the agreed remuneration. For example, national law could foresee that if the remuneration for a specific mode of exploitation has been subject to a collective agreement, such collectively agreed remuneration shall be considered appropriate.16 The same could apply for tariffs of collective management organizations. Naturally, the nature and scope of the use of the works and performances will play an important role in the assessment.17

2.5

What Is “Proportionate” Remuneration?

The reference to “proportionate” remuneration must be interpreted as introducing a rule of remuneration calculated as a percentage of the revenue generated by the exploitation of the works or performances where “lump sum” agreements should be 15

See Dusollier et al. (2014), p. 22. Schulze (2019), p. 684. European Copyright Society (2017). See art. 32 para. 2 of the German Copyright Act. 17 See European Commission (2016), p. 174. 16

84

Y. Paramythiotis

the exception.18 An exception in favor of lump-sum remuneration could be recognized in cases where the contribution of the author or performer in the work is marginal or secondary or where the calculation of the percentage-based remuneration would be practically very difficult or costly. In any case, exceptions from the principle of “proportionate” remuneration should be duly justified.19 It must be noted, though, that depending on the creative sector and the commercial potential of the work, a lump-sum payment can be preferable for creatives as it eliminates the risk of zero or very low remuneration that would be the result of a commercial failure under a percentage-based deal.20 The economic risk is borne by their counterparty in its entirety.21 Mixed remuneration systems providing for a combination of percentage-based remuneration and nonrefundable advances of that remuneration or a lump-sum payment are the most favorable for authors and performers but are rather rare, usually limited to established authors and performers with a strong bargaining position.

2.6

Overridability by Contract?

According to article 18 para. 2, contractual freedom is to be considered in the implementation of the principle of appropriate and proportionate remuneration into national law. Moreover, article 23 para. 1 provides for an obligation of members states to transpose articles 19, 20, and 21 as mandatory law but not articles 18 and 22. Consequently, member states are given the discretion to implement article 18 as a nonmandatory rule in their national legal orders. This is highly problematic. The purpose of rules like the one introduced in article 18 is to address the failure of the principle of contractual freedom to provide for a fair outcome when it comes to exploitation contracts between creatives and their counterparties.22 Introducing a provision that provides for a right of authors and performers to receive proportionate and appropriate remuneration and at the same time allowing for it to be set aside by contractual agreement leads to a logical contradiction. Such rights must be unwaivable if they are to be effective.23 The nonmandatory character of the provision will result in it becoming practically void.

Dusollier et al. (2020), p. 2. See also Rec. 73 CDSM Directive: “[. . .] A lump sum payment can also constitute proportionate remuneration but it should not be the rule. [. . .]”. According to another interpretation of the provision the term “proportionate” means that authors and performers should receive lower remuneration because they are not entitled to the full value of the rights, but only a portion thereof. See Aguilar (2019a) Part I. 19 Peifer (2020), p. 16. 20 Azzi (2017), p. 90. Kretschmer et al. (2010), p. 24. 21 Guibault et al. (2015), p. 109. 22 Lucas-Schloetter (2017), p. 898. 23 Dusollier et al. (2020), p. 13. 18

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

85

In the same context, the question arises as to the permitted extent of a possible waiver. Would the contractual overridability of a national provision implementing article 18 allow authors and performers to waive their right only as far as the appropriacy and proportionality of the remuneration are concerned (waiver of the right to readjust the agreed remuneration), or would a waiver of the right to remuneration altogether be valid? Does the CDSM allow for or a transfer of exclusive rights or an exclusive license to be granted for free? It is not exactly clear.24 Recital 82 CDSM seems to suggest that a waiver of the right to remuneration altogether would be permitted, although things get confusing because the example used in the recital refers to nonexclusive free licenses for the benefit of any users (e.g., creative commons licenses).25 Such licenses are exempted from the scope of article 18 anyhow, exactly because of their nonexclusive nature.26 It is worth noting that what ended up being the “Principle of appropriate and proportionate remuneration” of article 18 was initially introduced as an “Unwaivable right to remuneration.” This indicates that either opposite interests prevailed in the legislative process or that flexibility was deemed necessary for reasons of compatibility of the provision with the various and different legal traditions within the EU. In any case, member states can indeed choose to implement article 18 as mandatory law, given the fact the Directive follows the principle of minimum harmonization, at least as far as articles 18–23 are concerned.27 Member states should do so since this is dictated by the spirit and purpose of the principle. Also, for member states that recognize the principle of good faith and fair dealing as a pillar of their private law system, implementing article 18 as mandatory law might be the only option, if they want to maintain the coherence of their legal order. Furthermore, the spirit of the provision indicates that authors and performers shall have the right to receive appropriate and proportionate remuneration even if the exploitation agreement does not include a clause about remuneration (neither a waiver). In such cases, the gap in the contract should be closed with an interpretation rule in favor of an “appropriate and proportionate” remuneration instead of a rule in favor of the “usual” remuneration, which is the solution usually given by general contract law. Usual remuneration is not necessarily appropriate and/or proportionate.28 Finally, another issue arising from the fact that the mandatory or optional character of the provision transposing article 18 is left in the discretion of member states is that publishers and producers in member states where the relevant rights will 24

The answer should be negative according to Priora (2020), p. 2. Recital 82 CDSM Directive reads: “Nothing in this Directive should be interpreted as preventing holders of exclusive rights under Union copyright law from authorising the use of their works or other subject matter for free, including through non-exclusive free licences for the benefit of any users.” 26 See Sect. 2.2 above. 27 Würtenberger and Freischem (2019), p. 1162. 28 See BGH, Urteil vom 7. 10. 2009 - I ZR 38/07 (OLG München) - Talking to Addison, GRUR 2009, 1148. 25

86

Y. Paramythiotis

be unwaivable will have a disadvantage over their competitors in member states where the principle of appropriate and proportionate remuneration will be implemented as a nonmandatory law.29 Correspondingly, authors and performers based in member states where their rights can be waived may be preferred by publishers and producers over their colleagues based in member states where the right to appropriate and proportionate remuneration will be unwaivable.30 Subsequently, the implications of the discretion given to the member states will be more far-reaching for the single market than the lack of uniform implementation of the principle.

3 Article 20: Contract Adjustment Mechanism 3.1

Introduction

According to article 20, authors and performers shall have the right to claim additional, appropriate, and fair remuneration for the exploitation of their works or performances when the one originally agreed on turns out to be disproportionately low compared to all the subsequent relevant revenues derived from such exploitation. This is what is commonly called a “best-seller provision.” Cultural products are so-called experience goods, meaning that they must be first consumed for their value to be determined.31 As a result, their commercial potential might be miscalculated. Furthermore, authors and performers often grant their rights for a long time and for lump-sum remuneration, which can prove to be too low in the course of commercial exploitation. The purpose of best-seller provisions is to reassess the allocation of the economic value of the works and performances in favor of authors and performers when their works and performances turn out to be overly successful in the market. They serve to trigger improved financial conditions for everyone involved in the creative value chain, not simply those with the highest bargaining power.32 Their justification and dogmatic foundation, depending on their specific formulation, can be found in the guidelines of the good faith and fair dealing principle and the unjust enrichment doctrine.33 Best-seller provisions can already be found in German,34

29

Houareau (2019), p. 638. Hentsch (2019), p. 352. 31 Bently et al. (2017), p. 54. 32 See Aguilar (2019b) Part II. 33 See Berger (2003), p. 677. 34 Art. 32a German Copyright Act. 30

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

87

French,35 Belgian,36 Czech,37 Croatian,38 Dutch,39 Hungarian,40 Portuguese,41 Polish,42 Romanian,43 Slovenian,44 and Spanish45 law. Some of the most notable cases regarding the application of a national best-seller provision include the “Das Boot” and “Fluch der Karibik” cases before the German Federal Supreme Court and the “Witcher” case in Poland. In the “Das Boot” case, which was brought before the German Supreme Court twice,46 the cinematographer of the film “Das Boot,” who had initially received a lump-sum fee for the assignment of his copyrights to the film’s producer, invoked article 32a of the German Copyright Act against the producer, as well as the film’s video-cassette/DVD distributor and TV networks that broadcasted the film, and was awarded additional remuneration by the German courts in two different procedures. In the “Fluch der Karibik” case, the voice actor who performed the German dubbing for Johnny Depp’s character “Jack Sparrow” in three films of the famous film franchise “Pirates of the Caribbean” and received a lump-sum fee for the assignment of his copyrights was awarded additional remuneration because the initially agreed remuneration was found to be obviously disproportionate to the revenues derived from the exploitation of the films in home entertainment formats (video/DVD/Blu-ray/video on demand/download to own).47 In the “Witcher” case, Andrzej Sapkowski, the Polish author of the books the successful video game “The Witcher” is based on, invoked the Polish best-seller provision against CD Projekt Red, the video game’s developer. Sapkowski had initially received lump-sum remuneration for the grant of license to develop the video game. The video game went to become very successful. The case was eventually settled amicably with the signing of a new licensing agreement between

35

Art. L. 131-5 French Intellectual Property Code. Only as regards publishing and performance contracts. See articles XI.196(2) and XI.202 of Law of April 19, 2014, on the Insertion of Book XI ‘Intellectual Property’ to the Code of Economic Law, and Specific Provisions to the Book XI in Books I, XV and XVII of the Code. 37 Section 2374 para. 1 New Czech Civil Code. 38 Art. 54 Copyright and Related Rights Act (O.G. 167/2003). 39 Art. 25d Law of March 6, 2003, on the Supervision of Collective Management Organizations for Copyright and Related Rights. 40 Art. 48 Act LXXVI of 1999 on Copyright (as of 28/10/2014). 41 Art. 49 Code of Copyright and Related Rights. 42 Art. 44 Polish Copyright Act. 43 Art. 43 para. 3 Law No. 8 of March 14, 1996 on Copyright and Neighboring Rights. 44 Art. 81 para. 2 Law on Copyright and Related Rights. 45 Art. 47 Royal Legislative Decree 1/1996, of April 12, which approves the revised text of the Intellectual Property Law, regularizing, clarifying and harmonizing legal provisions in force on the matter. 46 See BGH, Urteil vom 22.09.2011 – I ZR 127/10 – “Das Boot”, WRP 2012, 565, BGH, Urteil v. 20.02.2020 - I ZR 176/18 – “Das Boot II”, WRP 2020, 591. 47 BGH, Urt. v. 10.5.2012 – I ZR 145/11 – Fluch der Karibik, GRUR 2012, 1248, Kammergericht, Urt. v. 1.6.2016 – 24 U 25/15, mit Berichtigungsbeschl. v. 6.7.2016 - Fluch der Karibik II, GRUR Int. 2016, 1072. 36

88

Y. Paramythiotis

the parties.48 All three cases are good examples of how a best-seller provision can redress the balance and be valuable to authors and performers.

3.2

Scope of Article 20

The scope of article 20 is the same as the one of article 1849 but with the following differences: unlike article 18, the scope of article 20 covers exclusive and nonexclusive exploitation contracts alike. A further difference to article 18 is that article 20 can be also invoked from the representatives of authors and performers if they are dully mandated to do so according to national law. Such representatives might be collective management organizations, guilds, or unions. According to article 21 of the CDSM Directive, these representatives can also initiate alternative dispute resolution procedures as regards disputes deriving from the application of article 20. It must be noted that the exercise of this right is only imaginable in cases of agreements that foresee “lump sum” remuneration, as percentage-based agreements cannot turn disproportionate by their nature. Nevertheless, should the initially agreed percentage be too low, it could be adjusted to a higher level following the invocation of the principle of appropriate and proportionate remuneration. Finally, recital 78 refers to contracts for the exploitation of rights “harmonized at Union level.” Consequently, one could argue that the right to additional remuneration may not be applicable for the exploitation of works and performances regarding nonharmonized rights, like the adaptation right50 (e.g., translations, films based on books). Even so, member states are not prevented from implementing article 20 in their national laws with an extended scope, i.e., including contracts regarding nonharmonized rights. Another important issue regarding the scope of article 20 arises from the inclusion of the “successors in title” of the author’s or performer’s counterparty in the possible debtors of the claim to additional remuneration. It is not exactly clear if the provision’s wording should mean that authors or performers shall have the right to demand additional remuneration, not only from their counterparties but also from any other entity in the licensing chain, e.g. from sublicensees, as is the case with article 32a of the German Copyright Act, or if the term “successors in title” should be understood in a narrower way, restricted, for example, to entities that acquire the whole undertaking of the author’s or performer’s counterparty. The answer depends on the term’s dogmatic subordination. The view expressed in German legal theory is that article 20 does not provide for a direct claim against sublicenses,51 probably because of the use in the German version of the Directive of the term

48

See Hall (2019). See para. 2.2. 50 Bently et al. (2017), p. 48. 51 Peifer (2020), p. 18. Schulze (2019), p. 684. Stieper (2019), p. 396. 49

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

89

“Rechtsnachfolger,” which according to German copyright law does not include licensees.52 The same interpretation is also supported by article 19 paras. 1–2 CDSM, where a differentiation between “successors in title” and “sublicensees” is made. On the other hand, according to article 20, in order to assess disproportionality, the initially agreed remuneration must be compared to “all the subsequent relevant revenues derived from the exploitation of the works or performances,” hence also the revenues gained by third parties in the licensing chain. It would be rather inconsistent to hold the primary exploiter accountable for revenue generated from secondary uses. Moreover, the authors’ and performers’ explicit right to request information on the exploitation by sublicensees, provided for in article 19 para. 2, could indicate that the legislator’s purpose is to include in the scope of the provision any entity that exploits the work or performance by virtue of a contractual agreement. This view could be also supported by the fact that article 20 provides not for a right to amend the contract but for a right to additional remuneration. The latter could be exercised against the counterparty or any other entity that participates in the licensing chain, whereas the right to amend the contract could be invoked only against the counterparty. Should this broader interpretation be correct, the right provided for in article 20 could be exercised directly against subpublishers, distributors, broadcasters, operators of online services, and Internet platforms hosting user-generated content since these types of entities usually obtain licenses from the authors’ and performers’ counterparties, i.e., their publishers or producers. This would be of great importance for authors and performers, especially in the digital world, since in most cases the contract signed between the author or performer and their publisher or producer is followed by licensing agreements between the latter and secondary exploiters, thus extending the value chain of the exploitation.53 It would be undesirable to deprive authors and performers of the possibility to claim additional remuneration at the source of the exploitation revenue. As a result, even if it were to be accepted that the European legislator has not granted authors and performers a right to claim additional remuneration from third-party entities that participate in the licensing chain, national legislators still can choose to do so, following the example of the German legal order. Such a provision would be in conformity with the CDSM.54

3.3

Implementation into National Law

Even though the title of article 20 speaks of a “mechanism,” implying that the implementation method is left open, its wording indicates that member states should introduce a provision providing for a judicial claim for additional remuneration. This

Dreier and Schulze (2018) § 30 Rn 2. See Dusollier et al. (2014), p. 101. 54 Schulze (2019), p. 684. 52 53

90

Y. Paramythiotis

claim can also be submitted to the alternative dispute resolution procedure provided for in article 21, but this course of action may not deprive authors and performers of the right to bring their case before the courts.55

3.4

What Is “Disproportionately Low” Remuneration?

The main condition for the claim of article 20 to be recognized is that the remuneration initially agreed in the exploitation contract is disproportionately low when compared to all revenues generated from the exploitation of the work or performance. According to recital 78, the revenues to be taken into account for the assessment of disproportionality must also include amounts that relate to the work or performance but nonetheless do not derive directly from the exploitation thereof, for example, merchandising revenue. The use of the term “revenues” indicates that the amount to be considered is the gross revenue and not the net profit generated by the exploitation. On the author’s or performer’s side, the contractual remuneration is the only amount to be considered. Any other income of the author or performer deriving from other activities or the exploitation of other works or performances should not play a role in the assessment of disproportionality, even if the defendant’s promotional efforts for the marketing of the contractual work or performance assisted the growth of the author’s or performer’s reputation, which in turn resulted in new professional opportunities and higher fees. The causal connection is loose and indirect. Moreover, the contribution of other factors, such as the quality of the other works or performances, any specific favorable market conditions, or the impact of third-party collaborators could have played a significant role in the generation of the revenue. Moreover, according to recital 78, the economic value of the rights must be “significantly higher” than initially estimated and the agreed remuneration must be “clearly” disproportionate when compared to the exploitation revenue. Consequently, the bar for the establishment is set high. Disproportionality must be obvious; i.e., it must raise an issue of fairness and violate the sense of justice. Profit per se, even if high, should not be sufficient as it serves as a reward for business risk. What should be crucial is the ratio between the agreed remuneration and the revenue generated therefrom. The French legislator has set the limit of disproportionality at 7/12, less of what would have been a fair remuneration.56

See Rec. 78 CDSM Directive: “[. . .] Where the parties do not agree on the adjustment of the remuneration, the author or performer should be entitled to bring a claim before a court or other competent authority [. . .].” 56 See Art. L. 131-5 of the French Intellectual Property Code, the text of which reads as follows: “If the exploitation right has been assigned and the author suffers a prejudice of more than seventwelfths as a result of a burdensome contract or of insufficient advance estimate of the proceeds from the work, he may demand review of the price conditions under the contract. Such demand may only be formulated where the work has been assigned against lump sum remuneration. The 55

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

3.5

91

Foreseeability of the Commercial Success?

Another issue that comes with best-seller provisions is whether they are dogmatically relevant to the frustration of contract and/or revision of contract for unforeseen circumstances doctrines. Should this be the case, the author or performer would only have the right to claim additional remuneration if the market success of her work or performance was unforeseen.57 Would national law be conforming with the CDSM Directive if it provided for a condition of nonforeseeability? Article 20 does not explicitly exclude such a condition,58 and recital 78 underlines that the economic value of the rights should be significantly higher than initially estimated. Should the initial estimation of the work’s or performance’s value, as referred to in recital 78, be a result of thorough market research, the omission or faultiness of which would deprive the author or performer of her right to additional remuneration? Such an interpretation of article 20 would not conform to the purpose of the law as it would render the provision ineffective.59 Indeed, it would be practically impossible for the authors and performers to prove that—despite due diligence—it was not possible to predict the work’s or performance’s success in the market. Consequently, the exercise of the right to additional remuneration should not be subject to the unpredictability of high exploitation revenues.60 Article 20 does not provide for such a condition. Should the national legislator choose to introduce such a condition, national law would be contrary to article 20, which provides for an obligation of the member states to ensure that authors and performers will be able to claim additional remuneration.

3.6

What Is “Additional, Appropriate and Fair” Remuneration?

The additional remuneration of article 20 must be appropriate and fair. However, it must not be proportionate, as is the case with the remuneration of article 18. This means that it can be measured as a specific amount; i.e., it does not have to be defined as a percentage of the defendant’s revenue. Nevertheless, if it is probable that the intensity of the work’s or performance’s commercial success will continue, the court

burdensome contract shall be assessed taking into account the overall exploitation by the assignee of the works of the author who claims to have suffered a prejudice”. 57 This was the case with Art. 36 of the German Copyright Act, which was replaced by Art. 32a in 2002. 58 See Art. 32a para 1(3) of the German Copyright Act, which expressively excludes such a condition: “Ob die Vertragspartner die Höhe der erzielten Erträge oder Vorteile vorhergesehen haben oder hätten vorhersehen können, ist unerheblich”. 59 Lucas-Schloetter (2019), p. 602. 60 Dusollier et al. (2020), p. 19.

92

Y. Paramythiotis

should have the discretion to award the plaintiff author or performer appropriate and fair, percentage-based remuneration. This way, the need for new, costly, and timeconsuming court procedures for the award of future additional remuneration can be avoided.61 The level of the additional remuneration must be set at such height so that the total amount received by the author or performer, i.e. the initially agreed remuneration plus the additional remuneration under article 20, is considered appropriate and fair. Same as the concept of “appropriate and proportionate” remuneration of article 18, the concept of “appropriate and fair” remuneration of article 20 is vague, which will make any prediction as regards the individual assessment of each case by the courts very risky. To provide for some legal certainty, national legislators could introduce minimum standards and methodology for the assessment of fairness. However, such legislative intervention should not limit judicial flexibility to the point where courts will not be able to consider crucial facts and the specificities of each case.

3.7

The Importance of Article 19: Transparency Obligation

As is evident, the right to additional remuneration provided for in article 20 becomes void if the author or performer does not have sufficient insight on the extent of the exploitation of her works or performances and the revenue deriving therefrom.62 Indeed, for one to know if he is entitled to additional remuneration according to a best-seller provision, one must have comprehensive information on the exploitation of her works and performances and its economic value. This is the reason why article 19 CDSM, entitled “Transparency Obligation,” foresees an obligation of the counterparties of authors and performers to provide the latter with “up to date, relevant and comprehensive information” on the exploitation of their works and performances, at least once a year. This information shall include all exploitation undertaken by the counterparty as well as any third party in the licensing chain. Consequently, the provisions of articles 19 and 20 are complementary as far as the protection of authors and performers is concerned. It is characteristic of the connection between articles 19 and 20 that in both cases brought before the German courts that were mentioned above in Sect. 3.1, the plaintiffs first had to raise a claim to obtain information on the exploitation of their work and performance, respectively, in order to support their claims to additional remuneration.

61 62

Reber (2016), pp. 1079–1081. Spindler (2019), p. 952.

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

3.8

93

Implementation as Mandatory Law

Unlike the principle of appropriate and proportionate remuneration, provided for in article 18, the authors’ and performers’ right provided for in article 20 must be implemented into member states’ legal orders as mandatory law.63 The right to additional remuneration cannot be waived. This is, of course, to be welcomed because, as already mentioned earlier under Sect. 2.6, such protective provisions become void if they can be set aside by means of a waiver in the contract. Such a waiver, if permitted, becomes common industry practice at the expense of the weaker contracting party, i.e., authors and performers. However, it must be noted that article 20 entails a limitation of the mandatory character of the provision should an applicable collective bargaining agreement provide for a comparable mechanism. The precedence of collective bargaining agreements and the promotion of collective management of rights is a general tendency in the CDSM Directive.64 This should pose no problem as long as the collective bargaining agreement does not foresee higher standards for the exercise of the right, resulting in lower protection for authors and performers. Furthermore, according to Article 3 para. 4 of the Rome I Regulation,65 where all other elements relevant to the situation at the time of the choice are located in one or more member states, the parties’ choice of applicable law other than that of a member state shall not prejudice the application of provisions of Community law, where appropriate as implemented in the member state of the forum, which cannot be derogated from by agreement. Consequently, the contracting parties cannot bypass the application of article 20 by deciding for the law of a non-EU country as applicable law, if all elements relevant to the contractual relationship are located in one or more member states.66 Should some elements of the contract be located outside the EU, member states could apply the provision implementing article 20 CDSM Directive as an internationally mandatory provision based on article 9 or as public policy based on article 21 of the Rome I Regulation.67

4 Application in Preexisting Contracts According to article 29 para. 1, the transposition deadline of the CDSM Directive is June 7, 2021. Furthermore, according to Article 26 para. 2, the Directive applies without prejudice to any acts concluded and rights acquired before the transposition deadline. Hence, preexisting transfer or licensing contracts seem to be excluded from 63

See article 23 para. 1 CDSM Directive. See articles 8 para. 1, 12, 19 para. 5, 22 para. 5 CDSM Directive. 65 Regulation 593/2008 on the law applicable to contractual obligations. 66 See Rec. 81 CDSM Directive. 67 Dusollier et al. (2020), p. 13. 64

94

Y. Paramythiotis

the scope of articles 18 and 20. However, one could argue that—to the extent that preexisting contracts are still in force after the transposition deadline because their term has not yet expired—the contractual exploitation acts undertaken thereafter do not fall under article 26 para. 2. Consequently, authors and performers should have the right to claim additional, appropriate, and fair remuneration if the remuneration originally agreed upon turns out to be disproportionately low compared to all the subsequent relevant revenues from exploitation acts undertaken after the transposition deadline. Respectively, the mechanism implemented in national legal orders pursuant to article 18 could apply to preexisting contracts under the condition that any exploitation acts undertaken before the transposition deadline are not considered when assessing whether the originally agreed remuneration is appropriate. A different interpretation of article 26 para. 2, precluding the application of articles 18 and 20 to preexisting contracts altogether, would perpetuate contractual unfairness in cases where the term of the exploitation agreement is particularly long, e.g. when the exploitation rights have been granted for the duration of copyright, thus undermining the policy objectives of the Directive.68

5 Concluding Remarks One cannot argue that articles 18 and 20 CDSM are a step in the right direction. The principle of appropriate and proportionate remuneration sets a standard for the systematic interpretation of copyright law in the EU.69 Therefore, it can have a wider effect in favor of authors and performers. Moreover, the introduction of a mandatory best-seller rule is welcomed since some national legal orders within the EU do not provide for such a legal tool. However, the provisions’ actual impact on authors’ and performers’ income will be largely determined by the way the member states will implement them into their national legal orders. Especially as far as the principle of appropriate and proportionate remuneration is concerned, the choice between a nonmandatory or a mandatory rule can be crucial. Moreover, it must be noted that the Directive does not seem to adequately address one of the main problems of authors and performers, which has to do with the practical difficulties or their hesitance to exercise their rights. The alternative dispute resolution procedure foreseen in article 21 presupposes the willingness of the parties to resolve their issues amicably. Empirical evidence shows that this is rarely the case in disputes between authors and performers and the exploiters of their works or performances70 because of the structural imbalance in negotiating power between the parties.71 In

68

Dusollier et al. (2020), p. 11. Priora (2020), p. 3. 70 Schulze (2019), p. 685. 71 Hilty and Moscon (2017), p. 76. 69

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

95

most cases, the need for a trial will not be avoided.72 In view of that, it is argued that the proper way to guarantee higher income for authors and performers in the digital environment is to introduce an unwaivable right to equitable remuneration, which would be paid directly by online platforms, like YouTube, Spotify, or Netflix, to collective management organizations, following the example of the right of performers to equitable remuneration in case of broadcasting or communication to the public of phonograms.73 Maybe this is something the European legislator should consider in the future. Finally, the exception of software creators from the scope of the provisions raises issues as regards the principle of equality.74 The technical and utilitarian nature of software is not enough to justify unequal treatment of software creators compared to creators of other works.75 One must remember that computer programs still enjoy copyright protection. If such protection is justified, so is the protection of software creators. Disclaimer: This paper is part of a postdoctoral research project cofunded by Greece and the European Union (European Social Fund) through the operational programme “Human Capital, Education and Lifelong Learning” under the act “Support of postdoctoral researchers – 2nd round” (MIS 5033021), which is implemented by the State Scholarships Foundation (IKY).

References Aguilar A (2018) ‘We want Artists to be Fully and Fairly Paid for their Work’ - Discourses on Fairness in the Neoliberal European Copyright Reform. J Intellect Prop Inf Technol E-Commerce Law (JIPITEC):160–178 Aguilar A (2019a) The New Copyright Directive: fair remuneration in exploitation contracts of authors and performers – Part 1, Articles 18 and 19, http://copyrightblog.kluweriplaw.com/ 2019/08/01/the-new-copyright-directive-fair-remuneration-in-exploitation-contracts-ofauthors-and-performers-part-ii-articles-20-23/. Accessed 03 Mar 2020 Aguilar A (2019b) The New Copyright Directive: Fair remuneration in exploitation contracts of authors and performers – Part II, Articles 20 and 23. http://copyrightblog.kluweriplaw.com/ 2019/08/01/the-new-copyright-directive-fair-remuneration-in-exploitation-contracts-ofaut ho rs-an d-p erformers -part -ii-arti cles -20 -23 /?do in g_w p_ cron ¼15 89 18 65 75 . 2649030685424804687500. Accessed 05 May 2020 Azzi T (2017) General Report: mechanisms to ensure adequate remuneration for creators and performers. In: von Lewinski S (ed) Remuneration for the use of works. de Gryuter, Berlin/ Boston, pp 85–110

72

Peifer (2019), p. 655. See European Copyright Society (2017). 74 Peifer (2020), p. 16. See also Dusollier et al. (2020), pp. 5–6, according to which the exception should not apply as regards creators of computer programs that are incorporated in complex works like video games. 75 Quite characteristically, various European legal orders provide for rights to additional remuneration like the one foreseen in article 20 CDSM to inventors of patented inventions. 73

96

Y. Paramythiotis

Bently L et al (2017) Strengthening the Position of Press Publishers and Authors and Performers in the Copyright Directive. European Parliament, Directorate General for Internal Policies of the Union. https://www.europarl.europa.eu/RegData/etudes/STUD/2017/596810/IPOL_STU (2017)596810_EN.pdf. Accessed 14 June 2020 Berger C (2003) Grundfragen der “weiteren Beteiligung” des Urhebers nach § URHG § 32a UrhG. Gewerblicher Rechtschutz und Urheberrecht (GRUR):675–681 Dreier T, Schulze G (eds) (2018) Urheberrechtsgesetz, 6. Auflage. Beck, München Dusollier S et al (2014) Contractual arrangements applicable to creators: law and practice of selected member states - study. European Parliament, Directorate-General for internal policies. https://www.europarl.europa.eu/meetdocs/2009_2014/documents/juri/dv/ contractualarangements_/contractualarangements_en.pdf. Accessed 03 June 2020 Dusollier S et al (2020) Comment of the European Copyright Society Addressing Selected Aspects of the Implementation of Articles 18 to 22 of the Directive (EU) 2019/790 on Copyright in the Digital Single Market. https://europeancopyrightsocietydotorg.files.wordpress.com/2020/06/ ecs_comment_art_18-22_contracts_20200611.pdf. Accessed 09 June 2020 European Commission (2016) Impact Assessment on the modernisation of EU copyright rules Accompanying the document Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market. https://ec.europa.eu/digital-single-market/en/ news/impact-assessment-modernisation-eu-copyright-rules. Accessed 10 June 2020 European Copyright Society (2017) General Opinion on the EU Copyright Reform Package. https:// europeancopyrightsocietydotorg.files.wordpress.com/2015/12/ecs-opinion-on-eu-copyrightreform-def.pdf. Accessed 05 May 2020 Guibault L et al (2015) Remuneration of authors and performers for the use of their works and the fixations of their performances. European Commission. http://publications.europa.eu/resource/ cellar/c022cd3c-9a52-11e5-b3b7-01aa75ed71a1.0001.01/DOC_1. Accessed 15 May 2020 Hall C (2019) The Witcher author and CD Projekt end royalties dispute with licensing agreement. https://www.polygon.com/2019/12/20/21032021/the-witcher-author-cd-projekt-legal-battleroyalties-new-contract. Accessed 09 May 2020 Hentsch CH (2019) Die Umsetzung der Urheberrechts-Richtlinie aus Sicht der Games-Branche. Multimedia und recht (MMR):351–355 Hilty R, Moscon V (eds) (2017) Modernisation of the EU Copyright Rules Position Statement of the Max Planck Institute for Innovation and Competition. ISBN 978-3-00-057529-7, Max Planck Institute for Innovation & Competition Research Paper No. 17-12, Available at SSRN: https:// ssrn.com/abstract¼3036787. Accessed 09 May 2020 Houareau R (2019) Die EU-Urheberrechtsrichtlinie aus Sicht der Musikindustrie. Multimedia und Recht (MMR):635–639 Kretschmer M et al (2010) The Relationship Between Copyright and Contract Law. Strategic advisory board for intellectual property policy: a review commissioned by the UK Strategic Advisory Board for Intellectual Property Policy (SABIP), 2010, Available at SSRN: https://ssrn. com/abstract¼2624945. Accessed 10 May 2020 Lucas-Schloetter A (2017) European Copyright Contract Law: a plea for harmonisation. Int Rev Intellect Prop Compet Law (IIC):897–899 Lucas-Schloetter A (2018) Die urhebervertragsrechtlichen Bestimmungen des Richtlinienvorschlags über das Urheberrecht im digitalen Binnenmarkt. Gewerblicher Rechtschutz und Urheberrecht International (GRUR Int):430–433 Lucas-Schloetter A (2019) Copyright contract law. In: Synodinou TE (ed) Pluralism or Universalism in International Copyright Law. Kluwer Law International, pp 597–608 Newman C (2013) An exclusive license is not an assignment: disentangling divisibility and transferability of ownership in copyright. Luisiana Law Rev (La.L.Rev):59–115 Peifer KN (2019) Die urhebervertragsrechtlichen Normen in der DSM-Richtlinie. Zeitschrift für Urheber- und Medienrecht (ZUM):648–658

4 Fairness in Copyright Contract Law: Remuneration for Authors and. . .

97

Peifer KN (2020) Anpassungsbedarf durch die neue Urheberrechtsrichtlinie. Das neue Urhebervertragsrecht und die Verlegerbeteiligung. Gewerblicher Rechtschutz und Urheberrecht (GRUR):14–23 Priora G (2020) The principle of appropriate and proportionate remuneration in the CDSM Directive: a reason for hope? Eur Intellect Prop Rev (EIPR) 42:1–3 Reber N (2016) Comment on Kammergericht, Urt. v. 1.6.2016 – 24 U 25/15, mit Berichtigungsbeschl. v. 6.7.2016 - Fluch der Karibik II. GRUR Int:1079–1081 Schricker G (1992) Urheberrecht zwischen Industrie- und Kulturpolitik. Gewerblicher Rechtschutz und Urheberrecht (GRUR):243–246 Schulze G (2019) Das Urhebervertragsrecht nach Erlass der EU-Richtlinie über das Urheberrecht im digitalen Binnenmarkt. Gewerblicher Rechtschutz und Urheberrecht (GRUR):682–686 Spindler G (2019) Die neue Urheberrechts-Richtlinie der EU (Teil 2). Wettbewerb in Recht und Praxis (WRP):951–959 Stieper M (2019) Ein angemessener Interessenausgleich im Verhältnis von Kreativen zu Rechteinhabern und Verwertungsgesellschaften? Zeitschrift für Urheber- und Medienrecht (ZUM):393–400 Ulrici B (2008) Vermögensrechtliche Grundfragen des Arbeitnehmerurheberrechts. Mohr Siebeck, Tübingen Würtenberger G, Freischem S (2019) Stellungnahme des GRUR-Fachausschusses für Urheber- und Verlagsrecht zur Umsetzung der EU-RL im Urheberrecht (DSM-RL [EU] 2019/790 und Online-SatCab-RL [EU] 2019/789). Gewerblicher Rechtschutz und Urheberrecht (GRUR):1140–1166

Chapter 5

The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM Directive): Ensuring Its Application in the Digital and Cross-Border Environment(s) While Losing the Way to Harmonization? Anna Despotidou Abstract The aim of this chapter is to present the new copyright exception or limitation that has been introduced by Art. 5 of Directive 2019/790/EU (hereinafter CDSM Directive) in order to allow the use of works and/or other protected subject matter in digital teaching activities, including online and across borders. In the context of a short introduction, the ratio of the specific teaching exception or limitation as well as its significance for the improvement and enrichment of the learning experience will be approached. Proceeding, the analysis will focus, first, on the rights covered by the above exception or limitation and, then, on the conditions under which it is provided. Among others, it will be explored (a) what the concept “for the sole purpose of illustration for teaching” implies and to what extent Member States should remain free to specify—in a balanced manner—the proportion of a work (or other subject matter) that may be used for the above purpose and (b) the kind and/or nature of the institutions that are eligible to invoke the specific exception or limitation. Moreover, the condition that each digital use should be accompanied by the indication of the source, including the author’s name, will be examined under the scope of the moral right of attribution. At a further stage, attention will be drawn to the boundaries and “limitations” of the new teaching exception or limitation. These are mainly “created” by the fact that the CDSM Directive allows—in certain, special cases—Member States to subject the application of the respective exception (or limitation) to the availability of suitable licenses in the market (Art. 5 (2)) and to provide that authors (and other rightholders) are entitled to receive fair compensation for the uses of their works (or other subject matter), permitted under it (Art. 5 (4)). In addition, the analysis touches upon the thorny issue that arises when technological protection measures (hereinafter TPMs) restrict uses covered by the teaching

A. Despotidou (*) Law Faculty, Aristotle University Thessaloniki, Thessaloniki, Greece e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_5

99

100

A. Despotidou

exception or limitation in question and comments on the consequences of the application of the three-step test in this context. Concluding, some final remarks are made regarding the estimated impact of the above limitation or exception on e-education/teaching within the existing Union copyright framework as well as on the proper functioning of the internal market.

1 Introductory Remarks (a) Exceptions and limitations (hereinafter E&Ls)1 have been finely mentioned as the area where copyright law and politics intersect,2 since they/it expresses the effort of the legislator (at a national, EU, or international level) to achieve (and maintain) the desirable balance between the rights and interests of authors and other rightholders, on the one hand, and the “users” and/or the society as a whole (general pubic), on the other.3 Among others, education has always been recognized, by copyright

The nature and significance of the distinction between the terms “exceptions” and “limitations” (to copyright), which are used cumulatively or alternatively in the 1996 WIPO Copyright Treaty as well as in the EU Directives cited below (fn2), has been extensively discussed in theory. Apart from the opinion that the distinction “shouldn’t be given effect” [Pila and Torremans (2019), no 13.3.5, pp. 322–323; see also Kallinikou (2008), p. 241], it is generally advocated that only provisions guaranteeing complete third party freedom to use a protected work or other subject matter could be classified as exceptions, while those that subject such a use to payment or other conditions, including transforming the exclusive author’s and related rights into remuneration rights (e.g. through compulsory licenses), are to be regarded as limitations [see Court of Justice of the European Union (hereinafter CJEU), VG Wort v Kyocera, Joined Cases C – 457/111 to 460/11, Judgement of 27 June 2013, par. 33–35; see also Ricketson and Richardson (1998), pp. 3–4, Gervais, (2008), p. 1 (fn 2), Xalabarder (2010), p. 231 (fn 5)]. According to another opinion, however, the term “limitation” (or -more precisely- “limits”) should in any case prevail because preference to the term “exception” is ideologically biased, since it is based on the presumption that exclusivity -in principle- precedes over free competition and access [Marinos (2014), pp. 13–18; compare Synodinou (2008), pp. 138–146, with references]. Although further discussion of the matter obviously lies beyond the scope of this chapter, it should be noted that the terminology in question remains (undoubtedly) within the logic of intellectual property rights and is consistent with the legal traditions of the EU Member States as long as it does not (seem to) establish any “users’ rights” [Lewinski and Walter (2010), no 11.5.11, p. 1022; for a different perspective see Hilty and Moscon (2021), p. 2]. In any case, in the chapter hereunder, the words “exception(s)” and “limitation(s)” will be used interchangeably and mostly simultaneously, bearing in mind that the provision of Art. 5 of the CDSM Directive could, in the light of par. 4, be implemented by the national legislators in the form of either an “exception” or a “limitation”, within the meaning stated above. 2 Marinos (2004), p. 216, Marinos (2003), pp. 94–95, Vagena (2011), p. 240. 3 See, for instance, Recital 6 of Directive 2019/790/EU of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC, OJ L. 130/92—17.5.2019 (CDSM), Recital 31 of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of certain aspects of copyright and related rights in the information society, OJ L. 167/10—22.6.2001(InfoSoc), the preamble of the 1996 WIPO Copyright Treaty (hereinafter 1

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

101

instruments of all levels,4 as a public interest/goal that justifies an exception or limitation to the author’s exclusive rights so the public could gain access to and use protected works (or other subject matter) without any obstacles or any kind of payment, for the purpose of enriching its learning experience and broadening its knowledge.5 Moreover, education is a fundamental right, recognized in the national constitutions of all Member States as well as in Art. 14 of the Charter of Fundamental Rights of the EU (hereinafter the Charter),6 that undoubtedly deserves to be balanced against the author’s (and other rightholders’) exclusive rights.7 This becomes more apparent today since digital technology facilitates not only the dissemination of knowledge, online and across borders, but also the development of—digitally supported—teaching and learning activities provided face-to-face or/and at a distance, in the context of which already-existing protected works (or other subject matter) are being used/“exploited” and, thus, the foundations for future innovation and progress are being laid.8 Furthermore, the outbreak of

WCT); from the relevant EU case-law see, in particular, CJEU: Football Association Premier League v. QC Leisure, Cases C-403/08 and C- 429/08, Judgement of 4 October 2011, par. 164; Painer v Standard VerlagsGmbH et al, Case C-145/10, Judgement of 1 December 2011, par. 132; Johan Deckmyn v Helena Vandersteen et al, Case C-201/13, Judgement of 9 September 2014, par. 27; Technische Universität v Eugen Ulmer, Case C-117/13, Judgement of 11 September 2014, par. 31; Pehlam GmbH and others, Case - 476/17, Judgement of 29 July 2019, par. 32, 59; Spiegel Online GmbH v Volker Beck, Case C-516/17, Judgement of 29 July 2019, par. 36, 54; Funke Medien NRW GmbH v BRD, Case C-469/17, Judgement of 29 July 2019, par. 51; among other commentators, see Pila & Torremans, supra n1, no 13.1, pp. 310-311, no 13.3.2, pp. 318-319, no 13.4.1., p. 324, Gervais, supra n1, pp. 3-4, 12, 13-15, 19, 29, Guibault (2003), p. 1-2, referring to a balance that is inherent in the Berne Convention, Xalabarder (2010), p. 230, Schack (2016), p. 268, Raue (2017), p. 12, Marinos, ibid, Marinos (2020), p. 789, Congleton and Yang (2017), pp. 47, 51, 52. 4 Most importantly, see: Art. 10 (2) of the Berne Convention (BC- Stockholm 1976 Revision); Art. 5 of the CDSM Directive (in connection with Recitals 5-7 and 19-24) and Art. 5 (3) (a) of the InfoSoc Directive (in connection with Recitals 31, 40, 42); Art. 21 of Law 2121/1993 “Copyright, related rights and cultural matters” (Greece); §§ 60a, 60b and 60h UrhG, that have been “added” to German Copyright Law by UrhWissG of 1.9.2017(BGBl. I 3346), on which see Durantaye (2017), pp. 558–560, 565–566, Stary (2018). 5 Xalabarder (2010), p. 230, (2009), p. 6, Raue, supra n3, p. 12. 6 “Right to Education”, in: CFR, Title II (Freedoms), Art. 14, OJ C 326/391 – 26.10.2012. Pursuant to Recital no. 84 of the Directive 2019/790/EU, “This Directive respects the fundamental rights and observes the principles recognized in particular by the Charter. Accordingly, this Directive shall be interpreted and applied in accordance with those rights and principles”. 7 Xalabarder (2010), p. 231; to the same direction, see also “The International Instrument on Permitted Uses in Copyright Law”, available at: https://link.springer.com/article/10.1007/s40319020-00999-8 and https://papers.ssrn.com/sol3/papers.cfm?abstract_id¼3771241 (Accessed on March 15, 2021), according to which the Contracting Parties shall permit uses (of works and other portected subject matter) for the purposes codified in five groups (in Part A of this Agreement) and to the extent justified by the purpose of the use under question. Education is referred to as one of these purposes, in Part A.II.2c (p. 30). For the "Instrument', that is the outcome of an international initiative drafted by almost twenty copyright experts from all-over the world, see in particular Hilty and Moscon, supra n1. 8 Raue, supra n3, p. 12; to this direction see also Gervais (2008), p. 13i.f.–14.

102

A. Despotidou

COVID-19 pandemic during the last year not only forced educational institutions of all levels to radically change the way(s) they operate, by integrating digital technologies into their practices, but also revealed that—in most cases—national copyright laws had to be modified in order to endorse the relevant “changes”.9 As a result, promotion of digital education has been officially recognized as a strategic EU policy response to the COVID-19 crisis, whereas the latter has been largely viewed to be a “turning point” for how emerging technology is (to be) used in education and training in general.10 (b) Directive 2019/790/EU on copyright and related rights in the Digital Single Market (CDSM), which is of interest here, provides for a limited number of E&Ls in the fields of research, innovation, education, and cultural heritage (Title II, Arts. 3–7), which constitute a “closed system” and apply only when the specific statutory conditions are (cumulatively) met.11 By doing so, the Union legislator continues to keep distance from the so-called open systems, which are based on general clauses, such as “fair use” or “fair dealing,” and are deeply rooted in the copyright tradition of common law countries (USA, UK, Canada),12 while, at same time, he/she entrusts the effectiveness as well as the flexibility of the system (of the E&Ls he/she recently

9 For example, due to the pandemic urgency, on 16 March 2020, the Hungarian education system shifted to a “digital working order” and shortly after (on the 16th of April) the Hungarian Government implemented, by Decree 125/2020, Art. 5 of the CDSM Directive alone. The reason for this, urgent and partial, implementation was that the national Copyright Act, although—in compliance with the EU acquis—included an exception for digital uses of works (or other subject matter) for the purposes of classroom education, (it) did not provide an exception for the communication to the public of works (or other subject matter) for educational purposes, which would be necessary in order to provide an appropriate legal framework for the above “digital working order”. In this regard see Ujhelyi (2020). 10 See “Digital Education Action Plan (DEAP) 2021–2027 – Resetting education and training for the digital age”, COM (2020) 624 final, and—in particular—the “Commission Staff Working Document”, accompanying the former [SWD (2020) 209 final], pp. 14–23, where the EU experience (“lessons”) from the COVID – 19 crisis in relation to the so-called “remote emergency education” is eloquently expressed. 11 Critically Geiger, Frosio and Bulayenko (2017), Opinion of the CEIPI (Centre for International Intellectual Property Studies) on the European Commission’s proposal to reform copyright limitations and exceptions in the European Union, CEIPI Research paper no. 2017-09, p. 7–9, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id¼3053983 (Accessed on May 20, 2020); see also Hugenholz (2016), pp. 417–433, Guibault, supra n3, p. 5. 12 Geiger et al. (2017), ibid; see also Xalabarder (2009), pp. 51–61, Congelton and Yang, supra n3, pp. 49–51. A semi-open system of E&Ls can be found in the European Copyright Code (Chapter 5, Art. 5.1.–5.8), that has been drafted as a model law by the Wittem Group (2010); available at: https://www.copyrightcode.en; compare the system on “permitted uses” (of protected works) that is proposed by the “Instrument”, reffered to above, at n7.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

103

enacted) to judicial interpretation.13,14 Furthermore, opting for the maximum degree of harmonization throughout the EU Member States and in contrast to the E&Ls contained in Directive 2001/29/EC (hereinafter InfoSoc), he/she chooses to form the “new” ones as mandatory.15 However, as far as the exception or limitation for teaching activities (of Art. 5) is concerned, this is only partially true if one considers the fact that certain licensing schemes, openly offered in the relevant market and not limiting the scope of the specific exception (or limitation), could still prevail over the latter.16 In any case, the CDSM Directive, trying to retain a high level of protection for authors and other rightholders, on the one hand, and to further harmonize EU copyright law in the digital environment, with an emphasis on cross-border uses, in order to create legal certainty and to ensure the proper functioning of the internal market, on the other,17 introduces—among others—a number of rules that aim to adapt certain, purpose-limited E&Ls to this environment(s). Notwithstanding the questions that may be posed, regarding their relationship to the EU acquis, i.e. to the already existing (similar and partially overlapping) exceptions and limitations of Union copyright law, the “research, education and cultural heritage E&Ls,” provided for in the CDSM Directive (Arts. 3–7), are clearly stated and thoroughly explained by the relevant, extensive, and rather detailed

13 According to the (still) prevailing view in the matter, based on Recital 44 of the InfoSoc Directive, E&Ls, especially when they refer to new uses of copyright works and other subject matter in the digital environment, are to be interpreted strictly, in the light of the three-step test and the need for legal certainty for authors (and other rightholders) with regard to their rights; see, in particular, CJEU: Infopaq International S/A v Danske Dagblades Forening, Case C- 5/08, Judgement of 16 July 2009, par. 56-59; CJEU, ACI Adam BV and Others v Stichting de Thuiskopie, Case C-435/ 12, Judgement of 10 April 2014, par. 22-27; see also Spiegel Online GmbH v Volker Beck, Case C516/17, supra n3, Par. 53 and Funke Medien NRW GmbH v BRD, Case C-469/17, supra n3, par. 69, which use a more general and “moderate” wording; for a critical analysis of this doctrine see Marinos (2003), pp. 99–102, Marinos (2014), pp. 10–13, with further references; compare CJEU, Deckmyn, Case C- 201/13, supra n3, par. 24, that departs from the doctrine of strict interpretation of E&Ls in a much-debated case, in which the fundamental right of freedom of expression was involved; see accordingly the European Copyright Society’s (hereinafter ECS) Opinion on the Judgement of the CJEU in Case C- 201/13 Deckmyn, of 1 November 2014, under the title: “Limitations and exceptions as key elements of the legal framework for copyright in the European Union”, available online at: https://europeancopyrightsocietydotorg.files.wordpress. com/2015/12/deckmyn-opinion-final-with-signatures.pdf and https://ssrn.com/abstract¼2564772 (Accessed on June 10, 2020); for a similar approach see also CJEU, Painer v Standard VerlagsGmbH, Judgement of 1 December 2011, par. 132, 134, regarding the quotation exception. 14 In accordance to a rather convincing opinion, the “dogma of strict interpretation itself may be applied rather flexibly by the Court”; Hugenholz and Senftleben (2011), pp. 25–26. 15 Recitals 1-3 in conjunction with Recital 5 of the CDSM Directive; compare Geiger et al. (2017), supra n11, who insist that “in order to achieve true harmonization and legal security for all players in the creative process” the mandatory nature should be extended to all exceptions and limitations of the EU acquis (p. 8i.f.-9); slightly different Raue, supra n3, p. 12; see also Quintais (2019), p. 7. 16 More specifically see under section. 3.1, in this chapter; in the same spirit, see also Raue, ibid. 17 See Recitals 1-3 in relation to Recital 19.

104

A. Despotidou

recitals and could (or, rather, “should”) be interpreted as being technologyneutral, so as not to restrict future technological developments.18 (c) In the light of the above considerations, this chapter aims to present the new “education”/teaching exception or limitation of Art. 5, which is envisioned to encompass all digital teaching activities, including online and across borders, to analyze the—specific and general—conditions under which it is applied and to examine its own boundaries and “limitations.” These are mainly created by the fact that the CDSM Directive allows—in certain, special cases—Member States to subject the application of the respective exception or limitation to the availability of suitable licenses in the market (Art. 5 (2)) and to provide that authors (and other rightholders) are entitled to receive fair compensation for the uses of their works (or other subject matter), permitted under it (Art. 5 (4)). Furthermore, the analysis touches upon the thorny issue that arises when TPMs restrict uses covered by the teaching exception or limitation in question and comments on the consequences of the application of the three-step test in this context.

2 The “New” Education/Teaching Exception or Limitation 2.1

Content, Nature and Scope of the Exception or Limitation Enacted

(a) To start with, the provision of Art. 5 par. 1 of the CDSM Directive repeats—to a certain extend—and further specifies the content of the optional exception or limitation of Art. 5 (3) (a) of the InfoSoc Directive.19 However, at the same time, it excludes nondigital uses, tied to the “physical” factor,20 as well as uses for

18 Recital 3; see also Raue, supra n3, p. 12, who is critical towards the fact that much is to be explained through the Recitals, complicating unnecessarily the understanding of the E&Ls (presented here) by beneficiaries as well as users, who are not lawyers (!). 19 Raue, supra n3, p. 16, Geiger et al. (2017), supra n11, p. 20; slightly differently Jütte (2019), p. 3, who talks about “clarification and extension” of the previous teaching exceptions or limitations of the EU acquis; for the teaching exception or limitation provided for by Art. 5 par. 3 (a) of the InfoSoc Directive, see -among others- Pila & Torremans, supra n1, pp. 332–333, Lewinski and Walter, supra n1, no 11.5.45–11.5.51, pp. 1041–1045. 20 See Gervais, supra n1, pp. 11, 21 (fn 85), who mainly refers to uses taking place “on the premises” of the educational establishment, whereas the “physicality” of the use, in the context under examination here, basically refers to the material form of the medium (e.g. books and other printed material, such as photos or images, as well as CD-ROMs and DVDs), into which the protected work (or other subject matter) is incorporated. It should be noted, that the teaching exception or limitation of the InfoSoc Directive covers also digital uses, but its cross border effect remains unclear; see Recital 19 of the DSM Directive in relation to Recital 42 of the InfoSoc Directive; compare Xalabarder (2010), p. 235 (fn 18), who, based on the Commission’s Explanatory Memorandum, insists that the teaching exception of Art. 5 (3) (a) of the latter is intended to apply to “the new electronic environment”.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

105

scientific research (of works and other protected subject matter), although teaching and research are closely interconnected at most higher education and research organizations; in addition, it has a mandatory nature, in the sense that all Members States are obliged to incorporate it into their national legal orders,21 though retaining a significant degree of discretion as to the special arrangements for the implementation to be made.22 More specifically, the recently enacted “teaching/ education exception or limitation” applies only to digital teaching activities, either in classrooms (i.e. in face-to-face education) or on online teaching platforms, including across borders, and allows uses that take place for the sole purpose of illustration for teaching, rather than illustration for (both) teaching and research, to the extent justified by the noncommercial purpose of the activity in question.23 Obviously, the new provision is consistent with the general idea that E&Ls should be recognized “for clearly (statutorily) specified purposes,”24 thus falling into the general type of purpose-limited E&Ls,25 and could be read as corresponding to the EU principle of proportionality since it permits only “proportionate uses” of protected works and other subject matter.26 Furthermore, the additional condition of lit. b (of Art. 5 (1)), that the specific uses, in order to be permitted, should be accompanied by the indication of the source— including the author’s name—“unless this turns out to be impossible,” is to be found (also) in the abovementioned provision of the InfoSoc Directive, whereas that of lit (a), which provides that they should take place under the responsibility of an “official” educational establishment, narrows the scope of the recent exception or limitation and has been duly criticized.27 (b) As implied previously, the coexistence of the exception or limitation of Art. 5 of the CDSM Directive with E&Ls of similar content and optional/permissive

21 Recital 19, last sentence; see also Raue, supra n3, p. 17, Geiger et al. (2017), supra n11, p. 19, Quintais, supra n15, p. 7, Jütte, supra n19, p. 2; General Opinion of the ECS on the EU Copyright Reform Package, 24 January, 2017, available online at: https://europeancopyrightsocietydotorg. files.wordpress.com/2015/12/ecs-opinion-on-eu-copyright-reform-def.pdf (Accessed on May 10, 2020), p. 2, 4. 22 See Recital 23 (par. 1) in combination with Rec. 7 (s. 3); according to the latter, Member States “should remain free to choose the appropriate means of enabling the beneficiaries of the exceptions and limitations provided for in this directive to benefit from them”. More specifically, see below in this chapter, under section 3.1. 23 Geiger et al. (2017), supra n11, p. 19 , express the opinion that the recent exception of Art. 5 of the CDSM Directive has “a narrower scope than the teaching and research exception in Directive 2001/29/EC”. 24 See Gervais, supra n1, p. 23i.f., with reference to the Records of the Intellectual Property Conference of Stockholm of 1967, concerning the revision of International Bern Convention, p. 112. 25 As to the categorization of the E&Ls of Directive 2001/29/EC, see Pila & Torremans, supra n1, no 13.2.1.1, pp. 311-314. 26 To this direction see—in particular—Pila & Torremans, supra n1, pp. 310i.f., 314, 320–322, 323–326; in detail see below, under 2.3.1 (c) and 2.3.2. 27 Quintais, supra n15, p. 8, Jütte, supra n19, p. 3, Nobre (2019), p. 2.

106

A. Despotidou

nature, which are to be found in the former Directives 96/9/EC and 2001/29/EC, seems to be troublesome.28 However, taking into account that the new Directive is based upon and complements the rules laid down in the above—already existing— EU legislative acts, as regards uses of protected works (and other subject matter) in the digital environment, including cross-border,29 it becomes apparent that all former relevant provisions of Union law should remain in force as long as they are reassessed in the light of the above uses,30 which are becoming increasingly important in the fields of research, education, and cultural heritage. More specifically and in the context that is of interest here, national harmonized rules, which are compatible with the “education”/teaching E&Ls, provided for in Directives 96/9/EC and 2001/29/EC, and do not limit the scope of the mandatory exception or limitation, provided for in Art. 5 of Directive 2019/790/EU (i.e., explicitly or implicitly “cover” the specific digital uses permitted thereunder, including online and across borders), should not be deleted; or, vice versa, they could remain in force. This might well mean that, for purposes of clarity and/or legal certainty, the former could be modified, as long as they are not narrowed down.31 Moreover, if a Member State has not brought into force exceptions or limitations in the field of education/teaching until today, due to the permissive character of the pre-existing, relevant EU rules, or the ones it has already enacted are formed strictly for the analogue environment, it should adopt provisions to implement the exception or limitation of Art. 5 (of the CDSM Directive) by June 2021,32 more suitably where the national copyright law already provides for (other) E&Ls.33 To facilitate this “interpretation,” the provisions of Directives 96/9/EC (Art. 6 (2) (b) and Art. 9 (b)) and 2001/29/EC (Art. 5 (3) (a)), regarding teaching E&Ls, have been amended accordingly.34

28

According to the Opinion of the ECS (2017), supra n21, p. 4, the new mandatory exceptions of the DSM Directive partly overlap the exceptions of Art. 5 of the InfoSoc Directive, adding to the fragmented approach the Commission has chosen in the area of copyright law compare Quintais and Husovec (2021), p. 14 n45, who advocate that in cases of conflict between E&Ls in the CDSM and InfoSoc Directives the former overrides the latter due to the application of the principle lex posterior specialis derogat legi priori generali, which means that a later special rule overrides an earlier general in relation to its particular scope, even if the later rule does not expressely state so. 29 Recital 4; it should be noted that the scope of exceptions or limitations provided for in Arts. 6 (2) (b) and 9 (b) of Directive 96/9/EC as well as in Art. 5 (3) (a) of Directive 2001/29/EC, as they apply to digital uses, has been considered to be unclear, especially in regards to online and crossborder uses of works and other subject matter (see Recital 5 in conjunction with 19 of the CDSM Directive). 30 Recital 5 of the CDSM Directive. 31 For a similar view see Quintais and Husovec, supra n28, p. 37. 32 According to Art. 29, Directive 2019/790/EU should be transposed into the national legal orders of the 27 Member States by June 2021. 33 According to Art. 25 of the CDSM Directive, for the general interpretation of the E&Ls, provided for in (its own) Arts.3 - 6, pars. 3 and 5 of Art 5 of the InfoSoc Directive remain relevant; see Nordemann and Waiblinger (2020), p. 2. 34 See Recital 5 in connection with Arts. 24 and 25 of the CDSM Directive.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

2.2

107

Rights Covered

The “teaching” exception introduced in Art. 5 of the CDSM Directive applies (according to its own par. 1) to a number of exclusive rights, i.e. authors’ rights and related rights, of economic nature, provided for in a series of directives and, more specifically, in Art. 5 (a), (b), (d), and (e), and Art. 7 (1) of Directive 96/9/EC; Arts. 2 and 3 of Directive 2001/29/EC; and Art. 4 (1) of Directive 2009/24/EC,35 as well as Art. 15 (1) of the same Directive. This means that the Directive concerned here, clearly having a “transverse effect,”36 introduces an exception “for use of works and other subject matter in digital teaching activities” to the right of reproduction of copyright-protected works and other subject matter, including databases and computer programs; to the sui generis database extraction right; to the right of communication and of making available to the public of works and other subject matter (including databases); to the right of alteration of a database and a computer program as well as to the right of distribution of the latter; and, finally, to the “new” related right for press (news) publishers.37 It becomes clear that the— recently enacted—mandatory teaching exception or limitation is applicable to both databases and computer programs, to the extent stated above, opting to permit certain uses of these (particular) kinds of “works” for teaching purposes in the digital environment. Moreover, since the distribution right, in general, is restricted to (the dissemination of) tangible originals or copies of works (or other subject matter),38 the non-applicability of the above exception or limitation to it is compatible to this right’s nature and legal structure, under Arts. 4 of the InfoSoc Directive and 5 (c) of the Database Directive, and is of no (or limited) importance in the context of our analysis. However, the broader—as well as more “flexible”— notion of distribution right under Art. 4 (1) (c) of the Computer Program Directive, comprising, in addition to the offering or putting into circulation of tangible fixations, any other form of distribution to the public, such as all kinds of wired and wireless (including “online”) transmissions of computer programs,39 justifies its limitation for the purposes of Art.

35

Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs, OJ L 11/16–5.5.2009. 36 Raue, supra n3, p. 17, characterizing the “teaching”/education exception (or limitation) of Art. 5 as “Querschnittsschranke”. 37 For the content of this right, as well as a range of arguments against its introduction, see: Opinion of the ECS (2017), supra n21 p. 6;. Geiger, Bulayenko, and Frosio (2016), Opinion of the CEIPI on the European Commission’s Copyright Reform Proposal, with a focus on the Introduction of Neighbouring Rights for Press Publishers in EU Law, CEIPI Research Paper No. 2016-01, available at: https://papers.ssrn.com/sol3/papers¼2921334 (Accessed on June 25, 2020); Quintais, supra n15, pp. 15–16, Quintais (2019-2), pp. 1-2; see also Höppner (2018), pp. 1-21, Höppner, Kretschmer and Xalabarder (2017), Chastanet (2019). 38 Lewinski and Walter, supra n1, no. 11.4.6 (p. 993); Papadopoulou (2010), under heading 3.1.1. 39 Blocher and Walter (2010), no 5.4.31, pp. 133–134.

108

A. Despotidou

5 (1) of the CDSM Directive.40 Towards the same direction, Recital 21 clarifies that the distribution of software, allowed under the specific exception or limitation, should be limited to digital transmission of software. Consequently, any acts that fall into the economic content of the abovementioned exclusive rights of authors and/or other rightholders and are necessary for the realization of digital teaching activities, including those that take place online or across borders, are exempted pursuant to the exception or limitation under examination, provided that the rest of the requirements/conditions, analyzed below, are also met.

2.3

Conditions of Application

As already mentioned, the application of the mandatory exception or limitation of Art. 5 of Directive 790/2019/EU depends on (is “tied” to) a number of conditions that seriously limit its scope. They will be approached in view of considerations and/or opinions expressed in relation to former similar provisions, mainly of EU law, taking into account the objectives of the recent legislative initiative, as expressed in the preamble of this Directive. 2.3.1

Purpose of Use

(a) Article 5 (1) of the DSM Directive allows for exceptions or limitations (to the rights stated above, under section 2.2) for the “sole purpose of illustration for teaching,” thus falling into the general group of the so-called purpose-limited exceptions (or limitations). In the absence of a particular definition and taking into account what has already been said in relation to Art. 5 (3) (a) of the InfoSoc Directive, “teaching” will have to be—basically—understood as under Art. 10 (2) of the Berne Convention,41 notwithstanding the restriction of the recent provision to digital uses, which automatically excludes from its scope uses of protected works or other subject matter in tangible form, such as extracts of textbooks or literature books (i.e., novels), poems, articles published in printed periodicals or newspapers, photos, images, etc. Apart from this and in compliance with Recitals 20–22, the exception or limitation in question is wide enough to encompass digital uses of protected works or other subject matter, online or offline, “that support, 40 For the application of the optional education (and research) exception or limitation of Art. 5 (3) (a) of Directive 2001/29/EC to the right of distribution see Lewinski and Walter, supra n1, no 11.5.74 in conjuction with no11.5.76, pp. 1058-1059; see also Papadopoulou, supra n38, under heading 3.1.1. 41 As wisely proposed by Lewinski and Walter, supra n1 no 11.5.47, p. 1043; for the interpretation of the term “teaching”, under Art. 10 (2) of the BC, see the Records of the 1967 Stockholm Conference, p. 1148; see also Lewinski (2008), no 5.171.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

109

enrich or complement the teaching, including learning activities,” as well as “the use of digital tools and resources, that improve(s) the learning experience”42 at all education levels, namely, in primary, secondary, vocational, and higher/university education, as long as the relevant (teaching and learning) activities are carried out under the responsibility of educational establishments recognized by a Member State.43 In the same context, it is made clear that direct, face-to-face teaching activities, which take place on the premises of the above establishments (e.g., in their classrooms) or in other venues (e.g., in libraries or museums) and rely on uses of protected works (or other subject matter), executed through digital means, as, for example, electronic whiteboards, DVD players, projectors, or other devices, that might be connected to the Internet (e.g., PowerPoint (ppt) presentations), certainly fall under the specific exception. In addition, a variety of similar uses made at a distance, through secure electronic environments, for the purposes of online teaching, either live/interactive (“synchronous”) or asynchronous,44 including access to learning resources that complement distance and/or face-to-face instruction,45 are equally covered. The last option, however, is limited to digital teaching and learning platforms, such as Moodle, COMPUS, or e-Learning, access to which is restricted to the teaching staff (teachers, professors, and research/teaching assistants) of the educational establishment, which is in charge of the particular platform, and to learners (pupils or students) enrolled in an official study program, on the condition

42

Recitals 20 and 21 of the (preamble of the) CDSM Directive. Recital 20, ibid; see also Pila & Torremans, supra n1, p. 333, Lewinski and Walter, supra n1, no 11.5.47, p. 1043. Most probably, all kinds of non-formal education, including the so-called “adult” or “further” education, which take place through planned activities (in terms of learning objectives and learning time) where some form of learning support is present, but (which) are not part of the formal education system, are not covered; see Xalabarder (2009), p. 83; for a recent definition of “formal”, “non-formal” and “informal” education, see “Commission Staff Working Document”, accompanying DEAP 2021-2027, supra n10, p. 96. 44 For further information on Digital Distance Education (DDE), in the context of which students are separated by their instructors by time and/or space, see Xalabarder (2009), pp. 53–55; see also Papadopoulou, supra n38, under heading 3.1.1, with reference to the definition given by the U.S. Copyright Office (1999), Report on Copyright and Digital Distance Education (ID: CDS1866), available at: https://www.copyright.gov/reports/de_rptr.pdf; compare the definitions provided for in the recent “Commission Staff Working Document”, accopmanying DEAP 20212027, supra n10, p. 98, according to which synchronous digital teaching (and learning) happens collaboratevily and at the same time with a group of online learners and usually an educator, while asynchronous may take place at any time, individually or in a group, with inteaction and communication spanning across time. 45 In accordance to a most recent definition, provided for in the “Commission Staff Working Document”, accompanying DEAP 2021-2027, supra n10, p.94, blended learning is a—rather popular—paedagogical approach, that mixes face-to-face and online learning, with some element of learner control over time, place, path and pace. 43

110

A. Despotidou

of authentication, usually confirmed by inserting a username and/or a password.46 On the contrary, online courses that are open to the public, i.e. MOOCs (Massive Open Online Courses), as well as the exchange of teaching material in the form of Open Educational Resources (OERs), are not exempted under the specific provision.47 Moreover, no matter how broad the scope of the “teaching” exception or limitation of Art. 5 of the CDSM Directive might initially seem—especially in the light of the above recitals—it should be noted that, in its ordinary meaning, the activity of teaching includes only the conveyance of knowledge or experience to others;48 therefore, the relevant exception or limitation should be regarded to cover a variety of acts by professors/teachers and students/pupils,49 i.e. by those who participate in the lesson/course being taught (learners and educators), to the extent that such acts (i.e., digital uses of works or other subject matter) are “directly related and of material assistance to the teaching content.”50 This means that, in the case of teaching, the exempted act is not necessary to take place during the lesson as long as the protected work (and/or the other subject matter) is used as teaching material or, likewise, as part of (any stage of) the instruction process, in order to prepare, enrich, and—generally—“support” the curriculum being taught, even after class,51 at the office, or at home.52 The same holds true as regards uses made for the needs of giving out or doing homework, initiating or taking part in an online debate, and/or drafting exercises or examination tests,53 including posing (and answering) exam 46 Recital 22 (sentence 3) ibid, in conjunction with Art. 5 (1) (a); see also Raue, supra n3, p. 18, Jütte, supra n19, p. 3. 47 Raue, ibid. It should be noted, that all kinds of “open” courses are accessible by anyone anywhere, as long as they have an internet connection, whereas access and participation to/in them are in principle free of charge, although extra services and certificates may require payment; see in particular “Commission Staff Working Document”, accompanying DEAP 2021-2027, supra n10, pp. 28–30 in conjuction with the relevant definition in p. 97. 48 Lewinski and Walter, supra n1, no 11.5.47, p. 1043; see also Schack, supra n3, p. 275. 49 Raue, supra n3, pp. 17i.f.-18, who seems to prefer the wording of the English teaching exception of Sec 32 (1) (b) Copyright, Designs and Patent Act (hereinafter CDPA), which exempts uses “by a person giving or receiving instruction (or preparing for giving or receiving instruction)”; see also Pila & Torremans, supra n1, p. 333, according to whom the teaching and research exception of the InfoSoc Directive covers also those persons who act on behalf of teachers and students, as, for example, libraries’ staff. 50 § 110 (2) (B) US Copyright ACT—US TEACH Act; see Papadopoulou, supra n38, under heading 3.1.1; see also Pila & Torremans, ibid, who express the opinion that an act, in order to be exempted, “should be directly linked to the clarification or exemplification of a point made in the delivery or examination of a formal educational program”. 51 See Xalabarder (2009), p. 66, Schack, supra n3, p. 275, Raue, supra n3, pp. 17–18, Papadopoulou, ibid. 52 Raue, supra n3, p. 18. 53 See Recital 22 of the CDSM Directive, according to which the (proportionate) use of works and/or other subject matter during examinations is exempted, provided they are taking place in or (at least) under the responsibility of an educational establishment; towards the same direction, see also Xalabarder (2009), p. 66, Pila & Torremans, supra n1, p. 333, Schack, ibid, Raue, supra n3,

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

111

questions at a distance, via a digital platform, used for educational purposes.54 In any case and in compliance with what has already been said in relation to the “teaching and research” exception or limitation of the InfoSoc Directive, public performances of school/university orchestras or drama clubs are unlikely to be considered as uses “for the sole purpose of illustration for teaching,” in the meaning of Art. 5 (1) of the CDSM Directive,55 whereas the proportionate use (for example, the digital reproduction or transmission of parts or extracts) of a musical or dramatic work, in the context of relevant courses, might well be.56 (b) Furthermore, the use of a protected work and/or other subject matter, in order to be exempted under the above provision, must be made for the sole purpose of illustration for teaching. The EU legislator repeats the wording of Art. 5 (3) (a) of Directive 2001/29/EC,57 though the inclusion of the term “illustration” in the specific context has been extensively discussed and criticized.58 However, Recital 21 of the CDSM Directive seems to shed light to the matter by stating that the concept of illustration would, generally, “imply the use only of parts or extracts of works, which should not substitute for the purchase of materials primarily intended for the educational market.” In other words, the condition of “illustration” refers to the amount of the work or other subject matter that may (“is permitted to”) be used pursuant to the recently enacted teaching/education exception or limitation for the relevant purposes; and although it should be regarded to allow (even) the use of entire works or other subject matter in appropriate circumstances (e.g., concerning photographs or poems), the condition at issue - as wisely noticed- “is limiting in principle”.59 Obviously because, in order to “illustrate” a lesson, i.e. to explain what is being taught, in most cases it would be sufficient to use only a part or extract of the respective work (or other subject matter),60 whereas the precise extent of the latter is to be decided, in a balanced manner, by the Member States during the

p. 17 (fn. 98); contra Lewinski and Walter, supra n1, no 11.5.47, p. 1043, who, in the context of Art. 5 (3) (a) of the InfoSoc Directive, insist that the teaching exception is unlikely to include use (of works or other subject matter) for examinations. 54 Towards the same direction, see Sec. 32 (2) CDPA, according to which “‘giving or receiving instruction’ includes setting examination questions, communicating the questions to pupils and answering the questions”. 55 See also Pila & Torremans, supra n1, p. 333, Lewinski and Walter, supra n1, no 11.5.47, p. 1043. 56 Pila & Torremans, ibid. 57 Slightly different is the language used in the framework of the BC, since the respective provision of Art. 10 (2) refers to “utilization of works by way of illustration” for teaching purposes; see, among others Xalabarder (2009), p. 15 (fn 24). 58 See, among others, Xalabarder (2007), p.383–384; Xalabarder (2009), pp. 66–67; Lewinski and Walter, supra n1, no 11.5.47, p. 1043; see also Papadopoulou, supra n38, under heading 3.1.1. 59 Lewinski and Walter, ibid; see also Ricketson (1987), § 9.27, n. 2, p. 496; Guibault, supra n3, p. 15; Jütte, supra n19, p.3; compare Xalabarder (2009), p. 15; Xalabarder (2007), p. 384, who argues that the condition of “illustration for teaching” does not exclude the making of teaching anthologies per se from the scope of the relevant exception of the InfoSoc Directive. 60 Lewinski and Walter, ibid; similarly, Jütte, ibid.

112

A. Despotidou

implementation procedure.61 Consequently, the inclusion of the term “illustration” in the wording of the exception or limitation under examination, although it is not intended to (and it does not) modify its purpose, it—certainly—narrows its scope.62 Moreover, the addition of the adjective “sole” before the noun “purpose” most probably implies that if the use of the work (or other subject matter) is made also for purpose/s other than teaching (e.g. for the entertainment of the students), as perceived under Art. 5 (1) of the CDSM Directive, then it is not covered by the respective exception or limitation.63 (c) Finally, the “use” under par. (1) of the above provision must aim to achieve a non-commercial purpose and is exempted “to the extent justified” by this purpose.64 The condition, which practically repeats the wording of Art. 5 (3) (a) of the InfoSoc Directive, reflects the requirement of Art. 10 (2) of the Berne Convention that the use should be “compatible with fair practice”65 and is—also—decisive as to the determination of the extent (i.e., proportion or quantity) of the work or other subject matter that is permitted to be used, pursuant to the teaching exception or limitation under examination.66 Regarding the interpretation of the term “non-commercial” in this context, the last section of Recital 20 clarifies, firstly, that the use in question is to be exempted, provided it takes place in the context of a teaching activity, which is non-commercial in nature,67 and, secondly, that the latter is dependent not on the “character”, i.e. the organizational structure and/or the means of funding of the educational establishment that is responsible for carrying out the particular teaching

61 Recital 21 of the CDSM Directive; see also Jütte, supra n19, p.2; the matter is further discussed below, under section 2.3.2. 62 Towards this direction see Lewinski and Walter, supra n1, no 11.5.47, p. 1043; compare Xalabarder (2009), pp. 15, 66–67. 63 Ricketson, supra n59, § 9.27 (2); Papadopoulou, supra n38, under heading 3.1.1; see also Lewinski and Walter, supra n1, no 11.5.48, p. 1044, according to whom the reproduction of a work included in a non-fiction book, which is not exclusively designated for teaching purposes at educational insitutions but it addresses the general public as well, it would not be previleged by the relevant exception or limitation. 64 See also Recital 20, sentence 3. 65 Precisely so, Lewinski and Walter, supra n1, no 11.5.50, p. 1045; for interpretation of the conditions laid down in Art. 10 (2) of the Berne Convention see Ricketson and Ginsburg (2006), § 13.45. 66 More specifically see below, under section 2.3.2. 67 In other words, for the exception to apply, it is not sufficient that the work or other protected subject matter is used solely for teaching/educational purposes, but it is also required that the relevant teaching activity is non-commercial in nature; similarly, Lewinski and Walter, supra n1, no 11.5.51, p. 1045, adding (that) “it is not sufficient that the use is to serve a non-commercial purpose; rather, it also must be justified by this purpose”. To our—slightly different—opinion, it is not the “use” per se but the extent (or even the kind) of the use that must be justified by the (non-commercial, educational) purpose.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

113

or learning activity but rather on the activity as such.68 Further and in the light of the Union aquis on the matter, “non-commercial” should be understood as referring to teaching and learning activities that are conducted “not for direct or indirect economic or commercial advantage,”69 in the sense that the focus shifts equally to their consequences/economic results. Accordingly, a postgraduate program that is offered against payment of fees (by the students enrolled) by a publicly owned university could not be considered as a non-commercial teaching activity, and thus it is not covered by the exception or limitation of Art 5 of the CDSM Directive.70 2.3.2

Nature and Extent of Works or Other Subject Matter That May Be Used

(a) Article 5 of the CDSM Directive makes no specific reference or distinction as to the nature and/or the kind of the works (or other subject matter) that may be used.71 Considering that the respective exception or limitation is deemed to cover teaching and learning activities in the digital environment, including online and across borders, it should be inferred that all kinds of works (or other subject matter) that meet the needs of the activity in question and are available in digital form(at)72 fall into its scope. As far as the digitization (including the process of scanning) of works or other protected subject matter, that may be used under the above exception or limitation, is concerned, it should—in principle—be permitted as an act of reporduction.73 However, such a “reproduction”, i.e. the digital conversion of

68 Compare the wording of Recital 42 of the InfoSoc Directive; see also Raue, supra n3, p. 18, Schack, supra n3, p. 274. 69 Lewinski and Walter, supra n1, no 11.5.50 in conjunction with no 11.5.44 and 11.5.38, who refer to Art. 5 (2) (c) of the InfoSoc Directive and to Art. 1 (3) of the Rental and Lending Rights Directive; see also Xalabarder (2009), pp. 83–84, according to whom non-commercial is equal to non-for-profit and it is difficult to be decided as far as teaching activities (i.e. instruction of pupils and/or students) are concerned. 70 For further examples see Lewinski and Walter, sura n1, no 11.5.50, p. 1045; compare Xalabarder (2009), p. 83i.f., who questions the “safety” of this criterion, adding that of the net “benefits” of each educational institution by the activity in question (course, program, etc.), which needs to be applied in casu by the national courts. 71 Nobre, supra n27, p. 3. The same holds true as to Art. 5 (3) (a) of the InfoSoc Directive; see Xalabarder (2010), p. 235, Xalabarder (2009), p. 63, Papadopoulou, supra n38, under heading 3.1.1. 72 This results from the fact that, in order to carry on teaching activities online, uploading, transmission and reception of the respective works (or other subject matter) are needed. These “acts”, which fall into the scope of both the rights of reproduction and communication to public, can only be executed in relation to material that is available in digital format; see in-particular Xalabarder (2009), p. 62. 73 Despite the unique technical differences that exist between them, digitization and scanning are two separate processes for converting/transforming an analogous work (e.g. a paper—book) to a digital copy. Therefore and albeit the modification that is taking place, from the angle of copyright,

114

A. Despotidou

works (e.g., textbooks, compilations, scientific periodicals, documents etc.) that already exist in the premises of the institutions concerned in analogue form(at), is to be exempted only in certain, special cases; and in particular, if no digital version of the work (or the other subject matter) in question is available to the educational establishment or the available one is protected by TPMs,74 as well as if it concerns only the part/extract of the work (or other subject matter) that is to be used for the specific (teaching or learning) activity and not the whole of it. As a result, the— recently enacted—teaching exception or limitation should not be interpreted so broadly as to permit mass digitization projects to be carried out by its beneficiaries.75 Nonetheless, the work (or other subject matter), that is intended for use, must have been lawfully published,76 whereas the original (work or other subject matter), or a copy thereof, must have been acquired lawfully by the institution(s) engaged in the activity.77 (b) Furthermore, the provision under examination poses no explicit limitation as to the actual extent of the work (or the other subject matter) that may be used or to the “quantity” (e.g., duration and/or number) of uses (i.e., downloads, transmissions, etc.) that could be made.78 On the other hand, as has already been advocated in view of Art. 5 (3) (a) of the InfoSoc Directive, the permissive use should not exceed the limits implied by the—statutorily defined/legitimate—purpose to be achieved, which here is the purpose of “illustration for teaching.”79 Therefore, the respective use (e.g., reproduction and/or digital transmission of protected material to registered

the digitization of a work (or other protected subject matter) is deemed to be a reproduction, whereas the same applies to scanning. For the relevant opinion, that is still dominant, see inter alia, Lewinski and Walter, supra n 1, no 11.2.19 in conjunction with 11.2.22, pp. 969–970, Marinos (2001), pp. 32–33, Despotidou (2003), pp. 31–32. 74 These “limitations” correspond to the provisions of Sec 110 (2) of the US TEACH Act; so, Xalabarder (2009), p. 42; in a different context, compare Xalabarder (2004), p. 14 (fn 69), Xalabarder (2009), p. 62, according to whom, as long as the Union legislation does not explicitly provide otherwise, the allowance of digitization is to be decided by domestic laws and national courts. 75 In other words, the idea, that an educational establishment could create (and retain) a repository/ ”library” of digitized works (or other subject matter) for use of its own (academic staff and students), profoundly exceeds the limits of the teaching exception or limitation of the CDSM Directive; to this direction see Xalabarder (2009), p. 62. 76 As derives from the moral right of divulgation; see Xalabarder (2009), p. 85, Papadopoulou, supra n38, under heading 3.1.1. 77 Pila & Torremans, supra n1, p. 324. 78 Compare, as to the number of material copies that may be produced pursuant to Art. 10 (2) BC, Xalabarder (2010), p. 233, fn 12, with reference to Ricketson and Ginsburg, supra n65, § 13.45, p. 794; see also Xalabarder (2004), p. 14. 79 See above, under section 2.3.1 (a).

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

115

students) is privileged/exempted only to the extent it is justified by the above purpose, which is non-commercial in nature,80 namely, as long as it does not go beyond what would be necessary to achieve that purpose.81 This means that the particular use should not substitute for the protected work (or other subject matter) in the market and, more specifically, “for the purchase of materials primarily intended for the educational market.”82 As becomes apparent, the new teaching exception or limitation of Art. 5 of the CDSM Directive allows—in principle—only the use of (small) parts or extracts of the respective works (or other subject matter),83 assuming that the specific educational purposes are satisfied. However, if the nature or size of the work dictates so, as, for example, in case of an image, a song, a fairytale, a short poem, or isolated contributions (e.g., articles) to newspapers or periodicals, it seems reasonable that the use of the entire work is to be exempted.84 Moreover, uses permitted under the above provision should be understood to cover the specific accessibility needs of persons with disability, in the relevant context.85 In any case, according to Recital 21 (last sentence), Member States should remain free to determine, in relation to the different types of works or other subject matter, in a balanced matter, the proportion of a work or other subject matter that can be used for the sole purpose of illustration for teaching.86 While it is not actually clear why the EU legislator did not opt for more flexible solutions, letting practice and courts decide, what is balanced and what is fair in each single case, in view of the principle of proportionality and on the basis of centrally defined and well-justified criteria, there is no doubt that the specification of percentages beforehand, by the national legislators,

80 Raue, supra n3, p. 18; for a similar view as to Art. 5 (3) (a) of the InfoSoc Directive, see Lewinski and Walter, supra n1, no 11.5.51, p. 1045, Papadopoulou, supra n38, under heading 3.1.1. 81 For instance, if it were sufficient to reproduce one or two photographs of a famous photographer to illustrate his special technique or “aesthetic view” to the students of a Fine Arts School, the reproduction of 10-15 works of him, in the same textbook, would no longer be justified by the teaching purpose of Art. 5 (1) of the CDSM Directive; for more examples see Lewinski and Walter, ibid. 82 Recital 21, sentence 3; see also Pila & Torremans, supra n1, p. 323; Jütte, supra n19, p.2. 83 Raue, supra n3, p. 18. 84 Lewinski and Walter, supra n1, no 11.5.47, p. 1043, Gervais, supra n1, p. 32, Norbe, supra n27, p. 3; compare the wording of § 60a II UrhG; in this context see, among others, Dreier (2018), UrhG § 60a, Rn. 16, Durantaye, supra n4, p. 564, who insists that the exempted use could refer to (only) a limited number of certain (whole) contributions/articles of the same newspaper and not to the entire content of it (fn 93). 85 Recital 21, last sentence. 86 See, for example, the recently enacted provisions of §§ 60a and 60b UrhG, in accordance with which the permissive uses should not exceed certain percentages of the entire works that are intended for teaching purposes; i.e., only up to 25% of the entire work (e.g., of a literary or scientific book) may be used for the purpose of illustration for teaching, whereas only up to 10% of a published work may be used in the context of a teaching compilation.

116

A. Despotidou

can only lead to further fragmentation of the internal market and—most probably—to unfair solutions.87 Regarding the “quantity,” i.e. the number as well as the duration of uses that may be permitted under the scope of the teaching exception or limitation in question, the Directive gives no explanation or clarification. It could, thus, be assumed that only uses of protected works (or other subject matter) that meet the above criteria, i.e. are consistent with the purpose to be achieved, (are) limited to participants who are registered in the course or class (e.g., to students of a password-accessed virtual classroom),88 and are not meant to be used/“exploited” by the institutions involved for commercial purposes, are to be privileged.89 Finally, it must not be forgotten that the exempted/permitted “uses” should (also) comply with the “three- step test” so as not to prejudice the legitimate interests of the authors (or other rightholders) concerned and conflict with the normal exploitation of their works (or other subject matter).90 2.3.3

Beneficiaries

As derives from the wording as well as the purpose of the exception or limitation under examination, not only educational establishments but also individuals may benefit from it. (a) In reference to the first category of beneficiaries, Art. 5 of the CDSM Directive does not define the term “educational establishment,” remaining silent as to the kind, the size, the funding, the educational level, the legal nature, and/or the purpose and structure of the institutions, to which the specific exception or limitation may apply.91 However, this crucial matter has not been left to the full discretion of the EU Member States. Recitals 20 and 22 provide useful guidance as to the interpre-

87 Nobre, supra n27, p. 3; compare Xalabarder (2009), p. 88, who, already at an earlier stage, questioned the effectiveness as well as the fairness of relevant quantitative restrictions, provided for in national legislations, while, at the same time, she mentioned the ambiguities of qualitative exclusions (e.g., concerning specific kinds of works, such as films) and favored open and flexible solutions. 88 This specification is consistent with the definition of “secure electronic environments” provided for in Recital 22 (last sentence); see also Xalabarder (2009), p. 89, Xalabarder (2004), p. 14, who claims so in relation to what is valid in the analogue world, where the exempted copies should be limited to the “quantities”/number, required for a specific class or lecture. 89 Therefore, only a small part of the work (or other subject matter), i.e. up to 10–20%, transmitted digitally to the students enrolled in a class or lecture, may be freely reproduced (downloaded or copied) by them; see Durantaye, supra n4, p. 564; towards the same direction, see Xalabarder (2004), p. 14i.f. 90 Raue, supra n3, p. 18; see also Xalabarder (2009), p. 88; more specifically see below in this chapter, under section 4.2. 91 Quintais, supra n15, p. 8, fn 60, Jütte, supra n19, p. 2.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

117

tation of the above term, restricting considerably the circle of the respective beneficiaries. To start with, it is clarified that the teaching exception or limitation is envisioned to encompass only educational establishments “that are recognized (as such) by a Member State.”92 Yet, due to the differences that may exist among the relevant national laws, the kind of institutions that will be privileged by it may vary from country to country. So, and in order to avoid further fragmentation, Recital 20 defines that the exception or limitation concerned should benefit “formal” educational establishments at all education levels, although learning and crossborder education programs are mostly developed at the higher levels. Therefore, it should be concluded that kindergartens, primary and secondary schools, vocational schools, music and drama schools as well schools of fine arts, and all establishments that have been recognized by law as higher education providers (e.g., colleges and universities) fall within the scope of the exception or limitation in question.93 At the same time, though, it becomes apparent that other establishments, such as museums, libraries, and other cultural heritage institutions, that are often engaged in education, organizing and providing relevant programs, by principle do not benefit by it.94 On the contrary, teaching and learning activities that take place in libraries, museums, etc. may be covered as long as they are carried out under the responsibility of (formal/official) educational establishments and involve digital uses of works or other subject matter (e.g., reproductions and/or presentations through digital means).95 This legislative “choice,” which unreasonably restricts the scope of the new teaching exception or limitation in the digital environment, has no sound justification and has been duly criticized.96 Furthermore, Art. 5 (1) makes no distinction between public and private educational establishments, in the sense that both categories may benefit from the teaching exception or limitation in regard to uses of protected works or other subject matter, which take place in the context of non-commercial teaching and learning activities, carried out by them (or under their responsibility). Probably because, as has already been mentioned above (under section 2.3.1 (c)), the organizational structure and the means of funding of an educational establishment are not the decisive factors in determining whether the nature of the activity in question is commercial or not. In other words, a not-for-profit or non-commercial (teaching or learning) activity that is offered by a private educational institution (e.g., a university or a boarding school) may well be exempted.97 And vice versa, a

92

Quintais, ibid, Jütte, ibid; see also Xalabrader (2009), pp. 84–85. Jütte, ibid; see also Schack, supra n3, p. 275, Xalabarder (2009), pp. 82–83. 94 Quintais, supra n15, p. 8, Nobre, supra n27, p. 2; see also Jütte, supra n19, p. 3, who relatively notes that during the negotiation process the draft of the CDSM Directive, approved by the European Parliament, had also included museums and libraries as beneficiaries of the specific exception when the pursue an educational objective. 95 Recital 22, sentences 1–2. 96 Nobre, supra n27, p. 2; see also Quintais, supra n15, p. 8. 97 Jütte, supra n19, p. 2; see also Dreier (2018), UrhG § 60a, Rn. 7. 93

118

A. Despotidou

language school that provides courses exclusively on a for-profit basis, even if publicly owned, will not be privileged.98 (b) In terms of individual users, Art. 5 of the CDSM Directive remains silent. Silence, however, should be interpreted in favor of all individuals who participate in the teaching and learnings activities covered by the specific teaching/education exception or limitation so that both teachers/professors and pupils/students (educators and learners) may be privileged.99 Besides, although certain national legislation explicitly includes—also—other persons who act on behalf of the above beneficiaries, such as library and administrative staff of the respective educational establishments,100 this approach does not seem to be supported either from the language and/or the purpose of the exception or limitation under examination.101 Moreover, from a teleological point of view, it would broaden its scope unnecessarily and create legal uncertainty, since it could go so far as to include persons that are only slightly and—in any case—indirectly connected with the process of instruction. 2.3.4

Geographic Scope: Country of Origin Principle (Art. 5 Par. 3)

The provision of Art 5 par. 3 aims to facilitate online, cross-border teaching activities (i.e., through secure digital environments), which are obviously confronted with the problem of applicable law,102 introducing the country of origin principle. This is a well-known conflict-of-laws rule, which stands as the “cornerstone” of the Audiovisual Media Services Directive (AVMSD)103—which has replaced the former EU

98

Lewinski and Walter, supra n1, no 11.5.50, p. 1045, Nobre, supra n27, p. Raue, supra n3, p. 18; see also Papadopoulou, supra n38, under heading 3.1.1, Xalabarder (2009), p. 36, in reference to Art. 5 (3) (a) of the InfoSoc Directive; compare Dreier (2018), UrhG § 60a, Rn. 9. 100 See, for instance, Xalabarder (2009), p. 47i.f., as regards exceptions (or limitations) for purposes of instruction in the UK and Ireland. 101 To this direction see Dreier (2018), UrhG § 60a, Rn. 6; differently Pila & Torremans, supra n1, no 13.4.4.1, p. 333. 102 It should be mentioned that, since E & Ls are—in principle—governed by the law of the country for which protection is sought [lex loci protectionis - Art. 5 (2) (c) BC; inter alia, see Pila & Torremans, supra n1, pp. 537-538], the application of this conflict – of – laws rule on online, crossborder teaching activities, may well lead to the application of multiple national (and usually different) copyright laws. This means that every country of “reception”, i.e. every country, where a protected work (or other subject matter) is transmitted and, thus, accessed and (possibly) downloaded by students, may have its law applied to “govern” the respective uses done online, in order to define whether they are exempted or not under the national teaching exceptions or limitations; see, in particular, Xalabarder (2009), pp. 131–132. 103 Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2019, amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in member states concerning the provision of audiovisual media services (Audiovisual Media Services Directive) in view of changing market realities, OJ L 303/69–28.11.2018. 99

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

119

Television Without Frontiers Directive (TVWFD)104—and applies where a service provider is established in a different EU member state to that of the recipient.105 In the above context, par. 3 of Art. 5 of the CDSM Directive106 should be understood as to provide that the legal or illegal (i.e., permitted or not) character of the use of a certain work (or other protected subject matter) for the sole purpose of illustration for teaching shall be decided solely on the basis of the (relevant) exception or limitation, which is valid in the country/EU member state where the educational establishment, that is responsible for the cross-border teaching activity, sits (is established).107 This solution, departing significantly form the rule “of the law of the country for which protection is sought” (lex loci protectionis),108 will effectively facilitate the use of protected material not only by institutions that have an international body of students but also (and more importantly) by pure distance learning programs, which are using (solely) online platforms in order to offer their services and disseminate their educational material across borders.109 However, apart from the fact that it— undoubtedly—enhances legal certainty and offers a “pragmatic” solution to copyright territoriality,110 the application of the country of origin principle in the specific case becomes problematic due to the “facultative/optional” elements of the education/teaching exception or limitation under examination. Apparently, because it may well increase the establishment of distance/digital learning institutions or platforms in countries where no licensing schemes or compensation for the rightholders are provided for.111 Or, from another point of view, (because) it could lead to EU 104

Council Directive 89/552/EEC of 3 October 1989 on the coordination of certain provisions laid down by law, regulation and administrative action in Member States concerning the pursuit of television broadcasting activities, OJ L 298/23–17.10.1989. 105 See Art. 2 of Directive (EU) 2010/13, as it has been amended by Directive (EU) 2018/1808 and is in force today. 106 It should be noted, that, in the context of the Commission’s “copyright law reform package”, the country of origin principle has also been adopted in both the Portability Regulation [Art. 4 of Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017, on cross-border portability of online content services in the internal market, OJ L 168/1–30.6.2017] and the Online Broadcasting Directive [Art. 3 of Directive (EU) 2019/789 of the European Parliament and of the Council of 17 April 2019 laying down rules on the exercise of copyright and related rights applicable to certain online transmissions of broadcasting organisations and retransmissions of television and radio programmes, and amending Council Directive 93/83/EEC, OJ L 130/82 – 17.5.2019]; for instance, see Jougleux (2020), p. 103, no 253-256]; see also the Opinion of the ECS (2017), supra n21, p. 2. 107 Raue, supra n3, p. 19. 108 Pila & Torremans, supra n1, pp. 535-538; for the distinction between the choice-of -law rules lex loci protections, on the one hand, and lex fori, on the other, see, inter alia, Marinos (2014), no 783–784, pp. 395–396. 109 Jütte, supra n19, p. 2, Raue, supra n3, p. 19, Quintais, supra n15, p. 9. 110 See Opinion of the ECS (2017), supra n21, p. 2, which expresses the view that the adoption of the country of origin rule by the recently enacted EU legislative acts on copyright law, although it does not solve the “problem” of territoriality, is to be seen as an important intermediate step towards full unification of the EU copyright law. 111 Raue, supra n3, p. 19.

120

A. Despotidou

Member States competing to offer the most lenient levels of copyright protection to authors (or other rightholders) concerning uses of works (or other subject matter) in the educational sector, in order to attract such institutions or platforms (“race to the bottom” result).112 2.3.5

Acknowledgement of Source, Including Reference to Author’s Name

(a) Finally, the exception or limitation of Art. 5 of the CDSM Directive is subject to an additional requirement: that of the acknowledgement of the source of the work, including the name of the author (as it appears on the original), unless this turns out to be impossible. There is no doubt that the above mandatory condition, which could be perceived as either a specific “protective norm” or, merely, a “reminder” (or a “declaration”) that the moral right of attribution is to be respected for any uses covered under the teaching exception or limitation,113 is based on the wording of Art. 10 (3) of the BC.114 In fact, though, it repeats the one of Art. 5 (3) (a) of the InfoSoc Directive, which is obviously more demanding115. And that’s because the EU legislator does not release the respective users/beneficiaries of their obligation to indicate the author’s name if (simply) this does not appear on the source (i.e., the relevant work), but he/she does so only if such an indication turns out to be impossible. Supposing the latter does nothing but repeating a general principle of law, according to which the law can never oblige anyone to do anything that is impossible (impossibilium nulla est obligatio),116 the question, as to when the indication of the name of the author as well as of the source, in general, should be considered impossible, remains.

112

Compare Xalabarder (2009), p. 132, who advocates that the application of one single law to decide for the “reception” of protected works (or other subject matter) in several countries “may easily lead to the creation of “copyright heavens” for educational institutions”, meaning those countries that will purposely enact a rather “generous” copyright exception or limitation for teaching purposes. 113 See Ricketson (2003), p. 16, who talks about a “superfluous”, but rather useful, requirement, Lewinski and Walter, supra n1, no 11.5.46, p. 1042, who mention the “declaratory” nature of the provision, Xalabarder (2009), p. 89, who notices that the specific requirement, even if it was not regulated, “springs form the moral right of attribution”, Papadopoulou, supra n38, under heading 3.1.1; compare Pila & Torremans, supra n1, p. 324, according to whom this provision not only protects the moral rights and interests of the authors/rightholders to be identified, but also facilitates the exploitation of their rights. 114 Lewinski and Walter, supra n1, no 11.5.49, p. 1044; Papadopoulou, supra n38, under heading 3.1.1; regarding the interpretation of Art. 10 (3) BC see—among others—Ricketson (2003), p. 16, Xalabarder (2009), p. 18. 115 Lewinski and Walter, ibid. 116 Lewinski and Walter, supra n1, no 11.5.46, p. 1043, no 11.5.49, p. 1044.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

121

(b) In regard to the above, it should be noted that usually a (proper) reference to the “source” includes the name of the author (even if it is a chosen pseudonym)117 plus the publication details of the work, such as its title, including the title of any larger work (e.g., a collective work, such as an anthology, an encyclopedia, etc.) in which the first one appears;118 the name of the publishing house and the place of its head offices; or another “place” (usually in the electronic environment) where the work has been retrieved from (e.g., a website). If the author has chosen to remain anonymous, the user should respect his/her decision and refrain from mentioning his/her name because, in such a case, the relevant legal obligation does not exist. On the contrary, if the user indicates the author’s name, he/she even violates the moral right (of attribution) of the latter.119 Apart from this typical case of legal impossibility,120 though, the occasions, under which the obligation to find and, thus, to indicate the source (including the author’s name) of the work to be used for teaching purposes becomes impossible, are difficult to be defined. Whereas Art. 5 (1) (b) of the CDSM Directive does not provide what kind of search is to be carried out in order to “locate” the source, i.e. to identify the author and/or find other publication details concerning the work in question, it should be expected that the user will apply a reasonable degree of diligence and bear the efforts needed to fulfill his/her obligation (e.g., by contacting the publisher or the library, using searching engines or data bases accessible to the public, etc.).121 (c) As long as the provision of lit. (b) of Art. 5 (1) seems to protect equally at least the moral rights and interests of all persons involved in the creation and—generally—“the making” of the works and other subject matter, that fall under the scope of the relevant teaching exception or limitation,122 it should be applied by analogy to other rightholders (i.e., to “holders” of related/neighboring rights), in relation to (their) other protected subject matter, i.e., performances, broadcasts, and phonograms.123 Such an application is of a special interest for performers (or performing artists) who have been granted with moral rights in most of the EU Member States.124

117

Lewinski and Walter, supra n1, no 11.5.49, p. 1044. Ricketson (2003), p. 16. 119 Lewinski and Walter, supra n1, no 11.5.49, p. 1044. 120 Lewinski and Walter, ibid. 121 Compare Lewinski and Walter, ibid, according to whom the user is expected to apply “a certain minimal degree of care in searching for the author’s name. . .”. In any case, the degree of diligence that is to be applied in the context of Art. 5 (1) (b) of the CDSM Directive should be regarded to be considerably less than the one demanded in Art. 3 of Directive 2012/28/EU of the European Parliament and of the Council of 25 October 2012 in certain permitted uses of orphan works, OJ L 299/5—27.10.2012. 122 See above, fn 113. 123 Towards this direction see Papadopoulou, supra n38, under heading 3.1.1. 124 See, for example, Art. 50 of L. 2121/1993 (Greek Copyright Law), that grants performers (or performing artists) the moral rights of attribution and integrity, in relation to their performances. 118

122

A. Despotidou

3 The “Boundaries” of the Teaching Exception or Limitation 3.1

The Relation to Licensing Schemes: An Optional “Carve-Out”?

(a) Probably the most “unexpected” as well as ambiguous provision of Art. 5, which has been (already) duly criticized,125 is that of par. 2 because, apart from standing as “an exception to the teaching exception”126 it also deviates from the important rule of Art. 7 (1), which is intended to apply to all E&Ls introduced by the CDSM Directive, safeguarding their mandatory character.127 In fact, the provision discussed here allows Member States (optional/permissive nature)128 to declare the respective teaching exception or limitation inapplicable, in general (i.e., fully) or regarding particular uses or types of works or other subject matter (i.e., partially),129 to the extent suitable licenses, authorizing the acts that fall under its scope and covering the needs and specificities of smaller the educational establishments concerned, are easily available in the market.130 Assuming a Member State decides to do so, it shall take the necessary measures to ensure that the relevant licenses are “available and visible in an appropriate manner” for the above institutions. As derives from the rather detailed Recital 23 (sentence 1), which relates to par. 2 of Art. 5, the decision of the EU legislator, to put aside the aim of full harmonization—enshrined in the mandatory character of the new teaching exception or limitation—in case the above requirements are met,131 is based not only on the observation that a significant number of different arrangements and—in particular—

125 See Geiger et al. (2017), supra n11, p. 21–22; see also Opinion of the ECS (2017), supra n21, p. 4, Nobre, supra n27, p. 2; compare Jütte, supra n19, p. 3, pointing out not only the negative but also the positive effects of this provision, e.g., the possibility for educational establishments to negotiate and even increase the amount of uses allowed for certain categories of works, as well as to make entire textbooks available for students of a specific course, in a secure electronic environment. 126 Jütte, ibid. 127 Opinion of the ECS (2017), supra n21, p. 4; See Geiger et al. (2017), supra n11, pp. 21–22. 128 Jütte, supra n19, p. 2, who assumes that larger Member States, with strong textbook markets, will make use of the provision; compare Raue, supra n3, p. 19, who draws the conclusion, that the Commission was reluctant to decide on the matter, thus letting Member States to allow—and further regulate—private licensing in the educational market, on their discretion. 129 For example, Member States could use this mechanism to give precedence to licenses for material that is primarily intended for the educational market (e.g. textbooks) or sheet music; in this regard, see Recital 23, par. 2, sentence 1; critically Jougleux, supra n106, p. 167. 130 Raue, supra n3, p. 19; compare the wording of the German provision of § 52a (4) UrhG, the application of which in practice has been nothing but easy, even for highly professional institutions; see in detail Durantaye, supra n4, pp. 562-565; see also BGH, GRUR 2014, p. 549, Rn. 58 – Meilensteine der Psychologie; compare the Opinion of the ECS (2017), supra n21, p. 4, Geiger et al. (2017), supra n11, p. 23. 131 See Geiger et al. (2017), supra n11, p. 21.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

123

licensing agreements already exist in the national educational markets of the Member States but also on the belief that this kind of “private” arrangements could equally serve the purposes of the legislative exception or limitation, without hampering its effective application. (b) There is no doubt that the wording of Art. 5 (2) is rather vague and might lead to misunderstandings;132 it should, thus, be construed in the light of Recital 23 as well as the broader context of the CDSM Directive. To this direction, it would be appropriate, first, to define what a suitable license might be and, then, to understand on which occasions such a license becomes easily available in the market. As to the notion of “suitable,” which replaced the one of “adequate”—to be found in the original wording of the provision in question133 —, Recital 23 clarifies that “suitable,” within the meaning of the latter, are (only) licenses covering at least the same uses, as those allowed under the teaching exception or limitation.134 Therefore, whether the existing licensing agreements cover these uses only partially, Member States should make sure that all the other uses remain subject to the exception or limitation provided for in Art. 5 (1)135 and thus permitted. And vice versa, only licenses covering at least the uses allowed pursuant to it could prevail over the exception or limitation provided for, while they might well exceed its scope, permitting more or broader uses on a certain fee.136 Moreover, in order to avoid that subjecting the application of this provision to the availability of licenses results in legal uncertainty or creates an administrative burden for educational establishments, Member States adopting such an approach should take concrete measures to ensure that licensing schemes, allowing digital uses of works or other subject matter for the purpose of illustration of teaching, are easily available and that educational establishments are aware of their existence.137 To this aim, appropriate information tools could also be developed.138 Consequently, only if the above measures are taken will the relevant requirement be fulfilled and the teaching exception or limitation become inapplicable. This means that if a Member State wants to avail itself of the respective rule, it will do whatever is needed to make

132

For example, it might lead to the conclusion that the specific teaching exception or limitation is solely justified by a market failure rationale; see critically Quintais, supra n15, p. 9; Quintais (20192), p. 3; generally, for this justification, used for E&Ls in the context of the economic analysis of law, see Vagena, supra n2, pp. 242–243, with a reference to Gordon (1982), p. 1627, regarded as the founder of the specific approach. 133 See Art. 4 (2) of the proposal of the CDSM Directive [Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market, 14 September 2016, COM (2016), 539 final, 2016/0280]; in relevance, see Geiger et al. (2017), supra n11, pp. 21–22, who claimed that the notion of “adequate” license would be hard to define and might cause uncertainties regarding the interpretation and application of the whole provision, as it was initially expressed. 134 Recital 23, par. 1, sentence 4; see Raue, supra n3, p. 19; compare Jütte, supra n19, p. 3. 135 Recital 23, par. 1, sentence 5; see Jütte, supra n19, p. 2i.f. 136 Jütte, supra n19, p.3. 137 Recital 23, par. 2, s. 2; see Raue, supra n3, p. 19. 138 Recital 23, par. 2, s. 4.

124

A. Despotidou

the suitable licenses visible and, thus, easily accessible in the national market; if not, the specific exception or limitation should remain applicable.139 Furthermore, for reasons of legal certainty, Member States should stipulate the conditions under which the use of a protected work (or other subject matter) by an educational establishment falls within the scope of the teaching exception or limitation or, conversely, should be “covered” by a license.140 Nonetheless, a lot of questions remain open, especially as to the type and/or the “economics” (i.e., the costs) of the licensing schemes under discussion. In this regard, the difference between “unilateral” licensing offers, which allow the enforcement of unfair terms, and bilateral licensing agreements, which are to be negotiated and concluded between educational establishments and various rightholders, becomes crucial.141 Besides, the results of individual negotiations seem to be doubtful since a license that is “suitable” in matters of content (i.e., uses covered) and easily available in the relevant market could be finally denied or offered by the author (and/or the other rightholders) on excessive and/or unfair terms.142 Arguably, some of the issues raised here might be swept off if the national licensing schemes, concerning uses of protected works (or other subject matter) for the purpose of illustration for teaching, were to be based on (voluntary) collective licensing or on extended collective licensing.143 This would lead to licenses negotiated and agreed (as usually) between the respective national collective management organizations (hereinafter CMOs) and the major representatives of the users (e.g., federations of educational establishments falling under the exception’s or limitation’s scope), which, in the second case, would be extended by law to cover also the works (or other subject matter) of rightholders who are not members of and/or have not mandated the CMO accordingly.144 However, the uncertainty that has been caused by Art. 5 par. 2 of the CDSM Directive would not be removed, mainly because the optional carve-out of the new, “mandatory” teaching exception or limitation, by way of licensing/contract, will probably turn educational establishments into applying it narrowly and, thus, result to fragmented solutions within the EU.145

139

Precisely so, Geiger et al. (2017), supra n11, p. 22. Recital 23, par. 2, last sentence. 141 Nobre, supra n27, p. 2; see also Xalabarder (2009), p. 135. 142 See Geiger et al. (2017), supra n11, p. 22, who seem to imply that the denial of the author (or another rightholder) to grant a license, as to a certain (digital) use of his work (or another subject matter), should make the teaching exception or limitation still applicable; see also Xalabarder (2010), p. 248, where the disadvantages of voluntary licensing schemes are presented. 143 Recital 23, par. 2, s. 4; Jütte, supra n19, p. 2; see also Ernst and Häusermann (2006), pp. 7, 14–15, 20, where the Danish model of extended collective licensing, in relation to uses of copyrighted works in education and research [mainly managed by the CMO “Copy-Dan Writing” (more information available at: http://www.copydan.dk/)], is presented and evaluated. 144 Concerning the content and nature of each licensing scheme, see, for instance, Xalabarder (2009), pp. 125–127. 145 Geiger at al. (2017), supra n11, p. 22. 140

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

125

(c) To sum up, Art. 5 par. 2 expresses the trust—as well as the preference—of the EU legislator towards private ordering, at least for copyright-protected material that is primarily intended for the educational market and sheet music, and seems to create more problems than the ones it was intended to solve. This is mainly why it leaves ample room to Member States to “regulate” national educational markets according to their legal traditions,146 putting in force the legisation needed in order not only to make sure that the licensing schemes,which already exist in the field of digital education, are easily accessible by the stakeholders and, therefore, will continue to thrive but also to define when and for which teaching uses and/or categories of works (or other subject matter) the exception or limitation under implementation should apply; or, vice versa, if and under which conditions it could be “overridden” (i.e., waived or limited).147 Although there is no doubt that voluntary licensing schemes allow for “tailormade” solutions that might effectively—and even precisely—meet the needs as well as the specific characteristics of educational establishments of all levels,148 the danger that they might be excessively expensive and/or unfair (i.e., subject to unreasonable prices and terms), thus transferring the cost of education to society and limiting its freedom,149 becomes apparent. Since education is grounded on a strong public interest,150 Member States should take good care that the new (mandatory, in principle) exception or limitation, intended to facilitate uses of works (and other subject matter) in digital and cross-border teaching activities, will be implemented effectively and will not be put aside; unless the (alreadyexisting) licensing schemes in the relevant market offer clear, “suitable” and well-balanced/fair solutions,151 without seriously hampering harmonization. It goes without saying that if the above conditions are met, the possibility for educational establishments to negotiate an increase in the quantity or quality of uses

146

In this context, Recital 23, par. 1, sentence 3, provides that Member States should remain free to require that the use of works or other protected subject matter, for teaching purposes, in the digital and cross-border environment(s), respects the moral rights of authors and performers. 147 According to Xalabarder (2009), p. 126, the difficulty in clearing rights for teaching uses derives mostly from the legal uncertainty, i.e. lack of clarity as to which uses are exempted by law and which are not. 148 Compare Guibault, supra n3, p. 26, noticing that the contractual approach allows authors and other rightholders to better tailor the terms or conditions, of the licenses they offer, to what educational institutions are willing to pay for. 149 See Xalabarder (2009), pp. 127, 135, who [with reference to Merges (1997), p. 136] draws attention to the fact that, by having the power to refuse to offer a license or to offer it on terms that an educational establishment cannot afford or accept, authors (and other rightholders) are ultimately granted the power to control what is taught in the relevant courses; compare Jütte, supra n19, p. 3, who claims that the availability of licenses for specific types of material will most probably affect the amount as well as the variety of accessible material on online learning platforms. 150 Geiger et al. (2017), supra n11, p. 22; Opinion of the ECS (2017), supra n21, p. 4; see also Xalabarder (2009), p. 127, 135–136, Xalabarder (2010), pp. 250–251. 151 Compare Xalabarder (2010), p. 244, who points out that licensing alone cannot be trusted to succeed in finding the right balance, since it departs from an unbalanced ground.

126

A. Despotidou

(of protected material) that might be permitted for teaching purposes is to be welcomed.152

3.2

Optional Compensation (or, Rather, Remuneration) Schemes for Uses Covered by the Teaching Exception or Limitation (Art. 5 Par. 4)

(a) Article 5 par. 4 of the CDSM Directive “allows” Member States (optional/ permissive nature) to provide that authors and other rightholders receive fair compensation for the digital uses of their works or other subject matter, that are covered by the teaching exception or limitation of par. 1 (of the same article). The provision, which is of interest here, is complemented by Recital 24, which is rather brief and offers limited help as to its interpretation. Hence, since similar provisions are to be found in the E&Ls of Art. 5 lit. (a), (b), and (e), of the InfoSoc Directive and (since) the two directives are closely interconnected,153 par. 4 of the recently enacted norm (regarding the teaching exception or limitation) could (and should) be—additionally—construed in the light of Recital 35 of Directive 2001/29/EC. As will be stated below, the latter serves as a justification as well as an explanation of the above, “limitation-related”, compensation (or remuneration),154 while—at the same time—it leaves much room for discretion to Member States.155 (b) To start with, the use of the word “compensation”, which corresponds to extracontractual liability and, more precisely, to infringement (e.g., of absolute rights),156 instead of the more general term “remuneration,” in the context of the new, mandatory teaching exception or limitation, seems to be a result of compromise between the two major copyright law systems within the EU.157 Mainly, due to the fact that it allows for other forms of compensation to be established, apart from the statutory remuneration schemes that already exist in most Member States for private copying and for other uses as well.158 In no case, however, should it be derived that

152

I.e., by all, and not only by the publishers who act in the education market. However, it is rather unlikely that the latter will be willing to offer their printed textbooks online, for something less than a hefty price, due to the losses they will probably suffer in print sales; so Jütte, supra n19, p. 3. 153 More specifically see above, under section 2.1 (b). 154 For definition of this term and -in general- for the interesting issues of terminology that arise in the context or remuneration rights, see, in particular, Geiger and Bulayenko (2017), pp. 113–115, 131. 155 So, Lewinski and Walter, supra n1, no 11.5.24, p. 1028. 156 See Geiger et al. (2017), supra n11, p. 23, who are critical towards the terminology used by the EU legislator. 157 See in detail Lewinski and Walter, supra n1, no 11.5.24, pp. 1028–1029 (and fn. 326, with further references). 158 See Geiger and Bulayenko, supra n154, pp. 116-118; Lewinski and Walter, supra n1, no 11.5.24, p. 1028.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

127

the “compensation”—provided for in the above context—is to be subjected to the condition of the “harm” that the exempted use (of the protected work or other subject matter) might have caused to the respective rightholders and, thus, denied if such a harm cannot be proved.159 The reason is that the use at issue is a privileged one, and in view of the continental EU Member States’ tradition, Art. 5 par. 4 should remunerate authors and other rightholders for the use of their contributions, rather than compensating them for infringement’s harm.160 Therefore, to the extent that remuneration is perceived as a counterpart for the use being made for the purpose of “illustration for teaching,” the criterion of the possible harm to the rightholders (resulting from the act in question), which is indicated by both Recitals 24 and 35— of the CDSM and the InfoSoc Directive(s), respectively—for setting the level of “fair compensation,” should not be the decisive one.161 Additionally and although the text of Art. 5 (4) of the CDSM Directive remains silent, due account should be taken of Member States’ educational objectives162 as well as of the special circumstances of each particular case.163 This means that the level of “fair compensation” should be equally depended not only on the kind of use (e.g., simple access, reproduction, digital transmission, etc.) of the protected work or other subject matter, the extent and “intensity” of the specific use (i.e., number of uses per semester, duration of use, extent/quantity of works or other materials to be used, etc.), and/or the number of students enrolled in the relevant course but also on the nature (profit/ non-profit) of the educational establishment involved,164 its size, funding, turnaround, location, etc.165 Furthermore, since—in accordance with Art. 7 (2) of the CDSM Directive—authors and other rightholders are allowed to use technological protection measures (TPMs) to ensure the effective protection of their rights while assuring that the use of such measures does not prevent the enjoyment of the teaching exception or limitation under examination,166 Member States should be encouraged to take full account of the degree TPMs are used and enforced when determining the

159

Lewinski and Walter, supra n1, no 11.5.25, p. 1029. Geiger et al. (2017), supra n11, p. 23; see also Recital 35, sentence 1, of the InfoSoc Directive. 161 See Recital 24, sentence 2, which refers to the specific factor “inter alia”; similarly, in the light of Recital 35, sentence 3, of the InfoSoc Directive, see Lewinski and Walter, supra n1, no 11.5.25, p. 1029, who underline the fact that this is only one “valuable criterion” among others. 162 Recital 24, sentence 2, of the CDSM Directive. 163 See Recital 35, sentence 2, of the InfoSoc Directive. 164 So, Xalabarder (2004), pp. 27i.f.–28. It should be noted that, in order to decide if an educational establishment is a profit or non-profit organization, the crucial factor to be taken into account is, whether the profits generated go beyond what is necessary to cover administration costs. 165 Compare Geiger et al. (2017), supra n11, pp. 23i.f.–24, who argue that, if a mandatory remuneration regime was to be applied, it should take into account the differences that exist among various educational institutions (in relation to their nature, size, funding etc.), whereas the application of minimum (or even “nominal”) fees for some institutions and higher for others might seem to be a “fair” solution. 166 More specifically see below, under section 4.3. 160

128

A. Despotidou

possible level of the “fair compensation” discussed here.167 The more so because, within the broad range of discretion given to them, rightholders may choose to allow the use of their works or other subject matter (i.e., removing the TPMs imposed on them) in exchange of receiving remuneration directly from the user (e.g., the educational establishment involved in a teaching activity).168 Notwithstanding the fact that this “pay-per-use” situation obviously aggravates access to protected material for teaching purposes, by raising costs for the users,169 additional statutory remuneration in similar cases would amount to a double remuneration and should, thus, be avoided.170 Finally, in certain situations where rightholders have already received some kind of payment, e.g., in the form of a license fee or otherwise, fair compensation may even not be due, whereas if the prejudice to the author or the other rightholders would be minimal, no obligation for payment may arise.171 (c) As it became apparent, though the normative text of the CDSM Directive does not give any indication as to the determination of the level of compensation, provided for in Art. 5 (4), or the estimation of its “fairness,” the recitals discussed above serve as guidelines for interpretation in this matter. Hence, apart from— generally—encouraging the use of systems that do not create an administrative burden for educational establishments,172 neither the provision itself nor these recitals define how the compensation (or, rather, remuneration) in question is to be implemented by the national legislators in case they decide to provide for it, i.e., how it should be established, enforced, and distributed among the various rightholders; who should be the debtor in each case; etc.173 This might lead to different solutions, due to the diversity of the national legal systems of the 27 EU Member States, and— in addition to the possibility that some of them may opt for the “unremunerated” solution—enhance fragmentation and distort competition within the internal market.174 Nevertheless, it could be argued that the option of requiring fair compensation (or remuneration) for rightholders for uses (of their works or other subject

167

Recital 35, sentence 5, of the InfoSoc Directive; see, in particular, Lewinski and Walter, supra n1, no 11.5.25, p. 1029. 168 Lewinski and Walter, ibid. 169 See Ernst and Häusermann, supra n143, p. 20 (in conjunction with fn 91). 170 Lewinski and Walter, supra n1, no 11.5.25, p. 1029; compare Vagena, supra n2, pp. 232-234. 171 Recital 35 of the InfoSoc Directive, sentences 4 and 6, respectively; see Lewinski and Walter, ibid. 172 Recital 24, sentence 4, of the CDSM Directive. 173 See Lewinski and Walter, supra n1, no 11.5.25, p. 1029. 174 So, Geiger at al. (2017), supra n11, p. 23, who point out the possibility that countries, implementing the exception or limitation under discussion as an “unremunerated” one, might free-ride on creators from other Member States and, thus, create inconsistencies within the Digital Single Market. Therefore, they argue that making remuneration mandatory, might foster harmonization.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

129

matter) covered by the teaching exception or limitation of Art. 5 par. 1 of the CDSM Directive, “offered” (to national legislators) by par. 4 of the same provision, is to be welcomed.175 Especially since not only is it consistent with the situation in the EU today,176 considering it does not add transaction costs to uses that might already be free of charge in several Member States,177 but it also clarifies that all of them “are free” to provide (or not) for such a compensation (or remuneration),178 while further details in regard to technical and/or operational aspects could be harmonized at a later stage.179 Although the matter under discussion was of a special interest in the context of Art. 5 (3) (a) of the InfoSoc Directive, which did not require that authors and other rightholders (may) receive fair compensation, it should be noted that in certain circumstances, the application of the three-step test might even result to an obligation of the Member States to introduce some form of compensation or remuneration for specific exempted uses in order for its requirements to be fulfilled.180

4 Further/“Common” Horizontal Conditions (Art. 7 Par. 2) 4.1

In General

Article 7 par. 2 of the CDSM Directive provides for two more “conditions” which further narrow the scope of the teaching exception or limitation under

175 Compare Geiger et al. (2017), ibid; differently Jougleux, supra n106, p. 168, who alleges that the option to establish remuneration schemes, granted to Member States herewith, seriously damages harmonization, as well as the effectiveness of the new teaching exception or limitation. 176 As noted by Geiger et al. (2017), ibid, several EU countries have already put in force remuneration schemes for uses covered by the teaching exception or limitation, while others have implemented it as a—completely or largely—unremunerated one. 177 See Geiger et al. (7), ibid, stating that such an “addition” to the already existing costs would burden and deter teaching activities in these EU countries (at least for educational establishments of limited market power), rather than promoting them. 178 For the “uncertainty” that had been created due to the fact that the teaching exception or limitation of Art. 5 par. 3 (a) of the InfoSoc Directive did not explicitly provide for such an option, see Lewinski and Walter, supra n1, no 11.5.23, pp. 1027i.f.–1028, no 11.5.51, p. 1045. 179 Towards this direction, see Lewinski and Walter, supra n1, no 11.5.24, p. 1028; compare Geiger et al. (2017), supra n11, p. 24, who believe that a better solution might be to establish a mandatory remuneration regime, flexible enough to take into consideration the differences that exist among educational establishments of any kind. 180 In this context see specifically Lewinski and Walter, supra n1, no 11.5.23, pp. 1027i.f.-1028, no 11.5.51, p. 1045, no 11.5.79, p. 1061; see also Papadopoulou supra n38, under heading 3.1.1; compare Gervais, supra n1, pp. 18, 38, 40, who supports that “. . .the changes brought about by the Internet require, once the three-step test is factored into the equation, the establishment of a compensation mechanism”, as well as, that the third step (of the respective test) seems to require compensation for exceptions which, while justified, cause a significant degree of harm to the rightholder.

130

A. Despotidou

examination.181 According to the first one, Art. 5 par. 5 of the InfoSoc Directive shall apply—among others—to the above exception or limitation, which means that the provisions that will be enacted by the national legislators pursuant to (i.e., “implementing”) Art. 5 of the CDSM Directive must additionally comply with the three requirements/criteria of the three-step test.182 Moreover, part of the complex provisions of Art. 6 par. 4 of the InfoSoc Directive (namely, the first, third, and fifth subparagraphs), through which the legal protection of technological measures (i.e., TPMs’ anti-circumvention provisions) is “transferred” to uses of works (or other subject matter) covered by specific E&Ls, would also apply to the teaching exception or limitation of the CDSM Directive.183 Since the rule contained in Art. 7 par. 2 of the latter is common to all the three E&Ls recently enacted by it (“horizontal” conditions) and due to the immense significance of as well as the abundant literature on the consequences that the application of both the three-test step and (of) the provisions regarding the protection of technological measures on E&Ls might generally have, this chapter does not intend to (and could not) provide a thorough analysis of the matters that usually arise in this context. Instead, it will be restricted in pointing out some “core” issues that might stimulate an interest for further research.

4.2

Compliance with the “Three-Step Test”

(a) The “three-step test” was funded in Art. 9 (2) of the BC and was originally provided for the right of reproduction.184 Gradually, though, it was “expanded” to other legislative texts (international, European, and national) as well as to other exclusive (copyright and related) rights.185 Having been designed to restrict the ability of national legislators to lay down E&Ls in their laws, the three-step test was long conceived as an order addressed to them to enact E&Ls only in certain special cases, pursuant to its first step, taking into account the different interests (e.g., of different categories of rightholders and users), expressed in the other two steps, when drafting the relevant provisions.186 Hence, the above norm has—in the meanwhile—

181

So Quintais, supra n15, p. 9. See Lewinski and Walter, supra n1, no 11.5.79, p. 1061. 183 Quintais, supra n15, pp. 9–10, Geiger et al. (2017), supra n11, pp. 9–10. 184 Lewinski and Walter, supra n1, no 11.5.77, p. 1060, Gervais, supra n1, p. 23, Xalabarder (2009), p. 23. 185 Gervais, supra n1, pp. 4, 25, 31, 35, 38, who notices that the “3-step test” has become the basis for almost all exceptions to all intellectual property rights in international law, Ricketson (2003), p. 65; see also Xalabarder (2009), pp. 22et seq, with reference to the international treaties, Lewinski and Walter, supra n1, no 11.5.77 – 11.5.78, pp. 1060–1061, who also refer to the test’s incorporation into EU Law and argue that Member States need not explicitly include its wording in their national law, although several countries (e.g., Greece, Estonia, France) have done so; compare Marinos (2003), pp. 103–104, Vagena, supra n2, p. 250. 186 See, e.g., Lewinski and Walter, no 11.5.78, p. 1060i.f.-1061, Xalabarder (2009), p. 23, Xalabarder (2010), pp. 247–248, Guibault, supra n3 p. 4, Gervais, supra n1, p. 1, Marinos (2003), p. 105, Vagena, supra n2, pp.251–252. 182

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

131

acquired a new meaning: national courts are obliged to interpret (and apply) such provisions in the light of the three-test step, i.e., to use/apply the specific test as a “hermeneutic” mechanism, when they are called upon to decide whether a particular use (in concreto) falls under the scope of a domestic exception or limitation and thus must be exempted or (it) is infringing.187 In this context, the CJEU adheres to the principle that E&Ls should be interpreted strictly,188 whereas a significant number of eminent copyright scholars have proposed a “flexible” reading of the three-step test so as to ensure that the correct balance between the private and public interests involved in each case will be achieved.189 (b) Since a detailed analysis of the three-step test lies well beyond the scope of this chapter, we shall shortly comment on the impact that its application to the new teaching exception or limitation—provided for in Art. 5 of the CDSM Directive— might possibly have. To start with, it must have already become apparent that the above exception or limitation, though mandatory in nature, contains various facultative elements; as a result, it is not actually precisely circumscribed. This means that it provides Member States with a considerable degree of discretion and ought to be transposed into the national legal systems by more precise descriptions of the cases that fall under its scope,190 e.g., of the permitted uses, the types and/or amounts of works (or other related subject matter) that may be used in particular instances, the categories of beneficiaries, the conditions under which contractual arrangements would prevail and compensation schemes would be established, etc. Nevertheless, since the exception or limitation in question, as clearly defined and purpose-oriented/ limited, would easily pass the first “step” of the respective test,191 the second and third ones demand careful consideration. In other words, in the process of implementation of Art. 5 of the respective Directive, national legislators would be obliged to “test”/examine the individual provisions (they are about to enact) as to their compliance with the above steps in order to ensure their conditions are met.192

187

Xalabarder (2009), p. 25, fn 58, Synodinou, supra n1, p.60, Vagena, supra n2, p. 252; see also Gervais, supra n1, p. 35, Lewinski and Walter, ibid. 188 More specifically see supra, under section 1 (b), fn 13, with references. 189 In this context, see—in particular—the “Declaration on “A Balanced Interpretation of the ‘Three – Step Test’ in Copyright Law” of 2008, prepared in a cooperation between the Max Planck Institute for Innovation and Competition (MPI) and the School of Law at Queen Mary University of London, available online at: https://www.ip.mpg.de/en/research/research-news/declaration-threestep-test.html; see also the Opinion of the ECS (2014), supra n13, Hugenholz and Senftleben, supra n14, pp. 24–25, Senftleben (2010), p. 67, Geiger, Gervais and Senftleben (2014), passim (with an emphasis on pp. 616-617, 625-626), Gervais, supra n1, pp. 35, 38, Geiger, Hilty and Griffiths (2008), pp. 489 et seq.; compare the “Instrument”, supra n7, which, as regards flexibility of the existing copyright-permitted uses, follows the “Declaration” and goes even a step further (see—in particular—pp. 3-4). 190 Similarly see Lewinski and Walter, supra n1, no 11.5.79, p. 1061. 191 Towards this direction see Lewinski and Walter, ibid; compare Gervais, supra n1, pp. 25–27. 192 Lewinski and Walter, ibid, Papadopoulou, supra n38, under heading 2.1.3; in length, see Gervais, supra n1, pp. 27ff.

132

A. Despotidou

However, it should not be neglected that such an analysis may be subject to different approaches and/or evaluations, reflecting the diversity of demands, needs (social, economic, and cultural), and regional situations, as well as legal traditions and perceptions, within the 27 EU Member States.193 Therefore, while the application of the three-step test may result in the drafting of national teaching limitations or exceptions that offer a good deal of legal certainty and predictability,194 it seems rather impossible to achieve complete harmonization in the field of digital education.195 Moreover, apart from protecting the rights and securing the interests of different categories of rightholders, it should be stressed that the three-step test (especially its third condition) undoubtedly paves the way for public policy considerations,196 which, without allowing the “extensive” interpretation of the teaching exception or limitation to be applied by courts in each individual case, may lead to more flexible and, thus, well-balanced solutions, in the light of its own specific—public policy— purpose, that serves as its normative justification.197

4.3

The Application of TPMs on E&Ls: A Problematic “Relationship” (?)

(a) The protection of technological measures (established in the InfoSoc Directive) remains essential to ensure the protection and effective exercise of the rights granted to authors and to other rightholders under EU law, especially in the digital, networked environment.198 Generally speaking, TPMs are used to prevent or restrict acts, in respect of works or other subject matter, which are not authorized by the rightholder of any copyright or any right related to the latter or (of) the sui generis right in databases.199 In the case under consideration, though, TPMs may also be used in order to restrict or prevent altogether acts (e.g., access to and use of works)

193

Lewinski and Walter, ibid. See Hugenholz and Senftleben, supra n14, p. 2. 195 Lewinski and Walter, supra n1, no 11.5.79, p. 1061; compare Gervais, supra n1, p. 35, according to whom the reference to the three–step test in the InfoSoc Directive [Art. 5 (5)] is to be seen as a “guiding principle” rather than an effective means to harmonize exceptions in the national laws of the 27 EU Member States; the same should be considered to hold true regarding the CDSM Directive [Art. 7 (2)]. 196 In this spirit see, among others, Gervais, supra n1, pp. 28–29, 30, 38; see also the Opinion of the ECS (2014), pp. 3, Hugenholz and Senftleben, supra n14, pp. 2–3, 25. 197 In this context see in particular, CJEU, Football Association Premier League v. QC Leisure, Cases C- 403/08 and C- 429/08, Judgement of 4 October 2011, par. 162-163; accordingly, see Hugenholz and Senftleben, supra n14, p. 25, Marinos (2014), p. 14; see also supra, under section 3.1 (c) and fn150, where the opinion that education is grounded on a strong public interest is held. 198 Recital 7, sentence 1, of the CDSM Directive; see, in particular, Vagena, supra n2, pp. 78–91. 199 Recital 47, sentence 1, of the InfoSoc Directive; see Synodinou, supra n1, p. 164. 194

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

133

that are otherwise permitted by law because they fall under the scope of the teaching exception or limitation, provided for in Art. 5 of the CDSM Directive.200 On the other hand, it should not be neglected that a circumvention of TPMs may be prohibited but—at the same time—(it) becomes necessary so that the beneficiaries of the specific exception or limitation, as “legitimate users,” may be able to enjoy the benefits of the exclusive right (or rights), which are limited in their favor. However, Art. 6 (4) of the InfoSoc Directive, which applies here, does not give beneficiaries the authority to perform an act of circumvention themselves, nor the liability for such an act would be limited.201 On the contrary, it creates an obligation for the rightholders to put in place measures in order to make sure that the uses permitted by the relevant exception or limitation are not hampered.202 In other words, rightholders should remain free to choose the appropriate means of enabling the beneficiaries of the teaching exception or limitation under examination (e.g., the educational establishments or the teachers/professors involved in a teaching activity) to take advantage of it.203 In the absence of such “voluntary” measures—including contractual agreements between rightholders and other parties concerned204—within a reasonable period of time, Member States are obliged to take appropriate measures to ensure that rightholders provide the beneficiaries of the above exception or limitation with the means of benefiting from it (e.g., by modifying or removing an implemented TPM), to the extent that is necessary for this purpose and as long as the latter have legal access to the respective work or the other protected subject matter.205 Whereas neither the InfoSoc nor the (recent) CDSM Directive defines what the criteria are for determining the appropriateness of the measures adopted by the rightholders, if and how long Member States must wait before taking action, and what kind of action they should take,206 it has been noticed that usually a

200

Geiger at al. (2017), supra n11, p. 10; see also Dreier (2015), p. 655, Synodinou, supra n1, p. 167; similarly, Guibault, supra n3, p. 35, who insists that the intersection between technological protection measures and E&Ls on copyright is undeniable the thorniest issue confronting lawmakers in the field of Copyright. 201 Geiger et al., ibid, with a reference to Guibault et al. (2007) and in conjunction with fn 20; see also Vagena, supra n2, p. 229 (and fn. 652). 202 Geiger et al., ibid, Vagena, supra n2, p. 224. 203 Recital 7, sentence 3, of the CDSM Directive. 204 See Guibault, supra n3, p. 39, who questions the effectiveness as well as the appropriate content of such contractual arrangements in the digital networked environment; to this direction see also Synodinou, supra n1, p. 170, Vagena, supra n2, pp. 124–125. 205 Recital 7, sentence 4, of the DSM Directive in conjunction with Art. 6 (4) subparagraph 1 (and Recital 51) of the InfoSoc Directive; see also Xalabarder (2010), p. 245, Vagena, supra n2, p. 264. 206 So, Guibault (2003), supra n3, pp. 38i.f.-39, who expresses the view that the provision of Art. 6 par. 4 of the InfoSoc Directive, which—also—applies to the teaching exception or limitation of Art. 5 of the CDSM Directive, raises more questions than it pretends to answer; see also Vagena, supra n2, pp. 226–227.

134

A. Despotidou

governmental mechanism (e.g., a court, an administrative body, or a specialized agency) is required to order that a TPM must be removed, in whole or in part, to allow “legitimate” users to exercise E&Ls on copyright and related rights, with respect of works or other subject matter protected by such a measure.207 In any event, whether the competent authority should be allowed to refuse the remedy and perhaps offer compensation (to users/ beneficiaries) instead is a delicate matter and requires careful consideration.208 (b) Equally important in the above context is the fact that, as derived from the wording of Art. 7 (2) of the CDSM Directive, the special rule (exception) on licensed interactive on-demand services, provided for in Art. 6 (4) subparagraph 4209 of the InfoSoc Directive, does not apply to the new teaching exception or limitation. Consequently, the new teaching exception or limitation cannot be automatically overridden as to works (or other subject matter) that have been made available (to the public) online, for interactive on-demand transmission, through contractual arrangements.210 (c) It is obvious that the provisions concerning the measures that are to be taken in order to ensure that the application of the new teaching exception or limitation will not be annulled by TPMs enforced on works (or other subject matter), the use of which is privileged by the former, are rather complicated and vague, providing Member States with quite a broad range of discretion. Accordingly, the danger of their inconsistent implementation across national jurisdictions, which could jeopardize not only the harmonized enjoyment of the above exception or limitation but also the proper functioning of the Digital Single Market, has been duly highlighted.211 In the this regard, some commentators have expressed the opinion that the CDSM Directive should simply state that TPMs cannot prevent uses of works (or other subject matter) covered by the mandatory E&Ls enacted therein and (should) provide users with the means to secure their removal.212 Although the application

207

Gervais, supra n1, p. 21; see also Xalabarder (2010), p. 245, who argues that appointing courts, as the mechanism to ensure the enjoyment of an exception or limitation, turns out to be a “too slow and far too expensive” solution; generally, for the solutions adopted, i.e., the measures/mechanisms that have been put in force by the various Member States, while implementing Art. 6 par. 4 of the InfoSoc Directive, see Vagena, supra n2, pp. 226–227, who underlines the broad discretion given to them, Gasser and Girsberger (2004), pp. 17 et seq. 208 So, Gervais, ibid, who specifically refers to cases where, removing the TPMs might cause harm to the rightholder, serious enough to outweigh the user’s interest in accessing/using the particular work for a given purpose. 209 According to it, where the provision of interactive, on-demand services online is governed by contractual arrangements, the first and second subparagraphs of Art. 6 (4) of the InfoSoc Directive should not apply; in other words, in such a case rightholders are not obliged to provide users with the means of benefiting from the E&Ls provided for in national laws, in accordance with this Directive; see also Recital 53 (of the same legislative text); Xalabarder (2010), p. 245, Dreier (2015), p. 655, Synodinou, supra n1, pp. 167i.f.–168. 210 Exactly so, Quintais, supra n15, p. 10, who believes that this carve-out is to be welcomed; see also Recital 7, sentence 4, of the CDSM Directive. 211 So, Geiger et al. (2017), supra n11, p. 10. 212 See, in particular, Geiger et al. (2017), ibid, Quintais, supra n15, p. 10.

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

135

of Art. 6 par. 4 of the InfoSoc Directive does not seem as the proper “solution” for the problems encountered here, the intersection between TPMs and E&Ls on copyright and related rights is—undoubtedly—a delicate as well as a controversial issue213 and could not be dealt with successfully by (simply) allowing users, who benefit from the above E&Ls, to circumvent TPMs that prevent their enjoyment.

5 As a Conclusion Due to the COVID-19 crisis, during the last year (2020–2021), the whole world resorted to the Internet’s digital environment in order to continue functioning. Likewise, the great majority of educational establishments of all levels, in most parts of Europe, moved urgently to distance and—mainly—online/“digital” teaching (and learning), to be able to keep providing their services to learners (e.g., pupils and students). Almost 2 (two) years ago, i.e. “just on time”, the benefits deriving from as well as the “dangers” posed by the extensive use of digital technologies for the purposes of education in general led the EU legislator to enact a new mandatory teaching exception or limitation in order to ensure that, on the one hand, the high level of protection of authors and other rightholders will not be diminished, whereas, on the other, the improvement of the learning experience as well as the dissemination of knowledge across EU Member States will not be unnecessarily hampered. As it has been elaborated, though, the wording of Art. 5 of the CDSM Directive—the transposition period of which has not yet expired—provides national legislators with a considerable degree of discretion in implementing the respective exception or limitation. In addition, the possibilities for contractual derogation as well as the partial grandfathering of TPMs rules214 (further) restrict the scope of the new teaching exception or limitation and prevent its smooth adaptability to the online and cross-border environment(s). As a result, the aim of full harmonization in the context of e-education seems difficult to be achieved, and thus fragmentation in the internal market might not—once more—be avoided. Apparently, a lot depends on the way national legislators will respond to the “challenge” that lies ahead of them; either they might proceed towards simple, clear, effective and largely harmonized exceptions or limitations in the field of digital education, or the enactment of Art. 5 of the CDSM Directive might end up as (another) missed opportunity.215

213

See supra, n186. Exactly so, Quintais, supra n15, p. 11. 215 Likewise, Quintais, ibid; compare, towards the same direction, Jütte, supra n19, p.3; Nobre, supra n27, passim. 214

136

A. Despotidou

References Chastanet S (2019) Directive of 17 April 2019 on Copyright and Related Rights in the DSM; Article 15 on Publishers’ Rights, Presentation at IFRO Mid-Year meetings in Dublin (European Working Group) on June 5, 2019 Congleton RJ, Yang SQ (2017) A comparative study of education exemptions to copyright in the United States and Europe. Athens J Law 3(1):47–60, available online at: athensjournals.gr/law/ 2017-3-1-4-Congleton.pdf. Accessed on 30 May 2020 Despotidou A (2003) The economic rights of the author pursuant to article 3 § 1 of Law 2121/1993. In: Marinos MT (ed), Information Society and Copyright – The Greek legal framework. Ant. N. Sakkoulas Publishers, Athens, pp. 11–54. (in Greek) Dreier T (2015) Überlegungen zur Revision des Schrankenkatalogs der Richtlinie 2001/29/EG. GRUR Int:648–657 Dreier T (2018) In: Dreier, Schulze (eds) Urhberrechtsgesetz (Kommentar), 6th edn. C. H. Beck, München Durantaye K (2017) Neues Urheberrecht für Bildung und Wissenschaft – Eine kritische Würdigung des Gesetzentwurfs. GRUR:558–567 Ernst S, Häusermann DM (2006) Teaching exceptions in European copyright law: important policy questions remain (August 2006), Research Publication No. 2006 – 10, Berkman Center for Internet & Society at Harvard Law School, pp. 1–21, available online at https://ssrn.com/ abstract¼925950 or https://doi.org/10.2139/ssrn.925950. Accessed 5 June 2020 European Copyright Society (2014) ECS’s Opinion on the judgement of the CJEU in Case C201/13 Deckmyn, of 1 November 2014, available online at: https:// europeancopyrightsocietydotorg.files.wordpress.com/2015/12/deckmyn-opinion-final-with-sig natures.pdf, as well as, at: https://ssrn.com/abstract¼2564772 under the title: “Limitations and exceptions as key elements of the legal framework for copyright in the European Union”. Accessed on 10 June 2020; also published in: IIC 2015, Vol. 46/1, 93ff ¼ EIPR 2015, 129ff European Copyright Society (2017) ECS’s general opinion on the EU copyright reform package, available online at: https://europeancopyrightsocietydotorg.files.wordpress.com/2015/12/ecsopinion-on-eu-copyright-reform.pdf. Accessed on 10 May 2020 Gasser U, Girsberger M (2004) Transposing the copyright directive: legal protection of technological measures in EU-Member States – A Genie Stuck in the Bottle? Berkman Publication Νo. 2004-1. Available online at: https://ssrn.com/abstract¼628007 or https://doi.org/10.2139/ssrn. 628007 Geiger C, Bulayenko O (2017) General report: scope and enforcement tools to ensure remuneration. In: Lewinski SV (ed) Remuneration for the use of works – Exclusivity v. Other approaches, ALAI 2015 International Congress. Walter De Gruyter GmBH, Berlin/Boston, pp 112–182 Geiger C, Gervais DJ, Senftleben M (2014) The three-step-test revisited: how to use the test’s flexibility in National Copyright Law (November 18, 2013). AUILR 29(3):581–626, available online at https://ssrn.com/abstract¼2356619 or https://10.2139/ssrn.2356619. Accessed on 3 June 2020 Gervais D (2008) Making copyright whole: a principled approach to copyright exceptions and limitations. Univ Ottawa Law Technol J 5(1 & 2):1–41, available online at: https://papers.ssrn. com/sol3/papers.cfm?abstract_id¼1825342. Accessed on June 15, 2020 Geiger C, Hilty R, Griffiths J (2008) Towards a balanced interpretation of the three-step test in copyright law. EIPR 2008:489–496 Geiger C, Frosio G, Bulayenko O (2016) Opinion of the CEIPI on the European Commission’s copyright reform proposal, with a focus on the introduction of neighbouring rights for press publishers in EU Law, CEIPI Research Paper No. 2016-01, available online at: https://papers. ssrn.com/sol3/papers¼2921334. Accessed on 25 June 2020 Geiger C, Frosio G, Bulayenko O (2017) Opinion of the CEIPI on the European Commission’s proposal to reform Copyright Limitations and Exceptions in the European Union, CEIPI

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

137

Research Paper No. 2017-09, available online at: www.papers.ssrn.com/sol3/papers.cfm? abstract_id¼3053983. Accessed on 20 May 2020 Gordon W (1982) Fair use as a market failure: a structural and economic analysis of the Betamax case and its predecessors. Columb law Rev 82:1601 et seq Guibault L (2003) The nature and scope of limitations and exceptions to Copyright and Neighbouring Rights with regard to general interest missions for the transmission of Knowledge: Prospects for their adaption to the digital environment, e-Copyright Bulletin, Oct.–Dec. 2003, pp. 1–44 Guibault L et al (2007) Study on the implementation and effect in Member States’ laws of directive 2001/29/EC on the harmonization of certain aspects of copyright and related rights in the information society. Report prepared for the European Commission, DG Internal Market, EDT/2005/IM/D1/91 Hilty R, Moscon V (2021) A proposal for an international agreement: the intrenational instrument on permitted uses in copyright law, Kluwer Copyright Blog. Available online at: http:// copyrightblog.kluweriplaw.com/2021/03/19/a-proposal-for-an-international-agreemet-the-inter national-instrument-on-permitted-uses-in-copyright-law/. Accessed on 26 March 2021 Höppner T, Kretschmer M, Xalabarder R (2017) CREATe public lectures on the proposed EU Right for Press Publishers, October 10, 2017. Available online at: https://papers.ssrn.com/ abstract¼3050575. Accessed on 29 April 2020 Höppner T (2018) EU copyright reform: the case for a publisher’s right. Intellectual property quarterly, 1/2018, pp. 1-21. Available online at: https://www.sweetandmaxwell.co.uk/ Catalogue/ProductDetails.aspx?productid¼6791&recordid¼380 or https://ssrn.com. abstract¼3081733, pp. 1-42. Accessed on 30 April 2020 Hugenholz B, Senftleben M (2011) Fair Use in Europe. In search of Flexibilities (Amsterdam, November 2011), available online at: https://ssrn.com/abstract¼2013239. Accessed on 10 June 2020 Jougleux P (2020) EU Intellectual Property Law. Sakkoulas Publications, Athens. (in Greek) Jütte B (2019) The new copyright directive: digital and cross-border teaching exception (Article 5), Kluwer Copyright Blog, 21 June 2019. Available online at: http://copyrightblog.kluweriplaw. com/2019/06/21/the-new-copyright-directive-digital-and-cross-borer-teaching-exception-arti cle-5/. Accessed 10 April 2020 Kallinikou D (2008) Copyright & related rights. In: Law & economy, 3rd edn. P. N. Sakkoulas, Athens. (in Greek) Lewinski SV (2008) International copyright law and policy. Oxford University Press, Oxford Lewinski SV, Walter M (2010) In: Lewinski, Walter (eds) European copyright law – A commentary. Oxford University Press, Oxford Marinos MT (2001) Absolute and exclusive rights as the object of harmonization pursuant to Directive 2001/29/EC. In: Marinos MT (ed) Information Society and Copyright – The new community legislation. Ant. N. Sakkoulas Publishers, Athens, pp 29–58. (in Greek) Marinos MT (2003) Limitations and exceptions to copyright – interpretation and the three – step test. In: Marinos MT (ed) Information Society and Copyright – The Greek legal framework. Ant. N. Sakkoulas Publishers, Athens, pp 93–117. (in Greek) Marinos MT (2004) Copyright, 2nd edn. Ant. N. Sakkoulas Publishers, Athens. (in Greek) Marinos MT (2014) The a priori restrictive interpretation of copyright limitations and the prohibition of applying them by analogy – two legal “myths”? In: Τhe Copyright Protection Union – A. L.A.I (ed) Law 2121/1993 on Copyright and Related Rights: 20 years of application. Nomiki Bibliothiki S.A., Athens, pp 7–22. (in Greek) Marinos MT (2020) Text and data mining in the new directive 2019/790/EU – among copyright law, big data and artificial intelligence. EEmpD 2020, pp. 787–817. (in Greek) Max Planck Institute (2008) A balanced interpretation of the “Three – Step Test” in copyright law, Published Sept. 1, available online at: https://www.ip.mpg.de/en/research/research-news/ declaration-three-step-test.html. Accessed on 10 June 2020. Published also in: IIC 2008, pp. 707–713

138

A. Despotidou

Merges R (1997) The end of friction? Property Rights and Contract in the “Newtonian” World of On-line Commerce. Berkeley Technol Law J 12:115et seq Nobre T (2019) The education exception was gutted during the Trilogues, pp. 1–3, available online at: https://www.communia-association.org/2019/02/27/education-exception-gutted-trilogues/. Accessed on 20 Apr 2020 Nordemann JB, Waiblinger J (2020) Art. 17 DSMCD: a class of its own? How to implement Art. 17 into the existing national copyright acts, including a comment on the recent German Discussion Draft – Part B, Kluwer Copyright Blog, July 17 2020. Available online at: http:// copyrightblog.kluweriplaw.com/2020/07/17/art-17-dsmcd-a-class-of-its-own-how-to-imple ment-art-17-into-the-existing-national-copyright-acts-including-a-comment-on-the-recent-ger man-discussion-draft-part-2/. Accessed on 26 July 2020 Papadopoulou MD (2010) Copyright limitations in E-education environment. Eur J Law Technol 1 (2)., available online at: http://ejlt.org/index.php/ejlt/article/view/38/56. Accessed on 21 April 2020 Pila J, Torremans P (2019) European intellectual property law, 2nd edn. Oxford University Press, Oxford Quintais JP (2019) The new copyright in the digital single market directive: a critical look (October 14), pp. 1–23, Available online at https://ssrn.com/abstract¼3424770 or https://doi.org/10. 2139/ssrn.3424770 Quintais JP (2019-2) The new copyright directive: a tour d’horizon – Part II (of press publishers, upload filters and the real value gap), Kluwer Copyright Blog, June 17 2019. Available online at: https://copyrightblog.kluweriplaw.com/2019/06/17/the-new-copyright-directive-a-tourdhorizon-part-ii-of-press-publishers-upload-filters-and-the-real-value-gap. Accessed on 24 April 2020 Quintais JP, Husovec M (2021) How to License Article 17? Exploring the Implementation Options for the New EU Rules on Content-Sharing Platforms under the Copyright in the Digital Single Market Directive. GRUR International (forhtcoming) Issue 4/2021, pp 1–52. Available online at: https://ssrn.com/abstract¼3463011 or https://doi:10.1093/GRURINT/IKAA200. Accessed on 30 March 2021 Raue B (2017) Das Urheberrecht der digitale Wissen(schaft)sgesellschaft. GRUR 2017:11–19 Ricketson S (1987) The Berne convention for the protection of literary and artistic works. Kluwer, London, pp 1886–1986 Ricketson S (2003) WIPO study on limitations and exceptions of copyright and related rights in the digital environment, Standing Committee on Copyright and Related Rights, Ninth Session – Geneva, June 23 to 27, 2003 (Document code: SCCR/9/7, April 5), available online at: https:// www.wipo.int/meetings/en/doc_details.jsp?doc_id¼16805. Accessed on 10 June 2020 Ricketson S, Ginsburg JC (2006) International copyright and neighbouring rights – the Berne Convention and beyond, 2nd edn. Oxford University Press, Oxford Ricketson S, Richardson M (1998) Intellectual property: cases, materials and commentary, 2nd edn. Butterworths, Sydney Senftleben M (2010) The international three - step test: a model provision of EC fair use legislation. Jipitec. pp. 67–82, Available online at: http://ssrn.com/abstract¼1723867. Accessed on 20 June 2020 Schack H (2016) Urheberrechtliche Schranken für Bildung und Wissenschaft. ZUM 2016:266–284 Stary C (2018) German reform on the use of copyright protected works in the fields of education and research will come into force soon, Kluwer Copyright Blog, January 15, 2018. Available online at: http:/copyrightblog.kluweriplaw.com/2018/01/15/german-reform-use-copyrightprotected-works-fields-education-research-will-come-force-soon/. Accessed on 10 May 2020 Synodinou TE (2008) Copyright & new technologies. Sakkoulas Publications, Athens. (in Greek) Ujhelyi D (2020) A third take on the Hungarian implementation of Art 5 of the CDSM Directive, Kluwer Copyright Blog, August 31, 2020. Available online at: http://copyrightblog. kluweriplaw.com/2020/08/31/a-third-take-on-the-hungarian-imlementation-of-art-5-of-thecdsm-directive/. Accessed on 15 October 2020

5 The New Mandatory Teaching Exception or Limitation (Article 5 of the CDSM. . .

139

Vagena E (2011) Technological protection and digital management of copyright. Nomiki Bibliothiki Group, Athens. (in Greek) Xalabarder R (2004) Copyright exceptions for teaching purposes in Europe [online working paper] IN3:UOC (Working Paper Series: WP04-004), pp. 1–32. Available online at: http://www.uoc. edu/in3/dt/20418/index.html. Accessed on 8 Apr 2020 Xalabarder R (2007) On-line teaching and copyright: any hopes for an EU harmonized playground? In Torremans P (ed) Copyright law - a handbook of contemporary research, Chapter 15, pp. 373–401, Edward Elgar Publishing, Cheltenham, UK - Northampton, MA, USA. Available online at: researchgate.net/publication/43669306_On-line_teaching_and_Copyright_Any_ Hopes_for_an_EU_Harmonized_Playground. Accessed on 10 May 2020 Xalabarder R (2009) Study on copyright limitations and exceptions for educational activities in North America, Europe, Caucasus, Central Asia and Israel (Document Code: SCCR/19/8, November 5), Standing Committee on Copyright and Related Rights (19th Session, Geneva, December 14 to 18, 2009), available online at: https://www.wipo.int/meetings/en/doc_details. jsp?doc_id¼130393. Accessed on 9 May 2020 Xalabarder R (2010) Digital libraries in the current legal and educational environment: towards a remunerated compulsory license or limitation?, Bently, Suthersanen and Torremans (eds), Global Copyright – Three Hundred Years Since the Statute of Anne, From 1709 to Cyberspace, Edward Elgar Publishing Inc., Cheltenham, UK - Northampton, MA, USA, pp. 230–251

Chapter 6

Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate Caterina Sganga

Abstract After years of controversial national decisions and the Court of Justice of the European Union’s (CJEU’s) dicta, the Grand Chamber’s ruling in the Tom Kabinet case (C-263/18) seems to have excluded once and for all—save for an ad hoc legislative intervention—the admissibility of digital exhaustion under Article 4 (2) InfoSoc. The CJEU’s rejection of an extension of the principle of exhaustion of the right of distribution from material to digital copies is based upon a strict literal and contextual interpretation of EU and international sources, which is relatively immune from critiques. However, with its simplistic answer, the Court has still failed to tackle the most important interpretative questions raised by the evolution of digital markets. In fact, the Tom Kabinet decision does not update the classificatory dichotomies on the basis of which the InfoSoc draws the borders between exclusive rights. It does not intervene in the tilt in the balance between copyright, competition, fundamental freedoms, and other conflicting fundamental rights triggered by new digital business models. Last, it does nothing to solve the systematic and teleological inconsistencies that have affected the judicial development of EU copyright in the field while suggesting through underdeveloped hints that digital exhaustion may still operate if specific technological solutions are put in place. This chapter provides an overview of the legislative (§2.1) and judicial debate (§2.2) that led to the Grand Chamber’s decision, analyzing the most relevant legal (§3) and economic (§4) arguments advanced in favor and against the extension of Article 4(2) InfoSoc to cover digital copies. Then it reflects on the Tom Kabinet ruling (§5), commenting on its strength and weaknesses (§6) to draw the path that should be followed in order to tackle the most dangerous pitfalls the decision has engendered (§7).

C. Sganga (*) Scuola Superiore Sant’Anna, Pisa, PI, Italy e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_6

141

142

C. Sganga

1 Introduction The principle of exhaustion represents one of the most consolidated, durable balancing tools developed by national copyright laws. Introduced to set the interplay between users’ property rights over material copies and authors’ exclusive rights over their creations, exhaustion soon turned into an instrument used to mediate between copyright protection and the need to guarantee access and affordability of protected works, foster competition and the rise of secondary market, facilitate innovation, and protect other rights and freedoms such as property, privacy, and the freedom of movement of goods.1 The principle was widely adopted without substantial challenges during the twentieth century. In the material world, in fact, the impact of exhaustion on the exploitation of the work has always been limited. Since tangible copies are subject to wear and tear, their marketability and value decrease over time, and a secondhand sale requires the original owner to surrender the possession of her copies, original and secondary markets of protected works do not stand in strong competition with each other.2 The legal boundaries of material exhaustion are also clear and well defined. The tangible nature of the support and its commercialization via implied sales contracts raise no question as to the qualification of the conduct as distribution and no confusion between support and intellectual creation and between the property right over the former and the copyright over the latter.3 On the contrary, in the digital environment, the quality of the copy does not deteriorate over time and its enjoyment is not rivaled, thus increasing the risk of privacy intrusion and the competition between original and secondary markets of the work.4 In addition, a literal interpretation of existing sources and the requirements they introduce for the operation of the principle also militate against the extension of exhaustion to digital copies.5 In fact, the intangibility of the copy and its commercialization via license, which does not formally transfer their ownership, cause its qualification as a service (while exhaustion is limited to goods) and the definition of its transfer as an act of communication to the public (whereas exhaustion is limited to distribution). These arguments have led the majority of scholars and national courts to reject the admissibility of digital exhaustion, adopting a strict positivistic and literal interpretation of the tangible-intangible dichotomy on which the WIPO

1 For a concise summary, with reference to US copyright law, see Perzanowski and Schultz (2011), p. 908 et seq. 2 On this comparison, maintaining that the differences between material and digital markets justify the ban of digital exhaustion, see Wiebe (2010), pp. 321–323. See also Reese (2002–2003), p. 57. 3 For a comprehensive analysis of the theoretical obstacles posed by the characteristics of the digital environment, see Karapapa (2014), p. 307 et seq. 4 Similarly, see Kerber (2016) p. 153 et seq. 5 See the cases commented on by Mezei (2015) paras 65–94, and related ample bibliography.

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

143

Copyright Treaty (WCT) and the InfoSoc Directive6 ground the definition of the boundaries between right of distribution and right of communication to the public. This approach has generally failed to consider and internalize the fact that when the WCT and the InfoSoc Directive were drafted, the digitization of protected works and the shift toward online market were still at the beginning, and their implications far from being understood.7 In other sectors of copyright law, however, when compelled to ensure that outdated acts could still fulfill their objectives, the Court of Justice of the European Union (CJEU) has adopted a much more flexible teleological interpretation, based on the notion of functional equivalence of tangible and intangible copies in light of new technological developments.8 In order to support the asymmetry in the methods of interpretation and conceptual definitions, the Court has made ample use of obiter dicta and the lex specialis argument. This has led to the construction of a system where the InfoSoc Directive remains a weak lex generalis, surrounded by a plethora of sector-specific acts that derogate from the tangible-only reading of terms such as “original” and “copy” and admit the stretching of exhaustion or exceptions to cover digital supports. Departing from the approach that characterized the judicial development of Community exhaustion, which intervened on national copyright laws to reconcile copyright and fundamental freedoms,9 the CJEU has neglected to consider how the digital environment presents shortcomings that could be effectively tackled only by digital exhaustion. More than in the material world, digital rightholders have the possibility to block the development of secondary markets, control the threats coming from potential competitors, and maintain the ability to price discriminate through market segmentation.10 Protected works could be put out of commerce in no time, and access and uses can be more tightly constrained and controlled by technological measures of protection, with a greater impact on users’ privacy and property rights and interests.11 Engaged in a strict literal interpretation of the InfoSoc Directive, the CJEU has not explored any alternative path, nor has it verified whether the protection of the specific subject matter of copyright requires the exclusion of exhaustion on digital copies.12 Most scholars have advocated for a legislative reform to introduce digital exhaustion under Article 4(2) InfoSoc, arguing that the language of the InfoSoc Directive and the WCT and the policy relevance of the matter make it a task for the EU 6

Directive 2001/29/EC of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ L167/10 (InfoSoc Directive). 7 Mezei (2015) paras 183 et seq. 8 Explained in economic terms by Rubi Puig (2013), p. 159 et seq. 9 See infra, para 2.2. 10 As highlighted, inter alia, by Maurer (2001–2002), p. 55 et seq.; Maurer (1997), p. 845 et seq.; Benkler (2000), p. 2063 et seq.; Boyle (2000), p. 2007 et seq.; Lunnedy (2008), p. 387 et seq.; Fisher (2007), p. 1 et seq. Perzanowski and Schultz (2011), pp. 901–907; with specific regard to software products, see Rubi Puig (2013), paras 43–71. 11 Perzanowski and Schultz (2011), pp. 906–907; already Cohen (1996), p. 981. 12 See also Benabou (2016), pp. 351–378.

144

C. Sganga

legislator rather than for courts.13 Unfortunately, after a brief mention in the public consultation on the modernization of EU copyright rules,14 the topic has disappeared from the focus of the Digital Single Market copyright reform,15 despite numerous doctrinal contributions evidencing how digital exhaustion is needed to ensure systematic consistency within EU copyright law, to reinstate its balance with conflicting rights and freedoms, and to achieve some of its economic, social, and cultural goals. In December 2019—a few months after the enactment of Directive 2019/710/EU on Copyright in the Digital Single Market (CDSM Directive)16 and following years of controversial rulings—the Grand Chamber’s decision in the Tom Kabinet case (C-263/18) seems to have excluded once forever, save for a future legislative intervention, the admissibility of digital exhaustion under Article 4(2) InfoSoc. The CJEU’s answer was, as expected, based upon a strict literal and contextual interpretation of EU and international sources. However, with its straightforward reading, the Court has still failed to tackle the most important interpretative questions raised by the evolution of digital markets. In fact, the Tom Kabinet decision does not update the classificatory dichotomies on the basis of which the InfoSoc draws the borders between exclusive rights. It does not intervene in the tilt in the balance between copyright, competition, fundamental freedoms, and other conflicting fundamental rights triggered by new digital business models. Last, it does nothing to solve the systematic and teleological inconsistencies that have affected the judicial development of EU copyright in the field while suggesting through underdeveloped hints that digital exhaustion may still operate if specific technological solutions are put in place. This chapter provides an overview of the legislative (§2.1) and judicial debate (§2.2) that led to the Grand Chamber’s decision, analyzing the most relevant legal (§3) and economic (§4) arguments advanced in favor and against the extension of Article 4(2) InfoSoc to cover digital copies. Then it comments on the Tom Kabinet ruling (§5), analyzing facts, the Advocate General’s Opinion, and the final decision. To conclude, it comments on the strength and weaknesses of the Grand Chamber’s decision (§6) to draw the path that should be followed in order to tackle the most dangerous pitfalls Tom Kabinet has engendered (§7).

13

E.g. Mezei (2015), paras 182, 191, 195, who highlights that a number of attempts of legislative amendment have already failed; see also Rosati (2015), pp. 680–681, but contra Karapapa (2014), p. 309. 14 Commission, ‘Public Consultation on the Review of the EU Copyright Rules’, pp. 13–14, and ‘Report on the responses to the Public Consultation on the Review of the EU Copyright Rules’, pp. 20–22. 15 Commission, ‘Communication a Digital Single Market Strategy for Europe’ COM(2015) 192 final, p. 3. 16 Directive (EU) 2019/790 of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC [2019] OJ L-130/92.

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

145

2 The Long Road Toward Tom Kabinet 2.1

Sources and Provisions at Stake

The first international reference to exhaustion can be found in the two World Intellectual Property Organization (WIPO) Internet treaties (Article 6(2) WCT and Article 8(2) of the WIPO Performances and Phonograms Treaty (WPPT)17), which similarly rule that “nothing in this Treaty shall affect the freedom of Contracting Parties to determine the conditions, if any, under which the exhaustion of the right [of distribution] applies after the first sale or other transfer of ownership of the original or a copy of the work with the authorization of the author.” Legislators are thus free to regulate the principle outside the borders set by the three-step test,18 but they should subordinate its application to the first lawful sale or other transfer of ownership.19 In addition, the Agreed Statement on Articles 6 and 7 WCT limits the scope of distribution and its exhaustion to “fixed copies that can be put into circulation as tangible objects,”20 seemingly excluding works in digital format,21 although some commentators have theorized that the wording of the Statement only requires the work to be potentially fixable on a material support and not to be already fixed.22 Until material and online forms of exploitation remained clearly distinct, the rigidity of the dichotomy adopted by the Statement did not cause significant problems. The right of communication/making available to the public covered transmissions of protected works that did not end up in possession of users and were originated either on demand (making available) or upon the rightholder’s initiative (communication); the right of distribution covered the commercialization of tangible copies in the material world.23 With the growth of online markets and the commercialization of digital files via permanent transfer, the question arose whether the functional and economic equivalence of such transactions with material sales justified their qualification as distribution. The EU legislator pondered long before regulating exhaustion, in the belief that the development of Community exhaustion by the CJEU case law had made

17 The Berne Convention and the TRIPs Agreement do not regulate exhaustion, leaving it to contracting parties due to lack of supranational consensus as to its national, regional or international nature. See Ficsor (2002), pp. 153–155, 210–226. Some aspects of the right of distribution, instead, were already regulated by the Berne Convention. See Ricketson and Ginsburg (2006), p. 660 et seq. 18 In the opinion of Mezei (2015) para 18, in line with von Lewinski (2008), para 17.65. 19 Reinbothe and von Lewinski (2015), p. 87. 20 See Agreed Statements concerning the WIPO Copyright Treaty, adopted by the Diplomatic Conference of December 20, 1996, Concerning Articles 6 and 7, . Accessed 13 June 2020. 21 See, e.g., Sterling (2015), p. 574 et seq. 22 More recently, see Ruffler (2007), p. 380. 23 Broadly Mezei (2015), paras 21–22, referring also to Ficsor (2002), pp. 205–206 and 249–250.

146

C. Sganga

superfluous any legislative intervention.24,25 It finally crystallized it in two legislative texts—Software Directive I (1991) and Rental Directive I (1992)26—using the distinction between sale-style and service-style rights to draw the borders of the principle and excluding it in case of rental and communication to the public rights.27 None of the directives mentioned the tangible nature of the copy as a requirement for exhaustion to take place. The distinction between tangible and intangible copies first emerged in the Commission’s report on the implementation of Software Directive I28 and later in the Follow-up to the Green Paper on Copyright in the Information Society, which defined as a service the online exploitation of a work.29 Along the same lines, the Database Directive (1996) built on the definitions used by the Software I and Rental I Directives,30 adding the exclusion of exhaustion in case of reutilization of materials extracted from online databases.31 When called to implement the WCT by the InfoSoc Directive, the EU legislator complemented the text of the Treaty with this construction. After copying almost slavishly Article 6 WCT to regulate the right of distribution and its exhaustion (Article 4), the Directive embedded the Agreed Statement’s limitation to tangible copies (Recital 28)32 and added, in line with previous directives, the exclusion of the right of communication to the public (Article3(3)) and of services and copies made from online services from the scope of the principle (Recital 29).33 With no further reflection compared to the 1996 WCT, the EU legislator did not provide any additional guidance to classify “grey” forms of exploitation such as the permanent alienation and transfer of digital files over the Internet, leaving in haze the boundaries between the right of distribution and the right of communication to the public.

24 Commission, ‘Green Paper on Copyright and the Challenge of Technology – Copyright Issues Requiring Immediate Action’, COM (1988) 172 final. 25 Ibid para 4.10.5, with reference to Case C-62/79 SA Compagnie générale pour la diffusion de la télévision, Coditel, and others v Ciné Vog Films and others (Coditel I) [1980] ECR I-0881 and Case C-262/81 Coditel v CinéVog Films II (Coditel II) [1982] ECR I-3381. 26 Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs, OJ L122/42 (Software Directive I); Council Directive 92/100/EEC of 19 November 1992 on rental right and lending right and on certain rights related to copyright in the field of intellectual property, OJ L346/61 (Rental Directive I). 27 Art 4(c) Software Directive I; Art 1(4) Rental Directive I. 28 Commission, Report on the implementation and effects of Directive 91/250/EEC on the legal protection of computer programs, COM(2000) 199 final, 17 (exhaustion “only applies to the sale of copies i.e. goods, whereas supply through on-line services does not entail exhaustion”). 29 Commission, ‘Follow-up to the Green Paper on Copyright and Related Rights in the Information Society’, COM(96) 568 final, Ch 2, 19, para 4. 30 Directive 96/9/EC of the European Parliament and the Council of 11 March 1996 on the legal protection of databases OJ L77/20 (Database Directive), Article 5(c). 31 Ibid Recital 43. 32 “Copyright protection under this Directive includes the exclusive right to control distribution of the work incorporated in a tangible article”. 33 “The question of exhaustion does not arise in the case of services and on-line services in particular”.

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

147

This inevitably triggered a number of interpretative problems with the fast evolution of new digital business models, bringing again back to the stage a principle whose judicial development traced back to the early 1970s.

2.2 2.2.1

Judicial Swings Early CJEU Case Law (1970s–1990s)

The debut of exhaustion in the EU traces back to the 1970s, when the CJEU introduced the doctrine of Community exhaustion in Deutsche Grammophon.34 The case revolved around the legitimacy of the plaintiff’s use of a licensing scheme based on a net of exclusive national distributors of sound recordings, which resulted in the segmentation of the internal market. The scheme was made possible by the territorial nature of copyright and the limitation of exhaustion to first sales that took place within national borders. Ruling that Article 36 EC (now Article 36 TFEU) allowed derogations to the freedom of movement of goods only “for the purpose of safeguarding rights which constitute the specific subject-matter” of industrial and commercial property,35 the CJEU barred the application of national exhaustion as “repugnant to the essential purpose of the Treaty”36 and tilting the balance between fundamental freedoms and copyright, beyond what was necessary to protect the subject matter of copyright.37 The notion of essential function helped the CJEU offering articulated axiological arguments to draw the borders of Community exhaustion.38 Yet the EU legislator embedded only the tangible construction and exclusion of services as criteria to delimitate the principle beyond what was requested by the WCT.39 The abandonment of the teleological argument as a criterion to identify the need and opportunity of implementing exhaustion could not but contribute to straightjacketing the system. As a result, the CJEU case law that directly or indirectly intervened on digital exhaustion in the years to follow could not ensure the systemic coherence and adaptation needed for 1990s–early 2000s sources to still perform their role vis-à-vis the evolution of digital business models.

34 Case C-78/70 Deutsche Grammophon Gesellschaft Gmbh v Metro-SB-Großmärkte GmbH & Co. KG. [1971] ECR I-499. 35 Ibid para 11. The Court ruled that the derogation introduced by Article 36 EC referred to the existence of the rights, id est their creation by national legislators, but not to their exercise, which could in no case violate the provisions of the Treaty (existence-exercise dichotomy). See, e.g., Fennelly (2003); Ubertazzi (2014), pp. 38–41; Strowel and Kim (2012), p. 121 et seq. On the development of the doctrine see Schovsbo (2012), pp. 174–178. 36 Deutsche Grammophon, paras 12–13. 37 Ibid. 38 See Coditel I and II (supra n 25). 39 Coditel II, para 43.

148

2.2.2

C. Sganga

UsedSoft (C-128/11)

Until December 2019, the only direct decision on digital exhaustion is UsedSoft v Oracle (2012)—one of the most criticized copyright ruling of the CJEU. The main question posed to the Court was whether under Article 4(2) Software II40 the right of distribution of a copy of computer software was exhausted by the transfer via download of a digital copy of the program for an unlimited period in exchange for a fee corresponding to the economic value of that copy, even if the related contract was framed as a license and not as a sale. The inquiry arose from the fact that also Article 4(2) Software II, exactly as Article 4(2) InfoSoc, links the exhaustion of the right of distribution to the first sale of the copy, thus excluding licenses. The CJEU introduced a functional definition of the notion of sale and requalified Oracle’s licensing scheme as a sale in light of its characteristics (permanent transfer, fee corresponding to the value of the copy), arguing that the format and medium through which the copy was delivered did not change the legal and economic substance of the operation.41 Opting for a formalistic interpretation of the contractual qualification as a “license”, without looking at the economic meaning of the transaction, would have allowed the rightholder to demand an additional remuneration after each transfer, even in those cases when the first sale had already granted him an appropriate return. The same would have happened if the decision on the application of exhaustion were based on the nature of the copy, whereas the functional and economic equivalence of tangible and intangible supports required to treat them equally vis-à-vis the principle.42 More generally, the control over secondary markets and restriction of fundamental freedoms ensuing from the disapplication of exhaustion would have gone beyond what was “necessary to safeguard the specific subjectmatter” of copyright43 and thus be unjustified.44 To complete its analysis and answer to Oracle’s objection that the download of software constituted an act of communication to the public, which is excluded from the scope of exhaustion, the Court emphasized the lex specialis nature of Software Directive II, ruled out the application of Article 3 InfoSoc, and qualified any transfer of the work, regardless of its form, as a distribution under Article 4 Software II. Despite the lex specialis shortcut, however, the CJEU took the opportunity to specify that under Article 6(1) WCT, which constitutes the basis of Articles 3 and 4 InfoSoc, the rights of distribution and communication to the public should be

40

Directive 2009/24/EC of 23 April 2009 on the legal protection of computer programs [2009] OJ L111/16 (Software Directive II). 41 Case C-128/11 UsedSoft GmbH v Oracle International Corp. EU:C:2012:407, paras 45–47. 42 UsedSoft, para 61. 43 Ibid para 62, referring to Case C-200/96 Metronome Musik GmbH v. Music Point Hokamp GmbH [1998] ECR I-01978, Case C-61/97 FDV [1998] ECR I-5171, para 13 and Joined Cases C-403/08 Football Association Premier League Ltd et al v QC Leisure et al and C-429/08 Karen Murphy v Media Protection Services Ltd [2011] ECR I-09083 (FAPL), para 106. 44 Ibid para 49.

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

149

distinguished on the basis of the type of transfer and use of the work, having distribution every time there is a transfer of ownership of the copy.45 UsedSoft looked at the objectives of exhaustion—to avoid the partitioning of markets while limiting the constraints to the distribution right to what was necessary to safeguard the specific subject matter of copyright—in order to redefine the borders of the principle. On this basis, it overcame the literal interpretation of the sale-license and good-service dichotomies in favor of a teleological reading of exhaustion and its systematic function, overstepping also the material-only reading of “copy,” “original,” and “object” in the context of the right of distribution. Although the revolutionary impact of the reading was weakened by the use of the lex specialis argument,46 the decision created a strong link with the early CJEU case law, channeling in the essential function of copyright to adjust its internal balance to changing circumstances. If generalized, this teleological reading could have helped reaching a more coherent evolution of EU copyright law. The Court, however, decided not to go down this road. 2.2.3

From Allposters (C-419/13) to VOB (C-174/15)

No cases ruled directly on digital exhaustion under the InfoSoc Directive before Tom Kabinet.47 Some indirect references nevertheless emerged in decisions where the Court tried to control the side effects of the tangible-intangible dichotomy in other areas of copyright law, building a patchwork of inconsistent responses. Although it is centered on tangible objects, Art & Allposters48 has been identified as the first resolute denial against digital exhaustion.49 The case concerns the legitimacy of the transfer of images of protected works from posters on which the distribution right was exhausted to canvas, later sold without the rightholder’s consent. Instead of qualifying the matter under the umbrella of the adaptation right, which is not harmonized by the InfoSoc Directive and thus not under the competence of the Court, the CJEU referred to Article 4 InfoSoc since both posters and canvas carried an image of the work.50 The question was, therefore, whether exhaustion could still apply when the medium was altered after the first sale. The 45

Ibid para 52, as also noted by the Opinion of AG Bot, EU:C:2012:234, para 73. A similar distinction could be already found in Case C-456/06 Peek & Cloppenburg [2008] ECR I-2731, para 30. 46 Ibid para 60. The Court underlined the different language used in the two acts, where Article 4 (2) Software II refers to the sale of a copy of the program, making no distinction as to its tangible or intangible form (para 55), and Article 1(2) Software II extends the scope of the Directive “to the expression in any form of a computer program”, with a clear assimilation of tangible and intangible copies (paras 57–58). 47 As maintained and evidenced by Galič (Savič) (2015), pp. 415–416. 48 Case C-419/13 Art & Allposters International BV v Stichting Pictoright [2015] EU:C:2015:27. 49 See, e.g., Rosati (2015), and Galič (Savič) (2015), pp. 390–391. 50 Allposters, paras 26–27.

150

C. Sganga

Court answered in the negative, arguing that the alteration created a new object and thus constituted an unlawful reproduction under Article 2 InfoSoc, regardless of whether the first medium was destroyed.51 The conclusion was grounded on a strict literal and contextual interpretation of the notion of “that object” under Article 4 (2) InfoSoc based on Recital 28 InfoSoc, Article 6 WCT, and the Agreed Statement,52 which according to the CJEU converge in proving the legislative intention to “give authors control over the initial marketing (. . .) of each tangible object incorporating their intellectual creation.”53 As a supporting teleological argument, the CJEU maintained that the high level of protection to be granted to copyright54 requires the exclusion of exhaustion for new supports since this would deprive rightholders of the possibility to extract an appropriate reward from new forms of exploitation of their works.55 In fact, digital exhaustion is never mentioned, and the reference to tangibility is a dictum rather than part of the main reasoning. However, the literal interpretation offered by the CJEU seemed to set quite a definite direction.56 Ranks57 confirmed UsedSoft, arguing that the lawful acquirer of a tangible copy of software, the original copy of which got destroyed, damaged, or lost, cannot be prevented from reselling it and be discriminated against the owner of an intangible copy for this would frustrate the goals of exhaustion.58 Yet the CJEU restricted the scope of the precedent by ruling out the application of the principle in case of backup and other nonoriginal copies, regardless of whether the original support was damaged or destroyed. With no trace of teleological argument and with a very concise reasoning, the Court excluded that exhaustion could broaden the scope of the backup exception (Article 5(2) Software I) and allow the commercialization of used backup copies since the Directive is clear in stating that reproductions are allowed only if “made and used to meet the sole needs of the person having the right to use that program.”59

51

Allposters, para 43. Ibid paras 34–35 and 38–39. 53 Ibid para 3.7 (emphasis added). 54 Ibid para 47. 55 Ibid para 47, where appropriate means “reasonable in relation to the economic value of the (. . .) work” (Ibid para 48, as also in FAPL, paras 107–109). 56 See particularly Rosati (2015), p. 680. 57 Case C-166/15 Aleksandrs Ranks and Jurijs Vasiļevičs v Finanšu un ekonomisko noziegumu izmeklēšanas prokoratūra and Microsoft Corp., EU:C:2016:762. 58 Ibid para 50. 59 Ibid 43. 52

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

151

In contrast to this approach, in VOB,60 the Court admitted the extension of the public lending exception (Article 6 Rental II61) to e-books, despite Article 3 Rental II defines the scope of rental and lending by referring to “originals” and “copies” and the Agreed Statement to Articles 6 and 7 WCT limits the two notions to tangible copies also in the case of rental. Asserting the need to ensure the effectiveness of the exception, the CJEU underlined that the WCT does not cover lending and argued that by using the plural “rights,” also the EU legislator assumed that rental and lending were meant to be regulated autonomously.62 Also, here, the ruling was limited to Rental Directive II as lex specialis,63 and the Court added as a side note that “object” and “copies” should otherwise be read as indicating tangible objects, in line with the Agreed Statement.64 However, the Luxembourg judges indulged in one additional specification, answering to the second question raised by the referring court. In fact, VOB stated that EU law does not preclude a Member State from subordinating the application of the public lending exception to the exhaustion of the distribution right over the copy under Article 4(2) InfoSoc.65 The argument could well be justified by the willingness to protect authors, to avoid the lending of works not put in circulation upon rightholders’ consent.66 Yet it is still striking that the Court seems to authorize the introduction of digital exhaustion as a precondition for the enjoyment of the new public e-lending exception,67 spending no words on the implication of this statement for the extension to digital copies of Article 4 (2) InfoSoc. The fact- and sector-specific approach adopted by the CJEU, forced by the strict literal interpretation of the InfoSoc Directive and the unclear relationship between its general principles and the provisions of other “vertical” copyright-related directives, has resulted in fragmented rulings. The Court’s decisions have all been framed as exceptions to the general rule (lex specialis argument),68 in contrast with the more traditional CJEU approach that strives to achieve horizontal uniformity in the terminology and principles used in a given area. The result was a lack of meaningful and coherent guidance in the much-needed contextual interpretation of the

60 Case C-174/15 Vereniging Openbare Bibliotheken v Stichting Leenrecht (VOB) [2016] EU: C:2016:856). 61 Directive 2006/115/EC of the European Parliament and of the Council of 12 December 2006 on rental right and lending right and on certain rights related to copyright in the field of intellectual property (Rental Directive II), OJ L376/28. 62 VOB, para 27. 63 Ibid para 56, with reference to Article 1(2)(b) InfoSoc. 64 Ibid paras 33–34. 65 Ibid para 60. 66 Ibid paras 61–63. 67 Ibid para 64. 68 See Leistner (2014), p. 595; van Eechoud (2012) paras 90 ff. (with reference to the autonomous interpretation). On the teleological rather than contextual interpretative method used by the CJEU see Favale et al. (2016), pp. 59–61.

152

C. Sganga

patchwork of EU copyright sources and no consistent application of similar economic or value-based considerations on fact patterns that triggered similar policy questions. It is quite telling how, on the contrary, the Court did not shy away from using exhaustion-like arguments in other areas, such as the definition of the boundaries of exclusive rights, and particularly of the right of communication to the public under Article 3 InfoSoc.69 From Svennson on,70 the CJEU has requested a new authorization from the rightholder every time the communication was directed to a “new public” not targeted by the first transmission or it uses a “new technical mean.”.71 Exactly as in the case of exhaustion of the right of distribution,72 the Court deems the rightholder’s control over the copy terminated upon the first voluntary making available of their work toward a certain public and through a specific technical means. This consideration is based on the presumption that the act was based on a pondered selection of the markets to exploit and produce an appropriate remuneration. Also, the rationale inspiring the choice seems to be the same, with a distinction between exploited and yet-to-be-exploited markets, based on the reward theory and the notion of appropriate remuneration. Once the remuneration goals are met and the control over the work is no longer necessary to ensure a high level of protection to rightholders, and for copyright to achieve its functions, other conflicting rights and freedoms may prevail over copyright if needed.73 While precedents on Article 3 InfoSoc have been relatively consistent and consequential, decisions in the field of digital exhaustion did not show the same attention toward the economic and systemic effects of the rulings. Unfortunately, the CJEU did not change its approach when it was finally called to rule directly on Article 4(2) InfoSoc and the admissibility of a horizontal principle of digital exhaustion in EU copyright law. In Tom Kabinet—as we will see in paragraph 6—the Court seemed to have denied once and forever the extension of Article 4(2) InfoSoc to cover digital copies, with a decision that is as historical as concise, dry, and orthodox

69

See, e.g., Mezei (2015), para 159, and Benabou (2016), pp. 351–378. Case C-160/15 Nils Svensson and Others v Retriever Sverige AB [2014] EU:C:2014:76, building on Case C-306/05 Sociedad General de Autores y Editores de España (SGAE) v Rafael Hoteles SA [2006] ECR I-11519; Case C-135/10 Società Consortile Fonografici (SCF) v Marco Del Corso [2012] EU:C:2012:140; Case C-607/11 ITV Broadcasting Ltd and Others v TVCatchUp Ltd [2013] EU:C:2013:147, and Case C-351/12 OSA – Ochranný svaz autorský pro práva k dílům hudebním os. v Lécˇebné lázně Mariánské Lázně as [2014] EU:C:2014:110. 71 After Svensson the various criteria have been reiterated by inter alia, Case C-466/12 GS Media BV v Sanoma Media Netherlands BV and Others [2016] EU:C:2016:644; Case C-117/15 Reha Training Gesellschaft für Sport- und Unfallrehabilitation mbH v Gesellschaft für musikalische Aufführungs- und mechanische Vervielfältigungsrechte eV (GEMA) [2016] EU:C:2016:379; Case C-527/15 Stitching Brein v Jack Frederic Wullems (Filmspeler) [2017] EU:C:2017:300. 72 Similarly, Benabou (2016), pp. 351–378. 73 Ibid, who emphasizes that the same arguments characterize the functional interpretation of the scope of exceptions in FAPL and Case C-201/13 Johan Deckmyn and Vrijheidsfonds VZW v Helena Vandersteen and Others [2014] EU:C:2014:2132 to Case C-117/13 Technische Universität Darmstadt v Eugen Ulmer KG [2014] EU:C:2014:2196, and VOB. 70

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

153

in its arguments. Before delving into the details of the Grand Chamber’s ruling, however, it may be useful to briefly analyze the legal and economic reasons that would have supported a decision in favor of digital exhaustion. Their discussion will help in tracing the interpretative questions still left unanswered by the Court, commenting on the soundness of the ruling, and drawing the possible paths ahead.

3 The Need for Digital Exhaustion in EU Copyright Law: Legal Arguments Introducing digital exhaustion under Article 4(2) InfoSoc could have brought consistency and order in the contextual interpretation of the plethora of EU copyright directives enacted from 1991 to date and a much more coherent teleological reading of their provisions. If Tom Kabinet had opened Article 4 InfoSoc to digital copies, the CJEU could have offered a more consistent teleological interpretation of EU copyright law provisions that, despite their fragmentation in different sources, largely share the same objectives, as in the case of Articles 4(2) InfoSoc and Software II. This would have been in line with the fulfillment of a series of goals of the InfoSoc Directive, such as the implementation of the four freedoms (Recital 3) and the nondistortion of competition in the internal market (Recital 1) in digital markets, which have taken over traditional markets for size and growth and are in this sense functionally similar to the latter vis-à-vis the necessity of exhaustion. From a systematic perspective, overstepping a strict literal interpretation of Article 4(2) InfoSoc could have solved a number of short circuits caused by the patchwork harmonization of EU copyright law. The reference goes to (i) the unclear definition of the borders between distribution and communication to the public, (ii) the confusion triggered by the evolving goods-services dichotomy, (iii) the uneven extension of the autonomous concept of sale and of the functional interpretation of the sale-license dichotomy, (iv) the lack of uniformity in the methods of interpretation of Article 4(1) and (2) InfoSoc, and more generally (iv) the negative effects of the lex specialis argument.

3.1

Updating the Borders Between Distribution and Communication to the Public

An opening toward digital exhaustion could have offered the opportunity to contextually rethink and update, in a teleologically grounded manner, the boundaries between right of distribution (Article 4 InfoSoc) and right of communication to the public (Article 3 InfoSoc), the latter not being subject to the principle.

154

C. Sganga

The CJEU intervened on the matter in UsedSoft,74 stating in an obiter dicta that Article 6(1) WCT distinguishes the two rights on the basis of the type of transfer and the use of the work and limits distribution to cases where there is a transfer of ownership, making no distinction as to the tangible or intangible nature of the copy.75 However, the Court severely limited the cogency of its argument by justifying the qualification of download as an act of distribution on the ground of the lex specialis nature of Directive 2009/24/EU, which (i) allows the nonapplication of Article 3 InfoSoc and (ii) does not contain a provision on the right of communication to the public, making it possible to qualify any transfer as a distribution regardless of its tangible or intangible nature.76 UsedSoft found inspiration in that scholarly opinion that characterizes the making available right as covering on-demand transmissions that do not entail the permanent reproduction or retention of the copy but only the possibility to access the work from a place and a time decided by the user.77 In this sense, what distinguishes distribution from the act of making available the work was the effect of the transfer—conveyance of ownership of a copy (tangible or intangible) in the first case and dematerialized transmission of a work upon user’s request, without retention of any copy, in the latter case. Recitals 23 and 24 InfoSoc, which emphasize the notion of “transmission” when defining the right of communication to the public, supports this interpretation. The same can be said for Article 8 WCT, which, when identifying the provisions of the Berne Convention left unprejudiced by the right of communication to the public, mentions only acts that presuppose the transmission of the work, such as recitation, public performance of cinematographic work, and broadcasting.78 The majority view has always opposed this reading, arguing that the Agreed Statement on Article 4 WCT clearly limits the right of distribution to the sale of tangible copies, thus distinguishing distribution and communication to the public on

74

Harshly criticized by Linklater (2014), Spedicato (2015), Vinje et al. (2012), p. 97 et seq.; Senftleben (2012), p. 2924; Dreier and Leistner (2013), p. 887 et seq.; Schulze (2014), p. 9 et seq; Stothers (2012), pp. 788–781. 75 UsedSoft, para 52, as also noted by the Opinion of AG Bot, EU:C:2012:234, para 73. A similar distinction could be already found in Case C-456/06 Peek & Cloppenburg [2008] ECR I-2731, para 30. 76 Although the obligations arising from the WCT would have suggested the need to cover the gap through the InfoSoc Directive, which allows it under Article 1(2)(a) InfoSoc. See Linklater (2014), p. 15 and Mezei (2015), paras 121–123. 77 Defined “digital interactive transmission” by one of the drafters of the Treaties, Ficsor (2002), p. 203. See Mezei (2015), para 122, supporting the CJEU’s conclusion in UsedSoft. See also Tjong Tjin Tai (2003), p. 208 et seq. 78 Article 8 WCT leaves unprejudiced Article 11(1)(ii) BC (public performance and communication to the public of the performance of a work), Article 11bis(1)(i) and (ii) BC (broadcasting and other wireless communications, public communication of broadcast by wire or rebroadcast, public communication of broadcast by loudspeaker or analogous instruments, and related compulsory licenses), Article 11ter(1)(ii) BC (right of public recitation and of communication to the public of a recitation), and Article 14(1)(ii) BC (public performance of cinematographic works).

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

155

the basis of the tangible/intangible nature of the copy.79 While this interpretation is in line with the text of the Treaty, however, it does not give any relevance to the difference in value and impact of the forms of exploitation covered by Articles 4 and 8 WCT nor to the fact that such differences lie not in the material or immaterial nature of the support but in the degree and duration of the user’s control of the work. This originalist reading has made it impossible to adapt the provision to the evolution of copyright markets through a technologically neutral, functional approach to the various forms of exploitations. It has also left uncovered—or improperly covered—an ample grey zone of conducts that fall between Articles 3 and 4 InfoSoc, such as the online transfer and retention of digital works as products, which represent a tertium genus within the traditional good-service dichotomy. The CJEU could have solved the hiatus and ensured the equal treatment of functionally similar transactions by classifying the act on the basis of the type of transfer and thus limiting Article 3 InfoSoc to transmissions that do not cause a transfer of ownership of the work. These revised criteria would have not clashed with the WCT since no form of exploitation would have remained uncovered,80 and they would have been in line with the Article 8 WCT “umbrella solution,” which leaves to state discretion the decision on how and under which right (or combination of rights) to classify acts of dematerialized transmissions.81 The reading would have also been consistent with the EU decision to qualify the making available right as a form of communication to the public and not—as in the United States82—as a form of distribution, which highlights their ontological distinction.83 Last, a classification of the conduct on the basis of the type of transfer and not on the basis of the nature of the support would have also been compatible with Recital 29 InfoSoc, which excludes from exhaustion online services and the copies made by their users and with a similar distinction made by the Commission in the occasion of the implementation of the 1991 Software Directive I,84 which defines the transmission of a work on demand and without a permanent transfer of the copy as a provision of service, and not as a transfer of good, as in the case of distribution.

79 See ALAI, Opinion on Case C-263/18, NUV/GAU v Tom Kabinet, Brussels, 12 September 2018, available at . Accessed 13 June 2020, pp. 3–4. 80 Ibid p. 4. 81 On the “umbrella solution” see, ex multis, Ficsor (2002), p. 145 et seq; Ricketson and Ginsburg (2006), pp. 741–748; Reinbothe and von Lewinski (2015), pp. 125–128. 82 Information Infrastructure Task Force, ‘Intellectual Property and the National Information Infrastructure: The Report of the Working Group on Intellectual Property Rights’, September 1995, pp. 212–214; see Pallante (2013), p. 326 et seq. Federal courts are split on the admissibility of the making available right under the US Copyright Act. Among the most recent landmark decisions, see Sony BMG Music Entertainment et al v Joel Tenenbaum, 663 F3d 487 (2011), while in favor Capitol Records Inc et al. v Jammie Thomas-Rassed, 692 F.3d 899 (2012). 83 But see, contra, Linklater (2014) para 22. 84 Explicitly in Answer by Commissioner Monti to Oral Question H-0436/95 by Arthur Newens, MEP (11.7.1995), Debates of the EP, No. 466, 175.

156

C. Sganga

This was not, however, the route that the CJEU decided to take in Tom Kabinet. By missing the opportunity to reconceptualize the boundaries between Articles 3 and 4 InfoSoc, the Court left unsolved a number of related systematic short circuits, strictly related to the communication to the public-distribution dichotomy.

3.2

Rethinking the Dichotomy Goods-Services in Line with the Evolution of EU Law

One of such short circuits is the problematic qualification of works as goods or services, which comes into play due to the exclusion of services from the scope of the principle.85 Goods and services are not defined in the Treaty and only fragmentedly defined in secondary sources, while the CJEU case law offers very fact-specific decisions and no general classificatory criteria. The Court qualifies goods as “products” or “objects” characterized by tangibility86 and tradability87 and services as a residual category,88 although also its rulings have been conflicting. Some decisions classify as service licenses, leasing of goods, and also tangible objects when they are offered as a step in the performance of a service contract.89 In other instances, instead, the CJEU has excluded the argument that to have tradability, and thus a good, it is necessary to have a transfer of ownership.90 In the field of intangible products, the distinction between goods and services has been based on the material/immaterial nature of the support and of the means of distribution rather than on the type of contract used for the transaction.91 This has been also the approach adopted by secondary sources.92 Recital 33 Database excludes online database from the scope of exhaustion since “unlike CD-ROM or CD-I, where the intellectual property is incorporated in a material medium, namely an item of goods, every on-line service is in fact an act which will have to be subject to authorization where the copyright so provides.” With a debatable choice, Recital 38 E-Commerce classifies as service also the online 85 Apart from the WCT, see already Commission, ‘Green Paper on Copyright and Related Rights in the Information Society’ COM(95) 382 final, p. 47, and Commission, Report on the implementation and effects of Directive 91/250/EEC on the legal protection of computer programs, COM(2000) 199 final, p. 17. 86 See the overview provided by Smith and Woods (2005). 87 As in Case C-7/68 Commission v Italy [1968] ECR I-0423, defining goods as products having a monetary value and being potentially object of a commercial transaction. From Case C-2/90 Commission v Belgium [1992] ECR I-04431, the Court eliminated the monetary value requirement. 88 Particularly in Case C-155/73 Sacchi [1974] ECR I-0409. 89 E.g. Case C-451/99 Cura Anlagen GmbH v ASL [2002] ECR I-3194 (long-lease of cars). 90 FAPL, para 83, commented by Dreier (2013), p. 137. 91 After Sacchi, Case C-52/79 Procureur du Roi v Debauve [1980] ECR I-0833. 92 As emphasized by Karapapa (2014), pp. 311–313.

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

157

sale of goods.93 The VAT Regulation circumscribed the supply of goods to “the transfer of the right to dispose of tangible property as owner”94—a circumstance that has led the Court to classify the online supply of e-books as a service,95 until harsh scholarly critiques96 and AG Opinions97 underlining the inadequacy and inconsistency of the approach with principles of tax neutrality and equality caused the EU legislator to specify that printed and electronic books should be subject to the same reduced VAT rate.98 More recently, however, the Consumer Rights Directive (CRD) has intervened in the problems triggered by the scope limitation to “goods” of several consumer law directives,99 offering a hybrid definition of digital content as “data which are produced and supplied in digital form (. . .) irrespective of whether they are accessed through downloading or streaming, from a tangible medium or through any other means.”100 Digital content supplied on a tangible medium is qualified as a good, while the CRD classifies contracts for digital content distributed on intangible supports as a tertium genus, that is, “neither as sales contracts nor as service contracts.” Against this fragmented background, the use by Recital 29 InfoSoc of the goodservice dichotomy to draw the borders of exhaustion has inevitably caused interpretative problems. AG Bot well emphasized them in UsedSoft, underlining the absurd results triggered by Recital 38 E-Commerce, which would exclude exhaustion in the case of an online sale of software delivered on CD-ROM, despite the fact that “the distinction as to whether the sale takes place remotely or otherwise is irrelevant for the purposes of applying that rule.”101 To tackle the short circuit, some commentators have proposed the introduction of judicial “meta-criteria” to decide whether

93 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, [2000] OJ L178/1. 94 Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax [2006] OJ L347/1, Article 14(1). 95 Case C-479/13 Commission v France [2015] EU:C:2015:141 and Case C-502/13 Commission v Luxembourg [2015] EU:C:2015:143. 96 See especially Gaubiac (2002), pp. 11–13. 97 See, e.g., the Opinion of AG Szpunar in Case C-174/15 Vereniging Openbare Bibliotheken v Stichting Leenrecht (VOB) [2016] EU:C:2016:856, para 61. 98 Directive (EU) 2018/1713 amending Directive 2006/112/EC as regards rates of value added tax applied to books, newspapers and periodicals, OJ L-286/20, Article 1. 99 Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, OJ L304/64 (Consumer Rights Directive). 100 Ibid Recital 19: “If digital content is supplied on a tangible medium, such as a CD or a DVD, it should be considered as goods within the meaning of this Directive. Similarly to contracts for the supply of water, gas or electricity, where they are not put up for sale in a limited volume or set quantity, or of district heating, contracts for digital content which is not supplied on a tangible medium should be classified, for the purpose of this Directive, neither as sales contracts nor as service contracts.” 101 Opinion of AG Bot in UsedSoft, para 76.

158

C. Sganga

works offered online should be qualified as goods or services102 or advocated for the legislative amendment of Recital 29 InfoSoc.103 In fact, while the rigidity of the legislative text would require an intervention of the EU legislator, an interim solution to the standstill could have still derived from a new systematic and teleological interpretation of existing sources. From a systematic perspective, a revised interpretation of the boundaries between Articles 3 and 4 InfoSoc as the one suggested above would have also required, for internal consistency, to qualify as goods the object of Article 4 InfoSoc and as services the object of Article 3 InfoSoc. From a teleological perspective, the abandonment of a good-service distinction based on tangibility should have derived from the simple consideration that, in light of the current dominance of online forms of commercialization, its adoption results in the expunction of exhaustion from the system, to the detriment of the copyright balance.104 To avoid the distortive results that could descend from treating similar transactions differently on the basis of the nature of the support and the delivery method, the Court should have offered an interpretation of the good-service dichotomy untangled from tangibility and adopted classificatory criteria that are more consistent with the internal goals of the copyright system, in line with what the CRD did in the field of consumer law. Tom Kabinet could have represented the opportunity for the CJEU to revise its reading of Article 4 (2) InfoSoc and intervene in the goods-services dichotomy by taking into full account the fact that the markets for tangible and intangible copies present similar shortcomings and thus a similar need for exhaustion, which has the goal to strike a balance between safeguarding the specific subject matter of copyright and avoiding an excessive partitioning and control of markets.105 Again, the Court omitted reflecting on the issue, leaving untied yet another interpretative knot.

3.3

Standardizing the Autonomous Concept of Sale Throughout EU Copyright Law and Streamlining the Functional Interpretation of the Sale-License Dichotomy

The autonomous EU notion of “sale” introduced by UsedSoft—an onerous transfer of ownership of a tangible or intangible object106—is consistent with the common core of Member States’ laws and doctrinal restatements such as the Draft Common 102

Dreier (2013), p. 138. Mezei (2015) para 195. 104 See Dreier (2013), p. 139, who defines the distinction between goods and services as no longer technology-neutral. 105 UsedSoft, para 62, referring to Case C-200/96 Metronome Musik GmbH v. Music Point Hokamp GmbH [1998] ECR I-01978, Case C-61/97 FDV [1998] ECR I-5171, para 13 and FAPL, para 106. 106 UsedSoft, para 42. 103

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

159

Frame of Reference (DCFR)107 but conflicts with the limitation to tangible objects imposed by Recital 29 InfoSoc. Similarly, Recitals 28 and 29 InfoSoc clash with UsedSoft’s functional requalification of licenses as sales in the presence of specific features. It could be argued that such divergences are justified by the fact that Article 4 Software II opens the right of distribution to any channel of commercialization, while the InfoSoc Directive grounds its structure on a bipolar system where tangible distribution via sale characterized the material world, while the online environment features intangible communication to the public/making available via license. This conclusion, however, fails to consider that while in 1991—the year of the first Software Directive—it was common knowledge that it was functionally and economically equivalent if a computer program was distributed on a tangible or intangible support, the same cannot be said for all protected works in 1996 (WCT) and 2001 (InfoSoc).108 In fact, the different structure of the InfoSoc Directive compared to the Software Directive is a product of the times of their enactment and not the consequence of a substantial difference in technological settings, business practices, and market structure between software programs and other categories of protected works. Also in digital markets, making a copy fully and permanently available to a customer in exchange “of a fee designed to enable the copyright holder to obtain a remuneration corresponding to the economic value of the copy of the work”109 is legally, functionally, and economically equivalent to transferring the ownership of the copy itself, id est to a sale, regardless of the medium of support and delivery.110 In this sense, also under the InfoSoc Directive, a narrow interpretation of the principle of exhaustion, not including “all forms of product marketing” having sale-like features, may severely undermine the effectiveness of the principle and its rebalancing role between copyright, fundamental freedoms, competition, and consumer welfare.111 The text of the InfoSoc Directive does not prevent the application of the same reasoning used in UsedSoft to interpret the notion of sale under Article 4(2) InfoSoc. Exactly as in the Software Directive II, in fact, the provision mentions the notion without referring to national laws, while the Preamble refers to the removal of obstacles to the correct functioning of the internal market as one of the goals of

See Von Bar et al. (2009), p. 278, IV. A. – 1:202: Contract for sale. Similarly, Mezei (2015) paras 142 ff. 109 Ibid para 45. 110 Ibid paras 45–47. 111 Ibid para 49. This was the opinion of AG Bot in UsedSoft, para 63, with reference to FAPL, paras 105–106. Mezei (2015) para 98. On the contractual circumvention of exhaustion by EULAs see Liu (2001), pp. 1339–1340; Reese (2002–2003), p. 581, 614; Perzanowski and Schultz (2011), pp. 901–907; Carver (2010), p. 1888 et seq. See also US Department of Commerce, Report to Congress: Study Examining 17 U.S.C. Sections 109 and 117 Pursuant to Section 104 of the Digital Millennium Copyright Act, March 21, 2001, http://www.copyright.gov/reports/studies/dmca/ dmca_study.html. Accessed 13 June 2020. 107 108

160

C. Sganga

harmonization112 and points to the need to strike a (fair) balance between copyright and conflicting rights and freedoms.113 These elements of similarity would have allowed excluding the applicability of the lex specialis argument114 and suggested instead an opportunity to provide under Article 4(2) InfoSoc the same functional classification proposed in UsedSoft, both to guarantee uniformity in the interpretation of sale as an autonomous concept of EU law and to avoid frustrating the balancing aims enshrined in the principle. Tom Kabinet, instead, skipped over this point, leaving now in EU copyright law two different notions of sale and two different approaches to the sale-license dichotomy.

3.4

Streamlining the Methods of Interpretation of Article 4(1) and (2) InfoSoc

An opening toward digital exhaustion would have also allowed streamlining the methods of interpretation used by the CJEU for the two paragraphs of Article 4 InfoSoc. Called to define the boundaries of the right of distribution, the Court has always proposed a flexible, teleological reading of the conducts covered by Article 4(1) InfoSoc, justifying the inclusion of preparatory acts such as offers to sell and advertisement, even if not materializing in actual sales, with the need to achieve a high level of protection of rightholders.115 On the contrary, Article 4(2) InfoSoc has been consistently subject to a strict literal interpretation that, by excluding intangible objects, has frustrated the pursuance of the goals of the provision. Adopting a similar teleological interpretation of the two paragraphs would have harmonized the approach to the provision and its axiological architecture, allowing the fulfillment of all and not only part of its objectives. This was, once again, not the route followed by the Grand Chamber in Tom Kabinet.

3.5

Tackling the Fragmenting Effects of the Lex Specialis Argument

To circumvent the obstacles created by the tangible-only literal reading of Article 4 InfoSoc and limit their side effects on other areas of EU copyright law, the CJEU

112

Recitals 1 and 3 InfoSoc Directive. Recital 17 Software Directive II; Recital 31 InfoSoc Directive. 114 This argument was used by national courts to rule out such conclusion and state, again, the non-applicability of Article 4(2) InfoSoc on licenses similar to those used by Oracle. See, e.g., the overview provided by Galič (Savič) (2015), p. 415 et seq. 115 E.g. Case C-516/13 Dimensione Direct Sales Srl, Michele Labianca v Knoll International SpA [2015] EU:C:2015:315, paras 33–34. 113

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

161

has made wide recourse to the lex specialis argument. The use of the theory in UsedSoft in order to exclude the application of Article 3 InfoSoc to the download of a software copy has been broadly criticized.116 Scholars have correctly noted that the WCT does not distinguish between categories of protected works but only requires an extension of copyright protection to software and databases.117 It could be argued that the EU legislator took into account the different features of software programs and their market and wanted to regulate the sector differently on this basis. Yet there are no textual and contextual elements that would back this assumption with certainty. The text of the 2009 Software Directive II, in fact, introduced only few amendments to the 1991 Software Directive I, and none of them in response to the enactment of the WCT in 1996, and its Preamble never mentions the intention to depart from the InfoSoc Directive. The lex specialis argument is based on Article 1 InfoSoc (“this Directive shall leave intact and shall in no way affect existing Community provisions relating to (. . .)”) and Recital 20 InfoSoc, which states that the Directive should not prejudice the application of previous copyright-related directives. However, Recital 20 also underlines that the InfoSoc Directive builds on existing principles and rules and develops them in the context of the information society, suggesting that it should be conceptualized as an updated lex generalis and general framework for other copyright-related acts, if not otherwise specified. This reading would explain why Software Directive II does not feature the communication to the public/making available right—a choice that would violate the WCT unless transmissions, retransmissions, and on-demand access to software programs were meant to be covered under the right of distribution.118 UsedSoft did not clarify the relationship between lex generalis and leges speciales, and subsequent cases have either tried to limit the scope of the decision (Nintendo,119 Ranks) or contributed to the fragmentation of the system by using the lex specialis argument also in other areas (VOB). If Tom Kabinet had opened the path toward digital exhaustion under Article 4(2) InfoSoc on the basis of the policy arguments advanced in UsedSoft, the Court could have renounced the lex generalis-lex specialis alibi and clarified the relationship between the InfoSoc Directive and all the numerous copyright-related directives, operating a thorough reordering of the CJEU case law. Digital exhaustion, however, was not only backed by numerous legal arguments. Strong economic considerations also advocated for its introduction, as much as— and in some instances more than—in the field of “material” copyright.

116

As in UsedSoft, para 51. See, e.g., Spedicato (2015), pp. 49–50, and Mezei (2015) para 179. 118 But contra Linklater (2014) para 27. 119 Case C-355/12 Nintendo Co. Ltd, Nintendo of America Inc., Nintendo of Europe GmbH v PC Box Srl and 9Net Srl [2014] EU:C:2014:25. 117

162

C. Sganga

4 The Economic Rationale of Digital Exhaustion In response to the steady shift toward new online digital business models, which have largely outgrown material forms of commercialization,120 exclusive rights have been adjusted to meet the needs of the new environment, while limitations have remained largely unharmonized and constrained in their application.121 Exhaustion followed this trend, despite economic evidence highlighting the positive impact the principle would have had by fostering opportunities and tackling distortions that are characteristic of the digital environment122 and the positive results it would have in fostering greater access and preservation of works, protecting privacy, and decreasing transaction costs.123 One of the main economic effects of exhaustion is the reduction of the social cost of copyright monopoly. When applied, the principle allows the creation of secondary markets, which helps consumers to recoup by resale the cost of acquisition of protected works, stimulates competition and the development of effective distribution models, and increases, as a result, the availability and affordability of copies.124 The increased competition incentivizes rightholders to decrease prices, cover more geographical markets, and engage in positive price discrimination to attract low-income consumers back from second-hand markets.125 The same happens in the digital environment, where copyright owners can exercise a much more pervasive control and discrimination over access and use of protected works. Rightholders have strongly opposed digital exhaustion, flaunting an increased risk of piracy and cannibalization of the original market of their works, which would ultimately make it impossible for them to price discriminate, thus decreasing affordability and accessibility of works and hitting consumer welfare.126 Yet none of these arguments have been supported by strong empirical evidence, while several economic studies have confuted them and identified technological measures capable of tackling these risks

See, e.g., Tweney (2010) ‘Amazon Sells More E-Books Than Hardcovers’, WIRED (July 19, 2010), . Cheng (2010) Forget the Box: Downloads Dominate Online Software Purchases, Ars Technica (May 28, 2010), . Accessed 13 June 2020. 121 See, among the earliest studies, Litman (2006), p. 46 et seq.; Mazziotti (2008), pp. 15–39, 77–109; Netanel (2008), pp. 54–80; Pistorius (2006), p. 47 et seq; Rimmer (2007); Lessig (2004), Boyle (2003), pp.33 e seq. 122 The most comprehensive being Perzanowski and Schultz (2011). 123 See Liu (2001), Reese (2002–2003), Shaffer Van Houweling (2008), p. 885 et seq. 124 As in Reese (2002–2003), p. 587. 125 See Douglas Lichtman, First Sale, First Principles, Media Institute (April 26, 2010) . Accessed 13 June 2020. 126 Perzanowski and Schultz (2011), p. 895; Davis (2009), pp. 370–371, but contra Tjong Tjin Tai (2003), p. 210; Ruffler (2011), p. 378; Kawabata (2014), p. 76. 120

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

163

and avoiding unfair competition.127 Hints of this reasoning emerge in UsedSoft, which points at the increased need for exhaustion in the digital environment and underlines the existence of technical solutions that can ensure the functional equivalence of tangible and digital copies. The rise of secondary market would also help in increasing access to out-ofcommerce and orphan works, with positive effects for the preservation of cultural heritage.128 This is particularly important in light of the pervasive control exercised by rightholders in the online environment, which may allow them to withdraw their works from the market very quickly.129 Also, privacy, secrecy, and competition would be protected and fostered by digital exhaustion. Severing rightholders’ control over subsequent transfers of the work, the principle makes it impossible to track and identify subsequent buyers.130 This prevents consumers’ profiling,131 reduces the impact that rightholders may have on competitive reverse engineering and product review,132 and avoids chilling effects on access that may rise if and when consumers are afraid of being tracked when “consuming” sensitive and/or controversial content. Such effects are particularly important in the digital environment, where the possibility of tracking, profiling, and controlling users’ and competitors’ behaviors are exponentially increased. Exhaustion may also reduce transaction costs. By severing rightholders’ control over the use of the work after the first sale, the principle makes any contrary contractual agreement unenforceable, thus standardizing by law the terms of use of protected works. In this sense, exhaustion would be ever more necessary in the digital environment, which features a great variety of complex end-user license agreements (EULAs)133 that dictate different rules depending on the types of work, prices, and business models involved. This increases information and transaction costs, generates greater market inefficiencies, and reduces consumer welfare by driving consumers’ behaviors toward nonrational or scarcely informed decisions.134 A partial standardization of EULAs’ terms would help in tackling this typical digital market failure, with undoubtedly positive results.

127 E.g. Gordon (1998), p. 1367 et seq., who demonstrates that secondary markets price-discriminate better than monopolistic markets M Ghose et al. (2006), p. 3, report data proving that 84 percent of used books sold on Amazon are purchased by buyers who would have not been able or willing to pay the price set for the original copy; see also Hess (2013), p. 1968. 128 Reese (2002–2003), pp. 594–595, 599. 129 Mulligan and Schultz (2002), p. 451 et seq., and the empirical evidence reported in Anna Vuopala, Assessment of the Orphan Works Issue and Costs for Rights Clearance (May 2010), . Accessed 13 June 2020. 130 See Cohen (1996), p. 993. 131 Ibid. 132 Perzanowski and Schultz (2011), p. 896. 133 As in Shaffer Van Houweling (2008), pp. 897–898. 134 Ibid, pp. 932–933, reporting empirical studies that evidence that consumers tend to ignore contractual terms unless they are essential to the purchase.

164

C. Sganga

Exhaustion may also carry further benefits by triggering innovation and platform competition.135 Copyright owners are incentivized to invest in the development of new versions, additional features, and premium content to remain attractive against secondary markets136 and to devise new business models to remain competitive toward the same audience.137 The severance of rightholders’ control over subsequent conveyances of the copy may help decrease consumer lock-in, which arises when the cost of switching from the current product to a new, more competitive one is too high, and creates high barriers to entry for newcomers and their innovation. By authorizing a resale in secondary markets, in fact, exhaustion allows consumers to recoup part of the sums spent in buying the copy, thus decreasing switch costs.138 At the same time, the availability of low-cost copies that are not under the control of copyright owners makes it possible for newcomers to innovate without risking being hindered by rightholders, who would use their exclusive rights to block new products competing with their works or forms of exploitation.139 The clear economic advantages that digital exhaustion could bring, together with the limited risks for the original market of the work and the possibility to control them through technological measures of protection, makes the Grand Chamber’s “nay” in Tom Kabinet ever harder to be explained.

5 The Last Act of the Digital Exhaustion Saga? The Grand Chamber Ruling in Tom Kabinet (C-263/18) Despite the plethora of legal and economic arguments that would have supported the admissibility of digital exhaustion under Article 4(2) InfoSoc, in Nederlands Uitgeversverbond and Groep Algemene Uitgevers v Tom Kabinet Internet BV and Others, the CJEU decided to opt for a traditional literal interpretation of existing sources and denied the extension of the principle to digital copies.

135

Broadly Perzanowski and Schultz (2011), p. 897 et seq. Ibid, p. 898. 137 The same effect of creating incentives to innovation is attributed to fair use. See von Lohmann (2008), p. 829 et seq. 138 Perzanowski and Schultz (2011), p. 990. 139 As Netflix, which used the first sale doctrine to commercialize titles which rightholders kept out from online distribution deals. See Transcript of Netflix, Inc. Q3 2009 Earnings Call (Oct. 22, 2009) (statement of Netflix CEO Reed Hastings), . Accessed 13 June 2020. 136

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

5.1

165

The Facts

The historical referral stemmed from a Dutch proceeding in front of the Rechtbank Den Haag (The Hague District Court) between the Dutch Publishers Association (Nederlands Uitgeversverbond (NUV)) and the General Publishers Group (Groep Algemene Uitgevers (GAU)), and Tom Kabinet, which operated from June 2014 a virtual market for second-hand e-books. This was only the last act of a much longer judicial saga, which started in July 2014, when NUV and GAV requested an injunction to stop Tom Kabinet’s activities on the ground of copyright infringement before the Rechtbank Amsterdam (Amsterdam District Court). The district court rejected their claims, arguing that closing the website would have been disproportionate compared to the uncertainty surrounding the applicability of the UsedSoft doctrine to e-books.140 Upon appeal, the Gerechtshof te Amsterdam (Amsterdam Court of Appeal) confirmed the first instance decision but enjoined Tom Kabinet not to allow the sale of unlawfully downloaded e-books.141 To comply with the judgment, from June 2015, the platform changed its business model and became a direct trader through the “Tom Leesclub” (Tom’s Reading Club), based on a closed membership structure. The club offered second-hand e-books for a fixed price (€1.75) to members, who paid a monthly subscription of €3.99. E-books were either bought by Tom Kabinet or donated by its members, who received in exchange a discount of €0.99 on the next monthly fee. In the latter case, members provided a link to download the copy, declaring that they did not keep a copy for themselves. Tom Kabinet uploaded on its platform the copy from the retailer’s website and watermarked it to certify its lawful origin. From November 2015, the monthly subscription was terminated, the e-book price was set to €2, and members were required to acquire credits in order to purchase an e-book, either by donating a copy or by buying one. NUV and GAV filed a request for injunction before the Rechtbank Den Haag to stop Tom Kabinet from communicating to the public their affiliates’ protected works. The court excluded the reasoning that the platform operated a communication to the public since its members were not an indefinite and large number of individuals,142 while it left open the question of whether or not the reproduction necessary to transfer the file between buyer and seller was legitimate.143 Only Tom Kabinet’s retention of the copy on its catalogue after its sale was judged in violation of the 140

Rechtbank Amsterdam, Nederlands Uitgeversverbond and Groep Algemene Uitgevers v Tom Kabinet Internet BV et al, C/13/567567/KG ZA 14-795 SP/MV (1 July 2014), NL: RBAMS:2014:4360. 141 Gerechtshof Amsterdam, Nederlands Uitgeversverbond and Groep Algemene Uitgevers v Tom Kabinet, Case 200.154.572/01 SKG (20 January 2015), NL:GHAMS:2015:66. The Court proposed a broader reading of Article 4(2) InfoSoc under §62 of the UsedSoft judgment, which suggests that the principle of exhaustion should be limited only if necessary, to protect the essential function and specific subject matter of copyright (Ibid para 3.5.3–4). 142 Ibid paras 5.11–5.17. 143 Ibid paras 5.20–5.21.

166

C. Sganga

reproduction right.144 The Court believed that the UsedSoft doctrine could be applied by analogy to Article 4(2) InfoSoc, but admitted the uncertainty surrounding the matter in the CJEU case law,145 and argued that the case could not be solved without the help of the highest EU court. On this basis, it referred the case to the CJEU, asking—in line with UsedSoft—(i) whether the right of distribution and its exhaustion under Article 4 InfoSoc covers also the making available of the file via download for an unlimited period and for a price that corresponds to the economic value of a copy of the work, (ii) whether and under which conditions the transfer of a legally obtained copy implies also consenting to reproductions necessary for the lawful use of the copy (Article 2 InfoSoc), and (iii) whether Article 5 InfoSoc would in any case authorize acts of reproduction of a lawfully obtained copy on which the right of distribution has been exhausted.

5.2

AG Szpunar’s Opinion

To address the questions, AG Szpunar followed three lines of reasoning—legislative, case-law based and teleological.146 The core legislative argument centered on the qualification of the download of digital copies as an act of communication to the public (Article 3 InfoSoc) or distribution (Article 4 InfoSoc). The Opinion pointed to the fact that the drafters of the WCT purposefully offered an “umbrella solution” to classify downloading, in light of its mixed nature, favoring the right of communication to the public but offering to contracting parties the possibility to opt for the distribution right.147 Since, however, the WCT provides only a minimum level of protection, the AG maintained that legislators choosing distribution would need to cross out exhaustion in order to offer the same degree of protection granted under the right of communication to the public, which does not contemplate the principle.148 The Opinion mentioned only briefly the Agreed Statement on Articles 6–7 WCT and its limitation of the notions of “original” and “copy” to tangible objects, qualifying it as a text of weak cogency.149 It focused, instead, on Recitals 24, 25, 28, and 29 InfoSoc, which the AG identified as illustrative of the position adopted by the EU legislator when implementing the WCT.150 While admitting the ambiguity and inappropriateness of Recital 29’s qualification of online sales as services, the AG

144

Ibid para 5.22. Ibid paras 5.26–5.27. 146 Opinion of AG Szpunar in Nederlands Uitgeversverbond and Groep Algemene Uitgevers v Tom Kabinet Internet BV et al [2019] EU:C:2019:697. 147 Ibid para 33. 148 Ibid para 34. 149 Ibid para 35. 150 Ibid para 37. 145

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

167

had no doubt that the InfoSoc preamble places “all forms of online exploitation of the works” under Article 3 InfoSoc.151 He also noted that Article 4 InfoSoc, which connects distribution to the sale or other transfer of ownership, backs this interpretation since (a) digital files are intangible, thus not subject to the right of property, (b) parties’ rights and obligations with regard to the making available of works online are regulated by conventions, and (c) parties’ freedom of contract cannot be limited by exhaustion.152 In any event—he added—digital exhaustion could not be admitted since the reproduction needed to transfer the “used” file would run counter to Article 2 InfoSoc and would not be authorized by any exception under Article 5 InfoSoc.153 The Opinion also discarded the objection that Article 3 InfoSoc would cover only transmissions directed to more individuals and would thus not apply to Tom Kabinet’s business model. Consolidating the CJEU’s precedents on the notion of public, the AG noted that “[w]hat matters is not the number of persons to whom the communication is made but the fact that the person at the origin of that communication addresses his offer to persons not belonging to his private circle. In that case, a single acquirer may therefore constitute a public.”154 The Opinion felt also the need to distinguish Tom Kabinet from UsedSoft. The AG underlined how software programs need to be run on a computer to be used, and this makes the nature of the medium of distribution irrelevant.155 At the same time, he noted that the fact that they are always commercialized via license since they need maintenance and updates justifies the functional equivalence that UsedSoft drew between sale and license.156 The Opinion also highlighted that downloads could be qualified as distribution since Software Directive II does not regulate the right of communication to the public and referring to Article 3 InfoSoc would have undermined the lex specialis nature of Directive 2009/24.157 Furthermore, the Software Directive does not exclude exhaustion in case of intangible copies and provides for an exception (Article 5(1)) that allows all reproductions necessary for the use of the program by the lawful acquirer. The AG deemed the distinction between software and other works also justified by the reduced impact that exhaustion has on the original market of software programs since software is used longer than traditional works and is subject to a quicker obsolescence and loss of value.158 To clarify the doubts triggered by VOB, the Opinion limited its reach by referring to the lex specialis nature of Directive 2006/115, the public policy objective of the exception, and the fact that the WCT does not mention lending.159 The AG admitted

151

Ibid para 38. Ibid paras 43–44. 153 Ibid para 49. 154 Ibid para 42. 155 Ibid paras 57–58. 156 Ibid para 59. 157 Ibid para 63. 158 Ibid para 62. 159 Ibid paras 68–70. 152

168

C. Sganga

that by stating that Member States can subordinate the exception to the lawful first sale of the digital copy, the CJEU has implicitly accepted digital exhaustion but minimized the obiter as irrelevant for the Tom Kabinet case. The Opinion also showed full awareness of the heated debate on the teleological arguments favoring digital exhaustion.160 Yet, it underlined that they could not justify a disregard toward the letter of the law, both because they are counterbalanced by similarly strong economic arguments and because they would request a general policy reform, which remains within the competence of the legislator.161 In any event—the AG stated—permanent downloads are forms of exploitation destined to be “relegated to the past”; thus, any decision admitting digital exhaustion would only “resolve a problem that does not really need to be resolved” anymore.162

5.3

The Grand Chamber Decision

The Grand Chamber, from the pen of Rapporteur Ilešič, followed to a large extent the arguments of AG Szpunar, albeit with a much more concise reasoning and several omissions. The CJEU believed that a mere literal interpretation of the InfoSoc Directive could not be sufficient to address the questions raised by the referral and proceeded instead with a contextual and teleological reading of the provisions, supporting them with scant economic considerations. Inspired by Recital 15 InfoSoc, which explains that Directive 2001/29/EC is (also) a tool to implement the WCT, the Court designed the boundaries between Articles 3 and 4 InfoSoc in line with Articles 8 and 6(1) WTC and the related Agreed Statement, which, read together, limit the scope of the distribution right to tangible objects.163 To support the argument, the CJEU referred (a) to the explanatory memorandum to the InfoSoc Directive, which includes under Article 3 InfoSoc on-demand transmissions and any communication “other than the distribution of physical copies,”164 and (b) to a number of InfoSoc Recitals (4, 9, 10, 23, 28, 29), which require a broad interpretation of the right of communication to the public, exclude exhaustion in case of online services, and limit distribution to tangible copies.165 In the opinion of the Court, UsedSoft would not run counter to this reading for it concerns the application of a lex specialis, where, differently than in the

The AG devotes all his final remarks to “balancing the interests involved”, summarizing the main arguments raised in the literature in support of digital exhaustion (ibid paras 78–87) and against it (paras 88–97). 161 Ibid para 98. 162 Ibid para 95. 163 Tom Kabinet, para 39. 164 Ibid para 44. 165 Ibid paras 49–51. 160

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

169

InfoSoc Directive, the EU legislator wanted to explicitly assimilate tangible and intangible copies of computer programs.166 The CJEU used a similar distinguishing argument when comparing the economic justifications supporting the UsedSoft decision with the features of traditional works and their markets. Sharing the AG Opinion, the Court noted that differently than software, the sale of a printed book is not functionally equivalent to the transfer of an e-book since digital files are not subject to deterioration by use and the exchange of used copies does not entail additional effort or cost.167 These characteristics cause the second-hand market of digital copies to have a greater impact on the original market of the work and thus on rightholders’ ability to obtain an appropriate reward.168 Implicitly, the CJEU seemed to assume that digital exhaustion would hamper the fulfillment of the essential function of copyright, as defined by its early case law,169 that is granting to rightholders an appropriate remuneration from the exploitation of their works. Once it ruled out the applicability of Article 4 InfoSoc, the Court had to verify whether Tom Kabinet’s transfer of digital copies could amount to an act covered by Article 3 InfoSoc, that is whether the conduct (a) represented an act of communication and (b) was directed to a public. The CJEU considered both requirements met. As to the first requirement, Tom Kabinet’s conduct was qualified as a communication since the platform made works available for on-demand transmission, and according to the Explanatory Memorandum to the InfoSoc Directive, “it is not relevant whether any person actually has retrieved [the work] or not.”170 As to the second requirement, the Court considered both its precedents and the Explanatory Memorandum, which clarify that a “public” is present also when “several unrelated persons (. . .) may have individual access (. . .) to a work” and when their number is not too small, considering not only “the number of persons able to access the work at the same time, but also how many of them may access it in succession.”171 On this basis, it ruled that Tom Kabinet directed its offer to a “public” since any interested person could enroll in the reading club, while no technical measure ensured that e-books were downloaded only by one user at a time and that users lost access to copies once they sold them back to the platform.172 The fact that EULAs often excluded the possibility of resale was also considered enough to qualify Tom Kabinet’s members as a new public not envisioned by rightholders when they first commercialized their works.173

166

Ibid para 55. Ibid para 57. 168 Ibid para 58. 169 As seen supra, n. 170 Ibid paras 63–64. 171 Ibid paras 67–68. 172 Ibid para 69. 173 Ibid para 71. 167

170

C. Sganga

6 Neglected Inconsistencies and a New Question Mark By reducing the questions posed by the referring court to the mere alternative between Articles 3 and 4 InfoSoc to classify Tom Kabinet’s conduct, the CJEU could avoid facing the most pressing interpretative problems triggered by the digital exhaustion debate. In this way, the Grand Chamber left us with a number of neglected inconsistencies and new question marks on the extent to which Article 3 InfoSoc may really cover all forms of digital distribution of protected works. By asking the same questions raised in UsedSoft, the Rechtbank Den Haag wanted to push the Court to clarify also under the InfoSoc Directive the conceptual distinction between sale and licenses and goods and services when applied to new formats and channels of exploitation. The reasoning in Tom Kabinet completely skipped over this point, regardless of its key systematic importance to define the conceptual structure of Directive 2001/29/EC. In fact, the ambiguities triggered by Recital 29’s reference to “services” to draw the borders of exhaustion, together with the limitation of distribution to “sale and other transfers of ownership,” would have required the CJEU to clarify whether digital copies offered online and transferred permanently for a price corresponding to their full value should be qualified as goods subject to a sale or services subject to a license. Instead, the Court opted for a blind reference to the WCT, reducing the distinction between distribution and communication to a mere separation between material and online forms of exploitation and, thus, completely disregarding as irrelevant the link that the InfoSoc Directive traces between distribution-sale-good and communication-license-services. Similarly, it did not verify whether its interpretation was still in line with systematic changes in EU law, such as the CRD qualification of digital content as tertium genus between goods and services or the treatment of e-books as equal to books for VAT purposes. More generally, by not giving enough weight to the link between its early case law and the “sale-like vs service-like rights” dichotomy used by Recital 29 InfoSoc, the CJEU missed the opportunity to link the teleological interpretation of Article 4 (2) InfoSoc to the essential function doctrine, on which the Court built its doctrine of Community exhaustion. This would have made the application of the principle dependent on the characteristics of the work, excluding it every time control over subsequent exploitations was needed to ensure that rightholders obtained an adequate remuneration, thus helping in the achievement of more teleological consistency, systematic coherence, and legal certainty in EU copyright law. The Grand Chamber has also introduced additional inconsistencies within the tangles of CJEU’s copyright doctrines. Just to mention a few, the limitation of the functional reading of the sale-license dichotomy to software produces a de facto fragmentation of the notion of sale in different copyright areas. It also remains a systematic mystery how Tom Kabinet can coexist with VOB, where the Court stated that Member States may introduce digital exhaustion as a precondition for the lawful enjoyment of the public lending exception on e-books. Should this not be enough, the decision instills yet another question mark in the CJEU case law.

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

171

When explaining why the platform’s conduct should be understood as a communication to the public under Article 3 InfoSoc, the Court hinted at the fact that there might be cases where the online distribution of protected works could fall outside the scope of the provision, as if a grey zone might exist between Articles 3 and 4 InfoSoc. Paragraph 69 of the judgment, if read a contrario, seems to suggest that in case of a communication protected by technological measures which ensure that (a) only one copy of the work could be downloaded at a time and that (b) a user could not access the copy once she has alienated it, the number of persons who have access to the same work would not be substantial enough to meet the requirements set by the CJEU’s case law to amount to a “public”. Said otherwise, the presence of technological measures having specific characteristics may exclude the application of Article 3 InfoSoc to conducts such as the one performed by Tom Kabinet. In such cases, the nonapplicability of Article 4 InfoSoc would leave these forms of online distribution of digital works unclassified. In the future, this may require the Court either to broaden the notion of public beyond its current borders or to change its interpretation of the notion of distribution in order to make sure that no conducts remain outside the scope of InfoSoc’s exclusive rights.

7 Conclusions: The Road Ahead After years of heated scholarly exchanges, the Grand Chamber’s ruling in Tom Kabinet seems to have put an end to the digital exhaustion debate, ruling out its admissibility under Article 4(2) InfoSoc. The decision did not come unexpected for it was in line with the literal interpretation of the InfoSoc Directive, the WCT, and its Agreed Statement, which the Court had already favored in a number of decisions that indirectly touched upon the matter. Yet Tom Kabinet left unanswered most of the challenges and shortcomings triggered by the digital revolution and by the massive changes in the forms of commercialization of protected works, now heavily tilted toward online distribution and consumption. While the construction of WCT and InfoSoc Directive could still work in 2001, new types of exploitation of protected works have soon challenged its functioning. When digital copies are fully and permanently transferred online, the transfer is functionally closer to a sale/distribution than to a communication to the public, and the copy is enjoyed as a product and not as a service. This triggers the same protection and balancing needs that a material distribution would engender. Yet a tangible-only reading of Article 4 InfoSoc forces the classification of such acts under Article 3 InfoSoc. The digital environment is thus deprived of exhaustion; its positive effects in terms of access, availability, and affordability of works; and its balancing role vis-à-vis competition, innovation, and a set of conflicting rights and freedoms—chiefly property, privacy, and the freedom of movement of goods. The CJEU has tried to minimize the short circuits created by the tangibleintangible dichotomy in other areas of copyright law with an ample recourse to

172

C. Sganga

teleological and systematic arguments to carve out exceptions to the InfoSoc and WCT, as in UsedSoft and VOB. This has created a fragmented system where the InfoSoc Directive remains a weak lex generalis against a plethora of leges speciales, featuring different boundaries between exclusive rights and different definitions of key concepts. Tom Kabinet constituted the opportunity to set things right and provide a systematic reordering that could clarify the degree of standardization introduced by the WCT, the role of the InfoSoc as lex generalis, the borders between Articles 3 and 4 InfoSoc, the good-service dichotomy, and the requirements to assess the functional equivalence of sale and license and of tangible and intangible supports. Instead, with its simplistic answer, the CJEU has neglected to tackle the contextual, conceptual, and teleological inconsistencies created by its case law and by EU directives and introduced additional question marks as to the grey zone between Articles 3 and 4 InfoSoc. The most appropriate solution to the stalemate would still be a legislative intervention on the InfoSoc Directive, which, however, does not feature among the priorities of the EU legislator. Absent a move from the EU legislator, a judicial solution to temporarily bridge the regulatory gap could come from two different paths. The first path may be pursued in the context of a new referral to the CJEU on Article 4(2) InfoSoc. In fact, while Tom Kabinet promised to close the debate on digital exhaustion, its omissions and pitfalls may well justify the opening of a new chapter in the judicial saga on the principle. This solution would aim at stepping over the rigidity of Article 4(2) InfoSoc through its contextual and teleological interpretation, guided by the horizontal application of treaty provisions. This latter move would be justified by the fact that, in its current form, Article 4(2) InfoSoc leaves digital markets short of measures balancing copyright with competition, freedom of movement of goods, cultural policy objectives, and fundamental rights such as property and privacy. Along with the implementation of UsedSoft teleological arguments to state the functional equivalence of tangible and intangible copies and of sale and license in the presence of specific requirements, two arguments would support overcoming the tangibility requirement of Recital 28 InfoSoc when drawing the borders of exhaustions and the boundaries between Articles 3 and 4 InfoSoc. The first is that all conducts that cannot be put under Article 3 InfoSoc need to be “hosted” under another right in order to ensure that rightholders are offered effective protection. This would justify the extension of the distribution right to cover digital works if, for instance, (i) the license commercializing the work is judged functionally equivalent to a sale/other transfer of ownership or (ii) technological measures are put in place in a manner that the work itself is not communicated to a number of people that is substantial enough to constitute a public under Article 3 InfoSoc. The second argument is grounded on the observation that a literal interpretation of Article 4 (2) InfoSoc hinders the realization in the digital environment of those treaty provisions that have underlined the principle of exhaustion since its CJEU origins in the 1970s (freedom of circulation of goods and protection of competition in the internal market) and other treaty objectives, such as those related to cultural policies and to

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

173

the protection of fundamental rights. This circumstance justifies the horizontal application of the treaty provisions to interpret EU law in a manner that leads to the realization of treaty goals, which in the case of Article 4(2) InfoSoc would entail the introduction of digital exhaustion, provided that the first sale of the work ensures an appropriate remuneration for the rightholder. The reproduction necessary to finalize the transfer of the work could be covered by either Article 5(1)(b) InfoSoc or the FAPL and Ulmer doctrine, which allows extending the scope of an exception or limitation when needed to ensure that they can still perform their functions. Should this path prove unsuccessful, the second interpretative option would be for a national court to revert to a claim of invalidity of Article 4(2) InfoSoc under Article 51(2) CFREU for disproportionate restriction of the right to property (Article 17 CFREU), the right to respect one’s private life (Article 7 CFREU), and, in specific cases, the freedom to conduct a business (Article 16 CFREU) of the buyers of digital works, caused by the restriction of the scope of Article 4(2) InfoSoc to tangible copies only. The proportionality assessment, focused on the appropriateness and necessity of the limitation of exhaustion to tangible copies in order to effectively protect copyright, would be based on the model drawn by precedents such as Digital Rights Ireland174 and would test the appropriateness of the measure on the basis of the principle of equal treatment of comparable situations and its necessity on the basis of the essential function and specific subject matter of copyright.175 The debate on digital exhaustion, in fact, is everything but exhausted. The question is now how long it will take for national courts to spot the omissions and flaws in Tom Kabinet and revert to the CJEU to get them solved—this time, hopefully, with more useful systematic results.

References Benabou VL (2016) Digital exhaustion of copyright in the EU or shall we cease being so schizophrenic? In: Stamatoudi IA (ed) New developments in EU and international copyright law. Wolters Kluwer, The Hague, pp 351–378 Benkler Y (2000) An unhurried view of private ordering in information transactions. Vand Law Rev 53:2063 Boyle J (2000) Cruel, Mean, or Lavish? Economic analysis, price discrimination and digital intellectual property. Vand Law Rev 53:2007 Boyle J (2003) The second enclosure movement and the construction of the public domain. Law Contemp Probs 66:33 Carver BW (2010) Why license agreements do not control copy ownership: first sales and essential copies. Berkeley Technol Law J 25(4):1887

174

Joined Cases C-293/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and C-594/12 Kärntner Landesregierung and Others [2014] EU: C:2014:238, paras 38 and 47. 175 I elaborate on these solutions in more details in Sganga (2019) paras 84–99.

174

C. Sganga

Cohen J (1996) The right to read anonymously: a closer look at copyright management in cyberspace. Conn Law Rev 28:981 Davis N (2009) Reselling digital music: is there a digital first sale Doctrine? Loyola Entertain Law Rev 29(3):363 Dreier T (2013) Online and its effect on the ‘goods versus ‘services’ distinction. IIC 44(2):137 Dreier T, Leistner M (2013) Urheberrecht im Internet: die Forschungsherausforderungen. Gewerblicher Rechtsschutz und Urheberrecht 9:887 Favale M, Kretschmer M, Torremans PC (2016) Is there a EU Copyright Jurisprudence? An empirical analysis of the workings on the European Court of Justice. Mod Law Rev 79(1):31 Fennelly N (2003) Rules and exceptions: freedom of movement and intellectual property rights in the European Union. In: Hansen HC (ed) International intellectual property law & policy, vol 5. Juris, New York, pp 33–34 Ficsor M (2002) The law of copyright and the internet. The 1996 WIPO treaties, their interpretation and implementation. OUP, Oxford Fisher W (2007) When should we permit differential pricing of information. UCLA Law Rev 55:1 Galič (Savič) M (2015) The CJEU allposters case: beginning of the end of digital exhaustion. Eur Intellect Property Rev 37:389 Gaubiac Y (2002) The exhaustion of rights in the analogue and digital environment. Copyright Bull 4:9 Ghose A, Smith MD, Telang R (2006) Internet exchanges for used books: an empirical analysis of product cannibalization and welfare impact. Info Sys Res 17:3 Gordon W (1998) Intellectual property as price discrimination: implications for contracts. Chi-Kent Law Rev 73:1367 Hess E (2013) Code-ifying copyright: an architectural solution to digitally expanding the first sale Doctrine. Fordham Law Rev 81:1965 Information Infrastructure Task Force (1995) Intellectual Property and the National Information Infrastructure: The Report of the Working Group on Intellectual Property Rights, September 1995, 212–214 Karapapa S (2014) Reconstructing copyright exhaustion in the online world. IPQ 4:307 Kawabata BM (2014) Unresolved textual tension: capitol records v. ReDigi and a digital first sale Doctrine. UCLA Entertain Law Rev 21(1):33 Kerber W (2016) Exhaustion of digital goods: an economic perspective. Zeitschrift fuer Geistiges Eigentum/Intellect Property J 8(2):149 Leistner M (2014) Europe’s copyright law decade: recent case law of the European Court of Justice and policy perspectives. Common Mark Law Rev 51(2):559 Lessig L (2004) Free culture: how big media uses technology and law to lock down culture and control creativity. Penguin, New York Linklater E (2014) UsedSoft and the big bang theory: is the e-exhaustion meteor about to strike. JIPITEC 5(1):15 Litman J (2006) Digital Copyright. Prometheus Books, New York Liu JP (2001) Owning digital copies: copyright law and the incidents of copy ownership. William Mary Law Rev 42:1245 Lunnedy GS Jr (2008) Copyright’s price discrimination Panacea. Harv J Law Technol 21:387 Maurer SM (1997) Price discrimination, personal use and piracy: copyright protection of digital works. Buff Law Rev 45:845 Maurer SM (2001–2002) Copyright and price discrimination. Cardozo Law Rev 23:55 Mazziotti G (2008) EU digital copyright law and the end-user. Springer, Berlin Mezei P (2015) Digital first sale Doctrine Ante Portas – exhaustion in the online environment. JIPITEC 6:23 Mulligan DK, Schultz JM (2002) Neglecting the national memory: how copyright term extensions compromise the development of digital archives. J App Prac Process 4:451 Netanel NW (2008) Copyright paradox. OUP, Oxford

6 Digital Exhaustion After Tom Kabinet: A Nonexhausted Debate

175

Pallante MA (2013) The next great copyright act. Columbia J Law Arts 38(3):324 Perzanowski A, Schultz J (2011) Digital exhaustion. UCLA Law Rev 58:889 Pistorius T (2006) Copyright in the information age: the Catch-22 of digital technology. North Cult Media Stud 20:47 Reese RA (2002–2003) The first sale doctrine in the era of digital networks. Boston College Law Rev 44:57 Reinbothe J, von Lewinski S (2015) The WIPO treaties on copyright. A commentary on the WCT, the WPPT, and the BTAP. OUP Ricketson S, Ginsburg JC (2006) International copyrights and neighboring rights. Berne convention and beyond, 2nd edn. OUP, Oxford Rimmer M (2007) Digital copyright and the consumer revolution: hands off My iPod. Elgar, Cheltenham-Northampton Rosati E (2015) Online copyright exhaustion in a post-Allposters world. J Intellect Property Law Pract 10(9):673 Rubi Puig A (2013) Copyright exhaustion rationales and used software: a law and economics approach to Oracle v UsedSoft. JIPITEC 4(2):159 Ruffler F (2007) Is trading in used software an infringement of copyright? The perspective of European law. EIPR 6:380 Ruffler F (2011) Trading in used software an infringement of copyright? The perspective of European Law. EIPR 6:378 Schovsbo J (2012) The exhaustion of rights and common principles of European intellectual property law. In: Ohly A (ed) Common principles of European intellectual property law. Mohr Siebeck, Tubingen, pp 169–188 Schulze EF (2014) Resale of digital content such as music, films or eBooks under European law. EIPR 36:9 Senftleben M (2012) Die Fortschreibund des urheberrechtlichen Erschopfungsgrundsatzes im digitalen Umfeld. Neue Juristische Wochenschrift 40:2924 Sganga C (2019) A plea for digital exhaustion in EU copyright law. JIPITEC 9(3):211 Shaffer Van Houweling M (2008) The new servitudes. Georgia Law J 96:885 Smith F, Woods L (2005) A distinction without a difference: exploring the boundary between goods and services in the World Trade Organization and the European Union. Columbia J Eur Law 12 (1):1 Spedicato G (2015) Online exhaustion and the boundaries of interpretation. In: Caso R, Giovanella F (eds) Balancing copyright law in the digital age - comparative perspectives. Springer, Berlin, pp 27–64 Sterling JAL (2015) World copyright law, 4th edn. Sweet and Maxwelk, London Stothers C (2012) When is copyright exhausted by a software license? UsedSoft v Oracle. EIPR 11:788 Strowel A, Kim HE (2012) The balancing impact of general EU law on European Intellectual Property Jurisprudence. In: Pila J, Ohly A (eds) The Europeanization of intellectual property law: towards a European legal methodology. OUP, Oxford, pp 121–142 Tjong Tjin Tai E (2003) Exhaustion and online delivery of digital works. EIPR 25:208 Ubertazzi B (2014) The principle of free movement of goods: community exhaustion and parallel imports. In: Torremans P, Stamatoudi I (eds) EU copyright law – a commentary. Elgar, Cheltenham-Northampton, pp 38–51 van Eechoud M (2012) Along the road to uniformity – diverse readings of the Court of Justice judgments on copyright work. JIPITEC 1:83 Vinje T, Marsland V, Gartner A (2012) Software licensing after Oracle v UsedSoft. Comput Law Rev Int 4:97 Von Bar, C, Clive E, Schulte-Nolte H et al (eds) (2009) Principles, definitions and model rules of European Private Law – draft common frame of reference, Outline edn. Sellier, Munchen von Lewinski S (2008) International copyright law and policy. OUP, Oxford

176

C. Sganga

von Lohmann F (2008) Fair use as innovation policy. Berkeley Technol Law J 23:829 Wiebe A (2010) The economic perspective: exhaustion in the digital age. In: Bently L, Suthersanen U, Torremans P (eds) Global copyright three hundred years since the statute of Anne, from 1709 to cyberspace. Elgar, Cheltenham, p 321

Chapter 7

Does Copyright Support Musical Creativity in a Remix Era? Giorgos D. Vrakas

Abstract Advancements of technology in music, the popularisation and ease of access to home recording software and hardware, and the creation of user-generatedcontent-orientated websites, and their subsequent proliferation, have resulted in a move from users exhibiting a mere passive role toward having a more active role in the creation and dissemination of music. As a result, we have witnessed the rise of prosumers of music and a remix culture. This phenomenon has been accused of giving rise to a remix era, and it is contested that remixing has created new avenues for musical creativity. However, the term creativity is ambiguous and thus requires further clarification since different perceptions of creativity lead to different results regarding whether musical remixes are in fact creative. Furthermore, EU copyright and related enforcement regimes not specifically attuned toward regulating musical remixes apply concurrently. Could they ultimately be stifling creativity? This chapter views copyright through the lens of different perceptions of creativity and examines whether musical remixes in today’s digital era are in fact creative and, in doing so, answers the question of whether EU copyright law supports musical creativity in a remix era by drawing upon inferences from UK case law and beyond.

1 Introduction John Philip Sousa, one of America’s favourite composers, had once argued that new methods of distributing and creating music, referred to as “mechanical music”, translated to easier access to musical works.1 Nevertheless, he argued that composers of songs that were being accessed did not share in the wealth stemming from

1

Lessig (2008).

G. D. Vrakas (*) The University of Edinburgh, Scotland, Old College, Edinburgh, UK e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_7

177

178

G. D. Vrakas

mechanical music.2 Furthermore, John Philip Sousa feared that mechanical music would result in cultural emptiness.3 He argued that the emergence of machines in music would result in a society exhibiting a lack of musical participation, and as a result, amateurism, which is correlated with a love for music, would be destroyed.4 It was predicted that we would no longer engage in the production of music but would merely hear what we wanted to hear on demand.5 Consequently, the role of producers in music would disappear. As such, John Philip Sousa feared that we would have a musical culture dominated by consumers, which Lessig refers to as a ReadOnly culture.6 Consequently, creativity in music would be destroyed. Despite expectations, through the advancement of technology in music, the popularisation and ease of access to home recording software/hardware and the creation of user-generated-content (UGC) orientated websites, and their subsequent proliferation, we have witnessed a move from users exhibiting a mere passive role toward having a more active role in the creation and dissemination of music. As such, we have witnessed the rise of prosumers of music,7 i.e. users who recreate versions of songs they have listened to and share those recreations online. Today’s technological advances allow for what is being referred to as the creation of a Read-Write culture.8 What this means is that we, as a society and as prosumers of music, are not only consuming musical works but are also producing derivative works based upon those works that we have “read”. As per Eric Kleptone, a United Kingdom (UK)-based mashup producer: Everything is breaking down in a good way . . . Once upon a time . . . there was a line. You know, the edge of the stage was there. The performers are on one side. The audience is on the other side, and never the twain shall meet. . . Now, being an artist is not the same as-you’re not necessarily giving people a finished product. You’re giving people an unfinished product. A platform that they can do stuff on.9

These technological advances have progressively led to the creation of a remix culture that is defined as “a practice enabled by widespread access to sophisticated computer technology whereby existing works are rearranged or combined to create a new work”.10 Hence, unlike John Philip Sousa’s predictions, it is suggested that 2

Ibid. Ibid. 4 Ibid, 27. 5 Ibid. 6 Ibid, 28. 7 The term prosumer is often attributed to Alvin Toffler who argues that over time we have witnessed the progressive distortion of the once distinctive roles of consumers and producers. It is posited that the same phenomenon is taking place in the realm of music. Musical remixes are not the only form of music prosumption. For instance, cover songs would also be categorised as works of music prosumption. However, the focus of this chapter is on musical remixes and not on all works of music prosumption. Toffler (1980). 8 Lessig (2008), p. 58. 9 Sinnreich (2010). 10 Ferguson (2015) Everything is a Remix. 3

7 Does Copyright Support Musical Creativity in a Remix Era?

179

technological advances in music have not destroyed amateurism but have facilitated the creation of a participatory culture and a remix era11 and ultimately led to the creation of prosumers of music. As a result, it is argued that this remix culture has created a surge in levels of creativity since old works are essentially recycled.12 As such, elements of already existing songs are given new life in the form of a remix, arguably creating new avenues for musical creativity. Nevertheless, there are a wide variety of interpretations as to what creativity is. Consequently, determining the effect the remix era has had on levels of creativity will differ depending upon the perception of creativity which is adopted. Furthermore, it is contested that both copyright and other enforcement regimes such as those regulating online platforms, not specifically attuned toward regulating prosumers’ activities, apply concurrently and could either support or act as barriers to musical creativity in a remix era.13 Similarly, depending upon what one perceives as creativity will determine how current copyright and related enforcement regimes interact with musical remixes and consequently determine whether they support or stifle musical creativity in a remix era. As aforementioned, the rise of UGC orientated websites has had an active role in the creation of, and popularisation of a remix era for prosumers of music. The most prominent UGC-orientated website is YouTube with 1.3 billion users worldwide and approximately 300 h of UGC uploaded every minute.14 Content on YouTube ranges from “beauty” and “unboxing” to “gaming” and “comedy.”15 However, YouTube’s most prominent form of content is music.16 Furthermore, there are countless remixes freely available on YouTube.17 Hence, YouTube unarguably acts as a prominent distribution platform for musical remixes. Moreover, YouTube has created its own way of implementing and enforcing copyright and related enforcement regimes on its platform. As a result, the way in which YouTube has implemented current copyright and related enforcement regimes also acts as a determinant of whether copyright and related enforcement regimes support musical creativity in a remix era. This chapter aims to demonstrate whether EU copyright and related enforcement regimes support musical creativity in a remix era by drawing inferences from UK case law and beyond. It does so, using two sections. The first section of this chapter defines what a remix is and makes distinctions between different forms of musical 11

Cabay and Lambrecht (2015). Cheliotis (2007). 13 Lessig (2008). 14 ‘These Are the World’s Most Popular Websites’ (World Economic Forum) accessed 14 February 2020. 15 (2017) The 20 Most Popular Types Of YouTubers: Genres, Examples. In: Mediakix. https:// mediakix.com/blog/most-popular-types-of-youtubers/. Accessed 6 March 2020. 16 Hugh McIntyre, ‘Report: YouTube Is the Most Popular Site for On-Demand Music Streaming’ (Forbes) accessed 14 February 2020. 17 Searching for the term “remix” on YouTube returns 813,000,000 results. 12

180

G. D. Vrakas

remixes. The second section of this chapter views copyright through the lens of three different perceptions of creativity and looks at whether musical remixes can be regarded as creative works under each of those perceptions. In doing so, it looks at how copyright and related enforcement regimes interact with musical remixes under each of those perceptions and ultimately determines whether EU copyright and related enforcement regimes support or act as barriers to musical creativity in a remix era.

2 What Is a Remix? The term “remix” applies to a wide range of creative works from appropriation art to film. Nevertheless, remixing seems to be most prominent in the music industry.18 Nowadays, remixing primarily translates to songs gaining widespread recognition and, as such, has become the norm for mainstream artists.19 However, the act of remixing is not a new phenomenon. Most cultures that exist today are the result of a history of mixing and merging of different cultures.20 Moreover, as aforementioned, the public has progressively had an active role in creating and recreating culture and has consequently been referred to as a “Read Write” culture.21 These same characteristics exist throughout the music industry. One of the first known “remixes” of the music industry can be traced back to the 1940s, where Pierre Schaeffer remastered pre-recorded sounds by manipulating the speed of songs, adding delay effects and looping various parts of songs.22 The earliest example of popularised remixing was Rappers Delight by Sugarhill Gang in 1979, which had incorporated the bass riff from Good Times by Chic.23 This form of borrowing paved the way for the remix culture that exists today in the music industry. Despite the popularisation of remixing in the music industry, there does not seem to be an appropriate definition of remixing that could encompass all forms of musical remixes, whether that be purely doctrinal or legal. For instance, Lessig defines remixing as “an essential act of Read Write creativity. It is the expression of a freedom to take the songs of the day or the old songs and create with them”.24 Furthermore, Indian courts have defined the act of remixing as “a sound recording

18

Hellweg (2004). McIntyre (2016). Also, a recent example is provided by Despacito by Luis Fonsi & Daddy Yankee which managed to reach number one on global charts after it had been remixed by Justin Bieber. Also see—SAINt JHN—“Roses” (Imanbek Remix). 20 Rostama (2015). 21 Lessig (2008). 22 Patrick (2016). 23 Daly (2005). 24 Lessig (2008). 19

7 Does Copyright Support Musical Creativity in a Remix Era?

181

made of an already published song by using another voice or voices and with different musicians and arrangers”.25 Nevertheless, such definitions do not differentiate between forms of remixing that exist in the music industry, and as is discussed in greater detail below, different forms of remixing translate to different levels of borrowing. Consequently, the way in which copyright regimes treat different forms of remixing will differ, making the aforementioned definitions of remixing devoid of merit. There are two main forms of musical remixes. The first form of remixing is often referred to as sampling. Sampling is defined as “taking part of a song such as the beat or underlying melody and using it in the sonic fabric of a new musical work”.26 Moreover, United States (US) courts have defined sampling as “the actual physical copying of sounds from an existing recording for use in a new recording, even if accomplished with slight modifications such as changes to pitch or tempo”.27 More recently, the Court of Justice of the European Union (CJEU) defined sampling as consisting of a user “taking a sample from a phonogram, most often by means of electronic equipment, and using the sample for the purposes of creating a new work”.28 The example provided above of the Sugarhill Gang, which popularised the act of remixing in the music industry, would fit within this form of remixing. The second form of remixing is often referred to as “mashup”. However, in the absence of an authoritative definition of the term “mashup”, whether that be legal or doctrinal, one must attempt to define the term themselves.29 A mashup can be understood as the merging of already existing songs together without much editing involved. This form of remixing is also referred to as A+B remixing.30 A mashup could involve a certain degree of sampling. One may sample the beat of a song and the melody of another and merge them together. This form of remixing would still be considered as a mashup. An example of such a remix is provided by DJ Earworm’s “Shape of Now”, where nine different songs are sampled and layered to create a mashup.31 However, there is no limit on the number of songs that can be used in mashups. For instance, Gregg Gills, a famous mashup artist more commonly known as Girl Talk, had used over 300 in a single album.32 This form of mashups has been characterised by music scholars as resembling an “audio collage”.33 Nevertheless,

25

Gramophone Co. of India v Super Cassettes Industries Ltd., (1996) PTC (16), at 47. Sunder (2006). 27 Newton v Diamond, 388 F.3d 1189, at 1192 (9th Cir. 2004); VMG Salsoul, LLC v Ciccone, No. 13-57104 (9th Cir. 2016). 28 Case C-476/17 Pelham GmbH, Moses Pelham and Martin Haas v Ralf Hutter and Florian Scheider-Esleben [2019] para 35. 29 Bernd Jütte Justin (2014). 30 McAvan (2006). 31 DJ Earworm Mashup—Shape of Now—YouTube. https://www.youtube.com/watch?v¼NRJho65CUQ. Accessed 30 July 2020. 32 Eble (2013). 33 Sexton (2007), p. 7. 26

182

G. D. Vrakas

the existence of a mashup does not necessarily imply that sampling has taken place. Songs may be merged in their entirety as a medley and still be classed as a mashup. Also, artists who sample may add original lyrics and/or melodies to sampled tracks, and hence, sampling may in certain circumstances involve a lower degree of borrowing than that of mashups. Consequently, as will be discussed in greater detail in sections that follow, sampling may be treated more favourably by copyright regimes as opposed to mashups. Therefore, as aforementioned, it is useful to think of samples and mashups as two distinct forms of musical remixes.

3 What Is Creativity? The recycling of musical works whether that be through sampling or a mashup has arguably created a new avenue for creativity since already existing songs are given new life in the form of a remix.34 However, the term “creativity” is ambiguous and thus requires further clarification. As illustrated in Fig. 7.1, this section aims to critically analyse three different perceptions of creativity, thereby determining whether musical remixes can be regarded as creative under each of these perceptions. The way in which copyright and related enforcement regimes interact with musical remixes under each perception will also be critically analysed. Doing so will ultimately allow for the identification of whether EU copyright and related enforcement regimes support or act as barriers to musical creativity in a remix era.

Fig. 7.1 Diagram of all arguments made in this chapter

34

Cheliotis (2007).

7 Does Copyright Support Musical Creativity in a Remix Era?

3.1

183

Originality Is Equivalent to Creativity

The first perception of creativity explored views the existence of copyright protection as a sign that something is creative. Hence, under this perception of creativity, the threshold for copyright protection i.e. originality, is equivalent to creativity. This perception of creativity is most common in empirical studies that associate an increase in the number of copyright-protected works with a surge in levels of creativity.35 But what determines when a work can be protected by copyright? For a work to be protected by copyright in the European Union (EU), it must meet the threshold for originality. The CJEU’s decision in Infopaq v Danske Dagblades Forening36 has largely resulted in the harmonisation of the standard of originality throughout the EU.37 This is evident in the fact that subsequent rulings of the CJEU have followed the decision in Infopaq.38 Thus, a work is deemed as surpassing the threshold of originality if it demonstrates the “author’s own intellectual creation”.39 This standard for assessing originality has been interpreted by legal scholars as requiring both a subjective and objective assessment of a given work.40 Subjectively, an original work must reflect the “author’s personality”.41 Objectively, originality is assessed based on the author’s “creative freedom” in creating the work.42 Given the lack of existing case law, determining whether a musical remix could be awarded copyright protection in the EU would be on a case-by-case basis. Mashups, as aforementioned, are the combination of multiple pre-existing songs. This could take on the form of a medley. In that case, it is unlikely that copyright protection would be awarded. The CJEU in Infopaq did not provide the exact parameters of creativity that would be deemed sufficient in order for a work to amount to the “authors own intellectual creation”. However, if the choice, sequence

35

Ku et al. (2009). One criticism of this view, is that it can only be applied to jurisdictions which have a registered copyright system such as the US which has a voluntary registration system. 36 Case C 5/08 Infopaq International A/S v Danske Dagblades Forening [2009] ECDR 16. 37 Rosati (2013). 38 Case C-393/09 Bezpečnostní softwarová asociace – Svaz softwarové ochrany v Ministerstvo kultury [2011] ECDR 3, para 45; Cases C-403/08 and C-429/08 Football Association Premier League Ltd and Others v QC Leisure and Other, Karen Murphy v Media Protection Services [2012] CMLR 29 para 97, Case C-145/10 Eva-Maria Painer v Standard Verlags GmbH [2012] ECDR 6, para 87; Case C-355/12 Nintendo Co. Ltd and Others v PC Box Srl and 9Net Srl [2012] ECDR 6, para 21. 39 Infopaq (2009) at 37. 40 Jacques (2017); Mendis (2019). 41 C-145/10 Eva-Maria Painer v Standard VerlagsGmbH and Others [2011] ECR I-12533, at 88. 42 Ibid, at 94.

184

G. D. Vrakas

and combination of 11 works in a newspaper is sufficient for the granting of copyright protection, then it is argued that this threshold is not necessarily high. Furthermore, in Painer, even a realistic portrait was sufficient to amount to copyright protection based on the creative choices made during the entire creative process, including the choice of background in the preparatory stage of production. Hence, in assessing whether a mashup in the form of a medley meets the subjective test of originality, a court would most likely take all pre-production choices made by its creator into account. Whether the choices made by the medley’s creator are sufficient, however, to meet the subjective test for originality is debateable. Using the example of a mashup that was provided above—DJ Earworm’s Shape of Now—one could argue that the author’s personality would be evident. This is due to the fact that DJ Earworm has reworked the original musical works to the extent that new meaning is given to not only the lyrics but also the composition of the derivative work,43 thereby evidencing sufficient creativity beyond the arrangement, combination and sequencing of 11 words. Whether the author is still afforded sufficient creative freedom, thereby surpassing the objective threshold for originality, is also debateable. The remixer’s creative freedom would be restricted by the pre-existing works used in the medley in question, thus most likely failing to meet the objective assessment of originality. In accordance with the decisions in BSA, Football Dataco, Cofemel and Brompton Bicycle Ltd, where the choices made by the “author” would be determined by the existence of pre-determined rules, then the objective test of originality will not be met. Consequently, the limits placed on a mashup artist’s choice, by reusing already existing works, may result in such works not qualifying for copyright protection. However, once again using the example of DJ Earworm’s Shape of Now, which is a mashup that encompasses elements of sampling, translates to endless possibilities, in the sense that its creator has an endless library of extracts and snippets to choose from. This could be sufficient in terms of surpassing the objective threshold for originality. Consequently, under this perception of creativity, a few extreme mashups such as the one described above could possibly be awarded copyright protection and thus be regarded as creative. Nonetheless, it can be deduced that in general, it is unlikely that mashups will be protected by copyright and thus be regarded as creative. Samples, on the other hand, would most likely surpass the threshold of originality. Applying the subjective test to a remix in the form of a sample, it is likely that the remixer’s personality would be embodied in their remix. This is due to the fact that, typically, a sample would only be a small snippet of an already existing song being used in the creation of a remix; i.e., the drum beat or bass line would be reused, whereas the underlying melody or sonic fabric of the remix would emanate from the creator. A remix in the form of a sample would also most likely surpass the objective

43

DJ Earwork’s mashups are mashups with elements of sampling. As such, the way in which the mashup is structured i.e. the lyrics and sound recording are rearranged, results in a completely new meaning being given to the songs being reused.

7 Does Copyright Support Musical Creativity in a Remix Era?

185

test for awarding copyright protection. As aforementioned, the remixer has an endless library of extracts and snippets to choose from and is free to choose any length of a sample they wish from any already existing song. As such, it is likely that a remixer creating a sample will be regarded as having sufficient creative freedom, meaning that the subjective assessment could be surpassed. In Sawkins v Hyperion Records Ltd, a UK Court of Appeal decision, it was held that editing a musical work through the insertion of additional notes and alteration of original notes translated to copyright protection being awarded to the editor.44 In Sawkins, a determining factor of what constituted sufficient alterations, thereby awarding protection, was expert evidence that had stated that without the editing that had been conducted, the work could not be performed in a modern recording session.45 Thus, the music that could be heard on the recording in question originated from Sawkins’ alterations.46 As a result, one could argue that a remix in the form of a sample would have to contain a sample that was transformed to the extent that it is no longer recognisable in order to be awarded copyright protection. However, it is argued that such excessive editing takes away from the essence of remixing. Arguably, remixing owes its popularity to the fact that it hints toward an already familiar musical work but brings in new life into an old song.47 Nonetheless, this is purely hypothetical, and the question of whether or not to award copyright protection to a remix in the form of a sample would require in-depth analysis on a case-by-case basis. Although above it was argued that the originality threshold has largely been harmonised throughout the EU, some have characterised the CJEU’s decision in Infopaq as being “vague”.48 This may to a certain degree be true and can be seen by looking at the UK approach to awarding copyright protection, which assesses originality based on the author’s expenditure of skill, labour and judgement.49 However, as will be seen below, although the UK has a different process in place for assessing originality, the results will most likely be the same. Moreover, one could argue that, in reality, the EU and UK tests, although may seem different, are in fact the same.50 This is evident in the fact that since the CJEU’s decision, UK courts have used the terms “author’s own intellectual creation” and “skill labour and judgement” interchangeably.51

44

Sawkins v Hyperion Records (2005) RPC 32. Ibid, at 25. 46 Robinson (2005). 47 Ferguson (2015) Everything is a Remix. 48 Cabay and Lambrecht (2015), p. 360. 49 Macmillan & Co Ltd v K & J Cooper (1923) 93 LJPC 113. 50 Rahmatian (2013). 51 Forensic Telecommunications Services Ltd v Chief Constable of West Yorkshire (2011) EWHC 2892; Temple Island Collections Ltd v New English Teas Ltd (2012) FSR 9. 45

186

G. D. Vrakas

Originality in the UK is set at a very low threshold. As per Peterson J, all that is required is that the work was not copied.52 Traditionally, UK courts have tested originality by looking at the amount of skill, labour and judgement that has been expended by the potential rightsholder and is judged on a case-by-case basis.53 However, the amount of skill, labour and judgment expended should be more than minimal or negligible.54 Consequently, the act of copying something would not be regarded as meeting the threshold of originality.55 Thus, bearing in mind the fact that both sampling and mashups require that at least a part of a previous sound recording is copied, and the fact that copying does not amount to originality,56 it is unlikely that remixes will be awarded copyright protection in the UK despite the low threshold for originality. Taking a synoptic view of the above mentioned, it can be deduced that remixing will typically not be granted copyright protection in the EU. Consequently, adopting this perception of creativity, which views the existence of copyright protection as a measure of creativity, most commonly encountered in empirical studies that associate an increase in the number of copyright-protected works with a surge in levels of creativity, most remixes will likely not be regarded as creative. If, on the other hand, copyright protection was awarded to all musical remixes, then under this perception of creativity, all remixes would be seen as being creative. Nonetheless, as will be discussed in greater detail below, copyright protection actually restricts the dissemination of musical remixes. Consequently, an appropriate balance should be struck between the provision of copyright protection and the ability of follow-on creators to reuse musical works.57

3.2

Quality Is Equivalent to Creativity

It is argued that creativity should be correlated with the quality of a work.58 As such, works that exhibit high levels of creativity should also exhibit high quality levels and vice versa. However, it is contested that the assessment of quality is subjective. Consequently, under this perception of creativity, the determination of whether a remix is to be considered as being creative will also be subjective. Nonetheless, it is argued that the way the market reacts to a creative work could act as a determinant of

52

University of London Press v University Tutorial Press (1916) 2 Ch. 601, at 608. Macmillan (1923). 54 Ladbroke v William Hill (1964) 1 WLR 273; Express Newspapers plc v News (UK) Ltd (1990) FSR 359. 55 Interlego AG v Tyco Industries Inc. (1989) AC 217, at 262–263. 56 Interlego AG v Tyco Industries Inc. (1989) AC 217. 57 Abrams (1992). 58 Kretschmer (2012). 53

7 Does Copyright Support Musical Creativity in a Remix Era?

187

the quality of a work.59 If the general public enjoys a creative work, then this will translate to that work being considered as a “bestseller”, and bestselling works are works that could be regarded as exhibiting high-quality levels.60 Thus, under this perception of creativity, the number of sales of a work is directly correlated with how creative it is. It could be argued that over the years, remixing has gained widespread popularity.61 Countless remixes are uploaded to YouTube on a daily basis,62 and YouTube is primarily made up of UGC, most of which is unauthorised.63 However, it is argued that the current copyright framework acts as an obstacle toward musical remixes reaching the market. Hence, using the theory that equates market success with quality, copyright and related enforcement regimes restrict musical remixes’ quality and, therefore, creativity from being shown. This section aims to demonstrate how copyright and related enforcement regimes restrict remixes from reaching the market consequently, limiting musical remixes’ opportunity of being regarded as creative. It does so by analysing whether musical remixes amount to copyright infringement and whether any exceptions apply. This section then looks at how the right clearance process may act as a barrier to creativity for musical remixes. Despite this, the way in which platforms like YouTube have operationalised such regimes may create new avenues for creativity. Hence, this section then looks at how platforms like YouTube have implemented existing copyright and related enforcement regimes. 3.2.1

Copyright Infringement

Unauthorised musical remixes most often amount to copyright infringement. Bearing in mind the definitions of remixing provided in section 1, and provided that no prior consent is given to reuse a work, it is highly likely that remixing will be seen as infringing the original author’s exclusive right to reproduce the work, which is protected under Article 2 of the InfoSoc Directive.64 In the UK, this can be found under s16(1) and s17 of the Copyright, Designs and Patents Act 1988 (CDPA). Furthermore, under s16(3)(a) of the CDPA, the reuse of a work will have infringed copyright if a substantial part of the original work is taken. Bearing in mind the fact that mashups most commonly reuse a large portion of

59

Ibid. Ibid. 61 As aforementioned, authorised remixing has become the norm for mainstream artists. A relatively recent example is provided by Despacito by Luis Fonsi & Daddy Yankee which managed to reach number one on global charts after it had been remixed by Justin Bieber. 62 Searching for the term “remix” on YouTube returns 813,000,000 results. 63 This is discussed in more depth below where the pseudo-pathway to right clearance is introduced. 64 Directive on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ 2 167/10. 60

188

G. D. Vrakas

original works, it is highly likely that they will be seen as infringing copyright. However, substantiality is not only assessed quantitatively65 but mostly judged on a qualitative basis.66 Consequently, in a dispute involving a remix, UK courts will have to look beyond literal note-for-note copying but more toward the overall impression that the remix creates.67 Nevertheless, it is unlikely that a mashup would be seen as reusing an insubstantial part of an original song both quantitatively and qualitatively since, apart from a change in tempo or a transposition of notes, it is unlikely that any further editing will have taken place in a mashup. Consequently, the essence or “quality” of the original song will typically be reproduced in a mashup and as such will likely be treated as a copyright infringement. Moreover, bearing in mind the definition of mashups that has been provided, they will most likely be seen as committing multiple copyright infringements since the whole or parts of multiple songs are reused. For samples, on the other hand, would the reuse of one original element such as a single rhythmic pattern or guitar riff translate to the reproduction of a substantial part? Courts may be able to rely on expert evidence. However, to avoid subjectivity, evidence provided is merely persuasive.68 Nevertheless, technological advances in music have not only created a remix era but allow for modern forensic evidence to be used in court.69 For example, a claimant may ask to see the original files that were created in recording software such as ProTools. This would allow for the easy identification of whether any copyright-protected works were reused. However, what about the actual amount of the song that is copied? Australian courts have held that the length of the song from which a sample is taken could be a determining factor.70 In a case, involving a dispute over Men at Work’s song entitled “Down Under” and its alleged reuse of a short Australian song entitled “Kookaburra Sits in the Old Gum Tree”, two bars of a four-bar song had allegedly been reproduced.71 The fact that half of that song had been reused in the final work translated to an infringement being found, even though the amount copied was only two bars. In the US, there is a de minimis threshold whereby if the sample taken is too small, no infringement will be found. For example, a single note or chord would not be seen as an infringement, but beyond that, courts will have to undergo a qualitative analysis of the sample taken.72 However, in Bridgeport Music, Inc. v Dimension Films, it was held that the de minimis threshold does not apply to sound

65

Hawkes & Sons (London) Ltd v Paramount Film Services Ltd (1934) Ch. 593, at 604. Ladbroke v William Hill (1964) 1 WLR 273; University of London Press Ltd v University Tutorial Press Ltd (1916) 2 Ch. 601, at 610. 67 Ladbroke v William Hill (1964) 1 WLR 273, at 276. 68 Produce Records Ltd v BMG Entertainment UK and Ireland Ltd Unreported, January 19, 1999. 69 McLeod and DiCola (2011). 70 EMI v Larrkin (2011) 276 ALR 35, at 54. 71 Ibid. 72 McLeod and DiCola (2011). 66

7 Does Copyright Support Musical Creativity in a Remix Era?

189

recordings.73 Thus, in the US, any amount reused in a sample will be treated as giving rise to copyright infringement. However, a recent case seems to have overruled Bridgeport, and thus the de minimis threshold may equally apply to sound recordings.74 Nevertheless, the UK does not have a de minimis threshold.75 Consequently, any amount copied in the UK will most likely be regarded as an infringement of copyright. This has been confirmed in the CJEU’s recent decision in Pelham, where a 2-second sample was regarded as amounting to infringement.76 In this case, a sample of approximately 2 seconds from a song entitled “Metall auf Metall” released in 1977 by the band Kraftwerk was reused by hip hop producer Moses Pelham in the song entitled “Nur Mir,” which he produced for Sabrina Setlur. The sample from “Metall auf Metall” was slowed down in “Nur Mir” and was on a continuous loop throughout the song. The band Kraftwerk sued Pelham for the reuse of their work. At first instance, Pelham attempted to rely on an exception found under paragraph 24 of the German Act on Copyright and Related Matters, which states that “an independent work created in the free use of the work of another person may be published or exploited without the consent of the author of the work used”.77 In 2016, the German Constitutional Court ruled that interpreting this provision narrowly would not allow for sufficient consideration of artistic freedom, as guaranteed by German Basic Law.78 This case eventually reached the German Federal Supreme Court, which referred six questions to the CJEU. The first question asked whether the 2-second sample amounted to a “reproduction in part” under Article 2(c) of the InfoSoc Directive.79 In response to this first key question, the CJEU made a distinction between the reuse of a work without modifications thereby being recognisable to the ear and those that are modified to the extent that they are no longer recognisable. The CJEU explained that the latter would fall outside the scope of rightsholders’ exclusive rights protected under Article 2(c) of the InfoSoc Directive.80 The court used the same reasoning used by Advocate General Szpunar in reaching this decision, adopting an interpretation that views every partial reproduction as a copy of that work. As such, a de minimis threshold regarding the quantitative amount copied in the EU is rejected.81 73

Bridgeport Music, Inc. v Dimension Films, 410 F.3d 792 (6th Cir. 2005). VMG Salsoul, LLC v Ciccone, No. 13-57104 (9th Cir. 2016). 75 Hawkes & Sons (London) Ltd v Paramount Film Service Ltd (1934) Ch. 593. 76 Pelham (2019). 77 § 24 Copyright Act of 9 September 1965 (Federal Law Gazette I, p. 1273), as last amended by Article 1 of the Act of 28 November 2018 (Federal Law Gazette I, p. 2014), see https://www. gesetze-im-internet.de/englisch_urhg/englisch_urhg.html accessed 10 June 2020. 78 Bernd Jütte Justin (2019), p. 827. 79 Directive on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ 2 167/10. 80 Directive on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ 2 167/10. 81 AG Szpunar, Opinion in Pelham GmbH v Hutter EU:C:2018:1002; [2019] E.C.D.R. 3 at [28]– [33]. 74

190

G. D. Vrakas

Taking a synoptic view of the above mentioned, it can be deduced that remixes in the form of both a mashup and a sample will most often amount to an infringement of the original authors’ exclusive right to reproduce the work that is protected under Article 2 of the InfoSoc Directive. Consequently, rightsholders are able to enforce their right through mechanisms discussed in greater detail below, thereby restricting remixes from reaching the market, which accordingly, under this perception of creativity, translates to remixes falling outside the scope of what would be regarded as creative. 3.2.2

Copyright Exceptions

Copyright regimes typically also allow for certain exceptions and when applicable will permit the otherwise illegal dissemination of an unauthorised musical remix. However, Article 9(2) of the Berne Convention, often referred to as the “three-step test”, states that Union members may “permit the reproduction of [literary and artistic] works in certain special cases, provided that such reproduction does not conflict with a normal exploitation of the work and does not unreasonably prejudice the legitimate interests of the author”. The three-step test can be found under Article 5(5) of the InfoSoc Directive, whereby it is stated that copyright exceptions shall only be applied in certain special cases which do not conflict with a normal exploitation of the work or other subject-matter and do not unreasonably prejudice the legitimate interests of the rightholder. Consequently, remixing may not fall under any exceptions due to national courts’ narrow interpretations. Moreover, courts are also under an obligation to take fundamental rights into consideration.82 This may further dampen the chances of remixing falling under a copyright exception. However, this is dependent upon how national courts chose to balance competing rights. The only exceptions that could potentially apply to musical remixes are the quotation and parody exceptions found under Articles 5(3)(d) and 5(3)(k) of the InfoSoc Directive, respectively.83 Article 5(3)(d) of the InfoSoc Directive states that an exception will apply for quotation purposes provided that the sole purpose of the reusing of a copyrightprotected work meets four requirements: 1. “The reuse must relate to a work or other subject-matter which has already been lawfully made available to the public, . . . unless this turns out to be impossible, 2. the source, including the author’s name, [must be] indicated, and that 3. the reuse is in accordance with fair practice, and 4. to the extent required by the specific purpose; [. . .]”.84

82

Deckmyn and Vrijheidsfonds VZW v Vandersteen (C-201/13) [2014] Bus. L.R. 1368, at 27; Eva-Maria Painer v Standards Verlags GmbH (C-145/10) [2011] E.C.D.R. 13 at 134. 83 Cabay and Lambrecht (2015). Jacques (2015a). 84 Directive on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ 2 167/10.

7 Does Copyright Support Musical Creativity in a Remix Era?

191

The InfoSoc Directive does not limit its application to literary works. As such, the meaning of quotation and, hence, its boundaries are not limited by the typical qualities of literary quotations most commonly associated with the academic publishing sector.85 The CJEU has consequently held that the quotation exception could equally apply in cases involving photography.86 Therefore, it could potentially also apply to musical works. It is thus contested that provided a remix fulfils the abovementioned requirements, it could potentially qualify for an exception for the purposes of quotation. Bearing in mind the definitions of a remix provided in section 1, it can be deduced that the first requirement will always be fulfilled where a work is reused for the purpose of creating a musical remix since for a remix to be created, the source must already exist. Additionally, successful remixes reproduce an already familiar musical work, meaning that remixes will most likely draw upon an already existing work that is well known.87 The CJEU gave further guidance on the application of this exception in EvaMaria Painer v Standards Verlags GmbH.88 In this case, it was held that there is no need for the quoting work, i.e. the remix, to be protected by copyright itself.89 Bearing in mind the analysis of the way in which originality is tested discussed earlier, this decision could potentially be beneficial for remixes since they typically will not qualify for copyright protection. Hence, this further enhances the chances of this exception applying. Furthermore, the CJEU in Painer placed a significant amount of emphasis on the requirement of sufficient acknowledgement by arguing that it is still a requirement even when the author is unknown.90 It is argued that remixers typically acknowledge the artists whose work they are reusing in order to create their remix.91 Hence, it is contested that musical remixes will typically meet the second requirement of this exception. Moreover, in determining the applicability of this exception, significant emphasis is placed on the amount that is copied. Hence, it can be deduced that mashups will most likely not qualify for this exception since, as demonstrated above, they typically reuse a significant proportion of the original. Thus, it is contested that the quotation exception is best suited for remixing in the form of sampling. However, the Attorney General (AG) seems to have interpreted this exception in the case of Painer very narrowly by stating that the original work must be reproduced without

85

Bently et al. (2018), p. 246. Eva-Maria Painer v Standards Verlags GmbH (C-145/10) [2011] E.C.D.R. 13. 87 Ferguson (2015) Everything is a Remix. 88 Eva-Maria Painer v Standards Verlags GmbH (C-145/10) [2011] E.C.D.R. 13. 89 Ibid, 136. 90 Ibid, 139–149. 91 A quick search on YouTube for the term “remix” reveals that more often than not, the original artists name and song title which are being remixes are quoted in the title of the video. However, this is something which requires more in-depth research. 86

192

G. D. Vrakas

modification.92 Adopting this view makes it impossible for the exception for quotation to apply to all forms of remixing in the music industry. It is however, contested that the AG’s opinion is not legally binding. This means that courts could potentially go against the AG’s opinion in a case involving the applicability of the quotation exception. Thus, although this exception seems promising at first instance, there is uncertainty over its applicability and in turn whether it could support musical creativity in the remix era. As aforementioned, the second potentially applicable exception for musical remixes is the exception for the “purpose of caricature, parody or pastiche” found under Article 5(3)(k) of the InfoSoc Directive.93 In Deckmyn v Vandersteen, the CJEU held that a parody should be regarded as an autonomous concept of EU law.94 Consequently, the concept of a parody should be harmonised throughout the EU. Furthermore, the CJEU held that the term parody should be determined by taking its everyday meaning into account.95 Therefore, in order for this exception to apply, two essential characteristics must be fulfilled. A potentially exempt work must evoke an existing work while being noticeably different from it and must constitute an expression of humour or mockery.96 Thus, this exception could only apply to certain types of musical remixes. In order for the first requirement to be fulfilled, more than minimal editing would have to be involved. For instance, it is unlikely that this exception could apply to a mashup in the form of a medley since no alteration will have been made to the original work. Thus, provided that editing has taken place to produce a remix, then the first requirement will be fulfilled. However, the second condition that requires that an element of humour or mockery exists may cause significant issues for remixes. Nevertheless, an empirical study that had been undertaken on behalf of the UK Intellectual Property Office indicated that a large number of pop parodies sample earlier works.97 Thus, it is contested that a proportion of remixes in the form of samples could constitute an expression of humour or mockery, consequently fulfilling the second requirement for the parody exception. However, apart from certain mashups that are intentionally created so as to invoke a certain aspect of humour, such as “Psychosocial Baby,” which combined two antipode forms of music,98 it is unlikely that a large proportion 92 Opinion of AG Trstenjak in Eva-Maria Painer v Standards Verlags GmbH (C-145/10) [2011] E.C.D.R. 13, at 208–209. 93 Directive on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ 2 167/10. 94 Deckmyn and Vrijheidsfonds VZW v Vandersteen (C-201/13) (2014) ECDR 21, at 15. 95 Ibid, at 20. 96 Ibid. 97 Erickson, K. (2013) Evaluating the impact of parody on the exploitation of copyright works: an empirical study of music video content on YouTube. Project Report. Intellectual Property Office UK, Newport, UK. 98 Justin Bieber vs Slipknot -Psychosocial Baby. In: YouTube. https://www.youtube.com/watch? v¼NPtJt4A7iOA&ab_channel¼bullet4sum. Accessed 30 July 2020.

7 Does Copyright Support Musical Creativity in a Remix Era?

193

of mashups could be seen as fulfilling this requirement. Thus, only under certain circumstances could remixes invoke an element of humour or mockery, thereby fulfilling the second requirement of the parody exception. It is, however, for national courts to determine whether a remix constitutes an expression of humour or mockery. Nonetheless, it is contested that they are ill equipped to do so.99 Humour in music might be different from the traditional meaning of the term.100 It may, for instance, be a change in rhythm where that change of rhythm would not traditionally apply to that genre of music. Courts are now asked to assess whether such changes would constitute an element of humour or mockery. UK judges already struggle with copyright cases relating to music and adding another criterion to be considered would make it harder for cases to be “fairly” decided.101 Moreover, it is unclear as to how this exception would apply in the case of mashups. As aforementioned, mashups will often be committing multiple copyright infringements. Would this exception be seen as exempting all such infringements? Based on the fact that for a remix in the form of a mashup it would be the combination of the songs or parts of songs that would create the element of mockery or humour,102 then the exception should apply to all infringements that would have been committed. However, due to a lack of case law, it is unclear as to how this exception would apply. Furthermore, it is also unclear as to whether this exception could apply to cases where a remix is created for commercial purposes. Traditionally, copyright exceptions have not applied where a work has been reused for commercial purposes due to the fact that this form of reuse is regarded as unfair.103 However, as aforementioned, fundamental human rights have an influential role in the determination of when copyright exceptions apply. This is even more prevalent in the case of the parody exception and is exemplified by the fact that a number of EU Member States have not implemented Article 5(3)(K) of the InfoSoc Directive (the parody exception) since they believe it is covered by the freedom of expression.104 Moreover, the European Court of Human Rights has held that freedom of expression extends to cover commercial speech as well.105 Consequently, it is contested that the parody exception should also cover commercialised remixes which fulfil the aforementioned requirements. However, national courts are afforded a greater margin of appreciation, and as such it will depend on how national courts interpret a given case. Nevertheless, in a typical remix scenario, courts will have to balance the rights of the remix artists against those of the original rightsholder, albeit on the basis of

99

Jacques (2015c). Jacques (2015b). 101 Stuart v Barrett (1994) EMLR 448; Hadley v Kemp (1999) EMLR 589. 102 See for instance, Psychosocial Baby mentioned above (n 98). 103 Ashdown v Telegraph Group Ltd (2001) EWCA Civ 1142, at 72. 104 Triaille (2013). 105 Krone Verlag GmbH & Co. KG v Austria (No.3) (2006) 42 EHRR 28. 100

194

G. D. Vrakas

existing copyright exceptions and their autonomous meaning and not directly on the basis of human rights since the CJEU’s trilogy in Pelham, Spiegel Online and Funke Medien. Hence, the commercialisation of a remix may tip the balance in favour of the original rightholder.106 However, this may involve courts having to analyse the impact a remix has had on the original song’s market.107 It is argued that a remixed work often creates a new market rather than impeding upon the original song’s market.108 Furthermore, as mentioned above, disseminating platforms like YouTube have created new avenues for generating revenues for original artists. This is achieved through YouTube’s revenue sharing option whereby the rightsholder is given the opportunity to share in the revenues generated by a user-generated remix. This is the result of YouTube’s use of digital fingerprinting mechanisms—Content ID—discussed in greater detail below. Upon uploading a remix to YouTube, and Content ID picking up on an alleged infringement, the rightsholder will be notified of this and be given the option to earn some of or all revenues generated by the remix. Thus, it is argued that the commercialisation of a remix will not in fact negatively impact the original author economically, thereby tipping the balance in favour of the remix artists. However, this still is dependent upon the way in which national courts choose to analyse such a case. Although Article 5(3)(k) of the InfoSoc Directive provides exemptions for works that could be regarded as either caricature, parody or pastiche, scholars seem to interpret this as giving rise to one exception—parody. For instance, Sabine Jacques argues that “it is also worth noting that in this decision [Deckmyn], the court implicitly indicates that “parody”, “pastiche” and “caricature” are overlapping, rather than impervious terms. While it is possible to highlight characteristics of each genre, it may be impossible to delineate each term completely. Ultimately, parody must be understood as a “multivalent” term which operates at different levels and comprises many genres, such as satire, pastiche and caricature.”109 However, Emily Hudson argues that these terms are in fact distinct and should be interpreted that way.110 Namely, the author argues that the exception found in Article 5(3)(k) of the InfoSoc Directive “is far more significant than has been appreciated thus far owing to the inclusion of pastiche”.111 A pastiche has been defined as “a musical or other composition made up of selections from various sources or one that imitates the style of another artist or period”.112 Although often perceived as an “imitation of style”, it is also defined as including “any work incorporating different styles, or

106

Jacques (2015a). HM Government (2012). 108 (2016) Remix Culture vs Copyright Laws. In: Atavist. https://beingbela.atavist.com/remixculture-vs-copyright-laws. Accessed 30 July 2020. 109 Jacques (2015c), p. 136. 110 Hudson (2017). 111 Ibid., p. 368. 112 Adebiyi (2014). 107

7 Does Copyright Support Musical Creativity in a Remix Era?

195

made up of parts drawn from a variety of sources” and can thus be understood as going beyond a mere imitation of style.113 We have, however, no official guidance on how such an exception should be interpreted and applied. Emily Hudson, however, argues that guidance should in fact be taken from Deckmyn, thereby adopting the “everyday meaning” of pastiche, meaning that it should be interpreted broadly and should not require an element of humor since “in contrast with caricature and parody, pastiche includes uses that are neutral towards, or celebrate, the referent”.114 Hence, if the inclusion of the term pastiche in Article 5(3)(k) of the InfoSoc Directive is indeed interpreted as giving rise to a copyright exception similar to that described by Emily Hudson, then one could argue that both forms of remixing could avoid copyright infringement. However, given the lack of official guidance, it is posited that the view adopted by Sabine Jacques which views the term parody as a multivalent is more appropriate at the moment, meaning that Article 5(3)(k) of the InfoSoc Directive is unlikely to apply to all forms of musical remixes. The European Copyright Society (ECS) has, however, posited the notion that Article 17 of the Digital Single Market Directive (DSM), discussed in greater detail below, could potentially allow for Member States to “take a fresh look at the concept of ‘pastiche’ and clarify that the exemption of pastiches is intended to offer room for user generated content”.115 Furthermore, the ECS proposes that Emily Hudson’s interpretation of how such an exception would apply be used as “guidelines for a sufficiently flexible application of the pastiche exemption in the light of the underlying guarantee of free expression”.116 Hence, if Article 17 of the DSM does indeed result in Member States actively recognising a pastiche exception similar to that described by Emily Hudson, then as above mentioned both forms of remixing could potentially avoid being regarded as amounting to copyright infringement, thereby providing remixes with access to markets and consequently creating a gateway toward supporting musical creativity under this perception of creativity. However, how Member States implement Article 17 of the DSM remains to be seen. Finally, the CJEU in Pelham v Hutter stated that “where a user, in exercising the freedom of the arts, takes a sound sample from a phonogram in order to use it, in a modified form unrecognisable to the ear, in a new work, it must be held that such use does not constitute ‘reproduction’ within the meaning of Article 2(c) of Directive 2001/29”. Hence, if a sample is no longer recognisable, the remix itself is no longer recognised as a remix. It can thus be deduced that provided a remix in the form of a sample is essentially no longer recognised as a remix, it may avoid being regarded as amounting to copyright infringement. However, successful remixes owe their success to the fact that they build upon a recognisable song.117 Hence, using the CJEU’s analysis, it is unlikely that any remixes will be exempt from infringement.

113

Miranda Branco Tomé Quintais (2017), p. 204. Hudson (2017), p. 364. 115 Metzger and Senftleben (2020), p. 13. 116 Ibid. 117 Ferguson K (2015) Everything is a Remix. 114

196

3.2.3

G. D. Vrakas

Right Clearance and Notice and Takedowns

Right clearance refers to the process of obtaining permission to reuse another artist’s work. Having established that without prior consent both sampling and mashups will most likely be treated as infringing copyright and that it is unlikely that any exceptions apply, one could argue that if the process for acquiring permission is accessible, then the aforementioned hurdles are surpassed. However, the rights clearance process has been characterised as both expensive118 and extremely lengthy.119 In order to get a license to reuse a work, a remix artist must first identify the copyright owner of the song intended to be reused. This may in itself prove to be complicated since copyright is not a registered right.120 For instance, Girl Talk, a mashup artist who reuses vast amounts of songs to create remixes, demonstrated a willingness to compensate artists whose songs he reuses but an inability to do so due to elaborate rights clearance processes.121 When a remix artist has identified the copyright owner, a license may be acquired directly either from the copyright owner or through a collecting society, thereby further complicating this process since a prosumer may have to search a number of sources in order to find the respective rightsholders and attempt to seek permission to reuse an aspect of their work. There may also be co-ownership over any aspect of an original song. Co-ownership is commonplace in music since collaboration is common in song writing.122 This further complicates the right clearance process for prosumers, who may have to seek permission to reuse a single aspect of a work (e.g. the lyrics) from multiple copyright owners, their respective labels/publishers and/or their respective collecting societies. Furthermore, even if rights are allegedly cleared, due to the intricate process of acquiring rights, it may still result in infringement claims.123 Consequently, it is contested that the right clearance process also stifles creativity since it acts as a barrier toward remixes reaching the market. Nevertheless, as a result of the rise of UGC-orientated websites like YouTube and their interpretation and subsequent implementation of copyright and related enforcement regimes such as the so-called safe harbour provisions, prosumers of music nowadays have the option of disseminating their works on platforms like YouTube without the need for prior permission. This is what one could refer to as the “pseudopathway to right clearance”. This ultimately shifts the burden of right clearance from 118

Jackson B (2012) Why Remix Culture Needs New Copyright Laws. In: BuzzFeed NEWS. https://www.buzzfeed.com/benjaminj4/why-remix-culture-needs-new-copyright-laws?utm_ term¼.ex4ym407Jm#.wvYRExKN8E. Accessed 14 May 2017. 119 Jacques (2015a). Lessig (2008). 120 Harcourt et al. (2015). 121 Hartrell (2009). 122 Harcourt et al. (2015), p. 26. Also see s10A CPDA 1988. 123 Confetti Records & Others v Warner Music UK Ltd (2003) EWHC 1274; For a US case see: Estate of James Oscar Smith v Cash Money Records, Inc., et al. No. 1:14-cv-02703 (S.D.N.Y. May 30, 2017).

7 Does Copyright Support Musical Creativity in a Remix Era?

197

prosumers of music to website operators. This pathway is not traditionally thought of as acting as a “pathway” to right clearance since there is no pursuit for obtainment of authorisation. Bearing in mind the fact that copyright is a private right, meaning that unless a rightsholder enforces their right, no infringement claims will be brought to light, and due to the fact that UGC-orientated platforms have made it easier for prosumers to disseminate their works without prior permission, a method of policing musical remixes online had to be developed. Platforms like YouTube developed what are known as digital fingerprinting mechanisms, which are essentially databases that track every individual work that is uploaded to the platform against a database of copyright-protected works. Consequently, upon uploading an unauthorised remix to YouTube, Content ID124 will pick up on any alleged infringements—provided the copyright-protected work has been registered to YouTube’s Content ID database— and notify the relevant rightsholders of this. The rightsholders then have the option to either “(1) Take the video down; (2) Leave the video up and monetize it via advertisement; or (3) Leave the video up without an advertisement”.125 Content ID has not only made it easier for prosumers of music to circumvent the rights clearance process but has also made it easier for rightsholders to track and take action against alleged copyright infringements.126 YouTube’s Content ID was born out of a need to comply with the aforementioned “safe harbour” regimes. Provided an online platform complies with these lex specialis, then they can avoid liability for copyright infringements committed on their platform by their users. The EU’s safe harbour provisions are found under Articles 12–14 of the E-Commerce Directive and are applicable to an information society service provider (ISSP) that does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent or if upon the acquisition of knowledge the provider acts expeditiously to remove such content. This is what essentially creates what is more commonly referred to as a “notice and takedown” regime, whereby a platform must act expeditiously to remove allegedly infringing works that it has obtained knowledge of. In Google France Sarl v Louis Vuitton Malletier SA, the CJEU held that an ISSP could rely on the hosting defence only if it has not played an active role of such a kind as to give it knowledge of, or control over, the data stored.127 When considering this issue further in L'Oreal SA v eBay International AG, the CJEU held that eBay would have played an active role if it provided assistance, including “optimising the presentation of the offers for sale. . . or promoting those offers”.128 If so, eBay would not be able to rely on the hosting exemption. Hence, upon YouTube’s Content ID picking up on an alleged

YouTube’s own digital fingerprinting mechanism. Heald (2014). 126 Erickson and Kretschmer (2018), p. 7. 127 (C-236/08) [2011] Bus. L.R. 1. 128 (C-324/09) [2012] Bus. L.R. 1369. 124 125

198

G. D. Vrakas

infringement committed by a prosumer, it will be regarded as having obtained knowledge of that infringement and must act expeditiously to remove such content. It is contested, however, that platforms like YouTube have chosen to follow the US provisions for avoiding liability found under s512(c) of the DMCA. This is evident in the implementation of counter-notices that are a direct requirement of the DMCA but not of the EU’s counterpart. The aim of the counter-notice is that the “alleged infringers are to be protected from mistaken takedowns and misuse of this rather remarkable extra-judicial process principally through a counter notice procedure”.129 Hence, following the notice and takedown procedure, YouTube is under an obligation to notify the alleged infringer, who then has the option to file a counterclaim. YouTube’s implementation of the DMCA, is however, still in line with the EU notice and takedown regime. Taking a synoptic view of the above mentioned, it can be deduced that existing copyright regimes may be restricting musical remixes from reaching the market, which under this perception of creativity translate to them not being regarded as creative works. However, the way in which platforms like YouTube have operationalised such regimes may have created new avenues for musical remixes to reach the market through the “pseudo-pathway” to right clearance and, thus, have the opportunity of being regarded as creative. However, in an attempt to modernise EU copyright law, on the 17th of May 2019, the DSM was published.130 This new directive contains a number of lex specialis, which may potentially alter the landscape for UGC-orientated platforms like YouTube. The DSM “is one of the longest acquis communautaire with 86 Recitals and 32 Articles”.131 However, the most notable and arguably most controversial change will likely be brought about by the second chapter of Title IV, namely Article 17 of the DSM. Article 17 of the DSM, which is primarily aimed at addressing the so-called value gap,132 aims to do so by imposing strict liability rules on UGC-orientated platforms, for their users’ copyright infringements. Namely, Article 17(1) of the DSM states that online content-sharing service providers (OCSSPs) perform “an act of communication to the public or an act of making available to the public for the purposes of this Directive when it gives the public access to copyright-protected works or other protected subject matter uploaded by its users”.133 As a result, platforms like

129

Urban and Quilter (2006). Directive on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC [2019] OJ 2 130/92. 131 João Quintais (2019). 132 João Quintais (2019), p. 37; Samuelson (2020), p. 218; Trapova (2019), p. 276. The value gap is a term coined in this respect by the music industry, and essentially purports that there is an unfair imbalance between the revenue generated from unauthorised content by UGC orientated platforms and the amount of revenues returned to the rightsholders whose works are being reused without authorisation. 133 Directive on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC [2019] OJ 2 130/92, Article 17(1). 130

7 Does Copyright Support Musical Creativity in a Remix Era?

199

YouTube can now be held liable for any infringements committed by their users, and Article 17(3) removes the ability of such platforms to rely on any of the safe harbour provisions found under the E-Commerce Directive. Consequently, it is posited that, in theory, platforms like YouTube will now have to alter the way they operate to comply with the DSM and avoid liability for their users’ copyright infringements. But whether this will substantially change the landscape for such platforms remains to be seen. For instance, the DSM has been characterised as creating a new safe harbour for OCSSPs.134 Platforms like YouTube can still escape liability for their users’ infringements, provided that they have made their best effort to obtain authorisation in the form of a license which covers the actions of a platform’s users135 or, where authorisation is not possible, the platform has “made, in accordance with high industry standards of professional diligence, best efforts to ensure the unavailability of specific works and other subject matter for which the rightholders have provided the service providers with the relevant and necessary information”136 and “acted expeditiously, upon receiving a sufficiently substantiated notice from the rightholders, to disable access to, or to remove from their websites, the notified works or other subject matter, and made best efforts to prevent their future uploads in accordance with point (b)”.137 Hence, this essentially builds upon the existing safe harbour provisions and allows for prosumers to continue to utilise the “pseudopathway” to right clearance as an avenue to reaching the market and thus have the opportunity of being regarded as creative. 3.2.4

Moral Rights

Moral right infringement claims may also restrict remixes from reaching the market. Moral rights have not yet been fully harmonised throughout the EU but have received a degree of harmonisation through Article 6bis of the Berne Convention for the Protection of Literary and Artistic Works.138 This article provides that: . . . the author shall have the right to claim authorship of the work and to object to any distortion, mutilation or other modification of, or other derogatory action in relation to, the said work, which would be prejudicial to his honour or reputation.

In the UK, the respective moral rights of “paternity” and “integrity” are protected under sections 77 and 80 of the CDPA, respectively. The paternity right could be regarded as an attribution right. It is the right to be identified as the author of a work when that work is communicated to the public. The integrity right allows for the 134

Hansson (2020), p. 96. Directive on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC [2019] OJ 2 130/92, Article 17(2), Article 17(4)(a). 136 Ibid, Article 17(4)(b). 137 Ibid, Article 17(4)(c). 138 Cabay and Lambrecht (2015), p. 366. 135

200

G. D. Vrakas

original author of a work to object to any derogatory treatment, thereby granting them with a certain degree of control as to how their works are exploited. With regard to mashups, it is common practice to refer to the original authors.139 Hence, mashups will commonly not encounter any issues with regard to infringement of paternity rights. Additionally, it is common practice for contracts in the music industry to ask of artists to waive their paternity right,140 meaning that even if a mashup artist failed to attribute an original artist whose song they reused in the creation of a mashup, it is unlikely that the original artist would be able to make a claim. Moreover, the paternity right is easily satisfied.141 Hence, provided sampling artists correctly attribute their works, it is unlikely that they will face any issues with paternity right infringements either. However, the integrity right is not as straightforward. Moreover, there is little UK case law relating to remixing and moral rights infringement.142 However, to establish whether remixing could amount to “derogatory” treatment, it is first necessary to establish whether a “treatment” exists. Section 80(2)(a) of the CDPA states that any “addition or deletion” will amount to a treatment of the work. In Morrison Leahy Music Limited and Another v Lightbond Limited, the sampling of a song amounted to a treatment. The definition of “treatment” is, however, narrower in the UK when compared to the wording of Article 6bis of the Berne Convention, which allows for an author to object to “any [. . .] derogatory action”. As such, in the UK, merely changing the context in which a song is heard will not amount to a treatment, but it would under the Berne Convention. Bearing in mind the definitions provided in section 1, it is evident that a remix will give rise to a treatment of a work for the purposes of section 80(2)(a) of the CDPA. Nevertheless, it is unlikely that remixing will be seen as amounting to “derogatory” treatment. This can be deduced by taking a synoptic view of UK decisions relating to moral rights. They seem to imply that the mere reproduction of a musical work in good faith without, for instance, changing the lyrics will not amount to an infringement of an original author’s right of integrity.143 Hence, it can be deduced that it is unlikely that moral rights have an impact on creativity stemming from musical remixes.

139

Potter (2013). Ibid. The Berne Convention does not expressly mention whether or not waiving of moral rights is prohibited or alternatively, permitted and this is left as a matter of contract law. As a result, there are variations between signatories to the Berne Convention regarding the matter. 141 Jacques (2015a). 142 Ibid. 143 Harrison v Harrison (2010) ECDR 12, at 84–85; Sainsbury (2007). 140

7 Does Copyright Support Musical Creativity in a Remix Era?

3.2.5

201

Summary of How Copyright and Related Enforcement Regimes Restrict Remixes from Reaching the Market

It can be concluded that musical remixes amount to copyright infringement and that it is unlikely that any of the existing copyright exceptions will apply. Furthermore, intricate right clearance processes make it harder to authorise musical remixes. However, platforms like YouTube have made it easier for prosumers of music to disseminate their works through the “pseudo-pathway” to right clearance. The implementation of digital fingerprinting mechanisms has also made it easier for rightsholders to track and take action against unauthorised musical remixes. Finally, it is unlikely that moral rights infringement claims, at least in the UK, will stop musical remixes from reaching the market. Hence, although copyright itself acts as a barrier to musical remixes reaching the market, the operationalisation of copyright and related enforcement regimes by platforms like YouTube has opened up new avenues to creativity, by allowing for certain musical remixes that rightsholders deem appropriate, to reach the market.

3.3

Everything Is a Remix

The final perception of creativity that will be explored argues that everything “new” that is created is based upon past experiences.144 As such, no creative works are ever truly original since “potential authors” are influenced by already existing works.145 This is to a certain extent true and is to a certain extent exemplified by the continuous introduction of new subgenres of music that are based upon already existing traditional genres. For instance, under the genre of blues, there are a number of subgenres such as acoustic blues, Chicago blues and classic blues, which are different variations of blues but build upon the traditional “blues” genre. Moreover, music follows specific rules such as chord progression formulas. Consequently, unless someone thinks outside of the box, they will not truly be novel.146 Nevertheless, most western music that is based upon the same rules is still considered as being creative.147 As per Keith Richards “there’s only one song, and Adam and Eve wrote it”.148 Hence, Kirby Ferguson, an American filmmaker, argues that creativity is made up of three constituent elements: copy, transform and combine.149 Copying refers to the past experiences that artists build upon. Transforming refers to the “creative process” 144

Ward (1995), Finke (1995), Nickerson (1999), Rahmatian (2011). Litman (1990), p. 966. 146 Rahmatian (2005). 147 Steel (2015). 148 West (2009). 149 Ferguson K (2015) Everything is a Remix, 6:15. 145

202

G. D. Vrakas

in which the initial work is edited. This could be seen as the stage at which editing takes place in the musical remix process. Finally, Ferguson argues that creative leaps can be achieved by merging already existing ideas since it hints toward something that is already familiar.150 Thus, under this perception of creativity, all forms of musical remixes are regarded as being creative, irrespective of whether or not they are protected by copyright or if they amount to infringement. Nonetheless, above, it was demonstrated that musical remixes are often not awarded copyright protection and that copyright and related enforcement regimes often restrict musical remixes from reaching the market. Why are some forms of music treated differently by copyright and related enforcement regimes? It is thus posited that although under this perception of creativity all forms of musical remixes are regarded as being creative, irrespective of their interactions with copyright, stringent copyright and related enforcement regimes not specifically attuned toward regulating musical remixes apply concurrently and ultimately result in stifling creativity.

4 Conclusion The first perception of creativity that was explored draws a parallel between copyright protection and creativity. The way in which originality is tested in the EU and UK creates the impression that musical remixes are not creative. The second perception of creativity explored correlates quality and creativity. Quality is assessed on the basis of market success, and overly restrictive copyright and related enforcement regimes act as barriers to musical remixes reaching the market. However, the operationalisation of such regimes by platforms like YouTube has opened up new avenues for musical remixes to reach the market and thus have the opportunity of being regarded as creative. The final perception of creativity argues that everything is a remix. Hence, under this perception of creativity, all forms of musical remixes are regarded as being creative, irrespective of whether or not they are protected by copyright or if they amount to infringement. Nonetheless, stringent copyright and related enforcement regimes not specifically attuned toward regulating musical remixes apply concurrently and ultimately result in unfairly stifling creativity.

150

Ibid.

7 Does Copyright Support Musical Creativity in a Remix Era?

203

References Abrams HB (1992) Originality and creativity in Copyright law. Law Contemp Probl 55:3–44 Adebiyi O (2014) ‘Law imitating life’: will the day ever come? Parody, caricature, and pastiche. Entertain Law Rev 25:243–245 Bently L, Sherman B, Gangjee D, Johnson P (2018) Intellectual property law, 5th edn. OUP, New York Cabay J, Lambrecht M (2015) Remix prohibited: how rigid EU copyright laws inhibit creativity. J Intellect Prop Law Pract 10:359–377. https://doi.org/10.1093/jiplp/jpv015 Cheliotis G (2007) Remix culture: an empirical analysis of creative reuse and the licensing of digital media in online communities. Submission to the First Interdisciplinary Research Workshop on Free Culture Daly S (2005) The sole track that launched commercial Hip-Hop in 1979. Vanity Fair Eble K (2013) This is a remix: remixing music copyright to better protect mashup artists. Univ Ill Law Rev 2013:661–694 Erickson K, Kretschmer M (2018) ‘This Video is Unavailable’: analyzing copyright takedown of user-generated content on YouTube. J Intell Prop Info Technol Electr Commer Law 9:75 Ferguson K (2015) Everything is a remix. Vimeo Finke RA (1995) Case studies of creative thinking: reproduction versus restructuring in the real world. In: Creative cognitive approach. MIT Press, pp 53–72 Hansson S (2020) The digital services act: upgrading liability, responsibility and safety online. Entertain Law Rev 31:94–97 Harcourt A, Edwards A, Malt A et al (2015) Dissecting the digital dollar part one. Music Managers Forum Hartrell D (2009) IP Osgoode Panel: Copyright in the Remix Era Part 2 – An Emerging Consensus Heald PJ (2014) How notice-and-takedown regimes create markets for music on YouTube: an empirical study. SSRN Electron J. https://doi.org/10.2139/ssrn.2416519 Hellweg E (2004) Mix and mash: the mashup is born from a blend of two songs. Edutopia HM Government (2012) Modernising copyright: a modern, robust and flexible framework. The Intellectual Property Office Hudson E (2017) The pastiche exception in copyright law: a case of mashed-up drafting? Intellect Prop Q 4:346–368 Jacques S (2015a) Mash-Ups and mixes: what impact have the recent copyright reforms had on the legality of sampling? SSRN Electr J https://doi.org/10.2139/ssrn.2893261 Jacques S (2015b) Are the new ‘fair dealing’ provisions an improvement on the previous UK law, and why? Part of a wider reform. J Intellect Prop Law Pract 10. https://doi.org/10.1093/jiplp/ jpv137 Jacques S (2015c) Are national courts required to have an (exceptional) European sense of humour? Eur Intellect Prop Rev 37:134–137 Jacques S (2017) Is it original? New French decision on Mankowitz’s famous portrait of Jimi Hendrix. Entertain Law Rev 28:251–253 Jütte Justin B (2014) The EU’s trouble with mashups - from disabling to enabling a digital art form. J Intellect Prop Law Inform Technol E-Commer 172 Jütte Justin B (2019) CJEU permits sampling of phonograms under a de minimis rule and the quotation exception. J Intellect Prop Law Pract 14:827–829. https://doi.org/10.1093/jiplp/ jpz120 Kretschmer M (2012) Does copyright law matter? An empirical analysis of creators’ earnings. SSRN Electr J. https://doi.org/10.2139/ssrn.2063735 Ku RSR, Sun J, Fan Y (2009) Does copyright law promote creativity? An empirical analysis of copyright’s bounty. Vanderbilt Law Rev 63:1669–1746 Lessig L (2008) Remix: making art and commerce thrive in the hybrid economy. A & C Black Litman J (1990) The public domain. Emory Law J 39:965–1023 McAvan E (2006) Boulevard of broken songs: mash-ups as textual re-appropriation of popular music culture. J Media Cult 9

204

G. D. Vrakas

McIntyre H (2016) More and more, it’s the remix that’s actually the hit. Forbes McLeod K, DiCola P (2011) Creative license: the law and culture of digital sampling. Duke University Press Mendis S (2019) Can a digitised version obtain copyright protection Within the EU? In: Mendis S (ed) A copyright gambit: on the need for exclusive rights in digitised versions of public domain textual materials in Europe. Springer, Berlin, pp 121–193 Metzger A, Senftleben M (2020) Comment of the European Copyright society on selected aspects of implementing Article 17 of the Directive on copyright in the digital single market into national law. European Copyright Society Miranda Branco Tomé Quintais JP (2017) Copyright in the age of online access: alternative compensation systems in EU copyright law Nickerson RS (1999) Enhancing creativity. In: Handbook of creativity. Cambridge University Press, pp 392–394 Patrick J (2016) A guide to Pierre Schaeffer, the godfather of sampling. FACT:1–11 Potter W (2013) Music mash-ups: the current australian copyright implications, moral rights and fair dealing in the remix era. Deakin Law Rev 17:349. https://doi.org/10.21153/ dlr2012vol17no2art84 Quintais J (2019) The New Copyright in the Digital Single Market Directive: A Critical Look. https://doi.org/10.2139/ssrn.3424770 Rahmatian A (2005) Music and creativity as perceived by copyright law. Intellect Prop Q 3:267–293 Rahmatian A (2011) Copyright and creativity: the making of property rights in creative works. Edward Elgar Pub Rahmatian A (2013) Originality in UK copyright law: the old ‘skill and labour’ Doctrine under pressure. IIC - Int Rev Intellect Prop Compet Law 44:4–34. https://doi.org/10.1007/s40319012-0003-4 Robinson A (2005) Hyperion Records Ltd v Dr Lionel Sawkins: it’s like that and that’s the way it is. Entertain Law Rev 16:191–195 Rosati E (2013) Originality in EU copyright: full harmonisation through case law. Edward Elgar Publishing Rostama G (2015) Remix culture and Amateur creativity: a copyright Dilemma. WIPO Magazine Sainsbury M (2007) Parody, Satire, Honour and reputation: the interplay between economic and moral rights. Aust Intellect Prop J 18:149 Samuelson P (2020) Regulating technology through copyright law: a comparative perspective. EIPR: Eur Intellect Prop Rev 42:214–222 Sexton J (2007) Introduction. In: Sexton J (ed) Music, sound and multimedia: from the live to the virtual. Edinburgh University Press, pp 1–14 Sinnreich A (2010) Mashed up: music, technology, and the rise of configurable culture. University of Massachusetts Press Steel E (2015) Original sin: reconciling originality in copyright with music as an evolutionary art form. Eur Intellect Prop Rev 37:66 Sunder M (2006) IP3. Stanford Law Rev 59:257 Toffler A (1980) The third wave. Morrow Trapova A (2019) Reviving collective management – will CMOs become the true mediators they ought to be in the digital single market? Europ Intellect Prop Rev 42:5 Triaille J-P (2013) Study on the Application of Directive 2001/29/EC on Copyright and Related Rights in the Information Society (The INFOSOC Directive). https://doi.org/10.2780/90141 Urban J, Quilter L (2006) Efficient process or ‘chilling effects’? Takedown Notices Under Section 512 of the Digital Millennium Copyright Act Ward TB (1995) What’s old about new ideas? In: Creative cognitive approach. MIT Press, pp 157–178 West JP (2009) What would Keith Richards do? daily affirmations from a rock ‘n’ roll survivor. Bloomsbury

Chapter 8

Directive on Copyright in the Digital Single Market and Freedom of Expression: The EU’s Online Dilemma Sevra Guler Guzel

Abstract This chapter focuses on one of the most heavily disputed legislative acts in the EU history, the Directive on Copyright in the Digital Single Market. When it comes to the online enforcement of the IP rights, it is essential to strike the fair balance between fundamental rights in the Charter of Fundamental Rights of the European Union, in particular, the freedom of expression, and the right to property, including intellectual property. Thus, this will paper will investigate the negative outcomes of Article 17 by examining the incompatibilities of content recognition and filtering technologies with the freedom of expression under Article 10 of Charter. Also, it will critically examine the safeguards introduced by the CDSM Directive against Article 17’s obligations and suggest a number of necessary safeguards. This paper is based on the in-depth analysis of primary sources like EU legislation: Article 17 of the CDSM Directive with its Recitals 61 and 70; Article 15 of the E-Commerce Directive with its Recitals 47 and 48, Recital 59 and Articles 8 and 15 of The InfoSoc Directive; Article 11 and Article 52 of the EU Charter of Fundamental rights; Article10 of the European Convention on Human Rights (ECHR); and relevant case law of the CJEU and ECtHR, along with recent academic sources.

1 Introduction Enforcement practice of injunctions has gained popularity in recent years to enforce intellectual property rights both in the EU and the UK.1 However, there is a delicate balance between user’s and platform’s fundamental rights, like user’s freedom of expression, platform’s freedom to conduct a business and on the other hand, creative market’s intellectual property rights. The Internet and digital technologies have

1

Husovec (2017) and Roy and Marsoof (2016).

S. G. Guzel (*) University of Hertfordshire De Havilland Campus, Hatfield, UK e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_8

205

206

S. G. Guzel

expanded the possibilities of individuals and media to exercise the right to freedom of expression and free access to online information.2 Every minute, on average Snapchat shares 527,760 photos, users watch 4,146,600 YouTube videos, 456,000 tweets are sent on Twitter, and Instagram users post 46,740 photos. These platforms of the online world play a key role in the freedom of expression and communication of people worldwide. As a matter of course, both groups are expecting legal protection in the hectic digital environment. Using injunctions against intermediaries for online enforcement of the rightholders’ intellectual property rights seems convenient since determining the identity of primary infringers is usually challenging and as a business entity, intermediaries are more capable of paying the damages. However, this focus on the non-wrongdoer intermediaries is open to upset the fair balance by disrespecting various fundamental rights.3 Especially, where a trend towards ever-stronger IP protection has been rising in the EU, the adverse outcomes of the property protection of copyright for the balancing exercise with freedom of expression claims should not be underestimated.4 The disproportionate injunctions against intermediaries cause a violation of freedoms under the Charter while enforcing or protecting IP rights, and this can strip citizens of their fundamental rights. Both the InfoSoc Directive5 and the E-Commerce6 directives, as well as their interpretation by the Courts, are failing to give a clear guideline for finding the liability of online content-sharing service providers (OCSSPs) for online IP rights infringement. Therefore, the legal framework does not provide for the checks and balances necessary to achieve a proper balance of all fundamental rights and freedoms involved. This ambiguous framework affects the balancing exercises. The different applications of the principles to balance the fundamental rights fail to set the desired fair balance between IP protection and the freedoms; subsequently, this non-homogenous practice caused more legal uncertainty. The fact that some gaps cannot fill with the harmonisation at the EU level made the new specialised framework on the issue a crucial need. To achieve that specialised framework and comply with the growing need of reform the framework for the injunctions against intermediaries, the European Parliament adopted one of the most heavily disputed legislative acts in the EU

2 Council of the European Union, EU Human Rights Guidelines on Freedom of Expression Online and Offline, Foreign Affairs Council meeting (2014). 3 Riordan (2016). 4 Communication from The Commission to The European Parliament, ‘Towards a renewed consensus on the enforcement of Intellectual Property Rights: An EU Action Plan’ COM/2014/0392 final. 5 Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of certain aspects of copyright and related rights in the information society (‘The InfoSoc Directive’), OJ L 167. 6 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (‘The E-Commerce Directive’), OJ L 178.

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

207

history, the Directive on Copyright in the Digital Single Market on 26th March 2019. Unfortunately, this new Directive failed to achieve the objective of solving the problems with striking the fair balance between conflicting fundamental rights. This Directive’s notorious Article 13 (which in the final text became Article 17) regulates the use of the copyrighted content by the service providers and lays down filter obligations for them which are intended to prevent future copyright infringements. According to this article, content must be reviewed by online content providers before it can be uploaded by the users and made available to the public which means the exception of the liability provided by the safe harbours for hosting providers shall no longer apply to these cases. Also, when the large volume of uploaded content considered, it would be challenging to apply Article 17 in practice without using the upload filters since a content review on that scale would be only possible with those filters. However, the use of filter systems will lead to over-blocking of legitimate use as upload filter systems are not yet capable of detecting the important copyright exceptions like memes, GIFs, parody or pastiche and not capable of distinguishing between lawful and unlawful content in this context.7 This incapability will naturally constitute a restriction of the freedom of expression by violating Article 10 European Convention on Human Rights (ECHR) and Article 11 Charter of Fundamental Rights of the European Union (the EU Charter), which is one of the biggest concerns about Article 17. In addition to this critical incompatibility, the implementation of the ‘upload filters’ by the online platforms to comply with the obligations of Article 17 will lead to general monitoring which causes a serious clash with other EU Directives as well as with the General principles of the European Union law as it stated in many decisions by the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR).8 This situation leaves the online platforms with the obligation of meeting the conflicting requirements; on the one hand, the prevention of future infringements; protection of IP and related rights and on the other, the prohibition of general monitoring obligations for hosting providers; protection of freedom of expression, privacy and related rights. Ultimately, these undesirable results are raising the importance of the safeguards on a critical level to protect the fundamental rights in the online environment.

7

Cambridge Consultants (2019), p. 34. Article 15 of E Commerce Directive, CJEU, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), C-70/10; CJEU, Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog, C-360/10.; L’Oréal SA and Others v eBay International AG and Others, C-324/09. 8

208

S. G. Guzel

2 Literature Review The European Union law prescribes its Member States to provide injunctions against intermediaries in respect of infringements of the intellectual property rights,9 even if the intermediaries themselves are not so liable, the plaintiffs can apply for injunctions against Internet access providers who are not liable under tort law.10 As a matter of course, subject matter injunctions against intermediaries must comply with a number of legislative sources and principles.11 While applying these injunctions, as the primary source for the EU law, the EU Charter12 should expressly be recognised. Because of this status of Charter, the CJEU has developed various tools to ease the tension between intellectual property rights and the principles of the Charter.13 In its continuous struggle for moderating private IP disputes via human rights,14 the CJEU has already examined the conflicts between the protection of intellectual property (Article 17) and the other fundamental rights: the rights to private and family life (Article 7)15 secrecy of communications (Article 7),16 personal data (Article 8),17 freedom to conduct a business (Article 16)18 and right to property (Article 17)19 and most importantly, freedom of expression and information (Article 11).20 In addition to CJEU, the European Court of Human Rights also examined the conflict between fundamental rights in many cases and applied the principle of proportionality of the EU copyright to the lightly regulated areas like online copyright enforcement procedures.21 In the landmark case of Ashby Donald

9 Recital 59 and Article 8(3) of The InfoSoc Directive; Article 11(III) of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (‘The Enforcement Directive’), OJ L 157. 10 Husovec (2014), pp. 631–634. 11 Rosati (2017), p. 340. 12 Charter of Fundamental Rights of the European Union OJ C 326, (hereinafter: ‘Charter’). 13 Strowel and Kim (2014), pp. 121–142. 14 Husovec (2017). 15 CJEU, Promusicae v Telefónica de España (Promusicae), Case C-275/06, Judgement of 29 January 2008; CJEU, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (Scarlet Extended), Case C-70/10 Judgement of 24 November 2011, Opinion of AG Villalon, par. 71. 16 Scarlet Extended, Opinion of AG Villalon, para 71. 17 CJEU, Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog NV (Netlog), Case C-360/10, Judgement of 16 February 2012, par. 49; Scarlet Extended, para 50; Scarlet, Opinion of AG Villalon, par. 71. 18 Scarlet Extended, par. 46; Netlog, para. 44; CJEU, UPC Telekabel Wien GmbH v. Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH, Case C-314/12 Judgement of 27 March 2014, par. 47; UPC Telekabel, Opinion of AG Villalon, par. 83. 19 Scarlet Extended, Opinion of AG Villalon, par. 71. 20 Scarlet Extended, Opinion of AG Villalon, par. 71.; Netlog, par. 50; UPC Telekabel, Opinion of Advocate General Cruz Villalón, par. 86. 21 Teunissen (2018), p. 583.

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

209

and others v. France,22 ECtHR clarified, for the first time in a judgment, that a conviction which restricts freedom of expression based on copyright law must be relevantly motivated as being necessary in a democratic society, in addition to being prescribed by law and pursuing a legitimate aim.23 Correspondingly, the Council of the European Union issued new guidelines on freedom of expression in 2014 underlining that the principles of obligations to respect human rights’ apply equally in the online and offline environments by stating ‘Any restriction that prevents the flow of information offline or online must be in line with permissible limitations as set out in international human rights law’. Any restraints on the rights of others must be appropriate,24 necessary and proportionate25 and must not conflict with civil liberties and human rights.26Also, the injunctions must be effective, dissuasive, equitable, proportionate and safeguarded to ensure a fair balance between protection of the intellectual property rights and the other relevant fundamental rights.27 Hence, the Member States are not entirely at liberty to design the injunctions at their own discretion.28 To achieve the fair balance between conflicting fundamental rights, the remedies against Internet intermediaries also should be subject to safeguards and fair processes.29 To ensure the desired level of efficiency on the Internet, legislators prescribed the limitation of the liability of the intermediaries in the cases of infringements as a safeguard and regarding users, these appropriate safeguards adopted for the protection of the non-wrongdoing subscribers’ fundamental rights.30 However, as it can be seen from the case law, the safe harbour provisions were neither effective nor efficient.31 It is not surprising that those provisions did not meet the needs of intermediaries, proprietors and Internet users since safeguard policies drafted around the turn of the millennium, at the time when social media and the auctions on the Internet were just an inexperienced sensation, and electronic commerce was observed as ‘embryonic and fragile’.32 The current case law is also failing to

22

ECtHR, Ashby Donald and others v. France, App. no. 36769/08, 10 January 2013. Voorhoof and Høedt-Rasmussen (2013). 24 Promusicae, para. 49; Promusicae, Opinion of AG Kokott, para. 54; Telekabel Wien, Opinion of AG Villalón, paras. 94–103. 25 Article 52(1) of Charter; Recital 58 and Article 8 of The InfoSoc Directive; Article 3(2) of The Enforcement Directive. 26 Riordan (2016). 27 Article 3(2) of The Enforcement Directive; CJEU, L’Oréal SA and Others v eBay International AG and Others, C-324/09, Judgment of 12 July 2011, paras. 138–141.; CJEU, Tommy Hilfiger Licensing LLC and Others v DELTA CENTER a.s, C-494/15, Judgment of 7 July 2016, para 34. 28 UPC Telekabel, Opinion of Advocate General Cruz Villalón para 73. 29 Riordan (2016). 30 Ibid. 31 Friedmann (2014), p. 148. 32 Wyckoff and Colecchia (1999), p. 12. 23

210

S. G. Guzel

illuminate the place that fair balance lies and the balancing scales for the case by case weighing of the fundamental rights are missing.33 This lack of guidance related to the notion of ‘fair balance’ between fundamental rights with the injunctions against intermediaries which clashes in different ways with legal mechanisms like the fair balance fed the need for comprehensive legislative reform in the scope of the EU. To fulfil this need, after the two-year-long process, the European Parliament adopted the Directive on Copyright in the Digital Single Market (The CDSM Directive).34 Following a debate, 348 Members of the European Parliament (MEPs) voted in favour of the Directive, while 274 voted against it and 36 abstained. With 86 Recitals and 32 Articles, the CDSM Directive is one of the longest in the copyright acquis. Although this Directive announced as a significant step towards a modern, more European copyright framework by the European Commission,35 some academics described it just a rebranding the same old approach.36 The Directive has become notorious in time. Mainly because of its Article 17, which regulates the use of the copyrighted content by the service providers. This article is part of a wide-ranging policy push in the EU towards increased responsibility of OCSSPs. The definition of the OCSSPs can be found in Article 2(6) of the Directive as platforms with main (or one of the main) purposes of to store and give the public access to a large amount of copyright-protected works or other protected subjectmatter uploaded by its users, which organises and promotes this works and uploaded content for profit-making.37 Unfortunately, this policy push comes at the expense of the individuals’ online freedom of expression. The incompatibility of the preventive obligations of the CDSM Directive with the Charter of Fundamental Rights of the EU has been underlined by many academics during the legislative process.38 Article 17 tried to rule out some criticism that it received during its proposal stage with introducing the following requirements in its final version for the hosting services’ liability for the filtering obligations: If the subject matter service has been available in the EU for less than three years and has an annual turnover below 10 million Euro, then as an OCSSPs only need to: (1) Make the best efforts to secure a licence

33

Angelopoulos (2015), pp. 72–96. Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market (‘CDSM Directive’) and amending Directives 96/9/EC and 2001/29/EC, OJ L 130, pp. 92–125. 35 European Commission, Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions Towards A Modern, More European Copyright Framework COM/2015/0626 Final. 36 Farrand (2019a, b). 37 Angelopoulos and Quintais (2019). 38 For a critical approach on CDSM Directive see Stalla-Bourdillon et al. (2016), Angelopoulos (2017), Frosio and Mendis (2019), Quintais et al. (2019) for more possitive approach see Visser (2019) and Leistner (2020). 34

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

211

(2) Act expeditiously upon receiving a sufficiently sustained notice to disable access to or remove content. However, if the average number of monthly unique visitors exceeds 5 million, then OCSSPs also need to make the best effort to prevent future uploads.39 Nevertheless, these exemptions are responses to concerns about the business and competitive harms associated with the requirements of the article, namely licensing and implementation of technical measures, are not enough and not practical. The exceptions for new businesses in the article are quite limited so only a very spesific types of platforms can benefit from these exceptions. Thus, they are not enough to eliminate the risk of disruption of the EU start-ups against leading actors of the Internet like Facebook and YouTube. The ineffectiveness of this exceptions introduced for the start-ups causes from the Directive’s ‘quantity-quality’ confusion: Directive confuses hosting ‘large amounts of content’ with hosting large amount of infringing content but smaller OCSSPs with diverse uploaded content should not be required to meet the same standards as tech giants.40 Another reason for their ineffectiveness is the high possibility for the start-up incubation of small OCSSPs to last way longer than three years since OCCSP market is a highly monopolised one.41 Thus, the effect of these exemptions on the concerns about freedom of expression will be none or little. The topic of this chapter and the most concerning point about the Article 17 is how it upsets the balance between IP protection and other fundamental rights, especially, freedom of expression with its requirements for the IP enforcement.

3 Licensing While the question of ‘whether an online video sharing platform, such as YouTube, performs an act of communication to the public within the meaning of Article 3 InfoSoc Directive when its users upload copyright-infringing content to its platform’ is still in front of CJEU,42 Article 17(1) of the CDSM Directive changed the existing law instead of clarifying it by separating the act of communication to the public from act of making available. With the recent case law,43 CJEU made it clear that the right of communication to the public also covers digital matters like hyperlinking to infringing content with GS Media ruling and operating a platform

39

Article 17(6) of CDSM Directive. Frosio (2020), p. 20; Metzger et al. (2020), p. 8. 41 Frosio (2020), p. 14. 42 In the pending cases of CJEU, Youtube, C-682/18 and CJEU, Elsevier, C-683/18. 43 CJEU, SGAE, Case C-306/05, Judgement of 7 December 2006, paras. 33 and 34, and CJEU, Football Association Premier League and Others, Case C-403/08 and C-429/08, Judgement of 4 October 2011, paras. 184 and 185. 40

212

S. G. Guzel

on which copyright infringing content is shared with The Pirate Bay ruling.44 However, the area of the online content sharing service provider platforms like YouTube is still blurred, since they do not have an intention of providing their platform to infringers of third parties’ copyright while Pirate Bay encourages its users to upload infringing content. On the contrary, YouTube prohibits its users from uploading videos that infringe copyright with their technical precautions like Content ID. Article 17(1) states that when an OCSSP gives the public access to copyrightprotected works or other protected subject-matter uploaded by its users, it performs an act of communication to the public. Consequently, OCSSPs should get an authorisation to communicate the user-generated content that fills their platform and the Internet with life. User-generated content (UGC) relies heavily on existing digitalised works like text, images and pictures, music and music videos, films etc.45 Thus, according to Directive, to avoid direct liability, OCSSPs should obtain licences for a wide spectrum of works. In connection with this requirement, Directive also highlights its goal of promoting the growth of the licencing market between OCSSPs and rightholders in its Recital.46 However, keeping these licensing agreements fair and reasonably balanced between both parties, as stated in the Directive is a real challenge.47 Although the content which users upload is unpredictable, the required license should include the whole range of potential posts. Undoubtedly, obtaining an all-embracing licensing deal which would cover the entire possible uploaded content is a challenging task to accomplish even with recourse to voluntary or extended collective licensing.48 This kind of ‘umbrella licences’ would be costly and disproportionate for many platforms.49 On the extent of the required licensing agreements, Article 17(2) states that licenses taken accordingly to the Directive shall only cover private acts of user of the OCSSPs where their activity does not generate significant revenues. This leaves the user protection entirely depending on the extent of the licensing agreement in the situation where obtaining authorisation is troublesome and the way for that is not clear.50 This brings the risk of a significant loss of freedom of expression and information. As long as the licensing deals cover only a limited selection of the content, EU citizens will no longer take an active part in the creation

44

CJEU, GS Media, Case C-160/15, Judgement of 8 September 2016; CJEU, The Pirate Bay, Case C-610/15, Judgement of 14 June 2017. 45 Jütte (2015), p. 11. 46 Recital 61 of the CDSM Directive. 47 Ibid. 48 Angelopoulos and Quintais (2019), p. 38. 49 For mid-sized streaming companies, Audible Magic is quoting on average USD 30,000 to 60,000 per month of licensing fees. Masnick (2016). 50 Leistner (2020).

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

213

of online content since they will not be able to enjoy the freedom of uploading remixes and mash-ups of all kinds of pre-existing material. Also, one should keep in mind that collective rights management is not well established for types of content other than online music, which forms only a section of the user-generated content. Moreover, the provision gives only one example on how to obtain the required authorisation, which is direct licensing from the copyright holder. Where OCSSPs fail to get direct licensing, to meet the best efforts obligation of the Article 17, OCSSPs may have to generally monitor to proactively search for the all copyright protected material and its rightholder and offer suitable licensing conditions which would cause a conflict with Article 17(8) CDSM, and Article 15 E-Commerce Directive and the fundamental rights.51 Another related problem under this licensing obligation is the impoverishment of user-generated content. It is quite likely for the platforms that hostthe user-generated content to focus on mainstream works and the most significant language groups since obtaining licenses that would make providing access to the wide variety of content is difficult, as mentioned above.52 Consequently, this will reduce the possibility of EU citizens to express themselves for a wider audience and to learn about views and expressions of users with diverse social, cultural and ethnical backgrounds. And where these licencing agreements are absent, filtering becomes the norm.53

4 Filtering Technologies The language of the Directive suggests that OCSSPs must filter all types of content proactively, and mandates platforms to comply with these requirements by using technical measures, without specifying them.54 Although filtering technologies have been at the heart of the European debate about Article 17, the Article 17’s wording nor Recitals 61–71 does not use the term ‘upload filters’; instead, the language is generic and technology-natural.55 However, there is an agreement in the literature that the preventive measures mentioned can only be achieved realistically with an obligation to filter and block these specific works with the use of filtering technology, namely with the ‘upload filters’.56 The highly debated Article 17 requires a review of the uploaded content before it can be made available to the public which

51

Metzger et al. (2020), p. 5. Senftleben (2019), p. 5. 53 Frosio (2020). 54 Abecassis and Gann (2018). 55 Metzger et al. (2020), p. 7. 56 Urban et al. (2017), Engstrom and Feamster (2017), Curto (2019), Frosio (2020), Romero Moreno (2020), Senftleben (2019) and Spoerri (2019). 52

214

S. G. Guzel

means the exception of the liability provided by the safe harbours for hosting providers shall no longer apply to these cases. According to Article 17, OCSSPs are required to actively attempt to locate as many illegal content as possible instead of waiting for the report of the unlawful content.57 This change is turning the established notice-and-takedown principle on its head.58 Article mandates Member States to provide that online content-sharing service providers make ‘best efforts’ to ensure the unavailability of copyrightprotected works59 and lays down filter obligations for hosting providers which are intended to prevent future copyright infringements to meet the ‘best efforts’ obligation.60 Although Article 17 avoids mentioning upload filters or technical measures, this ‘best efforts’ obligation constructively requires OCSSPs to implement automatic content recognition systems capable of blocking any claimed content where a rightsholder declines to license.61 This argument recently brought on to CJEU by the Republic of Poland where they pointed out that the imposition of point (b) of Article 17(4) and point (c) of Article 17(4) make it necessary for the service providers to carry out prior automatic verification of content uploaded online by users, and therefore make it necessary to introduce preventive control mechanisms to avoid liability.62 This conclusion has also been conceded by some EU officials and national governments like France and Germany. France’s Minister for Culture, Franck Riester, gave a speech in which he admits that Article 17 requires upload filters. Similarly, German government stated that algorithmic measures would have to be taken in connection with large volumes of data for practical reasons and they suggest that upload filters can only be prevented ‘as far as possible’.63 This concern also pointed out by the Poland government in their recent action: ‘The risks of being held liable will push platforms to carry out prior automatic verification (filtering) of content uploaded online by users, and therefore make it necessary to introduce preventive control mechanisms’.64 Moreover, as an initial challenge, the Directive does not define the concept of ‘best efforts’, although it is the key concept for assessing the liability. There are already different versions of the concept of best efforts in the translations of different Member States for the concept like ‘greater efforts’, ‘all efforts’ and ‘greatest 57

Angelopoulos et al. (2015), p. 9. Engeler (2019). 59 Art. 17 para. 4b of CDSM Directive. 60 Art. 17 para. 4c of CDSM Directive. 61 Bridy (2019). 62 CJEU, Republic of Poland v European Parliament and Council of the European Union, Case C-401/19. 63 Although Steffen Seibert said that the new Directive doesn’t require upload filters, Konstantin Kuhle, provoked the following answer by state secretary (in the Federal Ministry of Justice) Christian Lange (SPD): ‘In the federal government’s view it appears likely that algorithmic measures will have to be taken in connection with large volumes of data for practical reasons alone’. 64 Republic of Poland v European Parliament and Council of the European Union, C-401/19. 58

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

215

efforts’.65 This lack of clear definition will likely result in challenges at different levels, like compliance, judicial interpretation and application of resulting national provisions.66 Thus, Article 17 leaves vagueness and the negative outcomes of the unpreventable upload filters behind.

4.1

Challenges With Filtering Technologies

There are many problems and shortcomings with the required filtering systems as enforcement mechanisms for the identification and removal of online content. As mentioned before, at the current level of technological sophistication, automated content recognition systems are often unable to correctly appreciate the nuances between unauthorised uses of copyright-protected content and uses that are permissible by reason of falling within the ambit of copyright exceptions and limitations.67 All the automated systems currently available to locate potentially infringing material are subject to severe limitations with respect to their accuracy and adaptability.68 Although self-regulated and privatised enforcement tools by online intermediaries considered as a solution, these tools are historically faulty and often lead ‘false positives’ and over-enforcement.69 False positives occurs where the content has been erroneously identified as an infringing material and get removed, which causes over-enforcement.70 Also, removal of the content which is not infringing results in undermining users’ freedom of expression like in the YouTube example, where the platform removed videos which included public domain recordings as a background noise.71 While Article 17 CDSM Directive requires the application of the upload filters to any ‘copyright-protected works or other protected subject-matter uploaded by its users’, most of the current upload filters are narrowly designed for a certain type of copyrighted works such as audio or audio-visual which constitute only a small subsection of the many types of copyrighted content available online.72 Even for this certain type of copyrighted works, they are not able of determining whether or not the actual use of the work constitutes an infringement.

65

Rosati (2019). Ibid. 67 Frosio (2011). 68 Engstrom and Feamster (2017). 69 Sefidari Huici (2018). 70 Erickson and Kretschmer (2018). 71 Bode (2018). German music professor Ulrich Kaiser posted a video where he explained his efforts to provide digitised copies of public domain recordings to students, with some of the copyright-free music in question playing in the background and YouTube’s upload filter, Content ID, had flagged and took down the music for a copyright violation—despite no copyright actually being violated. 72 Spoerri (2019). 66

216

S. G. Guzel

The CJEU recognised these issues cause from upload filters’ limited technological nature in many cases like Scarlet and Netlog. The Court stated that content filtering requirements implicate the expressive rights of Internet users because automated content recognition systems are unable to distinguish between lawful and unlawful content.73 Despite this, the second paragraph of Article 17(7) states that copyright exceptions shall be respected by offering the cooperation between rightholders and OCSSPs shall not result in the prevention of the availability of non-infringing works including the ones which covered by a copyright exception or limitation.74 However, in practice, Article 17(7) is not likely to function. The article does clear how the Member States shall ensure this protection and the lack of harmonisation on the EU level regarding copyright exceptions and limitations is not helping with these filters’ effectiveness. Safeguarding the interests of free expression and information which under the protection of Charter is highly important. This crucial role of the fundamental guarantee of the freedom of expression on users’ copyright exceptions can be seen clearly in CJEU’s decisions like Painer75 and the Deckmyn,76 where CJEU referred to quotations and parodies as user ‘rights’ rather than mere user ‘interests’ and underlined the necessity of ‘fair balance’ between the rights and interests of authors on the one hand, and the rights of users of protected subject-matter on the other, and this importance of the copyright exceptions is repeated in Article 17(7).77 Therefore, while the importance of the copyright exceptions under the EU law underlined many times both by the EU legislation and by the Court in various cases,78 the high risk of failure of the automated systems to determine whether the particular use of a given file is infringing or not (considering the context within which the given file was being used) where the statutory copyright exceptions permit the use of that copyright protected content is not something to turn a blind eye. These filtering systems would drastically restrict the narrow copyright exception regime in the online world and infringe the fundamental rights of creators who benefit from a copyright exception and take away the users’ freedom of expression that follows from statutory copyright exceptions, specifically the quotation right and the right to

73

CJEU, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), C-70/10, para 52.; CJEU, Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog, C-360/10, para 50.; L’Oréal SA and Others v eBay International AG and Others, C-324/09. 74 Art. 17(7) of CDSM Directive. 75 CJEU, Eva-Maria Painer v Standard VerlagsGmbH and Others, Case C-145/10, Judgment of 1 December 2011 par. 132. 76 CJEU, Johan Deckmyn v Helena Vandersteen and Others, Case C-201/13, Judgment of 3 September 2014, par. 35. 77 Geiger and Izyumenko (2018). 78 The CJEU has already interpreted the concepts of ‘parody’ and ‘quotation’ in the InfoSoc Directive as autonomous concepts of the EU law in a number of judgments: Painer (C-145/10), Deckmyn (C-201/13), Funke Medien (C-469/17), Pelham (C-467/17) and Spiegel Online (C-516/ 17).

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

217

parody.79 A dataset of user-generated parody videos hosted on YouTube shows how dramatic the amount of false positives done by upload filters: the overall takedown rate across the whole four-year period was 40.8% of videos, with 32.9% of all takedowns attributable to copyright requests.80 Thus, in practice ensuring the protection of the copyright exceptions is not easy since these exceptions are not likely to be programmed into an algorithm,81 and automated detection of statutory copyright exceptions like parody, quotes or criticism is highly dependent on knowledge about the circumstances of the upload.82 So, undoubtedly, Article 17(7) CDSM Directive does not provide full immunity from filtering obligations in practice.83 Another related problem is the industry reliance; by referring to ‘high industry standards of professional diligence’84 in Article 17, CDSM Directive relies on industry cooperation to prevent excessive content censorship which is quite concerning considering the high risk of a direct effect on the right to freedom of expression. Furthermore, the guidance provided by Article 17(5) focuses on the cost and efficiency factors.85 Thus, the adoption of filtering tools that lead to excessive content blocking seems the reasonable option for UGC platforms which seek to avoid the liability.86 So, there is no doubt that OCSSPs will have clear incentives to implement rather extensive filtering mechanisms to fulfil Article 17’s obligations. These obligations will tempt OCSSPs to over-block since filtering the uploaded content too much is safer than filtering too little in this situation and this will create a ‘shoot-first-ask-questions-later’ atmosphere online.87 Thus, requiring private entities to implement automatic recognition technologies to determine what unauthorised use is an infringement will likely harm the freedom of expression in the online environment. This transfer of the regulation and adjudication of Internet rights to private actors will cause restrictions on the access to information and chilling effects and ultimately threaten freedom of information, freedom of expression and many other fundamental rights. Even more worrying, in the qualitative study of Urban, Karaganis and Schofield where they interviewed 29 OCSSPs, some OCSSPs admitted that the fear of liability might lead them to over-enforce.88 Rightholders are also unconcerned about the limits of these technologies when it comes to analysing exceptions and limitations

79

Art. 5(3)(k) of Information Society Directive. Erickson and Kretschmer (2018). 81 Burk and Cohen (2000). 82 Engeler (2019). 83 Metzger et al. (2020), p. 16. 84 Article 17(4)(b) of CDSM Directive. 85 Article 17(5) CDSM Directive. 86 Bar-Ziv and Elkin-Koren (2018). 87 Spoerri (2019). 88 Urban et al. (2017). 80

218

S. G. Guzel

because over-claiming is revenue-positive for them.89 Therefore, it is predictable that the results favour commercial interests, and fail to consider the public interest, freedom of expression and free flow of information.90 An additional problem related to the implementation of the filtering technologies obligation is the inefficient safeguards introduced by the CDSM Directive. As the algorithms become smarter, the reliance on human decision replaced by the adaptability of the algorithms. However, this ability to learn from previous scenarios is not a fit for copyright law since it is established based on that context is essential, and outcomes depend on facts. Because of this nature of Copyright Law, infringement must be determined on a case-by-case basis. Thus, to ensure users who are relying on copyright exceptions and limitations, a decision by a human on a case by case basis is needed as a safeguard. To deliver this decision, Recital 70 of the CDSM Directive states: Online content-sharing service providers should also put in place effective and expeditious complaint and redress mechanisms allowing users to complain about the steps taken with regard to their uploads, in particular where they could benefit from an exception or limitation to copyright in relation to an upload to which access has been disabled, or that has been removed.

However, it remains to be seen on which level these mechanisms would meet the expectations of effectiveness in practice, as the volume of requests will be high in addition to the cost of the task since the appeals under Article 17 require human review.91 Also, leaving the important task of responding to complaints to OCSSPs as private companies which are not qualified to replace courts of law constitutes an ‘inappropriate transfer of juridical authority to the private sector’.92 This dependence on the private companies is quite concerning for the future of freedom of expression on the online environment since responses to complaints have a direct effect on the right to freedom of expression as they can lead to the removal of content from the Internet. Far worse, there is a great possibility of these proactive monitoring and filtering mechanisms to result in general monitoring which would conflict with Article 15 of the E-Commerce Directive and CJEU case law.93 The strict obligation of preventing the availability of works is likely to encourage OCSSPs to adopt filtering systems incompatible with the E-Commerce Directive’s no monitoring obligations since

89

Bridy (2019). Jacques et al. (2017), p. 25. 91 Recital 70 of CDSM Directive: ‘Any complaint filed. . .should be processed without undue delay and be subject to human review’. 92 European Commission, Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC), http://ec.europa.eu/internal_market/consultations/ (2010). 93 Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), C-70/10; Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog, C-360/10; L’Oréal SA and Others v eBay International AG and Others, C-324/09. 90

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

219

there is no other practical way for OCSSPs to meet their obligations and qualify for the Directive’s ‘new safe harbour’ without engaging in general monitoring.94 Article 17 is neither limited in scope, nor in time nor in the specific type of uploaders to be profiled.95 Any obligation to monitor all content uploaded by users for the purpose of identifying specific works would constitute a general monitoring obligation. The CJEU has defined this classification in the cases Scarlet, Netlog and L’Oreal and made it clear that active monitoring of all data uploaded by users to prevent any future infringements would be precluded by the EU law.96 On the other hand, a duty extending to information with equivalent content did not identify as general monitoring obligation by CJEU in the Eva Glawischnig-Piesczek v Facebook97 case. However, the countless potential problems the possibility of ‘removing or blocking the access to “identical” and “equivalent” content even worldwide’ would bring already pointed out by many academics.98 It is clear that the removal of the ‘equivalent’ content would cause more false positives and harm the online freedom of expression. In addition to that, the international application of the removal orders seems problematic, especially from a policy standpoint since they based on unharmonised national rights.99 Concerning hosting providers, in Netlog, CJEU held that the EU law should be interpreted as precluding an injunction made against a hosting service provider which requires it to install a system for filtering: (1) information which is stored on its servers by its service users; (2) which applies indiscriminately to all of those users; (3) as a preventative measure; (4) exclusively at its expense; (5) for an unlimited period; and (6) which is capable of identifying electronic files containing musical, cinematographic or audio-visual works.100 Thus, to distinguish general from specific monitoring obligations, both the scope and the number of infringements that can be rationally expected to be identified must be sufficiently narrow, it must be clear which materials constitute an infringement, and most importantly, specific monitoring obligations must be interpreted narrowly.101 However, the description of ‘works or other subject-matter identified by rightholders’ of the article would make the line between a monitoring obligation of ‘general nature’ and one of ‘specific nature’ quite blurred.102 94

Article 15 of the InfoSoc Directive; The ECD is supplemented by Directive 2001/29/EC of the European Parliament and the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, OJ L167/10. 95 Romero Moreno (2020), p. 17. 96 L’Oréal SA and Others v eBay International AG and Others, C-324/09, para. 139. 97 CJEU, C-18/18, Eva Glawischnig-Piesczek v Facebook Ireland Limited, Judgment of 3 October 2019. 98 Rosati (2019), Romero Moreno (2020) and Moore and Clayton (2009). 99 Rosati (2019), p. 673. 100 Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog, C-360/10, para 26, 52. 101 Van Eecke (2011), p. 1486. 102 Lillà Montagnani and Yordanova Trapova (2018), p. 303.

220

S. G. Guzel

Under the E-Commerce Directive, Member States can impose duties of care on hosting providers ‘to detect and prevent certain types of illegal activities.’103 However, according to the CJEU’s established case law, the result can never be a general monitoring obligation.104 Unfortunately, in practical terms, Article 17 implicitly requires general monitoring of the content by requiring OCSSPs to make their ‘best efforts’ to ensure the unavailability of specific unauthorised content over services provided by them.105 When the required high-level duty of care is taken into account, it is natural to assume that many OCSSPs would engage in general monitoring as a safeguard against costly copyright infringement suits.106 In sum, filtering technologies cannot realistically be expected to accurately identify all infringing content or otherwise eliminate online copyright infringement; they are at best capable of merely identifying the contents of a file.107 As examined above, it is clear that Article 17(4)(b) de facto culminates in a comprehensive filtering obligation that corresponds with the filtering measures which conflict with the main principles of the EU law.108

4.2

Adverse Effects of Filtering Technologies on Freedom of Expression

In this day and age most of the creative communications take place over platforms that host user-generated content owned by private companies, and because of the global nature of the Internet, anyone can express themselves online by sharing numerous other types of content with the world.109 Because of this nature of the Internet, freedom of expression is potentially affected by every copyright enforcement. Most of the time, the injunctions against OCSSPs cause filtering not only the infringing content but also the content that is legal, and that legal content might form part of communications that are worthy of protection under Article 10 ECHR or Article 11 of the Charter.110 Introduction of the automated content recognition systems is the outcome of voluntary private initiatives. These technologies built upon agreements between rightholders and intermediaries, which increase the rightholder’s control over works that shared online by third parties and often disturb the balance between

103

Recital 47 of E-Commerce Directive. Netlog, C-360/10; Scarlet Extended, C-70/10. 105 Frosio and Mendis (2019), p. 24. 106 Ibid, p. 25. 107 Engstrom and Feamster (2017). 108 Senftleben (2019). 109 Netlog, para 50. 110 Jütte (2015), p. 10. 104

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

221

freedom of expression and information of the users and the IP protection of rightholders.111 Hence, as private initiatives, these technologies have often been characterised as going beyond what is prescribed under the regulatory framework as mentioned above.112 The increased use of these systems that involve filtering for the purpose of monitoring the content uploaded to their services by the OCSSPs raise concerns relating to the protection of users’ freedom of expression and information. The lack of transparency in the design, implementation and use of filtering technologies intensified these concerns that user-generated content platforms fail to respect fundamental rights compared to other cases where the judiciary, or other accountable public authority, would be involved in the decision-making process.113 From the early rulings like Promusicae, Scarlet and Netlog to more recent ones like UPC Telekabel,114 McFadden,115 CJEU stressed the importance of the fundamental rights and the principle of proportionality. In the twin judgments Scarlet and Netlog, the question was whether an intermediary could be ordered to install a filtering system that would monitor all data relating to customers to prevent copyright infringements. By following L’Oréal v eBay, CJEU stated that ‘the contested filtering system may also infringe the fundamental rights of that ISP’s customers, namely their right to protection of their personal data and their freedom to receive or impart information, which are rights safeguarded by Articles 8 and 11 of the Charter respectively’.116 Following that, CJEU conducted an assessment in light of fundamental rights and proportionality in UPC Telekabel and noted that for blocking injunctions to be compatible with the EU law, a fair balance to be struck between the copyright protection (Art. 17(2)) and freedom of expression and information (Art. 11).117 In addition to the CJEU, ECtHR also addressed these problems with balancing the fundamental rights online. In the landmark decision of Yildirim v Turkey, Court stated that ‘. . .any preliminary restriction to the expression on the Internet is related to a heavy presumption of incompatibility with the Convention’ and while Article 10 does not afford absolute protection, restrictions on freedom of expression do require strict judicial investigation.118 At a time when governments around the world progressively pursue control on the Internet, this decision was seen as a victory for online freedoms.119 The fundamental right of freedom of expression and freedom of speech play a crucial role in a democratic society, and many societies hold freedom of expression and freedom of speech to be the core cultural value. This way, they are making the

111

Bridy (2019). Jacques et al. (2017), p. 3. 113 Ibid. 114 CJEU, C-314/12, UPC Telekabel, Judgement of 27 March 2014, p. 63. 115 CJEU, McFadden, Judgement of p. 100. 116 CJEU, Scarlet Extended, p. 50; Netlog, pp. 40 and 48. 117 Rosati (2019), p. 674. 118 ECtHR, Yildirim v Turkey, 3111/10, Judgement of 18 December 2012. 119 Global Freedom of Expression (2013). 112

222

S. G. Guzel

creativity a fundamental matter to the community. However, to achieve that digital creativity, there should not be solid boundaries between users and creators.120 While freedom of expression is at the heart of diversity within cultural expression, creativity and innovation, such mechanisms undermine the essence of this right and entail a risk to the core of the Internet.121 Nonetheless, the way the filtering technologies work is not so parallel to this core. For example, if the views of groups of online users are poorly or misrepresented in AI training data, AI algorithms of the filtering technologies may learn to treat them ‘unfairly’, and this could potentially affect the freedom of speech of smaller online communities and minority groups.122 As previously mentioned, in the absence of a robust independent control mechanism, these filtering obligations are likely to lead to excessive content blocking since they are raising a spectre of content censorship following the maxims of cost and efficiency considerations of the content and platform industry.123 Article 17’s filtering regime would pose grave dangers to the viability of the Internet ecosystem in exchange for minimal effects on online infringement. The enforcing of these filtering technologies are infringing the users’ right to freedom of expression, including the freedom to receive and impart information protected by the Charter of Fundamental Rights of the European Union.124 One of the adverse effects of filtering technologies on freedom of expression is generating from their abusable nature.125 Malicious actors could use the copyright claims to remove content they find politically disagreeable, or for other arbitrary reasons unrelated to copyright.126 These technologies are open to abuse by parties who wish to repress unpopular and dissenting speech, by using the copyright infringement claim as an excuse to force intermediaries to remove the content that they want to be put down because of personal motives.127 This fitness to the misuse leads the disproportionate fundamental rights limitations. As a recent example of this abuse, on one of the biggest online platforms, companies with ‘striking teams’ has been accused of attacking the small creators and some creators started to abuse those privatised enforcement systems by making false claims to use them for ‘taking revenge.’128 Like in all those scenarios explained above, technological enforcement repeatedly harms fundamental guarantees since these technologies are known to limit fair uses of content online and silence speech according to the mainstream ethical

120

Frosio (2020), p. 23. CJEU, Republic of Poland v European Parliament and Council of the European Union, C-401/ 19. 122 Cambridge Consultants (2019), p. 43. 123 Senftleben (2019). 124 Article 11 of Charter of Fundamental Rights of the European Union. 125 Angelopoulos et al. (2015), p. 86. 126 Erickson and Kretschmer (2018). 127 Erickson and Kretschmer (2018). 128 Asarch (2019), Dodgson (2020). 121

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

223

discourse.129 Although Article 17 contains provisions intended to address the freedom of expression related challenges associated with automated enforcement,130 the implementation of required complaint and redress mechanisms for false positives is not easy in practice. The facts that the existing filtering technology is not advanced enough and human moderation is practically impossible are making the CDSM Directive’s ideals to exist only on the paper. On top of these, the lack of safeguards against those adverse effects of filtering technologies on freedom of expression for users creates a big concern. Thus, it is clear that Directive has failed to follow even its own Recital by lacking fair balance between the fundamental rights of the Charter131 and despite the safeguard obligation for the ‘fair balance of rights and interests’,132 it has strengthened rightholders’ exclusive rights and freedom of contract, and multiplied the occasions of possible misuses of copyright, without providing suitable tools to prevent them and to counterbalance the opposing rights and interests.133 Internet users and amateur creators do not seem like that they are the winners under the new regime of Article 17 since it is subjecting their creative production to stiff and pervasive algorithmic enforcement.134 These outcomes of the CDSM Directive cause a bad scenario where we should consider both freedom of expression and copyright complementary concepts rather than in conflict.135

4.3

Future Is Now: Content ID as A Current Example

The problems of YouTube’s Content ID constitute a present example of the possible problems with the Article 17’s implementation obligations and the upload filters. One of the most sophisticated136 automated content recognition systems (ACRs) is Content ID, which put into effect in 2007 is the result of US$100 million of investment.137 This system is using the fingerprinting algorithm to detect any part of audio or video by crosschecking all content during their uploading process rather than waiting until the content has gone live with its database of copyright-protected

129

Frosio (2018), p. 32. Art. 17(9) of CDSM Directive. 131 Rendas (2017), p. 45. 132 Recital 10 of Directive 2004/48/EC of 29 April 2004 on the enforcement of intellectual property rights, OJL 157, p. 17. 133 Ghidini (2018). 134 Bridy (2019). 135 Torremans (2015), p. 224. 136 ‘. . .in view of the significant number of YouTube users, the massive amount of content uploaded to the platform, and YouTube’s efforts and investments in its filter, there are many reasons to believe, “Content ID” may well be the most sophisticated upload-filter’. (Spoerri 2019). 137 Manara (2018). 130

224

S. G. Guzel

works that have been submitted by content owners. To make the system efficient, the reference files keep parts of the content. However, while this technology helps the Content ID being fast and efficient, it disturbs the fair balance that struck by legislators between the protection granted to rightholders to control uses of their works and the freedoms of the individuals and creators uploading content. Because of its inability to consider the lawful uses of the protected, like other ACRs, Content ID is not able to respect the copyright exceptions and only way to undeniably determine the permission of the uploaded content is to wait to be sued by the rightholder for infringement and to run the copyright exception defence before the court. There are many infamous examples of these false positives and over-blocking where the Content ID blocked public domain recordings of copyright-free music pieces and even of a ten-hour video of white noise.138 Thus, despite being one of the most advanced filtering technologies on the market, Content ID’s manner in which operates is heavily criticised as it is not providing any effective means for users to exercise their freedom of expression in the event of a dispute.139 When the system finds a match, an automated notification being sent to the relevant rightholders. They are given the options of doing nothing, adding advertising and collecting the revenue, monitoring its viewing statistics, blocking its content, and lastly, issuing a manual takedown request. The automated system is deciding what is and what is not legitimate use without human oversight and the usage policy chosen by the claimant is automatically applied without any consideration of lawfulness which is placing all control in the hands of rightholders.140 However, these options are not available for all rightholders: To be eligible and benefit from the Content ID’s protection, users ‘must own exclusive rights to a substantial body of original material that is frequently uploaded by the YouTube user community’.141 This limitation makes Content ID to work only for the needs of major audio-visual and media groups, not for individual creators or small rightholders. Content ID’s suitability of nurturing creativity is also a big question when it comes to examining its effects on the freedom of expression and information. Within the Content ID system, just like other automated content recognition systems, overblocking and false positives are the most significant threats against creativity and ultimately against freedom of expression as explained above. Although Google suggests that freedom of expression is allowed to flourish while permitting rightholders’ to accumulate a fair share of any revenue which results from the use of a protected work,142 the way the algorithms work only helps to strengthen the market power of the rightholders and to create a chilling effect on creativity and

138

Bode (2018). Jacques et al. (2017). 140 Boroughf (2015), p. 109. 141 Google mentions its ‘partners’ enjoys this status in the post where they explain how Content ID works: https://support.google.com/youtube/answer/2797370. 142 Oyama (2016). 139

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

225

innovation by presenting various challenges for the protection of freedom of expression and the promotion of culture.143

5 Conclusion By looking at the situation, it is clear that the EU responded the reform call of the Digital Single Market with the wrong answer and there is no doubt about Directive will mark a significant shift from the currently dominant copyright policy and significantly impact the way the Internet works within the EU and beyond. Instead of changing the law so that it is legal and more accessible for users ‘to do something commonplace’, legislators have engineered the law towards giving many incentives to OCSSPs to prevent, block and filter the content proactively which harmfully affects the commonplace digital creativity.144 Rather than redistributing resources to creators, Article 17 is imposing enhanced liability on UGC platforms with its obligation of automated filtering implementation and monitoring which will inherently cripple users’ fundamental rights and incentivise proactive censorship. Lastly, instead of highlighting users’ rights, Article 17 of the CDSM Directive emphasises rightholders’ ‘value gap’. As an outcome, Article 17 harms smaller OCSSPs and creates a bigger market for third-party filtering technology services which is the complete opposite what the EU Commission promised with this reform. That is why in discussing the future of the copyright in the light of the CDSM Directive, it is crucial to stress the need to strike a fair balance between protection and freedoms.145 This Directive does not seem to help with this endless challenge of striking the fair balance since the application of the filtering exercise would possibly encourage a rigorous ‘safety first’ culture at the expense of Internet freedom and the Directive does not strike the right balance between the protection of rights holders and the interests of EU citizens. The article fails to reach the fair balance by not leaving any practical solution other than harmful upload filters which already acknowledged as ‘not a good idea’ even by the many Member States too.146 All these problems are making the cost of expansion of copyright claims a heavy one; the trend of ACRs pushed the freedom of expression on the backseat although every individual’s right to impart, receive and seek information and ideas freely depends heavily on that right.

143

Jacques et al. (2017), p. 24. Frosio (2020), p. 23. 145 Geiger (2015), p. 12. 146 In the Joint statement by the Netherlands, Luxembourg, Poland, Italy and Finland, these Member States stated that ‘the final text of the Directive fails to deliver adequately on the good functioning of the internal market and to stimulate innovation, creativity, investment and production of new content, also in the digital environment. We believe that the Directive in its current form is a step back for the Digital Single Market rather than a step forward’. 144

226

S. G. Guzel

Although the CDSM Directive presents new challenges for the protection of freedom of expression and the promotion of culture by failing to provide the necessary incentives and remedies to hold stakeholders despite the promise of promoting and protecting creativity and culture, the ultimate impact depends on how specific the final version of the legislation and how literally they will be applied. This dependence makes the implementation of Article 17 even more critical.147 Member States are at liberty to implement more detailed versions of the procedural conditions in Union Law, which means that there is a freedom to reform the existing framework to get rid of its criticised parts and this burden on the legislator to specify further requirements and tools underlined by both the CJEU and the ECtHR. Thus, it is highly important to find the most appropriate way to implement Article 17 by finding ways of making them sufficient for reaching the fair balance with the necessary safeguards and most importantly, to protect and promote the freedom of expression in the online environment.

References Abecassis D, Gann A (2018) The impact of a content-filtering mandate on online service providers. . Accessed 14 July 2020 Angelopoulos C (2015) Sketching the outline of a ghost: the fair balance between copyright and fundamental rights in intermediary third party liability. https://www.emerald.com/insight/ content/doi/10.1108/info-05-2015-0028/full/html. Accessed 11 June 2020 Angelopoulos C (2017) On online platforms and the Commission’s New Proposal for a Directive on Copyright in the Digital Single Market. SSRN. 2947800. https://doi.org/10.2139/ssrn.2947800 Angelopoulos C, Quintais JP (2019) Fixing copyright reform: a better solution to online infringement. JIPITEC 10(2) urn: urn:nbn:de:0009-29-49137 Angelopoulos C, Brody A, Hins W et al (2015) Study of fundamental rights limitations for online enforcement through self-regulation. Institute for Information Law Research Reports or Papers. . Accessed 14 July 2020 Asarch S (2019) Will changes to YouTube’s copyright system be enough? (Newsweek, 16 August 2019). Accessed 9 Mar 2021 Bar-Ziv S, Elkin-Koren N (2018) Behind the scenes of online copyright enforcement: empirical evidence on notice & takedown. Conn Law Rev 50(2017) Bode K (2018) This music theory professor just showed how stupid and broken copyright filters are. Available via VICE. https://www.vice.com/en_us/article/xwkbad/this-music-theory-professorjust-showed-how-stupid-and-broken-copyright-filters-are. Accessed 14 July 2020 Boroughf B (2015) The next great YouTube: improving content ID to foster creativity, cooperation, and fair compensation. Alb Law J Sci Technol 25:104–130 Bridy A (2019) EU copyright reform: grappling with the Google effect. Vanderbilt J Entertain Technol Law 22:323–358. https://doi.org/10.2139/ssrn.3412249 Burk DL, Cohen JE (2000) Fair use infrastructure for copyright management systems. Georgetown Public Law Research Paper No. 239731

147

Eleonora Rosati, a lawyer and copyright expert at the University of Southampton, said the ultimate impact depends on how specific the final version of the legislation is and how it is interpreted (Kottasová 2018).

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

227

Cambridge Consultants (2019) Use of ai in online content moderation (Ofcom 2019) Curto AN (2019) EU Directive on Copyright in the Digital Single Market and ISP liability: what’s next at international level? SSRN Scholarly Paper ID 3434061. https://doi.org/10.2139/ssrn. 3434061 Dodgson L (2020) YouTube channels are being held hostage with false copyright claims, but the platform’s hands are tied (Insider). Accessed 29 October 2020 Eecke P (2011) Online service providers and liability: a plea for a balanced approach. 48:1455–1502 Engeler DM (2019) Copyright Directive: does the best effort principle comply with GDPR?. Available via Telemedicus. http://www.telemedicus.info/article/3402-Copyright-DirectiveDoes-the-best-effort-principle-comply-with-GDPR.html. Accessed 14 July 2020 Engstrom E, Feamster N (2017) The limits of filtering: a look at the functionality and shortcomings of content detection tools. Available via Engine. http://www.engine.is/the-limits-of-filtering/. Accessed 14 July 2020 Erickson K, Kretschmer M (2018) “This Video is Unavailable”: analyzing copyright takedown of user-generated content on YouTube analyzing copyright takedown of user-generated content on YouTube. JIPITEC 9(1):2190–3387 Farrand B (2019a) Digital copyright and human rights: a balancing of competing obligations, or is there no conflict? In: Wagner B, Kettemann M, Vieth K (eds) Research handbook on human rights and digital technology. Edward Elgar Publishing, Northampton, pp 53–71 Farrand B (2019b) “Towards a modern, more European copyright framework”, or, how to rebrand the same old approach? Eur Intellect Prop Rev 41(2):65–69 Friedmann D (2014) Sinking the safe harbour with the legal certainty of strict liability in sight. JIPLP 9(2):148–155. https://doi.org/10.1093/jiplp/jpt227 Frosio G (2011) Communia Final Report On The Digital Public Domain (Report Prepared for the European Commission on Behalf of the COMMUNIA Network and the NEXA Center). Available via Communia. http://communia-project.eu/final-report/defining-public-domain. html. Accessed 14 July 2020 Frosio G (2018) To filter or not to filter? That is the question in EU copyright reform. Cardozo Arts Ent Law J 36:331 Frosio G (2020) Reforming the C-DSM reform: a user-based copyright theory for commonplace creativity. IIC 51(6):709–750. https://doi.org/10.1007/s40319-020-00931-0 Frosio G, Mendis S (2019) Monitoring and filtering: European reform or global trend. SSRN Electron J. https://doi.org/10.2139/ssrn.3450194 Geiger C (2015) Implementing intellectual property provisions in human rights instruments: towards a new social contract for the protection of intangibles. In: Geiger C (ed) Research handbook on human rights and intellectual property. Edward Elgar Publishing, Northampton, pp 661–689 Geiger C, Izyumenko E (2018) Freedom of expression as an external limitation to copyright law in the EU: the advocate general of the CJEU shows the way. EIPR 41(3):131–136 Ghidini G (2018) Rethinking intellectual property: balancing conflicts of interests in the constitutional paradigm. Edward Elgar Publishing, Cheltenham Global Freedom of Expression (2013) Yildirim v. Turkey. https://globalfreedomofexpression. columbia.edu/cases/ahmed-yildirim-v-turkey. Accessed 14 July 2020 Husovec M (2014) CJEU allowed website blocking injunctions with some reservations. JIPLP 9 (7):631–634. https://doi.org/10.1093/jiplp/jpu101 Husovec M (2017) Injunctions against intermediaries in the European Union: accountable but not liable? Cambridge University Press, Cambridge Jacques S, Garstka K, Hviid M et al (2017) The impact on cultural diversity of automated antipiracy systems as copyright enforcement mechanisms: an empirical study of Youtube’s content Id digital fingerprinting technology. https://doi.org/10.13140/RG.2.2.14443.54560 Jütte BJ (2015) The beginning of a (happy?) relationship: copyright and freedom of expression in Europe. EIPR 38(1):11–22

228

S. G. Guzel

Kottasová I (2018) ‘Europe Just Approved New Copyright Rules That Could Change the Internet’. Available via CNNMoney. https://money.cnn.com/2018/09/12/technology/eu-copyright-law/ index.html. Accessed 14 July 2020 Leistner M (2020) European copyright licensing and infringement liability under Art. 17 DSM-Directive compared to secondary liability of content platforms in the U.S. – can we make the new European system a global opportunity instead of a local challenge?. ZGE/IPJ (forthcoming) Lillà Montagnani M, Yordanova Trapova A (2018) Safe harbours in deep waters: a new emerging liability regime for internet intermediaries in the Digital Single Market. Int J Law Inf Technol 26 (4):294–310 Manara C (2018) Protecting what we love about the internet: our efforts to stop online piracy. Available via Google. https://www.blog.google/outreach-initiatives/public-policy/protectingwhat-we-love-about-internet-our-efforts-stop-online-piracy. Accessed 14 July 2020 Masnick M (2016) Why is your bigoted, Luddite Uncle Crafting Internet Policy in Europe? Available via Techdirt. https://www.techdirt.com/articles/20161103/17540835964/why-isyour-bigoted-luddite-uncle-crafting-internet-policy-europe.shtml. Accessed 14 July 2020 Metzger A, Senftleben M, Derclaye E et al (2020) Selected aspects of implementing Article 17 of the Directive on Copyright in the Digital Single Market into National Law – Comment of the European Copyright Society. SSRN Electron J. https://doi.org/10.2139/ssrn.3589323 Moore T, Clayton R (2009) The impact of incentives on notice and take-down. In: Johnson ME (ed) Managing information risk and the economics of security. Springer, New York Oyama K (2016) Continuing to create value while fighting piracy: an update. Available via Google. https://blog.google/topics/public-policy/continuing-to-create-value-while. Acessed 14 July 2020 Quintais J, Frosio G, Gompel S et al (2019) Safeguarding user freedoms in implementing Article 17 of the Copyright in the Digital Single Market Directive: recommendations from European academics. SSRN Electron J. https://doi.org/10.2139/ssrn.3484968 Rendas T (2017) Form and substance in the value gap proposal. Paper presented at the Better Regulation for Copyright, European Parliament, 6 September 2017 Riordan J (2016) The liability of internet intermediaries. Oxford University Press, Oxford Romero Moreno F (2020) “Upload Filters” and Human Rights: implementing Article 17 of the Directive on Copyright in the Digital Single Market. Int Rev Law Comput Technol 34 (2):153–182 Rosati E (2017) Intermediary IP injunctions in the EU and UK experiences: when less (harmonization) is more? JIPLP 12(4):338–350 Rosati E (2019) Material, personal and geographic scope of online intermediaries’ removal obligations beyond Glawischnig-Piesczek, C-18/18 and Defamation. EIPR 41(11):672–682 Roy A, Marsoof A (2016) The blocking injunction: a comparative and critical review of the EU, Singaporean and Australian Regimes (June 29, 2016). EIPR 38(2):9. Available at SSRN: https:// ssrn.com/abstract=2802037 Sefidari Huici M (2018) Your internet is under threat. Here’s why you should care about European Copyright Reform. Available via Medium. https://medium.com/freely-sharing-the-sum-of-allknowledge/your-internet-is-under-threat-heres-why-you-should-care-about-european-copy right-reform-7eb6ff4cf321. Accessed 14 July 2020 Senftleben M (2019) Bermuda Triangle – licensing, filtering and privileging user-generated content under the New Directive on Copyright in the Digital Single Market. SSRN Electron J. https:// doi.org/10.2139/ssrn.3367219 Spoerri T (2019) On upload-filters and other competitive advantages for Big Tech Companies under Article 17 of the Directive on Copyright in the Digital Single Market. JIPITEC 10(2):173–186 Stalla-Bourdillon S, Rosati E, Turk K et al (2016) A brief exegesis of the proposed Copyright Directive. SSRN. https://doi.org/10.2139/ssrn.2875296

8 Directive on Copyright in the Digital Single Market and Freedom of. . .

229

Strowel AM, Kim H-H (2014) The balancing impact of general EU law on European intellectual property jurisprudence. In: The Europeanization of intellectual property law: towards a European legal methodology. Oxford University Press, Oxford, pp 121–142 Teunissen P (2018) The balance puzzle: the ECJ’s method of proportionality review for copyright injunctions. EIPR 40(1):579–593 Torremans P (ed) (2015) Intellectual property and private international law. Edward Elgar Publishing, Cheltenham Urban JM, Karaganis J, Schofield B (2017) Notice and takedown in everyday practice. SSRN. https://doi.org/10.2139/ssrn.2755628 Visser D (2019) Trying to understand Article 13. SSRN. https://doi.org/10.2139/ssrn.3354494 Voorhoof D, Høedt-Rasmussen I (2013) ECHR: Copyright vs. Freedom of Expression. Available via Kluwer Copyright Blog. http://copyrightblog.kluweriplaw.com/2013/01/25/echr-copyrightvs-freedom-of-expression/?doing_wp_cron¼1594656500.8975579738616943359375. Accessed 14 July 2020 Wyckoff A, Colecchia A (1999) The economic and social impact of electronic commerce: preliminary findings and research agenda. Organisation for Economic Co-operation and Development, Paris

Part II

AI Law in the Digital Single Market

Chapter 9

AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of AI at International and European Level Cristina Vanberghen and Alexandra Vanberghen

Abstract The governance of Artificial Intelligence (AI) is one of the hottest topics in contemporary institutional debate. No matter how AI governance will be finally designed, the way it will be done must be easy to understand by the average citizen, business, and even practising lawyer confronted with a plethora of initiatives at all levels. This chapter explains the importance of bringing AI to the next level, by increasing the EU digital prowess of European citizens, fixing the rules for market power of tech giants and understanding that transparency is essential to build trust in AI. Then, at global level it is crucial to constantly cooperate strategically with partners within the framework of the Global Partnership on AI (GPAI). This chapter considers that the AI capacity to achieve transformational change and support the implementation of this specific political priority will require addressing cross-cutting global policies. Failure to provide a regulatory framework will not only generate an economic disadvantage, but will additionally have a negative impact on the EU’s ability to protect its strategic interests which is also justified by the fact that commercial innovation already outpaces military R&D in many areas making it a AI a long-term principal for a geopolitical Europe. Finally, the authors support the idea that a regulatory approach should be formulated from a strategic foresight perspective on how the market is expected to develop over the next 10–15 years in various AI sectors. There is an important need for far-sighted EU legislation and policy multidisciplinary coordination.

C. Vanberghen Institute of European Studies, Brussels, Belgium e-mail: [email protected] A. Vanberghen (*) European School of Brussels, Brussels, Belgium e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_9

233

234

C. Vanberghen and A. Vanberghen

1 Introduction The term of Artificial Intelligence (AI) is not new, its emergence has led to such applications that profoundly affect our lives.1 It focuses on replicating and modifying human intelligence via artificial technologies to invent intelligent machines. AI has multiple applications in healthcare, health surveillance, trade, bank sector, public safety, transportation, telecommunication, defence, humanitarian and civil protection etc. In general terms, AI refers to a technique that enables machines to mimic human intelligence, and to a broad field of science encompassing not only computer science but also psychology, philosophy, linguistics and other areas.2 AI is concerned with getting computers to do tasks that would normally require human intelligence. All these definitions include the concept of intelligence or the ability to plan, reason and learn, sense and build some kind of perception of knowledge and communicate in natural language. From a practical perspective, AI utilises machine learning and other types of data analytics methods to achieve functional capabilities. Machine Learning is an AI method based on the continuation of the concepts around predictive analytics. An algorithm identifies spam in emails, and this algorithm “learns” to provide patterns, combinations of words, that allows to identify an email as being spam. In 2004, Google launched a “predictive search” practice to generate search results as we type. As this chapter is being written, the authors know that later on, online searches will be recommending many eye-catching articles on AI. Or maybe a suggestion to watch a documentary on “Machine Learning: Living in the Age of AI” will appear. It is clear AI impacts our viewing time, our activity, and our online choices. However, these translate to offline choices and in real-life behaviour, as we develop habits and evolve. All technologies are inevitably rising forward, blending our physical and virtual worlds, and our job is to understand it. To fully understand it, computer algorithms shall be traced back to its origin. The world’s first published computer algorithm was widely regarded to be Ada Lovelace’s algorithm equation which was specifically tailored for implementation on a computer. Lovelace suggested the data input that would program the machine to calculate Bernoulli numbers, which is now considered the first computer program, allowing her to predict programming processes that would grant computers to implement orders correctly. We build our next inventions based on our past mistakes, developing our old ideas into brighter, better ones. We use algorithms to find other algorithms. In a sense, the past process is an algorithm itself, learning and advancing to a new AI era. With the pandemic international context, it becomes clear that the governance of artificial intelligence is one of the hottest topics in contemporary institutional debate. Around the globe, institutions, governments, non-profits and businesses are attempting to anticipate AI consequences, whether positive or negative, addressing 1 2

Deep Sharma et al. (2020). Van Duin and Bakhshi (2018).

9 AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of. . .

235

questions about the future of the “Good AI Society.” No matter how AI governance will be finally designed, the way it will be done must be easier to understand by the average citizen, businesses, and even practising lawyers confronted with a plethora of initiatives aiming all at creating a sort of legal modus vivendi at national, regional, European Union (EU), United Nations, or Organisation for Economic Co-operation and Development (OECD) level. At EU level, if Member States bear the principal responsibility for achieving clarity and efficiency in AI’s governance at national level, the EU institutions have the responsibility for taking AI to the next level, by increasing the EU digital prowess of Europeans, fixing the rules for the market power of tech giants, understanding that transparency is essential to build trust in AI. Then, at global level it is crucial to constantly cooperate strategically with partners within the framework of the Global Partnership on AI (GPAI). Running quickly through the von der Leyen Political’ Guidelines,3 one realises that AI is in the middle of the EU political radar. AI is part of von der Leyen’ six pillars for a Europe that strives “for more by grasping the opportunities from the digital age within safe and ethical boundaries. Digital technologies, especially Artificial Intelligence (AI), are transforming the world at an unprecedented speed. They have changed how we communicate, live and work. They have changed our societies and our economies.”4 Now this political commitment must go hand-in hand with an overall responsibility for enabling a comprehensive, better regulatory approach, based on the best practices and processes in the regulatory intervention, allowing companies to compete with big companies while preserving consumers’ privacy, considering substantive compliance costs, promoting a tailored regulatory approach for different types of risk, addressing the legislative holes and barriers, articulating the implication of opaqueness and the lack of transparency of AI, prioritising a collaborative approach to regulation, and supporting companies, governments, and citizens to benefit from responsible AI in their daily life. This chapter examines in a nutshell, AI governance from an institutional and regulatory perspective at international and EU level. It approaches AI governance outlining the importance of drawing up its legal definition and briefly explores some of the challenges of AI in the military sector and the need of an EU strategic approach in its governance.

3

Von der Leyen, A Union that strives for more. My agenda for Europe” 2019 available at: https://ec. europa.eu/commission/sites/beta-political/files/political-guidelines-next-commission_en.pdf, Accessed on August 28, 2020. 4 Ibid., p. 13.

236

C. Vanberghen and A. Vanberghen

2 The Global Partnership on AI: From an Institutional Approach The economic potential of artificial intelligence has been outlined by innumerable studies. A study on the macroeconomic impact of artificial intelligence estimates that global Gross domestic product(GDP) may increase by up to 14% (the equivalent of US$15.7 trillion) by 2030 as a result of the AI use and development, anticipating a new digital revolution due to the data generated from the Internet of Things (IoT).5 AI revolution is going to happen quickly compared to the industrial revolution, and its innumerable challenges relating to its ethical use, to respect of fundamental rights standards, to legal liability for self-driving or autonomous vehicles (AVs), to the impact of “big data” will require a decisive action for a good EU? AI governance. In the amid of pandemic COVID-19, the die is finally cast and the debate about the ethics and law of AI becomes internationalised by the launch of the Global Partnership on AI (GPAI), on June 5, 2020 as an international and multi-stakeholder partnership, aiming to provide guidance on the responsible use of AI, based on the respect of human rights and democratic values, on economic growth, inclusion and innovation.6 The GPAI’ stakeholders are coming from the industry, civil society, governments and academia with the common mission to promote a responsible and human-centric development and use of AI in a manner consistent with human rights, fundamental freedoms, and our shared democratic values, as elaborated in the OECD AI Principles.7 The OECD’s AI Principles are now endorsed by more than 42 countries. It refers to five values-based principles for the responsible deployment of AI and five recommendations for international co-operation and policy. These principles provide real guidelines for designing and running AI systems by taking into consideration the people’s best interests first while promoting the accountability of AI system designers and operators for the proper functioning of AI. From the perspective of its institutional governance, the GPAI initiative is supported by a Secretariat8 hosted by

5

A Study of PWC, Sizing the prize PwC’s Global Artificial Intelligence Study: Exploiting the AI Revolution, What’s the real value of AI for your business and how can you capitalize, (2018) available at: https://www.pwc.com/gx/en/issues/analytics/assets/pwc-ai-analysis-sizing-the-prizereport.pdf, Accessed on August 28, 2020. 6 Joint Statement from founding members of the Global Partnership on Artificial Intelligence available at the https://www.canada.ca/en/innovation-science-economic-development/news/2020/ 06/joint-statement-from-founding-members-of-the-global-partnership-on-artificial-intelligence. html, Accessed on August 28, 2020. 7 The GPAI founding countries are as follows: Australia, Canada, France, Germany, India, Italy, Japan, Mexico, New Zealand, the Republic of Korea, Singapore, Slovenia, the United Kingdom, the United States. The European Union is also a founding member of GPAI initiative supported by a Secretariat hosted by the OECD. The OECD Principles were endorsed by the G20 at the Osaka Summit in June 2019. 8 GPAI will include a Council and a Steering Committee, would be supported by the OECD. The OECD would also be a Permanent Observer to GPAI’s governing bodies and its experts participate

9 AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of. . .

237

the OECD in Paris, as well as by two Centres of Expertise in Montreal9 and Paris10 that will provide research support for the multidisciplinary Working Group experts. To conclude, the GPAI’s mission to bridge the gap between theory and practice on AI by supporting cutting-edge research and activities, to investigate in priority how AI technology can better contribute in managing effectively current or future pandemics, all these activities are complementary to the European Commission work in the area of AI. Meantime, by joining GPAI as a founding member, the EU has the opportunity to actively participate in the global governance of AI, leveraging its leadership experience as reflected in its White Paper on AI11 and supporting the dissemination of EU standards and practices in many AI areas at international level.

3 Towards an EU Regulatory Governance AI is one of the most transformative forces of our life,12 a global policy in the context of a global race for technological leaderships which requires sound stakeholders participation and cultural awareness on the legal definition of AI in various sectors, a good understanding to technical specifications and requirements relating to its implementation and enforcement. In the current context, the EU has a particular responsibility on the use of AI not only in relation with the single market, from a consumer’s perspective to help them

in the working groups and plenary meetings. The GPAI Secretariat would work jointly with Centres of Expertise in Montréal and Paris. The Montréal centre is focused on responsible AI and data governance. The centre in Paris will be in charge of the future of work and innovation and commercialisation. In addition, the OECD operates an online platform—the OECD AI Policy Observatory, or OECD.AI. The platform includes data and information on AI trends and policies in around 60 countries and material from experts. 9 Official launch of the International Centre of Expertise in Montréal for the Advancement of AI on July 9, 2020 available at https://www.montrealinternational.com/en/news/official-launch-of-theinternational-centre-of-expertise-in-montreal-for-the-advancement-of-ai/ Accessed on August 28, 2020. 10 The Centre of Expertise in Paris piloted by Inria (National Institute for Research in Digital Science and Technology. Ecosysteme) will support two working groups of experts on 3) future of work and 4) innovation & commercialisation. It will work in cooperation with the Centre of Expertise in Montréal, July 9, 2020, information available at: https://www.diplomatie.gouv.fr/en/ french-foreign-policy/digital-diplomacy/news/article/launch-of-the-global-partnership-on-artifi cial-intelligence-by-15-founding; Accessed on August 28, 2020. 11 White Paper on Artificial Intelligence - A European approach to excellence and trust Brussels, 19.2.2020. COM(2020) 65 final available at https://ec.europa.eu/info/sites/info/files/commission-whitepaper-artificial-intelligence-feb2020_en.pdf; Accessed on August 28, 2020. 12 High Level Expert Group on Artificial Intelligence. In December 2018, the group issued Draft Ethics Guidelines for Trustworthy AI, stating: “Artificial intelligence is one of the most transformative forces of our time, and is bound to alter the fabric of society.”

238

C. Vanberghen and A. Vanberghen

make reasonable choices when buying products or services, but also from the perspective of a EU rule of law driven approach. The rule of law requires a coordinated approach and it is essential for the very functioning of the EU: for the effective application of EU law, for the proper functioning of the internal market, for maintaining an investment-friendly environment and for mutual trust. Therefore, the rule of law is an additional argument to strengthen EU governance of AI and keep it high on the EU political agenda to avoid unexpected risks of weakening the whole European political ecosystem and its single market. Similarly to the EU’s landmark General Data Protection Regulation (GDPR)13 that set a new gold standard for data protection, with a considerable positive impact for consumers at EU and international level, the EU has a golden opportunity to guide the responsible evolution of AI, to show its leadership in boosting people’s confidence in AI, by building its own normative predictable framework, projecting a shared approach in its work with the GPAI and other international partners. To strategically contribute to the AI international governance, the EU will have to come with a stable, predictable and coherent regulatory framework able to ensure coherence between policies in different portfolios as well as between the implementation of industrial policies at EU and national level. The EU institutions and the Council of Europe have undertaken various initiatives to assess the impact of AI in different domains. For example, the European Commission’s High-Level Expert Group on AI published “Ethics Guidelines for trustworthy AI”14 and the European Commission15 for the Efficiency of Justice (CEPEJ) of the Council of Europe has adopted the first European text setting out ethical principles relating to the use of artificial intelligence in judicial systems.16

13 See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119; This text includes the corrigendum published in the OJ of the EU of 23 May 2018. The regulation can be considered as an essential step to strengthen individuals’ fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market. A single law will also do away with the current fragmentation in different national systems and unnecessary administrative burdens. The regulation entered into force on 24 May 2016 and applies since 25 May 2018. For more information, see https://ec.europa.eu/info/law/law-topic/data-protection/dataprotection-eu_en; Accessed on August 28, 2020. 14 On 8 April 2019, the High-Level Expert Group on AI presented Ethics Guidelines for Trustworthy Artificial Intelligence available at: https://ec.europa.eu/digital-single-market/en/news/ethicsguidelines-trustworthy-ai; Accessed on August 28, 2020. 15 The aim of the CEPEJ is the improvement of the efficiency and functioning of justice in the Member States, and the development of the implementation of the instruments Accessed on August 28, 2020 adopted by the Council of Europe to this end. available at: https://www.coe.int/en/web/ cepej/about-cepej. 16 The Council of Europe’s European Commission for the Efficiency of Justice (CEPEJ) adopted a European Ethical Charter on using artificial intelligence in judicial systems available at https://rm. coe.int/ethical-charter-en-for-publication-4-december-2018/16808f699c; Accessed on August 28, 2020.

9 AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of. . .

239

In its effort to provide adequate governance and keep the pace with the AI dynamic, the European Commission has launched the White Paper on “A European approach to excellence and trust.”17 This document is advocating a common European approach to AI that reach sufficient scale and avoid the fragmentation of the single market. The European Commission considers that the introduction of national initiatives risks endangering legal certainty and weaken citizens’ trust and to prevent the emergence of a dynamic European industry. Therefore, it supports both a regulatory and investment oriented approach with the twin objective of promoting the uptake of AI and of addressing the risks associated with certain uses of this new technology while supporting a European governance structure on AI in the form of a framework for cooperation of national competent authorities. This would allow to avoid fragmentation of responsibilities, increase capacity in Member States, and make sure that Europe equips itself progressively with the capacity needed for testing and certification of AI-enabled products and services.18 The European governance is based on the respect of subsidiarity,19 encompassing multiple levels of governance, increasing capacity in Member States to support competent national authorities to fulfil their mandate where AI is used. The White Paper allows Member States to enable the enforcement through the existing agencies or by creating new national agencies. A European governance is based on a sector-specific approach: “The governance structure relating to AI and the possible conformity assessments at issue here would leave the powers and responsibilities under existing EU law of the relevant competent authorities in specific sectors or on specific issues (finance, pharmaceuticals, aviation, medical devices, consumer protection, data protection, etc.) unaffected.”20 Its view of governance is based on “a variety of tasks, as a forum for a regular exchange of information and best practice, identifying emerging trends, advising on standardisation activity as well as on certification.”21

Supra n11; The White Paper on Artificial Intelligence, 19.2.2020, COM(2020) 65 final, was preceded by a Strategy on AI adopted in April 2018 and a Coordinated Plan—prepared together with the Member States—to foster the development and use of AI in Europe, based on 70 joint actions for closer and more efficient cooperation between Member States, and the Commission in key areas, such as research, investment, market uptake, skills and talent, data and international cooperation. The plan is scheduled to run until 2027, with regular monitoring and review. 18 Supra n11. 19 The principle of subsidiarity is defined in Article 5 of the Treaty of the European Union. It aims to ensure that decisions are taken as closely as possible to the citizen and that constant checks are made to verify that action at EU level is justified in light of the possibilities available at national, regional or local level. It is the principle whereby the EU does not take action (except in the areas that fall within its exclusive competence), unless it is more effective than action taken at national, regional or local level. It is closely bound up with the principle of proportionality, which requires that any action by the EU should not go beyond what is necessary to achieve the objectives of the Treaties. 20 Supra n11. 21 Ibid. 17

240

C. Vanberghen and A. Vanberghen

To put it in a nutshell, EU’s governance, at least in theory, is based on maximum stakeholders’ participation; all consumer organisations and social partners, businesses, researchers, and civil society organisations will be consulted on the development and implementation of a future AI framework. It will need to establish close links with competent authorities on an EU, national and multidisciplinary basis to complement existing expertise, support through monitoring and the oversight of the activities of economic operators involving AI systems and AI-enabled products and services. If this model of governance will prevail, then carrying out conformity assessments will be the responsibility of notified bodies designated by Member States. The mission of testing centres would be to undertake the independent audit and assessment of AI-systems in accordance with the regulatory requirements. While AI model of regulatory governance is based on the principle of subsidiarity, in the current global context, one thing is certain, no EU Member State has the real potential to reach the critical mass that is needed to influence global standards to ensure its ethical use and development at international level. If the EU would like to shape its strategic future based on its EU goals and values to avoid a world shaped by the authoritarian regimes, its practical guidance and participation to the AI governance at international level remains indispensable. Moreover, whereas the Member States’ authorities have started to establish their own national AI strategy to facilitate the ethical use and development of AI, there is a need for the EU to start moving more quickly if it is to gain the benefits of the single market and to provide a framework that extends beyond the logic of national boundaries. The gradual integration of national AI Strategy at EU level could lead to a better co-ordinated governance, a less duplicative AI landscape to better serve the political objectives of the EU and inspire the EU Member States to implement the EU’s AI vision. AI is high on the Agenda of the European Commission and it is a key to the EU future development. In a globally competitive environment, a reliable AI framework represents a major competitive challenge for EU industries, infrastructures and territories, any delays in having a predictable legal framework may prove impossible to catch up.

4 The Various Definitions of AI and the Challenge of Its Legal Personality Simply stated, AI models and machine learning come into our lives to provide clarity and efficiency. They are rapidly incorporated through all public and private sectors, in many decision-making processes relating to traffic control, health sector, judicial area, financial loans, urban infrastructure, law enforcement, humanitarian aid, and defence area. At the same time, AI entails a number of potential risks, such as opaque decision-making, gender-based or other kinds of discrimination, intrusion in our private lives or being used for criminal purposes.

9 AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of. . .

241

Currently, there is no common accepted definition of AI. As stated at the outset of this chapter, AI is applied in many sectors ranging from production, finance and transport to healthcare and security, from telecommunication to defence, humanitarian, and civil protection. Probably the most common definition of AI as suggested by the European Commission’s White Paper refers to a “hardware or to systems that display intelligent behaviour by analysing their environment and taking actions – with some degree of autonomy – to achieve specific goals.”22 AI-based systems can be purely: software-based, acting in the virtual world (e.g. voice assistants, image analysis software, search engines, speech and face recognition systems) or hardware devices (robots, autonomous cars, drones, and Internet of Things applications). This encompassing definition includes systems that use statistical analysis such as machine learning as well as systems that use statistical techniques. The OECD in its work on Artificial Intelligence and rationale for developing the OECD Recommendation on Artificial Intelligence defines AI as “a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. AI systems are designed to operate with varying levels of autonomy.”23 In the authors’ view, a definition of AI shall refer to some technical peculiarities: Firstly. autonomy: AI operates without the direct intervention of humans or others, and has some kind of control over their actions and internal state. Secondly, social ability: AI interacts with other agents (and possibly humans) via some kind of agentcommunication language. Thirdly, reactivity: AI perceives the environment (which may be the physical world, a user via a graphical user interface, a collection of other agents, the Internet, or perhaps all of these combined), and responds in a timely fashion to changes that occur in it; 4. proactiveness: AI does not simply act in response to its environment, it is able to exhibit goal-directed behaviour by taking the initiative. AI regulatory approach shall start with a legal definition of AI. In the authors’ view, the biggest challenge will be to provide a neutral definition of AI that does not differ significantly from a discipline to another. While accepting that a legal definition of AI will follow a sectoral risk-based approach and that the enforcement authorities will also have the opportunity to clarify and determine the legal attributes of AI, a legal definition will have to include technical requirements such as those four peculiarities described above. A legal definition should be complemented by clarification about the legal personality of AI.24 In legal doctrine, legal personality refers to the particular device See “Ethics Guidelines for Trustworthy AI” of the High-Level Expert Group on AI (AI HLEG) available at https://ec.europa.eu/digital-single-market/en/news/trustworthy-ai-brochure; Accessed on August 28, 2020. 23 OECD (2019), Artificial Intelligence in Society (Summary), OECD Publishing, Paris, https://doi. org/10.1787/9f3159b8-en.; Accessed on August 28, 2020. 24 For more information about the legal personality of AI, see Turner (2019), Solum (1992), Koch (2019). 22

242

C. Vanberghen and A. Vanberghen

by which the law creates or recognises units to which it ascribes certain powers and capacities. Conferring legal personality in the AI environment means entitling a legal patrimony composed of three active legal issues—rights, powers and options—and three passive legal situations—obligations, burdens and duties. It includes all and only the legal situations susceptible to economic assessment, with, therefore, the exclusion of so-called individual rights or, in any case, personal rights. In a nutshell, it is important to understand the legal personality of AI and know whether the AI robots that are going to replace human intervention, could and should be held responsible, as a human would. Already in 2017, the European Parliament adopted a resolution to the European Commission on civil law rules that recommends conferring a legal status to sophisticated autonomous robots: “so that at least the most sophisticated autonomous robots could be established as having the status of electronic persons responsible for making good any damage they may cause, and possibly applying electronic personality to case where robots make autonomous decisions.”25 Clarifying the legal definition of AI or its legal personality, is finally about creating trust for consumers, business, and public authorities. It is about promptly answering to the challenges of national legal systems which are by their nature mostly not familiar with a borderless environment.

5 Transformative Challenges of AI in the Military Sector Today, the EU is not to be judged solely by its ability to remove barriers to trade or to complete an internal market; its legitimacy today depends on its strategic governance based on intervention and feedback, networks and involvement from policy formulation to implementation at all levels. All the six “headline ambitions” (“European Green Deal; an economy that works for people; a Europe fit for the digital age; protecting our European way of life; a stronger Europe in the world; a new push for European democracy”) included on the Political Agenda of the President of the European Commission, Ursula von der Leyen26 are directly connected to the issue of AI governance. To secure a reliable governance for AI, it will be important to analyse AI in a wider political context. Working with an outcome matrix around the AI and the five remaining political priorities will help to identify different level of approaching AI from a regulatory, policy or geopolitical perspective, to approach cross-cutting

25

See the European Parliament Resolution of 16 February 2017 with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)) P8_TA(2017)0051 Civil Law Rules on Robotics. 26 Supra n3.

9 AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of. . .

243

sustainable development policy areas which have closely intertwined economic, social, security and environmental interconnections. The political priority on a “A stronger Europe in the world,” aiming to strengthen the European Defence Fund, to support research and capability development, to open major new opportunities for our high-tech industries, to promptly answer to the EU Security challenges in the context of serious and acute hybrid threats—is strictly connected to the issue of AI. The AI capacity to achieve transformational change and support the implementation of this specific political priority will require seriously addressing cross-cutting global policies. In the defence sector,27 the EU’s ability to defend and promote its interests, as well as its credibility as a strong foreign policy actor, will largely depend on its ability to address the need for strategic autonomy in the defence industry and AI. In the military area, the international forums have tended to focus on the potential development of lethal autonomous weapons systems (LAWS). In a certain way, valid concerns about LAWS have marginalised the debate on the ethical implications of AI in the military sector. LAWS do not exist at present and a preventive ban would hinder a response to the legal and ethical challenges raised by AI in the military sphere. Therefore, regulating at EU level is necessary, it will accelerate the development of robotics in Europe compare to countries without regulations while acting locally will lead to inequalities between countries. Even more, it will lead to developing a vision of the future of AI in the military sphere that will put in place the values and instruments they need to have a degree of control over the overall development of emerging technologies and setting-up a reliable basis. AI requires that the EU legislative framework contains the relevant elements to ensure that emerging technologies and AI systems, in particular, integrate safety and security-by-design. It requires a predictable technology-neutral approach based on sectoral and national assessments. The standardisation work is focused on the robustness of the algorithm, on methods for preparing learning bases, on developing and testing AI software engineering processes and applications but it is not applicable for AI technologies such as neutral networks. The EU shall actively consider how these standards can support the development and enforcement of further global governance efforts. In the past, standards have been incorporated into international treaties, supported by informed government policies as well as procurement contracts, however, today, standards offer the first step to dominate the international and market competition for AI. The increased politicisation of standards bodies would complicate this mode of AI governance, including for military purposes. For this reason, the EU should exert appropriate influence in international standardisation processes; and do more to jointly represent European interests in international standardisation bodies.

27

For more information on the implication of the AI in the military sector, see Hachey et al. (2020), Libel (2016), Kim et al. (2019).

244

C. Vanberghen and A. Vanberghen

The North Atlantic Treaty Organization (NATO) or EU Member States are themselves in the process of integrating AI into their military system and that interoperability must be preserved employing common standards, which are essential for the conduct of operations between allies.28 Moreover, the capacity to counter the effects of adversary AI will also be a decisive factor of strategic dominance, which requires the skills and the technologies necessary for controlling the overall development of emerging technologies. Even if AI enables military capabilities to operate with a certain degree of autonomy, it is essential to have controlled and responsible AI systems which can be trusted to assist service personnel and commanders, dispelling any “black-box” warning, combining human judgment with the power of algorithms to make decisions while retaining military commanders’ responsibility for the use of weapons. The failure to address the need of examining the impact of AI as a strategic enabler for the EU’s Common Security and Defence Policy (CSDP), especially concerning military and civilian missions and operations and EU capability development—could affect the EU’s capability to defend and promote its interests, acting as a coherent and credible foreign policy player. It is also important to encourage assessing and demonstrating the added-value of AI-supported defence research and technology (R&T) in defence and security. From this perspective, the EU needs a better rationalisation of dispersed and uncoordinated institutional initiatives across various technological domains such as AI, autonomous systems, drones, and robotics to meet the stated ambitions to become a world leader in these sectors. The EU also needs a common vocabulary framework, systems architectures, and the establishment of a comprehensive work program and even more a political leadership breaking down national silos and sustaining European values and prosperity in a global digitalised world. We need comprehensive arrangements designed to inform its thinking and its ethical stance transparently and explicitly.

6 Conclusion AI will have significant development in many areas which ranges from automated mobility that diminishes emissions, congestion or traffic accidents to digital factories that enhances the capacity of production, from digitisation that enables a climatefriendly energy system to the healthcare system with its new diagnostic or medical monitoring and digitalisation in education. The governance of the AI at EU and international level is an ongoing process. Currently, the international governance is based on a puzzle of soft law recommendations, on somewhat unclear or unexplored self-regulatory framework and guidelines.

28

Hillison (2018).

9 AI Governance as a Patchwork: The Regulatory and Geopolitical Approach of. . .

245

There is a joint responsibility of national and EU regulatory authorities to support a culture of awareness. The institutional governance is based on coordination at international level through GPAI, and in this multicultural context it will be important to ensure the mutual understanding of regulations, in terms of purpose and content such as the potential impact of AI on the respect of Human Rights, the rule of law crossing traditional boundaries. A predictable AI framework will be a key element to ensure the attractiveness of the European business environment especially due to its impact on the main socio-economic drivers, companies, public administrations, hospitals, universities, transport platforms, public service providers— despite their localisation, in the rural or urban areas of Europe. Within the AI ecosystem, the choice of operators, infrastructures and their suppliers bring also risks relating not only to business opportunities and costs but also relating to the ethical use of AI and the respect of their security of data flows. In the past, the EU regulatory instruments had specific objectives such as setting up a basis for a custom union or creating conditions for the single market. Now, with the complexity of AI, people are tempted to lose their confidence in a poorly understood system. Failure to consider the importance of AI at EU level could lead third countries to reap the benefits of globalisation and increase the risk of serious damage to national economies as well as to the achievement of a digital single market. A predictable technology-neutral approach could be based on sectorial assessments and it will require efficient Member State coordination, cooperation with all stakeholders and adequate investments to cope with the challenges of AI. The ability of the EU in the international world to shape the future world, set priorities, promote the interests of citizens, businesses and societies, and decide in foreign policy and security depends on the ability of providing an efficient regulatory framework on AI that prevent potential attacks, malware, software, platform vulnerabilities, network vulnerabilities. The failure to provide a regulatory framework not only will generate an economic disadvantage, but it will have a negative impact on the EU’s ability to protect its strategic interests which is also justified by the fact that the commercial innovation already outpaces military R&D in many areas making it a AI a long-term principal for a geopolitical Europe. A regulatory approach should be formulated from a strategic foresight perspective on how the market is expected to develop over the next 10–15 years in various AI sectors. There is an important need for far-sighted EU legislation and policy multidisciplinary coordination. AI represents a new source of power and influence since corporations can develop digital services that are becoming essential to functions pertaining to public order and national security itself, eroding the traditional power of the nation state. Therefore, approaching AI with constant attention for the quality of its regulatory approach will support the EU to remain a strategic digital actor at international level.

246

C. Vanberghen and A. Vanberghen

References Deep Sharma G et al (2020) Artificial intelligence and effective governance: a review, critique and research agenda. Sustain Futures 2:1–6 Hachey K et al (2020) The impact of artificial intelligence on the military profession. In: Hachey K et al (eds) Rethinking military professionalism for the changing Armed Forces. Springer, Switzerland Hillison JR (2018) The relevance of the European Union and the North Atlantic Treaty Organization for the United States in the 21st Century. Strategic Studies Institute, US Army War College Kim S et al (2019) A leading cyber warfare strategy according to the evolution of cyber technology after the fourth industrial revolution. Int J Adv Comput Res 9(40):72–80 Koch BA (2019) Product Liability 2.0 – mere update or new version. In: Lohsse S et al. (eds) Liability for artificial intelligence and the internet of things. Hart, Oxford Libel T (2016) European military culture and security governance: soldiers, scholars and national defence universities. Routledge, London OECD (2019) Artificial Intelligence in Society (Summary). OECD Publishing, Paris, https://doi. org/10.1787/9f3159b8-en. Accessed 20 Aug 2020 Solum L (1992) Legal personhood for artificial intelligences. NC Law Rev 70:1231 Turner J (2019) Legal personality for AI. In: Robot rules. Palgrave Macmillan, London Van Duin S, Bakhshi N (2018) Whitepaper: Existing Artificial Intelligence-techniques explained https://www.deloitteforward.nl/en/artificial-intelligence/artificial-intelligence-whitepaper/. Accessed 20 Aug 2020

Chapter 10

Unboxing the Black Box of Artificial Intelligence: Algorithmic Transparency and/or a Right to Functional Explainability Apostolos Vorras and Lilian Mitrou

Abstract The major challenge is how to safeguard the right to informational selfdetermination and prevent harms to individuals caused by algorithmic activities and algorithm-driven outcomes. In the light of the growing impact of artificial intelligence on both society and individuals, the issue of ‘traceability’ of automated decision-making processes arises. In a broader perspective, the transparency obligation is articulated as a need to face ‘the opacity of the algorithm’, an issue that not only end users, but also the designers of a system, cannot deal with in a sufficient way. The ability to look inside the ‘black box’ of machine learning algorithms, in the obscure rationale of algorithm classifying new inputs or predicting unknown correlations and variables, protecting simultaneously commercial secrets and intellectual property rights, has provoked a significant debate between industry, data protection advocates, academics and policymakers. This chapter discusses the application of transparency and explainability principles to artificial intelligence, considering the nature, the inherent obstacles and the risks associated with such application, in the light of the new regulatory framework, and provides a pragmatic explanation as to why and how the black box will not become another Pandora’s Box.

1 Introduction The Fourth Industrial Revolution is ante portas and we are already witnessing the emergence of new technologies that are fusing the ‘analog’ and digital worlds, impacting all disciplines, economies and industries, the society and the state functions. In this new digital ecosystem, the modus operandi of decision-making centres is being transformed from traditional models to fully automated and intelligent ones, based on computer systems that process huge volumes of data and are therefore able to learn from their own experiences and solve complex problems in different

A. Vorras · L. Mitrou (*) Department of Information and Communication Systems Engineering, University of the Aegean, Karlovasi, Greece e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_10

247

248

A. Vorras and L. Mitrou

situations—abilities we previously thought were unique to mankind.1 This innovative decision-making process triggers risks for individuals’ fundamental rights, whereas it might also undermine the trust on lawfulness and fairness of the respective decisions. The major challenge, thus, is how to safeguard the right to informational selfdetermination and prevent harms to individuals caused by algorithmic activities and algorithm-driven outcomes. In the light of the growing impact of artificial intelligence on both society and individuals, the issue of ‘traceability’ of these automated decision-making processes arises. In a broader perspective, transparency obligation is articulated as a need to face ‘the opacity of the algorithm’, an issue that not only end users, but also the designers of a system, cannot deal with in a sufficient way.2 The ability to look inside the ‘black box’ of machine learning algorithms, in the obscure rationale of algorithm classifying new inputs or predicting unknown correlations and variables, protecting simultaneously commercial secrets and intellectual property rights, has provoked a significant debate between industry, data protection advocates, academics and policymakers.3 A preliminary issue concerns the applicable framework. As far as artificial intelligence systems involve or result in processing of personal data, the General Data Protection Regulation (GDPR)4 applies, providing for basic principles and the respective tools, such as data protection impact assessments (DPIAs) to achieve compliance including explicit provisions on the transparency principle. In particular, the GDPR obliges data controllers to inform data subjects about the key elements of processing, and the ‘existence of automated decision-making and to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing’.5 The latter is interpreted as the capacity to understand the general logic underpinning the way the algorithm works, which must therefore be explained in words rather than in lines of code.6 However, does this obligation include a right to an explanation of a solely automated decision? In other words, can the data subject request an explanation of the decision-making process once a decision has been reached, namely an explanation of how the artificial

1

See Norwegian Data Protection Authority (2018), p. 5. As underlined by the Commission Nationale de l’Informatique et des Libertés (‘CNIL’) ‘algorithms are not only opaque to their end users, the designers themselves are also steadily losing the ability to understand the logic behind the results produced’. For more information on the ‘engineering principles’, i.e. intelligibility, accountability and human intervention, see CNIL (2017), p. 51. 3 See Mitrou (2019), p. 54, as well as Wischmeyer (2020), p. 76 for a comprehensive list of policy papers, national planning strategies, expert recommendations, and stakeholder initiatives on AI transparency. 4 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 5 See Articles 13(2)(f) and 14(2)(g) respectively. 6 Supra n2. 2

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

249

intelligence model arrived at its result? And, if yes, what kind of information such an explanation might include? As it will be shown, the answer to these questions is controversial. This chapter discusses the application of the transparency principle in artificial intelligence, considering the nature, the inherent obstacles and the risks associated with such application, in the light of the new regulatory framework, and provides with a pragmatic explanation why and how the ‘black box’ will not become another ‘Pandora’s Box’.

2 The Black Box Artificial intelligence is an umbrella term7 embracing many different types of systems that display intelligent behaviour by analysing their environment and taking actions—with some degree of autonomy—to achieve specific goals.8 Such systems are allowed to think by creating mathematical algorithms based on accumulated data independently of human input. Deep learning techniques, built on the same principles as the brain’s neural network, can also feed these systems with a known set of training data, containing patterns or similarities that helps the self-learning process of algorithms. The end product is the generation of a model that can identify the patterns that emerge when new data is processed by the model.9 In the era of Big Data, due to the volume, velocity and variety of data,10 it is almost impossible to identify how these techniques are internalising massive

7 There is a lot of discussion and no consensus on the definition of artificial intelligence. One of the most commonly used definitions is the one provided by the EU High-Level Expert Group on Artificial Intelligence (2018), i.e. ‘systems designed by humans that, given a complex goal, act in the physical or digital world by perceiving their environment, interpreting the collected structured or unstructured data, reasoning on the knowledge derived from this data and deciding the best action (s) to take (according to pre-defined parameters) to achieve the given goal. AI systems can also be designed to learn to adapt their behaviour by analysing how the environment is affected by their previous actions’. Pursuant to the EU High-Level Expert Group on Artificial Intelligence, ‘AI as a scientific discipline includes several approaches and techniques, such as machine learning (of which deep learning and reinforcement learning are specific examples), machine reasoning (which includes planning, scheduling, knowledge representation and reasoning, search, and optimization), and robotics (which includes control, perception, sensors and actuators, as well as the integration of all other techniques into cyber-physical systems)’. For more information on AI definition and taxonomy see also Samoili et al. (2020). 8 See Communications from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions (2018). 9 Supra n1, p. 6. 10 Big Data deem to be the evolution of existing data analytics technologies. There is no clear difference between big data and traditional analytics. However, the following three characteristics are usually associated with the big data trend: Volume, i.e. the data generated are usually produced in large volumes, Velocity, i.e. data is generated at a high-speed pace and Variety, i.e. the data generated usually takes various formats or types. See European Commission (2017).

250

A. Vorras and L. Mitrou

amounts of data or/and how a trained program is arriving at its decisions or predictions.11 Artificial intelligence that relies on machine-learning algorithms, such as deep neural networks, can be as difficult to understand as the human brain, whereas rationalisation of the model generation is characterised as the ‘equivalent of neuroscience to understand the networks inside the brain’.12 It seems impossible to map out the decision-making process of these complex networks of artificial neurons. We can observe its inputs and outputs, but we cannot demonstrate why and how one becomes the other or/and which features, or which combinations of features, were critical to the final outcome. A model will often reach a conclusion without any explanation. This is the reason artificial intelligence decision-making process has been labelled as ‘black box’, a metaphor indicating a system, whose inner workings are mysterious.13 The mystery of ‘black box’ becomes today of utmost importance, since it is undisputable that we are moving towards an ‘Algorithmic Society’, a society organised around social and economic decision-making, supported or even solely based on algorithms, robots, and AI agents.14 Artificial intelligence has moved from the research lab to become part of our daily lives, which are affected more and more by decisions taken based on an algorithm. Algorithmic systems used as part of decision-making processes can have potentially significant consequences for individuals, organisations and societies. When used appropriately, with due care and assessment of its impacts on people’s lives, algorithmic systems may have great potential to improve human rights and democratic society.15 On the other hand, artificial intelligence systems might give rise to a host of unwanted, and sometimes serious, consequences. The most visible ones include discrimination, manipulation, unfair treatment, as well as disastrous repercussions, such as the loss of human life. An optimist would expect artificial intelligence to perform more objective analyses and therefore reach better decisions than human beings. And yet algorithms and models are no more objective and fair than the people who devise and design them, and choose the personal data sets that are used for training. Algorithms may be easily biased or limited and the outcome may be incorrect or discriminatory if the training data renders a biased picture reality, or if it has no relevance to the area in question.16 Therefore, it is crucial for data subjects to understand why and how a decision was reached and on the same side it is also a significant challenge for organisations, authorities and policymakers to understand these opaque systems and ensure a fair and legitimate treatment of individuals. In this respect transparency is a cornerstone of artificial intelligence and a prerequisite of fair decision-making.

11

See Bathaee (2018), p. 891. See Castelvecchi (2016), p. 20. 13 This term has been commonly used to describe the data-monitoring systems in planes. See Pasquale (2015), p. 320. 14 See Balkin (2017), pp. 1217 and 1219. 15 See Council of Europe (2017). 16 Supra n2, p. 16. 12

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

251

3 A Right to Explanation The transparency principle is also a key pillar of the GDPR,17 referring to the obligation of the controller to take any appropriate measure to keep the data subjects informed about how their data is being used. The underlying reasoning is that data subjects should be aware of any processing operations of their data and consequently the potential risks, to preserve control over their data, take their own decisions and exercise the rights granted to them. Article 13 and Article 14 of the GDPR deal with the right of data subjects to be informed, either in situations, where personal data was collected directly from them, or in situations where the data was not obtained from them, respectively. On automated decision-making, Articles 13(2)(f) and 14(2)(g) oblige data controllers to inform data subjects about the ‘existence of automated decision-making’ and to provide ‘meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing. . .’. One step further, Article 15 (1)(h) provides data subjects with a right to access to their personal data and to the aforementioned information. In addition, Article 22(3) sets an obligation to data controllers in the case of automated decision-making ‘. . .to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision’. Finally, Recital 71 GDPR provides for necessary guarantees given in cases of automated processing shall include ‘specific information . . . and the right to . . . obtain an explanation of the decision reached after such an [automated] assessment’. It derives from the aforementioned provisions, that [only] the preface states explicitly that the data subject is entitled to an explanation of how the model arrived at the result, in other words how the data was weighted and considered in the specific instance. However, the right to an explanation is not included as such in the text of the Regulation. The implications of the linguistic differences between the preface and the wording of the articles are unclear, but the preface itself is not legally binding and cannot of itself grant the right to an explanation. Is therefore a legitimate basis in the GDPR rendering the right to information into a ‘right to explanation’? Before examining whether the GDPR lays down a right to explanation, it is necessary to examine what is meant by ‘explanation’ of automated decision-making.18 Wachter, Mittelstadt and Floridi distinguish between the explanation of a system’s general functionality, and the explanation of specific decisions taken through or by an artificial intelligence system. According to this group of authors, explaining an automated decision-making system’s functionality means explaining

17 For an analysis of transparency principle, see Article 29 Working Party Guidelines on transparency under Regulation 2016/679, adopted on 29 November 2017 as last revised and adopted on 11 April 2018. 18 Other synonyms or related terms to ‘explainability’ used by scholars are ‘explicability’, ‘intelligibility’, ‘comprehensibility’, ‘understandability’ and ‘foreseeability’.

252

A. Vorras and L. Mitrou

its ‘logic, significance, envisaged consequences, and general functionality’. On the other hand, explaining specific decisions means explaining the rationale, ‘reasons, and individual circumstances of a specific automated decision, e.g. the weighting of features, [or] machine-defined case-specific decision rules’.19 Furthermore, one can also distinguish between explanations in terms of their time sequence in relation to the decision-making process: an ex ante explanation occurs prior to an automated decision-making taking place and to this end it can logically address only system functionality, as the rationale of a specific decision cannot be known before the decision is made; an ex post explanation occurs after an automated decision has taken place and it can address both system functionality and the rationale of a specific decision.20 Therefore, a meaningful right to explanation could only be related to the latter type of ex post explanation of specific decisions. A right to explanation has been heavily criticised by part of the legal theory.21 Opponents have placed the purposeful omission of such a right in the final draft version of GDPR at the forefront. Looking at previous drafts of the GDPR and commentary from the trilogue negotiations it seems that although the initial versions of the draft Regulation had strict safeguards in place on automated decision-making and profiling, these were eventually dropped, including a legally binding right to explanation of specific decisions.22 Furthermore, the normative status of recitals has been challenged. As Klimas and Vaitiukait explain, ‘Recitals have no positive operation of their own’ and ‘cannot cause legitimate expectations to arise’,23 whereas Baratta adds to this argumentation by underlying that ‘in principle the ECJ does not give effect to recitals that are drafted in normative terms. Recitals can help to explain the purpose and intent behind a normative instrument. They can also be taken into account to resolve ambiguities in the legislative provisions to which they relate, but they do not have any autonomous legal effect’.24 Finally, emphasis was given to ECJ’s case law, to enhance the argument that the remit of data protection law is not to assess the accuracy of the reasoning behind decisions and assessments, or the accuracy of decisions and assessments themselves.25 All this

19

See Ferretti et al. (2018), p. 322. See Wachter et al. (2017), pp. 76 and 78. 21 It seems that criticism was mostly intense prior to the issuance of Article 29 Working Party 251 Guidelines on Automated individual decision-making and profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, as last revised and adopted on 6 February 2018. 22 For a detailed analysis of the legislative process see Wachter et al. (2017), p. 81. 23 See Klimas and Vaitiukait (2008) p. 73. 24 See Baratta (2014). 25 See Wachter and Mittelstadt (2019), p. 499. The authors state further ‘this situation is not accidental. In standing jurisprudence, the European Court of Justice (ECJ; Bavarian Lager, YS. and M. and S., and Nowak) and the Advocate General (AG; YS. and M. and S. and Nowak) have consistently restricted the remit of data protection law to assessing the legitimacy of input personal data undergoing processing, and to rectify, block, or erase it. Critically, the ECJ has likewise made clear that data protection law is not intended to ensure the accuracy of decisions and decision-making processes involving personal data, or to make these processes fully transparent’. 20

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

253

argumentation has been heavily supported by the inherent nature of artificial intelligence systems, i.e. explaining the functionality of complex algorithmic decisionmaking systems and their rationale in specific cases is a technically challenging problem and most probably such explanations would offer little meaningful information to data subjects, raising questions about their value. However, today most scholars seem to agree that the reasoning is erroneous. Dismissing the possibility of the existence of the right to explanation altogether because recitals are not legally binding is too formalistic, in particular in the light of the ECJ’s case law, which regularly perceives recitals as an interpretative aid.26 According to Kaminski, ‘recitals are supposed to cast light on the interpretation to be given to a legal rule and though they cannot in themselves constitute such a rule, recitals are given a liminal legal status: they are not binding law, but they are often cited as authoritative interpretations where the GDPR is vague. . . In this context recitals can clarify how the GDPR’s standards should be applied and they often contain language that goes well beyond what is in the GDPR itself, reflecting the result of political compromise during negotiations. . . Recitals indeed cannot create new legal requirements, but the line between valid interpretation and invalid creation of new law can be hard to draw’.27 Having this in mind, Recital 71 is not deemed to be meaningless, but it has a clear role in assisting interpretation and co-determining positive law.28 Therefore, when scholars challenge the normative nature of the Recitals, ‘they are not only insisting on a technicality—distinguishing between harder and softer legal instruments—they are also disregarding the fundamentally collaborative, evolving nature of the GDPR, and removing important sources of clarity for data subjects as the law develops’.29 A similar perception on Recital 71 GDPR and its objective appears also in the Article 29 Working Party Guidelines that refer to Recital 71 as a conditio sine qua non for the effective protection of data subjects’ rights.30 Furthermore, the

26

See Brkan (2019), p. 13 and Wischmeyer (2020), p. 83 for respective case-law. See Kaminski (2019), p. 194. 28 See Selbst and Powles (2017), p. 235. 29 Kaminski (2019), p. 195. 30 WP29 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 make explicit references to Recital 71 and its purpose. In particular Recital 71 appears within the Guidelines three times: in page 19 ‘Recital 71 says that such processing should be “subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.”’ In page 27 ‘Recital 71 highlights that in any case suitable safeguards should also include: . . . specific information to the data subject and the right . . . to obtain an explanation of the decision reached after such assessment and to challenge the decision. The controller must provide a simple way for the data subject to exercise these rights. This emphasises the need for transparency about the processing. The data subject will only be able to challenge a decision or express their view if they fully understand how it has been made and on what basis’. And in Page 31 ‘Article 22 (3) and Recital 71 also specify that even in the cases referred to in 22(2)(a) and (c) the processing should be subject to suitable safeguards’. 27

254

A. Vorras and L. Mitrou

Guidelines make it clear that the GDPR establishes a version of individual algorithmic due process by creating an opportunity to be heard.31 In this context, the Guidelines require controllers to implement suitable measures to safeguard data subjects’ rights freedoms and legitimate interests,32 including inter alias ‘a mechanism for human intervention in defined cases, for example providing a link to an appeals process at the point the automated decision is delivered to the data subject, with agreed timescales for the review and a named contact point for any queries’. This human-in-the-loop approach has been also raised by the data protection authorities. The Information Commissioner’s Office (ICO) in the United Kingdom acknowledges that the rights to obtain human intervention and explanation set new challenges to industry and developers and requires from ‘Big Data organisations to exercise caution before relying on machine learning decisions that cannot be rationalised in human understandable terms’.33 The French Commission Nationale de l’Informatique et des Libertés (CNIL) gives precedence to algorithm explicability or intelligibility over transparency: ‘What would seem to matter . . . . is the capacity to understand the general logic underpinning the way the algorithm works. It should be possible for everyone to understand this logic, which must therefore be explained in words rather than in lines of code. The key thing is not that the code be transparent, but that we understand what goes in and comes out of the algorithm and its objective. This is what must be transparent’.34 At institutional level, the European Parliament acknowledges in its Resolution on automated decision-making processes35 the potential of these processes to deliver innovative and improved services to consumers, including new digital services such as virtual assistants and chatbots. However, the Parliament clarifies that ‘when interacting with a system that automates decision-making and in light of the significant impact that it can have on consumers, one should be properly informed about

31

Kaminski (2019), p. 204. Pursuant to the Guidelines, safeguards related to Art. 22 GDPR and Recital 71 include indicatively: ‘Regular quality assurance checks of the systems to make sure that individuals are being treated fairly and not discriminated against, whether on the basis of special categories of personal data or otherwise; algorithmic auditing—testing the algorithms used and developed by machine learning systems to prove that they are actually performing as intended, and not producing discriminatory, erroneous or unjustified results; for independent ‘third party’ auditing auditors shall be provided with all necessary information about how the algorithm or machine learning system works; obtaining contractual assurances for third party algorithms that auditing and testing has been carried out and the algorithm is compliant with agreed standards; specific measures for data minimisation to incorporate clear retention periods for profiles and for any personal data used when creating or applying the profiles; using anonymisation or pseudonymisation techniques in the context of profiling; ways to allow the data subject to express his or her point of view and contest the decision; and a mechanism for human intervention in defined cases, for example providing a link to an appeals process at the point the automated decision is delivered to the data subject, with agreed timescales for the review and a named contact point for any queries’. 33 See ICO (2017), p. 54. 34 See CNIL (2017), p. 51. 35 See European Parliament (2020). 32

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

255

how it functions, about how to reach a human with decision-making powers, and about how the system’s decisions can be checked and corrected’. To this end, the Resolution highlights the importance for these systems ‘not only to use high-quality and unbiased data sets but also to use explainable, transparent and unbiased algorithms, whereas review structures should be set up to remedy possible mistakes in automated decisions’. As per the Parliament’s positioning, ‘humans must always be ultimately responsible for, and able to overrule, decisions that are taken on the basis of automated decision making processes’. In a similar, but more direct approach, the Joint Research Centre recently issued a Technical Report emphasising the need of an ‘explainability-by-design approach’ for AI systems with potential negative impacts on fundamental rights of users.36 By virtue of this Report, human supervision can only be effective if the person reviewing the process can be in a position to assess the algorithmic processing carried out, which in turn, implies that such processing should be understandable. Beyond the GDPR, it is worthy to mention that other contemporary legislative acts have also addressed algorithmic transparency and accountability towards the direction. It is indicative, that the French Loi pour une Republique numerique (‘Digital Republic Act’)37 provides for a right to an explanation of administrative algorithmic decisions made about individuals, specifying that in the case of decisions based on algorithmic treatment, the rules that define that treatment and its ‘principal characteristics’ must be communicated upon request of the affected individuals. Furthermore, administrative authorities are requested to provide information about the degree and the mode of contribution of the algorithmic processing to the decision-making, the treatment parameters and, where appropriate, their weighting, applied to the situation of the person concerned.

4 Algorithmic Transparency: A Pragmatic Issue Adopting the approach that the GDPR indeed provides for an individual right to explanation, a pragmatic issue arises, namely, how a decision-making process based on artificial intelligence can be explained in simple words and what kind of information this should include. The difficulties of artificial intelligence’s rationalisation process, particularly unsupervised models,38 have been particularly pointed out in theory. A commonly acknowledged, intrinsic difficulty is the complexity linked to the scale of data, the modularity of algorithms, iterative processing and randomised

36

See Hamon et al. (2020), p. 25. Loi n
2016-1321 du 7 octobre 2016 pour une République numérique. 38 Unsupervised learning forms one of the three main categories of machine learning, along with supervised and reinforcement learning. It is a type of machine learning that looks for previously undetected patterns in a data set with no pre-existing labels and with a minimum of human supervision. 37

256

A. Vorras and L. Mitrou

tiebreaking, which may represent a major challenge for human cognition.39 In addition, the dynamic nature of many algorithms is apparently contradictory to the static nature of transparency. Algorithms are continuously updated and changed, whereas any transparency disclosure only concerns the algorithm as it is being used at a given moment.40 Decontextualisation is also a technical barrier, where algorithmic models originally used for one purpose are then re-used in a different context and for a different purpose.41 However, machine learning is not a monolithic concept, but it comprises a variety of techniques, which range from traditional linear regression models and decision tree algorithms to different types of neural networks. The difficulty to establish a causal nexus ex post between a specific input and a specific output differs considerably between these techniques.42 Machine learning algorithms, such as decision trees, Bayesian classifiers, additive models, and spare linear models seem to be more likely to generate interpretable models, in the context that each model component (e.g. weight of a feature in a linear model, a path in a decision tree, or a specific rule) and its role in the whole process can be identified. These algorithms use a reasonably restricted number of internal components (i.e. paths, rules, or features), which could provide traceability and transparency in their decision-making. In contrast, deep learning algorithms, such as those employed to develop applications based on highdimensional inputs, speech recognition, image recognition, and natural language processing, apply complex connections across layers of the network that yield highly nonlinear associations between inputs and outputs.43 In such cases, it seems that the more parameters—in a nonlinear connection—a system considers during the decision-making process, the less comprehensible for human minds becomes the model. Apart from the technical limitations, deriving from the dynamic and unpredictable nature of algorithms, we should not also ignore the legal and regulatory barriers set to algorithmic transparency. Transparency about models and processes could infringe intellectual property rights or/and trade secrets, which in turn constitute a valid argument for the restriction of information to be provided.44 Competition and security obligations of data controllers could also provide limitations on access to algorithms.45 Businesses are quite reluctant to provide information on their assets, since it constitutes a competitive advantage that cannot be shared. In 39

See Lipton (2018), p. 13. An increasing number of AI-based systems possesses in-built feedback loops, which allow them to constantly adjust the weight of their variables depending on the effects of their algorithms on the users. See Wischmeyer (2020), p. 82. 41 See Donovan et al. (2018), p. 7. 42 Supra n40, p. 81. 43 See Rai (2020). 44 Recital 63 GDPR explicitly states ‘That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software’. 45 See Veale et al. (2018). 40

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

257

a similar context, privacy and security experts warn over the risks and threats of publishing information related to internal systems and structures that might lead to enhanced cyberattacks.46 State secrets and pursue of public interests present another legal ground for restricting to right to information as they cannot be revealed to the public.47 Finally, the lack of access to information regulation, which would require the operators of AI-based systems to grant supervisory authorities and other third parties, including auditors, access to the code, the databases, the statistical models, the IT infrastructures, has been identified as a regulatory barrier.48 Serious concerns have also been expressed with respect to the impact of this new right on AI industry as well as on AI development in general. Pure access to algorithms does not deem to be a sufficient parameter to explain and understand a decision-making process. Therefore, businesses need resources in terms of time and skills to perform this kind of analysis.49 According to Mittelstadt et al., ‘explainability may prove particularly disruptive for data intensive industries. . . . [given the connectivity and dependencies of algorithms and datasets in complex information systems, and the tendency of errors and biases in data and models to be hidden over time]’. Other authors argue that the GDPR’ extensive protection of data privacy rights restrains the use of AI’s most useful features: autonomy and automation ‘risking to impair one of AI’s most useful purposes: automated decisions and forecasts’.50

5 Towards a Qualified Transparency A right to explanation does not necessarily mean to open the ‘black box’. As discussed, the information provided must enable the data subject to understand why a particular decision was reached to provide grounds to contest adverse decisions and, what could be changed to receive a desired result in the future based on the current decision-making model.51 Therefore, in this context, access to a full scale algorithmic analysis and technical information might be of little or even of no value for data subjects.52 To the contrary, there are in fact a number of elements Wischmeyer refers to ‘the legitimate interests of the system operators in AI secrecy which make individual access to information rights in this field a delicate balancing act’. See Wischmeyer (2020), p. 79. 47 See Burrell (2016), p. 3. 48 Supra n3, p. 82. 49 See Ananny and Crawford (2016), p. 7. 50 See Mitrou (2019), p. 72. 51 See Wachter et al. (2018). The authors introduced the concept of ‘counterfactual explanations’, according to which only those factors of an AI-based decision-making process must be disclosed that would need to change to arrive at a different outcome. 52 Recital 58 GDPR acknowledges that the principle of transparency is ‘of particular relevance in situations where the proliferation of actors and the technological complexity of practice makes it 46

258

A. Vorras and L. Mitrou

of the algorithmic process that could be disclosed ad hoc to data subjects in the context of meaningful transparency.53 Τhese are especially information about human involvement, [information about] the type of input data and the expected output, quality of data (e.g. information about how training data have been collected and labelled, reliability of sources, accuracy and timeliness), the model and architecture of the algorithm, its variables and their weight and the inferencing (including the margin of error predicted).54 Moreover, explainability and transparency shall not be limited to or related with an information obligation towards data subjects to enable them to contest a decision. These rights are paramount to ensuring that artificial intelligence systems are not biased or faulty and are directly correlated to the principles of fairness and accountability. Algorithmic transparency is, therefore, part of algorithmic accountability, i.e. the principle that an algorithmic system should employ a variety of controls to ensure the operator can verify it acts in accordance with its intentions, as well as identify and rectify harmful outcomes.55 In broad terms, the principle of accountability places upon data controllers the burden of implementing within their organisations specific measures to ensure that data protection requirements are met. Such measures could include the implementation of data protection impact assessments or employing a privacy-by-design system architecture. It is necessary for data controllers to establish clear governance frameworks for algorithmic transparency and accountability and to make sure that the risk and benefits are equitably distributed in a way that does not unduly burden or benefit particular individuals or sectors of society. Otherwise, there is growing concern that—unless appropriate governance frameworks are put in place—the opacity of algorithmic systems could lead to situations, where individuals are negatively impacted, without having the opportunity to recourse to meaningful explanation or/and a correction mechanism.56 This far-reaching requirement means that an explanation should be available, traceable and auditable;57 an explanation on how artificial intelligence systems influence and shape the decision-making process, on how they are designed, and difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him are being collected, such as in the case of online advertising’. Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 on the other side states that ‘It has to be noted that complexity is no excuse for failing to provide information to the data subject’ (2018). 53 The Council of Europe (2019) makes use of a similar definition, i.e. ‘effective transparency’, in the context that the underlying goal of increasing transparency shall not always apply in parallel with the demand for ‘more data’. 54 See Kamarinou et al. (2017), pp. 23f. 55 See New and Castro (2018), p. 4. 56 See European Parliament, European Parliamentary Research Service (2019a) EU guidelines on ethics in artificial intelligence: Context and implementation. 57 An algorithmic auditing has been heavily supported in theory. The Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 provides for safeguards, including quality assurance checks, algorithmic auditing, independent third-party auditing.

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

259

on what is the rationale for deploying them. The Article 29 Working Party Guidelines envision ongoing testing and feedback into an algorithmic decision-making system to prevent errors, inaccuracies, and discrimination. Individuals might not have access to source code, datasets or purely technical information, but other parties, such as the regulatory authorities, do.58 This happens since transparency can take several different meanings, based on the specific circumstances. It can mean public posting of information, access upon request to the public or authorised people, results reported to regulatory bodies, direct inspection of internal processes, the outcome of the manufacturer’s or operator’s tests of the system for accuracy and fairness, delivery of complete subsystems and their data for testing by authorised people, access to computer scientists and managers to explain algorithmic or operational processes.59 Transparency is therefore not a single property to be applied blindly to every element of every algorithmic system. It should be applied differently to different systems depending on the nature of the algorithmic system, the complex circumstances that lead to the need for governance, and the goals of that governance.60 Kaminski aptly notes that ‘it seems that the GDPR comes closest to creating what Frank Pasquale has called qualified transparency: a system of targeted revelations of different degrees of depth and scope aimed at different recipients. Transparency in practice is not limited to revelations to the public, but it includes putting in place internal company oversight, oversight by regulators, oversight by third parties, and communications to affected individuals. Each of these revelations may be of a different depth or kind; an oversight board might get access to the source code, while an individual instead might get clearly communicated summaries that she can understand’.61

58

This requirement derives from the perspective that individuals do not necessarily possess—nor do they need to develop—the competence to evaluate complex matters on their own. To this end, they can and should rely on experts and public institutions, especially the courts, to which they can bring their complaints and which can exercise their more far-reaching investigatory powers. 59 In other words, different groups of stakeholders, including citizens, consumers, the media, parliaments, regulatory agencies, and courts are entitled to access to different degrees of information. 60 New and Castro (2018), p. 18. Wischmeyer, indicatively, suggests that regulators have to perform a balancing test regarding AI secrecy and AI transparency considering the following factors: (1) The criticality of the sector in which the system is employed; (2) the relative importance of the system operator for this sector; (3) the quality and weight of the individual and collective rights which are affected by the deployment of the system; (4) the kind of data concerned; (5) how closely the technology is integrated into individual decision-making processes; (6) and, finally, whether and how it is possible to protect the legitimate interest of the system operators in AI secrecy through organisational, technical or legal means. For more information supra n2, Wischmeyer (2020) p. 94. 61 Kaminski (2019), p. 210.

260

A. Vorras and L. Mitrou

6 The Way Forward It is undisputable that this conversation over transparency and explainability will be ongoing, since there are still several open challenges for artificial intelligence systems. The main challenge remains, how to convert ‘black box’ to ‘glass box’ models, without stifling innovation. Each actor, either private or public, has its own significant role in this process. There are currently numerous scientific projects in progress in the field of Explainable AI (XAI).62 Much recent work of computer scientists focuses on analysing root causes of artificial intelligence-based decisions, exploring techniques, developing in-built analytical tools able to perform such tasks and present them in a way that is comprehensible for human beings. At the same time, data controllers or/and processors, are already requested to apply, in terms of accountability, certain technical and organisational measures63 to ensure compliance with GDPR principles. One of these measures that is expected to have further implications for artificial intelligence development and applications is the execution of data protection impact assessments (DPIAs) for high-risk activities.64 DPIAs form part of a more general ‘risk-based approach’ to data protection, intended to turn regulation of data processing towards risk management practices.65 Despite the uncertainty of ‘high risk threshold’, it is highly likely that most artificial intelligence/machine learning applications fall into the category of processing for which a DPIA should be conducted.66 Therefore, it is of major importance, both in the private and the public sector, DPIAs to be conducted on the development and application of artificial intelligence systems and automated decision-making, to assess the risks and impacts on individuals and to identify possible mitigation measures. It is equally critical to see, how data controllers in various business sectors perceive the notion of transparency and explainability and embed them in the respective DPIAs and what will be the rules and findings of the national supervisory authorities or/and the courts on these DPIAs accordingly.

62 See indicatively, Norwegian Data Protection Authority (2018), p. 27 and European Parliament, European Parliamentary Research Service (2019c) Understanding algorithmic decision-making: Opportunities and Challenges, p. 1. 63 E.g. implementation of privacy by design and by default principles for any personal data related projects, designation of data protection officers with the required technical skills to ensure compliance with the privacy legal and regulatory framework etc. 64 ‘High risk’ data processing activities are indicatively listed in the GDPR (Art. 35 and Recitals 75 and 91 GDPR), further clarified by Article 29 Working Party Guidelines and complemented by the national data protection authorities. 65 Mitrou (2019), p. 61. 66 AI applications deem to meet several of the criteria set above (supra n63), since they (a) involve novel technologies, (b) process personal data on a large scale, (c) produce legal effects on data subjects based on a systematic and extensive evaluation of personal aspects. The ICO in its report on big data, artificial intelligence, machine learning, and data protection (ICO 2017) notes firmly that ‘potential privacy risks’ have already been identified with ‘the use of inferred data and predictive analytics’.

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

261

Regulators and policymakers, on the other hand, are also expected to play a key role in the development of artificial intelligence. It has to be noted that already there are calls—among others—for policy-making involvement and technology specific legislation; for the creation of a regulatory body for algorithmic decision-making tasked with defining criteria that can be used to differentiate acceptable algorithmic decision-making systems and systems that should be prohibited; for strict and explicit obligations falling on algorithmic decision-making system providers (such as the obligation to make their systems auditable) and for the establishment of certifications regimes.67 In this context, regulation is a pivotal parameter for the future of artificial intelligence, since it is expected to increase openness and transparency, limit flaws and inequalities and provide for legal certainty in society. On the other side, a heavy regulation or an advanced oversight could also increase bureaucracy, hinder the technological development and increase time to market for the commercial exploitation of artificial intelligence products. To this end, policymakers are requested to find a balance between fostering innovation and digital transformation, protecting individuals’ rights, and addressing any potential unintended consequences. To achieve this objective and as emerging technologies evolve, policymakers will have to leave behind traditional regulatory models to rethink their approaches and to explore hybrid, collaborative, outcome-based co-regulation and self-regulation models. Finally, it is of utmost importance that these models adopt a human-centric approach to artificial intelligence, able to ensure that human values are central to the way in which artificial intelligence systems are developed, deployed, used and monitored. These systems shall ensure respect for all fundamental human rights, all of which are united by reference to a common foundation rooted in respect for human dignity, in which the human being enjoys a unique and inalienable moral status.68 Within such a regime, and in view of any new technological developments with unknown or opaque effects on both society and individuals, it is our legal and moral obligation to find the way to shed light upon ‘black boxes’, in a Protagorian human-centric perspective holding that ‘πάντων χρημάτων μετρoν ἐστὶν ἄνθρωπoς’ (‘man is the measure of all things’).

67

See European Parliament, European Parliamentary Research Service (2019c) Understanding algorithmic decision-making: Opportunities and Challenges, p. 73. 68 European Parliament, European Parliamentary Research Service (2019b) EU guidelines on ethics in artificial intelligence: Context and implementation, p. 3.

262

A. Vorras and L. Mitrou

7 Synopsis Transparency is a key notion and principle of the personal data protection performed based on machine learning techniques, since it safeguards the right to informational self-determination and prevents harms to individuals caused by algorithmic activities and algorithm-driven outcomes. GDPR, the landmark for privacy legislation worldwide, sets the framework and enhanced transparency obligations for data controllers at the forefront. Data protection authorities, European Union institutions and the majority of legal theory acknowledge that GDPR provisions provide also for a ‘right to explanation’ of automated decision-making processes. In practice, this implies a qualified transparency mechanism, i.e. the relevance of an explanation shall be subject to the targeted audience: explaining the decision to an end user, to a technical engineering team, to a certification body or to a supervisory authority requires different tools and approaches, and shall be performed considering the technical limitations of AI interpretability, the underlying legal and regulatory barriers, as well as the legitimate expectations of stakeholders. Algorithmic transparency and explainability are not a standalone obligation but form an integral part of an overall algorithmic accountability regime, by virtue of which data controllers are required to employ a variety of controls and mechanisms to achieve compliance of algorithmic systems and data processing with the privacy framework. As technology evolves, the challenge of ‘black box’ will be also transformed and ongoing, whereas regulators and policymakers will have to face the dilemma, how to ensure privacy in the life cycle of artificial intelligence systems, without stifling innovation.

References Ananny M, Crawford K (2016) Seeing without knowing: limitations of the transparency ideal and its application to algorithmic accountability. New Media Soc 20(3):973–989 Article 29 Data Protection Working Party (2018) Guidelines on automated individual decision making and profiling for the purposes of regulation 2016/679 (wp251rev.01) Article 29 Working Party Guidelines on transparency under Regulation 2016/679, adopted on 29 November 2017 as last revised and adopted on 11 April 2018 Balkin J (2017) The three laws of robotics in the age of big data. Ohio State Law J 78:1217–1241. https://ssrn.com/abstract¼2890965. Accessed 30 Mar 2020 Baratta R (2014) Complexity of EU law in the domestic implementing process. In the 19th Quality of Legislations Seminar “EU Legislative Drafting: Views from those applying EU law in the Member States” Brussels, 3 July 2014. https://ec.europa.eu/dgs/legal_service/seminars/ 20140703_baratta_speech.pdf. Accessed 30 Mar 2020 Bathaee Y (ed) (2018) The artificial intelligence black box and the failure of intent and causation. Harv J Law Technol 31:2 Brkan M (2019) Do algorithms rule the world? Algorithmic decision-making in the framework of the GDPR and beyond. Int J Law Info Technol 1:13–20

10

Unboxing the Black Box of Artificial Intelligence: Algorithmic. . .

263

Burrell J (2016) How the machine ‘thinks’: understanding opacity in machine learning algorithms. Big Data Soc 2016:1–12. https://doi.org/10.1177/2053951715622512 Castelvecchi D (2016) Can we open the Black Box of AI? Nature 538(7623):20–23 Commission Nationale de l’Informatique et des Libertés (CNIL) (2017) How can humans keep the upper hand? The ethical matters raised by algorithms and artificial intelligence. https://www. cnil.fr/sites/default/files/atoms/files/cnil_rapport_ai_gb_web.pdf. Accessed 30 Mar 2020 Communications from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions, Artificial Intelligence for Europe, SWD(2018) 137 final Council of Europe (2017) Study on the human rights dimensions of automated data processing techniques (in particular algorithms) and possible regulatory implications, Prepared by the Committee of Experts on Internet Intermediaries (MSI-NET). https://rm.coe.int/study-hrdimension-of-automated-data-processing-incl-algorithms/168075b94a. Accessed 30 Mar 2020 Council of Europe (2019) Consultative Committee of the Convention or the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), Report on Artificial Intelligence, Artificial Intelligence and Data Protection: Challenges and Possible Remedies. https://rm.coe.int/artificial-intelligence-and-data-protection-challenges-and-possi ble-re/168091f8a6. Accessed 30 Mar 2020 Donovan J, Matthews J, Caplan R, Hanson L (2018) Algorithmic accountability: a primer. https:// datasociety.net/output/algorithmic-accountability-a-primer/. Accessed 30 Mar 2020 EU High-Level Expert Group on Artificial Intelligence (2018) A definition of AI: main capabilities and scientific disciplines. EU Commission. https://ec.europa.eu/digital-single-market/en/news/ definition-artificial-intelligence-main-capabilities-and-scientific-disciplines Accessed 30 Mar 2020 European Commission, Digital Transformation Monitor (2017) Big data: a complex and evolving regulatory framework. https://ec.europa.eu/growth/tools-databases/dem/monitor/sites/default/ files/DTM_Big%20Data%20v1_0.pdf. Accessed 30 Mar 2020 European Parliament, European Parliamentary Research Service (2019a) Governance framework for algorithmic accountability and transparency. https://www.europarl.europa.eu/RegData/ etudes/STUD/2019/624262/EPRS_STU(2019)624262_EN.pdf. Accessed 30 Mar 2020 European Parliament, European Parliamentary Research Service (2019b) EU guidelines on ethics in artificial intelligence: context and implementation. https://www.europarl.europa.eu/RegData/ etudes/BRIE/2019/640163/EPRS_BRI(2019)640163_EN.pdf. Accessed 30 Mar 2020 European Parliament, European Parliamentary Research Service (2019c) Understanding algorithmic decision-making: opportunities and challenges. https://www.europarl.europa.eu/RegData/ etudes/STUD/2019/624261/EPRS_STU(2019)624261_EN.pdf. Accessed 30 Mar 2020 European Parliament Resolution of 12 February 2020 on automated decision-making processes: ensuring consumer protection and free movement of goods and services. https://www.europarl. europa.eu/doceo/document/TA-9-2020-0032_EN.html. Accessed 30 Mar 2020 Ferretti A, Schneider M, Blasimme A (2018) Machine learning in medicine: opening the new data protection Black Box. Eur Data Prot Law Rev 4:320–332. https://doi.org/10.21552/edpl/2018/ 3/10 Hamon R, Junklewitz H, Sanchez I (2020) Robustness and explainability of artificial intelligence from technical to policy solutions, Publications Office of the European Union, Luxembourg. https://doi.org/10.2760/57493 Information Commissioner Office (ICO) (2017) Big data, artificial intelligence, machine learning and data protection Kamarinou D, Millard C, Singh J (2017) Machine learning with personal data. In: Leenes R, Brakel R, Gutwirth S, De Hert R (eds) Data protection and privacy: the age of intelligent machines. Hart, Oxford Kaminski M (2019) The right to explanation, explained. Berkeley Technol Law J 34:189–218. https://doi.org/10.15779/Z38TD9N83H

264

A. Vorras and L. Mitrou

Klimas T, Vaitiukait J (2008) The law of recitals in European Community legislation. ILSA J Int Comp Law 15(1):65–93 Lipton ZC (2018) The mythos of model interpretability. In machine learning, the concept of interpretability is both important and slippery. ACMQueue 16(3). https://queue.acm.org/ detail.cfm?id¼3241340. Accessed 30 Mar 2020 Mitrou L (2019) Data protection, artificial intelligence and cognitive series. Is the General Data Protection Regulation (GDPR) “Artificial Intelligence-proof”? https://ssrn.com/ abstract¼3386914 or https://doi.org/10.2139/ssrn.3386914. Accessed 30 Mar 2020 New J, Castro D (2018) How policymakers can foster algorithmic accountability. Information Technology and Innovation Foundation, Washington DC Norwegian Data Protection Authority (2018) Artificial intelligence and privacy. https://www. datatilsynet.no/globalassets/global/english/ai-and-privacy.pdf. Accessed 30 Mar 2020 Pasquale F (2015) The Black Box Society: the secret algorithms that control money and information. Harvard University Press, Massachusetts Rai A (2020) Explainable AI: from black box to glass box. J Acad Mark Sci 48:137–141 Samoili S, López Cobo M, Gómez E, De Prato G, Martínez-Plumed F, Delipetrev B (2020) AI Watch. Defining Artificial Intelligence. Towards an operational definition and taxonomy of artificial intelligence, EUR 30117 EN, Publications Office of the European Union, Luxembourg Selbst A, Powles J (2017) Meaningful information and the right to explanation. Int Data Privacy Law 7:233–242 Veale M, Reuben B, Edwards L (2018) Algorithms that remember: model inversion attacks and data protection law. Philos Trans R Soc A Math Phys Eng Sci 376(2133). https://doi.org/10. 1098/rsta.2018.0083 Wachter S, Mittelstadt B (2019) A right to reasonable inferences: re-thinking data protection law in the age of big data and AI. Columbia Bus Law Rev 2019(2):494–620 Wachter S, Mittelstadt B, Floridi L (2017) Why a right to explanation of automated decisionmaking does not exist in the General Data Protection Regulation. Int Data Private Law 7:76–99 Wachter S, Mittelstadt B, Russell C (2018) Counterfactual explanations without opening the Black Box: automated decisions and the GDPR. Harv J Law Technol 31:841–887 Wischmeyer T (2020) Artificial intelligence and transparency: opening the Black Box. In: Wischmeyer T, Rademacher (eds) Regulating artificial intelligence. Switzerland, pp 75–101

Chapter 11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration? Theodoros Chiou

Abstract Human inspiration process is not copyright-restrained. Indeed, contours of copyright protection are based on the “traditional” creativity process paradigm, where the access to previous—even copyrighted—works and their “use” as source of inspiration, e.g., reading a book or contemplating a painting, is outside copyright law coverage. In these cases, any “copy” of accessed work(s) takes place only in the brain and memory of the (human) creator. Besides, creative “data” contained in copyrighted works, including patterns, concepts, styles and other creative features are simple “ideas” that lie outside the realm of copyright protection. In our days, a new creativity paradigm is rising. AI systems may emulate several types of human behavior in terms of computational processes, among which, the creation of a big variety of artistic works. In a nutshell, machines “learn” how to be creative through Machine Learning, i.e., a computational learning process implying the use of specifically designed learning algorithms that employ as training material a corpus composed by thousands of existing works, such as texts, images, musical compositions and other, which may also be copyrighted. By repeated training, the machine detects creative features and patterns within the corpus of data and extracts a robust set of creation rules (model), based on which it produces a machinegenerated creative output, namely, an algorithmic creation. This process could be characterized as “algorithmic creativity.” However, machine learning is a copy-reliant technology and “algorithmic inspiration” involves the realization of genuine (digital) copies of any work used as training material within the algorithmic creativity process. This, in principle, triggers copyright law application and, consequently, “inspirational” copying of works requires—in principle—prior authorization from rightholders, unless if copyright exceptions apply. The present paper aims to assess whether “algorithmic inspiration” is out of monopolistic control under the current European Copyright Law and attempts to express some reflections in order to make EU copyright rules cope with the raising new creativity paradigm, without monopolizing inspiration.

T. Chiou (*) University of Athens, School of Law, Department of Private Law Α, Athina, Greece e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_11

265

266

T. Chiou

1 Introduction The present chapter could be introduced by the reminder of two tenets and one fact that characterize copyright law and its development: (1) there is not parthenogenesis in art and science,1 (2) copyright protection scope is inherently limited, meaning that some uses of protected works are not and cannot fall under the realm of copyright monopoly,2 and (3) evolution of copyright law is shaped by the interaction between technological advances and normative adaptation thereto.3 The advent of Artificial intelligence (AI) brings again the above considerations at the forefront. AI is a significant technological advance which is described as “the new electricity” to depict the significant change that is expected to bring in the development of human civilization, along with the so-called “4th Industrial Revolution.”4 AI refers to the development of machines that can learn and achieve autonomous decision making, with limited or no human involvement. Among the vast number of AI applications, AI applies also to the artistic world and the creation of works. Indeed, “intelligent” and “creative” machines5 are able to produce—autonomously to some extent—creative and artistic output, such as translated texts,6 musical compositions,7

1 Compare the quote of T.S. Eliot: “Immature poets imitate; mature poets steal; bad poets deface what they take, and good poets make it into something better, or at least something different.” See also the famous quote: Nanos gigantumhumerisinsidentes [Standing in the shoulders of giants], which means “Using the understanding gained by major thinkers who have gone before in order to make intellectual progress” (see https://en.wikipedia.org/wiki/Standing_on_the_shoulders_of_ giants) (Accessed 5 May 2020). The phrase, in its first western metaphor from Greek Mythology, is attributed to Bernard of Chartres. It has been used in the field of scientific discoveries and employed also by Isaac Newton. 2 Cf. Mezei (2020), p. 1: “copyright law is not a limitless fiction.” 3 Cf. Recital 3 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC. OJ L 130/92 (hereinafter: the DSM Directive): “Rapid technological developments continue to transform the way works and other subject matter are created, produced, distributed and exploited.” 4 On that topic, from a legal perspective see among others, Skilton and Hovsepian (2018), passim. Cf. Committee on Legal Affairs of the EU Parliament (2020), p. 4, C: “[. . .] recent developments in artificial intelligence (AI) represent a significant technological advance that is generating opportunities and challenges for European citizens, businesses and creators.” 5 For the connection between intelligence and creativity see among others Schönberger (2018), pp. 3–4 and references mentioned therein. 6 See for instance Google translate (https://translate.google.com/) (Accessed 5 May 2020) and DeepL Translator (https://www.deepl.com) (Accessed 5 May 2020). 7 See for instance AIVA (www.aiva.ai), titled as “The Artificial Intelligence composing emotional soundtrack music.”

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

267

paintings,8 or even poems9 and novels.10 The term “Generative art”11 or “algorithmic art”12 or simply “AI Art”13 is coined for artistic productions created by means of intelligent machines, while algorithmic artists are often called “algorists.”14 The creation of self-standing algorithmic art by means of intelligent machines may be implemented either by the programmers that developed the machine themselves, or by users who interact with the machine.15 Alternatively, intelligent machines may be used by creators (users of the machine) as a dynamic creative tool that offers the advantages of the so-called “augmented creativity”: the generative output of the machine will be used as source of inspiration and/or will be incorporated by the creator as part of the final work.16 AI systems are based on software that is programmed to learn how to mimic human behavior.17 This is mainly achieved by means of a method called machine learning (ML).18 In a nutshell, the basic idea behind ML is to train the machine by implementing a training algorithm through the processing and analysis of thousands of examples of a given phenomenon that relates with the learning objectives. These examples take the form of corpora of (big) training data sets (so-called training data) that are abundant in today’s big data-driven era.19

8 See for instance the Edmond de Belamy portrait (2018), a painting printed on canvas and created by algorithm. For more information see: https://en.wikipedia.org/wiki/Edmond_de_Belamy. The painting in question was the first artwork created using Artificial Intelligence to be sold at a Christie’s auction. See https://www.christies.com/features/A-collaboration-between-two-artistsone-human-one-a-machine-9332-1.aspx. Accessed 5 May 2020. 9 See the interesting website http://botpoet.com/ (Accessed 5 May 2020), which implements a Turing test for poetry and the user is called to guess whether the poem is written by a human or by a computer. 10 See for instance the novel “1 The Road” (Jean Boîte Editions 2018), with “Writer of writer” Ross Goodwin. More information at: https://en.wikipedia.org/wiki/1_the_Road (Accessed 5 May 2020) and https://jean-boite.fr/products/1-the-road-by-an-artificial-neural (Accessed 5 May 2020). 11 See https://en.wikipedia.org/wiki/Generative_art (Accessed 5 May 2020). 12 See https://en.wikipedia.org/wiki/Algorithmic_art (Accessed 5 May 2020), although mentioning that the term mainly refers to visual (algorithmic) art. 13 See: https://en.wikipedia.org/wiki/Artificial_intelligence_art (Accessed 5 May 2020). 14 See Verostko (n.d.). 15 See the distinction between “fully-generative machines” and “partially generative machines” at Ginsburg and Budiardjo (2019), pp. 411 ff. 16 For this type of AI system in the field of musical composition, see e.g., FlowMachines (http:// www.flow-machines.com) (Accessed 5 May 2020), which is titled as “AI Assisted Composing System”. Recently the service Flow Machines Professional has been launched, see https://www. sonycsl.co.jp/press/prs20200324/ (Accessed 5 May 2020). 17 Researchers acknowledged that it is easier to program a computer to learn to be intelligent rather than programming a computer to be intelligent, see Schönberger (2018), p. 11. Some argue that ML will cause “the end of code.” See Tanz (2016). For a critical approach, see Vogan (2016). 18 Machine learning is a subfield of AI that blends mathematics, statistics and computer science. For a technical description, see among others Drexl et al. (2019), pp. 4 ff. 19 See on that topic Gervais (2019b).

268

T. Chiou

In the context of Al Art, training of AI systems is naturally based on data sets that consist of the type of works relevant to each project and to the desired output, such as texts, photographs, musical compositions, and the like. Therefore, the training dataset for AI Art systems corresponds typically to a set of digital copies of “training works.” For example, for the “creation” of the “SKYGGE” pop album “Hello World,”20 the first pop album composed by AI, several copyrighted musical works have been used as training data (“inspirations”) for the AI to generate novel output: “Ballads, Pop of the 60s, Brit Pop of the 2010s, Bossa novas of the 60s, Caribbean songs, Soul Music from the 80s, Musicals of the 60s, French Pop from the 80s, Purcell.”21 Similarly, the AI system “AIVA” has been trained by reading a large collection of music partitions of works composed by Mozart, Beethoven and Bach.22 In the field of AI literature, for the creation of the novel “1 The Road,” the machine has been trained “with three different text corpora, each with about 20 million words one with poetry, one with science fiction, and one with ‘bleak’ writing.”23 The analytical processing of training works leads to the abstraction of trained “mental” models, which contain a set of rules that reflect the (artistic and creative) knowledge that the machine discovered within the training works.24 The trained model constitutes the direct output of machine learning.25 However, the ultimate purpose is the production of novel creative machine outputs:26 the machine will employ the trained “creative” model to produce translations, musical compositions, visual art works and the like, when triggered to do so through the submission of new data input, by the programmers themselves or, at a dissociated moment,27 by the user of the machine. Accordingly, the process that leads to the production of an algorithmic “work” as machine/computer-generated output comprises several stages: the coding of the system and the formulation of the training algorithm, the training of the

The “Hello World” album started as a research project, namely the Flow-Machines project, conducted at Sony Computer Science Laboratories and University Paris 6, and funded by the ERC. See https://www.helloworldalbum.net/. 21 See the album pitch at: https://www.facebook.com/pg/flowSKYGGE/about/ (accessed 5 May 2020). Adde the description for song “Daddy’s Car,” a song composed in the style of Beatles by Sony CSL Research Lab: “The researchers have developed FlowMachines, a system that learns music styles from a huge database of songs.” Cf. Rosati (2019), p. 3: “How could it be possible for AI to create a song in the style of The Beatles if it did not also have access to The Beatles repertoire?”. 22 See Iglesias et al. (2019), p. 13. 23 See https://en.wikipedia.org/wiki/1_the_Road (Accessed 5 May 2020). 24 See Surden (2019), p. 92; Rosati (2018), p. 6. 25 Drexl et al. (2019), p. 9. 26 Cf. Committee on Legal Affairs of the EU Parliament (2020), p. 9, referring to secondary creations in contrast to the “works data,” i.e., the training works. 27 Indeed, in the case of “partially-generative machines” (see supra n15), the command for the creation of a computer-generated work (last stage of the algorithmic creativity process) is given by the user (who has not developed and trained the system), independently and not successively from the other stages. However, even in this case, the creative process for producing the novel output is integral, as it traces back to the coding, training of the machine and abstraction of the model. 20

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

269

machine, which will lead to the internal model abstraction, and the submission of new data input that will trigger the production of the novel output, i.e., the algorithmic (or machine/computer-generated) work. The above process corresponds to the creativity process of AI Art or what we call in the present paper as the “algorithmic creativity process.” Naturally, from a copyright law perspective, the primary question that arises, relates with authorship and proprietary status of the output of such creativity process: who owns the AI-generated work?28 However, apart from downstream interrogations, the present contribution aims at illuminating a copyright-law-related question, connected with the process of algorithmic creativity itself,29 which does not affect the “traditional” (human) creativity process. In fact, to create, humans observe the world and nature, use knowledge relevant to the artistic domain and employ memories which are connected with variable influences and stimuli that may originate, among other things, from works of art (copyrighted or not) accessed by the creator until the initiation of the process of creation of a forthcoming work. Consequently, accessed pre-existing works (copyrighted or not) constitute domain-relevant knowledge of the creator, which is stored and processed in the human brain, as part of its cognitive function.30 In a parallel reasoning, as seen above and will be further explained below, AI systems produce novel output by reference to the training works to which they are exposed, during the algorithmic creativity process. Obviously, it is highly likely31 that many of these training works are protected by copyright law.32 However, ML, as a technique of automated data analysis, implies the deployment of Text and Data Mining methods—TDM33 which, in turn are copy-reliant and implicate the

28 Τhe bibliography on this issue is abundant. On EU institutional level see the DRAFT REPORT on intellectual property rights for the development of artificial intelligence technologies (2020). At WIPO level, see WIPO (2019), Issue 6. 29 Cf. Sartor et al. (2018), p. 8, distinguishing between process issues and outcome issues related with the use of preexisting works within the ML process. 30 On the connection between cognitive functions and creativity process, see Rachum-Twaig (2017), passim. 31 Levendowski (2018), p. 582. 32 Schönberger (2018), p. 1; Geiger et al. (2018b), p. 109; WIPO (2019), p. 5; Flynn et al. (2020), p. 3. 33 In fact, TDM is the essential tool for implementing ML techniques. Therefore, the TDM-related problems and rules apply equally to ML and, in turn, to the algorithmic creativity process of AI Art projects. On that topic, see among others Schönberger (2018), pp. 17–18: “[A] relationship might be seen between ML and text and data mining (TDM) although ML is much further down the line than TDM, which ultimately aims at the expressive elements of a work creating output derived from such elements.” For the importance of TDM within ML context, see e.g., Holder et al. (2019), p. 27; Geiger et al. (2018b), p. 97: “Text and data mining (TDM) thus serves as an essential tool to navigate the endless sea of online information [. . .] and p. 109: “TDM has been a fundamental technique to make machine learning possible by copying or crawling massive datasets and empowering artificial intelligence autonomous decision –making and creativity.”; Rosati (2019), p. 2; Hugenholtz (2019).

270

T. Chiou

realization of one or more reproductions of the training works. That being so, one crucial question arises: Is algorithmic creativity process copyright-restrained, insofar training of AI systems relies on copyrighted training pre-existing works? The present chapter aims at answering this question through the lens of EU copyright law. The approach of copyright system towards the traditional creativity process will be discussed first, before the examination of the application of EU reproduction right and its exceptions on the algorithmic creativity process and the formulation of some concluding remarks.

2 The Story So Far: Unrestricted Intellectual Processing of Pre-Existing Works From a cognitive science perspective, the “traditional” (human) creativity process presents two main stages: (a) the formation of abstract ideas, i.e., the conception of the work34 and (b) the production of a concrete creative product,35 i.e., the materialization of the work in a concrete expression.36 The implementation of the creative process pre-requires domain-relevant knowledge and memory, along with a blend of skills and gift that characterize each creator. Within this context, the creator obtains relevant (declarative37) artistic knowledge, among others, by contemplating, admiring and studying pre-existing works. Both the expressions of pre-existing works as such,38 as well as artistic insights and elements embedded thereto, such as styles, themes, patterns, and concepts and extracted by the creator through intellectual processing of such works, are “stored” in carbon long-term39 memory40 of the human brain. Then the creator recalls them during the creativity process. Thus, pre-existing works as such and the insights deriving therefrom offer the necessary creative background and function as source of inspiration for creators. It is under the light of the above, one may argue that there is no parthenogenesis in art production (and beyond).41 This is referred also as “mental step” for the creation, see Ginsburg and Budiardjo (2019), abstract. 35 This is referred also as “physical step for the creation, see Ginsburg and Budiardjo (2019), abstract. 36 For the above division, see Rachum-Twaig (2017), pp. 25 ff. 37 See on that topic, Rachum-Twaig (2017), p. 31: “Declarative knowledge, on the other hand, refers to factual information stored in the author’s memory.” 38 See Rachum-Twaig (2017), p. 43: “The use of knowledge structures is not limited to ideas (in copyright terms); it also includes the explicit use of expressions.” 39 Rachum-Twaig (2017), p. 31. 40 See Burk (2020), p. 37. 41 See e.g., Burk (2020), p. 3: “As a practical matter, no expression can or does originate entirely with any particular author. A considerable amount of recent scholarship has gone toward refuting the romantic notion that expression arises ex nihilo from the mind of a creative genius. Artists 34

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

271

The above attributes of creativity process (intellectual access and processing of preexisting works and extraction of artistic and esthetic elements) have shaped the external formal boundaries of copyright protection in two ways: (a) On the one hand, intellectual access and processing of works is not covered per se by exclusive powers of the rightholder.42 Indeed, exclusive rights do not encompass acts such as contemplating, observing, or studying and understanding a work. In general terms, the ways in which one can use or experience normally a work are not copyright-restrained.43 These acts allow the internal transposition of a response to stimuli into memory, and lead to the creation of “visionary copies” of these works.44 However, it is evident that none of these acts corresponds to reproduction in copyright law terms. Because the mere intellectual access and processing that takes place in the human brain of the user and eventual future creator does not entail copying of the expression of the work in a medium allowing its communication to the public.45 In fact, copyright law was never about controlling the cognitive functions of human brain. (b) On the other hand, copyright protects the concrete expression of the work and leaves free the ideas, procedures, methods of operation or mathematical concepts as such that may be embedded within the work. This is the outcome of the application of the idea/expression dichotomy, which constitutes positive law46

influence, learn, and borrow from one another, from their surroundings, from the cultural milieu in which they are embedded. Ideas and concepts, and the expression of those ideas and concepts at various levels of abstraction can be traced to a wide network of influences.” 42 They may, however, offer indirect control to intellectual access and processing, to the extent that the person that intellectually process a work will be bound to copyright limits with regard to copying of the work (even for private use) and lawful access. See on that topic Grimmelmann (2016), p. 659. 43 In that sense, Hilty and Richter (2017), § 13: “[. . .] reading corresponds to the normal use of analogue written works (this awareness of contents does not conflict with copyright), p. 4. Cf. Grimmelmann (2016), n1 and p. 659, with reference to “ordinary acts of reading.” 44 Probably the “most private” copy of a work. . . Unless if in the future, brain hacking allows transformation of biological brain into a digital storage medium. See Barfield (2015), pp. 157 ff. 45 Cf. art. L. 122-3 French Intellectual Property Code. See Pollaud-Dullian (2005), §710. 46 This principle is not deprived of criticism, see for instance Kawohl and Kretschmer (2009). However, we think that its utility in the algorithmic environment remains.

272

T. Chiou

also in the EU.47 The field of unprotected ideas48 comprises any abstract features, styles, themes, patterns, concepts and other creative elements and information that are embedded in a specific work or that are circulating49 within the common creative background and cultural reserve and are repeatedly present in various expressions. This means that the mere unprotected aspects of pre-existing works may be extracted and incorporated into new works without the need of prior authorization from rightholders. Thus, the preexisting works are considered as ideas in copyright law terms when used as source of inspiration and pool of creative elements that will be embedded in new works.50 Besides, copyright protection is attributed to the creator of a work, to the extent that her personal touch is reflected within the (original for that reason) work, as a result of their own free and creative choices,51 which also includes the combination of common cultural reserve abstract ideas contained thereto in a new way. In sum, intellectual access and processing of preexisting works, as well as their use as source of inspiration for creators in case of “traditional” human creativity paradigm are not copyright restricted. The above are valid even when access to pre-existing works is not lawful (e.g., contemplation and intellectual processing of a work that has been accessed illegally by the creator). Indeed, lawful and unlawful access allow for the same type of experiencing and intellectual processing of a work. On the contrary, copyright protection is activated at the output level, i.e., at the level of the expressed new work, to the extent that the new work reproduces the concrete

47 See Art. 2 of the WIPO Copyright Treaty and Article 9(2) of the Agreement on Trade-Related Aspects of Intellectual Property Rights, to which EU has adhered. See also CJEU, Levola Hengelo BV v. Smilde Foods BV, Case C-310/17, Judgment of 13 November 2018, para 39. The idea/expression dichotomy principle underpins expressly the protection of software within the Computer Program Directive 2009/24 of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs (Codified version), OJ L 111/16, Art. 1(2) and Rec. 11: “For the avoidance of doubt, it has to be made clear that only the expression of a computer program is protected and that ideas and principles which underlie any element of a program, including those which underlie its interfaces, are not protected by copyright under this Directive. In accordance with this principle of copyright, to the extent that logic, algorithms and programming languages comprise ideas and principles, those ideas and principles are not protected under this Directive.”; CJEU (Grand Chamber), SAS Institute Inc. v World Programming Ltd, Case C-135/10, Judgment of 2 May 2012, para. 33. 48 Cf. Gervais (2019a), p. 24: “TDM is looking, if anything, for ideas embedded in copyright works.” 49 Cf. the famous quotation of H. Desbois: “Les idées sont de libre parcours”. 50 This is the basic distinction between emulation and imitation of a work, that underpins idea/ expression dichotomy. 51 See esp. Painer decision (CJUE Eva-Maria Painer v. Standard Verlags GmbH, case C-145/10, judgment of 1st December 2011) para. 92 and 99 as well as a concise overview of the question in Mezei (2020), p. 15 and ftnote 107. We regret that the JURI committee in the recent report (Committee on Legal Affairs of the EU Parliament 2020, p. 9) affirms (with surprising ease) that “[. . .] the general trend with regard to that condition is towards an objective concept of relative novelty [. . .]”.

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

273

exteriorized expression of a work, like in case of plagiarism (slavish or imitative reproduction) or cumulative creativity, derivative works, and the like.

3 The Algorithmic Twist: Restricted Use of Pre-Existing Works for Algorithmic Creativity Purposes As already mentioned,52 the key stage of the algorithmic creativity process, i.e., the one that shapes the “creative ability” of the machine, relates with the analysis of pre-existing works as training material. In fact, the abstraction of the trained creative model of the machine is based on computational and statistical analytical processing/ “mining” of the training data (i.e., pre-existing works). In general, during this domain-relevant knowledge acquisition stage, the machine “reads the works” (a process also called “machine or robot reading”) and implements the ML algorithm to recognize and extract from the (labeled or unlabeled)53 training dataset empirical observations and detect and extract trends and correlations,54 such as patterns, styles or other micro-elements.55 In the field of algorithmic art in particular, these trends correspond to technical and esthetic elements or other creative aspects embodied in the training works.56 Therefore, the use of training (pre-existing) works leads to the acquisition of domain-relevant knowledge which allows the abstraction of the creative mental model of the machine.57 In turn, the attributes of the novel output (s) of the trained model reflect the algorithmic influences and stimuli that have been discovered during the training stage and transposed in creative model rules. This means that the “inspiration” of the machine during the algorithmic creativity process is connected with training works and the knowledge derived therefrom.58

See above § 8. On that distinction, see Drexl et al. (2019), pp. 7–8 and Infra n69. 54 See Hilty and Richter (2017), § 1, p. 1. 55 In this case, the training data will correspond to the experience needed for the machine to be turned into knowledge. See Shalev-Shwartz and Ben-David (2014), p. 19. 56 Cf. Guadamuz (2017), p. 1, referring to the “Next Rembrandt Project,” a Project that led to the creation of a Rembrandt-styled painting, created using deep learning algorithms and facial recognition techniques (www.thenextrembrandt.com) (accessed 5 May 2020). 57 Deltorn and Macrez (2018), p. 4, footnote 8: “Machine learning techniques, by identifying statistical correlations present in a training set [. . .] can model the characteristic features inherent to the training data [. . .].”; Gervais (2019a), p. 7: “[. . .] the AI machine uses its own insights to create.” 58 One may argue that the inspiration for the machine is based on the input submitted, eventually at a later stage, by the user. This is, however, not valid, to the extent that the new data will trigger the production of an output, whose attributes cannot exceed the insights from training data. Cf. Deltorn and Macrez (2018), p. 17 (regarding musical works): “The selection of a specific training set is therefore intimately related to the nature of the musical productions that can be derived from a machine learning models.” 52 53

274

T. Chiou

The main difference, however, with “traditional” human creativity process is that algorithmic creativity process and especially the algorithmic inspiration and domainrelevant knowledge acquisition stage rely mainly in the implementation of computational procedures. This difference leads to the “algorithmic twist” from an EU copyright law perspective: the computational nature of algorithmic creativity process requires extended copying of the expressions of pre-existing works used for training purposes (A). Besides, the implementation of the comprehensive definition of reproduction right by the EU acquis renders these copies copyright-significant (B),59 unless if an exception applies (C).

3.1

Algorithmic Creativity Process Is Copy-Reliant

Algorithmic creativity process is inherently copy-reliant and implicates the realization of digital copies of training works, in various ways and occasions by means of “silicon memory.”60 Independently of the ML technique and type of algorithm used,61 the digital copying of training works is generally indispensable and unavoidable within the stage of analytical processing/“mining” of the training examples,62 similarly to any computational analytical processing of works in digital form. Indeed, training works need to be copied (for technical purposes) in the memory of the machine that trains the ML algorithm and/or by computers of a network that is eventually used for the analytical processing of the works (e.g., in case of an analysis implemented using an ML cloud server). In addition to that, creation and storing of copies of the training works (in plain or edited form) is also required in some preparatory steps of the above-described computational analysis. We mainly refer to the corpus compilation stage,63 which comprises the identification and collection of appropriate preexisting works, relevant

59 The question is relevant equally for both copyright and related rights field. For simplicity reasons, we limit our analysis to copyright law interrogations. 60 Burk (2020), p. 37. 61 There is one scenario where the machine, through repeated training and practice becomes able to label the patterns, features and characteristics within the dataset by itself. These training algorithms are known as discriminative algorithms. Cf. Surden (2019), p. 91: “After analyzing several such examples, the algorithm may detect a pattern and infer a general “rule.” [. . .] In general, machine learning algorithms are able to automatically build such heuristics by inferring information through pattern detection in data.” In different scenario, the machine predicts patterns or features attached to a certain label within the training works. In this case, training algorithms are known as Generative Algorithms or Generative Adversarial Networks. See among others Goodfellow et al. (2014). 62 See among others Schönberger (2018), p. 16: “Copying the works is indispensable to the training process”; De Meeûs d’Argenteuil et al. (2014), p. 29: “technically speaking, it is often considered that data analysis involves, at some stage (particularly in steps 2 and 4 mentioned above), the copying of all or part of the data under investigation.” 63 Cf. from a NLP approach, Margoni (2018), section II.

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

275

to the AI project saved in digital form64 in a server or other tangible medium (s) accessible to the programmers of the project. In the same vein, the works included in the corpus may be subject to copying during the so-called preprocessing stage.65 During this stage, the aggregated training works will be transformed into a machine readable and understandable version (e.g., conversion of a PDF document in plain text format66) which fits operational needs of the project67 and they will typically be assembled in a database (collection or library), known as the training dataset of the project, which will eventually be stored in a remote location, implying again reproduction of the training works.68 Besides, during this stage, the training works may (also) be subject to manual verification and annotation (labeling).69 In this scenario, a similar (and eventual more genuine) adaptive use of the training works would take place, deriving from the alterations made by the programmers on the training works (i.e., manual additions of labels and annotations within a text, a painting etc.). On the contrary, the abstracted internal “mental” model is independent from training works.70 Besides, these works or some of their protected elements are not usually identifiable in their initial or in an altered form within the training output (i.e., the stored model). Consequently, the final stage of the creativity process, which involves the mere use of the trained model, through the submission of new input or command of creation, does not entail copying of preexisting (training) works.

64 For instance, in the Next Rembrandt Project (www.thenextrembrandt.com. Accessed 3 December 2019), the machine has been trained to produce Rembrandt-style painting on 346 Rembrandt’s paintings, that have been previously 3D scanned in high resolution, see Kreutzer and Sirrenberg (2020), p. 219. 65 Cf. Hilty and Richter (2017), § 14, p. 4. Cf. Geiger et al. (2018a), p. 5 (referring to TDM): “copying substantial quantities of materials which encompasses: a. preprocessing materials by turning them into a machine readable format and analyzed directly from their source [. . .]”. 66 See e.g., Margoni (2018), section II. 67 For an example of preprocessed musical compositions, see Hadjeres and Pachet (2016), pp. 4–5. 68 Cf.Geiger et al. (2018b), p. 98. 69 This is a feature of the so-called supervised (machine) learning. For a concise presentation on that topic, see https://en.wikipedia.org/wiki/Supervised_learning (Accessed 5 May 2020); Surden (2019), p. 93. 70 Drexl et al. (2019), p. 8: “Training data is not stored within the model during the training process, and once the training process is completed, the model is fully usable independently of the data”; De Meeûs d’Argenteuil et al. (2014), p. 49 (referring to TDM output): “Normally, the output does not contain any of the original works that were mined, the works have been analysed and only some information were kept.” Cf. Geiger et al. (2018b), p. 99: “[. . .] the TDM output should not infringe any exclusive rights, as it merely reports on the results of the TDM quantitative analysis, typically not including parts or extracts of the mined materials.”

276

3.2

T. Chiou

Algorithmic Creativity Process Is Copyright-Significant

In copyright terms, copying of works relates to the concept of reproduction. Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of certain aspects of copyright and related rights in the information society (hereinafter: “Infosoc Directive”) introduces a broad definition of copyright-significant reproductions.71 More precisely, reproduction right is defined as the “exclusive right to authorise or prohibit direct or indirect, temporary or permanent reproduction by any means and in any form, in whole or in part.”72 In addition, this definition has been interpreted in a broad way by the ECJ.73 Following the above, any digital copy of a work, temporary or permanent, direct or indirect, has the potential to infringe copyright, irrespective of how transient, short or irrelevant from an economic perspective may be,74 provided that it reproduces the creative expression ( forme) of the initial work, even in part.75 Besides the reproduction right covers also some transformative uses of works,76 to the extent that the alterations undertaken give rise to further (mere) reproductions of previous works (without creative additions or modifications).77 In any event, all copies of works that may be considered as “genuine” (creative) adaptations under national law are (or imply) acts of reproduction covered by EU acquis.78 Given the contours of the reproduction right,79 the digital copies of training works made within the algorithmic creativity process, as explained above, are a priori copyright significant. Consequently, algorithmic creativity process falls, in principle, into the realm of copyright, and the use of training works for inspirational purposes is copyright-restricted80 in the EU territory, if made without prior (contractual)

71

This is justified, according to the European legislator and Court of Justice, by the need to ensure legal certainty within the internal market Cf. Recital 21 Infosoc Directive; CJEU, Infopaq International A/S v Danske DagbladesForening, Case C-5/08, Judgment of 16 July 2009, (“Infopaq I”), para. 41. 72 This definition is much more sophisticated than Article 9(1) of the Berne Convention, which also refers to an exclusive reproduction right in any manner or form. 73 See Infopaq I, para. 43. 74 Margoni (2018), section IV. 75 Infopaq I, para. 39. 76 See Von Lewinski and Walter (2010), pp. 967 and 968. 77 Indeed, according to the decision of the CJUE, Allposters International BV v. StichtingPictoright, Case C-419/13, Judgment of 22 January 2015, para. 26, there is no equivalent right of adaptation right in the InfoSoc Directive. 78 De Meeûs d’Argenteuil et al. (2014), p. 32. 79 Not mentioning the moral rights interrogations, such as those connected with the integrity right. 80 Rosati (2019) p. 3: “[C]opyright law poses potential restrictions to the training of AI for the purpose of creative endeavours, even if the copies made of pre-existing content are only used internally and are instrument to the creation of something else”; Sartor et al. (2018), p. 8.

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

277

authorization by rightholders,81 unless if a (mandatory) exception and limitation of the reproduction right contained in the EU acquis applies and eludes copyright control.

3.3

The Applicability of Exceptions and Limitation in Algorithmic Creativity Process Is Not All-Encompassing

Although there is no explicit exception and limitation covering the reproductions of copyrighted works for background ML or AI purposes, there are, however, at least two existing mandatory82 exceptions, whose application could possibly be relevant for copies undertaken within the algorithmic creativity process. These are (1) the exception for temporary acts of reproductions and (2) the exception(s) for Text and Data Mining (TDM). 3.3.1

Exception for Temporary Acts of Reproduction and Algorithmic Creativity Process

The exception of temporary acts of reproduction provided in Art. 5(1) of the Infosoc Directive is relevant to ML context83 and, in turn, to algorithmic creativity process,84 given its horizontal scope and technologically neutral approach. The exception covers acts of reproduction that are transient (ephemeral) or incidental to an integral and essential part of a technological process and do not present independent economic significance. A reproduction act is transient only if its duration is limited to what is necessary for the proper completion of the technological process in question, it being understood that the process must be automated so that it deletes that act automatically, without human intervention.85 In addition, the technological process

81 Besides, Infosoc Directive establishes the general principle of prior authorization of any reproduction of a protected work by rightholder, see CJEU Order of the Court, Infopaq International A/S v Danske DagbladesForening, Case C-302/10, Judgment of 17 January 2012 (“Infopaq II”), para. 27. 82 Non-mandatory exceptions could also be applicable, such as private copying under certain circumstances (Art. 5(2)(b) of the Infosoc Directive), however they remain unharmonized at the EU level. Besides, only the mandatory exception shape the effective EU acquis. 83 Cf. Recital 9 of the DSM Directive: “acts of reproduction provided for in Article 5(1) of Directive 2001/29/EC, which should continue to apply to text and data mining techniques.” 84 This exception has been conceived for web browsing and caching, i.e., the technological advances of the late 90s. See Recital 33 Infosoc Directive. 85 Infopaq I, para. 64. See also Margoni (2018), section IV.2.

278

T. Chiou

in question should enable lawful use of works (i.e., authorized by the rightholder or not restricted by law).86 Given the contours defined above, the copies that are realized during the analytical processing of training works (such as those made in the memory of the machine that trains the ML algorithm) would possibly be the only copies susceptible to be eventually covered by the exception in question, to the extent that these copies are temporary and incidental to the ML process and they usually do not need to be retained once they are run through the AI system.87 However, the analytical processing (and copying) of training works is not selfstanding, since it requires several prior acts of reproduction of the analyzed training works within the preparatory stages of the algorithmic creativity process, which are not covered by this exception.88 In fact, the acts of reproduction that are likely to take place during the corpus compilation phase or the reproductions made during the preprocessing/annotation stage of the training material or the abstraction of the internal model would probably not be transient.89 True, the deletion of copies in these stages is dependent on the will of the responsible for the ML workflow of the AI Art project.90 Besides, it is not at all certain that she will wish to dispose these reproductions, which means that there is a risk that the copies will remain in existence for a longer period, according to their needs (e.g., for further development of the AI project or even for trade of these copies).91 For the same reasons, these copies would not be incidental with regard to the main purpose of use of the work, i.e., the implementation of the learning algorithm and the training of the machine.92 In addition, the independent economic significance of acts of reproductions undertaken within the algorithmic creativity process cannot be excluded. For instance, corpus compilation of training works might have separable and independent economic significance (if traded in the form of a database), which is distinct to the

86

See also Recital 33 Infosoc Directive. Besides, the exception is interpreted restrictively and its requirements need to be cumulatively met. See Infopaq I, para. 55–56; Infopaq II, para. 26; Schönberger (2018), p. 16; Geiger et al. (2018a), p. 11. 87 See Schönberger (2018), p. 16: “[T]he copies do not need to be retained once they are run through the neural network.” 88 Cf. Hilty and Richter (2017), § 5, p. 2: “In fact, TDM usually requires a not merely temporary reproduction, for which Article 5(1)(a) InfoSoc Directive would not apply.” 89 Cf. De Meeûs d’Argenteuil et al. (2014), p. 46 (referring to data mining): “[. . .] is further unlikely that a temporary copy used to mine data is transient, the work mostly being available for a certain period of time to be transformed, loaded and/or analyzed.” More favorable in exception coverage, Schönberger (2018), p. 16, stating that “the copies do not need to be retained once they are run through the neural network.” 90 Cf. Geiger et al. (2018a), p. 11 re: the application of the temporary reproduction exception to TDM process. 91 Cf. Infopaq I, para. 69–70. 92 Cf. Infopaq II, para. 22, referring to the Infopaq I ruling, on the absence of transient or incidental character of copies made within a data capture process.

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

279

economic significance of the algorithmic creativity process and output,93 as the dataset in question may be used in further AI projects. In fact, the use of works as training material and parts of datasets intended for AI Art projects is already the object of licensing agreements.94 All in all, the exception of temporary copying would not offer much relief in the application of reproduction right, as it does not cover comprehensively the copying of training works undertaken within all stages of the algorithmic creativity process.95 3.3.2

TDM Exceptions and Algorithmic Creativity Process

Algorithmic creativity process relies in machine learning techniques, which, in turn, as seen above, involve implementation of TDM activity. Accordingly, the legal regime applying to TDM will also cover TDM activities undertaken within the ML context of algorithmic creativity process.96 Thus, the assessment of the applicability of mandatory TDM exceptions introduced by the DSM Directive on Articles 3 and 4

Cf. Margoni (2018), section IV.2.: “The requirement of absence of independent economic significance is probably harder to assess. Independent economic significance is present if the author of the reproduction is likely to make a profit out of the economic exploitation of the temporary copy. This profit has to be distinct from the efficiency gains that the technological process allows.”; De Meeûs d’Argenteuil et al. (2014), p. 47 (referring to data mining): “It seems that every acts involved in the data mining process can have a great economic value. Potentially, we can imagine that the first extraction can have an independent/separate economic significance, but it depends on what the “miner”/”copy-maker” does with the result of the first extraction (e.g., if he sells or licenses the results of the extraction). It is thus a question of fact.” 94 See for instance the licensing terms of AIVA, a service that allows algorithmic creation of musical compositions, https://www.aiva.ai/legal/1 (Accessed 5 May 2020): “Licensee is not permitted to use the Audio and/or MIDI Composition as part of a training dataset for any Machine Learning, Deep Learning or statistical algorithm. If the Licensee wishes to use the Audio and/or MIDI Composition as part of a training dataset, this use case would be ruled by a separate Licensing Agreement, to be negotiated and signed between the parties.” Cf. Hilty and Richter (2017), § 26, p. 7: “the provision of normalized data solely for the purpose of TDM is a business model.” 95 Margoni (2018), section IV.2. Cf. De Meeûs d’Argenteuil et al. (2014), p. 50: “It means that this exception will not provide much relief (or really rarely) for data analysis activities.” From a TDM perspective, Geiger et al. (2018a), p. 11. Cf. Geiger et al. (2018b), p. 100, referring to the application of this exception for TDM purposes, mentioning that “application of temporary reproduction exception remains limited to residual cases for the large number of specific requirement that must be fulfilled, apparently in a cumulative manner according to the CJEU.”; Schönberger (2018), p. 16: “It is quite obvious that the legislator did not have ML in mind when drafting the said provision. Hence some legal uncertainty remains and the related jurisprudence of the CJEU is not without ambiguity.” See however Rec. 9 of the DSM Directive, which explicitly refers to the application of this exception in the context of TDM, but most probably, only to the analytical processing per se. 96 Cf. Holder et al. (2019), p. 27: “the legal regime applying to TDM can have an impact on the future development of AI [. . .]. The development of AI leads to a growing relevance of TDM regime and of its possible weaknesses.” 93

280

T. Chiou

on acts of reproduction undertaken within the algorithmic creativity process (independently or jointly except for temporary acts of reproduction) seems pertinent.97

3.3.2.1

TDM Exception Introduced by Article 3 of the DSM Directive

Article 3 of the DSM Directive introduces a new mandatory exception on the reproduction right of rightholders for TDM purposes. The exception covers any reproduction or extraction of work made for TDM purposes, including non-temporary reproductions, and cannot be overridden by contract (Art. 7(1) of the DSM Directive). Thus, in the algorithmic creativity context, it would cover reproductions and extractions that are necessary both for the (lawful) access to training works, their retention (e.g., corpus compilation and preprocessing) and their mining. However, its scope is very limited as it covers the TDM activities that are carried out (1) by a specific category of beneficiaries,98 i.e., research organizations and cultural heritage institutions,99 (2) exclusively for purposes of scientific research and (3) under the condition that the beneficiaries have lawful access to the works in question and that the copies of works will be stored in a secure environment and no longer than necessary for the permitted purposes (Art. 3(2) of the DSM Directive). Given its narrow approach regarding the beneficiaries and purposes of TDM activity undertaken within algorithmic creativity process, the exception does not offer great relief in undertaking AI Art projects without copyright concerns. In fact, the exception could be invoked regarding very specific AI Art scientific and research projects and certainly not by startups and other businesses of the private sector100 97 In that sense, Committee on Legal Affairs of the EU Parliament (2020), pp. 6–7: “With regard to the use of data by AI, that the use of copyrighted data needs to be assessed in the light of the text and data mining exceptions provided for by the Directive on copyright and related rights in the Digital Single Market [. . .]”. 98 Critical on this narrow approach, already re: the DSM Directive Proposal, Geiger et al. (2018a), p. 32: “The TDM exception should not be limited to research organisations but extended to all those enjoying lawful access to underlying mined materials – as the right to read should be the right to mine- especially in order not to cripple research from start-ups and independent researches.”; European Copyright Society (2017), part 2, p. 5: “we therefore regret the fact that the Directive proposes to limit the benefits of the exception to “research organisations” as narrowly defined in the Directive. In our view, data mining should be permitted for non-commercial research purposes, for research conducted in a commercial context, for purposes of journalism and for any other purpose.”; Rosati (2019), p. 9: “Its scope, however, should not be unduly narrow and such as to stifle innovation coming from different sectors, whether research organizations or businesses. In this sense, the EU legislature should carefully consider who the beneficiaries of the resulting exception should be, as well as the uses allowed of works or other subject-matter for TDM purposes.” 99 On that point, see Geiger et al. (2018a), p. 26: “much discussion regarding this proposal does concern whether the TDM exception’s beneficiaries should not be limited to research organizations. To qualify for the exception, research organisations must operate on a not-for-profit basis or by reinvesting all the profits in their scientific research, or pursuant to a public interest mission.” 100 Geiger et al. (2019), p. 30.

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

281

(even if they engage in analytical processing of works within AI Art context for scientific purposes).

3.3.2.2

TDM Exception Introduced by Article 4 of the DSM Directive

Article 4 of the DSM Directive TDM introduces a more inclusive exception than the one of Article 3. In particular, all reproductions and extractions of works and other subject matter made for the purposes of text and data mining are exempted from the rightholder’s monopoly, insofar as the works are lawfully accessible and the reproductions and extractions are retained for as long as is necessary for the purposes of text and data mining. This exception could be invoked, a priori, within the framework of any AI Art project to cover all reproductions and extractions connected with the analytical processing of protected training works (even those that are not ephemeral or transient), as it does not contain a ratione personae or purpose limitation. Nonetheless, according to Art. 4(3) of the DSM Directive, the application of this exception may be opted-out in an appropriate manner by the rightholders. This opt-out may be exercised either by use of technical measures, such as machine-readable means and metadata,101 or contractual agreements102 (such as terms and conditions of a website or a service),103 or even unilateral declarations such as disclaimers,104 by which the rightholder would reserve the right to make reproductions and extractions for data analysis purposes under their exclusive control. That being so, according to the current TDM exception regime, rightholders generally remain able to license and, consequently, to forbid, the uses and reproductions of their works for data analysis purposes, including analytical processing in the algorithmic creativity context,105 except for reproductions and extractions made by research organizations and cultural heritage institutions for the purposes of scientific research, according to Art. 3 of the DSM Directive.

101

E.g., by adding robot.txt type metadata to their content online, see Hugenholtz (2019). Cf. a contrario Art. 7 para. 1 of the DSM Directive. 103 Holder et al. (2019), p. 28: “[. . .] on a website, the terms and conditions could still validly prohibit TDM being made of the contents of the website.” 104 Rec. 18 of the DSM Directive. 105 Cf. Hilty and Richter (2017), § 7, p. 3, referring to the draft proposal of the DSM Directive: “The proposed limitation would allow for the conclusion e contrario that TDM is a separable type of use.” 102

282

T. Chiou

4 Concluding Remarks and Outlook 4.1

De lege lata Considerations

Following the above analysis, it seems that algorithmic creativity process largely remains under private ordering in the EU, as (a) the relevant reproductions of training works that are typically necessary to produce AI-generated art are a priori copyright-significant and (b) the mandatory exceptions of the EU reproduction right do not offer a solid and all-encompassing framework for using works for algorithmic creativity purposes, without prior authorization by rightholders. Indeed, reproductions and extractions of protected training works for algorithmic creativity purposes could be made without prior authorization either if (a) they are temporary (which is not the case for all of them), or (b) if they are undertaken by research organizations and cultural heritage institutions for the purposes of scientific research, or (c) if the rightholders have not opted-out from the exception of Art. 4 of the DSM Directive. Given this multi-factor grid of exceptions,106 the recourse to the framework of exceptions in AI Art projects demands prior legal assessment on a case-by-case basis,107 which also includes the implementation of the three-step-test. If applicability of exceptions cannot be safeguarded due to the profile and the needs of a particular AI Art project, then the clearance of “algorithmic rights” would be necessary, even for lawfully accessible works. In fact, access to freely and lawfully available works online108 (or even licensed works)109 would not necessarily mean lawful use for algorithmic creativity purposes,110 since rightholders would be in position at any time to discretionary reserve their rights on analytical use of their works, by employing appropriate means, as described above. This raises significant obstacles in undertaking algorithmic creativity processes in the EU territory as it 106

Cf. Flynn et al. (2020), pp. 7 ff. See on that point, Rosati (2019), p. 21. Cf. Gervais (2019b), para. 46: “first, it is not always clear to a human user whether a source is legal or not; the situation may be even less clear for a machine. Second, and relatedly, if the source is foreign, a determination of its legality may require an analysis of the law of the country of origin, as copyright infringement is determined based on the lex loci delicti—and this presupposes a determination of its origin (and foreignness) to begin with. Perhaps a requirement targeting sources that the user knows or would have been grossly negligent in not knowing were illegal might be more appropriate.” 108 See Holder et al. (2019), p. 29. 109 The use of works for ML (and AI Art) purposes as an object of licensing contracts should be further investigated to the extent that it could be qualified as a new (unknown) form of exploitation, which might raise additional implications in some jurisdictions, as to the coverage of existing licenses. Cf. for a similar question regarding cloud computing from a Greek Law perspective, Chiou (2014). 110 See Rosati (2019), p. 4: “freedom of access does not necessarily entail that the content (text and data) is also free of legal restrictions.”; ibid., p. 5: “Lawful access to content – whether because such content is freely accessible or access has been obtained through a licence – does not necessarily entitle one to undertake TDM in respect of such content (text or data).” See also Rec. 18 of the DSM Directive. 107

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

283

involves time consumption, costs111 and insecurity, which, in turn, renders actual EU framework not enabling for AI Art projects.112 Alternatively, if rights clearance is not desirable of feasible,113 the use of training works that are in the public domain could be envisaged.114 In fact, it might not be accidental that some emblematic AI projects in the EU are based on works of the public domain.115 Besides, Article 14 of the DSM Directive would be helpful in that direction (at least for works of visual arts), since any (non-original) material resulting from an act of reproduction of public domain works (especially, mere digital copies or photographs of works in the public domain) will not be subject to copyright or related rights.116 Under these conditions, the utility of the use of works covered by open licenses as training material is important,117 as these works would probably be fit for algorithmic creativity purposes, without the need to invoke the applicability of exceptions.118 The (significant) influence of private ordering in the algorithmic creativity process, as described above, is typically compatible with the black letter rules but and derives from the mere application of the definition and contours of the reproduction right. However, in our view, the expansion of protection at the level of creativity

111

Geiger et al. (2019), pp. 30, 31 and 34. Geiger et al. (2019), p. 31; Rosati (2019), p. 21: “In practice, this might have a negative impact on the (unlicensed) development of AI creativity.”; Chiou (2020), p. 411. 113 Clearance of rights (most probably on a work by work basis) might be extremely burdensome and costly task. Cf. Gervais (2019b), para. 57: “Because Big Data corpora used for TDM are necessarily composed of large numbers of works and other data, the TDM function cannot be performed if licensing work by work is required”; Schönberger (2018), p. 17: “Applying the said exception (temporary copy) would avoid the onus of transaction costs in gathering licences from thousands, if not millions of right holders, a situation which could otherwise largely impede the development of new business cases and innovation in the field of computer science. This is especially true for small or medium sized enterprises, where license fees and long-lasting negotiations in a scattered and heterogeneous landscape would be an insurmountable barrier to entry.” 114 Cf. Rec. 9 of the DSM Directive: “Text and data mining can also be carried out in relation to mere facts or data that are not protected by copyright, and in such instances no authorisation is required under copyright law.”; Geiger et al. (2018a), p. 7: “works and other subject matter not protected by copyright or sui generis rights can be freely mined.”; Cf. Geiger et al. (2019), pp. 7–8: “Obviously, although the DSM Directive fails to mention that specifically, also works and other subject matter not protected by copyright or sui generis rights can be freely mined.” 115 See for instance the Next Rembrandt Project, where the machine has been trained to produce Rembrandt-style painting by using as training data 346 known paintings by Rembrandt (d. 1669), that are on the public domain. See https://www.nextrembrandt.com/ (accessed 5 May 2020). 116 It remains to be checked whether annotated/labeled copies of training works would not be covered by Art. 14, as being original according to the EU originality criterion. 117 De Meeûs d’Argenteuil et al. (2014), p. 25: “it goes beyond the scope of this Study to analyze the overall impact which the Open Access movement will have on TDM but it seems undeniable that it will facilitate TDM.” 118 Cf. Sag (2019), p. 49: “For example, Wikipedia includes a cornucopia of over 5 million Creative Commons licensed works in a fully machine readable format. This has made Wikipedia a key source of training data for nearly every modern AI system dealing with facts.” 112

284

T. Chiou

process itself is not consistent with the spirit and dogmatic foundations of copyright law and the very basic idea/expression dichotomy principle that underpins also EU copyright law. In fact, the placement of algorithmic creativity process under the realm of copyright restraints leads to a de facto extension of external boundaries of EU copyright protection, as copyright functionally becomes a means of controlling (and licensing) the sources of inspiration for future (AI) Art. Indeed, rightholders will be able to reserve (and license) the use of their works as source of (algorithmic) inspiration and ideas on several occasions (i.e., in cases where the AI Art project is not made by beneficiaries and for purposes covered by the exception of Art. 3 of the DSM Directive). Therefore, the common cultural reserve that consists of preexisting works and serves as source of inspiration for future creations will be fragmented and “less common” in the algorithmic environment.

4.2

De lege artis Considerations

The de lege lata considerations expressed above need to be put into future perspective. From an artistic point of view, there are founded reasons to consider that algorithmic creativity may become dominant paradigm of creativity in some fields, such as translation or music.119 True, algorithmic art might sound somehow futuristic and marginal few years ago. However, the creative models are becoming increasingly elaborated and the use of AI systems has become more widespread and available, even among people with limited or no artistic or computer science background.120 From a rather technical point of view, it is also possible that the selection and/or collection of the training works will be made without human intervention.121 This means that the copyright status of the works employed for the training of the machine might not be manually assessed by humans. In that case, copyright restrains would be deterring for undertaking such projects, if the risk for unintentional copyright infringement is taken seriously. Besides, it is not sure yet whether the

119

See for instance the product description of the AI system AIVA (www.aiva.ai) (accessed 5 May 2020): “A Creative Assistant for Creative People Whether you are an independent game developer, a complete novice in music, or a seasoned professional composer, AIVA assists you in your creative process. Create compelling themes for your projects faster than ever before, by leveraging the power of AI-generated music.” 120 See for instance Deahl (2018), referring to an AI music system called Amper (https://www. ampermusic.com/) (accessed 5 May 2020): “All you have to do is go to the website and pick a genre of music and a mood. That’s it. You don’t have to know code or composition or even music theory in order to make a song with it.” 121 Cf. AIPPI (2019), p. 2.

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

285

use of AI-generated works as training works will make things simpler or more complex, as their proprietary status remains still contested.122 From a practical point of view, it is possible to see rightholders that reserve the “right of algorithmic inspiration” especially by using technical means that abort analytical processing of works for algorithmic creativity purposes.123 Besides, Art. 7 § 2 of the DSM Directive promotes indirectly this possibility, given that the technological measures of protection applied voluntarily by rightholders will enjoy adequate legal protection against their circumvention, according to art 6(1) and (4) subparagraph of the Infosoc Directive.124 Indeed, preexisting works that are not very “useful” or “important” for humans, due to their low creativity or esthetic merit, may find a new circle of life as training data for machines. By contrast, on the user side, it is also possible that a new form of copyright infringement arises in response to such reserve. Users may be tempted to bypass technological measures of protection to use lawfully accessed copyrighted works for training purposes, without prior authorization from rightholders, to the extent that this use could not be traced back or detected in the trained model or in the generated output.125

4.3

De lege ferenda Considerations

The advent of AI and its application in the field of artistic creativity suggests often a bipolar spectrum of observation: human vs. machine or, better, human vis-à-vis machine. This holds true also for the creativity process under EU copyright law. As shown above, EU copyright law introduces a divergent approach between human and algorithmic creativity process. This divergence is a fundamental challenge for copyright law and transcends the expressed concerns that were relevant with application of copyright law in “non artistic” TDM activities. Because the potential

122

In the absence of protection, AI-generated works would be treated as public domain works. On the contrary, several different approaches have been suggested as to their copyright ability so far: protection via a legal fiction in favour of persons who have deployed the arrangements necessary for the production of the AI-generated work (see e.g., Guadamuz 2017, no 5; cf. Art. 9§3 CDPA); related or sui generis right (see e.g., Dornis 2020; Ginsburg and Budiardjo 2019; Ramalho 2017, p. 16 and references cited therein; Iglesias et al. 2019, p. 15); recognition of “electric copyright” in favour of “electronic persons” (see European Parliament, REPORT with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)) Committee on Legal Affairs, Rapporteur: MadyDelvaux, nr. 59, f.—contra Committee on Legal Affairs of the EU Parliament (2020), no 9, p. 6). Adde Committee on Legal Affairs of the EU Parliament (2020), p. 9, in favor of granting copyright to the natural person who prepares and publishes the Ai-generated work lawfully, provided that the designer(s) of the underlying technology has/have not opposed such use. See also the concise presentation by Mezei (2020), pp. 20 ff. 123 Cf. Geiger et al. (2019), p. 19, mentioning the “rent-seeking behaviour of economic actors controlling content”. 124 See Geiger et al. (2019), p. 29. 125 Cf. Lauber-Rönsberg and Hetmank (2019), p. 577; Dornis (2020), pp. 39 ff.

286

T. Chiou

control over the use of protected works as data for algorithmic creativity purposes creates a gap between the copyright basic principles and the lex lata in the EU copyright law, which will become blatant when algorithmic creativity process becomes mainstream. In our view, the creativity process should not be treated divergently on the grounds of its human or algorithmic character. Creativity and inspiration in the artistic field are unitary concepts. Αccordingly, copyright law protection should not be extended to areas that were never intended to be covered by monopolistic control.126 Against this teleological backdrop, copyright basic principles that shape the external boundaries of the copyright protection scope, such as the idea/expression dichotomy principle and the principle of unrestricted use of works as source of inspiration should be transposed in the algorithmic environment. The approach of unrestricted idea-extraction processing of works is already adopted in EU acquis as far as it concerns computer programs (in form of exception though), as shows Art. 5 (3) of the EU Directive 2009/24, according to which: the lawful user of a computer program shall be entitled, without the authorization of the rightholder, to observe, study or test the functioning of the program to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do.127 The exception formula to the benefice of lawful user adopted in the computer program context could be justified, since the simple use (loading, displaying, running. . .) of the (functional) work itself is copyright-restricted (see Art. 4(1) Directive 2009/24) and a user is typically considered lawful via the existence of an end-user license. By contrast, in the context of algorithmic inspiration, the use of a work may refer to mere access thereto, which is not covered per se by economic rights and whose implementation may often be covered by an existing exception or limitation according to applicable law, such as temporary or (in some EU member states) private copying, (e.g., in case of on-screen copies of online available images).128 Therefore, the transposition of the unrestricted idea-extraction processing approach, as expressed in Art. 5(3) of the EU Directive 2009/24, in the algorithmic context, would suggest that the use of works for inspirational purposes should not derive from the application of an exception (which implies the existent norm that would provide for protection)129 nor implicate the existence of a licensed

Cf. Schönberger (2018), p. 13: “copyright has always been a “doctrine of public places” in a sense that copyright’s primary function is to protect an author from acts of expressive substitution, by controlling the public diffusion of the work to the public. Copyright has never been about regulating access to or use of the works.” 127 Hilty and Richter (2017), § 13, p. 4. 128 See CJEU Public Relations Consultants Association Ltd v Newspaper Licensing Agency Ltd and Others, Case C-360/13, Judgment of 5 June 2014. 129 The idea of a TDM exception in form of opening clause or open norm has been also suggested before the adoption of the DSM Directive. See Geiger et al. (2018a), pp. 20 ff; Geiger et al. (2019), pp. 22 ff. and 37; Papadopoulos et al. (2019). Cf. also IFPI (2020), p. 4: “For instance, an all-encompassing exception to “train” AI would fall at the first hurdle of the three-step-test.” 126

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

287

lawful user. On the contrary, analytic processing of works for algorithmic inspiration purposes should be considered, from a teleological point of view, as the equivalent of normal use for lawfully (even without license) accessed works,130 similar to admiring a protected painting or understanding a protected literary work in the analog world.131 That being so, such normal use would be set outside the external boundaries of the copyright protection scope. Similarly, eventual copyright control could be exercised at the output level-as it happens with traditional creativity process for years now. In the AI context, such control could be exercised in principle by the person who would be qualified as author of the ΑI-generated work (and its assignees), according to the applicable law,132 or by the rightholder of a work used for training purposes, to the extent that the AI-output could be characterized as reproduction or adaptation of that work.133 The DSM Directive is typically expected to be reviewed no sooner than 7 June 2026 (Art. 30(1) of the DSM Directive). What is worst, the above criticized EU copyright law approach on use of preexisting works for algorithmic creativity purposes seems to be used as starting point within initiatives that focus on shaping the AI strategy for Europe, with regards to copyright law.134 In fact, a recent motion for a European Parliament Resolution on intellectual property rights for the development of artificial intelligence technologies, prepared by the JURI Committee makes reference to the existing TDM framework and especially the mechanism of opt-out of Art. 4 of the DSM Directive as a “European system of protection of ‘works data’.”135 In our view, the doctrinal plea for strengthening the dogmatic

130 “Legal” access to works is also a requirement for the benefice of exceptions and limitations, as shows already Art. 6(4) of the Infosoc Directive: “[. . .] Member States shall take appropriate measures to ensure that rightholders make available to the beneficiary of an exception or limitation provided for in national law [. . .] the means of benefiting from that exception or limitation, to the extent necessary to benefit from that exception or limitation and where that beneficiary has legal access to the protected work or subject-matter concerned.” See from a comparative law perspective on the requirement of lawful access of mined data, Geiger et al. (2019), p. 26. 131 In that sense, Hilty and Richter (2017), § 13, p. 4: “Just as reading corresponds to the normal use of analogue written works (this awareness of contents does not conflict with copyright), the normal use of digitally stored content lies – in the light of today’s technologies – in automatically finding and correlating the information it contains.” Cf. Murray-Rust et al. (2014), p. 28: “right to read should be the right to mine.” 132 It is possible, however, that applicable law does not offer a straightforward answer on authorship of AI-generated works. On that issue see above ftnote n28. 133 More on that scenario, see Sartor et al. (2018). 134 See the initiative of the European Parliament under reference 2020/2015(INI), Intellectual property rights for the development of artificial intelligence technologies (https://oeil.secure. europarl.europa.eu/oeil/popups/ficheprocedure.do?reference¼2020/2015(INI)&l¼en) (accessed 5 May 2020). 135 Committee on Legal Affairs of the EU Parliament (2020), p. 9. It is however somehow ironic that in the report’s preamble (p. 3), a reference is made at the Berne Convention for the Protection of Literary and Artistic Works.

288

T. Chiou

foundations and basic principles136 of EU copyright law (along with necessary evidences),137 including the idea/expression dichotomy and the unrestricted use of works as source of inspiration, shall be promoted within the current institutional discussions and initiatives at EU level (and beyond).138 Besides, the transposition of the human-centric copyright approach on use of preexisting woks for creativity purposes in the algorithmic environment is absolutely in line with the desired objective of a human-centric AI in the EU.139 This should be considered when adjusting the Intellectual property rights framework (including the DSM Directive) to the needs of the development of artificial intelligence technologies.

References AIPPI 2019 AIPPI World Congress – London. Adopted Resolution (2019). https://aippi.org/wpcontent/uploads/2020/05/Resolution_Copyright_in_artificially_generated_works_English.pdf. Accessed 5 May 2020 Barfield W (2015) Cyber-humans: our future with machines. Springer, Cham Burk D-L (2020) Thirty-six views of copyright authorship, by Jackson Pollock. Houston Law Rev 58. https://ssrn.com/abstract¼3570225. Accessed 5 May 2020 Chiou T (2014) Music licensing in the cloud: the Greek experience. GRUR Int 3:228 ff Chiou T (2020) Copyright lessons on machine learning: what impact on algorithmic art? JIPITEC 10: 398 ff Committee on Legal Affairs of the EU Parliament (2020) Draft report on intellectual property rights for the development of artificial intelligence technologies (2020/2015(INI)), (Rapporteur: Stéphane Séjourné), 24.4.2020

Cf. Recital 3 of the DSM Directive: “The objectives and the principles laid down by the Union copyright framework [shall] remain sound.” 137 Cf. IFPI (2020), p. 5: “a baseline study is essential to understand how existing laws might apply to uses of works (and other protected subject matter) in AI processes, and what the impact would be of different policy options.” 138 This could be made also at the international level as well. Cf. the public consultation initiative at the WIPO (2019), Issue 7, §13 (i). It should be noted that the EU response at this public consultation (European Union 2019, no 6, p. 3) is much more conciliatory in comparison to the approach of the JURI committee in the recent Draft Report (see above): “We also propose to discuss, on the basis of evidence and by assessing the relevant impacts, how the copyright framework does or should apply to uses of content as input to feed AI.” 139 For the human-centric approach of AI at the EU level, see already COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE EUROPEAN COUNCIL, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS, Artificial Intelligence for Europe, Brussels, 25.4.2018, COM(2018) 237 final; COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS, Building Trust in Human-Centric Artificial Intelligence, Brussels, 8.4.2019, COM(2019) 168 final; Independent High-Level Expert Group On Artificial Intelligence Set Up By The European Commission, Policy and Investment Recommendations for Trustworthy AI, 26 June 2019; Committee on Legal Affairs of the EU Parliament (2020), p. 4, under E. 136

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

289

De Meeûs d’Argenteuil J, Triaille JP, De Francquen A (2014) Study on the legal framework of text and data mining (TDM). De Wolf and Partners. Funded by the European Commission. https:// op.europa.eu/en/publication-detail/-/publication/074ddf78-01e9-4a1d-9895-65290705e2a5/ language-en. Accessed 5 May 2020 Deahl D (2018) How AI-generated music is changing the way hits are made. The future of music, episode 2. https://www.theverge.com/2018/8/31/17777008/artificial-intelligence-taryn-south ern-amper-music. Accessed 5 May 2020 Deltorn J-M, Macrez F (2018) Authorship in the age of machine learning and artificial intelligence, Centre for International Intellectual Property Studies (CEIPI) research paper no. 2018-10. https://ssrn.com/abstract¼3261329 Dornis T (2020) AI creativity: emergent works and the void in current copyright doctrine. Yale J Law Technol 22:1. https://yjolt.org/ai-creativity-emergent-works-and-void-current-copyrightdoctrine. Accessed 5 May 2020 Drexl J, Hilty R, Beneke F, Desaunettes L, Finck M, Globocnik J, Gonzalez Otero B, Hoffmann J, Hollander L, Kim D, Richter H, Scheuerer S, Slowinski P, Thonemann J (2019) Technical aspects of artificial intelligence: an understanding from an intellectual property law perspective. Max Planck Institute for Innovation & Competition research paper no. 19-13. https://ssrn.com/ abstract¼3465577. Accessed 5 May 2020 European Copyright Society (2017) General opinion on the EU copyright reform package. https:// europeancopyrightsocietydotorg.files.wordpress.com/2015/12/ecs-opinion-on-eu-copyrightreform-def.pdf. Accessed 5 May 2020 European Union (2019) Response of the European Union and its Member States to the public consultation on the WIPO Draft Issues Paper on Intellectual Property and Artificial Intelligence of 13 December 2019. https://www.wipo.int/export/sites/www/about-ip/en/artificial_intelli gence/call_for_comments/pdf/org_european_union.pdf. Accessed 5 May 2020 Flynn S, Geiger C, Quintais J, Margoni T, Sag M, Guibault L, Carroll M-W (2020) Implementing user rights for research in the field of artificial intelligence: a call for international action. https:// ssrn.com/abstract¼3578819. Accessed 5 May 2020 Geiger C, Frosio G, Bulayenko O (2018a) The exception for text and data mining (TDM) in the proposed directive on copyright in the digital single market - legal aspects, Centre for International Intellectual Property Studies (CEIPI) research paper no. 2018-02. https://ssrn.com/ abstract¼3160586. Accessed 5 May 2020 Geiger C, Frosio G, Bulayenko O (2018b) Crafting a text and data mining exception for machine learning and big data in the digital single market. In: Seuba X, Geiger C, Pénin J (eds) Intellectual property and digital trade in the age of artificial intelligence and big data, CEIPI/ ICTSD publication series on “Global Perspectives and Challenges for the Intellectual Property System,” Issue No. 5, Geneva/Strasbourg, pp 97–111 Geiger C, Frosio G, Bulayenko O (2019) Text and data mining: articles 3 and 4 of the directive 2019/790/EU, Centre for International Intellectual Property Studies (CEIPI) research paper no. 2019-08. https://ssrn.com/abstract¼3470653. Accessed 5 May 2020 Gervais D (2019a) The machine as author. Iowa Law Rev 105. https://ssrn.com/abstract¼3359524. Accessed 5 May 2020 Gervais D (2019b) Exploring the interfaces between big data and intellectual property law. JIPITEC 10:3 ff. Ginsburg J, Budiardjo LA (2019) Authors and machines. Berkeley Technol Law J 34:343 ff. Goodfellow I, Pouget-Abadie J, Mirza M, Xu B, Warde-Farley D, Ozair S, Courville A, Bengio Y (2014) GenerativeAdversarial Nets, QC H3C 3J7 Département d’informatique et de recherche opérationnelle, Université de Montreal. https://papers.nips.cc/paper/5423-generative-adversar ial-nets.pdf. Accessed 5 May 2020 Grimmelmann J (2016) Copyright for literate robots. Iowa Law Rev 101:657 ff. Guadamuz A (2017) Do androids dream of electric copyright? Comparative analysis of originality in artificial intelligence generated works. https://ssrn.com/abstract¼2981304. Accessed 5 May 2020

290

T. Chiou

Hadjeres G, Pachet F (2016) Deep bach: a steerable model for Bach chorales generation. https:// arxiv.org/pdf/1612.01010v1.pdf. Accessed 5 May 2020 Hilty R, Richter H (2017) Position statement of the Max Planck Institute for Innovation and Competition on the proposed modernisation of European copyright rules part b exceptions and limitations (Art. 3 – Text and Data Mining), Max Planck Institute for Innovation & Competition research paper no. 17-02. https://papers.ssrn.com/sol3/papers.cfm?abstract_ id¼2900110. Accessed 5 May 2020 Holder C, Iglesias M, Triaille J-P, Van Gysegnem J-M (eds) (2019) Legal and regulatory implications of artificial intelligence. The case of autonomous vehicles, m-health and data mining, Publication Office, Luxembourg. https://op.europa.eu/en/publication-detail/-/publication/ f962b17b-5c04-11e9-9c52-01aa75ed71a1/language-en/format-PDF. Accessed 5 May 2020 Hugenholtz B (2019) The new copyright directive: text and data mining (Articles 3 and 4). http:// copyrightblog.kluweriplaw.com/2019/07/24/the-new-copyright-directive-text-and-data-min ing-articles-3-and-4/. Accessed 5 May 2020 IFPI (2020) IFPI submission to WIPO on draft issues paper on intellectual property policy and artificial intelligence. https://www.wipo.int/export/sites/www/about-ip/en/artificial_intelli gence/call_for_comments/pdf/org_ifpi.pdf. Accessed 5 May 2020 Iglesias M, Shamuilia S, Anderberg A (2019) Intellectual property and artificial intelligence – a literature review, EUR 30017 EN, Publications Office of the European Union, Luxembourg. https://op.europa.eu/el/publication-detail/-/publication/68287734-207b-11ea-95ab01aa75ed71a1/language-en/format-PDF/source-114929194. Accessed 5 May 2020 Kawohl F, Kretschmer M (2009) Johann Gottlieb Fichte, and the trap of inhalt (content) and form: an information perspective on music copyright. http://ssrn.com/abstract¼20638161. Accessed 5 May 2020 Kreutzer R, Sirrenberg M (2020) Understanding artificial intelligence. fundamentals, use cases and methods for a corporate AI journey. Springer, Cham Lauber-Rönsberg Α, Hetmank S (2019) The concept of authorship and inventorship under pressure: does artificial intelligence shift paradigms? J Intellect Prop Law Pract 14(7):570 ff Levendowski A (2018) How copyright law can fix artificial intelligence’s implicit bias problem. Wash Law Rev 93(2):579–630 Margoni T (2018) Artificial intelligence, machine learning and EU copyright law: who owns AI? CREATe working paper 2018/12. https://ssrn.com/abstract¼3299523. Accessed 5 May 2020 Mezei P (2020). From Leonardo to the Next Rembrandt – the need for AI-Pessimism in the age of algorithms. https://ssrn.com/abstract¼. Accessed 5 May 2020 Murray-Rust P, Molloy J, Cabell D (2014) Open content mining. In: Moore S (ed) Issue in open research data. Ubiquity Press, London Papadopoulos M, Zampakolas C, Ganatsiou P (2019) The idea of an open norm for text and data mining in the EU copyright law. Paper presented at the 9th ICIL conference, University of Rome Tor Vergata, Pontifical University St. Anselm, Ionian University Greece, Rome, 11–13 July 2019 Pollaud-Dullian F (2005) Le droit d’auteur. Economica, Paris Rachum-Twaig O (2017) Recreating copyright: the cognitive process of creation and copyright law. Fordham Intellect Prop Media Entertain Law J 27:287 ff.. https://papers.ssrn.com/sol3/papers. cfm?abstract_id¼2776292. Accessed 5 May 2020 Ramalho A (2017) Will Robots Rule the (Artistic) World? A Proposed Model for the Legal Status of Creations by Artificial Intelligence Systems. https://ssrn.com/abstract¼2987757. Accessed 5 May 2020 Rosati E (2018) The exception for text and data mining (TDM) in the proposed directive on copyright in the digital single market - technical aspects. Briefing requested by the JURI Commission of the European Parliament, Policy Department for Citizens’ Rights and Constitutional Affairs PE 604.942. Brussels. https://www.europarl.europa.eu/RegData/etudes/BRIE/ 2018/604942/IPOL_BRI(2018)604942_EN.pdf. Accessed 5 May 2020

11

Copyright Law and Algorithmic Creativity: Monopolizing Inspiration?

291

Rosati E (2019) Copyright as an obstacle or enabler? A European perspective on text and data mining and its role in the development of AI creativity. https://papers.ssrn.com/sol3/papers. cfm?abstract_id¼3452376. Accessed 5 May 2020 Sag M (2019) The new legal landscape for text mining and machine learning. J Copyright Soc USA 66. https://ssrn.com/abstract¼3331606. Accessed 5 May 2020 Sartor G, Lagioia F, Contissa G (2018) The use of copyrighted works by AI systems: art works in the data mill. https://papers.ssrn.com/sol3/papers.cfm?abstract_id¼3264742. Accessed 5 May 2020 Schönberger D (2018) Deep copyright: up - and downstream questions related to artificial intelligence (AI) and machine learning (ML). https://ssrn.com/abstract¼3098315. Accessed 5 May 2020 Shalev-Shwartz S, Ben-David S (2014) Understanding machine learning: from theory to algorithms. Cambridge University Press, New York. http://www.cs.huji.ac.il/~shais/ UnderstandingMachineLearning. Accessed 5 May 2020 Skilton M, Hovsepian F (eds) (2018) The 4th industrial revolution: responding to the impact of artificial intelligence on business. Palgrave Macmillan, London Surden H (2019) Artificial intelligence and law: an overview. https://ssrn.com/abstract¼3411869. Accessed 5 May 2020, p 92 Tanz J (2016) Soon we won’t program computers. We’ll train them like dog. https://www.wired. com/2016/05/the-end-of-code/. Accessed 5 May 2020 Verostko R (n.d.). The algorists. http://www.verostko.com/algorist.html. Accessed 5 May 2020 Vogan A (2016) Let’s explore wired’s article about ‘The End of Code’. https://artandlogic.com/ 2016/05/software-developers-response-wireds-end-coding-article/. Accessed 5 May 2020 Von Lewinski S, Walter M (2010) Information Society Directive. In: Walter M, Von Lewinski S (eds) European Copyright Law: a commentary, part II. Oxford University Press, Oxford, p 11 WIPO (2019) Conversation on intellectual property (IP) and artificial intelligence (AI), draft issues paper on intellectual property policy and artificial intelligence, WIPO/IP/AI/2/GE/20/1. 13 December 2019, Second Session, Prepared by the Secretariat. https://www.wipo.int/edocs/ mdocs/mdocs/en/wipo_ip_ai_2_ge_20/wipo_ip_ai_2_ge_20_1.pdf. Accessed 5 May 2020

Part III

Emerging Issues in EU Digital Law

Chapter 12

The Duties and Responsibilities of an Internet News Portal on Online Comments Posted by Users in the ECtHR Case Law Costas Paraskeva

Abstract This chapter seeks to examine the responses of the European Court of Human Rights in cases concerning the complex and multifaceted context of the Internet. Focus is placed on the Court’s case law concerning the liability of Internet intermediaries for the violation of the right to reputation under Article 8 of the European Convention on Human Rights. This case law clearly illustrates the Court’s struggle in delineating the proper balance to be struck between freedom of expression, reputational and privacy interests in the Internet setting.

1 Introduction Over the past years the European Court of Human Rights (‘the ECtHR’ or ‘the Court’) has been faced with an increasing amount of case law concerning the use of the Internet and the challenges arising thereof to human rights protected under the European Convention on Human Rights (‘the Convention’). The Internet has without a doubt transformed the world and the societies we live in and will continue doing so for many years to come. From the standpoint of the freedom of expression, the Internet forms a unique and unparalleled platform for exercising this right. At the same time, the risks it poses to the right to respect for private life and reputation is considered higher than that posed by the printed press. The Convention as a living instrument and the Court, responsible for enforcing it, have not remained passive to such developments. The purpose of the present chapter is to examine the Court’s responses in cases concerning the complex and multifaceted context of the Internet. It is argued that the Court has moved beyond its traditional approach concerning the right to freedom of expression and has developed certain guiding principles on the scope and limitations of the right within the digital environment. Focus is placed on the Court’s case law concerning the liability of Internet intermediaries for the violation of the right to C. Paraskeva (*) Department of Law, University of Cyprus, Aglantzia, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_12

295

296

C. Paraskeva

reputation under Article 8 of the Convention. This case law clearly illustrates the Court’s struggle in delineating the proper balance to be struck between freedom of expression, reputational and privacy interests in the Internet setting.

2 The Internet as a Modern Means of Imparting Information According to Article 10 of the Convention, the right to freedom of expression entails the right to receive and impart information ‘regardless of frontiers’.1 Without a doubt, the Internet as a medium functioning on a global basis without frontiers allows for the exercise of the right to freedom of expression in the widest scope possible.2 Its wide ranging accessibility to vast amount of information, with billions of users globally has utterly transformed the way people receive and impart information. Its importance in enhancing the public’s access to information and facilitating the dissemination of information has been recognised by the Court on various occasions.3 It is hardly surprising therefore that blocking and/or interfering with Internet access may well be in direct conflict with paragraph 1 of Article 10 of the Convention.4 In the case of Ahmet Yıldırım v. Turkey,5 the Court observed that the Internet has now become one of the principal means by which individuals exercise their right to freedom of expression and information, providing essential tools for participation in activities and discussions concerning political issues and issues of general interest.6 The case concerned a court order blocking access to Google Sites in the course of criminal proceedings against an individual who posted content insulting the memory of Atatürk. The applicant, owner of a website hosted by Google Sites unrelated to the criminal proceedings, complained that he was unable to access his own Internet site because of the court order. This, according to the applicant, constituted an infringement of his right to receive and impart information and ideas. The Court held that the order rendered ‘large quantities of information inaccessible, substantially restricted the rights of Internet users and had significant collateral effect’.7 Accordingly, the Court found a violation of Article 10 of the Convention.

1

Article 10.1 of the European Convention on Human Rights. Benedek and Kettemann (2013). 3 See for example, ECHR, Ahmet Yıldırım v. Turkey, App No 3111/10, 18 December 2012, par. 48, ECHR, Times Newspapers Ltd (nos. 1 and 2) v the United Kingdom, App Nos 3002/03 & 23676/03, 10 March 2009, par. 27. 4 see, Ahmet Yıldırım v Turkey and ECHR, Cengiz and Others v Turkey, App Nos 48226/10 & 14027/11, 1 December 2015 (concerning the wholesale blocking of access to YouTube). 5 Ahmet Yıldırım v. Turkey. 6 Ibid., par. 54. 7 Ibid., par. 66. 2

12

The Duties and Responsibilities of an Internet News Portal on Online. . .

297

In the case of Times Newspapers Ltd v. the United Kingdom,8 the Court emphasised the importance of the Internet not only in its role as a ‘public watchdog’ but also as a means of maintaining and making available to the public archives containing previously reported news.9 In that case the Court stressed that Internet archives constitute an important source for education and historical research, particularly as they are readily accessible to the public and are generally free.10 Indeed, due to the importance of Internet archives in enhancing public access to information, the Court considers that they merit protection under Article 10 of the Convention. Article 10 in general applies to the Internet as a means of communication11 despite of the ‘type of message’ or whether it is used for ‘commercial purposes’.12 In the case of Editorial Board of Pravoye Delo and Shtekel v Ukraine, the Court has held that the absence of a sufficient legal framework domestically to allow journalists to use information obtained from the Internet without fear of incurring sanctions seriously hindered the exercise of the vital function of the press as a ‘public watchdog’. However, in the same case the Court recognised that it would be justified to assume different policies concerning the reproduction of material from traditional media and the Internet due to the risk of causing harm through the latter.13 Due to the particular features of the Internet and especially its capacity to store and transmit information, the Court views it as a different information tool from the printed press and as aforementioned, the risks it poses to the rights protected by Article 8 are thought to be higher.14 One of the major differences between the Internet and the traditional printed press lies with the amount of information which is published by each medium as well as the speed by which such information is spread.15 It is not unusual for the Internet to be used as an uncontrollable platform for unlawful activities, the spread of hate speech or other abusive forms of expression.16 The ability of citizens to engage actively in the political discourse and express wide-ranging, alternative and dissenting views has been especially enhanced through the development of Web 2.0 based platforms (such as blogs, news websites which allow reader comments, or social media).17 Naturally, the ECtHR has held that ‘user-generated activity on the Internet provides an unprecedented platform for

8 ECHR, Times Newspapers Ltd (nos. 1 and 2) v the United Kingdom, App Nos 3002/03 & 23676/ 03, 10 March 2009, par. 27. 9 Ibid. 10 Ibid., par. 45. 11 ECHR, Delfi AS v Estonia, App No 64569/09 [GC], 16 June 2015, par. 113. 12 ECHR, Ashby Donald and others v France, App No 36769/08, 10 January 2013, par. 34. 13 ECHR, Editorial Board of Pravoye Delo and Shtekel v Ukraine, App No 33014/05, 5 May 2011, par. 63. 14 See, among others, ECHR, Węgrzynowski and Smolczewski v Poland, App No 33846/07, 16 July 2013, par. 58, Editorial Board of Pravoye Delo and Shtekel v Ukraine, par. 63. 15 Benedek and Kettemann (2013), p. 97. 16 Giakomopoulos (2020), p. 7. 17 Akdeniz (2011), p. 39.

298

C. Paraskeva

the exercise of freedom of expression’.18 The ECtHR has specifically noted how information on the Internet and often unlawful speech can be disseminated in a matter of seconds and remain persistently available online.19 Naturally, as opportunities for sharing information and comments online broaden, the Court has increasingly had to adjust its traditional approaches and application of legal principles to the Internet’s specific features,20 especially in cases concerning problematic speech, the impact of which can be magnified through the Internet.21 A question which has attracted much attention in the last years is that of the liability of online intermediaries for hosting unlawful user comments and content. The next section will focus on case law concerning the question and the Court’s balancing exercise of the competing rights of freedom of expression and reputation.

3 ECtHR Case Law on the Liability of Internet Intermediaries 3.1

Delfi AS v Esthonia: Setting Precedent

The first case in which the Court had been called upon to examine a complaint concerning the liability of a company running an Internet news portal because of user generated comments was Delfi AS v. Esthonia.22 The applicant, Delfi SA, one of the largest Internet news portals in Esthonia, provided a platform run on commercial lines, inviting users—whether eponymous or anonymous—to post comments on previously published content. Domestically the company faced defamation proceedings for offensive and threatening comments posted by readers under an article on its website concerning the activities of a ferry company. It removed the comments 6 weeks after their publication upon the request of the lawyers representing the ferry company. The domestic courts found the company liable for the offending comments and ordered it to pay EUR 320 in damages. Delfi AS complained to the ECtHR that the domestic courts’ finding that it had been liable for comments posted by its readers was in violation of Article 10 of the Convention. Both the Chamber and later the Grand Chamber held that there had been no violation of Article 10 and that a commercial operator of an Internet news portal such as the applicant may be held accountable for offensive comments posted by its users.

18

Delfi AS v Estonia, par. 110. Ibid. 20 Editorial Board of Pravoye Delo and Shtekel v Ukraine, par. 63. 21 Vajic and Voyatzis (2012), p. 395. 22 Delfi AS v Estonia. 19

12

The Duties and Responsibilities of an Internet News Portal on Online. . .

3.1.1

299

The Scope of the Assessment: The Nature of the Intermediary and the Comments Posted

The Grand Chamber begun its analysis of the case by delineating the scope of its assessment. At the outset of its analysis, the Grand Chamber made explicit mention to the fact that the particular case concerned a major Internet news portal run on a professional and commercial basis. The company published news stories written by its staff on which users were invited to comment. The Court differentiated this platform from any other types of Internet media where comments could be freely posted—such as Internet discussion groups, bulletin boards, blogs run by private individuals as a hobby or social media platforms—without the discussion being channelled by any input from the medium’s manager.23 At the same time, the Grand Chamber placed particular emphasis on the nature of the comments, namely that they did not simply constitute defamatory comments, but rather constituted hate speech advocating acts of violence against others.24 It appears from the Court’s analysis that the nature of the comments was such that protection under Article 10 of the Convention could not be extended.25 In its preliminary remarks the Grand Chamber also reiterated the need to maintain a balance between two conflicting realities, namely, the value of the Internet as a unique forum for the exercise of freedom of expression and the need to protect the right to reputation and privacy in light of the inherent dangers in the dissemination or even perpetuity of unlawful speech online.26 It also did not fail to acknowledge that the ‘duties and responsibilities’ of an Internet news portal for the purposes of Article 10 may differ to some degree from those of a traditional publisher on thirdparty content, exactly because of the particular nature of the Internet.27 On the issue of lawfulness, which is traditionally assessed based on the accessibility and foreseeability of domestic law, the Grand Chamber noted that the applicant company, as a professional Internet publisher which ought to have been familiar with the relevant legislation and case law and able to seek legal assistance, was in a position to assess the risks associated with its activities as well as foresee, within reasonable bounds, the consequences of such activities.28 The Court was satisfied that the domestic law and case law made it foreseeable that a media publisher running an Internet news portal for an economic purpose could, in principle, be held liable under domestic law for the uploading of clearly unlawful comments on its news portal.29

23

Ibid., par. 116. Ibid., par. 117. 25 Spano (2017a). 26 Delfi AS v Estonia, par. 110. 27 Ibid., par. 113. 28 Ibid., par. 129. 29 Ibid., par. 128. 24

300

3.1.2

C. Paraskeva

Four Critical Factors in Assessing Proportionality

Subsequently and more significantly in conducting the proportionality assessment of the impugned interference, the Grand Chamber adopted four factors, identified by the Chamber, as relevant to its analysis: the context of the comments, the measures applied by the applicant company to prevent or remove defamatory comments, the liability of the actual authors of the comments as an alternative to the applicant company’s liability, and the consequences of the domestic proceedings for the applicant company.30 It is interesting to note about the first factor, that the Court acknowledged at the outset that the newspaper article published by Delfi AS was considered balanced and did not contain offensive language. Nonetheless, it emphasised the fact that the portal functioned on a commercial basis, it had integrated the comments section in its news portal and actively sought comments on the articles it published. The Court also noted that the company’s advertising revenue depended partly on the number of comments on its site. The Grand Chamber considered the company’s rules on posting comments and its ability of removing comments, unlike the authors of the comments who could not delete or modify them once posted on the company’s portal.31 As such, the company’s involvement went beyond that of a merely passive and purely technical service provider and it did in fact exercise substantial control over the comments posted on its site.32 Turning to the second aspect, namely the possibility of holding the authors of the comments liable, the Grand Chamber did not disregard the interest of Internet users in not disclosing their identity and the effect anonymity could have on the free flow of ideas. It also did not ignore that different degrees of anonymity were possible. However, the Court remained mindful of the uncertain effectiveness of measures allowing the identity of the authors of comments to be established both through the domestic legal order as well as through the company’s own site, leaving victims of hate speech with little possibility in effectively bringing a claim against the authors of the comments.33 This second aspect appears crucial to the Courts assessment as it is not unlikely that had there existed a realistic prospect to hold the authors of the comments liable, the result of the case might have been different. What is more, as noted by Judge Spano, any possible case lodged with the Court on behalf of the authors of the comments would likely have been dismissed as manifestly ill-founded.34 On the third aspect, the Grand Chamber was critical of the mechanisms adopted by the company to filter comments amounting to hate speech or entailing incitement to violence, as both the automatic word-based filter used by the company and the 30

Ibid., par. 142. Ibid., par. 144. 32 Ibid., paras. 145–146. 33 Ibid., paras. 157–151. 34 Spano (2017a). 31

12

The Duties and Responsibilities of an Internet News Portal on Online. . .

301

notice-and-take-down system did not filter out such speech leading to the protracted appearance of the comments on the website before being removed.35 Lastly, in examining the consequences of the domestic proceedings for Delfi AS, the Grand Chamber paid particular emphasis to the low amount of compensation (EUR 320) that the company had been ordered to pay. The said amount was considered proportional by the Court, which observed that the company did not have to change its business model while at the same time the number of comments on its website remained unaffected and continued to increase.36 The Grand Chamber also took into consideration the broader impact of the domestic judgment, finding that while in post-Delfi cases the Esthonian courts were imposing liability on similar intermediaries, they did not make awards for nonpecuniary damage. It appears therefore that the Court, while not explicitly stating so, assessed the possible ‘chilling effect’ of such interference to the exercise of the right to freedom of expression.37

3.2

Magyar Tartalomszolgáltatók Egyesülete and Index.Hu Zrt v Hungary

A little while after its judgment in Delfi AS, the Court was faced with the issue of liability of Internet intermediaries once more in the case of Magyar Tartalomszolgáltatók Egyesülete and Index.Hu Zrt v. Hungary (hereinafter, ‘MTE and Index’).38 The case concerned the liability of a self-regulatory body, namely, Magyar Tartalomszolgáltatók Egyesülete (‘MTE’) and an Internet news portal, namely, Index.hu Zrt which complained before the Court of the national court’s decisions finding them liable for online comments posted by their readers on their respective websites. MTE published an opinion concerning two real-estate management websites. The same opinion was published on Index.hu’s portal. The impugned articles attracted user comments, some of which were vulgar and offensive, criticising the ‘misleading’ business practices of the real estate websites. Actions for defamation were subsequently brought against MTE and Index.hu who were found liable for defamation due to the user comments, for which they were considered to have assumed objective liability, although these intermediaries removed the comments in question immediately after having been informed of the civil action. Unlike in Delfi SA, the ECtHR found that the national courts’ decisions violated the applicants’ rights under Article 10 of the Convention.

35

Delfi AS v Estonia, par. 156. Ibid., par. 161. 37 Fathaigh (2017), p. 389. 38 ECHR, Magyar Tartalomszolgáltatók Egyesülete and Index.Hu Zrt v Hungary, App No 22947/ 13, 2 February 2016. 36

302

C. Paraskeva

As with Delfi SA, the Court noted at the outset that both the first applicant (MTE) and the second applicant (Index.hu), provided a forum for the exercise of the right to freedom of expression while enabling the public to impart information and ideas by posting their comments.39 Consequently, the Court observed that although MTE and Index.hu were not publishers of the comments in the traditional sense, Internet news portals should also, in principle, assume duties and responsibilities.40 Neither party to the proceedings before the Court disputed the interference by the domestic courts’ judgments. The Court further considered that both applicants should have been able to foresee, to a reasonable degree, that they could be held liable under domestic law for unlawful comments of third parties published on their portals.41 The main issue of the case lay once more with the domestic courts’ balancing exercise. 3.2.1

A Modified Five-Step Approach

In assessing whether the domestic courts had struck the right balance between the applicants’ right to freedom of expression under Article 10 of the Convention and the real-estate company’s right to reputation under Article 8, the ECtHR applied the four critical aspects developed in Delfi AS, adding a fifth element to this assessment, namely the consequences for the injured party. Concerning the context of the comments, the Court observed that the article referred to a subject of public interest and made possible an informed public debate over a matter of interest to many consumers and Internet users. It considered the fact that numerous complaints by affected consumers had already been lodged with the relevant state organs and proceedings were taken against the said real-estate company. The article was therefore considered to have sufficient factual basis and it was not therefore seen as provoking offensive comments. The Court did not ignore the fact that the second applicant owned a large Internet portal on a commercial basis; however, it noted that this had not been the case for the first applicant, which was a non-profit self-regulatory association of Internet service providers with no known commercial activities. The Court went on to note that while the comments expressed were offensive or even vulgar, this was not in itself the only decisive element in the assessment of what constitutes an offensive expression. According to the Court ‘regard must be had to the specificities of the style of communication on certain internet portals’.42 The Court therefore considered that the expressions used in the comments were of a ‘low register and style’ but this was not uncommon for many Internet portals.

39

Ibid., par. 61. Ibid., par. 62. 41 Ibid., par. 51. 42 Ibid., par. 77. 40

12

The Duties and Responsibilities of an Internet News Portal on Online. . .

303

Accordingly, this was perceived to be a consideration that reduces the impact that can be attributed to those expressions.43 On the possibility of holding the authors of the comments accountable, the Court noted that the domestic courts failed to consider the possible liability of the actual authors of the comments vis-à-vis that of the applicants.44 The Court reiterated that the provision of a platform to third-parties to express their opinion by posting comments is a form of journalistic activity and the liability of the applicants is difficult to reconcile with the Court’s case law which does not condone penalising journalists for assisting in the dissemination of statements made by third parties. Such a stance would hamper the contribution of the press to discussion of matters of public interests.45 Importantly, considering the measures taken by the applicants and the conduct of the injured company, the Court noted that the applicants had taken certain measures to prevent or remove defamatory comments from their portals. These included a disclaimer, a team of moderators (second applicant), and a notice-and-take-down system. Crucially, the Court observed that the domestic courts finding that the applicants were liable for allowing unfiltered comments to be posted, amounted to requiring ‘excessive and impracticable forethought capable of undermining the freedom to impart information on the internet’.46 Additionally, the Court noted that what was at stake in the case was the commercial reputation of a private company instead of the reputation of a natural person (as was the case in Delfi AS). As inquiries into the conduct of the real-estate company had already started when the articles were published, the Court considered that the user comments were hardly capable of significantly impacting the attitude of consumers.47 Once again, the Court noted the domestic courts’ failure to evaluate whether the comments had reached a level of seriousness and actually caused prejudice. Lastly, as for the impact of the judgments on the applicants, the Court observed that while they had not been required to pay compensation for non-pecuniary damage, it could not be excluded that the finding against them could lead to further legal action resulting in such an award. Nevertheless, the decisive issue according to the Court was that objective liability for third-party comments could have foreseeable negative consequences for an Internet portal, for example by requiring it to close the commenting space altogether. This could in turn have a chilling effect on freedom of expression on the Internet, which could be particularly detrimental for a non-commercial portal such as that operated by the first applicant.48 The Court was clearly concerned with the failure of domestic courts to assess how the application of

43

Ibid., par. 77. Ibid., par. 79. 45 Ibid. 46 Ibid., par. 82. 47 Ibid., par. 85. 48 Ibid., par. 86. 44

304

C. Paraskeva

civil liability to a news portal operator could affect freedom of expression on the Internet. In the absence of hate speech or direct threats to physical integrity in the user comments, the Court found that there was no reason to hold that, if accompanied by effective procedures allowing for a rapid response, the notice-and-take-down-system could not have provided a viable avenue to protect the real-estate company’s commercial reputation in the present case.49

3.3

Phil v Sweden and Høiness v. Norway: Further Departure from Delfi AS?

The principles established in Delfi AS and MTE and Index were applied by the Court in subsequent case law. One such case is that of Pihl v. Sweden50 which concerned the applicant’s complaint that his rights under Article 8 of the Convention were violated by a blog post published on the website of a non-profit Internet portal, which contained allegations that he was involved with a Nazi party. The applicant requested both the blog and a comment posted therein to be removed. The Internet portal responded immediately and published both a clarification and an apology. Domestic proceedings for defamation were unsuccessfully brought by the applicant, who subsequently decided to pursue his claims in Strasbourg. In contrast to the two cases, it had not been the Internet intermediary who brought a claim to the ECtHR, but the individual who was allegedly aggrieved by the post and comments posted on the Internet portal. In examining the case, the Court took guidance from the five-step approach of MTE and Index. The Court attached importance to the fact that the Internet intermediary was a small non-profit association, unknown to the wider public. Consequently, it was according to the Court unlikely that it would attract many comments or that the comment about the applicant would be widely read.51 The Court further held that the comment, while offensive, did not amount to hate speech neither did it incite violence. Notably, it repeated that ‘expecting the association to assume that some unfiltered comments might be in breach of the law would amount to requiring excessive and impractical forethought capable of undermining the right to impart information via the Internet’.52 The Court also raised the issue of the possible chilling effect of imposing liability on a non-commercial Internet portal.53 In light of the above, the Court found that the domestic courts had managed to strike

49

Ibid., par. 91. ECHR, Pihl v Sweden, App No 74742/14, 7 February 2017. 51 Ibid., par. 31. 52 Ibid., par. 31. 53 Ibid., par. 35. 50

12

The Duties and Responsibilities of an Internet News Portal on Online. . .

305

a fair balance between the competing rights of the applicant under Article 8 and the association under Article 10.54 A similar approach to Phil was followed by the Court in the recent case of Høiness v. Norway, which concerned the refusal of Norwegian courts in civil proceedings to find an Internet forum host liable of vulgar comments posted on the forum directed against the applicant. Interestingly, the Court found that the fact that the Internet portal removed the offensive comments 13 min after these came to their knowledge, exempted the portal from liability. The cases of Pihl and Høiness differ in many respects from Delfi AS. Pihl differed in that the Internet portal which posted the article and hosted the offensive comments was a small non-profit association, while the comments were not considered to incite violence and hate. However, with Phil, as previously with MTE and Index the Court seemed to attribute great importance to the possible chilling effect of holding an Internet intermediary liable for user generated content and to the broader consequences of monitoring and removing user comments. This is evident in both cases where the Court emphasises the ‘excessive and impracticable burden’ such a practice would place on the Internet platforms as well as the possibility of undermining the right to receive and impart information online. Such considerations were not however taken into account in Høiness where the Internet portal had an established system of moderators who monitored content, indicating that the Court has still not fully considered the possible consequences of filtering user generated content.

3.4

Magyar Jeti Zrt v. Hungary: From User Generated Content to Hyperlinking

In Magyar Jeti Zrt v. Hungary55 which concerns liability of an Internet intermediary for defamatory content hyperlinked in their report, the Court found a violation of Article 10, thus further developing its case law on these issues. The Court pointed out that the domestic courts’ finding that the hyperlink amounted to dissemination of information which entailed objective liability meant there had been no balancing of the parties’ rights under Articles 8 and 10 of the Convention. This objective liability could according to the Court have adverse consequences on the flow of information on the Internet, such as for example, impelling authors and publishers to refrain altogether from hyperlinking to material whose content they could not control.56 Consistently with its findings in MTE and Index, the Court emphasised that such a

54 A similar approach was adopted by the Court in subsequent cases concerning alleged violations of the applicant’s right to privacy and reputation by an Internet portal. See for example, the cases of ECHR, Tamiz v the United Kingdom, App No 3877/14 (dec.), 19 September 2017 and ECHR, Høiness v Norway, App No 43624/14, 19 March 2019. 55 ECHR, Magyar Jeti Zrt v Hungary, App No 11257/16, 4 December 2018. 56 Ibid., par. 83.

306

C. Paraskeva

practice could directly or indirectly have a chilling effect on freedom of expression on the Internet. The Court also noted that imposing a general requirement for journalists to distance themselves systematically and formally from the content of a quotation, cannot be reconciled with the role of the press in providing information.57 In addition, the Court particularly referred to the fact that hyperlinks are different from traditional acts of publication as they simply direct users, or bring their attention, to content published elsewhere on the Internet.58 Thus, according to the Court, hyperlinking is different from traditional acts of dissemination of information. Consequently, the Court disagreed with the domestic courts’ approach of equating the mere posting of a hyperlink with the dissemination of defamatory information and automatically entailing liability for the content itself.59 Instead, the Court held that liability is to be decided once each case is individually assessed, considering several elements. The Court identified five such elements, relevant for the analysis of the liability of the applicant company as publisher of a hyperlink, namely, whether: (1) the journalist endorsed the impugned content; (2) the journalist repeated the impugned content (without endorsing it); (3) the journalist merely included a hyperlink to the impugned content (without endorsing or repeating it); (4) the journalist knew or could reasonably have known that the impugned content was defamatory or otherwise unlawful; (5) the journalist acted in good faith, respected the ethics of journalism and performed the due diligence expected in responsible journalism. Applying the above elements to its assessment, the Court held that the applicant suffered a disproportionate restriction of its right to freedom of expression, in violation of Article 10 of the Convention.

4 Final Conclusions to Be Drawn from the Court’s Case Law The Court’s approach in Delfi AS v. Esthonia has received stringent criticism by several commentators60 which consider that the imposition of liability on intermediaries while at the same time expecting them to institute mechanisms to monitor user generated content, restricts the freedom of expression on the Internet.61 Some commentators have argued that the majority’s rejection of the chilling effect argument raised by the Internet intermediary in Delfi was inconsistent with the Court’s

57

Ibid., par. 80. Ibid., par. 73. 59 Ibid., par. 76. 60 See among others, Brunner (2016), pp. 163–174; Cox (2014), pp. 619–629; Woods (2016); Gstrein (2015). 61 Spano (2017b), p. 678. 58

12

The Duties and Responsibilities of an Internet News Portal on Online. . .

307

treatment of similar chilling effect arguments in other areas of the Court’s jurisprudence on freedom of expression.62 However, it appears that the aforementioned fears of a possible chilling effect to the right to freedom of expression may have been shared to a certain extent by the Court which, as observed above, seemed to raise the issue more clearly in its case law following Delfi AS. As rightly argued by Judge Spano, it is imperative to keep in mind that the issue under consideration is part of a complex context while studies on the effects of the constantly evolving technological innovations on human rights and the society are so far inconclusive and partial. It is also crucial to remember that when deciding a case in Strasbourg, the Court is making an assessment of the limited facts before it, considering the specificities of the case. The Court’s judgment in Delfi AS was the first of its kind and it is true that it is to some extent unique and not suitable for broader interpretative conclusions beyond the specific facts of the case.63 Nonetheless, this is not to say that there are no lessons to be drawn from Delfi AS and the rest of case law discussed in this paper. First, the Court has set out five aspects it will consider for the balancing exercise between Article 8 and Article 10 rights in cases concerning the liability of Internet intermediaries for user generated content. These aspects provide substantial guidance on the Court’s approach to the duties and responsibilities of Internet intermediaries and their liability for user generated content.64 The same applies to cases concerning liability of Internet intermediaries for hyperlinking, as can be seen in Magyar Jeti Zrt. The latter has been described as a ‘highly relevant and well-rounded judgment’ which ‘forms the missing link concerning the protection of speech on the internet’.65 Further the Court has certainly acknowledged the need to adapt and update its traditional principles concerning Article 10 within the context of the use of the Internet as a means for expression. It has simultaneously acknowledged the importance of the Internet, especially in the modern world, as an unparalleled platform for receiving and imparting information. In Magyar Jeti Zrt, the Court indicated a thorough understanding of the importance of hyperlinks on the Internet and established five flexible criteria before imposing liability to intermediaries for posting a hyperlink which leads to defamatory content. The Court is alert to the dangers of undermining the right to receive and impart information through the Internet when holding Internet intermediaries accountable for user generated comments or hyperlinks. Considering its more recent case law, the original criticisms raised after Delfi SA that the Court did not consider the possibility of a ‘chilling effect’ when it comes to interfering with freedom of expression as exercised on the Internet,66 no longer seem justified. The Court remains nevertheless open to the holding an Internet intermediary liable, where the content posted takes

62

Fathaigh (2017), p. 392. Spano (2017b), p. 676. 64 Voorhoof (2020), p. 39. 65 Maelen (2019). 66 See, Fathaigh (2017), p. 389; and Cox (2014), p. 626. 63

308

C. Paraskeva

the form of hate speech, incites violence and it is not removed speedily as regards user generated content; or where a hyperlink is posted in bad faith or in a manner not in accordance with the ethics and diligence expected from responsible journalism. These considerations, although may offend those who wish expression on the Internet to remain unregulated, are the inevitable consequences of the Court’s balancing exercise between two equally important rights protected by Articles 8 and 10, respectively.67 Although it can be argued that the balancing of the rights under consideration may benefit by utilising more suitable approach, it should also be noted that the current case law is recent and based on a set of complex jurisprudential challenges for the Court, which were surely not envisaged by the founding fathers of the Convention. The Court, as it is its wont will certainly need to act with prudence while developing its case law. This is especially so given that due to the trans-border nature of the Internet lightly balanced responses can affect large groups of people found even outside the Council of Europe Member States.

References Akdeniz Y (2011) Freedom of expression on the Internet: a study of legal provisions and practices related to freedom of expression, the free flow of information and media pluralism on the Internet. In: Ženet Mujić Z, Yazici D, Stone M (eds) OSCE Benedek W, Kettemann MC (2013) Freedom of expression and the Internet. Council of Europe Publishing, December 2013 Brunner L (2016) The liability of an online intermediary for third party content. The watchdog becomes the monitor: intermediary liability after Delfi v Esthonia. Hum Rights Law Rev 16 (1):163–174 Cox N (2014) Delfi AS v Esthonia: the liability of secondary Internet publishers for violation of reputational rights under the European Convention on Human Rights. Mod Law Rev 77 (4):619–629 Fathaigh RO (2017) The chilling effect of liability for online reader comments. Eur Hum Rights Law Rev 4:387–393 Giakomopoulos C (2020) Opening remarks in human rights challenges in the digital age: judicial perspectives. Council of Europe Publishing, 1 January 2020 Gstrein OJ (2015) The difficulties of information management for intermediaries. 30 July 2015. http://jean-monnet-saar.eu/?p¼881 Maelen CV (2019) Magyar Jeti Zrt v Hungary: the Court provides legal certainty for journalists that use hyperlinks, Strasbourg Observers, 18 January 2019. https://strasbourgobservers.com/2019/ 01/18/magyar-jeti-zrt-v-hungary-the-court-provides-legal-certainty-for-journalists-that-usehyperlinks/ Spano R (2017a) Don’t kill the Messenger – Delfi and its progeny in the case-law of the European Court of Human Rights. Conference “Europe After Delfi”, University of Tallinn, 8 September 2017 Spano R (2017b) Intermediary liability for online user comments under the European Convention on Human Rights. Hum Rights Law Rev 17:665–679

67

Spano (2017b), p. 679.

12

The Duties and Responsibilities of an Internet News Portal on Online. . .

309

Vajic N, Voyatzis P (2012) The Internet and freedom of expression: a ‘brave new world’ and the European Court of Human Rights’ evolving case law. In: Freedom of expression, essays in honour of Nicolas Bratza, pp 391–407 Voorhoof D (2020) Same standards, different tools? The ECtHR and the protection and limitations of freedom of expression in the digital environment, 1 January 2020, Council of Europe Publishing Woods L (2016) Delfi v Esthonia: curtailing online freedom of expression. EU Law Analysis, 18 June 2016. http://eulawanalysis.blogspot.com/2015/06/delfi-v-estonia-curtailing-online.html

Chapter 13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of Data Protection Ioanna Hadjiyianni

Abstract The extraterritorial reach of EU data protection law is welcomed by many as enhancing individuals’ trust as to the protection of their data in a globalized world. However, there is considerable diversity around the world regarding the appropriate balance between data protection and privacy on the one hand and freedom of expression and information on the other. Unilaterally determining this balance can raise legitimacy concerns and jeopardize the trust of external actors in the EU’s commitment to transparency and free movement of data. The global reach of EU data protection law is manifested both in the legal design of secondary legislation, with its territorial scope expanded in the GDPR, as well as in judicial interpretation by the CJEU, which usually extends the EU’s regulatory reach. Within this context, this chapter analyzes the enabling features of EU law and relevant case law that have facilitated the extraterritorial reach of EU law as well as the CJEU’s recent attempt to limit this territorial expansion as regards the right to be forgotten. This constraining approach may partly address the concerns of third countries and restore external trust but raises questions about the promise of EU law to protect privacy rights against tech giants thus undermining individuals’ trust.

1 Introduction In today’s digital, data-driven age, the storing and processing of data can grant a considerable political and technological advantage to a state as data may be considered “the world’s most valuable resource.”1 At the same time, the protection of personal data has emerged as a fundamental right cherished as a significant aspect of privacy in some parts of the world. The unilateral extension of European Union (“EU”) stringent data protection requirements beyond EU borders is welcomed by

1

Kessler (2019).

I. Hadjiyianni (*) Department of Law, University of Cyprus, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_13

311

312

I. Hadjiyianni

many as ensuring the protection of privacy in a globalized digital world that knows no boundaries. Despite the increasing importance and recognition of data protection rights however, there is still considerable diversity around the world as to the appropriate level of protection. This lack of consensus is due to historical, cultural and legal factors which differently determine the value of data, privacy, availability of information and transparency in societies across the globe. The appropriate balance to be struck between data protection and privacy on the one hand and freedom of expression and information on the other is difficult to determine. The unilateral determination of this balance by the EU in favor of privacy and its projection universally can give rise to legitimacy concerns and jeopardize the trust of external actors in the EU’s commitment to transparency and free movement of data. Within this context, this chapter analyzes the extraterritorial reach of EU data protection requirements and argues that law does and should serve a dual role in controlling the EU’s unilateral action.2 On the one hand, EU law enables the high level of protection of personal data through unilateral action by providing the regulatory space for the EU to unilaterally project the value of privacy beyond its borders. On the other hand, law should sufficiently constrain EU global regulatory power considering its impacts in third countries. The chapter discusses key enabling features of EU law and relevant case law that have facilitated the extraterritorial reach of EU law as well as the Court of Justice of the European Union (“CJEU”)’s recent attempt to limit this territorial expansion as regards the right to be forgotten in Case C-507/17 Google v CNIL.3 The constraining approach may partly restore external trust and address some of the concerns raised by third country actors affected by the EU’s unilateral action, but also raises questions about the EU’s promise to protect privacy rights against tech giants thus undermining individuals’ trust. The discussion on the territorial scope of the right to be forgotten demonstrates the different degrees of extraterritoriality that EU law may exhibit as well as the acute complexities—practical, legal and moral—in projecting an essentially internal value universally. The chapter is structured as follows. Section 2 identifies the nature of the extraterritorial reach of EU data protection requirements by analyzing the motivating factors for the EU’s leadership role in this field, and by specifying the different kinds of extraterritorial impacts that manifest both in the legal design of EU secondary legislation and in the CJEU’s interpretation. Section 3 problematizes the normative value of EU unilateral action on data protection considering its effects on third country actors, demonstrating that digital trust is a multi-faceted concept with implications both internally and externally of the EU legal order. The broad range of external action values that the EU has set for itself indicate that it cannot promote data protection and privacy universally without sufficiently considering the impacts its action may have on conflicting rights of information and freedom of expression as well as adverse impacts of economic and social nature that are particularly acute in

2 3

The analysis in this chapter reflects legal developments as they were on 30 March 2020. CJEU, Google v CNIL, Case C 507/17, Judgment of 24 September 2019.

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

313

relation to developing countries. Finally, Sect. 4 discusses the dual role of EU law in enabling and constraining the extraterritorial reach of EU data protection requirements, focusing on the central role played by the CJEU in determining the balance between the two functions when the legislative intent as to the exact territorial scope of EU requirements is not clearly determined. As the final interpreter of EU legislation, the CJEU sets the exact level of protection sought by EU law and the parameters of its application, thereby enhancing and breaking trust at different fronts.

2 Nature of the Global Reach of EU Law and Data Protection Increasingly in areas where there is insufficient international regulation and the subject matter is inherently transboundary or global, the EU resorts to unilateral measures that regulate conduct beyond its territorial borders through market access conditions. This phenomenon manifests in different policy areas including competition law,4 financial services regulation,5 food safety,6 environmental protection7 and animal welfare.8 The global reach of EU law often manifests through the regulatory technique known as “territorial extension” whereby based on a territorial trigger, EU legislation requires as a matter of law to consider conduct and processes taking place outside its borders.9 Such measures are often legally designed to unilaterally extend the territorial remit of EU legislation, by conditioning access to the EU market based on the conduct or processes that take place abroad.10 Data protection issues, particularly in the Internet context, which is “fundamentally and profoundly anti-spatial,”11 and to which many states may have a regulatory claim, present an important example which the EU has sought to regulate first, thereby providing a regulatory model for the world. As indicated by former VicePresident of the European Commission (“Commission”), Viviane Reding, the EU’s robust data protection framework “can be the gold standard for the world.”12 This leadership commitment has been re-confirmed in the 2020 European Strategy for

4

Aydin (2012), pp. 663–681; Krisch (2014), pp. 1–40; Bradford (2012), pp. 19–22. Scott (2014b), pp. 1343–1380; Fahey (2016), pp. 24–52. 6 Bradford (2012), pp. 32–35; Pollack and Shaffer (2009). 7 Hadjiyianni (2019b); Scott (2014a), pp. 87–125. 8 Hadjiyianni (2019a), pp. 1–34. 9 Scott (2014a), pp. 87–125. 10 Hadjiyianni (2019b). 11 American Civil Liberties Union v RENO, 217 F.3d 162 (3rd Cir. 2000), p. 169. 12 Redding V, Speech: “A data protection compact for Europe.” 2014. https://ec.europa.eu/ commission/presscorner/detail/en/SPEECH_14_62. Accessed 24 February 2020. 5

314

I. Hadjiyianni

Data, with the new Commission actively promoting the European model around the world based on the EU’s fundamental values, including privacy protection.13 Projecting the EU’s standards on data protection to data processors and controllers in third countries can be attributed to different motivating factors.14 It partly contributes to the universal protection of fundamental rights, an objective explicitly recognized in the EU’s external action commitments.15 Also, it partly protects the competitive position of controllers based in the EU by creating a level-playing field irrespective of where the processing of data takes place. These explanations feed into to the EU’s political ambitions to be considered a global leader in this policy field. As Kuner aptly explains in the context of Internet regulation, including data protection, “. . .the EU has been able to use its strengths in law and regulation, areas where it is a superpower, to make itself heard globally,”16 something which it has not managed to do through cooperative action alone. The EU’s leadership style has evolved over time from directional leadership by example, to power-based leadership, employing the power of its market to incentivize regulatory changes in third countries.17 This market-based leadership style is clearly evident in the data protection field. Indeed, the effects of EU unilateral market-related measures for third countries can be far-reaching. According to Bradford, the EU is sometimes able to “externalize its laws and regulations outside its borders through market mechanisms,”18 giving rise to the so-called “Brussels effect.”19 Non-EU economic operators may change their business practices to match EU regulatory standards, across their entire production or operation irrespective of its ultimate market (“de facto Brussels effect”).20 At the same time foreign governments may be urged to alter their own domestic policies following the EU’s model (“de jure Brussels effect”).21 In relation to data protection, the likelihood of a de facto Brussels effect materializing is significant due to the economic and technical difficulty of maintaining different data protection practices for different markets.22 At the same time, a de jure Brussels effect is already evident,23 with many countries following the EU’s

13 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European Strategy for Data, COM (2020) 66 final, pp. 23 and 24. 14 For a recent account of both internal and external reasons explaining the EU’s regulation on data protection see Bradford (2020), pp. 136–141. 15 Articles 3(5) and 21 TEU. 16 Kuner (2019), p. 145. 17 Cremona (2004), pp. 553–573. 18 Bradford (2012), p. 3. 19 Ibid., pp. 1–68. 20 Ibid., see also Young (2003), pp. 457–484. 21 Ibid. 22 Bradford (2020), pp. 142–147. 23 Ibid., pp. 147–155.

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

315

standards, from Chile to Japan, from Russia to Mauritius, from Argentina to Kenya with the latest example arising in California.24 According to the Commission this “upward convergence offers new opportunities to promote data flows based on trust and security.”25 This convergence, however, is not without problems and as explained below in Sect. 3, the unilateral extension of strict data protection requirements can raise legitimacy concerns as it can threaten the technological and data sovereignty of third countries. Additionally, due to the lack of a global regime on data protection, unilateral examples of convergence can lead to different reactions by tech companies. The power of the EU’s market has meant that most global tech companies have had to adjust their practices and that some countries have adopted General Data Protection Regulation (“GDPR”)26-like standards domestically. While the unilateral action of a significant market like the EU has led to such convergence, the unilateral action by smaller markets is likely to create the risk for global techs avoiding these smaller markets altogether to avoid stricter regulatory standards. Characteristically, in the context of the “vastly smaller market in Kenya, it will be interesting to see whether the similarly strict provisions. . .will result in some global tech companies deciding that the Kenyan market is not worth engaging.”27 The effects of unilateral regulation with an extraterritorial reach on data protection may thus threaten the technological sovereignty of third countries, especially developing countries, and hamper their economic and social development as further discussed below in Sect. 3. This chapter focuses not on the ways in which regulatory convergence has been occurring around the world in reaction to the EU’s unilateral action, but rather on how the EU’s requirements are either legally designed or judicially interpreted to apply beyond the EU. EU data protection legislation exhibits an extraterritorial reach in two main ways. First, by their legal design both Directive 95/4628 (or “Directive”) and the General Data Protection Regulation 2016/679 (“GDPR”) have a broad territorial scope, covering activities loosely linked to the EU market. The Directive’s requirement covers processing occurring in the context of the activities of an establishment of the controller on the territory of a Member State,29 which has been interpreted broadly by the CJEU as examined below. The Directive also applies

24

On the California Consumer Privacy Act, see Kessler (2019). European Commission, Press Release, “General Data Protection Regulation: one year on.” 2019. https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2610. Accessed 24 February 2020. 26 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). 27 Rutenberg I, Expert Commentary: Kenya follows the path of European-style Data Protection. In: World Privacy Forum. 2019. https://www.worldprivacyforum.org/2019/11/expert-commentarykenya-follows-the-path-of-european-style-data-protection/. Accessed 25 February 2020. 28 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31. 29 Directive 95/46/EC, Article 4(1)(a). 25

316

I. Hadjiyianni

when the equipment used, such as cookies and ad banners, is located in the EU,30 a jurisdictional trigger considered to be a “flimsy territorial connection.”31 Under the GDPR, the territorial scope covers processing occurring in the context of the activities of an establishment in the EU, regardless of where the processing takes place,32 a formulation that arguably carries with it the broad interpretation given to the Directive by the CJEU. Additionally, the GDPR applies to non-EU controllers offering goods/services to data subjects in the EU or monitoring their behavior.33 The guidelines developed by the European Data Protection Board on the territorial scope of the GDPR confirm the extensive extraterritorial reach of EU requirements.34 The legislative intent to expand the requirements of EU law beyond its borders is also manifested in the transfers of data to third countries based on an adequacy decision by the Commission.35 The effect of such a decision is that personal data can flow from the EU to the third country without additional safeguards, similarly to intra-EU transmissions, unlocking free flows of data. Adequacy decisions, referred to by the Commission as “digital diplomacy,”36 directly engage with third countries, functioning as a “seal of approval” that the third country’s level of protection is adequate from an EU point of view, amounting to a direct, albeit voluntary, exportation of EU standards based on negotiations.37 Second, when the extent of the extraterritorial reach of EU law is not entirely clear in the legislative text, the CJEU, as the final arbiter on the interpretation of EU law has played a crucial role in realizing the global reach of EU data protection requirements. As will be discussed below in Sect. 4, the CJEU has ex-post facto judicially expanded the territorial scope of EU requirements to cover processing of data taking place as far as California and reinforced the stringency of adequacy decisions for transfers to third countries requiring an essentially equivalent level of protection. As Tzanou puts it, “the Court, in essence, has interpreted an internal market harmonization instrument (the Directive) in a manner that fosters the protection of a fundamental right.”38 And the protection of this fundamental right does not usually stop at the EU borders, but extends to processing of data beyond the EU. 30

Ibid., Article 4(1)(c). Scott (2019), p. 39. 32 GDPR, Article 3(1). 33 Ibid., Article 3(2). 34 For example, a mere “intention” to offer goods/services in the EU market is sufficient, not requiring an actual economic activity to take place. See Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guide lines-32018-territorial-scope-gdpr-article-3-version_en. Accessed 5 February 2020. 35 Directive 95/46/EC, Article 25; GDPR, Article 45. 36 COM (2020) 66 final, p. 5. The EU has recognized 13 countries as providing an adequate level of protection, the latest one being Japan in 2018. Negotiations are currently underway regarding adequacy with South Korea. 37 On the cooperative nature of adequacy agreements with third countries see Schwartz (2019). 38 Tzanou (2010), p. 59. 31

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

317

3 Legitimacy Concerns and Digital Trust According to the Commission, through the GDPR, “the EU created a solid framework for digital trust.”39 However, trust is a multi-dimensional concept, cultivated among different interested actors in the EU data ecosystem, physically located both within and outside EU geographical borders. This becomes clear when the third country interests affected by the EU’s global regulatory power are deciphered. First, EU data protection requirements primarily affect multi-national companies as data processors or controllers which directly must comply with EU requirements. Second, countries that engaged in international transfers of data with the EU and which may be the subject of an adequacy decision to be considered as “trusted countries” are also directly affected. Third, countries where data processors are based, and which wish to protect their technological and data sovereignty are indirectly affected by the EU’s unilateral action. Fourth, third country affected interests may also include individuals located in third countries with an interest of accessing data particularly available online, as evident below in Sect. 4 regarding the right to be forgotten. Balancing the consideration of the third country interests affected by EU unilateral action on data protection outlined above with the myriad of domestic interests within the EU, including processors located in a Member State and individuals in the EU whose data is the subject of the regulatory intervention, is not a simple task. As AG Szpunar has aptly expressed it, “[r]econciling the right to privacy and the protection of personal data with the right to information and freedom of expression in the age of the Internet is one of the main challenges of our time.”40 As discussed below in Sect. 4, the CJEU has a critical role to play in this context by enhancing or breaking trust among the different actors involved in data handling and processing of EU data subjects; enhancing external trust may undermine internal trust of the individuals that seek protection of their personal data on a global scale and vice versa. Based on the premise that global problems should ideally and primarily be dealt with through cooperative international solutions, the EU may lack a legitimate basis for exercising global regulatory authority in the absence of a consent-based multilateral cooperative regime. The unilateral exportation of EU values on privacy may ignore the local priorities and preferences of third countries, thereby confining the space for legal pluralism in light of different perceptions as to the value of data protection. Arguably, the more harmonization exists the less problematic an extraterritorial assertion of jurisdiction becomes,41 an argument similarly made in relation to other policy fields.42 While many countries in the world have adopted or are in the process of adopting GDPR-like policies, the upward convergence is by no means universal as seen for example by the divergent approach in most parts of the United COM (2020) 66 final, p. 3. AG Szpunar, GC and others v CNIL, Case C 136/17, Opinion of 10 January 2019, par. 1. 41 Padova (2019). 42 Cooreman (2017). 39 40

318

I. Hadjiyianni

States and the recent indications from the UK to divert from EU standards following Brexit.43 In any case, the emergence of regulatory convergence through unilateral action with extraterritorial impacts can raise significant legitimacy concerns from the perspective of affected third countries. As discussed by Tzanou, there are two main approaches to data protection: an economic approach and a fundamental rights approach.44 The former highlights the economic value of information and data, which are closely connected with a state’s sovereignty. Following this logic, the OECD guidelines on data protection for example emphasize the need to ensure unrestricted flows of data across borders and consequently guarding against national approaches that create barriers to such flows.45 A fundamental rights approach to data protection, notably embraced by the EU, recognizes the value of the fundamental right to data protection. A right which is explicitly recognized both in the Treaty of the Functioning of the European Union (“TFEU”),46 and in the Charter of Fundamental Rights (“Charter”),47 as belonging to everyone. The symbolic move of recognizing data protection, supplemental to the right to privacy,48 demonstrates the changing approach from the first EU directive on data protection which aimed to harmonize divergent data protection approaches in the Member States and which put the internal market and the fundamental right of data protection on an equal footing. From a legitimacy perspective, each of these approaches may raise distinct concerns about the extraterritorial reach of EU law. From an economic perspective, restricting transboundary movements of data may harm the sovereign rights of third countries associated with the free movement of data. From a fundamental rights perspective, restricting transboundary movements of data deprives the third country from independently determining the balance to be achieved among conflicting fundamental rights. Despite the growing consensus as to the value of privacy and the protection of personal data, the balance to be achieved in situations of conflict with freedom of expression and the right to information may be subject to a plurality of approaches that may differ in different parts of the world. The attempt of the EU to expand its own approach in valuing data protection as a fundamental right and its own assessment as to the appropriate balance to be struck in situations of conflicting rights can be problematic from the perspective of third countries. Passing on internal values and interests as universal values exhibits hegemonic tendencies on the part of

Solton S, “UK to diverge from EU data protection rules, Johnson confirms,” https://www. euractiv.com/section/digital/news/uk-to-diverge-from-eu-data-protection-rules-johnson-confirms/. 2020. Accessed 26 February 2020. 44 Tzanou (2017), pp. 14–18. 45 Ibid. 46 Article 16 TFEU. 47 Article 8 Charter of Fundamental Rights of the European Union (“Charter”). Since the entry into force of the Lisbon Treaty, the Charter has the same legal value as the treaties, Article 6 (1) TEU. 48 Article 7 Charter. 43

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

319

the EU,49 which can be particularly problematic towards developing countries as discussed below. Legally analyzing and assessing the unilateral exercise of global regulatory power is not straightforward. Unilateral requirements with an extraterritorial reach can amount to an intrusion into state sovereignty which is conventionally understood to be territorially restrained and subject to the principles of non-interference and selfdetermination. Regulatory states wishing to protect their technological and data independence should thus have the right to determine the level of protection they wish to maintain on their territory. However, in today’s globalized world, and particularly in the context of the Internet, territory and the delimitation of borders become fluid concepts with no one clear legitimate claim to regulatory authority over specific activities. Already 20 years ago, it was recognized in relation to the Internet that “one cannot say where it is located or describe its form or proportions, one cannot say to someone how to go there. But, one can find things on the Internet without knowing where they are. The Internet is ambient.”50 In light of the antispatial nature of the regulatory issue—data protection in the digital age—assessing EU unilateral action based on conventional understandings of state sovereignty determined by territorial borders in relation to traditional issues of exercising jurisdiction lawfully may no longer be appropriate or constructive. Transnational or global approaches to normatively analyzing the legitimacy of unilateral regulatory power may indeed be useful.51 At the same time, given that regulatory power is exercised within the institutional structures of sovereign states and in the case of the EU within an organization made up of sovereign states with decision-making processes akin to usual regulating jurisdictions, conventional understandings of legitimacy and accountability related to the regulatory state should not be ignored. On this basis, it is constructive to examine the EU’s constitutional commitments which indicate “the constitutionally determined normative basis. . . values and objectives” by which the EU is required to conduct its external action.52 These are set out in Articles 3(5) and 21 of the Treaty of the European Union (“TEU”) and commit the EU to conducting its external action by respecting and promoting among others, the rule of law, the protection of human rights in a universal manner and multilateral cooperation on common issues. Arguably, these commitments may support a transnational understanding of legitimacy that universally respects different kinds of fundamental rights. Specifically, unilateral action on data protection may be contradictory to the EU’s commitment to promoting multilateral solutions to common problems,53 which “should involve more than simply motivating other States to adopt EU data protection law

49

Kuner (2019), p. 137. American Civil Liberties Union v RENO, Hadjiyianni (2019b), p. 169. 51 On the usefulness of a combination of normative understandings of legitimacy for analysing the EU’s global regulatory power see Hadjiyianni (2019b), pp. 50–97. 52 Eeckhout (2015), p. 226. 53 Article 21 TEU. 50

320

I. Hadjiyianni

and then leaving them to their own devices.”54 Depending on how they are applied in practice, the EU’s external action values and objectives could address some of the legitimacy concerns raised by unilateral measures with extraterritorial reach, for example relating to the exportation of EU values without sufficient consideration of third country priorities and values. They can also support a legitimacy understanding that is founded on the incorporation of different kinds of third country interests, including of economic and social nature.55 The extraterritorial impacts of EU regulation particularly raise concerns when they affect developing countries with limited resources, like Mauritius or Kenya, given the pressure they are under to follow, develop and enforce EU-like standards so as to attract investments.56 In light of this, the legitimacy of the EU’s unilateral action depends on its readiness to provide financial and technical assistance to such countries to assist in their transition to complying and accumulating EU standards. For example, delivering on the promise to provide such support to Africa in the recent 2020 European Strategy for Data is a significant factor for the EU to consistently pursue its external action values.57 These include not only a commitment to universally protect fundamental rights, which in itself cannot be done selectively to prioritize some rights over others without sufficient consideration as to the balance achieved, but also a commitment to eradicate poverty while fostering the sustainable economic, social and environmental development of developing countries.58 Provided that the free flow of data contributes to the economic and social development of contemporary societies, restricting access to data without sufficiently taking into account the impacts of such restriction beyond EU borders can lead to contradictory efforts of achieving and promoting the different values that the EU has committed to. Sufficiently considering the effects of EU unilateral action on global issues emanates as a constitutionally entrenched requirement from the EU’s own external action commitments and should inform both the EU’s regulatory choices and the CJEU’s role in interpreting the territorial scope of EU requirements. Overall, the extraterritorial reach of EU data protection rules provides a regulatory technique for ratcheting up standards within and beyond the EU to ensure the protection of the fundamental rights to data protection and privacy, fostering the trust of individuals in the EU as to the effective protection of their rights. At the same time, extending the EU’s own values on privacy beyond its borders raises legitimacy concerns regarding the coercive effects on third country actors, including governments, sectoral interests and individuals, potentially threatening external trust as to the openness and accessibility of the digital, borderless data ecosystem.

54

Kuner (2014), p. 68. Kuner (2019). 56 See for example in relation to Mauritius, Madhub (2013). 57 COM (2020) 66 final, p. 24. 58 Article 21 TEU. 55

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

321

4 Enabling and Constraining Global Data Protection Through the CJEU Considering the discussion developed in the chapter so far, this section argues that law can and should play a dual role in controlling the exercise of EU global regulatory power through internal legislation with extraterritorial impacts.59 On the one hand, EU law can create the regulatory space by providing the legal basis for the EU to act unilaterally in light of insufficient international action. On the other hand, law should sufficiently control how the EU exercises global regulatory power by requiring sufficient consideration of third country affected interests and delimiting the outer reach of EU law. Both functions are important for the legitimate exercise of global regulatory power. Unconstrained regulatory power can exacerbate the legitimacy concerns from the perspectives of third countries. At the same time, disproportionately constraining the EU’s ability to act unilaterally would prevent it from effectively protecting valued fundamental rights of its citizens and of individuals located within its borders. This dual function of law is already visible in the EU’s external action values discussed above, particularly in the EU’s commitment to upholding and advancing the “universality and indivisibility of human rights and fundamental freedoms in the wider world.”60 On the one hand, the recognition of the right to privacy61 and the right to data protection,62 provide the legal basis and the normative authority for the EU to act to ensure the effective protection of these rights, which belong to “everyone,” thus largely enabling the EU’s unilateral action on data protection. On the other hand, protecting fundamental rights in a universal manner cannot be restricted to specific kinds of rights. Freedom of expression and information, which may be infringed within the EU or in third countries by stringent EU data protection requirements, is also expressed in the Charter as belonging to “everyone” and should be borne in mind when determining the appropriate level of data protection.63 Furthermore, references to sustainable development, eradicating poverty, and the EU’s commitment to multilateralism,64 can further discipline how the EU exercises global regulatory power, by requiring due consideration of the impacts of EU unilateral action on third country actors. Neither the TEU nor the Charter indicate how to reconcile the different values or rights when they contradict. Nonetheless, the equal recognition of the multiple objectives and values indicates that “[i]n pursuing these values in a constitutionally legitimate way the EU cannot 59

On the dual role of law in the context of the legitimacy of the global reach of EU law, see Hadjiyianni (2019b); Hadjiyianni (2019a); Scott (2019). In the data protection field specifically, see Kuner (2019). 60 Article 21 TEU. 61 Article 7 Charter. 62 Article 8 Charter; Article 16 TFEU. 63 Article 11 Charter. 64 Article 21 TEU.

322

I. Hadjiyianni

simply choose to export one set of values abroad and ignore the rest.”65 The balance to be achieved among different values and rights is effectively determined through political and legislative choices expressed in secondary legislation, as well as through judicial interpretation by the CJEU, which plays a key role in determining the balance between the enabling and constraining functions of law. This section focuses primarily on the role of the CJEU in interpreting what is required by secondary legislation. Judicial review can determine the parameters of extraterritoriality, by facilitating and potentially extending the extraterritorial scope of EU legislation as well as by constraining its reach by delimiting the boundaries of permissible action. As in other areas of EU law, the CJEU’s interpretation has largely and significantly expanded the territorial reach of EU data protection requirements in many respects (Sect. 4.1).66 More recently, the CJEU imposed a limit to the extraterritorial reach of EU data protection requirements particularly as regards the scope of the so-called right to be forgotten (Sect. 4.2). This right, more appropriately known as the right to de-referencing entitles a person to require a search engine operator to delist URL(s) from the index of a search engine containing data concerning the particular person. The right to be forgotten provides an interesting example to analyze in the context of the legitimacy of the extraterritorial reach of EU law given that this right finds its origins in the EU and is not necessarily endorsed by third countries.67

4.1

Enabling Global Data Protection

As already discussed, the enabling function of EU law by providing the legal basis for the EU to act unilaterally, emanates from its external action values in the TEU and the EU’s clear competence to regulate the issue of data protection based on fundamental rights protection. Furthermore, as mentioned above in Sect. 2, the global reach of EU data protection requirements is clearly established in the legal design of secondary legislation which adopts a broad territorial scope for its application and establishes the mechanism of adequacy decisions for transfers of data to third countries. Beyond these enabling features of EU law, this section demonstrates how judicial interpretation by the CJEU further facilitates the extraterritorial reach of EU law in this area ex-post facto. This is primarily in two different ways. First, through a demanding interpretation of the requirement for an “adequate level of protection” for the issuance of an adequacy decision that enables unrestricted transfers of data to third countries. Second, through a broad interpretation of the territorial scope of

65

Hadjiyianni (2019b), p. 110. On the enabling role of judicial review by the CJEU in other policy areas see Hadjiyianni (2019a); Scott (2019); Fahey (2016), pp. 24–52. 67 Padova (2019). This was also recognized by the CJEU itself in Google v CNIL, par. 59. 66

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

323

Directive 95/46 to cover processing taking place outside of the EU by a parent company in the context of the activities of a subsidiary based in the EU. 4.1.1

Interpreting Adequacy

In determining what is considered as an “adequate level of protection” in the context of an adequacy decision, the CJEU has put considerable emphasis on the high level of protection sought by the EU. On this basis, in Schrems,68 it annulled the Commission’s equivalence decision known as the US Safe Harbor Decision.69 The CJEU found that the right to privacy under Article 7 of the Charter and of the right to effective judicial protection under Article 47 were violated due to the generalized system of access to data by public authorities in the US and the fact there was no provision for remedies that would allow erasure of personal data of individuals in the EU transferred to the US.70 Notably, this system was considered to violate the essence of the rights beyond what was proportionate and strictly necessary to protect national security. The CJEU also clarified that an adequacy decision should only be issued when the level of protection in the third country is “essentially equivalent” to that of the EU.71 While not requiring an identical level of protection, this interpretation is demanding and according to AG Bot should be assessed based on the high level of protection afforded by EU law in light of the Charter.72 The Court’s approach is remarkable because it annulled the Commission’s equivalence decision, although this decision had political effects and would undermine the EU’s relations with the US. With this decision the CJEU effectively “narrowed the Commission’s discretion and insisted that the requirements underpinning an adequacy determination must be strictly applied.”73 This approach reinstated the trust of individuals in the EU as to the level of protection of their data on a global scale. At the same time, it potentially harmed the trust of external partners of the EU with which the Commission negotiated an adequacy decision.74 This can be problematic since the CJEU potentially

68 CJEU, Maximillian Schrems v Data Protection Commissioner, Case C 362/14, Judgment of 6 October 2015. 69 Commission Decision 2000/520/EC pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce [2000] OJ L 215/7. 70 Maximillian Schrems v Data Protection Commissioner, par. 94–95. 71 Ibid., par. 73–74. 72 AG Bot, Maximillian Schrems v Data Protection Commissioner, Case C 362/14, Opinion of 23 September 2015, par. 139–142. 73 Scott (2019), p. 37. 74 It should be noted that a new agreement has been concluded between the EU and the US, known as the EU-US Privacy Shield, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the

324

I. Hadjiyianni

held third countries to a higher standard than the one applied in practice within the EU, where there is a great variation in the use of personal data by Member State intelligence authorities.75 4.1.2

Interpreting the Territorial Scope of EU Legislation

The enabling trend of the CJEU’s case law is also evident in relation to the territorial scope of Directive 95/46. Particularly the CJEU broadly interpreted the territorial trigger of Article 4(1)(a), which covers “processing in the context of the activities of an establishment of the controller on the territory of a Member State.” In Google Spain, the CJEU established the applicability of the Directive on the basis that a subsidiary’s activities—Google Spain—were “inextricably linked” to the parent company—Google Inc—which was operating the search engine.76 This was the case although Google Spain was involved in advertising activities and did not itself handle the data, which was stored on servers in California. The advertising activities were deemed as the means of rendering the Google search engine economically profitable.77 This enabling approach was adopted based on teleological interpretation, finding that a “particularly broad territorial scope” of the Directive was needed to ensure the complete and effective protection of individual rights.78 In establishing the jurisdictional basis of EU law, the CJEU implicitly endorsed “effects-like” reasoning in light of the impact that Google’s activities would have on individuals located in the EU.79 Additionally, again implicitly, expanding the regulatory reach of EU law in this way would ensure a level playing-field for companies based in the EU by avoiding exposure to a competitive disadvantage compared to multinational companies with only a subsidiary in the EU.80 The requirement of “processing occurring in the context of the activities of an establishment” was further watered down in subsequent case law.81 This broad approach to the territorial trigger was carried over in the

Adequacy of the Protection Provided by the EU-U.S. Privacy Shield, OJ L 207/1. This agreement is also being challenged before the CJEU at the moment in General Court, La Quadrature du Net and Others v. Commission, Case T-738/16, Judgment pending. See Bradford (2020), pp. 151–152. 75 Kuner (2019), p. 142. 76 CJEU, Google Spain v AEPD and Mario Costeja González, Case C 131/12, Judgment of 13 May 2014, par. 56. 77 Ibid. 78 Ibid., par. 54. For further analysis, see Tzanou (2017), pp. 60–61. 79 Van Alsenoy and Koekkoek (2015), pp. 105–120. 80 Ibid. 81 CJEU, Weltimmo v Nemzeti, Case C 230/14, Judgment of 1 October 2015; CJEU, Verein für Konsumenteninformation v. Amazon, Case C 191/15, Judgment of 28 July 2016. See Gömann (2017), pp. 567–590.

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

325

GDPR, which explicitly recognizes that where processing is actually carried out is not a relevant factor for establishing the jurisdiction of the EU.82 4.1.3

The Judicially Created Right to Be Forgotten

Beyond expanding the territorial scope of the Directive, the CJEU in Google Spain also interpreted the rights established by Directive 95/46 as encompassing a right of de-listing search results associated with the person’s name that link to information relating to that person. In particular, the CJEU interpreted the rights of the data subject under Directive 95/46 to include the following the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.83

The CJEU explicitly prioritized the rights of the individual, stemming from Articles 7 and 8 of the Charter, to have those links de-listed over both the economic interest of the search engine operator and the general interest of the public to have access to that information following an online search.84 This rule, according to the Court can only be exempted if the violation of this right is justified by reason of the role played by that person in public life, in which case the right of the general public to have access to that information, by way of displaying it in the list of the search results, would take precedence.85 The Court did not provide much guidance about how a “fair balance” between the legitimate interest of Internet users to have access to that information and the right of the person to have the links removed would be achieved, apart from indicating certain factors that would be relevant, for example relating to the sensitivity of the data in question.86 Notably, in establishing this presumption in favor of privacy, the Court did not once refer to Article 11 of the Charter which establishes freedom of expression and information in the following terms, Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.

Given the global nature of the right to receive information as expressed in the Charter, the CJEU’s approach in prioritizing the right to be forgotten over the rights of individuals to have access to the information seems one-sided. It is also

82

GDPR, Article 3(1). Google Spain v AEPD, par. 88. 84 Ibid., par. 99. 85 Ibid. 86 Ibid., par. 81. 83

326

I. Hadjiyianni

remarkable that the global approach in protecting the right to be forgotten against search engine operators based abroad is in struck contrast with the global protection of the right to information, protected under human rights instruments outside the EU,87 raising questions about interfering with the third country’s state sovereignty in determining the right of access to data by individuals within its borders. This very much relates to the exact territorial scope of the obligation of the search engine operator to remove the links from the search results, which was not expressly dealt with by the CJEU until recently, in September 2019, as discussed below in Sect. 4.2. Overall, where the legislative intent is not entirely clear, the CJEU has played a significant role in interpreting the extent of the extraterritorial reach of EU law, usually prioritizing the high level of data protection required by EU law which must be upheld both in the cooperative avenue of adequacy decisions, and in the broad application of EU requirements to protect individuals as regards the processing of their data in far-away places. The CJEU has largely served an enabling role for the extension of EU data protection law beyond EU borders, which reinforces the trust of individuals located in the EU as to the effective protection of their data in a globalized digital age.

4.2

Constraining Global Data Protection

While this section has so far focused on the enabling function of judicial interpretation in delivering the EU’s leadership ambitions through a broad territorial application of EU requirements, the analysis now turns to the constraining elements of judicial review, focusing on the interpretation of the right to be forgotten in Case C-507/17 Google v CNIL. 4.2.1

The Territorial Scope of the Right to Be Forgotten: The Options

Prior to Google v CNIL, the CJEU had not devised any clear limitations as to the extraterritorial reach of EU data protection law other than the weak territorial links, the requirement of equivalence and the narrow exception of the presumption of privacy discussed above. A notable exception was the clarification in Lindqvist that Directive 95/46 was not meant to apply to the entire Internet and therefore the upload of personal data on an Internet page could not amount to a transfer to a third country.88 This limitation was recognized partly due to the considerable enforcement

International Covenant on Civil and Political Rights, Article 19(2): “Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.” 88 CJEU, Lindqvist, Case C 101/01, Judgment of 6 November 2003. See Kuner (2015). 87

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

327

burden it would place on the Member States in ensuring compliance. While clear, this limitation did not do much in restricting the extraterritorial reach of EU requirements in substantive ways. Instead, the recently devised limits on the territorial scope of the right to be forgotten, seem to restrict the extraterritorial reach of EU law more substantively. Following Google Spain, the extent of the obligation to de-list the links from the search results was not clear. It neither explicitly required the results to be delisted outside of the EEA nor did it geographically limit the obligation. There are at least three options for implementing the obligation stemming from the right to be forgotten. Each has its own benefits and disadvantages, and academic opinion is divided as to the most appropriate interpretation. Depending on the exact territorial scope of the obligation to de-list, the effective protection of the right to be forgotten varies considerably. First, the removal of links from the search engine can be based on the domain used—with possibilities to remove links on the domain used in the particular Member State (for example google.fr) or domains in all EU Member States. A domain-based approach enables easy circumvention of the CJEU’s rule on the priority of privacy over both the economic interests of the operator and the public interest of accessing the information, as domains outside the EU are accessible by users located in the EU. This approach does protect the data subject to a certain extent as users in the EU are likely to end up on the domain in the Member State where they are located, which is usually automatically prompted. Most users would therefore likely not have the easy access to the information that the search result provides. If they however choose to change the domain where they carry out their search, they would easily, and without the need of any software, have access to the results. This “regional” approach accommodates the territoriality principle given that links are removed from the websites that are actively targeting users in the EU,89 and the “digital territory” from which results are deindexed is the physical territory of the EU.90 Second, a geo-filtering approach, characteristically referred to as “glocal,”91 goes a step further in protecting the right to be forgotten as it precludes the links from the search result even if the user is on a non-EU domain, on the basis that the user initiates their search from within a specific Member State or within the EU. With this approach, users outside of the EU could have access to the search results that include the link using proxy or VPN programs that hide or redirect the location of the IP address. Such technologies are becoming widespread and therefore geo-blocking can also be circumvented, albeit by the more tech-savvy users. Third, universal or global implementation that removes the links from search results in all domains irrespective of the location of the IP address, would guarantee the most effective protection of the right to be forgotten, thus putting the trust of the

89

Van Alsenoy and Koekkoek (2015). Padova (2019). 91 Ibid. 90

328

I. Hadjiyianni

data subject on a firm ground. At the same time, it would be the most controversial option from the perspective of third country constituencies that might have a legitimate interest in having access to that information. Access would be denied based on a decision taken not by the regulating jurisdiction where third country individuals with interest to have access are located but by a regulatory jurisdiction far away which seeks to protect the specific individual. Most commentators do not recommend this approach as it circumvents the principle of territoriality in relation to a right that is not internationally recognized and threatens state sovereignty of third countries,92 and is not in line with current public or private international law.93 Those who are open to it, warn that this should not be on a carte blanche basis but to be used only in cases where substantial effects would arise if universal implementation is not followed. This is based on a reasonableness assessment that achieves a balance between effectiveness and the principle of non-intervention, thereby requiring courts to balance internal and external interests in specific cases.94 While a reasonableness test would be useful in taking into account all affected interests, it would put considerable pressure for courts to determine the appropriate balance to be achieved in a particular case as well as raise questions about the legitimacy of the particular court to make such assessments. 4.2.2

The CJEU-Devised Scope of the Right to be Forgotten: A Temporarily Constrained Approach

The CJEU clarified the territorial scope of the right to be forgotten in September 2019, by rejecting a global approach of implementation at the EU level at the moment, while leaving the door open for its extension beyond EU borders at the Member State level. This judgment is of vital importance in understanding the current state of EU data protection law and the assessment of the extraterritorial reach of EU law by the CJEU more broadly, but it is not likely to be the last word on the matter. Before looking closely at the CJEU’s judgment, it should be noted that the right to be forgotten has been codified in Article 17 of the GDPR which spells out the situations where the data subject has the right to request erasure of personal data which is to take place without undue delay.95 Notably, Article 17(3)(a) indicates that this right shall not apply “to the extent that processing is necessary” for a defined list of reasons, including “for exercising the right of freedom of expression and

92

Ibid. Van Calster G, “Regulating the internet. Prescriptive and jurisdictional boundaries to the EU’s ‘Right to be forgotten,’” https://papers.ssrn.com/sol3/papers.cfm?abstract_id¼2686111. 2015. Accessed 26 February 2020. 94 Van Alsenoy and Koekkoek (2015), pp. 116–117. 95 While the judgment concerned both the Directive and the GDPR, the discussion here focuses on the GDPR-aspects which are most relevant moving forward. 93

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

329

information.” While recognized in the legislative text, the GDPR does not determine the territorial scope of the right to be forgotten or how to balance it with other rights. When insufficient guidance is provided by the legislature, it is more likely that courts “will be left to determine it based on their interpretation of the EU’s policy objectives of the moment,”96 which is clearly visible in Google v CNIL. The CJEU devised temporary limits on the extraterritorial reach of the right to be forgotten that reflect the perception about the acceptability of this right in the international community at the current moment. At the same time, what is seemingly a constraining case and a win for free speech, also contains significant enabling aspects that leave the door open for a universal implementation of the right to be forgotten. The case arose out of the implementation of a dereferencing request by Google by removing links on domains in the EU and applying geo-blocking practices to prevent the links from appearing in searches originating in France irrespective of the domain used. While this approach is considered as sufficient by most Member State Data Protection Authorities (DPA), it was not accepted by the French DPA, CNIL, which proceeded to fine Google with a 100,000 euro fine. Google challenged this fine before the Conseil d’État, which referred questions to the CJEU as to the exact territorial scope of the right to be forgotten. The CJEU had to make a choice among the three main options explained above or a combination thereof. The starting point of the CJEU’s reasoning was the familiar emphasis in extraterritorial reach cases on the objective for a high level of protection of personal data throughout the EU, accompanied with a recognition that universal de-referencing on all versions of the search engine would “meet that objective in full.”97 The CJEU also explicitly recognized the EU’s jurisdiction to regulate data protection in such a universal manner based on effects within the regulating jurisdiction. In light of the borderless nature of the Internet, access to the results, including by Internet users outside of the EU, could have substantial effects on the person located within the EU.98 Unlike AG Szpunar, who clarified that the starting point is that the treaties are territorially limited,99 the CJEU did not consider effects-based competence that would lead to the extraterritorial reach of EU law as such an extreme situation of exceptional nature.100 While implicitly underscoring the CJEU’s approach in the environmental field,101 and explicitly recognized as the jurisdictional basis for extraterritorial reach in competition law,102 such clear endorsement of

96

Kuner (2019), p. 139. Google v CNIL, par. 54 and 55. 98 Ibid., par. 57 and 58. 99 According to Article 52(2) TEU and Article 355 TFEU. 100 AG Szupnar, Google v CNIL, Case C 507/17, Opinion of 10 January 2019, par. 47–53. 101 CJEU, Air Transport Association of America and Others v Secretary of State for Energy and Climate Change, Case C 366/10 Judgment of 21 December 2011. 102 General Court, Gencor Ltd v Commission, Case T-102/96, Judgment of 25 March 1999, par. 73–74; CJEU, Intel v Commission, Case C-413/14, Judgment of 6 September 2017. 97

330

I. Hadjiyianni

effects-based competence is not frequently adopted in EU law.103 The explicit recognition of effects-based jurisdiction in this case constitutes a significant step towards enabling the extraterritorial reach of EU law given the increasing range of activities beyond EU borders with effects within the EU. Having established the EU’s competence to require universal de-listing however, the CJEU went on to clarify that EU law does not “currently” require such universal implementation, given that there is no international consensus as to the protection of the right to de-referencing and the right to data protection is not absolute.104 In this way, the CJEU sought to avoid a direct conflict with third country norms and preferences, respecting the variations in different parts of the world relating to this particular right. Such an approach has not usually been adopted in other areas of law where the CJEU was ready to extend the reach of EU law despite the lack of an international consensus, for example in relation to animal welfare issues.105 At the same time, the CJEU implied that if and when an international consensus on the right to be forgotten is reached, the EU could lawfully exercise its competence in a global manner. The rationale for considering the variation among different countries’ approach to this right as relevant relates to the fact that the right to personal data protection is not absolute. As such, the Court reiterated that it must “be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”106 The function of data protection in different societies is variable and so is the balance to be achieved between the right to privacy and data protection, and the freedom of information of Internet users.107 Regrettably, the Court missed the opportunity in this case to clarify “necessity” and “proportionality” in the GDPR, terms which bear significance for its application both within and beyond the EU.108 Instead, the Court assumed that the balance between conflicting rights has been struck among Member States in Article 17(3) (a) of the GDPR, but not beyond the EU.109 The principles of “necessity” and “proportionality” are both crucial factors in striking the balance, and depending on their interpretation they could lead to differing approaches and fragmentation as to

103

Scott (2014a), pp. 95–96. Google v CNIL, par. 59, 60 and 64. 105 Hadjiyianni (2019a). 106 Google v CNIL, par. 60. 107 Ibid. 108 Further guidance was provided by the Court in another case decided on the same day involving the scope of the right to be forgotten in relation to sensitive data. The CJEU clarified that the operator must determine if inclusion of the link in the search results is “strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter,” CJEU, GC and others v CNIL, Case C-136/17, Judgment of 24 September 2019, par. 68. 109 Google v CNIL, par. 61 and 62. 104

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

331

the level of protection under the GDPR also within the EU.110 The misconception about the existence of a consensus within the EU as to the appropriate level of protection of personal data is evident by the very facts of the specific case and is recognized both in the GDPR, which allows for some differentiation among Member States,111 and by the CJEU itself which grants discretion to Member States as to the scope of de-referencing as further discussed below. The territorial scope of the implementation of the right to be forgotten as determined by the CJEU in this case presents both enabling and constraining features for the extraterritorial reach of EU law. On the constraining side, the CJEU clearly recognized that “currently, there is no obligation under EU law, for a search engine operator. . . to carry out such a de-referencing on all the versions of its search engine.”112 Instead the obligation is limited to removing the links from the search results on domains in all the Member States as well as to use, where necessary, measures to “effectively prevent or, at the very least, seriously discourage” access to the links by users initiating a search from a Member State, without referring to the geo-blocking technique used by Google in this case.113 Effectively according to the CJEU’s interpretation, EU law currently requires an EU-wide domain-based de-referencing accompanied by additional geo-blocking-like measures that prevent access when the search is initiated in one of the Member States. While at first sight this seems as a significant curtailing of the extraterritorial reach of the right to be forgotten, the CJEU went a step further enabling its universal implementation through the Member States. On the enabling side, despite an overall consensus among the Member States on the balance to be struck among conflicting rights, the CJEU recognized that there may be variations among the Member States, and EU law does not prevent them for requiring universal de-referencing themselves to effectively protect fundamental rights at their desired level.114 With this interpretation, the CJEU effectively considers the GDPR “as a floor, not a ceiling,” allowing Member State DPAs and national courts to go beyond its requirements.115 This is somewhat surprising in light of the GDPR’s purpose to largely harmonize Member State approaches.116 It is also likely to create fragmentation within the EU internal market and possibly opportunities for “forum shopping” depending on the stringency of requirements in different 110

Samonte M, Google v CNIL: The Territorial Scope of the Right to be Forgotten Under EU Law. 2020. http://www.europeanpapers.eu/en/europeanforum/google-v-cnil-territorial-scope-of-right-tobe-forgotten-under-eu-law. Accessed 27 February 2020. 111 GDPR, Article 85. 112 Google v CNIL, par. 64. 113 Ibid., para 73. 114 Ibid., para 72. 115 Samonte M, The Territorial Scope of the Right to be Forgotten Under EU Law. 2019. https:// europeanlawblog.eu/2019/10/29/google-v-cnil-case-c-507-17-the-territorial-scope-of-the-right-tobe-forgotten-under-eu-law/. Accessed 27 February 2020. 116 Gstrein OJ, The Judgment that Will be Forgotten. 2019. https://verfassungsblog.de/thejudgment-that-will-be-forgotten/. Accessed 27 February 2020.

332

I. Hadjiyianni

Member States. From an external perspective, it enables the extraterritorial reach of EU law, albeit with variability determined at the national level. From an internal perspective, it enhances the trust of Member States that wish to do more on data protection than is currently feasible at the EU or international level. From the perspective of the individual whose data is at issue, it creates a problematic variation among the level of protection afforded in different parts of the EU which correspondingly also affect the balance achieved with contradicting rights of freedom of expression and information depending on where the specific individual whose data is protected is located. Furthermore, the discretion left to Member States as to the extraterritorial application of the right to be forgotten has important internal implications on the relationship of the EU with the Member States. Any national decision going beyond the level of protection of fundamental rights granted at the EU level in the Charter, is only allowed so long as it does not compromise the primacy, unity and effectiveness of EU law, in accordance with CJEU case law.117 At the same time, if the logic for the existence of such regulatory freedom for the Member States is that the extraterritorial application of the right to be forgotten is not yet occupied by EU law following the principle of pre-emption of EU law, then any national action must be in full conformity with EU law.118 This includes free movement rules of the internal market. Arguably, a search engine operator could potentially challenge a disproportionate effect on the internal market interfering with the freedom to provide services as protected under EU law if an individual Member States requires universal de-listing.119 Notably, an important factor in the CJEU’s reasoning for limiting the extraterritorial reach of the right at the EU level is that the GDPR specifically provides Member State supervisory authorities with instruments of cooperation120 to come to a joint decision about the appropriate balance between conflicting rights.121 It is not clear how the discretion left to individual Member States to require universal de-listing would fit with the cooperation framework of the GDPR.122 At the same time, the absence of corresponding mechanisms enabling cooperation with third country authorities, that would facilitate implementation and enforcement of EU standards abroad, was deemed a crucial factor against universal implementation by

117

Google v CNIL, par. 72. The CJEU refers to Fransson Case C 617/10 and Melloni Case C 399/11. 118 Van Calster G, Court of Justice in Google v CNIL. 2019. https://gavclaw.com/2019/09/25/courtof-justice-sees-no-objection-in-principle-to-eu-right-to-be-forgotten-leading-to-worldwidedelisting-orders-holds-that-as-eu-law-stands-however-it-is-limited-to-eu-wide-application-leave/. Accessed 27 February 2020. 119 Ibid. 120 GPDR, Articles 56, 60–66. 121 Google v CNIL, par. 63. 122 Samonte suggests that it could be interpreted as not requiring cooperation when it comes to universal de-referencing as the global reach of the right falls outside of the scope of EU law, Samonte (2020), supra n. 109.

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

333

the CJEU. Requiring specific cooperative mechanisms provided in legislation as a prerequisite for extending the territorial scope of EU requirements is a somewhat surprising move on the part of the CJEU, which has not considered the lack of cooperation and enforcement mechanisms in other areas of EU law as obstacles for interpreting its extraterritorial reach.123 Notably, the CJEU made no reference to Article 50 of the GDPR, which provides for international cooperation for the protection of personal data. While not specifically providing mechanisms on the balance to be achieved between conflicting rights, it does require the development of cooperation mechanisms to facilitate enforcement of data protection legislation. Particularly, Article 50(d) calls for the exchange and documentation of legislation and practice, including on jurisdictional conflicts with third countries. While these provisions lack in specificity, the CJEU could have interpreted these provisions as requiring the consideration of third country impacts through cooperative means. As Kuner suggests, more concrete action is needed in international cooperation to amount to meaningful consideration of third country impacts, for example an Internet portal with updates on significant developments as well as input by and consultation with third countries.124 The CJEU likely opted to leave international cooperation options open and to the hands of the executive, avoiding judicial interference with international relations. While this is in line with the principle of separation of powers within the EU legal order, the interpretation of the territorial scope of EU requirements as developed in this very case and many others, already influences the relations of the EU with the wider world, and the CJEU cannot avoid becoming a transnational actor itself.125 Overall, this judgment presents both enabling and constraining features, with the balance currently tilted towards constraining the extraterritorial reach of EU data protection requirements. In this sense, it can be seen as an effort by the CJEU to restrain the hegemonic tendencies of the EU by exporting its own values, and specifically the right to be forgotten which originated in the EU legal order, as a universal value with worldwide implementation. This is particularly evidenced in the readiness of the CJEU to respect that third countries may have other approaches as to the appropriate balance to be achieved between data protection and privacy on the one hand and freedom of expression and information on the other. At the same time, the constraining interpretation of what EU law currently requires comes at a striking contrast with the willingness of the CJEU to judicially interpret EU legislation in other policy areas with a broad territorial scope, including in relation to legislation that did not specifically provide for application of EU requirements in third countries and for which enforcement challenges were not considered relevant.126 This raises questions as to the systematic parameters of permissible extraterritoriality under EU law depending on the policy field, as well as questions as to whether instead the 123

Hadjiyianni (2019a). Kuner (2019), p. 142. 125 Hadjiyianni (2019a). 126 Particularly in relation to animal welfare cases. See Hadjiyianni (2019a). 124

334

I. Hadjiyianni

CJEU caved, for the moment, under the pressure of multinational tech giants. In any case, despite its constraining effect at the EU level, the CJEU upheld the lawfulness and arguably the legitimacy of the EU’s right to regulate the right to be forgotten in an extraterritorial manner.

5 Conclusion Effectively regulating data protection in today’s globalized word, particularly as regards availability of data on the Internet, has proven impossible to date through cooperative action at the international level. Considering this significant regulatory gap, unilateral regulation with extraterritorial reach has emerged as a promising alternative. The EU has, as in other policy fields, leveraged this gap to set its own priorities and values as the gold standard for the world. In light of significant legal and cultural differences around the globe however, the unilateral extension of EU strict standards on data protection can give rise to legitimacy concerns if the EU ignores the interests of third country actors and the impacts of its regulation beyond the EU. Digital trust does not concern only the data subject but many more stakeholders with an interest to either have access to the data or have a say about how it should be handled. To date, the EU legislature, reinforced by the CJEU’s interpretation, has struck a balance largely in favor of privacy and data protection that has enabled the extraterritorial reach of EU data protection requirements. This balance and the enabling function of EU law has not been significantly curtailed by the latest attempt of the CJEU to determine the right to be forgotten, an EU-cherished, judicially created right, with potentially universal application in Google v CNIL. More systematic constraints that foster cooperation with third country actors in achieving the appropriate balance in individual cases between data protection and freedom of expression and information are still needed and the CJEU has a key role to play in formulating such constraints before a worldwide implementation of EU data protection requirements is endorsed.

References Aydin U (2012) Promoting competition: European Union and the global competition order. J Eur Integr 34:663–681 Bradford A (2012) The Brussels effect. Northwest Univ Law Rev 107:1–68 Bradford A (2020) The Brussels effect: how the European Union rules the world. OUP, Oxford Cooreman B (2017) Global environmental protection through trade, a systematic approach to extraterritoriality. Edward Elgar, Cheltenham Cremona M (2004) The Union as a global actor: roles, models and identity. Common Mark Law Rev 41:553–573

13

The Global Reach of EU Law in the Digital Age: The Territorial Scope of. . .

335

Eeckhout P (2015) A normative basis for EU external relations? Protecting internal values beyond the single market. In: Krajewski M (ed) T.M.C. Asser Press, The Hague, pp 219–232 Fahey E (2016) The global reach of EU law. Routledge, Abingdon Gömann M (2017) The new territorial scope of EU data protection law: deconstructing a revolutionary achievement. Common Mark Law Rev 54:567–590 Hadjiyianni I (2019a) The CJEU as a transnational actor through judicial review of the territorial scope of EU environmental law. Camb Yearb Eur Leg Stud 21:1–34 Hadjiyianni I (2019b) The EU as a global regulator for environmental protection, a legitimacy perspective. Hart Publishing, Oxford Kessler J (2019) Data protection in the wake of the GDPR: California’s solution for protecting the world’s most valuable resource. Southern Calif Law Rev 93:99–128 Krisch N (2014) The decay of consent: international law in an age of global public goods. Am J Int Law 108:1–40 Kuner C (2014) The European Union and the search for an International Data Protection Framework. Groningen J Int Law 2:55–71 Kuner C (2015) Extraterritoriality and regulation of international data transfers in EU data protection law. Int Data Privacy Law 5:235–245 Kuner C (2019) The Internet and the global reach of EU law. In: Cremona M, Scott J (eds) OUP, Oxford, pp 112–145 Madhub D (2013) The pioneering journey of the Data Protection Commission of Mauritius. Int Data Privacy Law 3:239–243 Padova Y (2019) Is the right to be forgotten a universal, regional, or ‘glocal’right? Int Data Privacy Law 9(1):15–29 Pollack M, Shaffer G (2009) When cooperation fails: the international law and politics of genetically modified foods. OUP, Oxford Schwartz PM (2019) Global data privacy: the EU way. N Y Univ Law Rev 94:771–818 Scott J (2014a) Extraterritoriality and territorial extension in EU law. Am J Comp Law 62:87–125 Scott J (2014b) The new EU ‘extraterritoriality’. Common Mark Law Rev 51:1343–1380 Scott J (2019) The global reach of EU law. In: Cremona M, Scott J (eds) OUP, Oxford, pp 21–63 Tzanou M (2010) Balancing fundamental rights: united in diversity ? Some reflections on the recent case law of the European Court of Justice on Data Protection. Croatian Yearb Eur Law Policy 6:53–74 Tzanou M (2017) The fundamental right to data protection: normative value in the context of counter-terrorism surveillance. Hart Publishing, Oxford Van Alsenoy B, Koekkoek M (2015) Internet and jurisdiction after Google Spain: the extraterritorial reach of the ‘right to be delisted’. Int Data Privacy Law 5:105–120 Young AR (2003) Political transfer and “Trading Up”?: transatlantic trade in genetically modified food and US politics. World Polit 55:457–484

Part IV

Fighting Cyber Criminality: European and National Approaches

Chapter 14

Legal Aspects of Malicious Cryptomining in the EU Philippe Jougleux

Abstract This chapter examines various important legal issues related to malicious mining of cryptocurrencies from the scope of the European Union (“EU”) law. First, it explores the various methods of malicious cryptomining and then it focuses on the threats posed by this new phenomenon. It refers to existing relevant criminal legislation and analyses its adequacy to malicious cryptomining. Specifically, the possibility to apply the Convention of Budapest’s taxonomy on cyber offenses to malicious cryptomining and the new EU Directive on combating fraud are considered. Finally, issues related to enforcement and evidence are analyzed. This chapter concludes on the need to introduce specific legislative measures to apprehend better this new damaging behavior.

1 Introduction The exponential growth of interest on cryptocurrencies has already raised various legal issues, obviously in the fields of banking law, tax law, even data protection law, and more generally private law (cryptocurrency as an asset in the frame of divorce, succession, etc.).1 Even if some reasonable doubts exist regarding the future of the most famous cryptocurrency, bitcoin,2 the technology itself that fuels cryptocurrencies, the “blockchain” is sometimes seen as a “web 3.0,”3 that is a digital revolution equivalent to the emergence of social medias in the early 2000s. In the Blockchain technology, the registry of transaction (the “ledger”) is not held by a central organisation but is divided into a decentralized network. To ensure the unity of the registry, the blockchain technology, the network needs a verification

1

Abramaowicz (2016). Urquhart (2016). 3 Vogel (2015). 2

P. Jougleux (*) School of Law, European University Cyprus, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_14

339

340

P. Jougleux

process. This verification process is called proof-of-work system (on some cryptocurrencies, a similar and allegedly more efficient system called “proof-ofstake” is used instead). Some devices connected to the cryptocurrency’s network are specialized in the verification process. They are competing against each other to solve mathematical equations that will validate the transaction and update the ledger. As remuneration for this work, the first device to solve the equation obtains a token of the cryptocurrency. This operation is described as “mining.” The term mining here is not an innocent one: it induces an implicit comparison with gold4 and suggests a subjective added value to cryptocurrencies on the same idea. However, to receive compensation, the miner must be the first to solve the mathematical puzzle and that requires a lot of computing power. The notion of malicious mining of cryptocurrency has simultaneously emerged with this technology. It can be defined as the fraudulent use of third party’s computing resource to mine cryptocurrency. This exercise is becoming increasingly popular for practical reasons. First, the multiplicity of cryptocurrencies offers some new opportunities as some first stage cryptocurrencies demand a low level of computing power and can be easily mined. Therefore, the theft of the computing power of everyday tech devices appears economically interesting. Second, the malicious mining actor does not literally steal money from someone. He just uses the computing resources of someone else to pursue mining activities and this is often perceived as “legal” in the sense that no victim is to be found. Third, the anonymous character of transactions, real or assumed, give more incentive to the hackers to pursue malicious mining activities. According to data published by Microsoft in March 2018, an average of 644,000 unique computers encountered coin mining malware in the past months from September 2017 to January 2018.5 It must be noted that the phenomenon is directly related to the speculation around cryptocurrencies: “the increase in the value of cryptocurrencies led to a massive increase in cryptojacking activity, as the risk vs. reward equation became much more weighted towards the reward.”6 Subsequently, malicious mining’s legal cases have gradually emerged during the last years. One would have expected that the recent erosion and stagnation of the cryptocurrencies market would have led to a loss of interest on malicious mining, but the reality is quit more complex. Cheap cryptocurrencies indeed signify lower interest in malicious mining as the reward’s value lowers, but it also means a more open market to competition and cheap mining, and more desperation to achieve a financial gain. Malicious cryptomining can take various forms (Sect. 2). It certainly raises a lot of questions as regards its legality. Even if various legal offenses can be used depending on the circumstances (Sect. 3), the legal framework remains uncertain.

4

Asress Adimi Gikay (2018). Pornasdoro et al. (2018). 6 Billman (2018). 5

14

Legal Aspects of Malicious Cryptomining in the EU

341

Additionally, and assuming that malicious cryptomining is criminalized, the enforcement also constitutes a legal issue (Sect. 4).

2 The Emergence of Malicious Cryptomining as New Kind of Cyber Attack 2.1 2.1.1

Practical Forms of Malicious Cryptomining Cryptomining at Work

The easiest way for an individual to obtain control on computer resources is maybe to simply use the ones that are already on his/her disposal. Employees could be tempted to misuse the digital devices they control for cybermining activities. For instance, in the USA, a state employee had been arrested for unauthorized use of state resource and embedment. He was the information technology manager of a public service and used the computers he had in charge for cryptomining activities. The increased electricity bills alerted the competent authorities that arrested him.7 Although cases of malicious cryptomining at work remain rare, it would be a mistake to view this USA case as an isolated one. The same happened in Russia, at the Russian Research Institute of Experimental Physics (RFNC-VNIIEF)—the Russian Federation Nuclear Center facility. Engineers, who used the supercomputer of the facility for mining activity, stole some “cycles” of the raw computer power of the device, and had been arrested for mining cryptocurrency with “office computing resources.”8 As the device was not meant to be connected to the Internet, the malicious activities were discovered when the engineer tried to connect it and start the mining. 2.1.2

Cryptomining Through Applications/Botnets

Smartphones nowadays are extremely competitive to classic computer devices such as a PC in term of raw computing power. They also possess some unique quality: their user rarely switches them off, which means that for a large lapse of time (such as nighttime for instance), their computing capacity is left unaffected. Their computing resources therefore become increasingly interesting for hackers, not yet alone but when put together in a common pool of resources, through the creation of a botnet of mobile devices. Botnets are very well known in cybercriminality: the main idea is to constitute a huge online pool of victim computers (“zombies”), through virus injection, that operates under the remote control of the hacker (the “master”).

7 8

Nambiampurath (2018). Gallagher (2018).

342

P. Jougleux

However, until now botnets were mainly used for a specific kind of cyber attack, the Distributed Denial of Service (DDOS) attack.9 In the past, hackers could monetize their botnet by renting them on the darknet to unscrupulous employers. For instance, a company that wants to disturb a competitor’s network could order a DDOS attack on the dark web. In this context, malicious cryptomining is a new promising activity for botnet’s administrators that offers a way of direct monetization of the botnet and make them by consequence even more compelling for cyber criminals. Concretely, the perpetrator remotely orders his network to mine a specific cryptocurrency for his own benefit and commonly without any knowledge of the targeted devices’ legitimate owners. However, use of botnets for cryptomining purpose differs from DDOS attacks. The creation of a pool of computing resources, if the users consent to it, is not in itself illegal, and therefore the activity of creation of a common pool or resources of cryptomining, through networking, is legal. Characteristic of this situation is the case of the Russian developer Alexey Khripkov,10 who proposed some popular games, like the “Puzzle,” on Google’s Android platform. His games gave him the ability to control the smartphone of the player while he or she does not use it, for mining purposes. Some of his games have 10 to 50 million downloads. The developer however considers that his activity is entirely legal as it is used as a counterpart for in-game bonus. The issue here is whether the insertion of a cryptomining code in the game is considered as silent mining (and therefore malicious according to the definition proposed above) or if a disclaimer does clearly inform and effectively warn the user that his or her device’s computing power will be used for gaining revenues by the game developer. In other cases, the botnet clearly works without any form, even implicit, of consent from the users and members of the network. Therefore, this activity enters in the definition of malicious cryptomining. For instance, the “Smominru” botnet has been known to be used for malicious cryptomining and earned his inventor the estimated amount of 3.6 millions of dollars.11 2.1.3

Online Cryptomining: Browser-Based Coin Miners (Cryptojacking)

Maybe the most interesting and disturbing case of malicious cryptomining is the so called “cryptojacking” activity. It is technically possible, in the case of some cryptocurrencies that do not require a lot of raw computing power, to insert a mining code directly on the website’s code.12 The code will be automatically executed by the users visiting the website. Two distinct situations can therefore occur. In the first 9

Barroso (2007). Fox-Brewster (2017). 11 Groysman (2019). 12 Eskandari et al. (2018). 10

14

Legal Aspects of Malicious Cryptomining in the EU

343

one, cryptojacking can be used by the website’s owner as a complementary source of revenue. The website’s owner deliberately inserts a mining code on his/her website and, with each visitor’s connection, if the visitor remains some time on the website (or that he/she just lets the window open), the user’s computer will silently mine cryptocurrency for the benefit of the website’ owner. In the second one, the website’s owner is not even aware of the existence of the cryptomining’s code on his site: hackers find a vulnerability on the website and successfully inject a mining code into an official and frequently visited webpage for their own personal financial gain. In the first case, the website’s owner can for instance use a script such as “Tidbit,” presented by its creators, these being award-winning students of MIT, as an alternative to advertisement for the purpose of monetizing webpage frequentation. In the context of the EU strict data protection legislative framework (this being the General Data Protection Regulation “GDPR”),13 the idea to drop the business of personal data monetization and replace it with another source of revenues could be tempting.14 It must be highlighted that Tidbit’s creators recently faced judicial difficulties as the New Jersey division of consumer affairs issued a subpoena against them, asking them to turn over all versions of the source code, all Bitcoin wallets associated with Tidbit, all agreements and communications with third parties, and the name and IP addresses of everyone who mined Bitcoins using Tidbit.15 In the second case, the criminal activity combines both cryptojacking and hacking activities. Some instances of this behavior have already been noticed. For instance, in the UK in February 2018, journalists revealed that hackers had successfully injected a cryptocurrency mining script into the Information Commissioner’s Office website. As it was mentioned by a journalist “the hijacked website would use the processing power of a visitor’s computer to mine cryptocurrencies without the knowledge of the user.”16 Characteristically, a code similar to Tidbit, called “Coinhive,” was found on hundreds of websites. One month after the code’s release, empirical research showed that already more than 200 top websites had it, for an estimated audience of 500 million people.17 It is very unlikely that all these websites are aware that a coinhive’s code has been inserted in the code of their pages.

2.2

Legal Interests Threatened by Malicious Cryptomining

Energy management plays a central role in the economy of cryptocurrencies. In Russia, some power plants have been bought for the exclusive purpose of providing

13 It has been estimated that GDPR has led to a 10% loss of revenue related to online data commerce. See Goldberg et al. (2019). 14 Mondschein (2020). 15 Blattberg (2014). 16 Cellan-Jones (2018). 17 AdGuard Research (2017).

344

P. Jougleux

energy to cryptomining centers.18 The cost of electricity is closely related to the potential or not financial interest in mining.19 Recently, in China, Police seized 600 Bitcoin Mining Computers over Electricity Theft. The energy company had observed a pick of consumption around 28% and after investigations found a junction box on the grid, placed by the miners to avoid charges. Cryptomining in general poses some serious threats to the environment as it needs a tremendous amount of energy to maintain the mining network. Malicious cryptomining is at essence an effort to avoid the substantial cost of the electricity’s consumption. However, in this time of global climate change, environmental policies have become a priority. Under Article 191 of the Treaty on the Functioning of the European Union (TFEU) combating climate change is an explicit objective of EU environmental policy20 and, as stated in Article 3 (3) of the Treaty of the European Union (TEU), one of the primary goals of the internal market is to promote a “high level of protection and improvement of the quality of the environment.” In this context, malicious cryptomining must be perceived as a specific threat to society as the perpetrator avoids paying the ecological cost of his or her actions.21 Furthermore, malicious cryptomining leads to a strain on computer resources of the victim. In other words, what is stolen is not really a thing, neither data, but raw computer power. Raw computer power has emerged in contemporary contracts, such as contracts related to cloud mining, an agreement where remote data centers are collectively used (shared processing power). Computing resources are related to the use of the digital device and is protected as part of the prerogatives of the possessor of the movable. In other words, malicious cryptomining does not only hurt environmental interests. The idea that a device is used for a foreign purpose without its owner’s awareness brings human rights issues, related to the right of property, obviously, but also to the protection of personality, as digital devices can be seen in our modern society as a virtual extension of the individual’s personality. This logic follows for instance the contemporary use of trespass to the chattels’ tort for cyberspace activities.22 Additionally, the damage received by the device’s owner are not only related to the energy’s consumption but also to the fact that the substantial strain on computing resource affects the device’s durability.

18

Kommesant (2018). See on CNN, available at https://www.ccn.com/chinese-police-seize-600-bitcoin-miningcomputers-over-electricity-theft/. 20 Article 191(1) TFEU. 21 Zimba et al. (2018). 22 Fritch (2004). 19

14

Legal Aspects of Malicious Cryptomining in the EU

345

3 Legal Qualifications of Malicious Cryptomining 3.1

The General Framework of Criminal Law in Search of an Answer

As mentioned above, cryptomining requires computing resources. One must note that computing resources are very eager on energy. Bitcoin has even been characterized as an ecological disaster.23 Electricity is stolen in the sense that it is used by a third party for his/her own benefit. While theft is one of the most fundamental offenses, recognized universally, the legal definition of theft is, however, far from creating a consensus, even at the EU level.24 In the international classification of crimes, for statistical purposes,25 the theft of electric power is included in the notion of theft of services, which is distinguished from the notion of theft of goods. In common law countries it is assumed that when attackers manipulate a victim’s phone to make calls or send messages these actions fall within the crime of theft of services.26 Depending on the case in question, the notion of embezzlement could also be relevant. However, the notion of theft of services seems foreign in the EU countries that seem to prefer to apply the notion of fraud whereas no violent act had led to the adverse possession. It is important to mention that electricity theft is also specifically created in all the EU Member State legislation as a specific offense. However, the offense normally implies malicious acts of intervention on the power grid itself (either by meter tampering or by illegal connection).27 In the case of malicious cryptomining, no illegal intervention occurs on the grid itself and the application of this offense to malicious cryptomining activities must be rejected. Finally, the general offense of theft of goods shall be discussed. Malicious cryptomining is characteristic of a fraudulent subtraction of property. Yet legal uncertainties exist as to the exact application of this offense. Theft of goods is not regulated at the EU level but, commonly, it is interpreted as the loss of possession on a movable.28 Only on rare and specific cases, some national courts have interpreted the notion of theft in such a way that it englobes dematerialized goods.29

23

Carstens (2018). Ambos (2005). 25 United Nation Office on Drugs and Crime (2015). 26 Leavitt (2005). 27 Smith (2004). 28 Steel (2008). 29 For instance in France, Cass crim 28 juin 2017 n 16-81113, where the act of downloading files on a private server, without using password, has been ruled as theft. 24

346

3.2

P. Jougleux

Cryptomining and Specific Legislation on Cybercriminality

Cyber attacks are divided at the EU level in five distinct offenses by Directive 2013/ 40/EU (“Cyber Attacks Directive”) on attacks against information systems30 these being illegal access to information system, illegal system interference, illegal data interference, illegal interception of communication data, and dissemination of tools used for cyber attacks. This distinction between various kinds of cyber attacks at the EU level is inherited from the famous Convention of Budapest on Cybercriminality that built the foundations of an international criminal law of Internet.31 Recital 5 of the Cyber Attacks Directive explicitly states that “the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber attacks” is criminalized. Yet which offense would be relevant to malicious cryptomining? Malicious cryptomining uses specific software that allows the interaction with the ledger of the cryptocurrency. However, Article 7 of the Cyber Attacks Directive (tools used for committing offenses) takes a lot of precaution to ensure that solely tools that are not only used but are additionally really designed for an illegal intent are concerned with the offense. Indeed, the legislator adds this safeguard by making a reference to the intent to use the tool in an illegal way.32 Consequently, this “double intent” legal barrier would prevent any legal use of this offense on malicious cryptomining cases. The offense of illegal access to information system is the first offense one would think of in case of digital device’s misuse. However, this offense only criminalizes the illegal access to an information system (which could be either a computer or a smartphone) whereas a technical measure of protection is circumvented. Therefore, the categories of malicious cryptomining at work or cryptojacking are not concerned. The offense could be relevant only in case whereas botnets are used to cryptomine. However, in this case, it is not the act of cryptomining itself that is covered by the infraction of illegal access to information system, but the creation of the botnet itself. At the opposite end, if the botnet’s creation is based on the consent (even biased through deception) of the victims, the botnet does not belong to the 30 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ L 218, 14.8.2013, pp 8–14, ELI: http://data.europa.eu/eli/dir/2013/40/oj. 31 The Convention on Cybercrime of the Council of Europe (CETS No.185) of 23 November 2001. 32 “Article 7, Tools used for committing offences: Member States shall take the necessary measures to ensure that the intentional production, sale, procurement for use, import, distribution or otherwise making available, of one of the following tools, without right and with the intention that it be used to commit any of the offences referred to in Articles 3 to 6, is punishable as a criminal offence, at least for cases which are not minor:

(a) a computer programme, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6; (b) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.”

14

Legal Aspects of Malicious Cryptomining in the EU

347

offense of illegal access. This does not mean that a contrario malicious cryptomining is legal, even if some seems to believe the opposite. Characteristically, journalists had the opportunity to interview some perpetrators of malicious cryptomining and reported that “by assembling that botnet from cloud accounts rather than hijacked computers, Ragan and Salazar believe their creation may have even been legal.”33 Ultimately, the offense of illegal system interference is—of all the arsenal proposed by the Cyber Attacks Directive- the most related offense to the case of malicious cryptomining. Indeed, malicious cryptomining implies the use of a mechanism that will severely puncture the raw computing power of the system to solve the mathematical puzzles and mine cryptocurrency. Therefore, it, arguably, interferes with the system’s performance, in a technical sense. Is it however an interference in the meaning of the illegal system interference’s offense? Under Article 4 of the Cyber Attacks Directive, the act of “seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible” is illegal. Therefore, the interference to be criminalized must be of such a magnitude as to provoke a situation of interruption or quasi-interruption (“seriously indering”) of the system. This was intended to specifically target the situation of DDOS attacks and differentiate it from a situation of simple heavy communication traffic. In case of malicious cryptomining, the purpose is not to seriously hinder or interrupt the communication. It can only be a side effect of the cryptomining, in marginal cases. Based on the above analysis one may conclude that the actual cybercrime legislation does not provide for an adequate legal answer to malicious cryptomining. Even if three offenses of the cyber attacks arsenal are directly related to malicious cryptomining (these being communication of tools designed for hacking illegal access and illegal interference to the system), each one of these offenses possess specific characteristics and requirements that forbid their general application to all malicious cryptomining situations.

3.3 3.3.1

Malicious Cryptomining as Cyber Fraud The Rise of Virtual Currencies in the Cybercriminality’s Legislation

The EU decided in 201534 to engage in a new discussion on the modernization of its legal framework related to fraud and computer fraud, starting from the idea that new types of fraud appear to use non-cash payments. One of the specific goals of the EU

33 See on Wired, available at https://www.wired.com/2014/07/how-hackers-hid-a-money-miningbotnet-in-amazons-cloud/. 34 European Agenda on Security (2015).

348

P. Jougleux

was to update the existing legislation (the 2001 Council Framework Decision on combating fraud and counterfeiting of non-cash means of payments),35 that no longer reflects today’s reality, to integrate virtual currencies in this framework. The discussions led to a new directive, namely, Directive 2019/71336 on combating fraud (“Combating Fraud Directive”). While no explicit reference is made to either cryptocurrencies in this legislation, the Combating Fraud Directive innovates in this field and possesses a substantial importance, as the European legislator defines and uses the more general term of “virtual currencies.” Under this Directive, “Virtual currency means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of a currency or money, but is accepted by natural or legal persons as a means of exchange, and which can be transferred, stored and traded electronically.”37 This embryonic legislative framework of virtual currencies will provide some answers to the huge ongoing legal debate on the legal nature of cryptocurrencies: money or commodity.38 Virtual currency means, in the framework of the Combating Fraud Directive, a digital representation of value, explicitly excluding the notion of money from this definition. Interestingly, the Combating Fraud Directive proposes a new and improved definition of the cyber fraud to consider behaviors related to cryptocurrencies. Article 6 of this Directive, entitled “Offences related to information systems,” provides for the first time that the following acts constitute an offence, that is the acts of “[. . .] performing or causing a transfer of money, monetary value or virtual currency and thereby causing an unlawful loss of property for another person in order to make an unlawful gain for the perpetrator or a third party is punishable as a criminal offence, when committed intentionally by: (a) without right, hindering or interfering with the functioning of an information system; (b) without right, introducing, altering, deleting, transmitting or suppressing computer data.” Malicious cryptomining, arguably, encompasses all the characteristics of the said offense given that the malicious mining act intends to transfer virtual currencies through mining, this gain is deemed to be unlawful since no consent is given by the device’s owner, and the act is executed through interfering with the functioning of the system, that is, by using its computing power.

35

2001/413/JHA: Council Framework Decision of 28 May 2001 combating fraud and counterfeiting of non-cash means of payment, Official Journal L 149, 02/06/2001 P. 0001 – 0004. 36 Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA OJ L 123, 10.5.2019, p. 18–29, ELI: http://data.europa.eu/eli/dir/ 2019/713/oj. 37 Article 2 of the Directive 2019/713. 38 Rirsch and Tomanek (2019).

14

Legal Aspects of Malicious Cryptomining in the EU

3.3.2

349

The Difficulties of the Application of the New Cyber Fraud Definition to Malicious Cybermining

It could be tempting therefore to conclude that Article 6 marks the end of the discussion on the legal qualification of malicious cryptomining. Certainly, its scope and its formulation mark a closer attempt to regulate malicious cryptomining than both general offenses and cyber attacks offenses. The offense holds four requirements: a transfer of virtual currency, an unlawful loss of property, the purpose of an unlawful gain, the mean of an interference with the system of with the data. As mentioned above, assuming that three requirements are met in the case of malicious cryptomining, what remains at issue is that of loss of property. It is uncertain whether courts will eagerly accept that the use of computing power constitutes loss of property. The perpetrator indeed only uses the capacity of the device, he controls it but without damaging it in an immediate sense. On the one hand, either the computer or the smartphone’s longevity (specifically the graphic card for the computer and the battery for the smartphone) suffers from this practice. On the other, there is strictly speaking no loss of property, as the smartphone is still in the possession of its owner. Moreover, the purpose of an unlawful gain’s requirement could also lead to judicial uncertainty. One inherent characteristic of cryptomining is randomness, as it is not possible to predict when and by whom the next “mining puzzle” (algorithm related to the verification process of the ledger) will be solved, and thus the financial gain is randomized. In other words, cryptomining activities could occur without any insurance that one specific computer’s misuse had led at a specific time to the creation of a new token of cryptocurrency. This characteristic could create some difficulties as far as evidence is concerned. The term “unlawful gain” itself is misleadingly vague, as cryptomining, per se, is legal.

3.4

Towards a Sui Generis Offense?

Based on the above discussions one could claim that, even if several offenses could be applied to malicious cryptomining, this would not have occurred without serious judicial uncertainty, especially on a topic where internationalization is the norm. Therefore, de lege ferenda the introduction of legislation or the enactment of an international convention forbidding the misuse of computer resources should be discussed. This means for instance modifying the existing offense of illegal interference to the information system in order not to apply only to interferences that hinder the system but also to interferences that “steal” computing power from the system as well. Alternatively, the new definition of cyber fraud could be amended to become more flexible. Ultimately, the fraudulent aspect of malicious cryptomining is not related to cryptocurrencies themselves but more generally to what could be called a digital transfer of chattel’s possession: the exploitation of a device by a third

350

P. Jougleux

party without authorization. This new approach would also take into consideration the recent emergence of the so called “Internet of Things,” that poses new ethical and legal questions that are in part closely related in their essence to those of malicious cryptomining.39 One must note that the Council of Europe is currently preparing an amendment to the Convention of Budapest to adapt the Convention to modern challenges.40 Unfortunately no modifications of the substantive law on cybercrime are envisaged.

4 Malicious Cryptomining and Law Enforcement 4.1

The Blockchain as Evidence

The term blockchain refers to the ledger whereas the transactions (and ultimately the wallets) are registered. The blockchain’s technology actually surpasses the mere cryptocurrencies’ environment and is applied to various situations whereas a decentralized registration process is needed. In the context of malicious cryptomining, the blockchain is relevant to law enforcement in two different ways. First, when a malicious cryptomining case has already been discovered the blockchain will offer a possibility to trace the transactions back to the owner (or at least to the owner’s public key). For instance, Bitcoin transactions are permanently recorded and publicly available. However, it must be noted that not all cryptocurrencies offer this level of transparency. Characteristically, Monero, which is a cryptocurrency primarily used for cryptojacking activities because the cryptocurrency is easy to mine, does not permit to trace transactions. It can be concluded that most cryptocurrencies are “pseudo-anonyme” which means that even if apparently the owner’s identity is unknown, techniques exist to trace transactions across cryptocurrency ledgers.41 Second, blockchain can be a precious material for law enforcement agencies in a more general perspective, as a detection tool. Indeed, through blockchain analysis with the combination of Artificial Intelligence (AI) tools, detection of malicious cryptomining activities would be effective. For instance, tools have already been developed for ransomware detection through topological data analysis.42 More specifically, the EU is already working on a project called “Titanium,” which is actually an acronym for “Tools for the Investigation of Transactions in Underground

39

Weber and Studer (2016). Drafting Group of the COE (2019). Enhanced international cooperation on cybercrime and electronic evidence: Towards a Protocol to the Budapest Convention, T-CY (2018)23, Strasbourg, version 8 November 2019, available at https://rm.coe.int/provisional-text-of-provisions-2ndprotocol/168098c93c. 41 Yousaf et al. (2019). 42 Akcora et al. (2019). 40

14

Legal Aspects of Malicious Cryptomining in the EU

351

Markets.”43 The project aims to develop novel data-driven techniques and solutions designed to support law enforcement agencies charged with investigating criminal or terrorist activities involving virtual currencies and/or underground markets in the darknet.

4.2

Anti-Money Laundering Legislative Measures

The EU Directive 2018/843 adopted in 2018, which is the fifth version of the EU Directive on money laundering and terrorist financing (AMLD),44 proposes a legal framework on banking services that also applies to virtual currencies. The main idea of this legislative instrument regarding malicious cryptomining is to adopt a “followthe-money” approach. Assuming that malicious cryptomining is illegal, the result of malicious cryptomining automatically falls into the definition of money laundering, as it is deemed to be considered possession of property derived from criminal activity. However, it can be a challenge to determine the real identity of the perpetrator. According to the EU legislator, therefore, a law enforcement agency must be in a position, “through obliged entities, to monitor the use of virtual currencies,”45 but, principally, should have the means to fight against anonymity of transactions. This is peculiarly evident in Recital 9 of the AMLD Directive, that states that “The anonymity of virtual currencies allows their potential misuse for criminal purposes. The inclusion of providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers will not entirely address the issue of anonymity attached to virtual currency transactions, as a large part of the virtual currency environment will remain anonymous because users can also transact without such providers. To combat the risks related to the anonymity, national Financial Intelligence Units (FIUs) should be able to obtain information allowing them to associate virtual currency addresses to the identity of the owner of virtual currency. In addition, the possibility to allow users to self-declare to designated authorities on a voluntary basis should be further assessed.” The EU anti-money laundering legislation focuses on the exchange between fiat currency and virtual currency and therefore does not address the mining part of the activity. This constitutes a legislative gap, currently.46 It must be underlined that AMLD Directive does not constitute the only European legislative framework

43

See https://www.titanium-project.eu/. Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (Text with EEA relevance). 45 Recital 8 of the Directive. 46 Houben and Snyers (2018). 44

352

P. Jougleux

applicable to cryptocurrency. Basically, three more pieces of legislation are relevant. More specifically arguably, some cryptocurrencies constitute additionally a “fund” within the scope of the Directive on Payment Services (“PSD2”),47 a “financial instrument” within the scope of Markets in Financial Instruments Directive (“MiFID2”)48 and/or an electronic money in the sense of the second Electronic Money Directive (“EMD2”).49 In any case, as highlighted by the European Banking Authority,50 a case-by-case analysis is needed. However, the existing legislative framework does not directly regulate the malicious cryptomining activities.

5 Conclusion All technologies possess a dark side and obviously the blockchain’s technology does not constitute an exception. The concept of cryptomining, specifically, reflects the Internet’s philosophy of decentralization and democratization. Also, the concept corresponds to Locke’s doctrine of property: acquisition of an exclusive right on the result of a workload, except that here both the property and the workload are digital. Ultimately, malicious cryptomining is, in this context, a theft of this digital workload. Criminalization of acts of malicious cryptomining is therefore in line with the liberal values of our contemporary societies. The EU has already developed various types of criminal offenses related to cybercriminality, but both the Cyber Attacks Directive and the Cyber Fraud Directive show gaps in the qualification of the activity as an offense, while the Anti-Money Laundering Directive also present some gaps in the enforcement of such activities. One step forward for dealing better with these illegal activities would be the creation of an ad hoc criminal offense of the with intent transfer, without authorization from the device’s owner, of computing resources of a device.

47

Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance). 48 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (Text with EEA relevance). 49 Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (Text with EEA relevance). 50 EBA (2019) report with advice for the European Commission on crypto-assets, available at https://eba.europa.eu/sites/default/documents/files/documents/10180/2545547/67493daa-85a84429-aa91-e9a5ed880684/EBA%20Report%20on%20crypto%20assets.pdf.

14

Legal Aspects of Malicious Cryptomining in the EU

353

References Abramaowicz M (2016) Cryptocurrency-based law. Ariz Law Rev 58:359 AdGuard Research (2017) Cryptocurrency mining affects over 500 million people. And they have no idea it is happening. https://adguard.com/en/blog/crypto-mining-fever.html Adimi Gikay A (2018) Regulating decentralized cryptocurrencies under payment services law: lessons from European Union law. J Law Technol Internet 9:15 Akcora CG, Li Y, Gel YR, Kantarcioglu M (2019) Bitcoin Heist: topological data analysis for ransomware detection on the Bitcoin Blockchain. arXiv preprint arXiv:1906.07852 Ambos K (2005) Is the development of a common substantive criminal law for Europe possible? Some preliminary reflections. Maastricht J Eur Comp Law 12(2):173–191 Barroso D (2007) Botnets-the silent threat. Eur Netw Inf Secur Agency (ENISA) 15(2007):171 Billman A (2018) Cryptojacking: abusing computational power for profit. Utica College, ProQuest Dissertations Publishing, 10932888, p 2 Blattberg E (2014) New Jersey slaps MIT Bitcoin hackers with subpoena — and they’re fighting back. Venture Beat. https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackerswith-subpoena-and-theyre-fighting-back/ Carstens (2018) Press release, Bank for International Settlements, 06 February 2018. Available at https://www.bis.org/press/p180206.htm Cellan-Jones R (2018) Hackers hijack government websites to mine crypto-cash, BBC, bbc.com, 11 February 2018 Drafting Group of the COE (2019) Enhanced international cooperation on cybercrime and electronic evidence: Towards a Protocol to the Budapest Convention, T-CY, Strasbourg, version 8 November 2019. Available at https://rm.coe.int/provisional-text-of-provisions-2nd-protocol/ 168098c93c EBA (2019) report with advice for the European Commission on crypto-assets, available at https:// eba.europa.eu/sites/default/documents/files/documents/10180/2545547/67493daa-85a8-4429aa91-e9a5ed880684/EBA%20Report%20on%20crypto%20assets.pdf Eskandari S, Leoutsarakos A, Mursch T, Clark J (2018) A first look at browser-based Cryptojacking. arXiv preprint arXiv:1803.02887 European Agenda on Security (2015) The European Commission, Strasbourg, 28.4.2015 COM (2015) 185 final Fox-Brewster T (2017) This Russian has the power to turn 100,000 android phones into cryptocurrency miners. forbes.com, Available at https://www.forbes.com/sites/ thomasbrewster/2017/11/08/google-android-cryptocurrency-miner-launched-by-russian/ Fritch D (2004) Click here for Lawsuit - Trespass to Chattels in Cyberspace. J Technol Law Policy 9:31 Gallagher S (2018) Russian nuclear weapons engineers caught ----minting blockchange with supercomputer Goldberg S, Johnson G, Shriver S (2019) Regulating privacy online: the early impact of the GDPR on European web traffic & e-commerce outcomes. Available at SSRN 3421731 Groysman I (2019) Revolution in crime: how cryptocurrencies have changed the criminal landscape. City University of New York John Jay College of Criminal Justice, ProQuest Dissertations Publishing, 2018, p 38 Houben R, Snyers A (2018) Cryptocurrencies and blockchain. Legal context and implications for financial crime, money laundering and tax evasion, STUDY Requested by the TAX3 committee, European Parliament. Available at http://www.europarl.europa.eu/cmsdata/150761/ TAX3%20Study%20on%20cryptocurrencies%20and%20blockchain.pdf, p 79 Kommesant (2018) Power plants for cryptocurrency mining purchased for the first time in Russia, Source: https://www.kommersant.ru/doc/3516547 (in Russian) Leavitt N (2005) Mobile phones: the next frontier for hackers? Computer 38(4):20–23

354

P. Jougleux

Mondschein CF (2020) Browser-based crypto mining and EU data protection and privacy law: a critical assessment and possible opportunities for the Monetisation of web services. J Br Blockchain Assoc 12585 Nambiampurath R (2018) Florida state employee arrested for mining cryptocurrency on agency infrastructure, cnn.com. https://www.ccn.com/florida-department-of-citrus-employee-arrestedfor-mining-cryptocurrency-on-state-infrastructure/ Pornasdoro A, Johnson M, Avena E (2018) Invisible resource thieves: the increasing threat of cryptocurrency miners, March 13. Available at https://cloudblogs.microsoft.com/ microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-ofcryptocurrency-miners/last. Accessed 30 Mar 2018 Rirsch R, Tomanek S (2019) Crypto-assets: commodities under European financial markets law? J Financ Compliance 2(3):199–206 Smith TB (2004) Electricity theft: a comparative analysis. Energy Policy 32(18):2067–2076 Steel A (2008) Taking possession: the defining element of theft. Melb UL Rev 32:1030 United Nation Office on Drugs and Crime (2015) International classification of crime for statistical purposes, March 2015. Available at http://ec.europa.eu/eurostat/ramon/statmanuals/files/ICCS_ final-2015-March12_FINAL_v1_0_EN.pdf Urquhart A (2016) The inefficiency of Bitcoin. Econ Lett 148:80–82 Vogel N (2015) The great decentralization: how Web 3.0 will weaken copyrights. J Marshall Rev Intell Prop Law 15:136 Weber RH, Studer E (2016) Cybersecurity in the internet of things: legal aspects. Comput Law Secur Rev 32(5):715–728 Yousaf H, Kappos G, Meiklejohn S (2019) Tracing transactions across cryptocurrency ledgers. In 28th Security Symposium Security 19, pp 837–850 Zimba A, Wang Z, Mulenga M, Odongo NH (2018) Crypto mining attacks in information systems: an emerging threat to cyber security. J Comput Inf Syst:1–12

Chapter 15

Combatting the Cybercrime: Thoughts Based on the Second Additional Protocol (Draft) to the Budapest Convention on Cybercrime Vagia Polyzoidou

Abstract The Second Additional Protocol to the Budapest Convention on Cybercrime is being prepared during the last 3 years, trying to capture some of the most complicated aspects of cybercrime—such as mutual legal assistance, cooperation between authorities and service providers (in general) and data protection requirements. Because of the limitations on fundamental rights and freedoms that the previous issues bring, it would be extremely interesting how individuals and legal entities would be protected in terms of the EU Charter of Fundamental Rights, general principles of the EU law, and the European Court of Justice’s case law.

1 Introduction: Regulatory Field The rapid spread of the Internet and the realization of the special features of cybercrime1 (such as the speed of their commission, the fact that they do not require specialized knowledge to perform them, the fact that they can be done easily notwithstanding where the perpetrator is, without any cost, as well as the fact that it is still extremely difficult to been investigated2) led to a global need: to recognize common legal measures to address the various forms of cybercrime. First, distinguishing “crimes related to electronic environment” themselves and finding their relation to common crimes was not prima facie simple; indeed, until late 1990s and the dawn of the new millennium, there was no clear, generally accepted definition of crime in cyberspace, neither in international jurisprudence and

1 For the definitions cybercrime and computer crime see Kaiafa-Gbadi (2007), pp 1061 ff; Mylonopoylos (1991), pp. 14 ff; Giannopoulos (1986), pp. 170 ff; Gabriole (1998). 2 Analytically, for cybercrime’s characteristics: Sieber (2004), pp. 16 ff; Clough (2015); Yar (2006); Williams(2006); Speer (2000), pp. 259–273; Strossen (2000), pp. 11–24.

V. Polyzoidou (*) Law School. University of Nicosia, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_15

355

356

V. Polyzoidou

legislation, nor in national judicial practice, which was mostly concerned with computer crime and not cybercrime. A first attempt to define cybercrime by Parker3 presents computer crime as a crime committed by an offender who uses expertise in computer technology, and cybercrime as crime in which the perpetrator uses expertise from cyberspace, i.e., the Internet.4 This definition, although clear, may not fully correspond to the breadth of modern criminal offenses concerned, so it needs to be supplemented by separate distinction of crimes. Moreover, according to Casey,5 cybercrime refers to any crime that involves a computer and a network. Today, cybercrime is defined as “directly related to the misuse of computer capabilities, while a crime committed with the help of a computer can be characterized as any illegal or immoral behavior, related to the automatic processing or data transmission.”6 Furthermore, cybercrime can be distinguished in turn, based on the possibility of being committed in a common or electronic environment or in both, (a) in a crime committed both in a common environment and on the Internet (non-genuine cybercrime),7 (b) a crime committed only in a computer environment, without the use of the Internet, and c) a genuine cybercrime.8 The realization that modern computer communications infrastructure (or information systems) upon which wealth, information and control of today’s world depend are highly vulnerable to intrusion, interference and disruption led to specific International and European legal instruments to fight cybercrime, based on either cooperation or harmonization of national substantive and procedural provisions. Their purpose is to describe the criminal conduct, procedural standards to gain evidence and international-cooperation-related mechanisms that deal with computer crime.

3

Parker (1998), p. 82. So, it was crucial to first distinguish between (a) crimes committed with the use of computers and (b) crimes committed specifically in cyberspace/through Internet. 5 Casey (2004), pp. 37 ff. 6 Aggelis (2000). 7 Non-genuine cybercrime is in turn divided into: (a) behaviors which, although infringing on traditional legal goods, would not be punishable without special standardization because they differ from the existing congenital legal form of crime; and (b) criminal offenses where the infringement derived from content related crimes. For example, the crime of digital child pornography can be included in the family of non-genuine computer crimes and in particular in the second category of them, as is evident from the above distinction, cf. Kaiafa-Gbadi, supra 1, pp. 1062–1063. 8 For the distinction between crimes in genuine and non-genuine information technology, ibid, p.1062. 4

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

357

2 Budapest Convention The first attempt to create a legal framework is made with the signing of the Budapest Convention on Cybercrime in 20019 (ETS 185 /Budapest Convention/ CCC).10 Council of Europe (CoE), Interpol, Europol, the Organization for Economic Cooperation and Development, the G8 Group of States, the Commonwealth and the United Nations (UN) cooperated for the Convention’s formulation. Besides, as the EU is concerned, in 2005 the European Union issued the Council Framework Decision 2005/222 after the increasing number of attacks. Some years later in 2013, the European Parliament and the Council voted the Directive 2013/40/EU11 due to the fact that attacks had been even more complicated. The last Directive came to fill the gaps that the previous Framework Decision had left. In addition to this, Directive about the European investigation order in criminal matters (Directive 2014/41/EU/EIOD), adopted by the Parliament and the Council of the European Union on 3 April 2014.20 for regulating e-evidence.12 The Budapest Conventions’ aim was to function an international framework for the harmonization of cybercrime legislation. The legal “arsenal” of individual states before the signing of the Convention regarding violations of legal interests on the Internet was clearly insufficient.13 But even if in some states a lot of the usual Internet related behaviors had already been standardized, dealing with the phenomenon in practice by each state separately was ineffective in view of the usually transnational nature of this new type of crimes.

9 According to T-CY by September 2019, 64 States had become Parties and a further eight had signed it or been invited to accede. In addition to these 72 States a further 28 are believed to have legislation largely in line with this treaty and a further 52 to have drawn on it at least partially. [T-CY is “The Cybercrime Convention Committee,” which represents the State Parties to the Budapest Convention on Cybercrime. Under Article 46 of the Convention, the consultation of the Committee aims at facilitating the effective use and implementation of the Convention, the exchange of information and consideration of any future amendments. https://www.coe.int/en/ web/cybercrime/tcy The Ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows was established by the Cybercrime Convention Committee (T-CY), at the 6th plenary session (23-24 November 2011)]. 10 Before Budapest Convention, Council of Europe dealt with electronic crime and cybercrime via the following Recommendations: (a) Recommendation No R (89) 9 on Computer related crime, (b) Recommendation No R (95) 13 Problems of criminal procedural Law connected with information technology) and (c) Recommendation No R (2001) 8 on self-regulation concerning cyber content. Nonetheless, their importance was limited because of their non-binding nature. 11 Cyprus adopted law 147(I)/2015 transposing it or (to be more accurate) copying it. In Greece the establishment of a proper law for the treatment of Cybercrime came many years later. Before 2016 there was not any law which would clearly refer to cybercrime. Therefore, the only legal background that it was used for such cases, was some articles of Criminal Code. Finally, the law 4411/ 2016 was voted to embody the Budapest Convention as well as the Directive 2013/40 to Greek law. Simultaneously, some articles of Criminal Code were adapted accordingly to the new law. 12 See more in Blažič and Klobučar (2020), pp. 66–81. 13 Akdeniz (2003), p. 3.

358

2.1

V. Polyzoidou

Convention’s Content

In the field of criminal law, Budapest Convention includes: a) provisions for the establishment of new legal forms, which set limits on the Internet users’ behaviors (Chapter 2, Section 1, Art. 1-13). Particularly, substantial criminal law’s provisions are presented in four categories: i. Crimes against confidentiality, integrity and availability14 of data and information systems15 (so called CIA cybercrimes) ii. Computer related offences (computer related forgery, computer related fraud) iii. Content-related offences (e.g., child pornography, child grooming etc.) and iv. Offenses related to infringement of copyright and related rights.16

When speaking for information systems and criminalizing the attacks of them, the first notion that comes to our mind and at the same time the prime value we need to ensure is Security in Information Technology (otherwise IT Security). However, IT Security, is still a quite broad concept—even after its specialization. On the other hand, criminal doctrine finds empirical dimension (the crucial characteristic of a legal interest) in the following three concepts: confidentiality, integrity and availability. Thus, in every attack of information system we can find an offense related to one (at least) of the aforementioned legal interests in the following context: (1) Integrity protects against unauthorized use modifying the data. The modification includes: write /create new data, insert new data into existing ones, deleting part or all of the data (and it is Achieved through the use of authentication mechanisms, with digital signatures, and with access control). (2) Availability ensures that system resources are always available, within a reasonable time, to everyone authorized users only and only to them. (3) Confidentiality protects against unauthorized use, disclosure of sensitive information. It is achieved by encrypting the data, which makes it data unreadable, and with access control to data. 15 Attacks against information systems belong to cyber-enabled crimes and in particular in cyberoffenses/cybercrime in stricto sensu. The main forms of attacks against information systems are well known, and all that changes is the modus operandi of perpetrators. If we must categorize them prima facie, we should create the following groups: (a) First, crimes related to illegal access to information systems or digital data (known worldwide as hacking) and more specific forms of attack such as pharming websites, phishing e-mails, the technique of “packet sniffers,” IP spoofing attack, the Joomla Bugs technique, the SQL Injection Technique. (b) Second, behaviors like obstructing or blocking the operation of a system and specific types of attacks like denial of Service—DoS attack, SYN flood attack ping of death and ping flood. (c) Thirdly, acts of copying, altering, or deleting data or damaging it, particularly by “infecting” it with malicious software, in other words illegal interference with digital data known in international terminology as malware attack and specifically, the well-known viruses, the “worms,” “trojan horses,” “key logger,” and “logic bombs.” 16 On the other hand, Directive’s 2013/40/EU content, except for necessary definitions and predictable provisions (relating to incitement, aiding and abetting and attempt – Article 8), differs from Convention as it seems to be more detailed. The categorization here is the following: (a) illegal access to information systems (Article 3), (b) illegal system interference (Article 4), (c) illegal data interference (Article 5), (d) illegal interception (Article 6), (e) tools used for committing offences mentioned at Articles 3 to 6 (Article 7). For a deep analysis of the Directive see Kaiafa-Gbandi (2012), pp. 67 ff. and Naziris (2014). 14

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

359

In this context, Convention of Budapest distinguishes cybercrimes in four categories: b) procedural provisions specifically for collection of relevant evidence from each Member State to facilitate the prosecution of the relevant crimes (Chapter 2, Section 2, Art. 14-22). Criminal procedure’s provisions refer mainly to (i) common provisions, (ii) expedited preservation and disclosure of traffic data, (iii) production order, (iv) search and seizure of stored computer data, (v) real time collection of computer data, (vi) interception of content data and (vii) jurisdiction but also c) actions to address the problem collectively in the context of international cooperation (Chapter 3, Section 1, Art. 23-35). International co-operation provisions mainly deal with (i) extradition, (ii) general principles on mutual assistance, (iii) spontaneous information, (iv) expedited preservation of stored computer data, (v) expedited disclosure of preserved traffic data.

2.2

Convention’s “Added Value”

Budapest Convention is the first international17 treaty aimed at protection against cybercrime. The contribution of the Cybercrime Convention to the criminalization/ standardization of behaviors like child pornography or attacks against information systems is indisputable; it has been a “guide” for subsequent legislative initiatives at both Council of Europe and the EU level.18 Consequently, the Cybercrime Convention ultimately accomplishes the presentation of the most important Internet related offenses in their most complete form and with an explicit reference not only to their forms of criminalization but also to those whose standardization can raise concerns in specific legal orders; that is why it recognizes in several places the discretion of the states for exceptions to the punishment of the relevant behaviors.

2.3

Convention’s Implementation and Arising Issues

CoE’s major concern on whether (and how) the Convention could respond to the dynamically changing new digital environment was evident even in its text. Art. 46 of Convention (Consultations of the Parties) created more than a legal basis: the

17 In fact, its importance in transnational level stems from the fact that the European Union actively participated in the drafting of Budapest Convention by signing it autonomously: not only to motivate its members but also to ensure the non-disruption of its relevant objectives, since in this way it could to a certain extent co-determine the provisions of the Convention. 18 CDPC (2001), par. 91, Kaiafa—Gbadi supra n16, p. 1058, Furnell (2002), p. 25 ff.

360

V. Polyzoidou

obligation19 (to the Parties) of monitoring, modifying and updating the Convention. The European Committee on Crime Problems (CDPC) should assist the Parties in their efforts to supplement or amend the Convention according to the needs of effective prevention and prosecution of cyber-crime while ensuring the associated privacy issues –and in general human rights.20 2.3.1

First Additional Protocol: Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed Through Computer Systems

The inadequacy of Convention on Cybercrime to face every aspect of cybercrime became quickly clear. First, in the field of substantial criminal law, the standardization of a separate group of content related crimes was considered crucial; more specifically it was considered that racist and xenophobic offenses via Internet were not mentioned clearly in Budapest Convention. Consequently, the Council of Europe reached its final text for First Additional Protocol in Cybercrime Convention in 2003, considering two very important factors: first, the fact that the Internet must be inspired by the principle of freedom of expression and, second, the finding that its misuse may pose the risk of spreading racist and xenophobic ideologies and propaganda against individuals’ groups.21 2.3.2

Second Additional Protocol (Draft): Preparation22

As far as more procedural and technical matters were concerned, Parties had early to admit that the implementation of the Budapest Convention on Cybercrime looked like a tug of war: on the one side the protection of society and individuals against crime; on the other side, the protections of human rights and the promotion of rule of law in cyberspace. First, it must be clear that “Budapest Convention consider this a criminal law treaty that is to be used in specified criminal investigations and for specified data, and that it is not a treaty to be used for national security or mass

See grammatically “shall” in Article 46 par. 1 of the Convention. See Explanatory Report on Cybercrime Convention (2001), p. 60. 21 For its ratio see Explanatory Report to The Additional Protocol to the Convention on Cybercrime, concerning the criminalization of acts of a racist and xenophobic nature committed through the computer systems (2003). 22 For a broaden study see Draft on Second Protocol on Budapest Convention Consultative Committee of the Convention for the Protection of individuals with regard to automatic processing of personal data, Opinion on the provisional text and explanatory report of the draft Second Additional Protocol to the Budapest Convention on Cybercrime (ETS 185) on direct disclosure of subscriber information and giving effect to orders from another Party for expedited production of data (2019). 19 20

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

361

surveillance purposes” despite the arising doubts for the role of criminal justice authorities in national security measures.23 The (related to cybercrime) procedural matters were underlined from 2012 to 2014 through a working group on trans-border access to data and from 2015 to 2017 through the Cloud Evidence Group. The latter proposed that the following specific issues be addressed: (a) the need to differentiate between subscriber, traffic and content data in terms of requirements and thresholds for access to data needed in specific criminal investigations, (b) the limited effectiveness of mutual legal assistance for securing volatile electronic evidence, (c) situations of loss of, (d) the question as to when a service provider is sufficiently present or offering a service in the territory of a Party so as to be subject to the enforcement powers of that Party, (e) the current regime of voluntary disclosure of data by US-providers which may help law enforcement but also raises concerns, (f) the question of expedited disclosure of data in emergency situations and (g) data protection and other rule of law safeguards.24 Furthermore, T-CY was adopting Recommendations related to the effectiveness of the mutual legal assistance process, the implementation of Art. 18 by Parties in their domestic law, the role of service providers. In particular, T-CY was methodically working on trans-border access to data concluding to some major assumptions such as the importance of mutual legal assistance (MLA) arrangements to acquire access to electronic evidence in foreign jurisdictions, the difficulties or ineffectiveness in MLA procedures because of technological developments and the volatility of electronic evidence, the limited framework for permitted trans-border access to data based on Art. 32 of the Convention, the national continuous search for solutions to find an international legal basis for access in data beyond the provisions of the Budapest Convention without violating rule of law and human rights.25 Some years later, it agreed on the beginning of negotiations for Second Additional Protocol to the Budapest Convention on enhanced international cooperation (September of 2017).26 During the last 3 years, the Second Additional Protocol to the Budapest Convention on Cybercrime is being prepared, trying to capture some of its most complicated aspects such as mutual legal assistance, cooperation between authorities and service providers (in general) and data protection requirements. However, its fight raises so many red lines in the field of humans’ rights protection that the final successful capture of procedural rules is questionable. The preparation of the Protocol (draft) is based on the following pillars:27 23

T-CY, Cybercrime Convention Committee (2014), p. 3. See analytically in T-CY (2019b) Enhanced international cooperation on cybercrime and electronic evidence: Towards a Protocol to the Budapest Convention. 25 T-CY, supra n23, p. 8. 26 The Protocol is expected to be completed by December 2020 (if another postponement due to COVID-19 does not take place). 27 See analytically in T-CY (2017) Terms of Reference for the Preparation of a Draft 2nd Additional Protocol to the Budapest Convention on Cybercrime, and T-CY (2019a) Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime. 24

362

V. Polyzoidou

A. Provisions on more efficient mutual legal assistance28 B. Provisions allowing for direct cooperation with service providers in other jurisdictions regarding requests for subscriber information, preservation requests, and emergency requests C. Clearer framework and stronger safeguards for existing practices of trans-border access to data D. Safeguards, including data protection requirements The focus of the next lines lies on the concentration of the realistic objections and questionings that have been arisen until now—especially by the Civil Society (companies, private sector, and organizations)—during the proceedings of a targeted consultation (bearing in our mind that most of the problems and concerns that arise during the draft’s study could belong to more than one of the aforementioned categories).

3 Concerns and De Lege Ferenda Proposals on the Second Additional Protocol 3.1 3.1.1

Mutual Legal Assistance29 (Direct) Disclosure of Subscriber Information

The relevant provision refers to direct cooperation between the authorities of one Party and a service provider in the territory of another Party to obtain subscriber information.30 According to the Draft Explanatory Report,31 the rationale of the article based on the importance of the electronic evidence (that may be held by a service provider in the territory of another country). Besides, international cooperation procedures, such as mutual assistance, “are not always able to provide assistance rapidly or effectively enough for the needs of the investigation or proceeding due to the continually increasing volume of requests seeking electronic evidence.”

28

E.g., simplified regime for mutual legal assistance requests for subscriber information, international production orders, direct cooperation between judicial authorities in mutual legal assistance requests, joint investigations and joint investigation teams, requests in English language, audio/ video hearing of witnesses, victims and experts, emergency MLA procedures. 29 For MLA’s (Mutual Legal Assistance) importance and its content in Cybercrime Convention see T-CY, supra n23, especially pp. 33 ff for Art. 25 and 27. 30 Under Art. 4 (in draft) “1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to issue an order to be submitted directly to a service provider in the territory of another Party, to obtain the disclosure of specified, stored subscriber information in that service provider’s possession or control, where the information is needed for the issuing Party’s specific criminal investigations or proceedings.” 31 See Explanatory Report on 2nd Additional Protocol (draft) on Cybercrime Convention (2019), p. 15.

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

363

Nonetheless, the question that stems from such a regulation is how the non-involvement of both Parties involved in the case could be justified in terms of legal certainty; on the other hand it seems as the rule for the disclosure of subscriber information should be the provision of 5th section of the draft since the authorities in the country of the receiving party are much stronger involved.32 3.1.2

Single Points of Contact (SPOCs)

According to the draft, cross-border orders under Section 4 could, in principle, be issued by “any” law enforcement agency which a party provides with the necessary legal competence. However, the importance of specific (national) single points of contact (SPOCs) for the transmission of cross-border orders in terms of law enforcement, process accelerations and added security to both parties is highly underlined (externally). In particular, both EuroISPA and ISPA Austria33 stated that service providers receive a large number of informal requests on technical issues prior to receiving a production order—something that could be avoided (to a large degree) if all requests and orders are transmitted via a SPOC which has the necessary technical and legal know-how in respect of how to request data from service providers.34 National SPOCs (rather than jurisdictional authorities in abstracto) will contribute to reliable authentication process, ensuring harmonization and a secure method of data transfer—and even increasing opportunities for new jobs.35 3.1.3

Dual (Double) Criminality36

Under Art. 25 par. 5 of the Convention, a Party has the possibility to make the mutual assistance conditional upon the existence of dual criminality;37 while in the draft of the Second Protocol, one could find that both in Section 4.5.c (5) c and Section 5.8., it is the receiving state (only) which can refuse to comply with an order by another party based on the grounds established in Art 25. (4) and Art. 27 (4) of the Budapest Convention – which lay down the reasons to refuse a response to a Mutual Legal 32

See EuroISPA’s comments (2019), p. 2. EuroISPA, supra n34, p. 7, ISPA Austria’s (2019). 34 ISPA Austria suggests adding a provision which requires that all orders under Section 4 should be transmitted via a SPOC. Besides, a similar provision should also be provided for orders under Section 5, where 5.10 currently only leaves that to the discretion of the receiving party. 35 Facebook (2019). 36 For the concept of “double/dual criminality” see, among others, Asp (2016), pp.115 ff. 37 This principle, whereby the offence prosecuted in one State must also constitute a crime in the State in which the data is being requested, is crucial in international judicial cooperation. It provides legal certainty for individuals and service providers and prevents politically motivated or otherwise unjust prosecutions. Regular refusals to execute European Arrest Warrants in the EU show the divergences between States in terms of freedom of expression protections and their application. 33

364

V. Polyzoidou

Assistance request. Practically, the Protocol permits a country that, for example, recognizes blasphemy as a crime, to issue an order for disclosure of subscriber information to prosecute that crime to a service provider in a country in which the blasphemy is not a crime.38 Therefore, the absence of a dual criminality requirement as ISPs (Internet Service Providers) are regarded puts the free expression rights world-wide at jeopardy if they use a service provider with a global user base (given also that the draft Protocol seems to extend the ability to issue orders for compelled disclosure of subscriber information to all crimes, even petty, not just to serious crimes39). That is why organizations as Joint Civil Society, EuroISPA and CDT consider that dual criminality’s prerequisite should be clearly referenced40 as a condition for issuing an order by the requesting Party and that the offence for which the order is issued should be punished similarly in both Parties.41 3.1.4

Prior Judicial Authorization

The draft Second Additional Protocol provides broad discretion to Parties to adopt national legislation to empower any “competent authorities” to issue orders under Art. 4 par. 142 and Art. 5 par. 1—approach which reminds a lot par. 138 of Cybercrime’ s Convention Explanatory Report.43 Without excluding the concretization of the phrase in the means of “prosecutor or other judicial44 authority or a legal entity under independent supervision,” the draft leaves though the choice to the Parties.45 However, the adoption of a broad criterion of authority for the issuance of

38

CDT (2019), p. 3. Such as those with a minimum maximum of imprisonment at least 3 years. 40 Even in Explanatory Report according to EuroISPA (and subsequently that service providers are permitted to refuse orders which do not fulfil based on Art. 25 (4) and Art. 27 (4) of the Budapest Convention). See EuroISPA, supra n34, p. 2. 41 See Joint Civil Society Response (2019), p. 9; Joint Civil Society Response (2018). 42 Art. 4 2b’s provision is indisputably preferable as it requires involving the authorization of an independent judicial authority should be mandatory, not optional: “at the time of signature or when depositing its instrument of ratification” that the order must be issued by, or under the supervision of, a prosecutor, or other judicial authority, or otherwise be issued under independent supervision.”[EDPB, understands though that this could imply, a contrario and in the absence of such declaration, that where the requested State did not make such a declaration, orders to service providers could be issued by any authority in the requesting Party, see EDPB (2019), pp. 3 ff.]. 43 See Explanatory Report on Cybercrime Convention, supra n20, p. 22 according to which “judicial, administrative or other law enforcement authority that is empowered by domestic law to order, authorise or undertake the execution of procedural measures for the purpose of collection or production of evidence (...)”. 44 CDT also underlined the different nature of “prosecutor” depending on the legal system (continental or common law) supporting that in some countries, “prosecutors” are not at all independent—inflaming the uncertainty about the types of information that could constitute subscriber information subject to direct disclosure. See CDT, supra n40, p. 2. 45 Asociación por los Derechos Civiles (2019), p. 4. 39

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

365

measures does not bring (as previous judicial authorization brings) the necessary guarantees minimum in terms of legality—and that is why could be risky for the rights of individuals.46 Furthermore, EDPB has highlighted the importance of judicial authorities’ early involvement in the procedure “in order to give these authorities the possibility to effectively review compliance of the orders with the Convention and ensure the obligation for these authorities to raise grounds for refusal on that basis”47 based on CJEU’ s cases and the adopted criteria48—and its importance as far as the principle of dual criminality in the field of judicial cooperation has to be applied. What is, finally, recommended: the requirement of a judge or other independent oversight body49 (and their involvement as soon as possible) both in Art. 4 and Art. 5 of the draft. 3.1.5

Emergency Mutual Legal Assistance

Under Section 3.1 of the draft, an “emergency means any situation in which there is a significant and imminent risk to the life or safety of a natural person.” However, the life and safety could not be considered as equal units: life is the most important legal interest of any human while safety is considered as an emotion—that is why its meaning is quite broad and not always empirically verified. To avoid improper requests based on emergency, the Explanatory Report defines the time factor (“imminent”50) but not the qualitative one (why, for example, the notion of safety is more useful to another legal interest like health or physical integrity). In practice, MLA requests may be used under the pretext of “imminent risk to the safety in abstracto” to receive swift responses—causing system to overload. An “emergency” must be defined narrowly to avoid undermining the efficiency of the provision.51

According to Joint Civil Society (supra n43, p. 10) “Under this rule, local or municipal authorities, police or anybody freely determined by the state party will have the legitimacy to communicate directly with the service provider and compel it to provide subscriber information. Thus, there may be situations in which access to or transfer of data occurs without the intervention of any independent public body capable of assessing the legality of the order.” 47 EDPB, supra n44. 48 CJEU (in joint cases C-203/15 and C-698/15, Tele2 Sverige AB and in joint cases C-293/12 and C-594/12, Digital Rights Ireland Ltd) has restricted the possibility to provide for such access a “prior review carried out by a court or an independent administrative body,” “following a reasoned request of [competent national] authorities submitted within the framework of procedures of prevention, detection or criminal prosecution.” 49 So does Facebook, supra n37. 50 Explanatory Report, supra n33, p. 12. 51 Same ISPA Austria and Facebook,. 46

366

3.1.6

V. Polyzoidou

Production Order’s Timeframe

The timeframe of 30 days for responding to a cross-border production order (Section 4) seems to be adequate and rational –while the 20 days’ timeframe (Section 5) for the disclosure of the same data category does not meet the need for procedure’s simplification as far as “deadlines” concerned by Service Providers –as both EuroISPA and ISPA Austria recommend. 3.1.7

Videoconferencing

Section 2 of the draft (videoconferencing) leaves many questions as procedural safeguards are concerned, mainly because of the absolute discretion of the requested Party to require particular conditions and safeguards with respect to the taking of testimony or a statement from such person (Section 2.1 par. 7). CCBE, based on relevant ECHR’s provisions52 insists on the importance of developing (by CoE) mandatory minimum standards (reflected not only in the main text but also in the explanatory report) as to the technical arrangements that should be in place for the use of videoconferencing to ensure as much as possible a true-to-life hearing experience including full communication/interaction of all the parties to the procedure with the examined person.53 Its proposals intend to ensure principally the participants’ and lawyers’ presence during hearing (notification of the precise date and time, taking into account different time zones), the protection of professional secrecy (verifying whether it is necessary to seek explicit consent of participants, ensuring confidentiality) and legal professional privilege during the VC session (the lawyer should be able to sit together with his/her client, legal instructions on the procedure they must follow).

3.2 3.2.1

Direct Cooperation With Service Providers Defense Access to Evidence-Gathering Tools

Given the differentiation between the legal system that each state adopts and the subsequent differences in criminal procedure (in the branch of evidence) it is quite interesting to see if (and how) the powers to the defense to demand evidence gathering are on equal terms with prosecutors, and obligations on States or service

52 Art. 6(1) ECHR [:the right to a “fair” hearing], Art. 6(3)(c) [:the rights of the suspected and accused persons to defend themselves in person, through legal assistance of his/her own choosing or to be given it free], Art. (3)(d) [:the right to examine witnesses against him/her] and Art. 6(3)(d) [: the right to have the free assistance of an interpreter]. 53 CCBE (2019), p. 1.

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

367

providers receiving such requests to process them with the same urgency as requests received from competent authorities.54 3.2.2

Legal Basis for Disclosure of Subscriber Information by the Service Provider

Beyond any other concerns, a compromise between different national jurisdictions, as well as the EU (and European Economic Areas) framework is needed. As Joint Civil Society Response55 raised, even “a blanket provision that simply removes obstacles in data protection laws for voluntary disclosure56 of subscriber information by private service providers” could not be a solution as well as it would be against with GDPR requirements. Not to mention that EU Member States have—in general—more mechanisms and instruments to gather e-evidence (such as the European Production Order “EPO”)—a possibility that could be considered as their own privilege in such a way that whoever outside the EU is necessarily deprived of it.57

3.3

3.3.1

Trans-Border Access to Data (Categories of Data, Definition of “Subscriber Information” and Type of Offense) Traffic Data

“Subscriber information”58 must be clarified to avoid any inclusion of “traffic data”59 or “content data” ex officio in the initial term. Besides, according to the CJEU case law60 “metadata such as traffic data and location data provides the means of establishing a profile of the individuals concerned—information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.”61

54

See Joint Civil Society Response, supra n43, p.11. Ibid, p. 13. 56 As long as “Disclosure implies that personal data is transferred from the service provider to a controller in another State which may conflict with third-country provisions in States’ data protection law.” 57 Facebook, supra n37. 58 See also Art. 18.3 of the Convention. 59 Traffic Data (relating to the transmission of a communication) include certain Internet Protocol (IP) address information—for example, the IP address used at the time when an account was created, the most recent log-on IP address or the log-on IP addresses used at a specific time. 60 See joined cases C-203/15 and C-698/15, supra n50. 61 EDPB, supra n44, p. 4. 55

368

3.3.2

V. Polyzoidou

The Nature of IP Addresses

The IP address and other information recorded are traffic data, but the following distinction is necessary: when an IAS (Internet Access Service) provider discloses the IP address that it has persistently assigned to a specific individual, this represents a disclosure of subscriber data; when any other type of service provider reveals how the subscriber has used his or her IP address to communicate with other Internet users or services, this consists a disclosure of traffic data. So, when considering IP addresses, their characterization as either subscriber information or traffic data depends on the context and circumstances in which information about them is revealed. According to Explanatory Report on the draft subscriber data, it is not sensitive as it does not allow “precise conclusions concerning the private lives and daily habits of individuals.” However, it would be preferable to consider the level of sensitivity of IP addresses ad hoc and in concreto taking account that the same information (e.g., one customer’s visit) may have different background (visit to grocery or visit to a health center)—and that is how its sensitiveness depends on the context.62 3.3.3

Dynamic IP Addresses and Log-On IP Addresses

No doubt that the definition of subscriber information stems from the original text of the Cybercrime Convention (Art. 18 (3)), it would be helpful though to exclude the disclosure (Section 4) of at least dynamic63 and log-on IP-addresses (in Explanatory’s Report text at least). Besides, both of them could be highly revealing—and harm free expression and on-line privacy. Besides, given that this distinction exists in several Parties’ legal framework and doctrine, there is no need (for the Draft Protocol) to equate dynamic IP addresses and subscriber information—similarly with excluding log-on IP address as an example of subscriber Information.64 3.3.4

Better Definition of “Possession and Control” of Data

One more time, Budapest Convention seem insufficient as digital terminology converts day by day. Thus, possession’s65 and control’s meaning seems to get other meaning in Explanatory Report of the Budapest Convention and in T-CY’s

62

Ibid. For the distinction between static and dynamic IP address see Conditions for obtaining subscriber information in relation to dynamic versus static IP addresses see T-CY (2018), p. 26. 64 Joint Civil Society Response, supra n43, p. 6, EuroISPA, supra n34, p. 2. 65 For the meaning of “digital possession” see R v Sharpe (2001), Clough (2008), p. 234, Nair (2008), 160, Danay (2005), p. 174. 63

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

369

Guidance Note on Art. 18 of the Protocol (draft). EuroISPA suggests an accurate definition of what data is in the provider’s “possession and control” as long as consistency of the terminology could prevent any conflicts with other relevant provisions.66 3.3.5

Notification to the Individual Whose Data Is Being Sought

The timely notification of the subscriber from the requesting Party, the requested Party, or the service provider should be faced as a sine qua non prerequisite; on the other hand, a request for non-notification by the requesting State is not enough to overcome data protection’s commitments. 3.3.6

Security, Authenticity, Confidentiality of Data

IT Security addresses issues related to: (a) prevention: measures to prevent damage to constituents of a bp (e.g., lock placement, encryption), (b) detection: take steps to detect when, how and who caused the damage to components of a PS—personal system. (e.g., circuit with cameras, log files) and (c) reaction: measures for recovery or rehabilitation of the components of the PS (e.g., police call, file recovery from backup). As Protocol regarded, it should either require Parties to define, declare, and keep up-to-date the rules and technical mechanisms (in the process of sending and reception of orders and replies) or create a formal process through which Parties’ technical representatives can identify best practices in the aforementioned procedures.67 Moreover, T-PD68 devotes a special reference to the cornerstone of “confidentiality.” According to it, confidentiality may be important to maintain efficiency in criminal investigations, it may equally be vital in safe-guarding data protection, considering at the same time its inclusion in the text as inevitable because of a group of several provisions [Art. 26.2 and 27.8 in Budapest Convention (ETS 185), Art. 25 of the Second Additional Protocol to the Convention on MLA in criminal matters (ETS 182)].

66

EuroISPA, supra n34p. 6. Indeed, EDPB thinks that besides Art. 4(6) and Art. 5(5), the development of further specifications and requirements so that the personal data are disclosed and communicated in a secure environment (ensuring the authenticity of documents and in compliance with fundamental rights) would be ideal. 68 T-PD (2019). 67

370

3.4 3.4.1

V. Polyzoidou

Safeguards for Human Rights Personal Data Safeguards

In the field of substantive law, the Committee of Convention 108 (T-PD), recognizing the common field of interest and at the same time the inevitable conflicts between the two instruments (personal data and digital investigations) suggest some mandatory common safeguards to the Second Protocol like: “a. purpose legitimacy, purpose specificity and purpose limitation; b. lawfulness; c. fairness and transparency; d. necessity for and proportionality to the legitimate purpose pursued; e. non-excessive data processing and data minimization; f. adequacy, relevance and accuracy of data; g. data retention limitation; h. accountability of controllers and processors; i. logging, data security and data breach notification duty; j. information security k. specific, additional safeguards for special categories of sensitive data; l. lawful use of exceptions and derogations; m. enforceable data subjects’ rights and effective administrative or judicial redress; n. appropriate protection in (onward) data transfers; o. effective independent oversight.”69 Under these circumstances, could the Protocol allow service providers or competent authorities to proceed to the actions described guaranteeing the protection of individuals. Besides, as procedural provisions are regarded, Protocol must ensure—for example70—a clear legal basis for any processing, the prior authorization (except for cases of urgency), the limited amount of personal data collected using criteria of adequacy and relevance, the punctual notification of the persons involved (and their defendants), limited duration of personal data’s retention. Not to mention that every interference with fundamental human rights (such as privacy and the right to private life) should be proportionate to the seriousness of the investigated crime.71 Using the principle of proportionality here could contribute to create a limitation (compatible with Art. 18 of Convention as well) of the offences under the umbrella of Second Protocol—given than in the draft there is no exception for petty offenses. Lastly, the draft Second Additional Protocol should clarify the scope of Art. 4 so as “to exclude data from individuals’ ongoing use of a service that allows precise conclusions concerning the private lives and daily habits of the individuals concerned.”72

69

Ibid. EDPB, supra n44, p. 5. 71 CJEU judgment on Ministerio Fiscal, C-207/162018 See, also, Arts. 7 and 8 of the Charter. 72 Joint Civil Society Response, supra n43, p. 12. 70

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

3.4.2

371

Direct Disclosure Safeguards

Under par. 8 of the Draft Explanatory Report on Art. 4, par. 1, “orders may only be issued for information that is needed for an investigation or proceeding.” “Needed” could be interpreted in accordance with principle of necessity and proportionality (derived from the ECHR, the ECtHR jurisprudence, the EU law,73 and national legislation). But for Parties which do not belong to Council of Europe the principle of relevance could be a significant contribution (the data sought should be relevant to the investigation or prosecution74). The draft Protocol should open the road to access subscriber information only when the person investigated is suspected of planning, committing or has planned or committed criminal acts. Moreover, the competent authorities in the receiving party shall be notified accordingly so as to be involved on time and to ensure finally that rule of law in the receiving state is applied. 3.4.3

Transparency

Carolyn Ball75 tried to examine the evolving definition of transparency from a postmodernist approach stating that its definition reveals three metaphors: transparency as a public value embraced by society to counter corruption, transparency synonymous with open decision-making by governments and nonprofits, and transparency as a complex tool of good governance in programs, policies, organizations, and nations. Expanding her thought in the first metaphor, transparency could be fulfilled through the right of access to information. Expanding the example in the context of Second Protocol we could say that high level of obligatory transparency (see metrics and results on annual basis) will ensure the smooth application of the suggested measures.76

4 Conclusion The foundations of Second Additional Protocol to Cybercrime Convention stem from the idea that the same networked technologies that create criminal opportunity can also be harnessed to police cybercrime and also that the bodies policing the Internet include the many other nodes in the networked model of Internet policing outlined earlier. It is more than crucial to set the balance between the need to

73 For principle of proportionality in the EU context see ECPI (2009), A Manifesto on European Criminal Policy, ECPI (2013), A Manifesto for European Criminal Procedural Law. 74 EuroISPA, supra n34. 75 Ball (2009), pp. 293–294. 76 ISPA Austria supra n35, CDT, supra n40, p. 4.

372

V. Polyzoidou

maintain order online and the need to enforce law; until this balance has been achieved the cybercrime “reassurance gap” will not be closed. Notwithstanding the fact that T-CY Committee did its best to engage in close consultation with civil society, data protection organizations and industry during the drafting process as well as to coordinate and to cooperate with so many Committees, there are still remaining a lot of human rights’ issues that seem extremely seem easy to emerge during Protocol’s implementation. The provisional text should be amended to include clear limits on specific obligations to protect users’ rights to privacy and free expression –and generally human rights guaranteed under the International Covenant on Civil and Political Rights (ICCPR), the Universal Declaration of Human Rights or the EU Charter of Fundamental Rights. Not to mention that the establishment of direct cooperation mechanisms (see direct disclosure) between law enforcement authorities and service providers is not really a mechanism that could substitute co-operation rules without proper judicial oversight. To sum up, the modifications needed to take place in the Protocol’s draft could be summarized in a prior judicial review mechanism’ s establishment, ensuring data’s transfer to the requesting country only after notification as well as sufficient safeguards and grounds for refusal to execute international production orders, acknowledging legal remedies and realizing the principle of equality of arms, implementation of confidentiality restrictions on production orders and ensuring that production orders targeting subscriber information can only be issued for serious crimes.77 Needless to say that the Second Additional Protocol should adequately reflect the Council of Europe’s spirit on fundamental rights and freedoms, in particular on the protection of personal data.78 Moreover, due to the direct effect of the additional protocol to the Convention in the EU legal order, the draft provisions could then be interpreted as allowing any authority to issue an order, thus putting the lawfulness of the agreement into question in light of the EU law. Considering the CJEU case law already cited, the type of requesting authorities who may issue such order should be limited to a person or entity bringing guarantees (e.g., a judicial authority or another independent authority). On the doorstep of Second Additional Protocol the matters that it deals with are more than complicated—while the expectations set for this new instrument are high (just like the Budapest Convention). Perhaps it must stand the test of time to make a difference in terms of an effective criminal justice response with human rights and rule of law safeguards.

77

Analytically in CCBE, supra n55, p. 3 ff. It is therefore essential to ensure consistency between the Protocol and Convention 108+ (Convention 108 as amended by Protocol CETS 223) which applies to all data processing carried out in the public and private sectors. 78

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

373

References Aggelis I (2000) Diadiktyo kai Poiniko Dikaio (Internet and Criminal Law). Poinika Chronika 2000:678 ff Akdeniz Y (2003) An advocacy handbook for the non-Governmental Organisations – The Council of Europe’ s Cyber Crime Convention 2001 and the additional protocol on the criminalisation of acts of a racist or xenophobic nature committed through computer systems, 2003 (revised 2008), https://www.cyber-rights.org/cybercrime/coe_handbook_crcl.pdf, Accessed 18 July 2020 Asociación por los Derechos Civiles (2019) Comments on protocol draft, https://rm.coe.int/adccomments-2nd-additional-protocol/168098c93d, Accessed 18 July 2020 Asp P (2016) The procedural criminal law cooperation of the EU. Jure and Stockholm University, Stockholm Ball C (2009) What is transparency? Public Integrity 11(4):293–308 Blažič B, Klobučar T (2020) Removing the barriers in crossborder crime investigation by gathering e-evidence in an interconnected society. Inf Commun Technol Law 29:66–81 Casey E (2004) Digital evidence and computer crime. In: Forensic science, computer and networks, 2nd edn. Academic Press, Cambridge CCBE (2019) Comments on Draft 2nd Additional Protocol to the Convention on Cybercrime Provisional draft text of provisions on Language of requests, Emergency MLA, Video Conferencing, direct disclosure of subscriber information, and giving effect to orders from another Party for expedited production of data, 8 – 11 - 2019, https://rm.coe.int/ccbe-written-commentsdraft-2nd-additional-protocol-to-the-convention-/168098bc6e, Accessed 18 July 2020 CDPC (2001) European committee on crime problems. Explanatory Memorandum to the Convention on Cybercrime, 8 November 2001, http://conventions.coe.int/treaty/en/reports/html/185. htm, Accessed 18 July 2020 CDT (2019) Center for Democracy and Technology. Initial Observations of the Center for Democracy & Technology on the provisional draft text of the Second additional Protocol to the Budapest Convention on Cybercrime, 8-11-2019, https://rm.coe.int/cdt-comments-2ndadditional-protocol/168098c93e, Accessed 18 July 2020 Clough J (2008) Now you see it, now you don’t: digital images and the meaning of possession. Criminal Law Forum 19:205–239 Clough J (2015) Principles of cybercrime, 2nd edn. Cambridge University Press, Cambridge. https://doi.org/10.1017/CBO9781139540803 Danay R (2005) The danger of fighting monsters: addressing the hidden harms of child pornography law. Rev Const Stud 11:151 Draft on Second Protocol (2019) on Budapest Convention Consultative Committee of the Convention for the Protection of individuals with regard to automatic processing of personal data, Opinion on the provisional text and explanatory report of the draft Second Additional Protocol to the Budapest Convention on Cybercrime (ETS 185) on direct disclosure of subscriber information and giving effect to orders from another Party for expedited production of data 20-11-2019, https://rm.coe.int/t-pd-2019-8fin-opinion-second-additionnal-protocol/ 168098e42a, Accessed 18 July 2020 ECPI (2009) A Manifesto on European criminal policy, http://www.zis-online.com/dat/artikel/ 2009_12_383.pdf, Accessed 18 July 2020 ECPI (2013) A Manifesto for European criminal procedural law, https://www.juridice.ro/wpcontent/uploads/2013/11/manifesto.pdf, Accessed 18 July 2020 EDPB (2019) Contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime, 13-11-2019, https://edpb.europa.eu/our-work-tools/ourdocuments/edpb-contribution-consultation-draft-second-additional-protocol-council_en, Accessed 18 July 2020 EuroISPA (2019) Comments on the provisional text of the 2nd Additional Protocol to the Budapest Convention on Cybercrime, https://rm.coe.int/euroispa-s-comments-to-draft-provisions-2ndadd-protocol-final/168098bcab, Accessed 18 July 2020

374

V. Polyzoidou

Explanatory Report on 2nd Additional Protocol (draft) on Cybercrime Convention, 8-11-2019., https://rm.coe.int/provisional-text-of-provisions-2nd-protocol/168098c93c, Accessed 18 July 2020 Explanatory Report on Cybercrime Convention, 2001., https://rm.coe.int/16800cce5b, Accessed 18 July 2020 Explanatory Report to The Additional Protocol to the Convention on Cybercrime, concerning the criminalization of acts of a racist and xenophobic nature committed through the computer systems, 2003., https://rm.coe.int/16800d37ae, Accessed 18 July 2020 Facebook, Public ConsultationResponse2ndAdditional Protocol to the Budapest Convention on Cybercrime4thRound of Consultation, 2019., https://rm.coe.int/facebook-comments-2ndadditional-protocol/168098c93f, Accessed 18 July 2020 Furnell S (2002) Cybercrime: vandalizing the Information Society. Addison-Wesley, Boston. https://doi.org/10.4135/9781446212196 Gabriole Z-G (1998) The state of the law on cyber jurisdiction and cybercrime on the internet, vol. 1. 1997 Giannopoulos T (1986) Opseis kai provlimata Electronikis Egklimatikotitas (Aspects and Problems of Cybercrime). Nomiko Vima 1986:170 ff ISPA Austria (2019) Contribution to the public consultation on the provisional text of the Second Additional Protocol to the Budapest Convention on Cybercrime, 2019, https://rm.coe.int/ euroispa-s-comments-to-draISPA%20AUSTRIA%E2%80%99S%20CONTRIBUTION% 20TO%20THE%20PUBLIC%20CONSULTATION%20ON%20THE%20PROVISIONAL% 20TEXT%20OF%20THE%20SECOND%20ADDITIONAL%20PROTOCOL%20TO% 20THE%20BUDAPEST%20CONVENTION%20ON%20CYBERCRIMEft-provisions-2ndadd-protocol-final/168098bcab, Accessed 18 July 2020 Joint Civil Society (2018) Response to discussion guide on a 2nd additional protocol to the Budapest convention on cybercrime, https://edri.org/files/consultations/globalcoalitioncivilsocietyresponse_coe-t-cy_20180628.pdf, Accessed 18 July 2020 Joint Civil Society (2019) Response to the provisional draft text of the Second Additional Protocol to the Budapest Convention on Cybercrime, https://rm.coe.int/civilsocietysubmission-tcydraftsecondadditionalprotocol/168098bc6d, Accessed 18 July 2020 Kaiafa-Gbadi M (2007) Poiniko Dikaio kai Kataxriseis tis Pliforofikis (Criminal Law and IT Abuses). Armenopoulos 2007:1061 ff Kaiafa-Gbandi M (2012) Criminalizing attacks against information systems in the EU: the anticipated impact of the european legal instruments on the Greek legal order. Eur J Crime Criminal Law Criminal Justice 59:67 ff Mylonopoylos C (1991) Electronikoi Ipologistes kai Poiniko Dikaio (Computers and Criminal Law). POINIKA 33. Antonis N. Sakkoulas’ Publications, Athens, p 14 ff Nair A (2008) “Caveat Viewer!”: the rationale of the possession offence, international review of law. Comp Technol 22(1-2):157–164 Naziris Y (2014) “A Tale of Two Cities” in three themes –A critique of the European Union's approach to cybercrime from a “power” versus “rights” perspective. Eur Criminal Law Rev 3:319–354 Parker D (1998) Fighting computer crime, A new framework for protecting information. Wiley, New York Sieber U (2004) Computer crimes, cyber – terrorism, child pornography and financial crimes (General report). In: Spinellis D (ed) Computer crimes, cyber – terrorism, child pornography and financial crimes, reports presented to the preparatory colloquium for the round Table II of the 17th International Congress of Penal Law (Beijing, 2004), Athens, pp 11–50 Speer D (2000) Redefining borders: the challenges of cybercrime. In: Crime, law and social change, vol 34. Kluwer Academic Publishers, Amsterdam, pp 259–273 Strossen N (2000) Cybercrimes vs cyberliberties. Int Rev Law Comp Technol 14:11–24

15

Combatting the Cybercrime: Thoughts Based on the Second Additional. . .

375

T-CY Cybercrime Convention Committee (2014) Assessment report: the mutual legal assistance provisions of the Budapest Convention on Cybercrime, 3-12-2014, https://rm.coe.int/ 16802e726c, Accessed 18 July 2020 T-CY Cybercrime Convention Committee (2017) Terms of reference for the preparation of a draft 2nd additional protocol to the Budapest Convention on Cybercrime, 9-6-2017, https://rm.coe. int/terms-of-reference-for-the-preparation-of-a-draft-2nd-additional-proto/168072362b, Accessed 18 July 2020 T-CY Cybercrime Convention Committee (2018) Conditions for obtaining subscriber information in relation to dynamic versus static IP addresses: overview of relevant court decisions and developments, 25- 10-2018, https://rm.coe.int/t-cy-2018-26-ip-addresses-v6/16808ea472, Accessed 18 July 2020 T-CY Cybercrime Convention Committee (2019a) Preparation of a 2nd additional protocol to the Budapest convention on cybercrime, 8-11-2019, https://www.coe.int/en/web/cybercrime/t-cydrafting-group, Accessed 18 July 2020 T-CY Cybercrime Convention Committee (2019b) Enhanced international cooperation on cybercrime and electronic evidence: towards a protocol to the Budapest convention, 15-92019, https://rm.coe.int/t-cy-pd-pubsummary-v6/1680795713, Accessed 18 July 2020 T-PD Consultative Committee of the Convention for the Protection of Individuals with regard to automatic processing of personal data (2019) Opinion on 2nd additional protocol, 20 – 11 - 2019 https://rm.coe.int/t-pd-2019-8fin-opinion-second-additionnal-protocol/168098e42a, Accessed 18 July 2020 Williams M (2006) Virtually criminal – crime, deviance and regulation online. Routledge, London Yar M (2006) Cybercrime and society. SAGE Publications Ltd, Thousand Oaks. https://doi.org/10. 4135/9781446212196

Chapter 16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England: Identification of the Offence and the Need for Legislative Regulations and Prevention Nikolaos Z. Zeniou

Abstract ‘Revenge Porn’ is described as a very serious issue because of its detrimental consequences on victims and society as a whole. This situation generated the need for direct measures which could tackle the issue. However, despite its gravity and severity, the adopted criminal law responses, particularly in England and Cyprus, seem to be misleading, unsatisfactory and inadequate for various reasons. At the same time, the preventive techniques, in these countries, could be described as problematic, unable, in that way, to prevent the commission of the offence by future offenders and protect their potential victims from further damage. This chapter focuses on these issues and, by referring to theorists, reports and researches, attempts to identify the offence and its seriousness. Subsequently, comparing the law in England and Cyprus suggests various legislative improvements and practical, preventive solutions, which could be used to provide coherent and efficient responses to the aforementioned offence.

1 Introduction During the last years, researches indicated that more and more people report incidences of, as it is generally known, ‘Revenge Porn’1 and seek for help. In fact, according to Julia Davidson et al., within the first eight months since the criminalisation of this non-consensual distribution, in 2015, there were over 1000 reports of ‘Revenge Porn’ in England and Wales.2 Simultaneously, the offence The term ‘Revenge Porn’, although inappropriate, as it will be explained, is used throughout this chapter for referencing purposes, because this phenomenon is internationally known as ‘Revenge Porn’ and is used to describe it. 2 Davidson et al. (2019), p. 49. 1

N. Z. Zeniou (*) Criminal Law and Criminal Justice, The University of Edinburgh, Edinburgh, UK Nicosia, Cyprus © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_16

377

378

N. Z. Zeniou

showed an increasing trend in 2016.3 At the same time, in 2017, the number of calls received by the United Kingdom’s ‘Revenge Porn Helpline’, from potential victims who sought assistance, was over 1000.4 Based on the prevalence of ‘Revenge Porn’ in the recent era, the present chapter engages in a thorough analysis of this phenomenon. As such, Sect. 2 presents ‘Revenge Porn’s’ background. More specifically, Sect. 2.1 identifies the issue by providing a definition and, subsequently, frames the high rates of women’s victimisation by presenting various researches and statistics. Simultaneously, Sect. 2.2 highlights its various detrimental consequences on victims and society as a whole, in an attempt to underline its severity. Thus, in terms of victims, this section outlines the inflicted physical and mental harm and the violation of their fundamental human rights, such as the right to dignity, privacy and expression, while, in terms of societal damage, discusses the promotion of biased cultural views, which undermine the responsibility of perpetrators, creating, in that way, victim-blaming approaches. In light of the above, Sect. 3 demonstrates the immediate need for improvement by providing practical suggestions on a terminological, legislative and preventive level. Thus, Sect. 3.1 identifies the terminological issues, through the wording ‘Revenge Porn’, which ignores its true nature, and suggests its immediate substitution with ‘Image-Based Sexual Abuse’, which recognises it directly as an abuse of sexual nature. Moreover, Sect. 3.2 focuses on a legal analysis in a legislative context of ‘Revenge Porn’ in England and Cyprus. As such, Sect. 3.2.1 outlines the English legislation and mentions the immediate need for further improvement, namely the substitution of motive requirements with intention, which could be proved helpful for potential prosecutions as the current restricted scope of the law will be avoided. Subsequently, Sect. 3.2.2 argues that Cyprus should address the issue in an indirect way as it seems that there is no specific criminal legislation against ‘Revenge Porn’. Hence, it suggests the creation of a new criminal offence based on English standards. Furthermore, Sect. 3.2.3 raises awareness regarding the behaviour of bystanders and ‘Sextortion’ tactics and proposes their criminalisation in both England and Cyprus, which is currently absent. Simultaneously, it emphasises the necessity of an exception on public interest as this would be able to provide an enhanced protection to victims. Nevertheless, Sect. 3.3 focuses on preventive measures, on a technological level, which could be proved helpful in preventing further harm to victims. In the end, a conclusion will be reached supporting ‘Revenge Porn’ as a crucial issue and necessitating the implementation of these suggestions in order for the negative outcomes to be combatted and restricted sufficiently and effectively.

3 4

Ledward and Agate (2017), p. 41. Baggs (2018).

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

379

2 The Phenomenon of ‘Revenge Porn’: Identification and Its Consequences on Victims and Society 2.1

Defining and Identifying the Background of ‘Revenge Porn’

According to various theorists, although ‘Revenge Porn’, as a term created by the media,5 ‘is not a new phenomenon’,6 its impact and prevalence have been amplified in the recent era.7 From a critical point of view, this seems to be actually based on (a) the rapid development of the Internet and the excessive use of technological means, which, inter alia, facilitated the creation of thousands of websites hosting ‘Revenge Porn’ material8 and, at the same time, made the identification of those who posted and shared it an extremely difficult task,9 particularly because of their online anonymity,10 and (b) the contemporary types of sexual expression, such as sexting.11 More specifically, ‘Revenge Porn’ refers to the distribution on the Internet or via the assistance or utilisation of ‘communication technologies’12, such as mobile phones, of sexual material, such as sexual videos or images, without the necessary consent of the individual who engages in such sexual actions.13 Narrowly defined, this distribution is often used in the context of a sexual relationship among people, in which a vengeful partner wants to revenge his/her ex-lover for the breakup of their relationship.14 However, this is not the only scenario, as it will be explained below. Simultaneously, it must be observed that the underlying factor that triggers the commission of the offence is the non-consensual distribution of the aforementioned material and not the recording of a video or the taking of a photograph per se. Therefore, the offence may be committed even though the recording or the taking is consensual. Additionally, regarding victimisation, the vast majority of victims are women,15 whereas those who are more likely to commit the offence against them are men.16 In this context, it has been argued in the literature that the consequences of ‘Revenge Porn’, as they will be described below, have a greater impact on women rather than

5

Henry et al. (2017), p. 3. Pegg (2018), p. 513. 7 Kamal et al. (2016), p. 361. 8 The Economist (2014). 9 Love (2013). 10 Van Der Wilk (2018), p. 26; Powell and Henry (2017), p. 256; Roberts (2008), p. 278. 11 Humbach (2014), p. 215. 12 Henry and Powell (2016), pp. 1–2. 13 Franklin (2014), p. 1303. 14 Scheller (2015), p. 558. 15 Sharatt (2019), p. 5; Kitchen (2015), p. 249; Eaton et al. (2017), pp. 12–14. 16 Sharatt (2019), p. 15. 6

380

N. Z. Zeniou

men.17 Moreover, another factor that could support the view that women are highly victimised is that, according to the United Kingdom’s Government Equalities Office, over 70% of those who called the Helpline, in 2015, were women rather than men.18 Based on the aforementioned statistics, it could be argued that, although men could also be victims, the offence seems to be gender based as the majority of them are women. Nevertheless, in many cases, ‘Revenge Porn’ is accompanied by two further practices used by the perpetrators, namely ‘Doxing’ and ‘Sextortion’. Concerning ‘Doxing’, this refers to cases in which perpetrators, alongside the distributed image or video, also publish victims’ various personal details,19 such as their full name, email address, home address and phone numbers.20 For instance, in 2013, a research conducted by the Cyber Civil Rights Initiative indicated that over 55% of the respondents/victims found their full name alongside the published material.21 As a matter of fact, victims are subject to greater harm22 as they could be identified effortlessly, either online of offline. Concerning ‘Sextortion’, this includes perpetrators’ threats to distribute the material for various reasons,23 such as if the victim wants to report the incident to the police.24 For instance, in some rape cases, rapists record the rape, threating, on a later stage, the victim with publication, in their attempt to discourage them from seeking police assistance.25 Generally, ‘Sextortion’ is another method that elevates the inflicted harm to victims, as they will be described below.26

2.2

The Detrimental Consequences on Victims and Society

Because of the material’s sexual and private nature, it has been acknowledged that ‘Revenge Porn’ inflicts a wide set of detrimental harms, which underlines its severity and the immediate need for effective and sufficient responses. More specifically, the first set of harms is caused to the victims. Sometimes these harms last for long as the material is uploaded on the Internet for an indefinite period

17

Pina et al. (2017), p. 31. Government Equalities Office (2015). 19 Logan and Gozen (2018), p. 253; Regina v. Connor Douglas Allsopp [2019] EWCA Crim 95, para.7. 20 Franklin (2014), p. 1323. 21 Cyber Civil Rights Initiative (2013). 22 Souza (2016), p. 107. 23 Wolak et al. (2017), p. 1. 24 Simpson (2014). 25 Franks (2015), p. 3. 26 Wolak and Finkelhor (2016), p. 2. 18

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

381

of time27 and towards an indeterminate range of people, making the humiliation that victims feel28 even greater, affecting, subsequently, the development of their lives.29 Hence, concerning also ‘Doxing’ and ‘Sextortion,’ victims are often subject to various forms of sexual assault, online and/or offline stalking, and harassment, as they can be identified through their personal information, and face loss of employment.30 Moreover, ‘Revenge Porn’s’ consequences on their mental health are profound as they experience severe psychiatric disorders, such as post-traumatic disorder, depression, severe anxiety,31 panic attacks32 and suicidal thoughts.33 Moreover, some victims consume drugs to ‘self-medicate’34 in order to overcome the mental suffering. However, in some instances, these harms are described, according to Franks, as ‘irreversible’35 because, inter alia, some victims commit suicide.36 An illustrative example could be found in the infamous case of Audrie Pott, in which an American teenager, Audrie, was found hanged in her shower after the online distribution, without her consent, of her nude images by some of her classmates.37 Nevertheless, it must be mentioned that the mental consequences caused by ‘Revenge Porn’ are similar to those caused by other sexual offences, such as rape and sexual assault.38 From a critical point of view, this seems to be an extremely important factor, in favour of the classification of ‘Revenge Porn’ as a sexual offence. Additionally, from a legalistic perspective, ‘Revenge Porn’ violates victims’ fundamental human rights as well. In fact, victims’ right to dignity, in the sense that they have to be treated with respect, is transgressed because are ‘dishonoured through a failure to show respect, through the treatment of others as less than creatures of inherent worth’.39 Subsequently, their right to privacy is severely infringed as the confidential character of this material is breached and eradicated40 through its unauthorised publication. In a similar vein, the right of victims’ expression, in the sense that a consensual sharing of sexual material constitutes a type of

27

Cecil (2014), p. 2523. Bates (2017), p. 23. 29 Citron (2014), p. 11. 30 Ronneburger (2009), p. 9. 31 Bates (2017), p. 31. 32 Amnesty International (2017). 33 Sophia Ankel (2018). 34 Sturza and Campbell (2005), p. 353. 35 Franks (2015), p. 2. 36 Citron and Franks (2014), p. 372. 37 Revesz (2016). 38 Bates (2017), p. 39. 39 Reaume (2003), pp. 31–32. 40 Solove (2010), pp. 15, 20. 28

382

N. Z. Zeniou

sexual expression,41 is restricted as, in many instances, they are pushed to stop sending images or videos to their partners.42 Furthermore, ‘Revenge Porn’ produces devastating consequences on the society as a whole as it promotes problematic and biased cultural approaches. In some instances, these incidents are seen as jokes by ‘misunderstood tricksters’43 on ‘hypersensitive’ victims.44 Inevitably, this perception results in the naturalisation and simplification of these practices,45 which see no fault when the sexual autonomy of someone is violated.46 Hence, this may lead to the perception that complaints/ reports should not be taken into account.47 Additionally, the biased approaches offer a breeding ground sometimes for victim-blaming views,48 in the sense that victims could be considered as naïve, for taking, sending or consenting to the recording of sexual material,49 and, thus, the only responsible for their suffering.50 Understandably, these views do not address in an explicit and clear way perpetrators’ responsibility for the non-consensual distribution.51 Consequently, one of the main examples that may sign the cultural harm could be found in the various degrading and insulting viewer comments52 regarding, inter alia, the victims’ appearance on a specific image or video.

3 Terminology, Criminal Law in England and Cyprus and the Need for Preventive Measures Based on what has been stated so far throughout this chapter, it is apparent, from a critical point of view, that ‘Revenge Porn’ is an extremely crucial issue, particularly because of its prevalence in the recent era and the detrimental consequences on the victims and society. As a matter of fact, there is an immediate need for direct and sufficient responses, which will improve the various issues that arise, on a terminological, legal and preventive level.

41

Cruz and Miguel (2014), pp. 139–147. Jackson (2016). 43 Jane (2014), p. 539. 44 Ibid. 45 Franks (2006), p. 194. 46 Waldron (2012), pp. 90–91. 47 Kelly (1988), p. 104. 48 Scott and Gavin (2019), p. 263. 49 Star and Lavis (2018), p. 428. 50 Salter et al. (2013), p. 312. 51 Powell and Henry (2017), p. 240. 52 Franks (2011), pp. 258–260. 42

16

3.1

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

383

The Importance of an Accurate Terminology

One of the most important issues of ‘Revenge Porn’ could be found on its own terminology.53 The word ‘revenge’ is highly problematic as it restricts sharply the scope of the offence between ex-partners who are motivated solely by vengeance.54 However, as noted earlier, this is not the only case. In fact, there are various scenarios and motives that may trigger the commission of the offence other than revenge. These other motives could be, inter alia, blackmailing for monetary or sexual purposes, intimidation55 and coercion, which, sometimes, aims to facilitate human trafficking by pushing victims into the sex trade.56 Therefore, one of the most important consequences of this conceptualisation is, from a critical point of view, that the public, legislators and law enforcement agencies cannot be fully aware of the other motives that may accompany the commission of this offence because they are trapped in the word ‘revenge’. Hence, a reasonable question may arise as to how they are going to tackle the offence since they ignore its true nature. Additionally, the word ‘revenge’ promotes, even implicitly, the blaming of the victims57 by assuming that they did something wrong to the perpetrators, which created their desire to revenge,58 mitigating, in that way, their responsibility. Accordingly, the term ‘porn’ is problematic as although some academics would be able to support it as being itself abusive because it ‘is the graphic sexually explicit subordination of women’,59 the term refers more to something that is considered as consensual or chosen, that is, for instance, adult commercial pornography.60 In a similar vein, the aforementioned problem regarding terminology could be found in ‘child pornography’ cases, in which the word ‘pornography’ has been characterised as inappropriate since it implies that the depicted sexual activities, involving children, were consensual rather than abusive.61 Therefore, it undermines and ignores significantly ‘Revenge Porn’s’ aforementioned harm caused to the victims.62 Consequently, it is suggested the substitution of ‘Revenge Porn’ with the term, as McGlynn and Rackley underlined, ‘image-based sexual abuse’63 because it could be proved beneficial for future policies, by reversing the confusing effects of ‘Revenge Porn’. Through the word ‘sexual’, the offence is identified and classified as a form of sexual crime, which, in turn, deals in a more direct way with the true nature of the 53

Suzor et al. (2017), p. 1059. Maddocks (2018), p. 347. 55 Henry et al. (2017), p. 3. 56 Bartow (2008), p. 818. 57 Bates (2017), p. 40. 58 Maddocks (2018). 59 MacKinnon (1984), p. 321, fn.1. 60 McGlynn et al. (2017), p. 38. 61 Gillespie (2011), p. 2. 62 McGlynn and Rackley (2017), p. 536. 63 Ibid, p. 537. 54

384

N. Z. Zeniou

offence as the distributed material is sexual images and/or videos. Moreover, the word ‘abuse’ emphasises the devastating harm that it causes64 to victims’ lives, while the term ‘image-based’ underlines the technological means that are primarily used for its commission, such as mobile phones,65 which may encourage experts to develop more robust technological approaches to face the problem. In that way, the confusion regarding consent, through the term ‘porn’, and motives, through ‘revenge’, is totally vanished, and a fertile ground for the consideration of a more general view of the offence is offered. Inevitably, the connection that will be established through this change with the other forms of sex crimes and motives will raise the awareness of the public, legislators and law enforcement by underlining its importance and will lead to more adequate public perceptions, strategies and legal responses66 as the context of sex crimes, which are very serious, will shape the debates and regulations. At this point, it must be noticed that terminological issues of ‘Revenge Porn’ must not be considered as a simple linguistic mistake. Their solution, through this suggestion, is pivotal because terminology is a key factor that contributes in a very direct way to the public’s view, influences the view that legislators have for these offences and, furthermore, has an impact on the police’s way of dealing with victims.67 For instance, if ‘Revenge Porn’ causes confusion as to its nature and consequences, the police may not give appropriate weight on victims’ complaints by thinking that this is something less important.68 Therefore, it is advised that the term ‘image-based sexual abuse’, as developed by McGlynn, must be promoted through the media and implemented in the law.

3.2

The Inadequate Criminal Law Responses in England and Cyprus

Generally, the law plays a pivotal role in combatting various issues as it sends particular messages to society, through which, as McGlynn and Rackley pointed, ‘it can affirm . . . existing norms as well as articulating new ones’.69 Because of ‘Revenge Porn’s’ seriousness, various states have adopted specific criminal legislation that directly addresses the offence, whereas some others provide an indirect response, through other laws. In this context, England and Cyprus, although based on the same legal system, that is common law, follow a different approach.

64

Henry et al. (2017), p. 4. Calvert (2014), p. 678. 66 McGlynn and Rackley (2017). 67 Powell and Henry (2017), p. 203. 68 Bates (2017), p. 40. 69 McGlynn and Rackley (2017), p. 552. 65

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

3.2.1

385

Combatting ‘Revenge Porn’ in England and Wales

England and Wales have already implemented specific criminal legislation against ‘Revenge Porn’, which dictates that ‘It is an offence for a person to disclose a private sexual photograph or film if the disclosure is made—(a)without the consent of an individual who appears in the photograph or film, and (b)with the intention of causing that individual distress’.70 Despite the positive fact that specific criminal legislation exists that provides criminal sanctions, this provision seems to be problematic. One of the most important problems that must be resolved could be found in the mens rea requirement that the law dictates, that is the ‘intent to cause distress’.71 The issue that can be observed at this point is that legislation confuses the terms intention and motive.72 In fact, it is totally focused on motive, ignoring the fact that these two terms are significantly different in common law.73 Indeed, intention provides adequate answers as to how the accused engaged in a certain action, intentionally or unintentionally, while motive on why they acted in such a way.74 Therefore, it has been accepted, as Ashworth stated, that intention refers to the purpose, aim or objective of the defendants,75 in the sense that they aimed to cause the consequences of their behaviour.76 For instance and in simple words, in murder cases, the intention is interpreted as the accused’s purpose to kill its victim.77 As a result, it is suggested that the law should change its focus from the requirement of motive to the requirement of intention78 because, as it was stated above, motives may vary. Hence, from a critical perspective, it could be argued that, according to the current law, if the perpetrator engaged in such a conduct with the ‘intention’ to gain money or coerce or for sexual purposes but not to ‘cause distress’, then the offence will not be proved. Probably this was one of the reasons that, in 2016, 61% of ‘Revenge Porn’ reports did not result to prosecutions.79 Consequently, a new provision that will state that the perpetrators had the intention to publish the material, in the sense that it was their purpose to distribute it online or offline,80 will provide the law with a more solid

70 Criminal Justice and Courts Act 2015, section 33 (England and Wales); Generally, in the United Kingdom there is criminal legislation dealing with the offence. For instance, Abusive Behaviour and Sexual Harm Act 2016, section 2 (Scotland) and Justice Act (Northern Ireland) 2016, section 51. 71 Criminal Justice and Courts Act 2015, Section 33 (1) (b). 72 Franks (2015), p. 5. 73 Smith and Hogan (1988), pp. 78–80. 74 Salmond (1913), pp. 338–339. 75 Ashworth (2009), p. 174. 76 Coffey (2009), p. 413. 77 Parsons (2000), p. 5. 78 Franks (2017), p. 1289. 79 Sherlock (2016). 80 Franks (2017), p. 1284.

386

N. Z. Zeniou

approach of intention based on common law standards, and it will have the potential to prosecute and convict, when proven guilty beyond any reasonable doubt, those who share these images, regardless of their motives. 3.2.2

‘Revenge Porn’ in Cyprus: An Ineffective Response

Contrastingly, it seems that there is no specific criminal legislation in Cyprus that deals with ‘Revenge Porn’ directly. Thus, in the absence of any academic, prosecutorial and judicial guidance, the legal basis for prosecutions and convictions remains on a theoretical level. In this context, from a critical point of view, it seems that two legislative grounds could be possibly used by the authorities to justify a prosecution. Therefore, the first ground could be found on the legislation, regarding the protection of personal data.81 More specifically, the law dictates that ‘a person who, without right intervenes, in any way, in a filing system or acquires knowledge of the personal data thereof or removes, alters, damages, destroys, processes or uses in any way, discloses, communicates, renders them accessible to non-authorised persons or allows these persons to acquire knowledge of the said data, for gainful purposes or not’ is subject to imprisonment or fine or both.82 However, critically assessed, it seems that this is not a satisfying approach. Although the sexual life of a natural person is considered a special category of personal data and its processing without this person’s explicit consent is an unlawful act,83 this law has different objectives and victims in mind, namely the protection of those to whom various data, in the context of privacy, were disclosed, without their authorisation. Instead, from a critical perspective, the underlying principle of sexual laws is to protect, inter alia, the sexual autonomy, dignity and expression of victims rather than solely their privacy. Therefore, it seems that these provisions’ applicability to the area of ‘Revenge Porn’ is not well known to victims and potential defendants. This is verified by the fact that key terminology on sexual offences, such as the fundamental concept of ‘consent’, as it is framed in sexual laws, is utterly absent. Consequently, their effectiveness could be questioned. Second, as a matter of fact, it fails to address the sexual nature of the offence and recognise it as a form of sexual crime and sexual abuse because it does not treat it as such. Instead, via the aforementioned provision, it seems that it undermines it by conceptualising and labelling it strictly as an infringement of privacy. Therefore, plausible questions arise as to how this legislation is going to combat effectively ‘Revenge Porn’ since it misrepresents it and ignores its true sexual nature84 and its detrimental consequences.

81

Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of such Data (LAW 125 (I)/2018). 82 Law 125 (I)/2018, Article 33 (1) (k) and Article 33 (2). 83 General Data Protection Regulation 2016/679, Article 9. 84 The sexual nature in the context of ‘Revenge Porn’ is based on the materials’ content, such as sexual activities and sexual/nude posing.

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

387

Additionally, someone could suggest that another possible ground is the legislation regarding obscene publications.85 The law dictates that publication covers a wide range of actions, such as printing, distributing, circulating, selling and hiring obscene articles.86 In turn, obscene articles are considered as those which impact tends to cause depravity and corruption on persons that are likely to use, handle, read, view or listen to the article or to its content.87 However, from a critical view, this does not seem to be an adequate approach. First, this law was enacted in 1963, and its last update occurred 20 years ago. Therefore, it seems that it was implemented in an era during which ‘Revenge Porn’ was an utterly unknown situation, particularly because of the lack of technological development, the absence of new types of sexual expression and the totally different societal attitudes. Thus, it seems that it is outdated and unable to capture the contemporary context and behaviours related to ‘Revenge Porn’. Second, the law, as it is written, is almost the same with the English Obscene Publications Act of 1959.88 As it was mentioned earlier, ‘Revenge Porn’ was criminalised in England and Wales in 2015. Therefore, this in an indicator that this legislation was not put into force to combat such offences as even in England, from which the Cypriot law was adopted, it was not used for the prosecution of ‘Revenge Porn’ prior to 2015. Third, the requirement of causing depravity and corruption on those who had any type of contact with such material, without any reference to the existence or not of the depicted person’s/victim’s consent, strengthens the aforementioned view. Understandably, it could be stated that its aim was to cover different offences and victims, such as cases in which a person publishes commercial pornographic material, online or offline, without taking the appropriate measures to prohibit their access by people vulnerable to this material, such as children, to whom it could cause corruption or depravity by watching it. Consequently, it could be stated that this law is inappropriate to combat ‘Revenge Porn’ because, as with personal data, it fails to capture its precise nature since its primary aim is different. Hence, it undermines it, misrepresents it and ignores its consequences. In light of the above, it is suggested that Cyprus has to follow the English example. More specifically, the creation of a separate criminal offence, titled ‘Image-Based Sexual Abuse Offences’, under the Criminal Code (CAP 154), for reasons mentioned earlier, against ‘Revenge Porn’ is urgent. In this context, the actus reus must remain the same, as in English law, that is the non-consensual disclosure of a private sexual image or video. However, in terms of mens rea, Cyprus must

85

Publication of Obscene Articles Law (LAW 35/1963). Ibid, Article 3. 87 Ibid, Article 2. 88 Exporama Trading LTD v. The Police, and Nicolas Giorgallides v. The Police, Cr. App. 7477/ 7478, Judgement of 26 March 2004. 86

388

N. Z. Zeniou

avoid the consideration of motives and implement directly the intention requirement, as it was analysed in the context of English law.89 3.2.3

Addressing Bystanders, ‘Sextortion’ and the Exception of Public Interest

Despite the above, the legislation regarding ‘Revenge Porn’ needs further improvement in order to provide a more sufficient protection to the victims. It is obvious that the issues of bystanders, those who contribute to the further distribution of the image by sharing and commenting on the material, are not addressed. This could be based on the assumption that these acts are not sufficient to be criminalised because they are ‘routine sharing of images on social networking sites’.90 However, it is suggested that an opposite approach must be adopted. This is based on the fact that through bystanders’ practices, that is through further sharing, the inflicted harm on victims is aggravated and becomes even more damaging because the material gets widely available to even more people.91 Under this context, the suggestion is based on the creation of a criminal provision with criminal sanctions and, thus, a criminal record on bystanders who know that the material is non-consensually distributed but willingly and purposely decide to share it, as for instance in a case where the bystanders are the friends of the accused. Alternatively, a plausible approach is the creation of an administrative offence, which will impose a warning or fine, without criminal records. This measure could be proved helpful, particularly when the bystanders are adolescents and, hence, the avoidance of criminal records is crucial for their future. Additionally, it is suggested the implementation of the word ‘threat’, in terms of actus reus, which is currently absent, as this will cover the sextortion tactics, providing a ground for the prosecution and conviction of those who use threats to distribute the material. Scotland criminalises ‘Sextortion’92 and constitutes a helpful example, which could be used by England and Cyprus for their future policies. ‘Sextortion’ is a very important issue as it causes severe damages on the physical and mental health of the victims,93 and its regulation is urgent. Nevertheless, it is also suggested, in terms of criminal legislation, the implementation of a crucial exception to the aforementioned distribution, that is, as Franks 89 At this point, it must be mentioned that Copyright Law could also be used in combatting ‘Revenge Porn’ to some extent, as the victim is the co-author of the material and, thus, any non-consensual distribution is an offence. However, this approach is not without its drawbacks, since Copyright Law protects intellectual property rights and, hence, undermines the true nature of ‘Revenge Porn’, by labelling it solely an infringement of intellectual property, rather than a form of sexual abuse. For a more detailed discussion on Copyright Law, see Levendowski (2014) and McGlynn (2017). 90 Scottish Government (2015). 91 Bambauer (2014), p. 2029. 92 Abusive Behaviour and Sexual Harm (Scotland) Act 2016, Section 2 (1) (a). 93 Wolak and Finkelhor (2016), pp. 31–33.

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

389

mentioned, disclosure ‘made in the public interest’.94 In this context, it has been acknowledged that ‘the right to privacy does not prohibit any publication of matter which is of public or general interest’.95 Thus, although the notion of public interest in common law systems is vague,96 this exception could be proved particularly helpful in cases in which the victim’s relatives, friends or partner who is aware of the material decides to send it to the authorities or organisations97 without the victim’s consent, with the intention of ‘having it removed’98 on behalf of the victim. Hence, potential criminal procedures for such a non-consensual distribution will be avoided as the underlying purpose for their actions was the victim’s protection from further damage. At this point, it is noted that public interest will be decided according to the particular facts of each case.

3.3

Prevention: The Role of Technology

The legislative and terminology measures, which frame the whole legal context against ‘revenge porn’, are not enough to combat it because, from a critical point of view, they are a tool that, most of the time, can be used after the commission of the offence and the damage done on the victim. Other suggestions must aim toward prevention, particularly through technology. Considering the technological measures, it is observed that some existing techniques, such as ‘hash’, which is used for the detection of child pornography,99 could be proved efficient on ‘revenge porn’ as well. According to the literature, when an image is uploaded on the Internet, it has a key or, as it is also known, digital fingerprints.100 This digital fingerprint could be, then, shared with other web service providers, which will compare it with the keys of other images in their database.101 If the key matches with the key of another image, then it means that the second material is copied, and, therefore, they will delete it from the website,102 protecting, in that way, victims from further humiliation by the sharing practices. This technique is used by Facebook as a method to address ‘Revenge Porn’ issues.103 At this point, someone could argue that the aforementioned filtering technique poses a threat to the freedom of expression of those who upload such material. However, freedom of

94

Franks (2017), p. 1286. Warren and Brandeis (1890), p. 214. 96 Langer (1988), p. 279. 97 This can occur in various ways: such as providing links, CDs and USBs. 98 Franks (2017), p. 1286. 99 Redmond (2009). 100 Franks (2017), p. 1273. 101 Ibid. 102 Ibid. 103 Seetharaman (2017). 95

390

N. Z. Zeniou

expression is not an absolute right. From a critical perspective, since this technique aims to protect, as mentioned earlier, victims from further damage, physical or psychological, as well as humiliation because of the material’s content, any restriction could be possibly justified based on public interest, as it is framed in common law countries, and the protection of the rights of others.104 Besides, there is no case law that rules that in cases of ‘Child Pornography’, which is considered as a sexual offence, a ‘hashing’ technique, for the detection of such material, violates perpetrators’ freedom of expression. Accordingly, another technological solution is by means of artificial intelligence. In simple words, artificial intelligence is a form of a program or machine with a developed way of interacting and thinking that is very similar to humans.105 This measure has the potential to flag these images automatically106 without the need for reporting by the victim and, therefore, provides better protection and prevention as the removal process will be, inter alia, faster. This particular technique was announced by Facebook in 2019 as a part of the company’s campaign to tackle ‘Revenge Porn’,107 and the results will be evaluated. Under this context, it is suggested that the Ministries of Justice, through the law, must push companies, even those smaller brands than Facebook, to implement these technological techniques in order to protect potential victims. This can happen either through the cooperation of governmental authorities with some companies or by adopting criminal laws that will establish their criminal liability in case of failure to use these techniques. As it was stated in the House of Commons, ‘companies must not be allowed to expand exponentially without constraint or proper regulatory oversight, but only governments and the law are powerful enough to contain them’.108 Consequently, promoting these techniques to various web companies and forcing them upon these companies through criminal legislation or cooperation is crucial for the prevention of further damage on victims.

4 Conclusion In conclusion, it seems that ‘Revenge Porn’ is a very serious offence, with increasing trends in the recent years, committed predominantly by male perpetrators against female victims. Furthermore, it causes detrimental harm to both victims and society

104

For instance, the Constitution of Cyprus, on Article 19 dictates that freedom of expression could be restricted for ‘the public order or the public health or the public morals or for the protection of the reputation or rights of others’. The term ‘protection of right of others’ could, possibly, include, inter alia, victims’ right to dignity, in terms of ‘Revenge Porn’. 105 Dilek et al. (2015), p. 23. 106 Ibid. 107 Salinas (2019). 108 House of Commons (2019), p. 5.

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

391

as whole, dictating, in that way, the urgent need for sufficient, holistic responses and an improvement on a terminological, legislative and preventive level. In this context, the substitution of the term ‘revenge porn’, which misrepresents its nature, with the ‘image-based sexual abuse’ is crucial as it will label the offence as a form of sexual abuse, framing, in that way, future and current policies from a different basis. Subsequently, the legislative improvements, namely the replacement of motive with intention in England, the creation of a new offence in Cyprus based on English standards, the liability of bystanders, the consideration of ‘sextortion’ and the exception of public interest, will play a major role for a more coherent legislation, which will provide enhanced protection to victims. Furthermore, the compulsory, that is through law, adoption of specific methods, such as ‘hashing’ and artificial intelligence, is crucial for the policy of this offence as they have the potential to prevent further damage on victims. In the context of prevention, it is submitted that there is a need for further research regarding the potential benefits of education in combatting ‘Revenge Porn’, through educational programmes that will contribute to the changing of the problematic cultural approaches.109 Arguably, ‘Revenge Porn’ must be combatted in a more direct way. It must be clear that criminal law is not a panacea nor the perfect solution. Therefore, despite the necessity of effective criminal laws, prevention seems to be the key for the protection of victims. Currently, ‘Revenge Porn’ constitutes a Damocles’ sword against those who decide to express their sexuality through sexual images or videos, threating them with detrimental consequences on every aspect of their life. Because of this, legislative and preventive measures must be improved. Hence, the aim of any possible and future change that may occur in terms of combatting ‘Revenge Porn’ must be to help—to help justice, to help those who suffer, to help those who fight for something that for the majority of people is self-evident: their right to live with dignity, ‘free from harassment, abuse and instances of revenge porn’.110 Otherwise, their presence and future will be jeopardised.

References Amnesty International (2017) Amnesty reveals alarming impact of online abuse against women. Available https://www.amnesty.org/en/latest/news/2017/11/amnesty-reveals-alarming-impactof-online-abuse-against-women/. Accessed 15 Apr 2020 Ankel S (2018) Many Revenge Porn victims consider suicide: why aren’t schools doing more to stop it?. The Guardian. Available https://www.theguardian.com/lifeandstyle/2018/may/07/ many-revenge-porn-victims-consider-suicide-why-arent-schools-doing-more-to-stop-it. Accessed 15 Apr 2020 Ashworth A (2009) Principles of criminal law, 6th edn. Oxford University Press, New York

109

Citron and Norton (2011), pp. 1473–1476; Goldsworthy and Raj (2016), p. 43; Carmody (2014), pp. 150–169; Powell and Henry (2017), p. 255; Jones and Mitchell (2015), p. 2064; Gillespie (2015), p. 875. 110 MM v. BC [2016] NIQB 60, para. 8.

392

N. Z. Zeniou

Baggs M (2018) Revenge Porn: what to do if you’re a victim. BBC. Available https://www.bbc. com/news/newsbeat-42780602. Accessed 15 Apr 2020 Bambauer D (2014) Exposed. Minn Law Rev 98:2025–2102 Bartow A (2008) Pornography, Coercion and Copyright Law 2.0. Vanderbilt J Entertain Technol Law 10:799–840 Bates S (2017) Revenge Porn and mental health: a qualitative analysis of the mental health effects of Revenge Porn on female survivors. Fem Criminol 12:22–42 Calvert C (2014) Revenge Porn and freedom of expression: legislative pushback to an online weapon of emotional and reputational destruction. Fordham Intellect Prop Media Entertain Law J 24:673–702 Carmody M (2014) Sexual violence prevention educator training. In: Powell A, Nicola H (eds) Preventing sexual violence: interdisciplinary approaches to overcoming a rape culture. Palgrave Macmillan, New York, pp 150–169 Cecil A (2014) Taking back the internet: imposing civil liability on interactive computer services in an attempt to provide an adequate remedy to victims of non-consensual pornography. Wash Lee Law Rev 71:2513–2556 Citron DK (2014) Hate crimes in cyber space. Harvard University Press, United States of America Citron DK, Franks MA (2014) Criminalising Revenge Porn. Wake Forest Law Rev 49:345–391 Citron D, Norton H (2011) Intermediaries and hate speech: fostering digital citizenship for our information age. Boston Univ Law Rev 91:1435–1484 Coffey G (2009) Codifying the meaning of intention in criminal law. J Crim Law 73:394–413 Criminal Justice and Courts Act 2015 Cruz EG, Miguel C (2014) I’m doing this right now and it’s for you: the role of images in sexual ambient intimacy. In: Berry M, Schleser M (eds) Mobile media making in an age of smartphones. Palgrave Macmillan, United States, pp 139–147 Cyber Civil Rights Initiative (2013) Revenge Porn Statistics. Available http://www. endrevengeporn.org/main_2013/wp-content/uploads/2014/12/RPStatistics.pdf. Accessed 15 Apr 2020 Davidson et al (2019) Adult online hate, harassment and abuse: a rapid evidence assessment. Available https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attach ment_data/file/811450/Adult_Online_Harms_Report_2019.pdf Dilek S et al (2015) Applications of artificial intelligence techniques to combatting cyber crimes: a review. Int J Artif Intell Appl 6:21–39 Dinenage C, The Rt Hon Baroness Morgan N (2015) Hundreds of victims of Revenge Porn seek support from helpline. Government Equalities Office. Available https://www.gov.uk/ government/news/hundreds-of-victims-of-revenge-porn-seek-support-from-helpline. Accessed 15 Apr 2020 Eaton A et al (2017) 2017 nationwide online study of non-consensual porn victimisation and perpetration – a summary report. Cyber Civil Rights Initiative. Available https://www. cybercivilrights.org/wp-content/uploads/2017/06/CCRI-2017-Research-Report.pdf. Accessed 15 Apr 2020 Franklin Z (2014) Justice for Revenge Porn victims: legal theories to overcome claims of civil immunity by operators of Revenge Porn websites. Calif Law Rev 105:1303–1335 Franks MA (2006) An aesthetic theory: Adorno, sexuality and memory. In: Heberle R (ed) Feminist interpretations of Theodor Adorno. Pennsylvania State University Press, United States, pp 193–215 Franks MA (2011) Unwilling Avatar: idealism and discrimination in cyberspace. Columbia J Gender Law 20:224–262 Franks MA (2015) Drafting an effective Revenge Porn law: a guide for legislators. Available h t t p s : / / p o s e i d o n 0 1 . s s r n . c o m / d e l i v e r y . p h p ? I D ¼5481111060890890640191111140760660270210250630380870910931261151250071210

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

393

940730081110180371220160150260270641041090021101201071180450470330521251231 201090870050730790080080140260260750681140010820961241121000250061150931190 86097096120081096107082004123&EXT¼pdf. Accessed 15 Apr 2020 Franks MA (2017) Revenge Porn’ Reform: a view from the front lines. Florida Law Rev 69:1251–1337 General Data Protection Regulation 2016/679 Gillespie A (2011) Child pornography: law and policy. Routledge, Oxon Gillespie A (2015) Trust me, it’s only for me. Crim Law Rev 11:866–880 Goldsworthy T, Raj M (2016) Inquiry into the phenomenon colloquially referred to as ‘Revenge Porn’, which involves sharing private sexual images and recordings of a person without their consent, with the intention to cause that person harm. https://pure.bond.edu.au/ws/portalfiles/ portal/26013140/Final_report.pdf. Accessed 15 Apr 2020 Henry N, Powell A (2016) Technology facilitated sexual violence: a literature review of empirical research. Trauma Violence Abuse 19:195–208 Henry N, Powell A, Flynn A (2017) Not just revenge pornography: Australians experiences of image-based abuse. https://www.rmit.edu.au/content/dam/rmit/documents/college-of-designand-social-context/schools/global-urban-and-social-studies/revenge_porn_report_2017.pdf. Accessed 15 Apr 2020 House of Commons Digital, Culture, Media and Sports Committee (2019) Disinformation and fake news: final report. Available https://publications.parliament.uk/pa/cm201719/cmselect/ cmcumeds/1791/1791.pdf. Accessed 15 Apr 2020 Humbach J (2014) The constitution and Revenge Porn. Pace Law Rev 35:215–259 Jackson G (2016) Revenge Porn and the morality police: stop blaming women for being alive. The Guardian. Available https://www.theguardian.com/commentisfree/2016/feb/19/revenge-pornand-the-morality-police-stop-blaming-women-for-being-alive. Accessed 15 Apr 2020 Jane E (2014) You’re an ugly, whorish, slut: understanding E-Bile. Fem Media Stud 14:531–546 Jones L, Mitchell K (2015) Defining and measuring youth digital citizenship. New Media Soc 18:2063–2079 Kamal S et al (2016) Revenge pornography: mental health implications and related legislation. J Am Acad Psychiatry Law 44:369–367 Kelly L (1988) Surviving sexual violence. Polity Press, Cambridge Kitchen A (2015) The need to criminalise Revenge Porn: how a law protecting victims can avoid running afoul of the first amendment. Chic Kent Law Rev 90:247–299 Langer V (1988) Public interest in civil law, socialist law and common law systems: the role of the public prosecutor. Am J Comp Law 36:279–305 Ledward J, Agate J (2017) Revenge Porn and s.33: the story so far. Entertain Law Rev 28:40–42 Levendowski A (2014) Using copyright to combat Revenge Porn. NYU J Intellect Prop Entertain Law 3:422–446 Logan L, Gozen A (2018) Reporting on sensitive current events. Entertain Law Rev 29:250–254 Love D (2013) It will be hard to stop the rise of Revenge Porn. Business Insider. Available https:// www.businessinsider.com.au/revenge-porn-2013-2. Accessed 15 Apr 2020 MacKinnon C (1984) Not a moral issue. Yale Law Policy Rev 2:321–345 Maddocks S (2018) From non-consensual pornography to image-based sexual abuse: charting the course of a problem with many names. Aust Fem Stud 33:345–361 McGlynn C, Rackley E (2017) Image based sexual abuse. J Leg Stud 37:534–561 McGlynn C, Rackley E, Houghton R (2017) Beyond Revenge Porn: the continuum of image-based sexual abuse. Fem Leg Stud 25:25–46 Parsons S (2000) Intention in criminal way: why is it so difficult to find? Mountbatten J Leg Stud 4:5–19 Pegg S (2018) A matter of privacy or abuse? Revenge Porn in the law. Crim Law Rev 7:512–530 Pina A et al (2017) The malevolent side of Revenge Porn Proclivity: dark personality traits and sexist ideology. Int J Technoethics 8:30–43 Powell A, Henry N (2017) Sexual violence in a digital age. Palgrave Macmillan, Basingstoke

394

N. Z. Zeniou

Reaume D (2003) Discrimination and dignity. https://www.law.utoronto.ca/documents/Reaume/ DiscriminationandDignity.pdf. Accessed 15 Apr 2020 Redmond W (2009) New technology fights child porn by tracking its PhotoDNA. Microsoft News. Available https://news.microsoft.com/2009/12/15/new-technology-fights-child-porn-by-track ing-its-photodna/. Accessed 15 Apr 2020 Revesz R (2016) Audrie & Daisy review: Netflix documentary exposes epidemic of sexual assault culture among teenagers. The Independent. Available https://www.independent.co.uk/news/ world/americas/review-audrie-daisy-teenagers-sexual-assault-rape-documentary-powerfulsocial-media-culture-a7317381.html. Accessed 15 Apr 2020 Roberts L (2008) Jurisdictional and definitional concerns with computer-mediated interpersonal crimes: an analysis on cyber stalking. Int J Cyber Criminol 2:271–285 Ronneburger A (2009) Sex, privacy and webpages: creating a legal remedy for victims of Porn 2.0. Syracuse Sci Technol Law Rep 21:1–35 Salinas S (2019) Facebook says it made an AI tool that can detect Revenge Porn before it’s reported. CNBC News. Available https://www.cnbc.com/2019/03/15/facebook-ai-tool-detects-revengeporn-before-its-reported.html. Accessed 15 Apr 2020 Salmond JW (1913) Jurisprudence, 4th edn. Steve & Haynes Salter M, Crofts T, Lee M (2013) Beyond criminalisation and responsibilisation: sexting, gender and young people. Curr Issues Crim Justice 24:301–316 Scheller S (2015) A picture is worth a thousand words: the legal implications of Revenge Porn. N C Law Rev 93:558–595 Scott A, Gavin J (2019) Attributions of victim responsibility in revenge pornography. J Aggress Confl Peace Res 11:263–272 Scottish Government (2015) Equally safe: reforming the criminal law to address domestic abuse and sexual offences. Available https://www2.gov.scot/Resource/0047/00473932.pdf. Accessed 15 Apr 2020 Seetharaman D (2017) Facebook takes aim at Revenge Porn. Wall Street Journal. Available https:// www.wsj.com/articles/facebook-takes-aim-at-revenge-porn-1491428994. Accessed 15 Apr 2020 Sharatt E (2019) Intimage image abuse in adults and under 18s. SWGfl. Available https://swgfl.org. uk/assets/documents/intimate-image-abuse-in-adults-and-under-18s.pdf. Accessed 15 Apr 2020 Sherlock P (2016) Revenge pornography victims as young as 11. BBC. Available https://www.bbc. com/news/uk-england-36054273. Accessed 15 Apr 2020 Simpson J (2014) Revenge Porn: what is it and how widespread is the problem?. The Independent. Available https://www.independent.co.uk/news/uk/home-news/what-is-revenge-porn9580251.html. Accessed 15 Apr 2020 Smith JC, Hogan B (1988) Criminal law, 6th edn. Butterworths, London Solove D (2010) Speech privacy and reputation on the internet. In: Levmore S, Nussbaum M (eds) The offensive internet. Harvard University Press, Cambridge, pp 15–30 Souza E (2016) For his eyes only: why federal legislation is needed to combat Revenge Porn. UCLA Women’s Law J 23:101–129 Star T, Lavis T (2018) Perceptions of revenge pornography and victim blame. Int J Cyber Criminol 12:427–438 Sturza M, Campbell R (2005) An exploratory study of rape survivors prescription drug use as means of coping with sexual assault. Psychol Women Q 29:353–363 Suzor N, Seignior B, Singleton J (2017) Non-consensual porn and the responsibilities of online intermediaries. Melb Univ Law Rev 40:1057–1098 The Economist (2014) Misery Merchants. The Economist. Available https://www.economist.com/ international/2014/07/05/misery-merchants. Accessed 15 Apr 2020 Van der Wilk A (2018) Cyber violence and hate speech online against women. European Parliament. Available https://www.europarl.europa.eu/RegData/etudes/STUD/2018/604979/IPOL_ STU(2018)604979_EN.pdf. Accessed 15 Apr 2020 Waldron J (2012) The harm in hate speech. Harvard University Press, London

16

Criminal Law Responses to ‘Revenge Porn’ in Cyprus and England:. . .

395

Warren S, Brandeis L (1890) The right to privacy. Harv Law Rev 4:193–220 Wolak J, Finkelhor D (2016) Sextortion: keys findings from an online survey of 1,631 victims. Crimes Against Children Research Center. Available http://unh.edu/ccrc/pdf/Key%20Findings %20from%20a%20Survey%20of%20Sextortion%20Victims%20revised%208-9-2016.pdf. Accessed 15 Apr 2020 Wolak J et al (2017) Sextortion of minors: characteristics and dynamics. J Adolesc Health. Available http://unh.edu/ccrc/CV344-J-Sextortion-JAH-Oct-2017.pdf. Accessed 15 Apr 2020

Chapter 17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While Regulating Yianna Danidou

Abstract We live in a world full of data that are expanding at astonishing rates. Internet of Things (IoT) is one of the most significant disruptive emerging technologies, harboring the potential for massive societal impact. IoT is expected to enable mass participation of end users (individuals) in mission critical services (energy, mobility, legal, and democratic stability). Smart objects are not only drivers for change in terms of content and applications. Given their ability to potentially change in function because they can be digitally enhanced and “upgraded,” they may acquire disruptive power that could lead to serious consequences. Beyond technical aspects, the adoption of IoT and the emergence of AI have raised many new legal, policy, and regulatory challenges, broad and complex in scope. In order to address these challenges, cooperation across different sectors and among different stakeholders is essential. This chapter will be dealing only with consumer IoT devices and how these exchange data, how they process information that can lead to inferences revealing an individual/action, and what the considerations are that can be taken in terms of cybersecurity and IoT. More specifically, this chapter will discuss legal problems raised by IoT devices, like discrimination, privacy, security, consent, and liability under the General Data Protection Regulation (GDPR).

1 Introduction “The network of networks is the full-blown Internet of people and things, where every machine-to-machine connection is actually mediated human interaction” (Ernst and Young 2015). As the Internet evolves into the Internet of Things

Y. Danidou (*) European University Cyprus, School of Sciences, Department of Computer Science & Engineering and Research Associate, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_17

397

398

Y. Danidou

(IoT),1 the focus shifts from plain connectivity to a generation of data that can be acted upon to take decisions with embedded intelligence (Rayes et al. 2019). The number of things in IoT is massive and is currently estimated to 50 billion connected devices by 2020 (Cisco 2018) and will continue to expand in line with Moore’s law (Rayes and Salam 2019). The forecast of connected IoT devices and applications is estimated to exceed 67 billion by 2025. The Internet is calculated to produce 44 zettabytes of data, which is roughly 40 times more bytes of data than there are stars in the universe as we know it (Desjardin 2019). IoT devices have thrived before we have had chance to properly consider regulating them. This astonishing expansion and data growth open up Pandora’s box and unveil a field rife with targets uncovering security and privacy concerns for organizations and business leaders to overcome. IoT is the network of things based on the concept of using interconnected sensors and actuators ubiquitously connected to the Internet to collect real-time data, store them on cloud computing storage facilities, and analyze them to take action when needed or help with decision-making, control, and automation (Rayes et al. 2019). Article 29 Data Protection Party (WP29) has defined IoT as “[A]n infrastructure in which billions of sensors embedded in common, everyday devices – ‘things’ as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities” (Data Protection Party 2014). Sensors capture incredibly rich data about a person, which if analyzed can reveal significant information and even lead to unexpected inferences about one’s habits and personality. IoT forms the basis of the Fourth Industrial Revolution and the digital transformation of business and society (Lee et al. 2014). This digital transformation promises to revolutionize businesses by offering improved business processes, reducing costs and risks, improving operational efficiency, obtaining a competitive advantage, and developing rapid transformational business opportunities (Paez and La Marca 2016; Rayes et al. 2019). The current chapter will focus primarily on consumer IoT devices and not on any other industrial or enterprise-type IoT devices. Following the categorization on consumer IoT devices proposed by Peppet (2014), there are five broad categories: (1) Health and fitness sensors, which include countertop devices (such as blood pressure monitors), wearable sensors (such as smartwatches and wristbands), intimate contact sensors (such as electronic tattoos), ingestible sensors (such as an electronic pill), and implantable sensors (such as heart of blood health monitor). Other examples include Wi-Fi-connected pacemakers, insulin pumps, and pill-shaped cameras.

1 Internet of Things use cases are always involving data however, what we do care in this chapter is to explore the legal considerations raised by personal data.

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

399

(2) Automobile sensors, which include event data recorders (EDRs), consumer automobile sensor products (such as apps that sense various parameters of an automobile), and auto-insurance telematics devices. (3) Home and electricity sensors, including smart home and smart grid products that aim to provide users with information and control over their connected home appliances; an example could be smart metering, whereby personal data on household energy consumption are collected. (4) Employee sensors, which are deployed in the workplace to monitor and control employees; at the moment of writing of this book chapter, the planet is in the midst of the COVID-19 pandemic, during which employee sensors have been extensively used to track employees’ health, gathering various medical data such as body temperature as well as geolocation data to help both medical staff and state governments track the contacts of infected patients. (5) Smartphone sensors, which can be found in a variety of devices, from compasses to proximity sensors, the Global Positioning System (GPS), microphones, cameras, and more. This particular type of sensors are more prominently used considering the vast use of smartphones, and gather personal information that could be used categorized under PII, but also data that can be used to infer psychological factors amongst user’s mood, stress levels, sleep quality and type, exercise levels, physical condition. The IoT ecosystem is unique in the sense that it depends on the interconnectivity of countless devices and consumers; hence, companies will need to account for the legal rights and obligations of multiple stakeholders that are involved in the product’s life cycle (Paez and La Marca 2016). As IoT is part of a larger information and data reality, with the many processes it should be closely observed, in a holistic way, to explore how it is coupled with other technologies, processes, use cases, and organizational aspects in the legal context. At the same time, we should investigate the specifics, for example, the areas in which personal data are leveraged, personal data risks, security risks, and other risk aspects. IoT devices base their very technological nature on the intersection of the “Internet,” “things,” and “data”. Cisco refers to IoT as Internet of Everything (IoE) and proposes four key components, namely, “people,” “process,” “data,” and “things” (Cisco 2012). The ubiquitous uninterrupted Internet connectivity; at second the vast data generation, collection, transmission, and storage that varies in nature; and, lastly, the process of ensuring that the right information will be delivered to the right person or entity are important foundations that we will consider in the upcoming sections of the current chapter. Internet connectivity carries many vulnerabilities that could potentially be exploited from a cybersecurity perspective. Network security experts have stated that perfect security cannot be guaranteed while the usability of the object/thing is

400

Y. Danidou

still being met.2 The ability to sense specific information about the “thing” and the data collection process poses significant legal challenges mainly related to discrimination, online privacy, personal data protection rights and principles, consent, and liability. We believe that these legal issues will overlap, complement, and at times contradict each other.

2 Legal Issues Firstly, the nature of IoT is purely based on the exchange of sheer volume of data that can expose personally identifiable information (PII) and can even lead to inferences that could reveal a specific individual. Secondly, from a technical aspect, all IoT devices are continuously connected to the Internet in order to operate, and thus cybersecurity issues should also be taken into severe consideration. An attack on a critical infrastructure or on medical applications handling special categories of data, for example, could be catastrophic. Securing IoT is a huge scientific area on its own since securing your own device, application, system, and network is no longer adequate. Working in silos is not a valid option with IoT since devices that are not known to your network but are thirdparty devices connected to your network (business, personal, governmental, or public) can be a harmful, an example being bring your own device (BYOD) policies. The internal data of the network are exposed to third parties, and at the same time harmful data from noncorporate sources are allowed in the network, increasing vulnerabilities. Beyond the technical aspects, IoT and artificial intelligence as disruptive technologies have raised many new legal, policy, and regulatory challenges, which are quite complex.3 This chapter addresses legal concerns in the consumer’s IoT context in the EU and presents unique and pressing legal issues that consumers should be aware of and businesses should contemplate when engaging with IoT technology. It is argued that although IoT is inevitable and in fact we are currently experiencing this new hype that transforms to the present reality, there are particular legal problems that need to be taken into consideration while regulating in order to minimize their negative impact. To date, there are no regulations related to IoT to answer specific questions like what information IoT devices collect, how that information can be used, and whether data subjects have real control over their data as described under the General Data Protection Regulation (GDPR). The following sections provide an analysis of

See Kizza (2013) who stated that “there is no thing as the secure state of any object, tangible or not, because no such object can ever be in a perfectly secure state and still be useful.” and Abomhara (2015) for in-depth analysis of the vulnerabilities, threats, intruders and attacks in IoT. 3 See Floridi et al. (2018). 2

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

401

legal issues for the regulators to consider when regulating and for consumers when evaluating how and to what extent IoT technologies should be adopted.

2.1

Discrimination

Peppet (2014), in an extensive research on how to regulate the Internet of Things, stated that the Internet of Things can lead to new forms of discrimination. This can be the result of sensitive personal information collected about the user from individual consumer IoT devices and, in a larger scale, of the “sensor fusion” phenomenon.4 This phenomenon describes that “every ‘thing’ may reveal everything” (Peppet 2014; Ohm and Peppet 2016). In other words, there is a sorting of consumers that can potentially lead to unwanted discrimination. Sensor fusion and big data analysis are extensively used to analyze the massive amounts of sensor data from IoT devices. The powerful inferences extracted from the data analysis of a combination of disconnected sensing devices can lead to new forms of discrimination, e.g., racial and economic discrimination. IoT devices are generating huge amounts of rich and accurate data that are related to the consumer, their activities, their habits, their preferences, and other unique characteristics. For businesses and other economy sectors, these data are particularly powerful in economic or information contexts. The Joint Committee on Human Rights (2019) pointed out this exact risk of discrimination against some groups and individuals in the way that collected data are used. Long-established concerns about the use of collected data to discriminate in insurance or credit product context were also reported (Peppet 2014). There is a trend where employers are demanding employees to use particular IoT health and wellness trackers to report wellness data, aiming to improve employee’s health.5 This approach has been harshly criticized, mentioning “It’s technologyenhanced discrimination on steroids” (ABC News). What is important here, in terms of policy, is that the discrimination resulting from the analysis of a mixture of data gathered by organizations, including Internet searches, buying habits, behavioral data, social networks, video surveillance, and IoT device data, may be used to make important decisions that directly affect the welfare and quality of life6 of the consumer. For example, economic discrimination from financial institutions, employers, insurers, etc. can have an impact on the 4

Sensor fusion as a subset of the idea of data fusion, is a term describing the statistical advantage and accuracy that are gained when combining same-source data from multiple types of sensors (Llinas and Hall 1998). 5 See (Virgin Pulse) presenting a wellness solution for organizations’ employees. This practice has become particularly popular with the COVID-19 outbreak. As (PR Newswire Association LLC.) reports, Movista (as Software as a Service company) has launched an initiative called Project Health to facilitate businesses to track and report on employees’ health and was also proposed by commercial officers (Global Banking & Finance Review). 6 See Peppet (2014) for a more extensive analysis on this issue.

402

Y. Danidou

welfare of the consumer or disrupt consumers’ expectations.7 Think, for example, of a scenario where a consumer is rejected a loan based on IoT sensor fusion inferences or where health and life insurers fluctuate premiums according to IoT sensor data. Automated individual decision-making and profiling can lead to more accurate and quick decisions. What is alarming is the irresponsible use of profiling, which increases risks for individuals. Furthermore, to ensure fair and transparent profiling in IoT, the consumer should be informed of the profiling and the rights to object and not to be subjected to profiling. These, however, are tightly tied to consent and privacy policy availability, discussed in detail in the forthcoming Sect. 2.4.

2.2

Privacy

Privacy comes into play when IoT devices gather vast amount of rich data about a data subject and protect that information from being shared with third parties. It is clear that with consumer IoT devices, the personal data aspect is omnipresent (which could not be the case in other IoT sectors, for example, industrial IoT). It should be noted here that privacy cannot be achieved by securing individual’s PII only. Privacy concerns may arise from intentional or authorized processing of information about individuals and even from measures used to secure PII (Interagency International Cybersecurity Standardization Working Group 2018). GDPR8 provides a high level of data protection applicable in all EU member states and recognizes some privacy-enhancing techniques, like anonymization. There is a broadly acceptable residual risk of reidentification, which becomes even stronger in the big data world that we are experiencing today (Ohm 2010; Data Protection Commission Ireland 2019; The New York Times 2019); therefore, many believe that anonymization reflects an outdated approach to data protection (Solomon 2019). Data processing techniques have evolved in the recent years, and taking in consideration the rapid technological development anticipated in the years to come, these could diminish any current anonymization techniques (Data Protection Commission Ireland 2019). One would expect Internet of Things devices to comply with GDPR and when personal data of the individual consumer are collected to be pseudonymized or anonymized (if possible) before further analysis. “Singling out” should be prevented using effective anonymization techniques,9 even if inferences or linking of multiple source data is present. However, Internet of Things sensor data are particularly difficult to deidentify or anonymize. And this is because IoT devices often have

7

See Patterson and Nissenbaum (2013). See General Data Protection Regulation (GDPR) (European Parliament 2016). 9 Some anonymization techniques are “randomization,” “generalization,” “aggregation,” “data masking,” or “pseudonymization” (Križan et al. 2015). 8

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

403

entirely unique “fingerprints.”10,11 Moreover, the sensor data capture is so rich that inferences from the IoT data originating from the devices an individual possesses are expected; thus, we could conclude that privacy protection is not a straightforward task and in fact is extremely difficult to achieve. In the same vein, Professional Security Magazine Online (2020) has reported that computer scientists collected and analyzed biometric samples from 50 users and 100,000 device IDs, which were later able to be deanonymized by 70%, and harvested the biometric information of the device users. It has also been shown that even if personal data information is removed from data sets, reidentification is particularly easy, increasing the risk of consumer identification. The principle of confidentiality should apply to current and future means of communication. The ePrivacy regulation, which has not yet been officially enforced, should apply to IoT since the “things” are based on a machine-to-machine communication, which is explicitly mentioned in the ePrivacy regulation proposal (European Commission 2017). In this regulation proposal, the recommendation refers to specific safeguards in the machine-to-machine communications.

2.3

Security

Many of the consumer IoT devices were created by manufacturers that did not consider security to be a priority, possibly due to lack of knowledge on how to apply the Security System Development Life Cycle (SecSDLC).12 Economic realities for device development unintentionally foster a “race to the market” that prioritizes speed over safety (Corbin 2019a). Scholars argue that due to lower cybersecurity measures, which are attributable partly to weak economic incentives to provide software updates and support, market failures result, which have led to an accumulation of insecure hardware and software in the market.13 This is particularly difficult to deal at this stage since a huge number of such devices that have not taken any substantial steps to prevent cyberattacks are already in use by consumers; however, this should not be the end of the game. From the consumer’s perspective, it is totally impossible to compare product security, yet standardization could be a reasonable solution.

10 “Fingerprinting” refers to the cybersecurity context of the term, which describes the art of correlating different information/data sets in order to identify with high probability a software, a system, an Operating system and more. 11 Uniqueness of data subjects and re-identification from anonymized datasets have been discussed in an excellent paper from MIT researchers (De Montjoye et al. 2013). 12 The SecSDLC process involves the identification of specific threats and the risk that they represent as well as the needed implementation of security controls to counter, mitigate and manage the risk. 13 See Daley (2016), Paez and La Marca (2016) and Dean (2018).

404

Y. Danidou

The security triad known as Confidentiality, Integrity, and Availability (C.I.A.) should be reverently respected to improve the security that consumers feel and actually receive: • Data confidentiality should provide confidence to the user about the privacy of confidential information and prevent disclosure of it to unauthorized parties. • Data integrity should protect the information from interference. • Data availability should allow continuous and immediate access to the owner of the information under all circumstances. Security vulnerabilities constitute a category on their own. Potential security risks that could be exploited to harm consumers include (1) unauthorized access and misuse of personal information, (2) facilitating attacks on other systems, and (3) creating safety risks. 2.3.1

Unauthorized Access and Misuse of Personal Information

Privacy issues concerning IoT have been intensely and lengthily discussed in literature, and more specifically about consumer IoT devices.14 Consumers’ life is continuously connected, and personal data are at stake every single moment. The sheer amount of data that IoT devices can generate is staggering. Consumers feel very concerned about the possibility of their information being stolen from their smart home, with this having an impact on consumer confidence. What really raises IoT privacy issues, though, is how that information and data are being used. The increasing concerns over data security have been the main reason for IoT’s negative publicity from its early deployment. Some have characterized consumers’ fears as a science fiction scenario; however, the near past reveals the contrary bringing into light large-scale IoT security breaches. Stories of smartphones and smart home virtual assistants leaking user data have dominated the media.15 A joint academic collaboration study between US and UK academic institutions analyzed the information exposure from 81 devices located in the US and the UK. Astonishingly, the study revealed that 72 out of 82 devices shared data with third parties,16 and all devices exposed information to eavesdroppers, who could reliably infer the individual to 30/81 devices (Ren et al. 2019). Who would imagine that when purchasing a smart TV, a person’s own data are going to be harvested, shared, sold, or provided to third parties? Experiment showed that smart TVs are tracking and monitoring users daily. Shockingly, the rate in which captured information is shared with third parties is one per second (Fowler 2019). Another joint research study between US academic institutions, focusing on smart TVs and

14

See FCT Staff Report (2015). Cases include Amazon Echo (Murnane 2018; Variyar 2018; Lynskey 2019), Google home (BBC News 2019; Kari 2019; Perez 2019). 16 Parties’ names included manufacturers like Google, Amazon and Akamai. 15

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

405

Internet streaming devices, implemented a smart crawler and illuminated the fact that 89% of Amazon Fire TV channels and 69% of Roku channels included online tracking and collected information about viewing habits and preferences (Moghaddam et al. 2019). The short time to market and cost reduction regarding the production, design, and development process enhance security vulnerabilities (Frustaci et al. 2017). The size of IoT devices is a factor affecting the computational power they carry and therefore cannot support encryption and other complex security implementations and are less robust. Moreover, some of the IoT devices cannot be updated or patched once released in the market, meaning that detected security problems cannot be fixed in retrospect. IoT devices were not originally created having data privacy in mind, although this is one of the main recommendations provided by the European Union Agency for Cybersecurity (ENISA).17 Privacy by design (PbD) has been long discussed between scholars who pinched the difficulty to implement effective privacy protection policies, in the context of IoT. PbD is now a legal obligation for data controllers under Art. 25 of GDPR and is considered the next generation of privacy protection aiming to embed privacy in the design specifications of information technologies from their inception and throughout the Systems Development Life Cycle (SDLC).18 The overarching message here is that IoT manufacturers should build privacy into their products in a bottom-up approach and should adhere to the seven foundational principles.19 Some prominent security vulnerabilities are that data can be accessed while in transit between the IoT device and IoT networks, for example, from sensors to gateways and from gateways to data centers (like cloud storage). Relatedly, the security of stored information should also be mentioned since user credentials could be stolen, along with other PII information. Lack of privacy control may lead to abuse like disclosure and misuse of private data by different actors, including IoT manufacturers, data collectors, data processors, and possibly the state. 2.3.2

Facilitating Attacks on Other Systems

While IoT promises to provide convenience in our everyday activities by turning each physical object into a smart object that can take measurements, communicate with other smart objects, act intelligently, and respond to changes in the environment, additional hurdles present themselves and pose significant security risks and privacy issues. The invention of the fifth generation (5G) is coming to add the great benefits of this era and help IoT to benefit from 5G’s capability to support multiple

17

See European Union Agency for Network and Information Security (2018) Section 4.2.2. p. 37. For more see Markou (2019). 19 See the 7 foundational principles of PbD (Cavoukian 2012). 18

406

Y. Danidou

connections with high speeds. At the same time, the downside is an expanded attack surface.20 Security is a major concern dealing mainly with preventing unauthorized access to the consumer’s network and smart objects. IoT devices could be entirely controlled by unauthorized persons and from there gain access to entire networks, spreading malware and accessing IoT data. A popular example is the smart fish tank that was hacked and left a casino vulnerable to hackers.21 Proofpoint (2014) reported the first type of IoT cyberattack, where 100,000 IoT devices were zombified to launch a botnet attack, sending out 750,000 malicious emails. This section covers hacking incidents, targeted attacks, and exploits,22 which are often neglected or treated as an afterthought from the IoT industry.23 Distributed denial-of-service (DDoS) attacks24 are increasing in volume and complexity with the rise of IoT usage. In the case of Internet of Medical Things (IoMT), it has been specified that only 50% of medical device manufacturers follow the voluntary cybersecurity and best practice frameworks in existence.25 Thus, accountability for the security of IoT devices is lacking. Additionally, the size, low power, and low computational capabilities that many of these IoT devices present do not allow for encryption or other security implementations. Researchers have extensively drilled into the issue of security risks posed by the Internet of Things and are obvious if someone goes through recent IoT attacks including smart security cameras, smart TVs, smart bulbs, smart home appliances, smartphone microphones, connected cars, baby monitors, hotel robots and others. In 2018, Interpol and the FBI published a warning to consumers of IoT devices to secure their devices in the same way as they secure their computers and mobile devices.26 The Bitdefender Investigations and Forensics Unit (2020) has published in a whitepaper about a new IoT botnet packing new infernal features and capabilities. The FBI, following Interpol, alerted the public, through a public service announcement, about the growing dangers of IoT and the leveraged risk of cybercrime. Once a criminal gains access to an unprotected IoT device, it can then access the information stored on those devices and could possibly manipulate the way those devices operate or even attack business-critical online devices. Both law

20

See O’Donnell (2020). The fish tank had sensors connected to a computer that regulated the temperature, the food and the cleanliness of the tank. Using the fish tank, hackers managed to enter the casino’s network and from there leak data (Schiffer 2017). 22 See more on modern IoT attacks (Palo Alto networks). 23 See Frustaci et al. (2017). 24 A compromised IoT device could be used to launch a denial of service attack in order to control those devices and spread malware. See the more recent Internet Security Threat report, referring to IoT attacks p. 20 (Symantec 2019). 25 See Ponemon (2017). 26 See FBI Portland (2019) and Forbes (2019). 21

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

407

enforcement agencies have encouraged users to adapt a new way of thinking by increasing their security awareness.27 2.3.3

Creating Safety Risks

Cybersecurity aspects like preventing a hacking attack on an IoT device are even more critical, considering the area of control, for example, an attack on a critical infrastructure or on physical safety or on sensitive- or confidential-informationhandling application. Medical devices such as insulin pumps and pacemakers have also been in the center of cyberattacks, affecting directly patients’ health, particularly because the security of those devices has not been considered adequately.28 Even more worryingly, researchers have pointed to the possibility of remote attack on implantable and wearable health devices, which can directly threaten life.29 Internet of Medical Things (IoMT) is still in the nascent stage; however, a comprehensive legal and liability structure should be in place to handle cyberattacks, data breaches, and hijacks of such devices, which can cause harm to patients (Corbin 2019a). It has been shown in terms of experiments that an adversary could gain access to a car’s internal computer network without physically touching the car.30 You can then imagine the extreme risk that automated car owners will be exposed to and the prevalent link to their physical safety. True security in IoT devices means much more than simply securing the actual devices themselves. Manufacturers need to build security into software applications and network connections that are linked to those devices.

2.4

Consent

A major aspect of the GDPR is the legal grounds for lawfully processing personal data. Since personal data are collected from IoT devices and processed, consent could be a plausible solution to obtain the consumer’s explicit permission to the processing. As is stated in the GDPR, “in order for the processing to be lawful, personal data should be processed on the basis of the consent of the data subject.”31 It is also clear that individual consumers should remain in control of their personal

27 See FBI (2018) and Forbes (2019). Also an announcement from the (US-CSIRT 2017) on Security the Internet of Things. 28 See Victoria Smith (2020). 29 See Hern (2018), Pycroft and Aziz (2018), Rashid (2019), Sattler (2019) and Watz (2019). 30 See FCT Staff Report (2015). 31 See European Parliament (2016) Recital 40.

408

Y. Danidou

data and that IoT systems should provide sufficient transparency to enable individuals to effectively exercise their data subject rights.32 But here, we need to think more about the where, when, and how consent will be given. Internet of Things devices are often small in size; they lack screens, keyboards, and computational power. You may consider IP cameras and smart home appliances to confirm that they are lacking the mechanisms needed to ensure consumer consent on the collection, processing, and storage of consumers’ data and private information. Often, the user terms are written in a ‘take it or leave it’ form since if the user does not agree, they must not use the device. This leaves the data subjects to be the weaker party in IoT contracts. Even worse, sometimes IoT products often fail to notify consumers about the relevant user terms, privacy policy, and GDPR compliance. Peppet (2014) reviewed such policies and ratified that such policies are not detailed on the type of data collected, who the data collector and processor is, what the retention period is of such data, the purpose of collection, and, finally, how these data are being protected. Toward the end of 2019, the Joint Committee on Human Rights (2019) published the report “The Right to Privacy and the Digital Revolution.” The Committee reported serious grounds for concern about the nature and effectiveness of the “consent” that consumers provide when giving over to private companies, for commercial gain, an extraordinary range of information about themselves and suggested that the “consent model is broken.”33

2.5

Liability

Liability has been long discussed in the context of IoT. The heightened risk associated with IoT products brings to the top a crucial question on which parties bear liability in case “things” go wrong. This is definitely not a straightforward question, as many could have thought, since traditional principles may not remedy harm from IoT defects, taking into consideration the unique and complex interconnected nature of these devices. Liability challenges lie in the fact that IoT devices have complex and lengthy supply chains, which makes it hard to point in which exact point of the manufacturing process things went wrong.34 Legal scholars have been questioning whether IoT will “reshape the law of products liability” (Paez and La Marca 2016). Moreover, because of the complexity present in IoT scenarios, where a number of stakeholders are involved and a fault cannot be easily and clearly attributed to one, it is expected to question if a “fault-based liability approach” could ever be possible.35

32

See European Commission (2013). This has been linked with the fact that the right to privacy may exist on paper but does not exist online (Joint Committee on Human Rights 2019). 34 See Corbin (2019b). 35 See Schulze and Staudenmayer (2016) and Lindqvist (2018). 33

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

409

The three Ps outlined brilliantly by Voas and Laplante (2017), i.e. the people, products, or process or some combination of the three, can be part of the “blame game.” “The blame game and liability go hand in hand”36 because trying to identify the root cause of a failure is the first step of liability attribution. Besides, the complexity of contractual relationships between IoT stakeholders can prompt changes in liability distribution. Apportioning liability between software and device manufacturers in IoT products can be quite challenging since there are no clear boundaries to which party is at fault for the harm ensued.37 On another note, the prevalence of end-user license agreements that shift the liability to the user instead of the manufacturer acts as a deterrent for IoT device take-ups to reach a projected growth. Questions include whether extracontractual liability should be based on the existence of “defects” and whether this concept is adequate for dealing with liability in IoT. How will autonomous systems that can take decisions and actions without human intervention handle the liability aspect? Who should be liable for an unintended autonomous behavior? What should be the more effective approach to compensate victims while at the same time incentivize safe design?38 Moreover, a comprehensive liability framework should be applicable to the health care sector, and particularly IoMT, to ensure an action plan if these kinds of devices are cyberattacked or malfunctioning. Scholars are asking for a serious reassessment of the current EU product liability since it has not enacted yet a coherent and fully fledged regime.39 The old and outdated product liability directive (European Union Council 1985) does not reflect the technological advancements regarding software, the cloud, IoT products, robots, and automated systems.

3 Standardization Currently, every IoT manufacturer follows its own strategy with different platforms, which creates a discrepancy and complexity in terms of the technology used by IoT devices. Standards are considered essential in modern business, as they aim to provide certainty for consumers supporting individual’s safety and privacy, and further decrease the risk of proprietary solutions and likewise the risk of investors. Standardization is crucial to create the conditions for sustainable growth of the IoT ecosystem (CREATE-IoT 2016).

36

See Voas and Laplante (2017) for an excellent analysis on the complexity of attributing liability in the IoT environment. 37 See an analogous discussion on legal responsibility/liability in the Trusted Computing initiative that also involves a hardware and software manufacturers (Danidou and Schafer 2009). 38 See Center for Democracy & Technology (2018). 39 See Risso (2019) and Markou (2019).

410

Y. Danidou

Standard-based Internet of Things is discussed in the academic world, although there is a relatively small number of such standards or family of standards, and is considered the way forward to maintain uniformity in terms of the connectivity requirements of the “things” to the Internet. Although many standards have been proposed in this direction, they do not seem to adequately cover interoperability, common programmable interface, data semantics, and security aspects. This is mainly because standardization has been proposed in specific IoT vertical domain use cases. IoT systems have been considered under a number of cybersecurity-affecting attributes (Interagency International Cybersecurity Standardization Working Group 2018). These attributes reveal also some of the problems arising during an effective standardization of IoT. Scholars have also revealed impediments in the standardization of IoT and divided them into four interrelated categories: platform, connectivity, business model, and killer applications (Banafa 2016). Banafa states that in order to complete the standardization process, all of the categories are absolutely necessary. Under the context of the present chapter, standardization will help hold people accountable for their actions, costs and the impact their IoT devices have on consumers. This directly relates to the upcoming section, which identifies the various legal issues that may come up in the current uncontrollable IoT ecosystem.

4 IoT Regulatory Challenges The GDPR poses complex challenges to IoT programs and networks. In this current section, we attempt to lay down some of the most important considerations in terms of GDPR compliance from consumer IoT devices. The category of IoT is of particular interest since it is the only field in which extensive personal data are gathered and processed. Manufacturers should pay precise attention to compliance since they could face fines of up to 4% of their turnover for data breaches. GDPR compliance is very challenging when it comes to IoT because of the difficulty to acquire consent for the reasons mentioned earlier in Sect. 2.4. Privacy by design is one of the stipulations of GDPR, which is very difficult to apply within IoT. This does not mean, however, that compliance is impossible and should be abandoned. The main purpose of this chapter is to aid in identifying current regulatory grey points for consideration regarding IoT. First, the consumers of IoT devices should be clearly and adequately informed of what kind of personal data will be collected by the device, the type of processing, the purpose of personal data collection, the form of further processing, and the retention period. In addition, some IoT devices may advertently or inadvertently, directly or indirectly process special categories of personal data that need further consideration. It could be the case that special categories of personal data are related to vulnerable data subjects, like in the case of IoT devices developed and used specifically by the elderly.

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

411

Another interesting element is the issue of universality of personal data, especially in an IoT context. It is expected that IoT devices will be used freely around the globe, irrespective of the country of operation of the IoT manufacturer. This creates some obvious legal problems that should be considered, along with the scope of users’ choices and data portability.40 The universal deployment and global nature of the IoT technology creates more issues related to the harmonization of the data protection legislation to ensure the highest level of enforcement. Some further considerations concern the change of purpose of data gathering over time. Will the legal basis still cover the processing of the personal data? Under the GDPR and in the possibility of a data breach of consumer IoT devices (which hold users’ special categories (sensitive) of personal data), data breach notification law would not require a public disclosure of or a remedy for such a breach. Data protection authorities should be strengthened, and the concept of mandatory personal data breach notifications should be extended to all areas of personal data processing. The data subject should be able to exercise their rights on the processing of their own personal data through individual rights. But what happens in cases where consumer IoT devices (e.g., toys) are used by children? This perplexes things because while there are specific regulations regarding the processing of personal data regarding children, the right to erasure, and the right of access to personal data, which are all relevant to the specific case and the same as an adult’s rights, children are probably unaware of them due to their age.41 The security of children’s data, under these circumstances, is also an issue to consider. Lastly, the cloud, where most personal data gathered by IoT devices reside, is still a concern, particularly regarding the GDPR compliance of cloud providers, which are acting in technical terms as the data processors. The cloud user should be fully aware of the way the provider processes their data at all times. However, not all cloud providers are GDPR compliant, which opens up a new chapter in terms of the technical and organization measures they must adhere to in order to be “GDPR-compliant.” Further building on cloud computing technology reflects an asymmetry of powers between cloud service providers and cloud users. This may have an impact on the related contractual practices and may reveal a variation on the perception of data ownership between parties (CREATE-IoT 2017). The adoption of IoT relates to another crucial driver—the one of trust. Trust regarding security, transparency in data usage, clear information impacted by product-related factors, social-influence-related factors, and security factors. ISACA, one of the biggest global IT associations dealing with cybersecurity, reported on the level of agreement regarding manufacturers of Internet of Things, sufficiently informing consumers about information the devices can collect in

40

The proper notification and notices should be applied in case that consumer’s personal data are transferred to third countries. 41 See ICO (Information Commissioner’s Office) (2018).

412

Y. Danidou

Europe in 2016. Only 20% agreed, while the rest, 80%, disagreed on the sufficient information received by manufacturers (Statista 2016). This lack of faith, we argue, could be wiped out if the regulatory landscape is supported by more or enhanced regulations to protect consumer rights in the Industry 4.0 era. The UK’s Information Commissioner’s Office ran a research conducted by 25 data protection regulators globally in 2016, which showed that around 60% of the devices failed to explain to consumers how their personal data were collected, processed, and disclosed (Maguire Michael 2016). We argue that the current situation puts too much onus on the individual to be aware of the risks of using IoT devices. But this should not be on the individual, who cannot be a technical expert and get acquainted with technological terms and security definitions and judge if their data are appropriately used, but it should be a matter of strong regulation to ensure “road safety” on the IoT era.

5 Conclusions Among others, the discussion in this chapter showed that the existing EU legislation is being inevitably challenged by IoT. It also aimed to provide the basis for an analysis of the current gaps and the needed recommendations for legal, accountability, and liability issues in the consumer IoT domain. Consumer IoT manufacturers enter the market without really having considered thoroughly or dealt with security issues. Although some IoT devices are highly sophisticated, many others are inexpensive and essentially disposable.42 Many of those devices are already in use and operating fully, which means that the amplitude of risks is quite wide. Even if vulnerabilities are discovered after manufacturing, it is nearly impossible to update the software or apply a patch. Purchasers may not even be aware of how to update the device or never be informed of an update available. Economic incentives may also attribute to the absence of ongoing support or software security updates, leaving consumers with unsupported or vulnerable devices.43 Individuals should have complete control over their personal data, but for this to be a reality, in the IoT context, manufacturers should inform the users about the data that have been shared about them, with whom, and the purpose. Taking the high number of IoT devices that each individual will use, a possible personal data management proposal could be the creation of a real-time online platform, at a

42

See Fitzgerald (2018). See, e.g., Schneier (2014) (“The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the [original device manufacturer] is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority.”). 43

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

413

national level, that will keep records for each individual’s devices and where personal data are kept by each device’s manufacturer.44 In the EU, there is a demand for regulations considering robots, artificial intelligence, and big data45—which cannot be postponed for a later stage. All these technologies are interconnected and currently developed in the connected digital economy, and as legal researchers and computer scientists have stated in the past, law and technology should walk hand in hand. Industry Revolution 4.0, which is underway, needs to be adequately regulated in all aspects—privacy, data breach, liabilities, compliance, and security. This is a necessity that is twofold: for the consumers to feel secure and privacy protected and for the businesses and organizations to feel the obligation to comply, or they will have to face the consequences of the law. While the risks are increasing and lack of attention for security and personal data becomes imperative, the consequences are also getting big.

References abc News CVS Pharmacy Wants Workers’ Health Information, or They’ll Pay a Fine - ABC News. https://abcnews.go.com/blogs/health/2013/03/20/cvs-pharmacy-wants-workers-health-informa tion-or-theyll-pay-a-fine. Accessed 3 May 2020 Abomhara M (2015) Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. J Cyber Secur Mobil 4:65–88 Banafa A (2016) IoT standardization and implementation challenges - IEEE internet of things. In: IEEE internet things. https://iot.ieee.org/newsletter/july-2016/iot-standardization-and-imple mentation-challenges.html. Accessed 12 May 2020 BBC News (2019) BBC News - Google probes leak of smart speaker recordings Bitdefender Investigations and Forensics Unit (2020) New dark_nexus IoT Botnet Puts Others to Shame Cavoukian A (2012) Privacy by design: origins, meaning, and prospects for assuring privacy and trust in the information era. In: Privacy protection measures and technologies in business organizations: aspects and standards. IGI Global, pp 170–208 Center for Democracy & Technology (2018) Workshop emerging liability challenges in the european data economy draft agenda Cisco (2012) The internet of everything how more relevant and valuable connections will change the world Cisco (2018) Cisco Annual Report (2018-2023) Civil law rules on robotics (2016) Robots and artificial intelligence: MEPs call for EU-wide liability rules | News | European Parliament Corbin B (2019a) When “things” go wrong: redefining liability for the internet of medical things. S C Law Rev 71(36) Corbin B (2019b) Liability for the internet of things. TortSource 21:11 CREATE-IoT (2016) Cross fertilisation through alignment, synchronisation and exchanges for IoT CREATE-IoT (2017) Cross fertilisation through alignment, synchronisation and exchanges for IoT Legal IoT Framework (Initial)

44 This is recommendation adjusted to the context of IoT on the proposal of the (Joint Committee on Human Rights 2019). 45 See Civil law rules on robotics (2016).

414

Y. Danidou

Daley J (2016) Insecure software is eating the world: promoting cybersecurity in an age of ubiquitous software-embedded systems. Stanford Technol Law Rev 19:533–546 Danidou Y, Schafer B (2009) In law we trust? Trusted computing and legal responsibility for internet security. In: Gritzalis D, Lopez J (eds) Emerging challenges for security, privacy and trust. Springer, Boston, pp 399–409 Data Protection Commission Ireland (2019) Guidance Note: Guidance on Anonymisation and Pseudonymisation Data Protection Party (2014) ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 8/2014 on the on Recent Developments on the Internet of Things De Montjoye YA, Hidalgo CA, Verleysen M, Blondel VD (2013) Unique in the crowd: the privacy bounds of human mobility. Sci Rep 3:1–5. https://doi.org/10.1038/srep01376 Dean B (2018) An exploration of strict products liability and the internet of things. SSRN Electron J. https://doi.org/10.2139/ssrn.3193049 Desjardin J (2019) World Economic Forum - how much data is generated each day? Ernst and Young (2015) EY Cybersecurity and the Internet of Things European Commission (2013) Internet of things factsheet privacy & security. Eur Comm:1–9 European Commission (2017) Proposal for a regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Commu. Eur. Comm. European Parliament C (2016) Regulation (EU) 2016/ 679 Of The European Parliament And Of The Council - of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/ 46/ EC (GDP. European Parliament and of the Council European Union Agency for Network and Information Security (2018) Good Practices for Security of Internet of Things in the context of Smart Manufacturing European Union Council (1985) EUR-Lex - 31985L0374 - EN. Off J L 210 , 07/08/1985 FBI (2018) Internet Crime Complaint Center (IC3) | Cyber Actors Use Internet of Things Devices as Proxies for Anonymity and Pursuit of Malicious Cyber Activities FBI Portland (2019) Tech Tuesday: Internet of Things (IoT) — FBI. https://www.fbi.gov/contactus/field-offices/portland/news/press-releases/tech-tuesday-internet-of-things-iot. Accessed 4 May 2020 FCT Staff Report (2015) Privacy & Security in a Connected World FTC Staa Report Fitzgerald A (2018) IEEE spectrum - the internet of disposable things will be made of paper and plastic sensors. https://spectrum.ieee.org/semiconductors/materials/the-internet-of-disposablethings-will-be-made-of-paper-and-plastic-sensors. Accessed 11 May 2020 Floridi L, Cowls J, Beltrametti M et al (2018) AI4People—an ethical framework for a good AI society: opportunities, risks, principles, and recommendations. Minds Mach 28:689–707. https://doi.org/10.1007/s11023-018-9482-5 Forbes (2019) FBI Issues ‘Drive-By’ Hacking Warning: this is how to secure your devices. https:// www.forbes.com/sites/zakdoffman/2019/12/06/dont-get-hacked-warns-fbi-this-is-how-youconnect-smart-devices/#64d54495360a. Accessed 4 May 2020 Fowler G (2019) The Washington Post - Smart TVs like Samsung, LG and Roku are tracking everything we watch - The Washington Post. https://www.washingtonpost.com/technology/ 2019/09/18/you-watch-tv-your-tv-watches-back/. Accessed 9 May 2020 Frustaci M, Pace P, Aloi G (2017) Securing the IoT world: issues and perspectives. 2017 IEEE Conf Stand Commun Networking, CSCN 2017, pp 246–251. https://doi.org/10.1109/CSCN.2017. 8088629 Global Banking & Finance Review Staying connected in a crisis: how emerging technology and data can reduce the impact of a pandemic. https://www.globalbankingandfinance.com/stayingconnected-in-a-crisis-how-emerging-technology-and-data-can-reduce-the-impact-of-a-pan demic/. Accessed 3 May 2020

17

Opening Pandora’s Box: IoT and Cybersecurity Aspects to Consider While. . .

415

Hern A (2018) Hackable implanted medical devices could cause deaths, researchers say | Hacking | The Guardian. https://www.theguardian.com/technology/2018/aug/09/implanted-medicaldevices-hacking-risks-medtronic. Accessed 4 May 2020 ICO (Information Commissioner’s Office) (2018) The General Data Protection Regulation Children and the GDPR Interagency International Cybersecurity Standardization Working Group (2018) Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) Joint Committee on Human Rights (2019) House of Commons House of Lords Joint Committee on Human Rights The Right to Privacy (Article 8) and the Digital Revolution Kari P (2019) The Guardian - Google workers can listen to what people say to its AI home devices Kizza JM (2013) Guide to computer network security. Springer Križan T, Brakus M, Vukelić D (2015) In-situ anonymization of big data Lee J, Kao HA, Yang S (2014) Service innovation and smart analytics for Industry 4.0 and big data environment. In: Procedia CIRP. Elsevier, pp 3–8 Lindqvist J (2018) New challenges to personal data processing agreements: is the GDPR fit to deal with contract, accountability and liability in a world of the internet of things? Int J Law Inf Technol 26:45–63. https://doi.org/10.1093/ijlit/eax024 Llinas J, Hall DL (1998) An introduction to multi-sensor data fusion. In: ISCAS ’98. Proceedings of the 1998 IEEE International Symposium on Circuits and Systems (Cat. No.98CH36187), vol 6, pp 537–540 Lynskey D (2019) The Guardian - “Alexa, are you invading my privacy?” – the dark side of our voice assistants Maguire Michael (2016) 2016 GPEN Privacy Sweep, Internet of Things: Participating Authorities’ Press Releases | Global Privacy Enforcement Network. https://www.privacyenforcement.net/ node/717. Accessed 5 May 2020 Markou CN (2019) Consumer protection, automated shopping platforms and EU law. Routledge Moghaddam HM, Acar G, Burgess B et al (2019) Watching you watch: the tracking ecosystem of over-the-top TV streaming devices. In: CCS ’19 Murnane K (2018) Forbes - Amazon does the unthinkable and sends Alexa recordings to the wrong person O’Donnell L (2020) More than half of iot devices vulnerable to severe attacks | Threatpost. https:// threatpost.com/half-iot-devices-vulnerable-severe-attacks/153609/. Accessed 4 May 2020 Ohm P (2010) Broken promises of privacy: responding to the surprising failure of anonymization. UCLA Law Rev 57:1701–1777 Ohm P, Peppet S (2016) What if everything reveals everything? Big data is not a monolith. MIT Press Paez M, La Marca M (2016) The internet of things: emerging legal issues for businesses. North KY Law Rev 43:29–72 Palo Alto networks Impacts of Cyberattacks on IoT Devices Network Scanning Impacts to Network Services 5 Experiment Environment and Test Methods CPU, Memory, and Bandwidth Usage Service Response Time Results Conclusions Impacts C-IoT Device Battery Exhaustion 7 Background and Attack Vectors Patterson H, Nissenbaum H (2013) Context-dependent expectations of privacy in self-generated mobile health data. SSRN Electron J:1–51. https://doi.org/10.2139/ssrn.3115768 Peppet SR (2014) Regulating the internet of things: first steps toward managing discrimination, privacy, security and consent. Tex Law Rev 93:85–179 Perez S (2019) TechCrunch - Google is investigating the source of voice data leak, plans to update its privacy policies Ponemon (2017) Medical Device Security: An Industry Under Attack and Unprepared to Defend Sponsored by Synopsys Independently conducted by Ponemon Institute LLC PR Newswire Association LLC. Movista Helps Track and Report on Employee Health through the COVID-19 Pandemic. https://www.prnewswire.com/news-releases/movista-helps-track-and-

416

Y. Danidou

report-on-employee-health-through-the-covid-19-pandemic-301048067.html. Accessed 3 May 2020 Professional security magazine online (2020) Smart leaks. https://www.professionalsecurity.co.uk/ news/education/smart-leaks/. Accessed 4 May 2020 Proofpoint (2014) Proofpoint Uncovers Internet of Things (IoT) Cyberattack. https://www. proofpoint.com/us/proofpoint-uncovers-internet-things-iot-cyberattack. Accessed 4 May 2020 Pycroft L, Aziz TZ (2018) Security of implantable medical devices with wireless connections: the dangers of cyber-attacks. Expert Rev Med Devices 15:403–406. https://doi.org/10.1080/ 17434440.2018.1483235 Rashid F (2019) DHS warns implanted medical devices can be modified wirelessly | Decipher. https://duo.com/decipher/dhs-warns-implanted-medical-devices-can-be-modified-wirelessly. Accessed 4 May 2020 Rayes A, Salam S (2019) Internet of things from hype to reality. Springer International Publishing Rayes A, Salam S, Rayes A, Salam S (2019) Internet of Things (IoT) Overview. In: Internet of things from hype to reality. Springer International Publishing, pp 1–35 Ren J, Dubois DJ, Choffnes D et al (2019) Information exposure from consumer IoT devices: a multidimensional, network-informed measurement approach. In: IMC’19 Risso G (2019) Product liability and protection of EU consumers: is it time for a serious reassessment? J Priv Int Law 15:210–233. https://doi.org/10.1080/17441048.2019.1579994 Sattler J (2019) IoT threats: explosion of “smart” devices filling up homes leads to increasing risks F-Secure Blog. https://blog.f-secure.com/iot-threats/. Accessed 4 May 2020 Schiffer A (2017) The Washington Post - how a fish tank helped hack a casino Schneier B (2014) The Internet of Things Is Wildly Insecure — And Often Unpatchable | WIRED Schulze R, Staudenmayer D (2016) Digital revolution – challenges for contract law. In: Schulze R, Staudenmayer D (eds) Digital revolution: challenges for contract law in practice, 1st edn. Nomos Verlagsgesellschaft mbH & Co. KG, Baden-Baden, pp 19–32 Solomon S (2019) Data is up for grabs under outdated Israeli privacy law, think tank says | The Times of Israel. https://www.timesofisrael.com/data-is-up-for-grabs-under-outdated-israeliprivacy-law-think-tank-says/. Accessed 3 May 2020 Statista (2016) IoT: awareness by manufacturer of information collected EU 2016 | Statista. https:// www.statista.com/statistics/609021/trust-in-iot-device-manufacturers-eu/. Accessed 5 May 2020 Symantec (2019) ISTR Internet Security Threat Report Volume 24 The New York Times (2019) Your Data Were ‘Anonymized’? These Scientists Can Still Identify You - The New York Times. https://www.nytimes.com/2019/07/23/health/data-privacyprotection.html?smid¼nytcore-ios-share. Accessed 3 May 2020 US-CSIRT (2017) Securing the Internet of Things | CISA Variyar M (2018) The Economic Times - Alexa’s recording leak in US ‘echoes’ privacy issues here Victoria Smith (2020) Improving medical devices cybersecurity in the healthcare industry. https:// www.medicaldevice-network.com/sponsored/medical-devices-cybersecurity/. Accessed 4 May 2020 Virgin Pulse Virgin Pulse -Technology to Replenish the Modern Worker. https://www.virginpulse. com/our-products/. Accessed 3 May 2020 Voas J, Laplante PA (2017) The IoT Blame Game. Computer (Long Beach Calif) 50:69–73. https:// doi.org/10.1109/MC.2017.169 Watz E (2019) Can “Internet-of-Body” Thwart Cyber Attacks on Implanted Medical Devices? IEEE Spectrum. https://spectrum.ieee.org/the-human-os/biomedical/devices/thwart-cyberattacks-on-implanted-medical-devices. Accessed 4 May 2020

Part V

Privacy and Information Self-determination in the Digital Age

Chapter 18

Viewing Mediation Under the GDPR Lens Komninos Komnios

Abstract This chapter discusses the application of the EU General Data Protection Regulation (GDPR) to mediation as regulated by the EU Mediation Directive. The GDPR has a broad material and territorial scope. Thus, where applicable, it imposes significant obligations on the processing of personal data during mediations. All personal data controllers/processors with an EU establishment or that target EU data subjects, including the parties, their lawyers, mediation institutions, mediators etc., have individual liability for GDPR compliance. Furthermore, the purposefully broad definitions of what constitutes both personal data and data processing mean that all processing activities taking place during mediation are likely to be caught by the GDPR. The author reviews the GDPR’s legal framework as it applies to mediation and its practical application to the mediation process.

1 Introduction Access to and the processing of information have always been an essential element of every dispute resolution mechanism. However, rapid technological developments and digitalisation have led to a significant increase in the volume, nature and complexity of information processed during a dispute resolution procedure. Data protection legislation becomes relevant when the processing of information during the resolution of a dispute consists of “personal data”. The key data protection legislation within the European Union (EU), applicable as of May 2018, is the

K. Komnios (*) International Hellenic University, Thessaloniki, Greece e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_18

419

420

K. Komnios

General Data Protection Regulation (GDPR),1 which envisages a strong and more coherent data protection framework with an innovative extraterritorial effect.2 The GDPR defines “personal data” as any information relating to an identified or identifiable natural person, who is referred to as the “data subject”.3 Additionally, it makes clear that it applies to the activities of courts and other judicial authorities.4 Furthermore, data processing by lawyers is also covered by the Regulation.5 Thus, personal data processing activities within the dispute resolution framework, either in litigation or under extrajudicial dispute resolution mechanisms, are not excluded from the GDPR requirements.6 Moreover, despite the party autonomy principle in out-of-court procedures like mediation and arbitration, the disputing parties may not deselect the application of the GDPR7 when the latter is applicable according to its material and territorial scope. While the GDPR covers data processing in mediation, as a variety of out-of-court procedures for dispute resolution, the Regulation does not explicitly clarify how it is to be applied to mediation. The European Data Protection Board (EDPB), formerly known as the Article 29 Data Protection Party8 (WP29), has not issued any guidelines on the application of the GDPR (or the repealed Data Protection Directive9) to “out-of-court’ dispute resolution mechanisms to date. The WP29 had only addressed pretrial discovery for cross-border civil litigation in the past (the “Pre-trial Discovery Working Document”).10 Given the lack of direct guidance about the application of the GDPR to mediation, this chapter aims to address the impact that GDPR has on mediation and on key players processing personal data in the mediation process. Considering the prevalence of cross-border disputes, the implications that the transfer of personal data outside of the European Union has on practitioners will also be discussed. 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1–88. 2 Art. 3(2) GDPR. 3 Art. 4(1) GDPR. 4 Recital 20 GDPR. 5 Cf. Recital 91 GDPR. 6 On the impact of the GDPR on international arbitration see Zahariev (2019), passim, Burianski and Braun (2019), pp. 1096–1100, Fritz et al. (2019), pp. 301–309, Wilske et al. (2019), p. 119, Paisley (2018), pp. 851–936. The International Council for Commercial Arbitration (ICCA) and the International Bar Association (IBA) have established a Task Force on Data Protection in International Arbitration Proceedings. 7 Cf. Däubler (2018), p. 406. 8 The Article 29 Working Party is the independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into application of the GDPR). 9 Art. 94 (1) GDPR. 10 Article 29 Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11 February 2009.

18

Viewing Mediation Under the GDPR Lens

421

It should be noted that the present chapter focuses on the GDPR and the EU Mediation Directive;11 however, in practice, it may be necessary to consider relevant national law as well.

2 Core Elements of Mediation as an ADR Method Litigation is the most important but not the only way to resolve disputes. With the aim of simplifying the resolution of disputes and reducing the time, cost and distress associated with litigation, the EU actively promotes methods of alternative dispute resolution (ADR),12 such as mediation. Alternative extrajudicial procedures are considered a means to facilitate better access to justice, which according to the European legislation encompasses access to both judicial and extrajudicial dispute resolution methods.13 As regards mediation, this ADR mechanism in the EU was decisively influenced by the Mediation Directive. The Mediation Directive applies to all EU countries and concerns mediation in civil and commercial matters. While the provisions of this Directive apply only to mediation in cross-border disputes, Member States had the opportunity to extend its application to internal mediation processes as well. Following this open window, all but three Member States have accordingly transposed the Mediation Directive to domestic disputes.14 According to Article 3 (a) of the EU Mediation Directive, mediation means a structured process, however named or referred to, whereby two or more parties to a dispute attempt by themselves, on a voluntary basis, to reach an agreement on the settlement of their dispute with the assistance of a mediator. This process may be initiated by the parties or

11 Directive 2008/52/EC of the European Parliament and of the Council of 21 May 2008 on certain aspects of mediation in civil and commercial matters (“Mediation Directive”), OJ L 136, 24.5.2008, pp. 3–8. 12 Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/ 2004 and Directive 2009/22/EC (“Directive on Consumer ADR”), OJ L 165, 18.6.2013, pp. 63–79; Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 on online dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (“Regulation on Consumer ODR”), OJ L 165, 18.6.2013, pp. 1–12. 13 Recital 5 EU Mediation Directive. Other forms of dispute resolution are mentioned in Recital 11 Mediation Directive: pre-contractual negotiations, processes of an adjudicatory nature, such as certain judicial conciliation schemes, consumer complaint schemes, arbitration, expert determination and processes administered by persons or bodies issuing a formal recommendation, whether or not it be legally binding as to the resolution of the dispute. Recital 11 clarifies that the Mediation Directive shall not apply to these forms of dispute resolution. 14 See the Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the application of Directive 2008/52/EC of the European Parliament and of the Council on certain aspects of mediation in civil and commercial matters, 26.8.2016 (the “EU Commission Mediation Report”), COM(2016) 542 final.

422

K. Komnios

suggested or ordered by a court or prescribed by the law of a Member State. It includes mediation conducted by a judge who is not responsible for any judicial proceedings concerning the dispute in question. It excludes attempts made by the court or the judge seised to settle a dispute in the course of judicial proceedings concerning the dispute in question.

In the traditional mediation process,15 two or more parties to a dispute attempt, normally on a voluntary basis,16 to reach an amicable solution to the settlement of their dispute with the assistance of a third facilitator called the “Mediator”. The mediator acts as an independent and impartial17 intermediary without adjudicatory powers, methodically facilitating communication between the disputants, with the aim of enabling the parties themselves to find their own solution. Additional core elements of mediation are the confidentiality of the procedure and the neutrality of the mediator. Confidentiality in mediation is of utmost importance. Establishing a safe ecosystem for the parties to disclose information, which in turn enables the achievement of a “win-win” solution, is critical for a fruitful mediation. Mediation proceedings are not public, and any personal data disclosed will not be publicly available. The caucus, which is the private discussion between the mediator and only one party, is employed in the context of confidentiality to enable the disputant to convey sensitive information that the mediator may use to develop settlement options. The concept of the mediation caucus was created in order to provide parties in conflict the opportunity to discuss issues privately with the mediator outside of joint negotiations, in order to clarify issues, identify the respective interests of the parties involved, release emotions, gain new information and develop new solutions. The Mediation Directive provides in Article 7 (1) that mediation is to take place in a manner that respects confidentiality. Without prejudice to national legislation that provides for stricter measures to protect the confidentiality of mediation, unless the parties agree otherwise, as a matter of principle,18 neither mediators nor those involved in the administration of the mediation process shall be compelled to give evidence in civil and commercial judicial proceedings or arbitration regarding information arising out of or in connection with a mediation process. To a similar effect, Article 4 of the European Code of Conduct for Mediators,19 developed in 2004 under the auspices of the European Union, provides that “[T]the mediator must

15

For an overview see Hopt and Steffek (2013), p. 3 et seq. Specifically on the different Mediator roles see Bühring-Uhle et al. (2006), p. 189. 16 According to Recital 13 Mediation Directive, “voluntariness” means “that the parties are themselves in charge of the process and may organise it as they wish and terminate it at any time”. Therefore, national legislation is not prohibited from making the use of mediation compulsory or subject to incentives or sanctions provided that such legislation does not prevent parties from exercising their right of access to the judicial system. 17 Art.3 (b) Mediation Directive. 18 See the exceptions in Art. 7 (1) (a) and (b) Mediation Directive. 19 European Code of Conduct for Mediators (2004) https://www.euromed-justice.eu/en/system/ files/20090128130552_adr_ec_code_conduct_en.pdf. Accessed 1 Mar 2020.

18

Viewing Mediation Under the GDPR Lens

423

keep confidential all information arising out of or in connection with the mediation, including the fact that the mediation is to take place or has taken place, unless compelled by law or grounds of public policy to disclose it. Any information disclosed in confidence to mediators by one of the parties must not be disclosed to the other parties without permission, unless compelled by law.” Mediation is not a functional equivalent to litigation. The mediator is not a judge applying the law. Instead, all aspects of the conflict, independent of their legal relevance, may be considered. Further, the mediation procedure is not public, and in contrast to litigation, the personal data reviewed will not be publicly available. Therefore, it is different from litigation in many ways, including, among other things, that it is confidential and generally voluntary, although there are instances where mediation may be compulsory.20 However, mediation should not be regarded as a weaker alternative to court proceedings in the sense that compliance with mediated agreements would depend on the good will of the parties. On the contrary, EU Member States have ensured that written agreements resulting from mediation can be made enforceable.21

3 General Application of the GDPR to Mediation Reference to “out-of-court procedures” is only made twice in the GDPR, both in recitals only.22 Moreover, the Regulation does not explicitly define “out-of-court procedures” nor indicate the relevant applicable provisions. Not only is data processing in mediation not explicitly mentioned in the GDPR, but also the Mediation Directive does not include any provisions that deal with data protection issues. In the absence of special provisions concerning data protection within the context of mediation, if it falls within its material and territorial scope, the GDPR is generally applicable to the processing of personal data in the context of the activities taking place during a mediation process and regardless of the mediator’s profession of origin23 and the number of mediations performed. On the contrary, regarding alternative dispute resolution for consumer disputes in the EU, Recital 28 of the ADR Directive confirms that the processing of information relating to disputes covered by this Directive should comply with the rules on the protection of personal data laid down in the laws, regulations and administrative provisions of the Member States adopted pursuant to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement

20

Art. 5 (2) Mediation Directive. Cf. the country reports in Esplugues et al. (2014); De Palo and Trevor (2012); Hopt and Steffek (2013). 22 Recitals 52 and 111 GDPR. 23 For example, lawyers, psychologists etc. 21

424

K. Komnios

of such data. Recital 29 adds that confidentiality and privacy should be respected at all times during the ADR procedure. Accordingly, Article 5 (2) (f) of the ADR Directive stipulates that the processing of personal data by ADR entities has to comply with the rules on the protection of personal data laid down in the national legislation implementing Directive 95/46/EC in the Member State in which the ADR entity is established. Since Directive 95/46/ EC was repealed,24 the GDPR and the relevant national legislation containing supplementary provisions to the former constitute the current data protection regime for the ADR entities. As regards the judiciary, the GDPR does not remain equally silent. In order to maintain judicial independence, Member State courts and other judicial authorities, when acting in their judicial capacity, are excluded from supervision by the competent data protection supervisory authority. The exemption of courts from supervision by the competent authority should not lead to the conclusion that the GDPR does not apply to the courts. Instead, the GDPR suggests that the judicial authorities regulate data processing operations internally when acting in their judicial capacity.25 In this regard, Recital 20 of the GDPR provides as follows: “While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.” In accordance with the above, Article 55 GDPR expressly provides that “Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity”. While the term “judicial authorities” and “decision making” could be interpreted so as to include arbitration, which is a decision-making institution similar to court procedures,26 this exemption from supervision by the competent supervisory authority cannot apply to mediation, which inherently lacks adjudicatory functions. In any case, Article 55 GDPR clarifies that “[S]supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity” without any reference to either arbitration or mediation. Therefore, mediation is not excluded from the supervision of the competent data protection authority.

24

Art. 94 GDPR. See also Markou (2019), p. 390. 26 See, e.g., Blackaby et al. (2015), p. 2. 25

18

Viewing Mediation Under the GDPR Lens

425

However, if an arbitrator/arbitral tribunal, a mediator or a judge-mediator is supervised and could potentially be penalised by an authority, which is not part of the judiciary, this could pose a threat to their independence and impartiality and undermine the dispute resolution function of these ADR mechanisms. To mitigate this risk, given that it is within their competence, national legislators could delegate the supervision of data processing operations in “out-of-court procedures” performing extrajudicial tasks to the designated bodies within the judicial system of the Member States, which also audit courts acting in their judicial capacity. After all, in view of the EU legislation, access to justice encompasses access to judicial as well as extrajudicial dispute resolution methods. To sum up, when the GDPR is applicable according to Articles 2 and 3, mediation is caught within its reach. That means that every participant in personal data processing has a compliance obligation. Data protection compliance is therefore part of the mediation process, and the rights granted by the GDPR continue to apply during mediation since there is no general waiver. On the other hand, Article 23 GDPR leaves the door open for specific exceptions potentially relevant to out-of-court procedures as well. Member States are given the right to exempt certain activities from the “. . .obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22. . .”. Thus, Member States may enact laws restricting the above-mentioned rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, among other things, the enforcement of civil law claims.27 According to Article 23 of the GDPR, national legislation may, to the extent that the restrictions are necessary and proportionate, stipulate that certain data subject’s rights do not apply to the processing of data where it is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.28 Ireland relied on Article 23 of the GDPR to introduce relevant exceptions to the processing of personal data in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure.29 The latter general reference of the Irish Data Protection Act to “out-of-court procedure” could also cover mediation. It should be pointed out that the legislative activation of Article 23 of the GDPR may not lead to data processing being generally excluded from the GDPR. Instead, it may only legitimise the restriction of certain data subject rights. In particular,

The term “enforcement” suggests that it only refers to enforced execution in the strict sense. However, it should be interpreted as covering extra-judicial assertion of claims, as well as contentious and enforcement proceedings. See also Koreng (2019), DS-GVO Art. 23 rec. 54. 28 Koreng (2019), DS-GVO Art. 23 rec. 54. 29 Art. 60 (3)(a)(iv) Irish Data Protection Act 2018. 27

426

K. Komnios

national legislation may restrict the right to transparent information (Articles 12, 13 and 14), the right of access (Article 15), the right to rectification and erasure (Articles 16 and 17), the right to restriction of processing (Article 18), data portability (Article 20) and the right to object and to automated decision-making (Articles 21 and 22). These rights—which could cover numerous individuals in a complex case—may be difficult to apply to mediation and can impede its dispute resolution function. Targeted exemptions of these rights could be of assistance in reconciling the GDPR with ADR.30 Additionally, the GDPR itself includes a so-called legal claims exception,31 which is relevant to mediation. More specifically, it foresees concrete exceptions from specific GDPR provisions for data processing that is necessary for the establishment, exercise or defence of legal claims. The legal claims exemption in the GDPR provides a legal basis for the processing of special categories of data (Article 9 (2) (f) GDPR) and limits the data subject rights to erasure and to restrict processing (Articles 17 (3) (e), 18 (1)(c), 18 (2) GDPR) as well as the right of the data subject to object (Article 21(1) GDPR). It also provides a basis for lawful data transfer to third countries (Article 49(1)(e) GDPR). Recital 52 explains that in the context of special categories of data, processing should be allowed where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. Similar wording is used in Recital 111 of the GDPR regarding data transfers out of the EU. Hence, sensitive data, otherwise known as special categories of data,32 may be processed during mediation as long as processing is necessary for the establishment, exercise or defence of legal claims.

4 Personal Data Processing in the Context of Mediation 4.1

Processing Activities

All data processed during a mediation procedure containing information by which an individual is, or could be, identified is “personal data” as defined by the GDPR.33 This includes information that is processed by automated means, as well as those processed manually, whether personal data are contained or are intended to be contained in a filing system. While the documents reviewed during the process are typically thought of as being the source of potential data protection concerns, names, addresses, bank accounts of mediating parties, the minutes (when allowed), possible expert reports and the mediated agreement itself are also likely to identify natural

30

Cf. regarding Arbitration Paisley (2018), p. 858. See for example, European Union Agency for Fundamental Rights and Council of Europe (2018), p. 136. 32 Art. 9 (1) GDPR. 33 Art. 4 (1) GDPR. 31

18

Viewing Mediation Under the GDPR Lens

427

persons. It is therefore possible that they will also contain personal data protected by the GDPR. Regarding what constitutes the processing of personal data in litigation under the Data Protection Directive, the WP29 acknowledged that there are different stages during the litigation process, including retention, disclosure, onward transferring, and secondary processing. The use of personal data at each of these stages will amount to processing requiring an appropriate legal basis on which to base the processing.34 Similarly, according to the expansive GDPR definition of “processing”,35 any activity undertaken during a typical mediation relating to personal data is considered processing under the Regulation even if it is just keeping notes or sending preparatory e-mails. During the course of a mediation, the following activities, among others, relating to materials containing personal data would be considered processing covered by the GDPR: data collection, searching, accessing, reviewing, compiling, data transfer to a third party assisting the process, disclosure of materials during the mediation process to the other party, their lawyer and the mediator(s), preparation of the mediated agreement, data storage, document erasure or destruction etc. Preserving data-protection-relevant documents and potential evidence in general as a “data pool” for potential future dispute resolution proceedings is also a processing activity.36 Although controllers will normally have no legal ground to keep personal data at random and for an unlimited period in anticipation of a potential dispute, if the personal data are relevant and intended to be used in a specific or “reasonably anticipated” mediation, a “Mediation hold” may be justified. For example, when there is a specific agreement to mediate or a concrete mediation clause, retention of the relevant data could be considered legitimate. In any event, as regards data retention for the purposes of resolving a dispute, it is rather doubtful that the controllers would have proactively informed data subjects about the possibility that their personal data may be processed during mediation.

4.2

Data Protection Principles

The principles that are most relevant in the context of mediation are the purpose limitation principle, the data minimisation principle, the transparency principle and, of course, the lawfulness principle. The purpose limitation principle poses serious challenges, especially for the use of documents in mediation, given that this use in mediation will often not be the

34

Article 29 Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11 February 2009, p. 7. 35 Art. 4 (2) GDRP. 36 Article 29 Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11 February 2009, p. 7 et seq; Cf. Burianski and Reindl (2010), p. 191.

428

K. Komnios

purpose for which any personal data in the documents were originally collected. However, in some Members States, national legislation effectively disapplies this requirement to the extent necessary to allow the collateral use of data in connection with the exercise of legal rights.37 For example, according to § 24 (1) German BDSG “[P]private bodies shall be permitted to process personal data for a purpose other than the one for which the data were collected if. . . processing is necessary for the establishment, exercise or defence of legal claims, unless the data subject has an overriding interest in not having the data processed”. The balance of interests should take into account the objective relevance of personal data to mediation and the consequences for the data subject. Regarding the data minimisation principle in mediation, the GDPR reinforces the need to apply it at all stages of the mediation process. In this respect, it should be considered whether the extent to which data are being obtained, presented or otherwise processed is limited to what is reasonably necessary for the relevant purpose. Thus, mediation stakeholders should refrain from producing and sharing large volumes of irrelevant material, especially where files are likely to contain special categories of data. Where applicable, data controllers should restrict processing to anonymised/pseudonymised data or to another redacted form. After all, where personal data are not relevant with the cause of action in the mediation, there is no need to provide such information in the first place. The transparency principle imposes a general obligation on data controllers, when they obtain personal data, to provide data subjects with specified information about how their data will be processed (Articles 13, 14 GDPR), even when the controllers did not collect the data directly from the data subjects. For example, the mediation institution does not collect the data that it controls after a party transfers data to it for use in administering the mediation. In the context of mediation, the transparency principle would require advance general notice of the possibility of personal data being processed during dispute resolution, and if the data are actually processed, then additional notice should take place.38 This obligation also raises other serious concerns, given the impracticality of informing all data subjects whose personal data appears in the mediation process. On the other hand, it could also mean that all potential data controllers in a mediation shall bear the obligation to send privacy notices to all individuals named in the material processed in the course of the mediation, making such materials no longer confidential. One possibility that is consistent with the approach taken to the joint controllers in the GDPR (Article 26) would be for the data controllers to agree to a data protection protocol that the parties as the initial controllers will provide the transparency information, for they are the only ones with real relations with the data

Cf. Art. 25 (1) (c) Greek Law 4624/2019, § 24 (1) German BDSG. Cf. Article 29 Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11 February 2009, p. 11. 37 38

18

Viewing Mediation Under the GDPR Lens

429

subjects.39 The arrangement referred to in the data protection protocol shall be made available to the data subjects. Again, in addition to the exceptions provided for in Articles 13 (4) and 14 (5) GDPR, in some cases, national legislation introduces an exception for the obligation to inform the data subjects under the GDPR, where providing information would interfere with the establishment, exercise or defence of legal claims and when the controller’s interests in not providing the information outweigh the interests of the data subject.40

4.3

Lawful Processing

Where the information handled in the context of mediation contains personal data, the aforementioned activities need to be individually justified in order to be lawful. In this regard, Article 6 GDPR stipulates that a specific legal basis is needed. It should be stressed, however, that since mediation is a structured process with different stages, the processing of the personal data at each of these stages may require a specific and appropriate basis to legitimise the processing.

4.3.1

Consent

Consent41 is one of the six lawful bases to process personal data listed in Article 6 GDPR. Article 4 (11) GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. However, achieving valid consent is complex and burdensome since it can only be an appropriate lawful basis if a data subject is offered a genuine choice “with regard to accepting or declining the terms offered or declining them without detriment”.42 Arguably, a data controller may only rely on consent if another basis is unavailable.43 Still, WP29 recognises that “there may be situations where the individual is aware of, or even involved in the litigation process and his consent may properly be relied

39

Cf. regarding Arbitration, Paisley (2018), p. 908. Cf. Art. 31 (1) (d) Greek Law 4624/2019, Section 5, Schedule 2 UK Data Protection Act 2018, § 32 (1) (4) German BDSG. 41 Art. 4 (11), Art. 7 and Recitals 32, 42, 43 GDPR. 42 Article 29 Working Party, Guidelines on consent under Regulation 2016/679, adopted on 28 November 2017, as last revised and adopted on 10 April 2018, p. 3. 43 Cf. ibid, p. 23. 40

430

K. Komnios

upon as a ground for processing”.44 In the context of mediation, this could support an argument that individuals involved in the process may—under specific circumstances—give valid consent to the processing of their personal data. For example, while in a caucus meeting, the mediator may obtain specific consent from the party participating in the caucus to convey personal information to the other party in order to promote the development of solution scenarios. Concrete details about the functions of the caucus are given by the mediator in the opening statement so that the parties are informed accordingly and have the free choice to refuse or withdraw consent without detriment. However, the fact that consent can be withdrawn at any moment by the individual according to Article 7 (3) GDPR potentially makes it practically unworkable,45 even if it only functions ex nunc.46 Moreover, asking for consent may jeopardise confidentiality, which is a key element of mediation.

4.3.2

Processing is Necessary for the Performance of a Contract to Which the Data Subject Is Party or for Compliance with a Legal Obligation

Despite the fact that in specific Member States mediation may be ordered by a court and that compulsory mediation, under specific prerequisites,47 is allowed by the EU legislator, the rule remains that mediation is normally based on the voluntary participation (i.e. on the agreement) of the disputing parties.48 When recourse to mediation is based upon a mediation clause in a contract or upon a specific mediation agreement, the processing of personal data of the data subject may be lawful if it is necessary for the performance of the contract (mediation clause, mediation agreement) to which the data subject is party.49 Processing is deemed necessary if the contract could not be fulfilled without the processing taking place.50 Hence, the fact that the disputing parties have voluntarily submitted to mediation does per se speak for the lawfulness of the processing of their personal data during the mediation process, to the extent that such processing is necessary for the performance of their agreement to mediate. The notion “performance of the

44

Article 29 Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11 February 2009, p. 9. 45 Cf. Burianski and Braun (2019), p. 1098. 46 Frenzel (2018), DS-GVO Art. 7 rec. 16. 47 Art. 5 (2) EU Mediation Directive; Cf. CJEU, C-75/16, Livio Menini and Maria Antonia Rampanelli v Banco Popolare—Società Cooperativa. 48 Cf. Art. 2 (1) EU Mediation Directive. 49 Art. 6 (1)(b) GDPR. 50 Frenzel (2018), DS-GVO Art. 6, rec. 14.

18

Viewing Mediation Under the GDPR Lens

431

agreement” is to be interpreted broadly51 since Recital 44 GDPR clarifies that processing should be deemed lawful where it is necessary in the context of a contract. Moreover, this legal ground is not restricted to data processing activities of the disputing parties, i.e. the contracting parties of the agreement to mediate. On the contrary, the wording of Article 6 (1)(b) GDPR allows data processing activities by uninvolved third parties like the mediator as long as they are necessary for the performance of a contract (agreement to mediate) to which the data subject is a party.52 Similarly, the performance of the agreement could constitute the legal basis for the processing of the parties’ personal data during a mediation procedure initiated by court invitation to the disputing parties or based upon court-annexed schemes (e.g. judicial mediation). In the above-mentioned instances, mediation remains a choice of the parties, and the agreement to mediate is still necessary. However, given that mediation agreements/clauses are not granted legal effect in every jurisdiction, identifying which processing operations of personal data of the disputing parties are necessary for the performance of the agreement to mediate cannot be reliably predicted. On the other hand, in the case of compulsory mediation, it is the national law that provides that for specific disputes, the disputing parties are first to attempt mediation as a means of reaching a settlement. In those cases, the processing of personal data shall be lawful if it is necessary for compliance with a legal obligation to which the controller is subject.53 Such legal obligation may only be created by Union or Member State law and not by third country law. According to Recital 45, the legal obligation could cover multiple processing operations at the same time. The latter basis would cover the processing activities that are necessary to comply with the obligations prescribed for the participants within a compulsory mediation. The application of Article 6 (1) (b) and (c) GDPR as legal grounds for data processing in the context of mediation is complex since for each processing activity, it should be assessed if and to what extent a contractual or legal obligation actually requires or authorises data processing. For those reasons, it is expected that these grounds of lawful processing will apply with caution to mediation as they do not qualify as the ideal solution.

4.3.3

Legitimate Interest Pursued by the Controller or by a Third Party

According to Article 6 (1) (f) GDPR, the legitimate interest of the controller or a third party introduces a general clause that may function as a legal basis for data processing if this interest is not overridden by the interests or fundamental rights and

51

Voigt and Von dem Bussche (2017), p. 102. Cf. Albers and Veit (2019), Art. 6 rec. 30. 53 Art. 6 (1)(c) GDPR. 52

432

K. Komnios

freedoms of the data subject. Any interest recognised by the legal order may be considered legitimate.54 The Pre-trial Discovery working document has already stressed in the framework of civil litigation and discovery that [C]clearly the interests of justice would be served by not unnecessarily limiting the ability of an organization to act to promote or defend a legal right . . . The aim is to provide each party with access to such relevant information as is necessary to support its claim or defence, with the goal of providing for fairness in the proceedings and reaching a just outcome. Against these aims have to be weighed the rights and freedoms of the data subject who has no direct involvement in the litigation process and whose involvement is by virtue of the fact that his personal data is held by one of the litigating parties and is deemed relevant to the issues in hand, e.g. employees and customers. This balance of interest test should take into account issues of proportionality, the relevance of the personal data to the litigation and the consequences for the data subject. Adequate safeguards would also have to be put in place and in particular, there must be recognition for the rights of the data subject to object [to the processing . . . ] and, in the absence of national legislation providing otherwise, there are compelling legitimate grounds relating to the data subject’s particular situation.55

Similarly, the WP29, in its Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC,56 takes the view that if the legitimate interest of the controller is identified, then a balancing exercise must be conducted between that interest and the interests or fundamental rights and freedoms of the data subject.57 For example, in situations where the data subject is a client or in the service of the controller, the reasonable expectations of the data subject must be considered during such an assessment to ascertain whether the interests of the controller override the interests or fundamental rights of the data subject.58 Regarding mediation in particular, the party’s interest in supporting a claim or defending itself against a claim qualifies as a legitimate interest, even when mediation is totally voluntary. After all, the interests of (informal)59 justice would be served. Thus, data processing operations in the context of mediation may rely on this ground as well, given that the establishment, exercise or defence of legal claims in an out-of-court procedure is mentioned several times as an interest in the GDPR.60 The latter argument is further reinforced by the fact that enforcement of legal claims via

54

Plath (2018), Art. 6 DSGVO, rec. 54, Schantz (2019), Art. 6 DSGVO, rec. 98. Article 29 Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11 February 2009, pp. 9–10. 56 Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014. 57 Ibid, p. 30. In its case law, the CJEU has expanded on the test to determine what constitutes a legitimate interest. 58 Ibid, p. 40 and Recital 47 GDPR. 59 Cf. Vos (2016), p. 31 et seq. 60 Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 25. 55

18

Viewing Mediation Under the GDPR Lens

433

out-of-court procedures is included in the WP29’s non-exhaustive list of typical cases in which the issue of legitimate interest may arise.61 “Legitimate interest” as a legal basis is not restricted to the data processing of the disputing parties. Rather, data processing may be justified as being in the “legitimate interest” of the data controller, whether it be a party, an expert, a mediation institution or a mediator. Nonetheless, a cautious balancing of the relevant interests on a case-by-case basis is required by law, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.62 This balancing exercise is expected to be challenging since it may concern data subjects who are not among the disputing parties in the specific mediation (e.g. business associates, buyers etc.). In the case where the controller’s legitimate interests to resolve the dispute override the data subject’s rights, safeguards should be put in place to mitigate the relevant risks (such as limitation of access, pseudonymising data etc.). Still, the data subject has the right to object at any time to the processing on grounds relating to his or her particular situation, according to Article 21 (1) GDPR. Following an objection of the data subject, the controller shall no longer process the personal data unless “. . .for the establishment, exercise or defence of legal claims”.

4.3.4

Processing Is Necessary for the Establishment, Exercise or Defence of Legal Claims

There is unlikely to be a substantial volume of special categories of personal data63 in most commercial mediation cases. However, mediation is also broadly and successfully used in family disputes and in disputes involving healthcare and employment-related issues, where processing of sensitive personal data is common. The processing of special categories of personal data, otherwise known as sensitive data, is permitted under Article 9 (2) (f) GDPR if it is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.64 This legal basis constitutes a special form of legitimate interest for the processing of sensitive personal data and can therefore be used for non-sensitive data as well.65 Interestingly, Article

61

Vos (2016), p. 25. Cf. also Albrecht and Jotzo (2017), rec. 51. Recital 47 GDPR. 63 Art. 9 (1) GDPR: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 64 Cf. Recital 52 GDPR. 65 Schiff (2018), Art. 9 rec. 47. Cf. CJEU, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde, Nr. 29. 62

434

K. Komnios

9 (2) (f) GDPR does not stipulate a balancing exercise with the interests or fundamental rights and freedoms of the data subject.66 The notion “legal claims” is an autonomous concept of EU law and should be interpreted broadly, such that a claim may derive from law, tort or contract. Although lis pendens is not required,67 a simple legal relationship is not enough. Instead, it must have resulted in a legal dispute that forces the disputants to act.68 More detailed guidance on the identical phrasing used in the context of international transfers can be found in Article 49 GDPR.69 Assuming that the guidance on the wording in Article 49 GDPR can be transferred to this broader context, it may be suggested that a close link will be necessary between the processing of the special category data and some formal legally defined process, including regulatory or administrative processes or any out-of-court procedure.70 It is unclear how close that connection needs to be. It is likely that it would extend to covering any activities necessary in order to investigate and take legal advice in determining whether there is a basis for making or defending a legal claim. Nonetheless, the derogation cannot be used to justify processing on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.71 In the context of mediation, which is a formal and legally defined ADR process, processing must be relevant to a specific legal claim and its exercise or defence. Data processing operations in the mediation process should be considered necessary as long as they are required in order for the parties to reach an agreement on the settlement of their dispute with the assistance of a mediator.72 However, the “necessity” criterion should not be subject to strict requirements since Article 9 (2) (f) GDPR aims to facilitate enforcement of legitimate rights and to guarantee access to justice.73 Since Article 9 (2) (f) GDPR may serve as legal basis for data processing taking place in the pretrial proceedings,74 potential ADR participants should specify in their data protection policy that personal data may be processed during future dispute resolution procedures and provide the legal basis for such processing.75

66

See however Voigt and Von dem Bussche (2017), p. 113. Schulz (2018), Art. 9 rec. 26. 68 Weichert (2018), DS-GVO Art. 9 rec. 84. 69 EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679. 70 Ibid, pp. 11–12. 71 Ibid, p. 11. 72 Cf. the legal definition of the notion of Mediation in Art. 3 (a) EU Mediation Directive. 73 Albers and Veit (2019), Art. 9 rec. 69, Weichert (2018), DS-GVO Art. 9 rec. 83, Frenzel (2018), DS-GVO Art. 9 rec. 37. 74 Schulz (2018), Art. 9 rec. 29. 75 Cf. regarding Arbitration, Paisley (2018), p. 884. 67

18

Viewing Mediation Under the GDPR Lens

435

5 GDPR Responsibilities of the Participants Based upon the relevant provision of the GDPR,76 the controller of the personal data exchanged during mediation shall be the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purpose and means of the processing of personal data. The question is who initiates the processing and who decides why and how the processing is taking place in order to undertake its role in the mediation process, whether it be as a party or lawyer, mediator or any mediation institution. The majority of participants in the mediation process will normally be data controllers. This includes the parties,77 their lawyers and the mediators/the mediation institution. However, service providers whose role is primarily to process documents or other forms of information, such as document review services, and translators are more likely to be data processors. In the case of processors, the mandatory contractual provisions stipulated by the GDPR (Article 28) to regulate this kind of relationship shall apply. With the exception of the parties, which will be the controllers of any personal data processed both for the original purposes that they have been collected and for the purpose of conducting the mediation, others will be the controllers of the personal data they receive during the mediation and for the purpose of the mediation itself.78 Hence, each of the participants in a Mediation process has to apply the GDPR only to the data that it actually processes, which imposes speaks for reasonable restrictions on the amount of data being processed.79

5.1

The Disputing Parties

Assuming that the GDPR is applicable and data processing occurs during mediation, the disputing parties will typically be data controllers of the personal data processed by them. This is because—as a rule—the data will have originated in the context of the party’s activities that are the subject of the mediation and for which each party determined the purpose and means of the processing. The processing of this data shall typically occur in the framework of a business, employee or family relationship and then continue for the purposes of mediation. As a result, in the context of mediation, the parties bear an obligation to comply with the GDPR since there are strong arguments supporting their qualification as data controllers.

76

Art. 4(7) GDRP. See also Fritz et al. (2019), p. 305. 78 Cf. regarding Arbitration, Paisley (2018), p. 894. 79 Ibid, p. 899. 77

436

5.2

K. Komnios

The Lawyer in Mediation

A lawyer’s role in mediation is different from their respective role in litigation and will vary depending on the nature of the dispute. In general, they are expected to offer information and guidance to the clients, provide practical and legal advice on issues raised and offers made, and assist in drafting terms and conditions of settlement as agreed.80 Depending on the legal order and the specific mandate, the lawyer may be restricted from advising the client before the mediation, representing the client during the mediation and undertaking all communications on behalf of the client. Where a barrister processes data in the course of representing a client in court, the WP29 has already taken the view that lawyers should be regarded as independent “controllers” when processing data in the course of legally representing their clients.81 Lawyers in mediation process personal data related to the client’s dispute. Processing of the necessary information takes place because of the client’s mandate. However, the mandate that clients provide to the lawyer is not to process personal data but, rather, to legally assist and advise them in mediation. Because the processing of data is an ancillary function that is mainly determined by the lawyer, done so independently from the client, the data processing carried out by the lawyer should be conceptualised as that of a controller. So the lawyer should be considered a controller when he or she receives personal data about a third party in order to advise the client on his or her rights vis-a-vis the third party.

5.3

The Mediator

The ultimate mandate of the mediator is not to process personal data but to conduct the mediation process in an effective, impartial and competent way so as to assist the parties to come to their own solution to the dispute. It is inherent in the function of the mediator, who is an independent and impartial third party,82 that he or she determines and controls the purpose and means of the processing of personal data or relevant material presented by the parties. In effect, it assumes that the mediator controls the personal data received by the parties (and potentially by the mediation institution) during the mediation process. Hence, the mediator has to comply with the GDPR for their activities that constitute processing of personal data. As a result,

80

Cf. Clark (2012), p. 36 et seq. Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010, p. 28. 82 Cf. Art. 2 European Code of Conduct for Mediators. 81

18

Viewing Mediation Under the GDPR Lens

437

they are also expected to regulate their relations with processors they might come in contact with (e.g. cloud service providers, translators, accountants etc.).83 Furthermore, without prejudice to national law exceptions, mediators will be required to observe the GDPR provisions concerning, e.g., the lawfulness of processing, the rights of data subjects, data minimisation, transparency and information requirements, data transfer restrictions, data security etc. Reconciling GDPR with the fundamental functions of mediators is a challenge. For example, the transparency principle may be invoked to enable the disclosure of confidential discussions between the mediator and a party during a caucus. For this reason, national legislation may eventually need to provide for restrictions in the application of the data subject rights in so far as they affect the core elements of mediation (for instance, its confidential nature). Last but not least, the mediator has to ensure that data processing activities comply with the principles of Article 5 (1) GDPR. This results in numerous duties that may be categorised as follows.

5.3.1

Information Obligation: Right to Access

When personal data relating to a data subject are collected from the data subject, Article 12 GDPR requires that the data controller provide concise and transparent information to the data subject. This obligation does not require a specific request from the data subject, as a result, in the context of mediation, the mediator has to comply proactively. Under the GDPR, when personal data are collected from the data subject, the mediator is obliged to provide, among others, information to the data subject about the purpose and legal basis for the processing and the data subject’s right to lodge a complaint with a supervisory authority. The information must be concise, transparent, intelligible and easily accessible, using clear and plain language. It must be provided in written form, including electronic form where appropriate, and it may even be provided orally at the data subject’s request and if his or her identity is proven beyond doubt. In this respect, it is advisable to attach a data protection policy to the contract to be concluded by the mediators with the disputing parties so as to address their right to be informed. Moreover, if the mediator operates a website, which is prevalent in everyday practice, all necessary information about data processing—including the specific data protection information relating to the website itself—should be provided there as well in the form of a data privacy notice. Regarding personal data of third parties that have not been obtained by the mediator from the data subjects themselves, Article 14 (5) (d) GDPR disapplies the information requirement where the personal data must remain confidential subject to an obligation of professional secrecy. Since confidentiality is a core

83

Art. 28 GDPR.

438

K. Komnios

element of mediation according to Article 7 Mediation Directive, the mediator shall normally have an obligation of professional secrecy stipulated by Member State law.84 Should this be the case, the Mediator as a person subject to professional secrecy is not obliged to inform third parties about their personal data obtained by the disputing parties in Mediation. A similar obligation applies to lawyers which also exercise a profession subject to professional secrecy. However, the disputing parties—in their respective role as controllers —when communicating the data of third parties to the mediator and the participating lawyers, shall normally be obliged to provide those third data subjects—prior to that further processing—with information on that transferring, pursuant to Article 13 (3) GDPR. In some Member States, national legislation has recognised that collisions may arise from the above-mentioned information obligation and the professional confidentiality obligations and, based on Article 23 GDPR, decided to resolve this conflict in favor of professional secrecy obligations. For example, according to Article 31 (4) Greek Law 4624/2019, if in the context of a relationship of mandate the data of third parties are transferred to persons subject to a legal obligation of professional secrecy, the transferring body shall not be obligated to inform the data subject according to Article 13 (3) of Regulation (EU) 2016/679 unless the data subject has an overriding interest in being informed.85 The right to access (Article 15 GDPR) and the obligation to communicate the personal data breach to the data subject (Article 34 GDPR) in specific legal orders are also restricted in a way that could be relevant for data processing in the context of mediation. So, pursuant to Article 33 (4) and (5) Greek Law 4624/2019, the right of access according to Article 15 GDPR shall not apply as far as access would disclose information that by law or by its nature must be kept secret, in particular because of overriding legitimate interests of a third party. Moreover, in addition to the exception in Article 34 (3) GDPR, the obligation to inform the data subject of a personal data breach shall not apply in the case where meeting this obligation would disclose information that by law or by its nature must be kept secret, in particular because of overriding legitimate interests of a third party.86 In this regard, legal provisions concerning confidentiality obligations of the stakeholders in mediation may be invoked so as to address relevant requests of the data subject. In the view of the above, with regard to data that are covered by the professional duty of secrecy and confidentiality,87 the mediator may have no obligations to inform, provide access or communicate data breaches pursuant to Article 14, 15 and 34 DSGVO. These exemptions are beneficial as they promote necessary information sharing and allow the mediator to communicate openly and confidentially with the disputing parties.

See, e.g. § 4 of the German MediationsG. Cf. the similar provision of § 29 (2) German BDSG. 86 Cf. § 29 (1) German BDSG. 87 Cf., e.g. Art. 192 Greek Mediation Law 4512/2018. 84 85

18

Viewing Mediation Under the GDPR Lens

5.3.2

439

Right to Rectification

According to Article 16 GDPR, data subjects have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Since there is no legal claims exemption included in the provision, the right to rectification applies to mediation, unless national law provides otherwise. While this right to rectify may clash with provisions in litigation and in arbitration, requiring retention of evidence as of a particular date in time,88 similar issues like the altering of evidence will generally not occur in mediation because of the inherently different procedural structure of this dispute resolution mechanism.89

5.3.3

Right to Erasure/Right to Restrict Processing

With the aim of preventing unnecessary data collection, the principle of data minimisation requires personal data to be adequate, relevant and limited to what is necessary for the purposes for which they are processed (Article 5 (1)(e) and Article 17 GDPR). As soon as there is no legal basis for the storage of personal data, they are to be erased or rendered anonymous in such a manner that the mediating parties are no longer identifiable. However, Article 17 (3)(b) GDPR stipulates that the erasure does not have to be carried out for compliance with a legal obligation. Depending on the legal order, for mediators who are also lawyers, there is often a specific legal obligation for data retention.90 In addition, for all mediators, irrespective of their “basic” occupation, other tax or commercial retention requirements may also apply.91 In any event, it is advisable to ensure by technical means that the deletion deadlines are met and deletion requests from data subjects are taken into account properly. For this purpose, it is appropriate to note the end of the retention period in a special form after the completion of each mediation. It may be beneficial to maintain and regularly update a calendar with the deletion date. Finally, data erasure or physical data destruction must be documented and carried out in accordance with the data protection legislation.

88 Article 29 Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11 February 2009, p. 12. 89 In “traditional” Mediation there is no investigation of facts or taking of evidence. 90 See e.g. § 50 Abs. 1 S. 2 of the German Bundesrechtsanwaltsordnung (BRAO), Art. 37 lit. (i) of the Greek Code of Conduct for Lawyers. 91 For example, there are usually various legal requirements and professional guidelines about keeping certain kinds of records—such as information needed for income tax and audit purposes.

440

K. Komnios

In addition to these, the data subject has its own right to request the erasure of data and restriction of processing, subject to the conditions set out in Articles 17 and 18 GDPR. Notably, both rights are subject to a legal claims exemption for processing that is necessary for the establishment, exercise or defence of legal claims. Hence, they would not apply to mediations where the data processing is deemed “necessary” to the claims.

5.3.4

Accountability Requirements

Derived from the accountability principle in Article 5 (2) GDPR, the burden of proving that the data processing is legitimate falls on the mediators as data controllers since they have to make certain that personal data are processed lawfully. The mediator can fulfil this obligation only by an adequate documentation of data processing activities. In principle, there is an obligation to document all data processing activities in a record of processing activities within the meaning of Article 30 DSGVO. Still, the GDPR provides for an exception from this obligation. The requirement to keep records does not apply to controllers or processors that employ fewer than 250 persons. The exception is, however, subject to the requirements that the controller or processor concerned does not carry out processing activities likely to result in a risk to the rights and freedoms of data subjects, that processing is only occasional and that it does not include special categories of data as referred to in Article 9 (1) GDPR nor personal data relating to criminal convictions and offences referred to in Article 10 GDPR. Since mediation is a dispute resolution process, special categories of data will be handled regularly. Furthermore, in mediation, the processing of data does not occur occasionally but is part of the typical business operation, so that mediators have to keep a record of their processing activities.

5.3.5

Implementing Appropriate Technical and Organisational Measures

According to Article 32 GDPR, the mediator, having took into account the state of the art, is expected to implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk.92 The starting point of implementing TOMs pursuant to Article 32 DSGVO must be to obtain a concrete picture of the risks that the technical and organisational measures to be implemented are to protect against.93 Apparently, what is appropriate in each specific case depends on the nature, scope, context and purposes of processing. For example, although the mediation process is confidential, with no

92 93

Ritter (2018), DS-GVO Art. 32 rec. 70. Piltz (2018), Art. 32 rec. 13–14.

18

Viewing Mediation Under the GDPR Lens

441

records kept of discussions, any meeting notes and personal data files should never be kept in a manner that is accessible to others but rather be sealed in lockers. In the IT area, a number of security measures are also required, e.g. password protection of files with personal data protection relevance, regular security updates, installation of firewalls and antivirus software, encryption of portable data media, protection of wireless local area networks (WLANs), encryption of e-mails94 etc.

6 Co-mediation In co-mediation two or more mediators are employed to assist the parties in resolving their dispute. In this case, the mediators have the same mandate to pursue the abovementioned goal, but they may also, to a certain degree, function independently, in a way that may also affect the purpose and means used for the processing. According to Article 26 GDPR, where several operators determine jointly the purposes and means of the processing of personal data, they participate in that processing as joint controllers. Therefore, in respect of operations involving the processing of personal data for which the co-mediators determine jointly the purposes and means, they shall be considered as joint controllers and will have to conclude an arrangement regarding their mutual responsibilities.95 Moreover, the essence of the arrangement should be made available to the individuals concerned.96

7 Mediation Institutions The function of a mediation institution is to administer mediations according to the institution’s rules, which often provide that the disputing parties communicate to the institution as well information relevant to data protection.97 The mediation

94 In favour of the use of transport layer encryption (e.g., TLS, SSL) to secure the e-mail communication with the parties Keppeler (2019), p. 23. 95 Art. 26 (1) GDPR. 96 Art. 26 (2) GDPR. 97 For example, according to Art. 2 (1) ICC Mediation Rules, “any party or parties wishing to commence mediation pursuant to the Rules shall file a written Request for Mediation (the “Request”) with the Centre. The Request shall include:

a. the names, addresses, telephone numbers, email addresses and any other contact details of the parties to the dispute and of any person(s) representing the parties in the Proceedings; b. a description of the dispute including, if possible, an assessment of its value; c. any agreement to use a settlement procedure other than mediation, or, in the absence thereof, any proposal for such other settlement procedure that the party filing the Request may wish to make; d. any agreement as to time limits for conducting the mediation, or, in the absence thereof, any proposal with respect thereto;

442

K. Komnios

institutions provide administrative support for resolving disputes rather than resolving the disputes themselves. In general, there are convincing arguments supporting the view that the mediation institutions should be qualified as data controllers, i.e. as those who determine the purposes and means of personal data processing, since they are independent entities and process the data they receive for their own purposes, which are not defined or controlled by the parties or their lawyers. Even mediation institutions established in jurisdictions outside of the European Economic Area (EEA) have direct compliance obligations when they process personal data governed by the GDPR. As a result, the legitimate transfer of personal data to mediation institutions established in third countries will pose a challenge.

8 Data Transfer in Third Countries When personal data are transferred from within the EEA to third countries or to international organisations outside the EEA, the level of data protection should not be undermined.98 Data flows to third countries are only allowed if they comply with the rules set out in Chapter V GDPR. Third-country transfer restrictions apply to any personal data transferred outside the EEA by any participant during a mediation process. Several data communications in the context of mediation will be covered by the transfer restrictions, given that the notion of transfer is very broadly interpreted. For example, transfer will normally include any downloading of a document or opening an email while outside the EEA or even storing a document on a computer that is outside of the EEA. In view of the above, data transfer may occur in numerous occasions, e.g. when data are sent to the mediator or to a disputing party located outside the EEA. As regards institutional mediation specifically, filing a written request for mediation to an institution established in a third country, e.g. SIAC99 (Singapore), will also qualify as data transfer should it contain personal data. Notions like the “seat” of mediation is irrelevant for the assessment of whether data are exported. As already mentioned above, in the absence of an adequacy decision pursuant to Article 45(3) GDPR or of appropriate safeguards pursuant to Article 46 GDPR, a e. any agreement as to the language(s) of the, or, in the absence thereof, any proposal as to such language(s); f. any agreement as to the location of any physical meetings, or, in the absence thereof, any proposal as to such location; g. any joint nomination by all of the parties of a Mediator or any agreement of all of the parties as to the attributes of a Mediator to be appointed by the Centre where no joint nomination has been made, or, in the absence of any such agreement, any proposal as to the attributes of a Mediator; h. a copy of any written agreement under which the Request is made”. 98 Recitals 101 and 116 GDPR. The area of free data flow has been extended by the Agreement on the European Economic Area (EEA), which brings Iceland, Liechtenstein and Norway into the internal market. 99 Singapore International Mediation Centre.

18

Viewing Mediation Under the GDPR Lens

443

transfer of personal data to a third country or an international organisation may take place, among others, if the transfer is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or outof-court procedure.100 This is expected to cover most data exchanged in a mediation process to the extent that they are objectively relevant to the issues being mediated.101 Data transfer is not necessary as long as the mediation can be conducted with sufficient prospect of success even without the data or with the data in an anonymised form. Although the appointment of a mediator or a mediation institution established in a third country does not per se constitute a violation of the EU data protection law, for practical reasons, one may prefer choosing an EEA-based mediator/mediation institution102 so as to avoid data transfer difficulties. In any case, mediators/mediation institutions established outside of the EU that envisage offering their mediation services to data subjects who are in the EU still fall under the scope of the GDPR, according to Article 3 (2) (a) GDPR, and will have to comply with its provisions. This means that, among others, they have to designate in writing a representative in the EU (Article 27 GDPR).

9 Conclusions In the context of mediation and with the objective of maximising efficiency and minimising data protection risks, it is advisable to conduct a “data mapping” in view of identifying where the case-relevant data are and possibly pre-calculate the necessary information flow. Moreover, in order to comply with the GDPR requirements, it may be necessary to conclude a data protection protocol among everyone receiving personal data so as to deal with data protection issues in the course of mediation.103 This protocol will typically address transparency issues (e.g. data privacy notices), data security, data transfer and data breach notification and focus on the determination of the respective responsibilities in order to comply with the obligations under the Regulation. Evidently, reconciling the GDPR with the special characteristics of mediation is challenging. This is further complicated by the overlapping rights and duties that the GDPR places on the parties, their legal counsels, the mediation institutions and the mediators, each of whom may have individual obligations for GDPR compliance. As explained above, the key actors of a mediation will generally qualify as data controllers when the GDPR is applicable. Even if it is open to discussion whether

100

Recital 111. See also e.g. Pauly (2018), DS-GVO Art. 49 rec. 21. Schröder (2018), DS-GVO Art. 49 rec. 34, Pauly (2018), DS-GVO Art. 49 rec. 21. Cf. Lange and Filip (2019), DS-GVO Art. 49 rec. 35. 102 Cf. on the selection of arbitrators Paisley (2018), pp. 892–893. 103 Paisley (2018), p. 911, Burianski and Braun (2019), p. 1099. 101

444

K. Komnios

joint controllership requirements would apply, the idea of putting in place an arrangement with the scope to address at the earliest possibility data protection issues during the mediation process is appealing to say the least. This arrangement would address issues like who is the recipient of personal data, whether there are specific national law provisions concerning data protection and mediation, whether a data transfer will take place and how the mediation stakeholders shall ensure the protection of the rights of the data subjects. Moreover, a data protection “roadmap” of this form may be beneficial in the form of a data protection policy, promoting the realisation of the accountability principle. With the above-mentioned practical solution addressing data protection concerns and the absence of specific EU provisions on data protection requirements in the context of mediation in mind, national legislators—within the framework set out by the GDPR—could adjust their respective mediation laws in order to enhance clarity and legal certainty and to avoid hurdles that may undermine mediation as a means of facilitating better access to justice.104

References Albers M, Veit RD (2019) In: Wollf HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 30th edn. C.H. Beck, München Albrecht JP, Jotzo F (2017) Das neue Datenschutzrecht der EU. Nomos, Baden-Baden Blackaby N, Partasides C et al (2015) Redfern and hunter on international arbitration, 6th edn. Oxford University Press, Oxford Bühring-Uhle C, Kirchhoff L, Scherer G (2006) Arbitration and mediation in international business, 2nd edn. Kluwer Law International, The Hague Burianski M, Braun B (2019) DSGVO und internationale Schiedsverfahren – ein Jahr danach. Betriebsberater 20:1096–1100 Burianski M, Reindl M (2010) Truth or dare? The conflict between E-discovery in international arbitration and German data protection rules. SchiedsVZ 4:187–200 Clark B (2012) Lawyers and mediation. Springer, Berlin Däubler W (2018) Das Kollisionsrecht des neuen Datenschutzes. RIW 7:405–412 De Palo G, Trevor MB (eds) (2012) EU mediation law and practice. Oxford University Press, Oxford Esplugues C, Iglesias JL, Palao G (eds) (2014) Civil and commercial mediation in Europe, vol 1: national mediation rules and procedures. Intersentia, Cambridge European Union Agency for Fundamental Rights and Council of Europe (2018) Handbook on European Data Protection Law. Luxembourg Frenzel EM (2018) In: Paal B, Pauly D (eds) Datenschutz-Grundverordnung Bundesdatenschutzgesetz, 2nd edn. C.H. Beck, München Fritz G, Prantl D, Leinwather N, Hofer M (2019) Datenschutz in internationalen Schiedsverfahren – Ein Überblick. SchiedsVZ 6:301–309 Hopt KJ, Steffek F (2013) In: Hopt KJ, Steffek F (eds) Mediation: principles and regulation in comparative perspective. Oxford University Press, Oxford

104

Cf. Recital 2 Mediation Directive.

18

Viewing Mediation Under the GDPR Lens

445

Keppeler L (2019) Warum Anwälte nach der DSGVO nicht (zwingend) Ende-zu-Ende verschlüsselt kommunizieren müssen. Praxisprobleme in der Anwendung von Art. 32 DSGVO. Computer und Recht 1:18–24 Koreng A (2019) In: Taeger J, Gabel D (eds) DSGVO - BDSG, 3rd edn. Deutscher Fachverlag, Fachmedien Recht und Wirtschaft, Frankfurt Lange L-M, Filip A (2019) In: Wollf HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 30th edn. C.H. Beck, München Markou C (2019) Cyprus: a look into the law for the effective application of the GDPR. Eur Data Protect Law Rev 3:389–396 Paisley K (2018) It’s all about the data: the impact of the EU general data protection regulation on international arbitration. Fordham Int Law J 41:841–936 Pauly D (2018) In: Paal B, Pauly D (eds) Datenschutz-Grundverordnung Bundesdatenschutzgesetz, 2nd edn. C.H. Beck, München Piltz C (2018) In: Gola P (ed) Datenschutz-Grundverordnung, 2nd edn. C.H. Beck, München Plath KU (2018) In: Plath KU (ed) DSGVO/BDSG, 3d edn. Verlag Dr. Otto Schmidt, Köln Ritter S (2018) In: Schwartmann R, Jaspers A, Thüsing G, Kugelmann D (eds) Heidelberger Kommentar: Datenschutz-Grundverordnung/Bundesdatenschutzgesetz. C.F. Müller, Heidelberg Schantz P (2019) In: Simitis S, Hornung, Spiecker gen. Döhmann I (eds) Datenschutzrecht. Nomos, Baden-Baden Schiff A (2018) In: Ehmann E, Selmayr M (eds) Datenschutz-Grundverordnung, 2nd edn. C.H. Beck, München Schröder (2018) In: Kühling J, Buchner B (eds) Datenschutz-Grundverordnung, Bundesdatenschutzgesetz: DS-GVO/BDSG, 2nd edn. C.H. Beck, München Schulz S (2018) In: Gola P (ed) Datenschutz-Grundverordnung, 2nd edn. C.H. Beck, München Voigt P, Von dem Bussche A (2017) The EU general data protection regulation (GDPR). Springer, Berlin Vos G (2016) The relationship between formal and informal justice: the courts and alternative dispute resolution (ADR). Paper presented at the Workshop on The Implementation of the Mediation Directive, 29 November 2016, pp 31–42 Weichert T (2018) In: Kühling J, Buchner B (eds) Datenschutz-Grundverordnung, Bundesdatenschutzgesetz: DS-GVO/BDSG, 2nd edn. C.H. Beck, München Wilske S, Markert L, Bräuninger L (2019) Entwicklungen in der internationalen Schiedsgerichtsbarkeit im Jahr 2018 und Ausblick auf 2019. SchiedsVZ 3:101–120 Zahariev M (2019) Data protection in commercial arbitration. In: The light of GDPR. LAP LAMBERT Academic Publishing, Mauritius

Chapter 19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer Privacy and Economic Freedom: The Responses of the EU Legal Order Eleni Tzoulia

Abstract Targeted advertising is considered to jeopardize both the privacy and the economic freedom of individuals. Therefore, at EU level, it is scrutinized from both data and consumer protection law perspectives. It is argued that, in contemporary algorithmic society and digitalized economy, targeted advertising entails additional risks, which relate mainly to (a) excessive data processing and the formation of hyperanalytical consumer profiles, (b) unfair treatment of consumers and obscure decision-making based on autonomous software (AI), and (c) intraplatform and in-app transactions. This study examines whether the applicable EU regulatory framework provides the necessary toolkit to address these modern challenges. In this respect, it conducts a critical analysis pertaining to the General Data Protection Regulation (GDPR), the ePrivacy Directive, and its long-anticipated successor, the ePrivacy Regulation, as well as Directive 2005/29 on unfair commercial practices, taking into consideration the latest pertinent jurisprudence.

1 Introduction The term “targeted advertising” refers to sales promotion measures, which address individual recipients, having been tailored in advance to their purchasing needs and desires. In this sense, targeted advertising is at the same time “direct” and “behavioural.” It contrasts with that type of marketing that is mass produced and appeals uniformly to an indefinite number of consumers, regardless of any circumstances distinguishing each other.

E. Tzoulia (*) Department for Economic and Commercial Law, Law School, Aristotle University of Thessaloniki, Thessaloniki, Greece School of science and technology, Hellenic Open University, Patras, Greece e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_19

447

448

E. Tzoulia

Targeted advertising, like any other type of marketing, bears the inherent risk of distorting the consumer’s financial behavior. It may be, for instance, misleading or harassing, thus leading its recipients to transactional decisions they would not have met otherwise. Compared to common advertising, however, targeted advertising entails also the prior collection and processing of its recipients’ personal data. It also reaches each consumer personally, penetrating his/her private sphere, e.g., the electronic networks he/she uses, his/her social media accounts, etc. Consequently, targeted advertising also endangers consumer privacy in multiple ways. Based on the above, it is acknowledged that targeted advertising is regulated at EU level by at least three pieces of legislation.1 On the one hand, the General Regulation on Personal Data (GDPR)2 applies. It has been in force since May 2018, after repealing and replacing Directive 95/46/EC, and lays down the principles and rules for the protection of natural persons regarding the processing of their personal data. Directive 2002/58/EC (“ePrivacy Directive”)3 complements the GDPR as lex specialis4 by introducing a principle of confidentiality with reference to electronic communications. It remains temporarily in force to date but is expected to be replaced by an “ePrivacy Regulation.” In view of the above, targeted advertising utilizing online tracking techniques, thus reaching its recipients remotely by electronic means, is covered also by the EU legislation on ePrivacy. On the other hand, inasmuch as the recipient of targeted advertising falls within the EU concept of consumer,5 EU consumer law is also applicable. In this context, Directive 2005/296 on unfair commercial practices represents a framework law, which regulates business-to-consumer (B2C) marketing horizontally regardless of the means used 1

Without prejudice to any sector-specific piece of legislation related to the type of the promoted product. 2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119/2016. 3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201/2002. 4 See Art. 95 and rec. 173 GDPR. 5 In EU law discourse, as “consumer” is regarded any natural person for the transactions he carries out to meet his living needs. It follows that legal persons cannot be protected as consumers. However, in relation also to natural persons the consumer status is conjunctural. It is namely attributed to them in those cases only when they engage in transactions which serve purposes unrelated to their professional or business activity. On the other hand, the concept of “data subject” is broader, since it refers to every natural person, regardless of the purposes served by his/her participation in transactional relations. Nevertheless, any consumer in the above sense represents at the same time a data subject regarding the information identifying him/her and its processing by third parties. 6 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council, OJ L 149/2005.

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

449

by advertisers to reach the consumer. It has been recently amended by Directive 2019/2161/EU,7 which should be transposed in the national legal orders of the EU Member States by 2022. Certain technological developments and economic trends have transformed the practice of targeted advertising over the last decades. Therefore, it is supposed to pose aggravated risks to the consumer privacy and economic freedom, which this study endeavors to identify. Subsequently, the study will examine the protection provided in that regard by the pertinent legal framework, as it currently stands. Any relevant contribution of the pending reforms will be also indicated and commented upon.

2 Targeted Advertising in the Fourth Industrial Revolution 2.1

Evolution and State of the Art of Targeted Advertising

The personalization of commercial decisions was first based on information collected by businesses in the context of their transactions with their customers. These data enabled the formation of behavioral profiles that attributed to each individual specific purchasing attitudes and tendencies. The relevant inferences were based on benchmarks retrieved from several disciplines, like psychology, sociology, and anthropology, as well as on historical and statistical data.8 To the extent that this process pursued the optimization of one’s services toward his/her clientele and the consolidation of trust and loyalty in their relations, it has been characterized as “relationship marketing.” 9 Over the last decades, technological progress and the wide spread of the Internet facilitated the implementation of new techniques for collecting personal data. Digitalization permitted the storage of larger data sets and simplified their transmission, while the improvement of computer programming made it easier to categorize, associate, and analyze data. These developments enable businesses to track consumers, with whom they have never engaged in transactions before. In addition, traders are now able to create more thorough and accurate consumer profiles in shorter time. Moreover, the emergence of new means of communication has facilitated the consumer’s approach from a distance. Targeted advertising can be sent through Short Message Service (SMS) or Multimedia Messaging Service (MMS) to 7 Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rule, OJ L 328/2019. 8 Marketing science has identified several factors that determine value differences among consumer groups and justify respective differences in their transactional behavior. See, for instance, De Mooij and Hofstede (2010), pp. 85–110. 9 See on that Tzoulia (2013), p. 39.

450

E. Tzoulia

one’s mobile phone, enter his/her inbox by email, but also appear as pop-up or interstitial on his/her browser while surfing the web. The most recent forms of online targeting comprise sponsored links on social media profiles,10 the so-called keyword advertising,11 as well as referrals to promoted sites through the “auto-complete” function of search engines.12 Nowadays, humanity is supposed to experience the beginning of the fourth industrial revolution. This is characterized by the convergence of a digital, natural, and biological world, which is facilitated by artificial intelligence (AI) and the so-called Internet of Things (IoT). The term AI refers to algorithmic software capable of imitating features of human behavior which imply intelligence, such as cognitive and problem-solving abilities. Although AI applications have been long deployed in several industry and transaction fields,13 the pertinent discipline experiences today an unprecedented booming due to the implementation of machinelearning techniques. Machine-learning algorithms and deep-learning networks can improve their analytical skills by training themselves on data. Thus, they can confer on computing systems the ability to perform tasks autonomously without prior human modeling.14 Moreover, smart computing programs can be embedded in everyday objects and get interconnected over the Internet, thanks to Radio- Frequency Identityfication (RFID) chips. This practically endows physical objects with the capacity to communicate with each other and with human beings,15 which has been aptly described as a state of “ambient intelligence.”16 Based on the above, once AI is involved in systems used to support decisionmaking, like consumer profiling, the individual is potentially subject to evaluations based solely on automated data processing. Moreover, nowadays, due to the widespread use of smart devices, individuals may be subject to continuous monitoring and profiling. Businesses are capable to collect data useful for identifying behavioral patterns, not only while the consumer is browsing the web but also while he/she is driving his/her car, watching TV, doing sports, or even sleeping.17 By the same token, consumers may be constantly confronted with targeted content, often without being aware of it. The issues of concern raised by these developments are analyzed below.

10

Sieling and Lachenmann (2012), pp. 156–159. Knaak (2014), pp. 770–777; Ohly (2018), pp. 131–139; Ohly (2010), pp. 776–785. 12 See Hoeren (2018), pp. 673–676. 13 See European Parliament Briefing State of the art and future of artificial intelligence, PE 631.051 (2019). 14 European Parliament Briefing How artificial intelligence works, PE 634.420 (2019). 15 See Mullan (2014), p. 170; Hüther and Danzmann (2017), p. 834. 16 For instance, Bibri (2015). 17 European Parliament Briefing Artificial Intelligence: Challenges for EU Citizens and Consumers, PE 631.043 (2019), p. 2 et seq. 11

19

2.2

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

451

Increased Risk of the Consumer’s Financial Freedom Being Impaired

Algorithms supporting commercial decision-making are trained to identify which ads are most likely to cause transactional decisions in any given case. In this respect, account might be taken also of consumers’ misfortunes or weaknesses and that timing and content of advertising might be chosen, to which consumers appear most vulnerable.18 Under these circumstances, consumers can be coerced into transactional decisions that they would not have met otherwise. Moreover, the constant siege of consumers with promotional content, which is automatically selected based on their behavior, can trap them in a state of virtual reality regarding market conditions. Namely, if consumers receive those offers only, which are considered to correspond to their individual profile, they are deprived of thorough and objective information that would enable them to make deliberate transactional decisions. Digital environments, in which the accessibility, dissemination, and content of information are algorithmically determined, are often characterized as “filter bubbles” or “echo chambers.”19

2.3

Unfair Algorithmic Treatment of Consumers

Another concern related to the above is that automated commercial decision-making can lead to unjustifiable discrimination among individuals and societal groups. On the one hand, certain consumers may be excluded from offers and privileges based on parameters that normally should not affect one’s eligibility for receiving them, e.g., gender, race, religious beliefs, or political views.20 This kind of discrimination may result from inherent errors in the algorithmic decision system applied21 or even from prejudices of those administering it, who intentionally create biased databases and let algorithms reproduce social stereotypes in order to achieve unfair market segmentation.22 From another perspective, algorithmic discrimination occurs where consumers receive differentiated deals for the same product based on their profile. A typical example is that of personalized pricing based on each consumer’s welfare, consumption patterns, or vulnerabilities. By this practice, businesses sell their products

18

Ibid, p. 6. Among others see Drexl (2017), pp. 529–543. 20 For instance, newly built houses being offered only to those matching the existing ethnic composition of the region. 21 BEUC Automated decision making and artificial intelligence – A consumer perspective, BEUCX-2018-058 (2018), p. 8. 22 Flett and Wilson (2017), p. 73. 19

452

E. Tzoulia

on the price each consumer would be eager or able to pay.23 This way, however, consumers lose their ability to access competitive prices, face nontransparent markets, and suffer welfare losses.24

2.4

Lack of Transparency and Uncertain Liability

As noted above, AI systems nowadays get integrated into everyday objects and adapt them to the habits of their users. For this individualization to be implemented, the user’s personal data are collected and processed. In many cases, the consumer does not understand when, for what reason, and to what extent his/her data are analyzed nor whether the content he/she receives is associated with these analyses. Most possibly, it is not obvious to the consumer what are the decisive correlations and the statistical deductions leading to each algorithmic decision concerning him/her. This situation gets aggravated by the fact that today evolutionary machinelearning techniques enable algorithms to improve their performance without having been subject to any previous programming. Consequently, they come up with statements that are unpredictable, inexplicable, and unverifiable even for the engineers who initially designed them.25 Under these circumstances, the algorithmic reasoning behind commercial decision-making can be neither proved nor contested by the consumer. This lack of transparency, often referred to as “algorithm blackbox,”26 is fortified by the fact that algorithmic software supporting automated decision-making is commonly protected by intellectual property rights and trade secrets.27 Automation creates also opacity as regards attributing liability for incorrect or biased profiling outcomes. On the one hand, it is disputed whether erroneous assessments made by means of fully autonomous algorithmic software should be assigned to its programmer or to the business applying it.28 On the other hand, it is speculated that the autonomy of the software itself may interrupt the causal link between human fault and the impairment of the consumer’s financial freedom.29

23

See Paal (2019), p. 44. BEUC (2018), p. 9. 25 Flett and Wilson (2017), p. 72 et seq. 26 Among others see BEUC (2018), p. 5 et seq. 27 European Parliament Understanding algorithmic decision-making: Opportunities and challenges, PE 624.261 (2019), p. 66 et seq. 28 Flett and Wilson (2017), p. 73. 29 See European Parliament Report with recommendations to the Commission on Civil Law Rules on Robotics, A8-0005/2017 (2017), p. 16 et seq. 24

19

2.5

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

453

Algorithmic Competition and Data Monopolies

For many years, global economy gets digitalized. First, businesses that used to operate exclusively in the analog environment now facilitate distance transactions by electronic means. Besides, new services are provided today that serve exclusively the online activity of the user, such as social networks, search engines, etc. Moreover, ever since mobile Internet has proliferated, all Internet service providers have penetrated mobile commerce through mobile apps. In general, modern mobile applications are meant to satisfy every conceivable need and desire of a portable device user. As a result, numerous innovative services have emerged in recent years, such as GPS and location-based systems, medical apps, portable scanners, facial recognition apps, etc. Many of the above services are provided through two- (or multi-)sided platforms. Within such digital environments, providers follow an open access model toward end users and monetize their traffic through their business users. The latter may be required to pay commission for using the platform for commercial purposes. More commonly, though, they purchase intraplatform targeted advertising services. The ratio of this economic model is that the more users a platform accumulates, the more targeted advertising orders it will be entrusted to, thereby increasing its profits.30 As noted above, algorithms involved in AI decision-making get trained on data. Therefore, platform providers need to concentrate and analyze big datasets in order to maximize the relevance of sponsored ads with the profiles of their end users. To this end, they may utilize online tracking techniques or even appeal to data brokers. Consenting to the privacy policy of a digital platform is commonly set as a precondition for end users signing up. The above raise two issues of concern: on the one hand, the popularity of certain platforms may lure or force end users into consenting to the collection of their data in order to register. On the other hand, the concentration of huge amounts of data enables popular platforms to continuously optimize their services, thus acquiring a competitive edge over all their existing and prospective competitors. In other words, the monopolization of personal data in the context of algorithmic competition may confer excessive economic power to certain companies, thus enabling them to annihilate their competitors. This can end up to lock-in effects, which inter alia entail consumers being exposed to insufficient and partial information.31

30

See on that Tzoulia (2020), p. 195 et seq. European Parliament Briefing Artificial Intelligence: Challenges for EU Citizens and Consumers, supra n17, p. 3; BEUC (2018), p. 9. 31

454

2.6

E. Tzoulia

Targeted Advertising as In-App Advertising

Due to the spread of mobile commerce, consumers are now receiving targeted advertising on increasingly smaller smart devices. The restrictions in terms of space and time that these devices reserve for their users may increase the misleading and harassing effects of targeting advertising. In such environments, namely, the user faces difficulties in not only erasing unsolicited ads but also reading them properly and understanding them. As a result, the consumer may be forced or deceived into unwanted transactional decisions.

3 Targeted Advertising in the Light of GDPR 3.1

General Remarks

The GDPR is supposed to regulate that stage of targeted advertising, which pertains to the processing of consumers’ personal data with a view to shaping future commercial policies. The EU legislator is aware of the sophistication featured by modern profiling and of the fact that decision-making relies largely today on algorithmic assessments. It is also acknowledged that these mechanisms are commonly employed for, inter alia, commercial purposes. Consequently, the GDPR attempts to establish an appropriate legislative regime to mitigate the risks identified above, making explicit references to targeted advertising and implications for the consumer’s right to fair algorithmic treatment.32 Profiling is defined in the GDPR as any form of automated data processing that is meant to evaluate certain personal aspects of the data subject and to predict his/her preferences, behaviors, and attitudes.33 Human intervention does not exclude data processing from this concept per se, i.e., profiling does not need to entail solely automated data processing.34 Moreover, profiling in the above sense does not have to incorporate a stage of decision-making.35 However, automated decision-making, whether based on prior profiling or not, is regulated by the GDPR separately.36

32

See recitals 38, 47, 58, 70 and 71, as well as Article 21. Pursuant to the definition provided by Article 4 par. 4 GDPR. See on this concept the analysis of Rustici (2018), pp. 34–43. 34 Article 29 Data Protection Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP251rev.01 (2018), p. 7 et seq. 35 Compare Article 1 (e) of the Committee of Ministers Recommendation to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling, CM/Rec(2010)13 (2010), p. 9. 36 WP29 Guidelines, supra n34, p. 8. 33

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

455

The GDPR introduces the concept of privacy by design and by default37 and establishes the responsibility of the data controller38 not only for complying with its provisions but also for being able to demonstrate compliance in any occasion.39 Jointly and severally liable for eventual infringements is also the data processor,40 i.e., whoever executes the processing on behalf of the controller.41 Any trader processing personal data for purposes related to sales promotion acquires the status of a data controller. Eventual intermediaries executing consumer profiling or implementing techniques of automated commercial decision-making on behalf of the trader constitute data processors according to the GDPR’s terminology. In broad terms, the above activities are subject to the general principles governing any type of data processing,42 which are summarized in Article 5 GDPR and further analyzed in the provisions following it. Consequently, consumer profiling and automated commercial decision-making are basically expected to be lawful, transparent, and fair. In their case, however, the implementation of these principles entails some additional obligations and certain restrictions for data controllers and their intermediaries, which the following sections endeavor to explore.

3.2

Targeted Advertising and the Lawfulness Principle

Lawful data processing shall be based on one or more of the grounds provided restrictively for by Article 6 GDPR. Accordingly, it is expected to be either authorized by the data subject or justified by a particular necessity, i.e., the performance of a contract with the data subject, compliance with a legal obligation imposed on the controller, the protection of the vital interests of the data subject or another natural person, or the performance of a task in the exercise of an official authority or in the name of the public interest. Processing is considered lawful also when it serves a “legitimate interest” of the data controller or a third party, except where such an interest is overridden by the interests, fundamental rights, and freedoms of the data subject.

37

See Art. 25. Article 4 point (7) of the GDPR defines as “data controller” any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. 39 “Accountability” principle, according to Article 5 par. 2. 40 See Articles 79 and 82 GDPR. 41 Article 4 par. 8. See on these notions CJEU, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, Case C 40/17, Judgement of 29.7.2019. 42 See recital 72 of the GDPR. 38

456

3.2.1

E. Tzoulia

The Trader’s Legitimate Interest to Exercise Targeted Advertising

In terms of the latter legal ground43 interpreted in the light of recital 47 GDPR, legitimate interests comprise any real and present benefits pursued by the data controller, which are acceptable under the law.44 The Regulation prescribes a balancing test to be carried out between the interest invoked by the data controller and the impact of data processing on the data subject. In the context of this assessment, all actual and potential consequences of the processing should be considered.45 Moreover, all interests, fundamental rights, and freedoms of the data subject relevant to the scope of the GDPR shall be weighed. Such are, for instance, the ones referring to the protection of private and family life, image and name, economic freedom, as well as nondiscrimination and self-determination. For the controller’s legitimate interest to ultimately prevail, it is presupposed that data processing complies with the principle of proportionality,46 that the data subject could have reasonably expected it to take place under the pertinent circumstances,47 as well as that appropriate safeguards for the latter’s rights and interests are in place.48 The data controller is accountable to justify data processing based on legitimate interests. Therefore, he/she bears the responsibility to conduct and document any necessary risk assessments in advance.49 The economic interest of a company to process personal data for the purpose of service personalization and targeted advertising is considered in principle legitimate within the meaning of Article 6 par. 1(f) GDPR.50 It is also accepted that a person engaging in transactions with a trader can reasonably expect data shared in this context to be used for future commercial solicitations.51 However, these assumptions do not legitimize consumer profiling without prior consent per se. On a case-by-case basis, the nature and scale of the data processed, their sources of collection, as well as

43

See Art. 6 par. 1(f) GDPR. Article 29 Data Protection Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP217 844/14/EN (2014), p. 24 et seq. 45 Whether it is likely to cause e.g. privacy breaches, societal degradation, monetary damages, etc., or to distort third-party decisions concerning the data subject. Whether the data subject may suffer emotional distress is also of relevance. 46 It is a necessary and appropriate measure to pursue the interest at stake and does not affect the data subject severely. In this respect, the nature of the data and the way they are processed should also be taken into consideration. 47 Taking account of the data controller’s status and object of activity, any legal or contractual terms applying etc. 48 For instance, anonymization techniques, privacy-enhancing technologies, easy-to-use opt-out tools, etc. See WP29 Opinion, supra n44, p. 51. 49 Art. 24 GDPR. See also WP29 Opinion, supra n44, p. 43 et seq. 50 This is clearly stated under recital 47 and derives also from Article 21(2). See also Klar (2019), p. 2248 et seq. 51 See WP29 Opinion, supra n44, p. 31. 44

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

457

the techniques used for their analysis may deem the consumer’s consent necessary. It can be argued that scenarios like the ones cited above, entailing the processing of data acquired through online tracking52 or purchased by third parties, as well as algorithmic assessments without human intervention, necessitate prior consent.53 In line with the above, Article 22 GDPR prohibits automated decision-making in so far as it produces legal effects or otherwise significantly affects the data subject. By exemption, the prohibition shall not apply where automated decision-making is necessary for entering or performing a contract or authorized by the law or based on the data subject’s explicit consent. As argued under the preceding section,54 “significant” in the above sense may be also the influence exercised by automated commercial decisions on the economic interests of the consumer.55 Consequently, automated decision-making, including profiling serving the purposes of targeted advertising, is in principle forbidden, unless conducted on the basis of the consumer’s prior explicit consent. 3.2.2

The Consumer’s Consent to Automated Profiling and Decision-Making

Where consumer profiling is based on consent, the requirements prescribed in Article 4 par. 11 GDPR must be fulfilled. These are further specified by Article 7 and recitals 32, 33, 42, and 43 of the Regulation. Accordingly, the consumer’s consent must precede any processing of his/her personal data.56 It must be specific and informed, i.e., must relate specifically to data processing for targeted advertising purposes and be granted after the consumer has received information about a series of parameters, which enforce the principle of transparency analyzed in the following section. Moreover, consent must be freely given, i.e., must follow as a genuine choice, although the consumer had the option to refuse without detriment. It has been controversial whether consent to data processing having been set as a prerequisite for the conclusion of a contract or the provision of a service fulfills the latter condition. This is the case, for example, when subscribing to an online platform is conditional upon consenting to the provider's privacy policy.57 As

52

See on that the contemplations of Remmertz (2018), p. 254 et seq, and Markou (2016). See WP29 Opinion, supra n44, p. 26 and 46 et seq; Article 29 Data Protection Working Party Opinion 3/2013 on purpose limitation, WP203 00569/13/EN (2013), p. 45 et seq; ICO Update report into adtech and real time bidding (2019), available under https://ico.org.uk/media/about-theico/documents/2615156/adtech-real-time-bidding-report-201906.pdf, p. 18. 54 See above under Sect. 2. 55 This is acknowledged in recital 71 GDPR. See also WP29 Opinion, supra n34, p. 21 et seq. 56 Article 29 Working Party Guidelines on consent under Regulation 2016/679, WP259 rev.01 (2018), p. 17. 57 See for instance the contrasting decisions: Bundeskartellamt, Decision of 6.2.2019, B6-22/16, https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/ 2019/B6-22-16.pdf?__blob¼publicationFile&v¼4, and OLG Düsseldorf, Beschuss v. 26.8.2019, 53

458

E. Tzoulia

explained above, these schemes enable online service providers to monetize the “network effects” of their platform.58 They do not literally charge end users for signing up, thus attracting more traffic. By means of personal data accumulation, however, they can personalize sponsored ads, thus making money from their business users. It can be argued that the GDPR does not in principle preclude such practices. It is more generally observed that the EU legislator acknowledges the economic value attributed to personal data nowadays and considers their tradability as a driving force for the common digital market.59 This is evidenced by the recently adopted Directive 2019/2161/EU, which amends Directive 2011/83/EU by explicitly extending its scope to contracts where the consumer’s consideration for goods or services consists in the provision of personal data rather than money.60 In such cases, however, freely given consent presupposes that the consumer has been informed in advance about the purpose served by data processing, may it be the optimization of user experience on the online platform or third-party advertising. The required personal data must be necessary for the envisaged purpose to be fulfilled.61 It is also suggested to be considered whether the consumer had the alternative under the pertinent circumstances, instead of granting consent to the processing of his/her data, to pay monetary consideration for the full use of the service, to use a downgraded version of the service for free, or even to seek an equivalent service from another provider.62 Consent must be finally manifested by an unambiguous indication, i.e., either by a statement or by a clear affirmative action. In this sense, inaction or silence cannot be interpreted as agreement.63 In broad terms, the proper way for obtaining consent depends on the specific context of each given case. As a rule, consenting is expected to cause the least possible disturbance to the data subject and be demonstrated in a verifiable way.64 In the case of automated decision-making, however, “explicit”

ECLI:DE:OLGD:2019:0826.KART1.19V.00. English translation available under: https://www.dkart.de/wp-content/uploads/2019/08/OLG-D%C3%BCsseldorf-Facebook-2019-English.pdf. See also Bauer (2008), pp. 435–438. 58 See on this term Belleflamme and Peitz (2018). 59 See on that European Parliament Is data the new oil? Competition issues in the digital economy, PE 646.117 (2020). 60 See Article 4 par. 2(b) Directive 2019/2161/EU of 27.11.2019 amending Council Directive 93/13/ EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules, OJ L 328/7. 61 Art. 7 par. 4 GDPR and rec. 43 GDPR. 62 See on this issue Remmertz (2018), p. 255. Compare the reasoning of BGH, KVR 69/19, 23 June 2020, justifying the establishment of anticompetitive abuse by Facebook’s data policy 63 No valid declaration of consent by means of a pre-ticked checkbox, CJEU, Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v Planet49 GmbH, Case C 673/17, Judgement of 1 October 2019. 64 See Art. 7 par. 1 GDPR.

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

459

consent is required. This condition is supposed to be in principle fulfilled by written statements, signed by the data subject where possible,65 or recorded oral statements.66 3.2.3

The Consumer’s Right to Object to Automated Profiling and Decision-Making

Regardless of the legal ground deemed appropriate when processing data for commercial purposes, the consumer retains the right to, respectively, either withdraw his/her provided consent or object to the processing taking place without his/her prior consent, at any time, thus forbidding any further processing post hoc.67 In the latter case, the data controller is obliged to bring this right to the attention of the consumer explicitly, clearly, and separately from any other information, at the latest at the time of their first communication for direct marketing purposes.68 When exercising his/her right to object, the consumer does not have to provide any justification.69 The controller will then have to interrupt processing and erase all collected data.70 The reservation of Article 21(1) that the controller may continue data processing despite the data subject’s objection if he/she demonstrates compelling legitimate grounds to do so does not refer to financial interests. Therefore, it does not apply to profiling serving the purpose of targeted advertising.71 Specific criteria for the validity of expressing the data subject’s opposition to the processing of his/her personal data have not been established by EU law. Article 7 (3) GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easy as giving consent. Article 21(5) GDPR further prescribes that, in the context of information society services, the data subject may exercise his/her right to object by automated means using technical specifications.72 Based on these provisions, it can be argued that the controller bears the responsibility to provide means of opposition suitable for the medium used for the commercial communication. Any method shall be deemed appropriate inasmuch as it remains free of charge, is not time-consuming or complicated, and at the same time can efficiently signify the consumer’s disagreement to the processing of his/her personal data within the given context.

65 Such statements may be issued by filling in an electronic form, sending an email, uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. 66 WP29 Guidelines, supra n56, p. 18. 67 Articles 21 par. 2 and 3, 7 par. 3 of GDPR. 68 See Article 21 par. 4 GDPR. 69 Compare paras 1 and 2 of the Article 21 GDPR. See on that Albrecht (2016), p. 38. 70 Articles 21 par. 3 and 17(1)(c) of GDPR. 71 WG29 Guidelines, supra n34, p. 18. 72 “Do not track” signal, according to Albrecht (2016).

460

E. Tzoulia

It should be noted that the consumer’s “right to object” covers separately the process of automated decision-making serving commercial purposes, whether it is based on prior profiling or not. Although Article 22 GDPR explicitly refers only to the data subject’s right to challenge algorithmic decisions affecting his/her interests, it also stipulates that data controllers are in principle obliged to safeguard all rights prescribed by the Regulation when exercising solely automated data processing. Therefore, this provision does not negate the individual’s ultimate right to prohibit being subject to automated decision-making per se. The consumer’s right to object to algorithmic decision-making processes literally consists in withdrawing his/her prior explicit pertinent consent. Such an opposition may be manifested in any verifiable way that is convenient for the consumer in the given case, i.e., not necessarily “explicitly” in the sense of this term analyzed above. Commercial decisions having already been taken at the time of the opposition remain valid according to Article 7(3) GDPR.

3.3

Targeted Advertising and the Transparency Principle

The principle of transparency postulated in Article 5 par. 1(a) GDPR is thoroughly analyzed in recitals 39, 60, 63, 70, and 71, as well as in Articles 12 to 14, 21, and 22 of the Regulation.73 In accordance with these provisions, irrespective of the lawful ground on which consumer profiling is based, i.e. even in the exceptional case that it lawfully takes place without the consumer’s prior consent, the latter shall be provided with adequate information on a series of parameters. The provision of this information is also a prerequisite for the validity of the consumer’s consent to data processing for commercial purposes. 3.3.1

The Consumer’s Right to Be Informed

The required information refers to the trader’s identity and contact details, the purposes served by data processing, as well as the categories of data processed and their sources, in case they do not stem from the consumer himself/herself. Any recipients of the collected personal data, may they be data controllers, data processors, or third parties, must be named. In this context, details of eventual data transfers to third countries must be also given. In addition, the duration of the data storage must be determined. Finally, all rights granted to the data subject by the GDPR, as incorporated in Articles 15 et seq., must be communicated. The Regulation grants data subjects a right to access (Article 15), rectification (Article 16),

73

See also Ducato and Strowel (2019), p. 676 et seq; Kremer (2018), pp. 560–569.

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

461

erasure (Article 17),74 restriction on processing (Article 18), objection to processing (Article 21), or withdrawal of prior consent (Article 7), as well as a right to data portability (Article 20). Where legitimate interests are invoked as a legal basis for data processing, they are expected to be clearly specified.75 The trader must justify which reasons advocate the prevalence of his/her interests over the counterinterests of the consumer, thus legitimizing data processing without prior consent. He must also disclose any safeguards in place, including the consumer’s right to opt out of the processing.76 According to Article 12 GDPR, the above information must be provided in a concise,77 transparent, intelligible, and easily accessible manner.78 It must be articulated clearly in plain language79 in writing or by other appropriate means.80 To accommodate for small screens or situations with restricted room for information and to avoid excessive disturbance of user experience or product design, a layered way of presenting information can be considered.81 Privacy-related information is expected to be translated correctly and accurately in the language used by the data subject,82 be differentiated from any other content, and not be hidden in general terms and conditions.83 Moreover, the required information must be provided for free, at the time when personal data are obtained, if they originate from the data subject himself/herself, or within a reasonable period after obtaining the data, if they originate from other sources.84 In the latter case, if data processing serves targeted advertising purposes, the required information must be provided to the consumer at the time he/she receives the first commercial communication at the latest.85

74 Right to be forgotten. See CJEU, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C 131/12, Judgement of 13 May 2014; CJEU, Google LLC v Commission nationale de l'informatique et des libertés (CNIL), Case C 507/17, Judgement of 24 September 2019. 75 See Articles 13 par. 1d and 14 par. 2b GDPR. 76 See Article 29 Data Protection Working Party Guidelines on Transparency under Regulation 2016/679, wp260rev.01 (2018), p. 36. 77 This means that information must be presented efficiently and succinctly. 78 It must be furnished to the data subject, i.e., the latter should not be obliged by the circumstances to search for it. 79 It must be namely intelligible for the average person without legal or technical background. It must be also concrete and definite not leaving room for controversial interpretations. 80 Depending on the pertinent circumstances, information may be lawfully provided through text messages, icons, infographics, pop-ups, chat-box interfaces, videos and voice alerts. See also rec. 58 explicitly referring to visualization of the information where appropriate. See for all the above WP29 Guidelines, supra n76, p. 7 et seq. 81 For instance, through links to the corporate privacy notice. WP29 Guidelines, supra n56, p. 14. 82 WP29 Guidelines, supra n76, p. 9 et seq. 83 WP29 Guidelines, ibid, p. 7. 84 See Articles 13 and 14 GDPR. 85 See Art. 14 (3) (b) GDPR.

462

3.3.2

E. Tzoulia

The Consumer’s Right to Algorithmic Explicability

In the case of automated decision-making, including profiling, the concept of transparency acquires a broader meaning. According to Articles 13(2)(f) and 14(2) (g) GDPR, the data controller bears the obligation not only to inform the data subject about the existence of automated decision-making and the purposes that it serves but also to provide meaningful information about the logic it involves, as well as its significance and envisaged consequences for the data subject. Moreover, according to Article 22 par. 3 GDPR, the data controller shall implement suitable measures to safeguard the data subject’s right to obtain human intervention on the part of the controller, to express his/her point of view, and to contest the algorithmic decision. Similarly, recital 71 GDPR stipulates the data subject’s right to an explanation of the algorithmic decision and to challenge such a decision. According to the above, the consumer has a right to understand the rationale behind a certain algorithmic response based on his/her behavioral profile. Subsequently, the consumer may require the reconsideration of the corresponding decision having the option to provide additional or updated personal information to this end. In the context of targeted advertising, the contested decision may, for instance, refer to the sponsored links selected to be placed on the consumer’s profile on social media or the terms and conditions of offers addressed to him/her, e.g., pricing, discounts, installments, etc. In such cases, a natural person in charge shall review the algorithmic assessment and potentially change the pertinent decision. Although the above rules sound programmatically coherent, the practical implementation of algorithmic transparency is an issue of ongoing research and intense debate.86 As noted above, there are three major grounds of concern in that regard: first, that an obligation to publicly disclose information about the operation of algorithmic software deployed in (commercial) decision-making conflicts with intellectual property rights and the competitive interests of its developers and business users;87 second, that algorithms guiding the operation of the critical computing systems, regardless of whether they are subject to exclusive rights themselves or not,88 constitute mere sets of computer-implementable instructions, which are unintelligible for the average consumer; and, third, that machine-learning algorithms train themselves on data, thus gradually finding their own way to apply what they learn. In this case, the reasoning behind outputs of automated consumer profiling may be obscure even for specialists.

86

See for instance Lepri et al. (2018), pp. 611–627; Schmid (2018); European Parliament, supra n27, p. 47 et seq; European Commission – High level expert group Ethics Guidelines for Trustworthy AI (2019), available under https://ec.europa.eu/futurium/en/ai-alliance-consultation; European Parliament Briefing A governance framework for algorithmic accountability and transparency, PE 624.262 (2019); European Parliament Briefing EU Guidelines on ethics in artificial intelligence: Context and implementation, PE 640.163 (2019). 87 See for instance the decision BGH, Urt. v. 28.1.2014, BGHZ 200, pp. 38–51, par. 27, with reference to algorithmic scoring models. See also Bischof and Intveen (2019), p. 135 et seq. 88 See on that Scheja (2018), pp. 485–492.

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

463

The consultation of the pertinent WP29 Guidelines89 reveals that the EU legislator took account of the above challenges while drafting the GDPR. It is in principle acknowledged that automated decision systems (ADSs) can be beneficial not only in economic but also in social terms.90 At the same time, however, they can severely affect fundamental human rights and freedoms. To reconcile these tensions, the EU seeks to cultivate a culture of moral innovation based mainly on human-centric technology and self-restraint.91 It therefore assigns ADS providers and AI stakeholders the mission to design, develop, deploy, and use software and hardware systems that adhere to certain ethical standards. The latter have been espoused by the GDPR in the form of general principles governing data processing. In this context, the above parties undertake the responsibility in their capacity as data controllers or processors to enforce ADS intelligibility. This obligation is apparently not met by overloading the data subjects with technical details or complex mathematical explanations on the operation of machine-learning algorithms.92 It rather refers to finding the appropriate technical approach for the individuals concerned to comprehend the purpose, the criteria relied upon, and the underlying technique of automated decision-making. This entails disclosing the categories of data used by the ADS, their sources, as well as the benchmarks for their assessment. The data subject is namely entitled to understand the relevance of the information processed for the algorithmic responses. To facilitate algorithmic transparency, controllers may implement interactive techniques, e.g., enabling data subjects to self-test the algorithmic reasoning by feeding it with random data and consulting the corresponding results.93 Against this background, controllers shall also commit themselves to settling any conflicts arising between cost, competitive forces, fairness, and privacy.94

3.4

Targeted Advertising and the Fairness Principle

The principle of fairness postulated in Article 5 par. 1(a) GDPR calls for unbiased and nondiscriminatory data processing and decision-making. When it comes to

89

WP29 Guidelines, supra n34, p. 31 et seq. European Parliament Briefing EU Guidelines on ethics in artificial intelligence, supra n80, p. 2. 91 See also Pyrcek (2017), pp. 939–941. 92 Described as “Info-besity” by the European Parliament, supra n13, p. 8. 93 See for example the bill passed by the New York City Council addressing algorithmic transparency within public agencies, Local law in relation to automated decision systems used by agencies No 2018/049 (Int. No. 1696-2017): “Each agency that uses, for the purposes of targeting services to persons, imposing penalties upon persons or policing, an algorithm or any other method of automated processing system of data shall: 1. Publish on such agency’s website, the source code of such system; and 2. Permit a user to (i) submit data into such system for self-testing and (ii) receive the results of having such data processed by such system”. 94 European Parliament, supra n27, p. 73. 90

464

E. Tzoulia

automated commercial decision-making and consumer profiling, the above desideratum corresponds to a consumer right to fair algorithmic treatment,95 i.e., economic self-determination and equity in the digital era. These rights may be impaired if ADSs do not operate in an accurate, transparent, and accountable way.96 The factors influencing accuracy within ADSs relate to either the data input or the modeling of the decision-making. Discriminating commercial decisions may result from the fact that data input on the consumer is incomplete or does not include the relevant causal factors for a correct conclusion to be reached. Wrong modeling relates to the use of variables indicating race, gender, religion, etc.97 In the context of the GDPR, accuracy is supposed to be enforced firstly through the data minimization in accordance with the purpose pursued by their processing in any given case.98 The pertinent obligation refers to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility.99 As noted above, the principle of transparency empowers the data subject with a right to understand, contest, and rectify algorithmic reasonings, thus enforcing accuracy. Principally, however, controllers themselves are expected to introduce appropriate procedures and measures to prevent errors and inaccuracies.100 In that regard, controllers are firstly required to keep the data up to date at all stages of the processing, in particular by responding promptly to any changes likely to make them obsolete, e.g., in the purpose served by processing, the personal situation of the data subject, etc. Moreover, measuring accuracy entails recurrent reviews and experimentation on the ADSs, as well as auditing by internal and external experts.101 Critical for safeguarding accuracy is also the Data Protection Impact Assessment (DPIA) prescribed by Article 35(3) (a) GDPR to take place in case of a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.102 This obligation covers, inter alia, commercial decision-making, including consumer profiling, whether it is wholly automated or not. Impact assessments must be carried out on a regular basis prior to and during the development, implementation, and use of ADSs.103 Finally, where the profiling 95

See European Parliament Briefing, supra n17, p. 4 et seq. See European Parliament Briefing EU Guidelines on ethics in artificial intelligence, supra n86, p. 4 et seq. 97 Partnership on AI (PAI) Report on Algorithmic Risk Assessment Tools in the U.S. Criminal Justice System (2019), accessible under https://www.partnershiponai.org/report-on-machinelearning-in-risk-assessment-tools-in-the-u-s-criminal-justice-system/, p. 14 et seq. 98 See Art. 5 (1) (c) GDPR. 99 See Art. 25 par. 2 GDPR. 100 Rec. 71 and Article 5 par. 1d GDPR. 101 See for instance European Commission—High level expert group, supra n86, p. 19 et seq. 102 “Algorithmic Impact Assessment (AIA)”, according to the European Parliament Briefing A governance framework for algorithmic accountability and transparency, supra n86, p. 53. 103 European Commission – High level expert group (2019), p. 20. 96

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

465

and/or the automated decision-making is a core activity of a business and requires regular and systematic monitoring of data subjects on a large scale, a Data Protection Officer (DPO) must be designated according to Article 37(1)(b) GDPR.

4 Targeted Advertising in the Light of ePrivacy Legislation It has been already noted herein that personal data necessary to personalize advertising messages are currently collected mainly by monitoring users’ electronic communications. Electronic communication services represent also the major channels through which traders deliver their advertisements. However, unsolicited commercial communications sent by electronic means from a distance may harass the consumer.104 These issues are regulated by Directive 2002/58/EC, which is meant to safeguard the consumer’s “right to ePrivacy” or “right to be let alone.”105 Article 5 Directive 2002/58/EC prescribes that electronic communication data shall not be listened to, tapped, stored, or otherwise surveilled without the consent of the users they concern, unless this is authorized by the law or necessary for the service provider to meet specific technical requirements. Moreover, Article 13 par. 1 Directive 2002/58/EC, as amended by Directive 2009/136/EC and in force, prohibits unsolicited electronic commercial communications exercised by electronic mail,106 automatic calling technologies,107 and facsimile108 unless the user has given his/her prior consent. This “opt-in” system applies to all types of advertising resembling in function the electronic mail, e.g., SMS and MMS messages.109 As regards other forms of unsolicited commercial communication, e.g. voice-to-voice calls, pop-ups, pop-unders, interstitials, etc., Article 13 par. 3 Directive 2002/58/EC gives Member States the option to adopt an “opt-out” system. In this case, direct advertising is in principle permitted, without prejudice to the subsequent opposition of its recipients. The opt -out system shall also apply whenever direct advertising is sent to one’s own customers based on electronic data that have been legally obtained in the context of their transactions.110 As mentioned above, the ePrivacy Directive is expected to be replaced by a Regulation. The latter’s enactment was planned to overlap with the entry into force

104

For instance, they may overload his/her inbox, cause trouble with removing pop-ups, slow down Internet browsing, etc. 105 Buchner (2018), p. 1284. See also the relevant analysis of Markou (2016). 106 Spamming. 107 Cold – calling. 108 Fax advertising. 109 See rec. 40 and Article 2 point (h) Directive 2002/58, which defines electronic mail as any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient. 110 Art. 13 par. 2 Directive 2002/58/EC.

466

E. Tzoulia

of the GDPR, which has been, however, not achieved due to several problematic issues.111 According to the published Proposal,112 the upcoming Regulation will extend the concept of electronic communication services beyond conventional services provided by network operators, like telephone, email, fax, etc., to “OverThe-Top” (OTT) services. These refer to instant messaging, online chat, and voice calling facilities provided by third parties, like Facebook, WhatsApp, Viber, Skype, etc. In this context, the confidentiality principle will cover, on the one hand, electronic communication content, i.e. text, voice, images and multimedia, as well as electronic communication metadata. The latter concept refers e.g. to the user’s browsing history, the date, duration, and location of electronic communications, the identity of sender and recipient, etc.113 On the other hand, the principle of confidentiality will apply to information related to or stored in end users’ terminal equipment,114 e.g. pictures, location data from the device’s GPS applications, contact lists, etc., including information about the device’s software and hardware.115 In these cases, lawful data collection and further processing will be conditional upon the data subject’s prior consent. It is to be noted that the upcoming Regulation also deals with the protection of information exchanged between electronic devices without any human involvement (IoT). Article 8 par. 2 prohibits the collection of such information for other reasons than the ones prescribed by its provisions. Accordingly, the collection may be justified by the user's prior consent or on the ground of establishing or maintaining a connection, providing a requested service or serving statistical purposes. In all these cases, the principles of transparency and minimization as prescribed by the GDPR shall be abided by. Finally, the upcoming Regulation will expand the scope of application of the opt-in system referred to above to any kind of unsolicited electronic communications. Namely, their delivery shall be lawful provided that the recipient’s consent has preceded. An exception to this rule refers to exercising direct advertising to a preexisting clientele. In this case, it will suffice that addressees are granted a right to opt out. Member States shall have the option to set a time limit to traders regarding the use of their clients' contact details for advertising purposes. Moreover, they shall be allowed to adopt the opt-out system also in case of direct advertising through voice-to-voice calls.116

111

See on that Härting and Gössling (2018), pp. 6–11. See in particular rec. 32–35 and Articles 4 para 3 points a–c, 5–9 and 16 of the Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 2017/0003 (COD) (updated 10 February 2021). 113 See rec. 14 of ePrivacy Regulation Proposal. 114 For example, smart phone, tablet, smart watch, computer. 115 See rec. 20 and Art. 8 of ePrivacy Regulation Proposal and Herbrich (Teil 1) (2017a). 116 See Herbrich (Teil 3) (2017c). 112

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

467

According to the above, targeted advertising carried out by electronic means from a distance is subject to a double opt-in system.117 Namely, its lawfulness is conditional upon the consumer’s consent to both the collection of his/her personal data and the delivery of promotional content on his/her electronic devices. Despite the fact that the ePrivacy legislation does not define the concept of consent, it contains a reference to the GDPR in that regard.118 Therefore, all conditions for a valid consent analyzed above apply also in this case.119 It is argued that consent to receiving direct advertising by a specific trader legitimizes the delivery of promotional content by various means, e.g., email, MMS, phone calls, etc.120 Moreover, unsolicited marketing communications shall be clearly recognizable as such and should indicate the identity and contact details of the trader. The consumer retains the right to withdraw his/her provided consent at any time.121 The right to object shall be given at the time of data collection and each time an advertising message is sent.122

5 Targeted Advertising in the Light of Directive 2005/29 on Unfair Commercial Practices 5.1

General Remarks

A key piece of European legislation regulating B2C marketing is Directive 2005/29 on unfair commercial practices (UCP Directive). In broad terms, it specifies 31 practices that are prohibited as per se unfair123 and requires the ad hoc evaluation of any other practice in the light of three general clauses. Hence, any commercial practice falling outside the blacklist of this Directive is in principle permitted, as long as it is not deemed in concreto misleading124 or aggressive125 or contrary to professional diligence and simultaneously capable to materially distort the economic behavior of the “average consumer.”126 117

See Herbrich (Teil 2) (2017b). See Art. 4a of the ePrivacy Regulation Proposal and Art. 2 (f) Directive 2002/58/EC. See also the decision BGH, Urt. v. 14.3.2017, BB 2017, pp. 910–913: When granting consent, the consumer must be aware of the fact that it serves commercial purposes, the type of goods or services the commercial communication will relate to and the identity of the trader. 119 All matters not specifically regulated in the ePrivacy legislation are governed by GDPR. This applies for instance in relation to accountability, data portability, data erasure etc. See Keye (2018), p. 24. 120 Buchner (2018), p. 1287; Heil (2018), pp. 535–538. 121 See rec. 34 and 35 ePrivacy Regulation Proposal. 122 See Art. 16 par. 2 ePrivacy Regulation Proposal and Köhler (2017b), p. 1294. 123 Annex I to UCP Directive. 124 Articles 6 and 7 UCP Directive. 125 Articles 8 and 9 UCP Directive. 126 See Article 5 par. 2 and 4 UCP Directive. 118

468

E. Tzoulia

Article 2 (d) UCP Directive defines as commercial practice “any act, omission, course of conduct or representation, commercial communication including advertising and marketing, by a trader, directly connected with the promotion, sale or supply of a product to consumers.” Commercial practices may “materially distort” the average consumer’s economic behavior if they appear likely to appreciably impair the consumer’s ability to make deliberate “transactional decisions.”127 Transactional is any decision taken by a consumer concerning whether, how, and on what terms to purchase, make payment, retain or dispose of a product, exercise a contractual right, or not.128 As the Court of Justice of the European Union (CJEU) had the opportunity to clarify in Case C-281/12,129 this term also covers behaviors directly linked to the above situations, such as the consumer’s decision to enter a shop, to visit a website, to call a business, etc. Consequently, a transactional decision may take place long before the conclusion of a consumer contract, as long as it remains directly related to it.130

5.2

Data Protection Law Infringements as Unfair Commercial Practices

Each one of the stages that compose targeted advertising, i.e. personal data collection, consumer profiling, commercial decision-making, and the delivery of commercial communications, comprises commercial practices in the above sense. In this case, the aforementioned procedures aim to generate transactional decisions on the part of the consumer. As explained above, such a decision may not only refer to the purchase of the promoted product. It may, for instance, relate to granting one’s consent to profiling or to receiving commercial communications from a distance. Inasmuch as a GDPR or an ePrivacy legislation infringement may distort the pertinent behavior of the average consumer, it is prohibited also by UCP Directive as an unfair commercial practice.131 This assumption is consolidated by a decision issued in November 2018 by the Italian Competition Authority against Facebook Ireland Ltd and its parent company, Facebook Inc.132 In the context of this case, the Authority examined Facebook’s privacy policy in the light of Directive 2005/29. It concluded that Facebook

127

According to Article 2 (e) UCP Directive. According to Article 2 (k) UCP Directive. 129 CJEU, Trento Sviluppo srl, Centrale Adriatica Soc. coop. arl v Autorità Garante della Concorrenza e del Mercato, Case C 281/12, Judgement of 19 December 2013, par. 36. 130 See also Art. 3 (1) UCP Directive. 131 See on this Köhler (2019) and Schaub (2019). 132 Autorita Garante della Concorrenza e del Mercato, decision of 29.11.2018, PS11112, available under https://www.agcm.it/media/comunicati-stampa/2018/12/Uso-dei-dati-degli-utenti-a-finicommerciali-sanzioni-per-10-milioni-di-euro-a-Facebook. 128

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

469

committed a misleading commercial practice by violating the transparency principle incorporated in the GDPR and also exercised undue influence against its users by violating their right to object to the processing of their personal data, which is also guaranteed by the GDPR. In more detail, as far as the transparency requirement is concerned, the Italian Competition Authority considered that Facebook did not inform its users adequately and unambiguously before they created their account that their personal data would be processed for commercial purposes, in particular for the purpose of promoting third-party sales through sponsored ads. On the contrary, Facebook invoked the necessity of personal data processing for optimizing its services, emphasizing that these services are provided to end users for free. Thereby, Facebook induced Internet users to subscribe, i.e. to take a transactional decision that they might have avoided if they knew of the speculative incentives of their counterparty. This practice constitutes a misleading omission, i.e., an unfair commercial practice under Article 7 (2) UCP Directive.

5.3

Unsolicited Commercial Communications by Electronic Means Under the Scrutiny of UCP Directive

In the context of the UCP Directive, unsolicited commercial communications by electronic means are primarily examined as harassing advertising, i.e., aggressive commercial practices. Such communications are considered per se unfair, pursuant to point 26 of Annex I to this Directive, when—despite the consumer’s opposition— they persist to such an extent as to justify the assumption that the economic freedom of the consumer is at stake. If the requirements of this provision are not met, unsolicited commercial communication from a distance may nonetheless be considered unfair under the terms of Articles 8 and 9 of Directive 2005/29. Accordingly, the communication may be deemed harassing if, due to its volume, timing, and continuous repetition, it disturbs the consumer so strongly that it is likely to lead him/her to transactional decisions that he/she would not have taken otherwise.133 Moreover, online targeted advertising commonly takes advantage of the restrictions that digital environments and smart devices reserve to their users in terms of space and time, in order to conceal material information that is needed by the consumer for an informed transactional decision. According to Article 7 par. 2 of the UCP Directive, concealment constitutes, e.g., the presentation of information in an unclear, unintelligible, ambiguous, or untimely manner. In these cases, the consumer is prevented from taking note of and comprehending the actual terms and conditions of the trader’s invitation to purchase, thus running the risk to be misled. In Canal Digital Danmark case,134 for instance, the CJEU contemplated the

133

See Köhler (2017a), p. 255 et seq. CJEU, Canal Digital Danmark A/S, Case C 611/14, Judgement of 26 October 2016. See on that Tzoulia (2017a), pp. 24–27.

134

470

E. Tzoulia

misleading character of an online advertisement that presented part of the promoted product’s price highlighted on a front banner while hiding extra costs and charges within links without any proper indications. In such cases, the likelihood of the economic behavior of the commercial communication’s recipient being distorted is assessed with reference to the cognitive abilities of the “average consumer.” This is a notional person who is reasonably well informed and reasonably observant and circumspect in proportion to the pertinent circumstances, i.e., inter alia, the medium through which each advertisement is delivered.135 In principle, the average user of electronic devices is expected to be familiar with, e.g., the operation of common computer programs, the layout and the basic functionalities of websites and mobile apps, the use of hashtags, etc. However, European case law appears protective toward consumers in the context of electronic transactions to date. Consequently, the unfair character of commercial practices taking place online gets acknowledged with relative ease.136 It should be noted that the UCP Directive emphasizes the trader’s obligation to clearly indicate the commercial character of his/her communications and regulates covert advertising by means of three provisions.137 In addition, Directive 2019/2161/ EU has incorporated a new provision to the blacklist of the UCP Directive, numbered 11a, which prohibits advertisements hidden within search results in response to queries of Internet users.138 Consequently, the EU legislator considers as per se unfair commercial practice surreptitious ad targeting taking place by means of keywords on search engines.

5.4

The Consumer’s Unfair Algorithmic Treatment from the Perspective of Directive 2005/29

Under the UCP Directive, the unfair character of commercial policies based on algorithmic assessments is conditional upon their likelihood to distort the economic behavior of the average consumer. Accordingly, automated decision-making that misrepresents the conditions prevailing in a market, adjusts prices to each

135

See on this notion Tzoulia (2017b), pp. 257–262. See for example in Tzoulia (2019), p. 36, how European courts have dealt with online influencer marketing so far. 137 According to Article 7 (2), it constitutes a misleading omission, when the trader fails to identify the commercial intent of his practice. In this case, the trader’s behavior may be deemed unfair as long as it is also likely to distort the average consumer’s economic behavior. Furthermore, point 22 of Annex I prohibits per se falsely claiming or creating the impression that the trader is not acting for commercial purposes, as well as falsely representing oneself as a consumer. Lastly, point 11 of Annex I prohibits per se “[. . .] using editorial content in the media to promote a product where a trader has paid for the promotion without making that clear [. . .]” to the consumer. Such advertisements are characterized as “Advertorials”. 138 See Art. 3 par. 7(a) Directive 2019/2161/EU. 136

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

471

consumer’s welfare rather than products’ quality and their overall demand etc. should be deemed unfair. As regards prejudiced, e.g. racist, algorithmic assessments, in particular, the UCP Directive allows Member States to introduce provisions that surpass its own standards of consumer protection, i.e., to prohibit the pertinent commercial practices regardless of their actual effect on the average consumer’s financial behavior.139 Given that a Member State has not taken advantage of this opportunity on a legislative level, its courts can ban relevant commercial practices as contrary to professional diligence per se. It is noted, however, that the EU is no longer content with the repressive handling of the consumer’s unfair algorithmic treatment. Therefore, the EU legislator seeks to enforce transparency by default with reference to algorithmic reasonings also at a consumer protection law level. In this vein, Directive 2019/2161/EU has amended the UCP Directive by introducing a new provision140 in relation to online marketplaces, which requires platform providers to communicate in advance any criteria considered when ranking products in response to consumer queries. In this way, consumers shall be able to know whether ranking has been influenced by their previous online searches or purchases, i.e., by their behavioral profile. If platform providers fail to meet this obligation, they will have committed a misleading omission.141

6 Consumer Judicial Claims for Damage Caused by Autonomous Algorithmic Software Consumers having suffered damage from erroneous automated decision-making are granted rights to compensation by both the UCP Directive and data protection law.142 The relevant claims can be raised jointly against the trader exercising targeted advertising on the basis of algorithmic profiling and any intermediaries administering the pertinent infrastructure,143 i.e., against the data controller and eventual data processors assisting him/her.144 However, the autonomy of algorithmic software applied in commercial decision-making nowadays justifies concerns See rec. 7 UCP Directive: “Member States should accordingly be able to continue to ban commercial practices in their territory, in conformity with Community law, for reasons of taste and decency even where such practices do not limit consumers’ freedom of choice”. 140 See Art. 3 par. 4(b) Directive 2019/2161/EU. 141 Compare new point 11a of Annex I to UCP Directive: Failing to identify paid rankings of organic search results on search engines shall be considered per se unfair. 142 Additionally, they are entitled to lodge complaints with the competent in each case administrative authorities. See Art. 11 UCP Directive, Art. 77 et seq GDPR and 21 et seq ePrivacy Regulation Proposal. 143 See Commission staff working document Guidance on the implementation/application of Directive 2005/29 on unfair commercial practices, SWD(2016) 163 final, p. 30. 144 See Art. 79 and 82 GDPR, as well as Art. 21 par. 1a ePrivacy Regulation Proposal. 139

472

E. Tzoulia

about an eventual negation of liability for any natural and legal person exercising targeted advertising. Namely, self-learning algorithms involved in ADSs may draw wrong conclusions, which are, however, attributable neither to their administrators nor to their programmers and developers. Civil liability issues have since long been raised in robotics occasioned, e.g., by the operation of self-driving vehicles and drones.145 In cases of damage incurred through the operation of autonomous machines, it is basically suggested to trace back to the cause of their malfunction. Once the responsible parties have been identified, it is suggested to divide liability in proportion to the actual level of instructions given by each person to the robot and the latter’s autonomy.146 More radical views advocate the attribution of legal personality to the most sophisticated robots in order to safeguard redress for those damages that do not relate to human error. In this context, the establishment of a compulsory insurance scheme is postulated, which shall be complemented by a compensation fund.147 In fact, liability toward consumer for the damages he/she may suffer from targeted advertising is regulated in such a way that it cannot be affected by any AI interference. First, the UCP Directive introduces strict liability, i.e., in case an unfair commercial practice occurs, the trader and any intermediaries are held liable to compensate the consumer regardless of negligence or fault.148 By contrast, data protection law introduces fault-based liability.149 However, due to the requirement of privacy by default and the accountability principle that govern the pertinent legislative instruments, negligence on the part of the controller and any processors can be assumed in any case that untrustworthy or flawed algorithmic software is engaged in profiling and decision-making processes. In other words, the controller bears the responsibility not to use decision-making mechanisms that may conduct unfair assessments based on untraceable and unverifiable reasonings. If the controller fails to meet this obligation, he/she will be held responsible for giving rise to damage, on the occurrence of which he/she will have to compensate the consumer. This is true without prejudice to any right reserved to the controller by EU and national law to bring an action for recovery against developers or programmers at fault for the technical malfunction of the algorithmic software.150

145

See for instance European Parliament (Policy Department C) Study European civil law rules in robotics, PE 571.379 (2016), p. 14 et seq. 146 Ibid, p. 16 et seq. 147 See on these theories European Parliament, supra n29, p. 17 et seq; Santoro et al. (2004), p. 107 et seq. See also Schwintowski (2018), p. 1607 et seq: no need to establish any civil liability regimes. 148 See Art. 11 par. 2 UCP Directive. 149 Art. 82 par. 3 GDPR and 22 ePrivacy Regulation Proposal. 150 On civil liability and robotics see the analysis of Spindler (2015), pp. 766–776; Sosnitza (2016), pp. 764–772; Grützmacher (2016), pp. 695–698; Bischof and Intveen (2019), p. 136 et seq.

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

473

7 Conclusion At an EU level, all stages composing targeted advertising are regulated from both data and consumer protection law perspectives. To address the hazards posed by AI technologies deployed in the context of modern targeted advertising, the EU legislator makes the lawfulness of automated consumer profiling and commercial decision-making in principle conditional upon the consumer’s prior consent. Obtaining the consumer’s consent to data processing for commercial purposes in exchange for free access to online services and content is considered in principle legitimate. This is, however, conditional upon the requirement that consent provided is informed and specific and data processing is minimized to the extent necessary for fulfilling the purpose pursued. EU law also imposes transparency and fairness by default in the context of targeted advertising. When it comes to algorithmic commercial decisions, this requirement entails the trader’s obligation to carry out risk assessments and audits in order to keep the data input accurate, inferences made consistent, and outputs justifiable within ADSs. Otherwise, he/she bears liability for any damage suffered by the consumer due to detrimental algorithmic responses, which he/she cannot negate by invoking the autonomy of the software involved. After the enactment of the anticipated ePrivacy Regulation, any commercial communication from a distance will necessitate the prior consumer’s consent to be lawful. However, even in cases where such consent has preceded, overwhelming and persistent commercial solicitations by electronic means may be banned as harassing commercial practices. Online targeted advertising is considered likely to distort the economic behavior of the average consumer in any case that it is not meticulously labeled as such and not providing in a clear, unambiguous, and timely way all information necessary for the consumer to meet an informed transactional decision.

References Albrecht JP (2016) The EU’s new data protection law – how a directive evolved into a regulation. CRi 17:33–43 Article 29 Data Protection Working Party (2013) Opinion 3/2013 on purpose limitation. WP203 00569/13/EN. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/ files/2013/wp203_en.pdf. Accessed 12 April 2020 Article 29 Data Protection Working Party (2014) Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC. WP217 844/14/EN. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/ wp217_en.pdf. Accessed 12 April 2020 Article 29 Data Protection Working Party (2017) Guidelines on Automated individual decisionmaking and Profiling for the purposes of Regulation 2016/679. WP251rev.01. https://ec.europa. eu/newsroom/article29/item-detail.cfm?item_id¼612053. Accessed 12 April 2020 Article 29 Data Protection Working Party (2018a) Guidelines on consent under Regulation 2016/ 679 (revised). WP259 rev.01. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_ id¼623051. Accessed 12 April 2020

474

E. Tzoulia

Article 29 Data Protection Working Party (2018b) Guidelines on Transparency under Regulation 2016/679. wp260rev.01. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_ id¼622227. Accessed 12 April 2020 Autorita Garante della Concorrenza e del Mercato, decision of 29.11.2018, PS11112, available under https://www.agcm.it/media/comunicati-stampa/2018/12/Uso-dei-dati-degli-utenti-a-finicommerciali-sanzioni-per-10-milioni-di-euro-a-Facebook Bauer S (2008) Personalisierte Werbung auf Social Community-Websites. Datenschutzrechtliche Zulässigkeit der Verwendung von Bestandsdaten und Nutzungprofilen. MMR 11:435–438 Belleflamme P, Peitz M (2018) Platforms and network effects. In: Corchón L, Marini M (eds) Handbook of game theory and industrial organization, vol II. Edward Elgar Publishing. Cheltenham, pp 286–317 BEUC Position Paper (2018) Automated decision making and artificial intelligence – A consumer perspective. BEUC-X-2018-058. https://www.beuc.eu/publications/beuc-x-2018-058_auto mated_decision_making_and_artificial_intelligence.pdf. Accessed 12 April 2020 BGH, Urt. v. 28.1.2014, BGHZ 200, pp. 38–51 BGH, Urt. v. 14.3.2017, BB 2017, pp. 910–913 Bibri SE (2015) The shaping of ambient intelligence and the internet of things. Atlantis Press, Paris Bischof E, Intveen M (2019) Einsatz künstlicher Intelligenz durch Unternehmen Allgemeine Beschreibung und Fragen des Einsatzes insb. in der Automobilindustrie. ITRB 12:134–140 Buchner B (2018) Die Einwilligung in Werbung. WRP 64:1283–1289 Bundeskartellamt, Decision of 6.2.2019, B6-22/16, https://www.bundeskartellamt.de/SharedDocs/ Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__ blob¼publicationFile&v¼4. Accessed 12 April 2020 CJEU, Trento Sviluppo srl, Centrale Adriatica Soc. coop. arl v Autorità Garante della Concorrenza e del Mercato, Case C 281/12, Judgement of 19.12.2013 CJEU, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C 131/12, Judgement of 13.05.2014 CJEU, Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v Planet49 GmbH, Case C 673/17, Judgement of 1 October 2019 CJEU, Canal Digital Danmark A/S, Case C 611/14, Judgements of 26.10.2016 CJEU, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, Case C 40/17, Judgement of 29.7.2019 CJEU, Google LLC v Commission nationale de l'informatique et des libertés (CNIL), Case C 507/17, Judgement of 24.09.2019 Commission staff working document (2016) Guidance on the implementation/application of Directive 2005/29 on unfair commercial practices. SWD(2016) 163 final. https://eur-lex. europa.eu/legal-content/EN/TXT/?uri¼CELEX%3A52016SC0163. Accessed 12 April 2020 Committee of Ministers (2010) Recommendation to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling. CM/Rec(2010) 13. https://search.coe.int/cm/Pages/result_details.aspx?ObjectId¼09000016805cdd00#_ftn1. Accessed 12 April 2020 De Mooij M, Hofstede G (2010) The Hofstede model – applications to global branding and advertising strategy and research. Int J Adv 29(1):85–110 Drexl J (2017) Bedrohung der Meinungsvielfalt durch Algorithmen: Wie weit reichen die Mittel der Medienregulierung? ZUM 61(7):529–543 Ducato R, Strowel A (2019) Limitations to text and data mining and consumer empowerment: making the case for a right to “machine legibility”. IIC 50(6):649–683 European Commission – High level expert group (2019) Ethics Guidelines for Trustworthy AI. https://ec.europa.eu/futurium/en/ai-alliance-consultation. Accessed 12 April 2020 European Parliament (2015) Report with recommendations to the Commission on Civil Law Rules on Robotics. A8-0005/2017. https://www.europarl.europa.eu/doceo/document/A-8-20170005_EN.html. Accessed 12 April 2020

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

475

European Parliament (2020) Is data the new oil? Competition issues in the digital economy. PE 646.117. https://www.europarl.europa.eu/thinktank/en/document.html?reference¼EPRS_BRI (2020)646117. Accessed 12 April 2020 European Parliament Briefing (2019a) State of the art and future of artificial intelligence. PE 631.051.https://www.europarl.europa.eu/thinktank/en/document.html?reference¼IPOL_BRI (2019)631051. Accessed 12 April 2020 European Parliament Briefing (2019b) How artificial intelligence works. PE 634.420. https://www. europarl.europa.eu/thinktank/el/document.html?reference¼EPRS_BRI(2019)634420. Accessed 12 April 2020 European Parliament Briefing (2019c), Artificial Intelligence: Challenges for EU Citizens and Consumers. PE 631.043. https://www.europarl.europa.eu/thinktank/en/document.html? reference¼IPOL_BRI(2019)631043. Accessed 12 April 2020 European Parliament Briefing (2019d) A governance framework for algorithmic accountability and transparency. PE 624.262. https://www.europarl.europa.eu/thinktank/en/document.html? reference¼EPRS_STU(2019)624262. Accessed 12 April 2020 European Parliament Briefing (2019e) EU Guidelines on ethics in artificial intelligence: Context and implementation. PE 640.163. https://www.europarl.europa.eu/thinktank/en/document. html?reference¼EPRS_BRI(2019)640163. Accessed 12 April 2020 European Parliament Study (2016) European civil law rules in robotics. PE 571.379. https://www. europarl.europa.eu/RegData/etudes/STUD/2016/571379/IPOL_STU(2016)571379_EN.pdf. Accessed 12 April 2020 European Parliament Study (2019) Understanding algorithmic decision-making: Opportunities and challenges. PE 624.261. https://www.europarl.europa.eu/thinktank/en/document.html? reference¼EPRS_STU(2019)624261. Accessed 12 April 2020 Flett E, Wilson J (2017) Artificial intelligence: is Johny 5 alive? Key bits and bytes from the UK’s robotics and artificial intelligence inquiry. CTLR 23(3):72–74 Grützmacher M (2016) Die deliktische Haftung für autonome Systeme – Industrie 4.0 als Herausforderung für das bestehende Recht? Ein Plädoyer für die Nutzung von Beweislastregeln und wider den vorschnellen Ruf nach der Einführung einer Gefährdungshaftung. CR 32:695–698 Härting N, Gössling P (2018) Study on the impact of the proposed draft of the ePrivacy-regulation. CRi 19:6–11 Heil U (2018) Einheitliche Einwilligungserklärung für mehrere Werbekanäle? Zugleich Anmerkung zu BGH, 01.02.2018 – III ZR 196/17 – Einwilligung mit Bezug auf mehrere Werbekanäle. WRP 64:535–538 Herbrich T (2017a) Der Vorschlag für eine ePrivacy-Verordnung-EU (Teil 1): Anwendungsbereich und Verhaltnis zur DS-GVO und zum nationalen Recht. jurisPR-ITR. Anm: 18(2) Herbrich T (2017b) Vorschlag für eine ePrivacyVerordnung-EU (Teil 2): Fernmeldegeheimnis, Zulässigkeit der Datenverarbeitung, Privacy by Default. jurisPR-ITR. Anm: 23(2) Herbrich T (2017c) Vorschlag für eine ePrivacy-Verordnung-EU (Teil 3): Kontrolle über elektronische Kommunikation, insbesondere Direktwerbung, unabhängige Aufsichtsbehörden, Rechtsbehelfe, Haftung und Sanktionen. jurisPR-ITR. Anm 25(2) Hoeren T (2018) Rechtsverletzung durch Amazon Autocomplete-Funktion – goFit. MMR 21:673–676 Hüther M, Danzmann M (2017) Der Einfluss des Internet of Things und der Industrie 4.0 auf Kreditfinanzierungen. Teil 1 -Atmende Finanzierungsverträge und Agency 4.0. BB 27:834–840 ICO (2019) Update report into adtech and real time bidding. https://ico.org.uk/media/about-the-ico/ documents/2615156/adtech-real-time-bidding-report-201906.pdf. Accessed 23 July 2020 Keye J (2018) Direktmarketing nach DSGVO und ePrivacy-VO. ITRB 11:23–24 Klar M (2019) Künstliche Intelligenz und Big Data – algorithmenbasierte Systeme und Datenschutz im Geschäft mit Kunden. BB 29:2243–2252 Knaak R (2014) Metatags and keywords as comparative advertising. J Intellect Prop Law Pract 9:770–777

476

E. Tzoulia

Köhler H (2017a) Zur Neuvermessung der Tatbestände der unzumutbaren Belästigung (§ 7 UWG) § 7 Abs. 2 Nr. 1 UWG. WRP 63:253–262 Köhler H (2017b) Die Regelung der “unerbetenen Kommunikation” in der ePrivacy-Verordnung und ihre Folgen für das UWG. WRP 63:1291–1297 Köhler H (2019) Durchsetzung der DS-GVO – eine Aufgabe auch für Mitbewerber oder zumindest für Verbraucherverbände? WRP 65:1279–1286 Kremer S (2018) Das Auskunftsrecht der betroffenen Person in der DSGVO. Eine sorgfältige Aufbereitung für die Praxis im Unternehmen. CR 34(9):560–569 Lepri B, Oliver N, Letouzé E et al (2018) Fair, transparent, and accountable algorithmic decisionmaking processes. Philosophy Technol 31(4):611–627 Markou C (2016) Behavioural advertising and the new ‘EU Cookie Law’ as a victim of business resistance and a lack of official determination. In: Gutwirth S, Leenes S, De Hert P (eds) Data protection on the move. Springer Science + Business Media Dordrecht, Netherlands, pp 213–247 Mullan J (2014) Re-emerging technologies: what’s hot and what’s not! L.I.M 14(3):168–173 Ohly A (2010) Keyword advertising auf dem Weg zurück von Luxemburg nach Paris, Wien, Karlsruhe und den Haag. GRUR 112(9):776–785 Ohly A (2018) Die markenrechtliche Haftung des Suchmaschinenbetreibers für Trefferlisten § 6 Abs. 1 UWG? WRP 64:131–139 OLG Düsseldorf, Beschuss v. 26.8.2019, ECLI:DE:OLGD:2019:0826.KART1.19V.00. English translation available under: https://www.d-kart.de/wp-content/uploads/2019/08/OLG-D%C3% BCsseldorf-Facebook-2019-English.pdf. Accessed 12 April 2020 Paal B (2019) Missbrauchstatbestand und Algorithmic Pricing. Dynamische und individualisierte Preise im virtuellen Wettbewerb. GRUR 121:43–53 Partnership on AI (PAI) (2019) Report on Algorithmic Risk Assessment Tools in the U.S. Criminal Justice System. https://www.partnershiponai.org/report-on-machine-learning-in-risk-assess ment-tools-in-the-u-s-criminal-justice-system/. Accessed 12 April 2020 Presidency of the Council of the European Union (2020) Amendments to the Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications). ST 5979 2020 INIT. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri¼consil:ST_5979_2020_INIT. Accessed 12 April 2020 Pyrcek A (2017) Veränderung der Unternehmerskultur und von Geschäftsmodellen durch die Digitale Transformation – Auswirkungen auf das Compliance-Management. BB 27:939–941 Remmertz F (2018) DSGVO ante portas: Aktuelle Brennpunkte im Online-Marketing. GRUR-Prax 10:254–256 Rustici C (2018) GDPR profiling and business practice – squaring the circle: how to apply the GDPR rules to the commercial and technological realities of profiling? CRi 19(2):34–43 Santoro S, Onida T, Romano F (2004) Electronic agents and the law of agency: an analysis of how the use of electronic agents could be integrated into law. CRi 5:104–109 Schaub R (2019) Verletzung von Datenschutzregeln als unlauterer Wettbewerb? WRP 65:1391–1397 Scheja K (2018) Schutz von Algorithmen in Big Data Anwendungen - Wie Unternehmen aufgrund der Umsetzung der Geschäftsgeheimnis-Richtlinie ihre Algorithmen wie auch Datenbestände besser schützen könne. CR 34:485–492 Schmid A (2018) Keine Geheimnisse vor der DSGVO? Transparenzpflichten beim Einsatz künstlicher Intelligenz (KI). jurisPR-ITR. Anm: 17/2 Schwintowski H-P (2018) Wird Recht durch Robotik und künstliche Intelligenz überflüssig? NJOZ 18:1601–1609 Sieling C, Lachenmann M (2012) Wettbewerbsrechtliche Aspekte bei Werbung in sozialen Netzwerken – Werbung im sozialen Netzwerk Facebook (auch) bei Bring your own Device. ITRB 5:156–159

19

Targeted Advertising in the Digital Era: Modern Challenges to Consumer. . .

477

Sosnitza O (2016) Das Internet der Dinge – Herausforderung oder gewohntes Terrain für das Zivilrecht? CR 32:764–772 Spindler G (2015) Roboter, Automation, künstliche Intelligenz, selbst-steuernde Kfz – Braucht das Recht neue Haftungskategorien? Eine kritische Analyse möglicher Haftungsgrundlagen für autonome Steuerungen. CR 31:766–776 Tzoulia E (2013) Legal issues to be considered before setting in force consumer-centric marketing strategies within the European Union. In: Kaufmann HR, Khan Panni MFA (eds) Customercentric marketing strategies: tools for building organizational performance. IGI Global, pp 36–56 Tzoulia E (2017a) Misleading consumers by providing material information “in an unclear, unintelligible, ambiguous or untimely manner”: the application scope of articles 6(1) and 7 (2) of Directive 2005/29. EuLF 17:24–27 Tzoulia E (2017b) Imprints of behavioural research in EU consumer protection legislation: the ‘average consumer test’ in the Unfair Commercial Practices Directive. TvC 15:257–262 Tzoulia E (2019) “Influencer marketing” on social media: consumer protection issues from the perspective of EU law. EuLF 19:29–39 Tzoulia E (2020) Competition law issues. In: Iglezakis I (ed) Legal issues of mobile apps - a practical guide. Wolters Kluwer, pp 177–210

Chapter 20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case Tine Munk

Abstract In the current online environment, social media platforms, Internet businesses and tech companies are managing a high level of personal data with little regard to their customers’ privacy and data protection. The chapter will focus on the impact that the European General Data Protection Regulation (GDPR) 2018 has on data protection and privacy rights of online users in the light of the increasing data collection and processing practices by voice recognition technologies (voice assistants). The chapter will focus on the use of GDPR’s Article 66 to stop data collection/processing practices that potentially violate the provisions in the regulation. The case study outlined in this chapter investigates how data are managed by the Internet and tech companies, such as Apple, Google, Amazon and Facebook and how these companies’ data collection/processing practices circumvent online users' privacy rights. The case study will predominately focus on Google’s practice of manually assessing personal data collected from voice assistants.

1 Introduction The Internet and various online platforms have been developed and modified over the last three decades—and these platforms continue to increase in size, capacity and capabilities.1 Embedded in the different platforms are various new technologies and pathways developed to enhance the use of computer systems. These are linked to the use of cookies, scripting languages, compressed audiovisual formats, search engines, streaming protocols, social media platforms, smart mobile devices, tracking,

1

European Data Protection Supervisors (2018a), p. 2.

T. Munk (*) Middlesex University, London, UK e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_20

479

480

T. Munk

analytics and profiling tools.2 Internet-of-Things (IoT) devices are continually expanding to connect various physical objects to online networks and systems.3 IoT has already had a significant impact on society. It has, for example, transformed products, customer/customer experience and the labour market.4 The European Network and Information Security Agency (ENISA) defines IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making”.5 The popularity of these devices derives from the wireless interconnectedness and the unique way that smart devices transforms well-known physical non-standard devices into smart “objects”.6 These devices are embedded with technology, allowing them to communicate and interact using the Internet and Wi-Fi systems.7 Data produced and transmitted from these devices constitute a significant challenge for protecting personal information—especially those linked to biometrics such as voices, faces and behaviours. In the European Union (EU), the sensitive and identifiable data generated by IoT devices are protected by General Data Protection Regulation (GDPR) 2016/679.8 The adoption of GDPR has created a more extensive awareness of data collection and processing. However, compliance by businesses, organisations and groups is still in a developing phase. Multinational tech companies and social media businesses are developing IoT devices or services where facial recognition or voice recognition are included. These businesses and corporations are attempting to circumvent the GDPR data protection requirements as these can be perceived as creating obstacles for the economical lucrative data collection and processing. The focus of this chapter is on IoT voice recognition technologies and devices used in a private context, such as smart homes. Voice recognition technologies and devices are rapidly developing, and these technologies are included in various IoT applications, sensors, programmes and services. This increasing use of voice recognition technologies and voice assistants causes problems regarding data protection. This chapter will critically analyse human review practices used by multinational tech companies Google, Amazon, Facebook and Apple (GAFA) to maintain and improve their voice recognition devices and software. In this context, Google’s previous review practice to assess various audio snippets will create the fundament

2

Ibid, p. 2. ENISA (2020b) and Munk (2020). 4 ENISA (2018), p. 7. 5 Supra n3. Supra n4. Ibid, p. 7. 6 Fortino and Trunfio (2014). 7 Rouse (2019) and Munk (2020). 8 Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119/ 679. 3

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

481

for a cases study. This method prompted the Hamburg Data Protection Agency (DPA) to invoke the GDPR emergency provision: Article 66.

2 The Internet of Things The fourth industrial revolution is categorised by connecting various technologies, such as data analytics, artificial intelligence, cognitive technologies and IoT.9 The architecture of IoT smart devices creates an extensive networked formation of access points, sensors, storage, location tracking computer technologies, etc.10 Smart homes have significant privacy and data protection issues deriving from the growing use of IoT and the lack of a regulatory framework. Devices used in private households are sources of close, grainy and intimate data of the activities and behaviour of owners and visitors. These types of data are transmitted beyond the original scope of the use. For example, user data and devices are directly monitored, recorded or stored in activity logs.11 Gartner has cautiously predicted that 20.8 billion connected things would be in use by 2020.12 Business Insider Intelligence estimated that the number would be 24 billion in 2020.13 IoT Analytics claims that the whole market is growing from 10 billion IoT devices by 2020 to 22 billion by 2025.14 whereas the International Data Corporation (IDC) estimates that there will be 41.6 billion IoT devices by 2025. The IoT considered in this estimation includes machines, sensors and cameras and industrial tools.15 Nevertheless, the IDC reports that in 2025, the combination of IoT devices, for example interconnected machines, sensors and cameras, would generate 79.4 zb of data. Securing IoT devices and data requires special protective measures. The data can include sensitive information that on its own would not raise any security concerns. However, when fragmented data from multiple end points are gathered, collated and analysed, it might yield information that can identify the user.16 Individuals can be identified by both the actual voice and the unique behavioural pattern generated by the speech.17 Therefore, speeches and voices are specific biometric identifiers that fall under the scope of the GDPR.

9

Jain and Jain (2019), p. 23. Supra n9. Supra n7. 11 ENISA (2014), p. iv. 12 Gartner (2017), Supra n7. 13 Business Insider (2016), Supra n7. 14 IoT Analytics (2018). 15 International Data Corporation (IDC) (2019). 16 ICO (2020d), Supra n7. 17 Hogben (2010), p. 3. 10

482

2.1

T. Munk

Conceptualising IoT and Online Risks

Numerous risks are related to the safety, security and privacy of IoT devices, systems and services. The dangers associated with IoT devices are continually evolving unless security measures are introduced to manage the risks. Yet this managing process constitutes a never-ending circle. Every time one risk is managed, a new one will arise from the process.18 The architecture of IoT systems and devices are tied up to sensors with direct links to networks and computer systems. These sensors are collecting user data from the devices. The risks associated with the use of IoT devices, systems and services are various and rapidly changing due to the technological evolution. Therefore, new safety and privacy risks are evolving.19 Data from actual IoT devices and the use of these are now perceived as an economic commodity. Several manufacturers, companies and administrators are using this bi-product of IoT as a way of enhancing their revenue by harvesting and selling the data to third parties.20 IoT data can create a surprisingly detailed profile of the users by combining a few different sensor readings. For example, data from a smart home can make a profile based on home devices By combining fragmented data set from devices, it is possible to collect specific and personal data, for example to understand when the IoT user wakes up (data from a smart coffee maker), the IoT user’s taste in music and TV programmes/streaming services (data from smart speakers and smart TVs), the type of food and beverages the household likes (data from smart fridges and home appliances), children’s life and preferences (data from smart toys) and guests and by-passers (data from smart doorbells and security cameras).21 Audio recordings collected by voice recognition technologies and voice assistants provide a unique data collection method. The collectors and processors can profile the IoT users’ most intimate private life through analysing sentiments or aspects of mental health, behaviours and preferences.22 These types of data collection give significant insight into the users’ life beneficial beyond the actual purpose of data collection. Such intrusive data collection needs to be subjected to transparent and accountable methods. In this context, online users should give explicit and informed consent before the data collection takes place.23

18

ENISA (2017); Munk (2015), pp. 80–81. ENISA (2020a). 20 Ranger (2020). 21 Ibid. 22 The Centre for Data Ethics and Innovation (CDEI) (2019), p. 2. 23 GDPR (2018) Art 4(2). 19

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

483

3 Online Privacy and Data Protection Legislation Data protection and online privacy are linked to data processes. This process should be separated from online users’ own disclosure on various online platforms, such as social media. Self-disclosure is commonly linked to communicative behaviour, where the level of personal information depends on the communication type as well as the specific circumstances where the information is disclosed.24 There is a significant difference between what online users chose to disclose to the public and the type of data extracted from the actual use of devices and technologies. Privacy can be defined as a right to self-determination, i.e. the right to determine what kind of information is made accessible and who can access it. It can also be described as a “selective control of access to the self”.25 Privacy includes the choice of people to decide to which extent they want to expose private information, attitudes and behaviour to other people.26 Yet privacy can also be lost by choice or through the action of another person.27 Privacy legislation attempts to create a secure system to protect data from the collection point to the deletion. The EU data protection framework is based on the perspective that privacy is a fundamental human right.28 Article 8(2) of the EU Charter of Fundamental Rights states that “data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”29

3.1

The European General Data Protection Regulation (GDPR)

Data confidentiality for IoT applications has become an essential issue in this interconnected era. Any failure to protect data would seriously threaten users’ privacy.30 Globally, data protection legislation has been introduced to protect identifiable personal data. These legislations are mandating data controllers and data processors to establish policies to safeguard personal information as well as manage the risks related to the data. The GDPR creates responsibilities on everyone controlling and processing identifiable data. 24

Taddicken (2014). Altman (1975), p. 18; Westin (1967), Supra n24. 26 Supra n9, p. 26. 27 Ibid. Gavison (1980). 28 European Union (2012) Charter of the fundamental rights of the European Union. 2012/C 326/02. OJ C 326, 26.10.2012. Article 7. Goddard (2017), p. 703. 29 Ibid, Art. 8(2). 30 Romdhani (2017). 25

484

T. Munk

By introducing the GDPR, the EU adopted specific provisions for enhancing technological privacy protection related to data processing. It is essential to ensure that compliance with the new obligation can materialise and increase the effectiveness as intended in the regulation.31 There are six general data protection principles included in the GDPR. These principles are fairness and lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. Centrally positioned in this framework is data protection by design and by default.32 The GDPR provides European citizens with comprehensive and robust data protection as compared with non-EU citizens.33 The regulation addresses gaps in the previous data protection directive by establishing legal obligations for data controllers and processors.34 It is clear that organisations established outside the EU face pressure for complying with the GDPR to be able to sell their services and products within the EU. Additionally, clients, companies and partners using data processors outside the EU must ensure that they reflect the higher GDPR standards in contractual provisions.35 The regulation covers the current use of data and the commercialisation of data as a valuable commodity. The GDPR is particularly relevant to IoT devices as the architecture and use of IoT devices are not included in a national or international regulatory framework. Most countries and regions are not addressing this area except by developing guidelines and good practices.

3.2

Personal Data

According to the GDPR, personal data include all information that can be used to identify an individual, on its own or in conjunction with other data sets. The provision covers data linked to Internet protocols (IPs), mobile device identifiers, geolocation and biometric data.36 According to Article 4(1), personal data are “all data attached to a person which allows them to be identified directly or indirectly (. . .) to one of the several specific properties unique to their physical, psychological, genetic, mental, economic, cultural or social identity of that natural person”.37 In conjunction with this definition, data processing is defined in Article 4(2) as the manual or automated process where personal data or sets of personal data are used. Included in the process is “collection, recording, organisation, structuring, storage, 31

European Data Protection Supervisors (2018b), p. 3. Supra n8. Supra n28, p. 703. 33 Articulate (2020), Supra n28, p. 703. 34 Supra n8, Art. 3. 35 Supra n28, p. 704. 36 Supra n8, Art. 4.2. Walker (2021). 37 Supra n8, Art 4.1. Ibid. 32

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

485

adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.38 These parts of the data collection process are highly relevant for protecting IoT users. The personal data are linked to the use of the devices, which can identify the actual user. This data collection can, for example, be linked to biometric identifiers and the use of facial and voice recognition. It is problematic if these personal identifiers are connected to other data sets that enable a direct or indirect identification of the user.

3.3

Controllers and Processors

Data controllers should ensure that everyone involved in the processing practice complies with security by design and by default obligations.39 Therefore, all processors should consider the full range of data collecting practices, such as technological advancements and data access, which includes tenders, outsourcing, development, support, maintenance, testing, storage, deletion, etc.40 Article 6 of the GRPR establishes the lawfulness of the processing. For example, the process needs to be more than just useful and more than a standard practice. The data processing needs to be targeted and proportional to archive a specific purpose. Clearly, this requirement is not fulfilled if the data processor can reasonably achieve the same goal by using less intrusive measures. Therefore, the processing needs to be objectively necessary and not just a part of a chosen method.41

3.4

Consent

Consent is a specific part of the regulation, allowing IoT users’ data to be processed. The regulation requires that individuals should consent to the actual data collection.42 Consent is defined in Article 4, and special conditions are set out in Article 7.43 Article 6 (1)(2) set out the different legal obligations for data processing, and at least one of these must apply whenever personal data are being processed.44 The consent must be freely given, and it is a specific, informed and unambiguous indication of the data subjects’ wishes.

38

Ibid. Supra n31, p. 7. 40 European Data Protection Board (2019), p. 13. 41 Supra n8, Art. 6, Recitals 39, Recitals 40, chapter III. ICO (2020b). 42 Supra n8, Art. 6(1)(a). Ibid. 43 Supra n8, Article 4. Article 7. 44 Supra n8, Art. 6(1)(a). Supra n42. 39

486

T. Munk

With all types of data processing, including those related to IoT device, users should be provided with a genuine choice and control over how their data are being used. If a free choice does not exist, the data processing is not valid.45 The information provided to online users about the data processes and consent should be easily accessible from the web page and similar pages associated with the device and the data collection, written in a clear and understandable language and clearly separated from other legal and policy pieces of information.46 It is important to remember that the GDPR is not introduced to restrict technological development or the actual process of producing and using IoT devices or other computer technologies.47 The provisions in the regulation aim to ensure that respect and protection of privacy remain central to the development. Yet the regulation forces IoT manufactures, tech businesses and administrators to consider these areas to enhance cybersecurity and protect personal data.

3.5

Privacy by Design and by Default

By the adoption of the GDPR, data protection by design and by default has been upgraded from being a desirable or recommended good practice to becoming a fully enforceable obligation to all parties processing personal data under EU law.48 The regulation specifying the protection of personal data is the default settings of systems and services.49 In the development and use of IoT devices, security and privacy are often neglected in the early stages of the design process, which have an impact on the actual use of the devices. These two areas need to be incorporated into cybersecurity solutions on all levels.50 According to Article 25, data controllers must demonstrate that measures are implemented appropriately.51 Those measures should align with the cost of implementation and the nature, scope, context and purposes of the actual data processing, together with the rights and freedoms of the online users. Notably, according to Article 25, “by default” means that it is only possible to process personal data that are necessary for each specific purpose of the process.52 In this context, the data controllers must regularly review the processes, taking into account the technological development when determining the appropriate technical and organisational

45

Supra n8, Art. 7. Recital 43. ICO (2020e). Supra n40, p. 23. 47 Zorz (2017) and Mediartis (2019). 48 Supra n31, p. 3. 49 ENISA (2020b). 50 Executive Office of the President. President’s Council of Advisors on Science and Technology (2015), p. 3. 51 Supra n31, p. 5. Supra n40, p. 5. 52 Supra n31, p. 5. 46

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

487

measures. The controllers are required to continually consider how they can ensure the effective implementation of safeguarding measures to uphold the data protection principles and rights of online users.53

3.6

Privacy by Design and Security by Design

The protection of privacy by design and by default derives from two essential concepts: privacy by design and security by design. The data generated by IoT devices should be protected throughout its life cycle.54 However, there is currently an inadequate level of protection inbuilt into smart devices due to the lack of IoT regulation, standardisation and certification. This creates a risk to the users’ privacy. IoT smart home devices, such as voice assistants, might be developed by manufactures with limited knowledge about security design. Additionally, data security might not take priority to keep the cost of the devices down to an affordable level.55 On a more cynical level, the businesses might not be interested in increasing security as they are benefitting economically from trading data. Both security by design and privacy by design follow the whole lifespan of IoT devices. These two concepts require that the data controller and processor regularly review the effectiveness of processes and procedures in the light of data protection.56 Data processing practices aim to include privacy, data protection and security checkpoints within the entire process, covering the different phases inbuilt in the concept stage, development stage, actual live stage until the end-of-life stage.57 Privacy by design requires that the data are pseudonymised from the actual collection point. The GDPR emphasises that data controllers can only process data related to the specific task based on user consent and only store data if necessary. Beyond that point, the data should either be anonymised completely or deleted.58 The functionality of stand-alone devices connected ad hoc to an existing Wi-Fi network creates problems. With security by design, the focus is on the security level inbuilt in the devices, whereas with privacy by design, the focus is on the data processed. Lack of security in these devices exposes not only the actual device but also the whole interconnected smart home to unwanted data breaches and potential data misuse.59 Article 5 of the GDPR set out essential requirements to uphold a certain level of protection by introducing privacy by default. This provision requires that the

53

Supra n40, p. 8. ICO (2020a). 55 Supra n11, p. 16. 56 Supra n40, p. 4. 57 Ibid. Supra n54. 58 Supra n1, p. 4. Supra n40, p. 8. 59 Supra n11, p. 16. 54

488

T. Munk

controller predetermines for “which specified, explicit and legitimate purposes the personal data is collected and processed”.60 Protective measures must be introduced “by default” to ensure that the processed amount of personal data and the purpose of the processing meet the necessity and proportionality criteria inbuilt in the regulation.61 Processing operations may be adequate and necessary for the original processing purpose.62 Yet the actual data collection should not extend the boundaries of compatible purposes and the reasonable expectation of the users.63

3.7

Emergency Measures Included in the GDPR

Most public attention is given to the data breach provision included in Part 3 of the GDPR. The GDPR provides the data protection authorities (DPAs) powers to issue a monetary penalty for an infringement of the provisions.64 Without undue delay and where feasible, the data controllers are required to notify the competent supervisory authority specified by Article 55. This should happen within 72 h after having become aware of the possible data breach.65 According to Recital 75 of the GDPR, Article 55 applies to processes where rights and freedoms of the online users might lead to physical, material or non-material damage.66 Additionally, Recital 87 of the GDPR states that data processors and controllers must quickly establish the likelihood and the severity of the potential data breach. Moreover, the data processors and controllers should take steps to minimise the damage. These steps will include informing online users and the national DPA about the potential breach.67 This requirement includes potential breaches of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data.68 An interesting part of the GDPR is the emergency measures included in Article 66. Article 66 is a proactive measure allowing the authorities to act on a suspicion that a particular practice is breaching the provisions of the GDPR. DPAs and other authorities can invoke Article 66 under exceptional circumstances, for example if a supervisory authority considers that urgent actions are needed to protect the rights

60

Supra n8, Art. 5(1)(b), (c), (d), (e). Supra n40, p. 11. 62 Supra n8, Art. 4(2). This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 63 Supra n40, p. 12. 64 Supra n8, Part 3. 65 Supra n8, Art. 33. 66 Supra n8, Recital 75. 67 ICO (2020c). 68 Ibid. 61

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

489

and freedoms of the online users (the data subjects). The article gives these authorities the power to immediately adopt provisional legal measures, which effectively stops the process within the jurisdiction of the national authority.69 Measures can be introduced for a specified period of validity that does not exceed 3 months. The action and the reason for taking this intrusive step should be communicated without further delay to the other supervisory authorities concerned, as well as the Board and the Commission.70 Article 66 gives the DPAs powers to act proactively to stop ongoing practices during an investigation if there is a suspicion that a practice violates the protective measures included in the GDPR. These emergency measures also send an important signal about the necessity of complying with the regulation to avoid interference by the authorities. The following case study reveals that the DPAs intend to use the provision to enhance the protection of data.

4 IoT Voice Recognition Technologies and Devices With this legislative framework in mind, the growing use of voice recognition software and voice assistants has generated serious concerns about how data from these technologies and devices are processed and controlled. Smart home speakers are connected to the Internet controlled and monitored through applications. By using applications, IoT users can carry out tasks from a distance, i.e. adjust the temperature, open/close shutters or garage doors, switch on the light or set the alarm.71 Together with the growing use of IoT sensors, voice recognition technologies and voice assistants is added a new technological dimension to consumer products that previously lacked smart capabilities.72 Voice recognition technology is the ability of a machine or program to receive and interpret dictation or the ability to understand, respond and act on speech commands. The functionality of voice recognition technologies is linked to cloud technologies. In the cloud, a speech-to-text technology converts the audio. This technology transforms the audio into a machine-understandable structure of meaning by using a type of natural language processing. The outcome of this process is forwarded to an artificial “dialogue manager” that determines the response to the interaction.73 The way voice recognition technologies are being used depends on the product. However, these technologies can transcribe voice to text, set up reminders, search the Internet and respond to simple questions and requests, such as playing

69 Supra n8. By derogating from the consistency mechanism referred to in Articles 63, 64, 65 or the procedure referred to in Article 60. 70 Supra n8, Art. 66. 71 Supra n40, p. 11. 72 Supra n7. 73 Supra n22, p. 4.

490

T. Munk

music, booking tickets, or sharing weather or traffic information.74 It is evident with this constant technological development that the use of these technologies are evolving. The voice recognition tools cover different processes and technologies. The system might recognise the voice, or the voice recognition system might be triggered by a unique keyword, phrases or sentences predetermined by the owner of the device. Finally, some systems and devices monitor and record everything without having a particular wake word or voice. This leaves the speakers to feely talk as everything is recorded.75 Most users recognise the benefits of these computer technologies. However, users are less aware of the technologies embedded in voice assistants. The scope of the data collection by these technologies and devices are often overlooked. By design, most voice assistants are always listening, monitoring all conversations and activities and searching for the wake word.76 Therefore, these voice recognition technologies and voice assistants are opt-in by default.77 This monitoring of the home environment creates a consistent data flow where companies and administrators collect personal data. This practice can be used for the collection, storage, profiling and trade of very personal data. Companies involved in this data process mines data from millions of online users worldwide, and therefore they create lucrative trade opportunities for unimaginable commercial activities exploiting and commercialising personal data.

4.1

Biometric Identifiers

Computer algorithms have become so intelligent that they can automatically analyse peoples’ personalities and behaviours. Therefore, personality traits are used to identify people.78 Names are just one out of the many different identifiers used. As the GDPR has outlined in its definition, several areas fall under the scope of personal data, and biometrics is one of these areas.79 Names are not the most practical identifiers for behavioural targeting carried out by tech companies and social media businesses.80 Behavioural biometrics are used to analyse traits and

74

Supra n7. Scardina (2021). Supra n17, p. 3. 76 Lynskey (2019); Lindsey (2019), Supra n22, p. 8. 77 Ibid 78 Smith (2019). 79 Supra n8, Article 4(1). 80 Zuiderveen Borgesius (2016), p. 256; Equality and Human Rights Commission (2018), p. 3 “Special categories of data include information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation, organic or biometric data used to uniquely identify an individual”. 75

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

491

micro-habits; voice, keystrokes when typing, navigational patterns, engagement patterns, the tone of voice and the spoken pace are all useful behavioural biometrics.81 Voices are one of the most sensitive parts of personal data, and this is a dangerous area if it is exploited. Clearly, at this stage of the technological evolution, software types are developed to recognise samples based on voice recognition as a part of biometric behaviours. It is possible to extract data to produce models of behavioural patterns about the observed user’s data to continually improve the performance of the product, i.e. the voice recognition device.82 Additionally, it is possible to teach an artificially intelligent program to mimic the users’ behaviour.83 Therefore, voices and voice commands are central to the GDPR and data controllers, and processors must clearly explain how the data are collected and why.84 Any company, organisations or groups operating in the EU, regardless of their establishment, needs to comply with the regulation and enhance the data protection of identifiable personal data. This signifies that all processors and controllers need to consider why and how they are using the data.

5 GAFA and Data Processes in the GDPR Era Google, Amazon, Facebook and Apple (GAFA) are four of the leading developers of voice recognition technologies and voice assistants. This particular part of IoT is believed to dominate the future market as it provides an advanced tool for businesses and individuals. These IoT devices and technologies include several functions, i.e. multilingual technology for audio segmentation, speech recognition and speaker digitisation for transforming raw audio data and audiovisual data into new formats, along with language identification.85 The tech market is currently over-flooded with new types of voice recognition and voice assistant technologies spanning from Apple’s Siri and Google Assistant to Facebook Portal and Amazon Echo/Alexa. In 2019, Amazon declared that more than 100 million Alexa-enabled voice assistants are used worldwide, while Google Assistants are inbuilt in more than a billion devices (including Android phones). When voice recognition technologies were introduced, the popularity was largely underestimated.86

81

Supra n78. Supra n22, p. 13. 83 Supra n17, p. 6. 84 Wu (2019). 85 MarketWatch (2020). 86 Bohn (2020), Matney (2019) and Kumparak (2019). 82

492

T. Munk

Devices, such as Amazon Echo and Google Home, have quickly found a way into businesses and private households, and the market is continually expanding to new areas.87 Tech companies are currently embedding voice assistants into cars, smart TVs, headphones, microwaves, thermostats and clocks.88 These new ways of using voice recognition open up for more data being produced and transmitted. Amazon promotes the idea that voice assistants should be incorporated everywhere.89 During the annual 2020 tech showcase “the Consumer Electronics Show” in Las Vegas, Amazon displayed new innovative devices and technologies, which included Alexa in everyday objects,90 For example, Alexa is included in devices spanning from instant pots, motorcycle helmets and electric toothbrushes to electronic beds, Alexaenabled toilets, meditation bands, e-bikes and washing machines.91

5.1

Data Trade

The increased use of these technologies creates a significant data protection concern. The users of, for example, Facebook Messenger, Google Assistant and Amazon Echo can communicate with other devices and databases. In this process, these devices and systems are transmitting sensitive, personal and identifiable data. Therefore, safeguards and protective measures, such as security by design and privacy by design, are paramount principles to include. Initially, data trade was linked to companies’ desire to understand their consumers and improve their services. Technological development has expanded this process, and contemporary data collection is based on a comprehensive but legally challenging process. Online users struggle to understand and engage with the process, which, unfortunately, means they often give consent without clearly knowing what it contains.92 Some data collectors and processors have a direct relationship with the users, whereas, others, such as the infomediary sector, have specialised in hidden data collection and analysis.93 GAFA are deeply involved in developing, selling or supplying voice assistant products worldwide. Data trade is considered as an essential and economically beneficial bi-product of the actual trade of devices. Therefore, these companies have created a market based on the commercialisation of voice-activated devices and products linked to online speech services. This booming market is based on the convenience of users to communicate with a device or chatbot, rather than physically

87

Supra n20. Supra n76. 89 Pierce (2018). 90 Khalid (2020). 91 Ibid. Supra n86. 92 Competition and Markets Authority (2015), pp. 5–6. 93 Ibid, p. 6. 88

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

493

using a computer. Some of these voice recognition technologies are included in already existing platforms and objects. This enables tech companies to sell devices cheaply—or to offer free services in return for the ability to harvest data from the users. GAFA’s global market position places the users in a problematic situation with no real alternative to these free services, such as paying for the service.94 Although these devices and services offer many benefits, they also create commercial, legal and ethical challenges. Tech companies now have in-depth knowledge about their online users from the data processes. Therefore, there are uncertainties about the use of data, data controllers/processors and the third parties – and the aim and the scope of data processing.95

5.2

GAFA and Compliance with the GDPR

GAFA are operating in the European market. As these companies are targeting European citizens, it automatically imposes a request for GDPR compliance. Apple, Facebook and Google have their European headquarters in Ireland, and Amazon is situated in Luxembourg. Authorities in these countries are closely following the activities of the tech companies to ensure that they are complying with the GDPR.96 If a company is processing data in different counties, as with GAFA, the competent data protection authority will take the lead in dealing with other concerned EU authorities. The GDPR “one-stop-shop” mechanism ensures cooperation between the DPAs regarding cross-border data processing. The one-stop-shop mechanism is based on where the processor/controller is situated within the Member States. The company’s establishment determines who is dealing with a case.97 The powers of GAFA derive from their leading position and their ability to process data continually. This position has previously brought GAFA into problems with the European Commission. Other European competition authorities have also launched investigations into GAFA for various business practices.98 On the day the GDPR came into force, Schrems from the “None of Your Business” group (Noyb.eu) filed four lawsuits against Facebook, Google, Instagram and WhatsApp, arguing that tech companies forced their customers to accept the data collection policy in order to use the services. Although these lawsuits were filed with regulators in France, Germany, Austria and Belgium, they were all forwarded to the Irish Data Protection Commissioner (DPC). The DPC subsequently became the EU's

94

Sadowski (2016). Supra n84. Supra n76. 96 Todd (2019) and Rolland (2018). 97 Article 29 Data Protection Working Party (2016), p. 5. 98 Ibid. European Commission (2020) 95

494

T. Munk

leading regulatory authority for these tech companies due to the one-stop-shop mechanism. The Schrems II “Standard Contractual Clauses” (SCC) case is the first draft decision on big tech investigations forwarded by the Irish DPC using the consultation process in collaboration with other EU data protection authorities. In 2020, the Court of Justice of the European Union (CJEU) explained in the Schrems II case the legality of using the SCC mechanisms for personal data transfers out of the EU. The court concluded that Facebook and similar companies could not use SCC to justify data transfers unless these transfers are absolutely necessary in accordance with Article 49 of the GDPR. Moreover, the CJEU also emphasised that the Irish DPC must stop transfers under this instrument and the EU DPAs have a duty to take action.99 GAFA have been involved in other GDPR cases. The French DPA fined Google for failing to comply with the GDPR when new Android users set up a new phone.100 In 2019, Ireland was managing several ongoing cases. More than 20 cross-border investigations are related to complaints and inquiries about data processing practices of tech companies, i.e. Apple, Facebook, Google, Instagram, LinkedIn, Tinder, Verizon and WhatsApp.101 Also in 2019, the Hamburg DPA fined Facebook for failing to communicate the appointment of a data protection officer at the Irish headquarters to the relevant national authority. The Hamburg DPA has repeatedly raised concerns about the data-sharing practices of WhatsApp and Facebook by citing two court decisions that ordered these entities to end their practices.102 Online users should be given an informed choice, and the legislation requires that the consumers are consenting to the data transmission.103 However, the territorial scope of the regulation signifies that it is only relevant to the EU citizens and companies trading within the EU. Yet it is still problematic for the users, even for EU citizens, to get precise information about the data processes—and the actors involved in processing data. They might give consent as a part of the terms and conditions, but it is not specified who the third parties are. Often the consent process is compromised by misleading marketing practices and hidden data trade.

99 Noyb (2020) and InfoCuria (2020). C-311/18 - Facebook Ireland and Schrems. Lomas (2020a, b, d). 100 Dillet (2019). 101 Ibid n99. Data Protection Commission (2019) 102 Vinocur (2019), Bryant (2020), Toor (2016), ICO (2018) and Smith (2016). 103 Supra n45.

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

495

6 Data Processing Practices: The Google Case Study The technology underpinning voice assistants are on a low level of the evolution of artificial intelligence (AI) and machine learning (ML). Therefore, the devices are still profoundly imperfect, and there has been an increase in reports regarding system errors, which should raise a significant amount of concern about the level of security inbuilt in these devices. There have been reports about voice assistants’ recording without the wake word being triggered; inaccurate interpretations of commands; failure to consider different languages, accents, tones and contexts; and data transcripts sent to other people.104 Amazon Echo/Alexa are managing well with simple tasks, such as setting the alarm and fulfilling one-off commands. However, these devices are struggling to speak and understand many explicit commands. Speech is an inherently social mode of interaction, and the algorithms are not on the stage where it can differentiate between different voices, accents and slang and mirror a human conversation.105 Therefore, GAFA argue that automated systems need to be monitored and controlled by humans to enhance the accuracy of languages and interactions.106 Nevertheless, using humans to monitor and review personal data generated by voice recognition technologies and voice assistants are concerning. The human review practices open up for a misuse of data by the manual workers, the companies and/or states when it mirrors a surveillance apparatus, i.e. hacking, espionage, social surveillance and other potential violations of privacy.107 Mass media, the EU DPAs and insiders/whistle-blowers have revealed information about procedures where human workers are central to the process by carrying out manual reviews on recorded snippets for quality control, maintenance or future developments.

6.1

Errors and Privacy Concerns with Voice Recognition Technologies and Voice Assistants

GAFA, in particular Amazon, Apple and Google, have been widely criticised for their data processing practices in relation to voice recognition technologies in 2019. Yet the use of these voice recognition technologies is polarising. There are privacy concerns linked to the widespread use of these technologies and devices. Some people consider these technologies as too intrusive into the private sphere, threatening the right to privacy. Other people perceive them useful for managing various

104

Supra n76. Vhalos (2018). 106 Supra n76. 107 Supra n11, p. 18. Supra n76. 105

496

T. Munk

tasks more efficiently.108 Nevertheless, if a company holds a nameless individual for behavioural targeting, the content will link the person to the profile. For example, behavioural targeting may also relate to a person because of its result. If a company forwarding a targeting advert to a specific person based on personal information, the company treats this person differently from others. The core element here is if a person can be directly or indirectly identified based on the data processed.109 In 2019, a report from Bloomberg revealed that Amazon Echo/Alexa devices transmitted data back to the company, facilitating a manual review without the users’ knowledge. The actual audio recordings were transcribed and assessed by human beings to improve the AI system. Another problem revealed in 2019 showed that there were several system errors enabling devices to record conversations accidentally without the use of the wake word.110 Similar to other computer technologies and devices, these voice assistants and voice technologies are always opt-in by default. The voice assistant is designed to monitoring everything said waiting for being called to action by the wake word. The actual recordings are stored on the device’s app cloud, together with other information from online users’ Google or Amazon accounts.111 Amazon’s marketing and privacy policy were not clear about this practice. The policy did not state that human contractors were involved in the review process. Instead, the policy says that voice requests to Alexa are collected to train the speech recognition and natural language understanding systems.112 Amazon claims that the company allows customers to opt out of this practice of having their voice recordings added to the pool for manual review. Nevertheless, this is a new option introduced after several issues were revealed in 2019 regarding the company’s data collection practice.113 Apple and Google made similar changes in 2019, stating that the change of practice is based on their continuous review practices and procedures to comply with online privacy regulation.114

6.2

Google and Human Reviews

In 2019, information about Google’s data collection practices was published by the Belgian news site VRT NWS. VRT NWS revealed that 1000 Dutch- and Flemish-speaking Google Assistant recordings were leaked to the news site.115

108

Supra n76. Supra n80, p. 260. 110 Day et al. (2019), Vincent (2019) and Simonite (2019). 111 Johnson (2019). 112 Supra n110. 113 Ibid. 114 Supra n22. 115 Van Hee et al. (2019). 109

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

497

The news report showed that Google employees systematically listened to audio files recorded by Google Home smart speakers and the Google Assistant smartphone app.116 Although the manual review was introduced globally, VRT NWS exposed that the practice violated the provisions of the GDPR. Most of the recordings were made consciously by invoking the wake word; However, the Google transcripts also included conversations that were not meant to be recorded without the user’s knowledge.117 Similar to Amazon’s terms and conditions, Google’s privacy statements revealed that the company collected data to improve its services.118 Nevertheless, Google’s practice of manually reviewing audio was not outlined in the privacy policy.119 The leaked audio snippets showed a wide range of sensitive personal information as well as embarrassing and disturbing incidents that were circulated beyond the private household. For example, private conversations about sensitive medical conditions, domestic violence, sexual relationships and drug dealings. All these audio snippets were monitored and analysed by Google contractors around the world. Based on the information from the audio snippets, VRT NWS could identify online users, their physical addresses and contact information.120

6.3

The Use of Article 66

This revelation by VRT NWS prompted the Hamburg DPA121 to invoke the emergency powers under GDPR’s Article 66 to stop the human review of voice recordings from Google. The DPA commissioner ordered Google to cease manual reviews of audio snippets generated by its voice AI. This is an important decision, and the case marks the first use of Article 66 powers since the GDPR was implemented in 2018.122 Evoking Article 66 requires that there is a clear, present and urgent danger to the privacy of EU citizens.123 Based on the news report and the preliminary investigation by DPA, these requirements were fulfilled. The DPA has the power to stop the practices to protect online users’ privacy where the authority can demonstrate an imminent danger to privacy. The GDPR allows for concerned authorities within the Member States to issue an Article 66 orders for up to 3 months. The German DPA argued that the intended proceedings against Google were directly linked to the requirement of protecting privacy rights of

116

Ibid. Supra n110 (2019); Supra n22, p. 9. Supra n115. Verheyden (2019). 118 Ibid. Google Nest Home (2020). 119 Ibid. 120 Supra n76. Supra n115. Supra n117. 121 Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit 122 Lomas (2019), Supra n76; Scott (2019). 123 Ibid. 117

498

T. Munk

affected users.124 The DPA Commissioner stated: “The use of automatic speech assistants from providers such as Google, Apple and Amazon is proving to be highly risky for the privacy of those affected.”125 The privacy concerns are not limited to the actual users but extend to the rights of visitors in homes where these devices were operational.126 Google claimed that they stopped the practices of listening to and transcribing recordings for at least 3 months across the EU countries while the regulators investigated the practice.127 Moreover, Google responded to the German DPA’s Article 66 action by stating that they already had ceased the practice after learning about the actual data leak.128 Nevertheless, it is essential to recognise that this change of practice was not imposed because of the company’s own concern about protecting its consumers or a willingness to improve their compliance with the GDPR. It was a direct response to public criticism in various news media and the interference by the DPA, which influenced Google’s international brand and market dominance. Google responded to the media attention and the Article 66 restriction by stating that manual reviews of Google Assistant commands were a critical part of the processes of developing and improving speech technologies. This practice is central to creating such products as the reviews help make voice recognition technologies more inclusive of different accents and dialects across languages. Google attempted to justify the human review practice by claiming that these audio clips were not linked to any user accounts during the review process. Google also claimed that the practice only included reviews of approximately 0.2% of all clips.129 The German DPA raised further questions about the functioning of speech analysis systems. This underlying practice needed a more in-depth clarification before the Commissioner would remove the Article 66 emergency powers. Then the DPA would decide on definitive measures necessary for a privacy-compliant operation.130 Additionally to the territorial use of Article 66, the DPA urged other EU authorities to prioritise investigations into other providers of voice recognition technologies and voice assistants. These investigations would also include checking the practices of Apple and Amazon’s voice AI.131 The remarkable outcome of this Google case study is that there could be broader ramification to rival tech giants’ use of similar practices in Europe. This DPA’s action creates legal precedence for halting

124

Supra n121. Supra n76. Supra n107. Supra n121. 126 Lecher (2019). 127 Supra n8, Art. 66. 128 Supra n121. Supra n125. Bradshaw (2019). 129 Ibid. 130 Supra n121. Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI) (2019). 131 Supra n121. 125

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

499

practices based on the GDPR’s emergency powers.132 The use of an Article 66 order sends a clear signal that the use of data from voice recognition software or devices is linked to the protection provided under the GDPR.

6.4

Protection of Online User Data

In reply to Googles’ arguments, the German DPA highlighted that the use of language/voice assistant systems in the EU needs to comply with the data protection requirements of the GDPR. In the Google case study mentioned above, the doubts regarding this practice developed by the company had a widespread effect.133 By referring to the GDPR, it is clear that the use of language assistance systems must be done transparently based on informed consent by the users whenever it is possible. It is also the company’s responsibility to provide online users with enough information about the processing of voice commands. This applies whether or not the data are manual or automatic. One weakness in the use of Article 66 is that it is only imposed within the national jurisdiction and not across the Member States. However, if several national DPAs collaborate, they can extend the emergency powers across the Union, but they need to agree first. The second weakness is the time limit, where the order can only be imposed for 3 months, which puts pressure on the DPAs and other authorities to investigate and communicate the outcome to the company quickly. However, the time limit might be problematic when cases are piling up due to non-compliance and companies circumventing the regulation to process data. After Article 66 was invoked in 2019, the leading privacy regulator in Europe, the Irish DPC, decided to examine the issue underpinning the German order. The DPC’s head of communication stated that Google Ireland filed an Article 33 breach notification for the Google Assistant data, and the company ceased the processing practice.134 Nevertheless, the GDPR has made a legal change by evoking Article 66 as an emergency brake. Of course, fines can be issued up to as high as €20 million, or 4% of a company's globale annual turnover. Yet this is not the groundbreaking part of this case study.135 The essential part is that the EU Member States’ DPAs have a regulatory option to stop data processes based on a suspicion that the process might violate the GDPR requirements. Moreover, the DPA has sent a powerful signal that they are willing to use the provision.136 It is a clear violation of the GDPR when companies are using this practice in Europe without the users’ consent. Voice assistant providers need to ensure that they

132

Supra n121. Supra n127. Supra n129. 134 Supra n121. Supra n125. 135 Supra n8, Art. 33. 136 Supra n121. 133

500

T. Munk

have explicit consent for data collection and that the data collection does not happen beyond that. The problem area regarding data processing is also linked to the lack of user information about the concrete aims and scope of the data collection or the consent not being freely given.137 The reaction to the use of human reviews might encourage developers to make data processing practices clearer to the users who hand over aspects of their privacy. Despite the GDPR requirements for privacy notices to be concise and transparent, there is still a tendency that information regarding these practices is not particularly digestible for users.138 The data processes can only fulfil the GRPR requirements if the practices used are fair and transparent. Therefore, there must be more openness about the data processes on all levels. This openness can only be obtained through effective communication with online users, including the information notice and the procedures regarding content. This means that the companies need to introduce a tailored, reflective and dynamic approach by moving away from the legal tickbox compliance practices.139 Due to the growing legal and regulatory pressure, Amazon, Google and Apple have all stopped the practices of using human review of recordings from these voice assistants and voice recording technologies.140 Adopting and subsequently using the GDPR have intensified the focus on data protection, which can inspire other countries to introduce similar legislative frameworks. This would, over time, provide online users with a better privacy framework.141

6.5

Critique of the DPAs’ Management of Cases

Although GAFA have ceased its use of human reviews, the case study has shown that there are issues regarding GDPR investigations. The EU has implemented strict privacy laws, yet there is a growing concern about the Member States’ ability to enforce, cooperate and investigate potential data protection violations.142 The largest tech companies are established in two EU Member States, Ireland and Luxemburg. However, these countries’ DPAs have not finalised any significant cases concerning US tech companies. The Irish regulator that oversees companies, such as Google, Facebook, Microsoft and Twitter, is facing delays in finalising cases against these tech companies.143 The Irish DPA, the DPC, stated in its 2019 annual report that

137

Supra n7. Supra n22, p. 10. 139 Supra n 28, p. 705. 140 Supra n76. 141 Supra n111. 142 Supra n102. 143 Supra n96. Supra n99. 138

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

501

investigations into big tech companies continued to progress in 2019 with the first two inquiries moving from the investigative to the decision-making stage. Across the EU, only three minor cross-border cases have resulted in moderate fines since the introduction of the GDPR to the end of 2019.144 Concerns have been raised about the implementation processes and the investigatory burden imposed on smaller Member States, such as Ireland and Luxemburg. These two counties are facing both a considerable number of cases that are disproportionate to the funding available.145 The Irish DPC has defended the slow progress, stating that this is an untested area of EU law, and it takes time to implement this correctly. Moreover, the novelty creates challenges regarding cooperation and consistency where the cases are open for scrutiny by all Member States and national courts.146 However, the DPC admits that the implementation of new processes has taken longer than expected, such as the one-stop-shop mechanism. It is notable that the 2019 annual report does not mention the use of Article 66 and the deferral of the Google case to Ireland. The slow implementation of rules, the lack of transparency regarding the processes and the inconsistent way the different DPAs are dealing with complaints are problematic. In the Google case study, the German DPA triggered the emergency procedure in Article 66 to protect the rights of the citizens regarding the manual reviews.147 The actions taken by the German DPA and the subsequent slow investigation procedure invoked by the Irish DPC indicate three key areas. Firstly, the use of Article 66 illustrates the seriousness of the practice and the need for using emergency measures. Secondly, the Google case study shows that there is a willingness within the Member States to act proactively to protect personal data. Thirdly, the actual architecture of the mechanism is problematic as the case has stalled within the Irish DPC investigative process. Therefore, the case demonstrates gaps in the system as the German DPA could not wait for the lead supervisory authority to take action as outlined in the one-stop-shop mechanism. However, after these measures were taken, the case has not been processed within the 3 months’ time frame.148 This is not an isolated case where the German DPA circumvents its Irish counterpart. For example, the German watchdog also acted alone in the Hamburg DPA case against Facebook in 2019, which had links to the Irish Facebook headquarter.149

144

Supra n99. Supra n101, p. 8. Supra n102. Supra n102. Lomas (2020c), Supra n143. 146 Ibid. Supra n101. 147 Supra n102. Supra n121. Hamburg DPA. 148 Supra n102. 149 Supra n102. 145

502

T. Munk

7 Conclusion IoT devices are becoming an integrated part of everyday life, and the market for voice recognition technologies and devices is booming. This chapter, and particularly the Google case study, highlights only a snapshot of the problems associated with the use of IoT and voice recognition technologies. There are problems regarding companies’ compliance with the GDPR. Firstly, it should be in the manufacturers’, companies’ and administrators’ interest to provide privacy and security to consumers. However, it looks like the consumers are only given a marginal role except for being data producers to generate higher revenue for multinational companies. Secondly, the GDPR does only cover a smaller area of the market. The GDPR protects EU citizens, but this protection is not extended to non-EU citizens. Therefore, the result of the use of Article 66 impact EU citizens’ protection, but this does not mean that the practice has ceased outside Europe. Thirdly, these companies are still collecting a large number of data from their users, and this data trade will be intensified if it is not regulated sufficiently. GAFA might have stopped the manual review based on the use of Article 66, but they are still collecting data reviewed by AI. Fourthly, errors will happen, and if there are not enough safeguards in place, online users will suffer from the breach of privacy and the circulation of sensitive data. Nevertheless, the national DPAs are restricted in how they can stop these practices. Moreover, there are procedural challenges that delay the actual investigation into these potential violations. There is a need to review the measures and the procedures and ensure that the national data protection commissioners have enough funding to progress these cases in a timely manner. The Google case has demonstrated that although the German DPA acted quickly by invoking Article 66, the Irish counterpart has not followed up on this. To increase data protection beyond the scope of GDPR, consumers and online users should pressure manufactures and tech companies. If online users stop buying and using the services because of the lack of privacy and security, the companies will be forced to change practices and value the protection of their customers. GAFA are sensitive to negative mass media attention and consumer pressure. However, to create consumer pressure, IoT users need to be more aware of how their data are being controlled and processed—and the imminent dangers to their privacy. So far, these companies are not very vocal about their internal practices and processes. The companies are protecting their business strategies, the data trade revenue and their market domination by shielding these practices.

References Altman I (1975) The environment and social behavior: Privacy, personal space, territory, crowding. Brooks/Cole Publications, Monterey

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

503

Article 29 Data Protection Working Party (2016) Guidelines for identifying a controller or processor’s lead supervisory authority. 16/EN WP 244 rev.01. Available via European Commission. Justice and Consumers. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_ id¼611235. Accessed 24 July 2020 Articulate (2020) General data protection regulation. Compliance. https://articulate.com/gdpr. Accessed 3 Feb 2020 Bohn D (2020) Amazon says 100 million Alexa devices have been sold – What’s next? Available via the Verge. https://www.theverge.com/2019/1/4/18168565/amazon-alexa-devices-howmany-sold-number-100-million-dave-limp. Accessed 13 Apr 2020 Bradshaw K (2019) Google to cease listening to assistant recordings in EU pending investigation. Available via 9to5Google. https://9to5google.com/2019/08/01/google-to-cease-listening-toassistant-recordings-in-eu-pending-investigation/. Accessed 2 March 2020 Bryant J (2020) Hamburg DPA ‘took the hard line’ in fining Facebook for GDPR violation. Available via the Privacy Advisor. https://iapp.org/news/a/hamburg-dpa-took-the-hard-line-infining-facebook-for-gdpr-violation/. Accessed 25 July 2020 Business Insider Intelligence (2016) There will be 24 billion IoT devices installed on Earth by 2020. Available via Business Insider. https://www.businessinsider.com/there-will-be-34-billion-iotdevices-installed-on-earth-by-2020-2016-5?r¼US&IR¼T. Accessed 4 Apr 2020 Competition and Markets Authority (2015) The commercial use of consumer data. Report on the CMA’s call for information. https://assets.publishing.service.gov.uk/government/uploads/ system/uploads/attachment_data/file/435817/The_commercial_use_of_consumer_data.pdf. Accessed 6 Apr 2020 Data Protection Commission (2019) Annual Report. 1 January – 31 December 2019. https://www. dataprotection.ie/sites/default/files/uploads/2020-02/DPC%20Annual%20Report%202019.pdf. Accessed 24 July 2020 Day M, Turner G, Drozdiak N (2019) Amazon workers are listening to what you tell Alexa. Available via Bloomberg. https://www.bloomberg.com/news/articles/2019-04-10/is-anyonelistening-to-you-on-alexa-a-global-team-reviews-audio. Accessed 12 Feb 2020 Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI) (2019) Sprachassistenzsysteme auf dem Prüfstand – Datenschutzbehörde eröffnet Verwaltungsverfahren gegen Google. HmbBfDI. https://datenschutz-hamburg.de/ pressemitteilungen/2019/08/2019-08-01-google-assistant. Accessed 12 Feb 2020 Dillet R (2019) French data protection watchdog fines Google $57 million under the GDPR. Available via TechCrunch. https://techcrunch.com/2019/01/21/french-data-protection-watch dog-fines-google-57-million-under-the-gdpr/. Accessed 25 July 2020 ENISA (2014) Threat landscape and good practice guide for smart home and converged media. https://www.enisa.europa.eu/publications/threat-landscape-for-smart-home-and-media-conver gence/at_download/fullReport. Accessed 08 Mar 2020 ENISA (2017) Baseline security recommendations for IoT. https://www.enisa.europa.eu/ publications/baseline-security-recommendations-for-iot. Accessed 19 Feb 2020 ENISA (2018) Good practices for security of Internet of Things in the context of smart manufacturing. https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot. Accessed 19 Feb 2020 ENISA (2020a) Data protection. https://www.enisa.europa.eu/topics/data-protection/privacy-bydesign. Accessed 08 March 2020 ENISA (2020b) IoT and smart infrastructures. https://www.enisa.europa.eu/topics/iot-and-smartinfrastructures/iot. Accessed 16 Feb 2020. Equality and Human Rights Commission (2018) Data protection policy. https://www. equalityhumanrights.com/sites/default/files/data-protection-policy.pdf. Accessed 14 Apr 2020 European Commission (2020) What happens if my company processes data in the different EU Member States? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-businessand-organisations/enforcement-and-sanctions/enforcement/what-happens-if-my-company-

504

T. Munk

processes-data-different-eu-member-states_en#:~:text¼If%20your%20company% 2Forganisation%20is,it%20has%20the%20main%20establishment. Accessed 24 July 2020 European Data Protection Board (2019) Guidelines 4/2019 on article 25 data protection by design and by default, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_ dataprotection_by_design_and_by_default.pdf. Accessed 05 Mar 2020. Accessed 5 Apr 2020 European Data Protection Supervisors (2018a) Guidelines on the protection of personal data in IT governance and IT management of EU institutions. https://edps.europa.eu/sites/edp/files/ publication/it_governance_management_en.pdf. Accessed 8 Mar 2020 European Data Protection Supervisors (2018b) Preliminary opinion on privacy by design. Opinion 5/2018. https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_ privacy_by_design_en_0.pdf. Accessed 5 Mar 2020 Executive Office of the President. President’s Council of Advisors on Science and Technology (2015) Report to the President and the Congress ensuring leadership in Federally funded research and development in information technologies. https://obamawhitehouse.archives.gov/ sites/default/files/microsites/ostp/PCAST/nitrd_report_aug_2015.pdf. Accessed 1 Feb 2020 Fortino G, Trunfio P (eds) (2014) Internet of things based on smart objects: technology, middleware and applications. Springer, London Gartner (2017) Gartner Says 8.4 billion connected “Things” will be in use in 2017, up 31 percent from 2016. https://www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016. Accessed 4 Apr 2020 Gavison R (1980) Privacy and the limits of law. Yale Law J 89(3):421–471. http://www.jstor.org/ stable/795891. Accessed 13 Apr 2020 GDPR (2018) General data protection regulation (GDPR). Art. 66 GDPR. Urgency procedure. https://gdpr.eu/article-66-urgent-need-determined-by-supervisory-authority/?cn-reloaded¼1. Accessed 5 Mar 2020 Goddard M (2017) The EU general data protection regulation (GDPR): European regulation that has a global impact. Int J Market Res 59(6):703–705. https://journals.sagepub.com/doi/pdf/10. 2 5 0 1 / I J M R - 2 0 1 7 - 0 5 0 ? c a s a _ t o k e n ¼A m T 2 i m j 5 N z c A A A A A % 3 A k L a I u n V B T T 040MBYDB50BikUUZWB9cFFrt-cQJIKlLleCidDpU-sJR-4gdMSls9BSKiIqRq6Nh7QYA&. Accessed 13 Apr 2020 Google Nest Home (2020) More about data security and privacy on devices that work with assistant. https://support.google.com/googlenest/answer/7072285?hl¼en. Accessed 15 Feb 2020 Hogben G (2010) Behavioural biometrics. Available via ENISA. https://www.enisa.europa.eu/ publications/behavioural-biometrics. Accessed 08 Mar 2020. ICO (2018) Blog: A win for the data protection of UK consumers. https://ico.org.uk/about-the-ico/ news-and-events/news-and-blogs/2018/03/blog-a-win-for-the-data-protection-of-uk-con sumers/. Accessed 25 July 2020 ICO (2020a) Data protection by design and default. https://ico.org.uk/for-organisations/guide-todata-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-gover nance/data-protection-by-design-and-default/. Accessed 8 Mar 2020 ICO (2020b) Lawful basis for processing. https://ico.org.uk/for-organisations/guide-to-dataprotection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/. Accessed 8 Mar 2020 ICO (2020c) Personal data breaches. https://ico.org.uk/for-organisations/guide-to-data-protection/ guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/. Accessed 5 Apr 2020 ICO (2020d) Principle (f): Integrity and confidentiality (security). https://ico.org.uk/fororganisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ principles/integrity-and-confidentiality-security/. Accessed 12 Feb 2020

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

505

ICO (2020e) What is valid consent? https://ico.org.uk/for-organisations/guide-to-data-protection/ guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent/. Accessed 8 Mar 2020 InfoCuria (2020) Case Law. C-311/18 - Facebook Ireland and Schrems. http://curia.europa.eu/juris/ liste.jsf?td¼ALL&language¼en&jur¼C,T,F&parties¼schrems. Accessed 25 July 2020 International Data Corporation (IDC) (2019) The growth in connected IoT devices is expected to generate 79.4ZB of data in 2025. According to a new IDC forecast. https://www.idc.com/ getdoc.jsp?containerId¼prUS45213219. Accessed 4 Apr 2020 IoT Analytics (2018) State of the IoT 2018: Number of IoT devices now at 7B – Market accelerating. https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iotdevices-now-7b/. Accessed 4 Apr 2020 Jain SA, Jain SA (2019) Artificial intelligence: threat to privacy. Nirma Univ Law J 8(2):21–36. https://heinonline.org/HOL/Page?collection¼journals&handle¼hein.journals/nulj8&id¼141& men_tab¼srchresults. Accessed 13 Apr 2020 Johnson E (2019) Think about privacy next time you ask Alexa the weather. Available via TNW. https://thenextweb.com/podium/2019/03/16/think-about-privacy-the-next-time-you-ask-alexathe-weather/. Accessed 15 Feb 2019 Khalid A (2020) Alexa was everywhere at CES. Available via Quartz. https://qz.com/1783414/ amazons-alexa-was-everywhere-at-ces-2020/. Accessed 8 Mar 2020 Kumparak G (2019) Google says Assistant will be on a billion devices by the end of the month. Available via TechCrunch. https://techcrunch.com/2019/01/07/google-says-assistant-will-beon-a-billion-devices-by-the-end-of-the-month/. Accessed 13 Apr 2020 Lecher C (2019) Google will pause listening to EU voice recordings while regulators investigate Available via the Verge. https://www.theverge.com/2019/8/1/20750327/google-assistantvoice-recording-investigation-europe. Accessed 12 Feb 2020 Lindsey N (2019) Amazon, Google, Apple stopping human review of recordings from voice assistants. Available via CPO Magazine. https://www.cpomagazine.com/data-privacy/amazongoogle-apple-stopping-human-review-of-recordings-from-voice-assistants/. Accessed 15 Feb 2020 Lomas N (2019) Google ordered to halt human review of voice AI recordings over privacy risks. Available via TechCrunch. https://techcrunch.com/2019/08/02/google-ordered-to-halt-humanreview-of-voice-ai-recordings-over-privacy-risks/. Accessed 12 Feb 2020 Lomas N (2020a) First major GDPR decisions looming on Twitter and Facebook. Available via TechCrunch. https://techcrunch.com/2020/05/22/first-major-gdpr-decisions-looming-on-twit ter-and-facebook/. Accessed 24 July 2020 Lomas N (2020b) No grace period after Schrems II Privacy Shield ruling, warn EU data watchdogs. Available vis TechCrunch. https://techcrunch.com/2020/07/24/no-grace-period-after-schremsii-privacy-shield-ruling-warn-eu-data-watchdogs/. Accessed 25 July 2020 Lomas (2020c) GDPR’s two-year review flags lack of ‘vigorous’ enforcement. Available via TechCrunch. https://techcrunch.com/2020/06/24/gdprs-two-year-review-flags-lack-of-vigor ous-enforcement/. Accessed 25 July 2020 Lomas N (2020d) Lack of big tech GDPR decisions looms large in EU watchdog’s annual report. Available via TechCrunch. https://techcrunch.com/2020/02/19/lack-of-big-tech-gdpr-deci sions-looms-large-in-eu-watchdogs-annual-report/. Accessed 25 July 2020 Lynskey D (2019) 09.10.2019. Alexa, are you invading my privacy?’ – the dark side of our voice assistants. Available via the Guardian. https://www.theguardian.com/technology/2019/oct/09/ alexa-are-you-invading-my-privacy-the-dark-side-of-our-voice-assistants. Accessed 15 Feb 2020 MarketWatch (2020) Speech and voice recognition market top leading companies, consumption, key drivers, challenges and trends forecast to 2026. https://www.marketwatch.com/pressrelease/speech-and-voice-recognition-market-top-leading-companies-consumption-keydrivers-challenges-and-trends-forecast-to-2026-2020-02-13. Accessed 20 Feb 2020

506

T. Munk

Matney L (2019) More than 100 million Alexa devices have been sold. Available via TechCrunch. https://techcrunch.com/2019/01/04/more-than-100-million-alexa-devices-have-been-sold/. Accessed 13 Feb 2020 Mediartis (2019) Voice is a personal data. https://mediartis.com/blog/gdpr-voice-is-personal-data/. Accessed 15 Feb 2020 Munk T (2015) Cyber-security in the European region. Anticipatory governance and practices. Thesis. The University of Manchester, Manchester Munk T (2020) The Internet-of-Things: a surveillance wonderland. In: Owen T, Marshall J (eds) Rethinking cybercrime: critical debates. Palgrave, London Noyb (2020) CJEU Judgment - First Statement. https://noyb.eu/en/cjeu. Accessed 25 July 2020 Pierce D (2018) Inside the lab where Amazon’s Alexa takes over the world. Available via Wired. https://www.wired.com/story/amazon-alexa-development-kit/. Accessed 8 Mar 2020 Ranger S (2020) What is the IoT? Everything you need to know about the... Available via ZDNet. https://www.zdnet.com/article/what-is-the-internet-of-things-everything-you-need-to-knowabout-the-iot-right-now/. Accessed 12 Feb 2020 Rolland S (2018) After attacking Google, Vestager now turns to Amazon. Available via EuroActiv. https://www.euractiv.com/section/competition/news/apres-google-vestager-attaque-amazon/. Accessed 04 Apr 2020 Romdhani I (2017) Existing security scheme for IoT. securing the Internet of Things. In: Shancang L, Xu LD (eds) Securing the Internet-of-Things. Elsevier, Cambridge Rouse M (2019) What is IoT devices (Internet of things devices)? Available via TechTarget. https:// internetofthingsagenda.techtarget.com/definition/IoT-device. Accessed 12 Feb 2020 Sadowski J (2016) Companies are making money from our personal data – but at what cost? Available from the Guardian. https://www.theguardian.com/technology/2016/aug/31/personaldata-corporate-use-google-amazon. Accessed 20 Mar 2020 Scardina J (2021) Voice recognition (speaker recognition). Available via TechTarget. https:// searchcustomerexperience.techtarget.com/definition/voice-recognition-speaker-recognition. Accessed 10 Mar 2021 Scott M (2019) German authority orders Google to stop harvesting smart speaker data. Avialable via Politico. https://www.politico.eu/article/google-hamburg-smart-speaker-data-privacy/. Accessed 25 July 2020 Simonite T (2019) Who’s listening when you talk to your Google assistant? Available via Wired. https://www.wired.com/story/whos-listening-talk-google-assistant/. Accessed 12 Feb 2020 Smith J (2016) Germany orders WhatsApp to stop sharing user data with Facebook. Available via Zdnet. https://www.zdnet.com/article/germany-orders-whatsapp-to-stop-sharing-user-datawith-facebook/. Accessed 25 July 2020 Smith D (2019) How secure is behavioral biometrics? Available via InfoSecurity. https://www. infosecurity-magazine.com/opinions/secure-behavioral-biometrics/. Accessed 13 Apr 2020 Taddicken M (2014) The ‘privacy paradox’ in the social web: the impact of privacy concerns, individual characteristics, and the perceived social relevance on different forms of selfdisclosure. J Comp Mediated Commun 19(2):248–273. Accessed 13 Apr 2020. https://doi. org/10.1111/jcc4.12052 The Centre for Data Ethics and Innovation (CDEI) (2019) Smart speakers and voice assistants. CDEI Snapshot Series. https://assets.publishing.service.gov.uk/government/uploads/system/ uploads/attachment_data/file/831180/Snapshot_Paper_-_Smart_Speakers_and_Voice_Assis tants.pdf. Accessed 8 Mar 2020 Todd P (2019) ‘Big tech’ and competition law explained. Available via Legal Cheek. https://www. legalcheek.com/lc-journal-posts/big-tech-and-competition-law-explained/. Accessed 06 Apr 2020 Toor A (2016) Germany orders Facebook to stop collecting data on WhatsApp users. Available via the Verge. https://www.theverge.com/2016/9/27/13071330/facebook-whatsapp-user-data-ger many-privacy. Accessed 25 July 2020

20

Does Online Privacy Exist in the GDRP Era? The Google Voice Assistant Case

507

Van Hee L, Baert D, Verheyden T, Van Den Heuvel R (2019) Google employees are eavesdropping, even in your living room, VRT NWS has discovered. Available via VRT NWS. https://www.vrt.be/vrtnws/en/2019/07/10/google-employees-are-eavesdropping-evenin-flemish-living-rooms/. Accessed 12 Feb 2020 Verheyden T (2019) The analysis of our voices by Google is perfectly acceptable, but not listening in to our most intimate moments without our knowledge. Available via VRT NWS. https:// www.vrt.be/vrtnws/en/2019/07/10/the-analysis-of-our-voices-by-google-is-perfectly-accept able-bu/. Accessed 12 Feb 2020 Vhalos J (2018) Inside the Alexa prize. Available via Wired. https://www.wired.com/story/insideamazon-alexa-prize/. Accessed 08 Mar 2020 Vincent J (2019) Yep, human workers are listening to recordings from Google assistant, too. Available via the Verge. https://www.theverge.com/2019/7/11/20690020/google-assistanthome-human-contractors-listening-recordings-vrt-nws. Accessed 12 Feb 2020 Vinocur N (2019) ‘We have a huge problem’: European regulator despairs over lack of enforcement. Available via Politico. https://www.politico.eu/article/we-have-a-huge-problem-euro pean-regulator-despairs-over-lack-of-enforcement/. Accessed 24 July 2020 Walker D (2021) What is data processing. Available via IT Pro. https://www.itpro.co.uk/businessoperations/31681/what-is-data-processing. Accessed 10 Mar 2021 Westin AF (1967) Privacy and freedom. Atheneum, New York Wu A (2019) How chatbots and voice assistants will be affected by data privacy laws. Available via Adweek. https://www.adweek.com/digital/how-chatbots-and-voice-assistants-will-be-affectedby-data-privacy-laws/. Accessed 4 Apr 2020 Zorz M (2017) European businesses not seeking help from the security industry ahead of GDPR. Available via HelpNetSecurity. https://www.helpnetsecurity.com/2017/05/04/mssp-gdpr-com pliance/. Accessed 12 Feb 2020 Zuiderveen Borgesius FJ (2016) Singling out people without knowing their names – behavioural targeting, pseudonymous data, and the new data protection regulation. Comp Law Secur Rev 32 (2):256–271. https://doi.org/10.1016/j.clsr.2015.12.013. Accessed 5 Apr 2020

Chapter 21

3D Printing: Clarifying Legal Principles and Concepts Geraint Howells, Christian Twigg-Flesner, and Chris Willett

Abstract Three-dimensional (3D) printing has the potential to have a major impact on how consumer goods are produced. It raises important legal questions about the status of software and new legal actors such as 3D printing services and platforms. It also might blur the line between a hobbyist and a trader. The paper argues that reflecting on these issues may need some legal rules to be clarified, but that the existing consumer protection values should continue to inform the law’s development. If anything, the consumer might be in a more vulnerable position compared to when purchasing traditionally produced goods, and in particular the responsibilities of platforms need to be evaluated.

1 Introduction In this contribution, we explore the legal issues relating to three-dimensional (3D) printing. After explaining what 3D printing involves, we draw upon our earlier work to summarise the case for maintaining a preference for a legal regime that protects consumers using 3D printing in line with the established consumer protection values. However, we argue that the issues raised by 3D printing should be the occasion to test existing legal doctrine to see if any modifications are necessary.

G. Howells (*) NUI Galway, Galway, Ireland University of Manchester, Manchester, UK e-mail: [email protected] C. Twigg-Flesner School of Law, University of Warwick, Coventry, UK e-mail: [email protected] C. Willett University of Essex, Colchester, UK e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_21

509

510

G. Howells et al.

These arguments are expanded in our earlier work, but this paper is able to take account of the law as updated by the Digital Content Directive.1

2 What Is 3D Printing? 3D printing involves a manufacturing process known as ‘additive manufacturing’ or ‘additive layer manufacturing’. Several different technological processes are grouped together under this heading, with the common feature being that the item is made by very thin layers being built up on top one of the layers already ‘printed’. In order to make an item using an additive manufacturing process, its design is therefore divided into very thin layers so it can be created using a ‘3D-printer’.2 The item to be printed is designed on a computer. A computer-aided-design software (a ‘CAD-file’) holds all the instructions so a 3D printer can produce a tangible item. A 3D printer interprets the CAD file to make the physical item. Various materials can be utilised, particularly plastic and certain metals. Some advanced 3D printers can make items using more than one type of material. A recent innovation, so-called four-dimensional (4D) printing, allows a 3D structure to transform itself using as its energy source heat, water, sound or vibration. 3D printing technology is already well established in an industrial setting, e.g. for prototyping or for manufacturing customised components,3 and more recently, basic 3D printers have become available on the consumer market.

3 Consumer Protection Values What should the technological changes mean for the underpinning values of consumer law, and what, in turn, should this mean for doctrine? ‘Values’ in this context mean ideas as to the general approach to take to the level of consumer protection: in particular, how concerned (or not) should one be about the risks facing consumers or how much or little should one focus on consumer vulnerabilities (in information processing, bargaining strength, loss-bearing abilities etc.). Consumer law can be explained in terms of a tension between rules based on a need ethic (emphasising protecting consumers from their vulnerabilities) and rules based on an ethic that emphasises both business self-interest (e.g. to maximise their profits, minimise their responsibilities) and consumer self-reliance (e.g. to protect

1

Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services: OJ 2019 L136/1. 2 For an explanation of various methods and applications (types of material and end-product), see Barnatt (2014), ch. 2. 3 Sculpteo (2017), p. 19, notes strong growth in the market.

21

3D Printing: Clarifying Legal Principles and Concepts

511

their interests by informing themselves of risks and negotiating better deals with the business).4 In relation to consumer private law rules on goods, the need ethic manifests itself typically in strict (or at least quasi-strict) tort liability being imposed on producers for ‘defective’ products causing injury or property damage,5 as well as strict contractual law liability for front-line suppliers as regards quality, fitness for purpose and compliance with description, model or sample.6 These quasi-strict and fully strict liability regimes indicate an underpinning need ethic that recognises the relative vulnerability of the consumer. Traders, it is assumed, can absorb their liabilities (e.g. through insurance) or distribute them among all customers (e.g. through small price rises). However, consumers have limited capacity to absorb economic losses caused by defective goods,7 and defective goods may have a significant effect on the private life of the consumer. The strict and quasi-strict liability standards are also based on a need ethic in that they recognise that consumers often struggle to protect themselves by the exercise of self-reliance. As consumers are not expert ‘repeat players’, they would not think to bargain for express (strict liability) commitments as to quality/safety. Even if they did, the need-oriented view is that that they would usually not be successful: individual consumers are usually neither sufficiently important to traders nor able to match traders’ bargaining sophistication and experience.8 The risks to consumers may actually be exacerbated by 3D printing innovation. New technical and business models bring new and less well-known risks of failure. There may be a high risk of defective products emerging if the platforms and shops using these commercial printers are not experienced producers, with special expertise in the code, printer, physical materials or the overall process, and these problems are perhaps even more likely in the case of home printer users. The risks may also be increased by the inexperience of hobbyist consumer producers, who write the occasional CAD file code. So it appears that the risk of poor quality and unsafe goods may increase with 3D printing. In our opinion, this reinforces the importance of the need ethic as an underpinning value. There is no reason to suppose that consumers are anymore able to absorb losses caused in the 3D printing market than they are in markets generally: they are no better placed to insure against economic losses, no less likely to suffer consumer surplus losses (distress, inconvenience etc.) when they buy goods produced and supplied in innovative ways such as via 3D printing. Consumers are also not in a position to protect themselves as they will be relatively uninformed about new risks of detriment posed by these innovative technologies.

4

Willett (2018), p. 179. Product Liability Directive (85/374/EEC): OJ 1985 L 210/29. 6 Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of goods, OJ L136/28 arts 6–7. 7 Willett (2007), pp. 99–100. 8 Brownsword (2006), pp. 79–85 and Willett (2007), pp. 39–46. 5

512

G. Howells et al.

In innovative markets such as 3D printing, there is just as much and probably more reason (than in markets generally) to adhere to the need ethic. The case for legal protection is especially strong in relation to safety concerns. It may be argued that legal liability can have a chilling effect on innovation: however, we believe there should be very strong evidence of a likely chilling effect before it is decided to lower standards to encourage innovation. One also needs to bear in mind that clear liability rules provide enhanced certainty to all operators in the market and facilitate obtaining insurance cover for traders. A values-driven approach recognises that legal doctrine does not exist in a vacuum. It is at least partly shaped by underpinning values, which in our context includes the need ethic that responds to consumer vulnerability.9 It may be that in order to adhere to important underpinning values in times of technological change, there may still be a possible need for doctrinal changes. The advantage of having examined issues from a value-driven perspective (rather than focusing purely on doctrinal tradition) is a greater awareness of the policy choices that need to be made. The law on consumer goods10 is currently based on the need ethic, and there is a strong case for adherence to the values of the need ethic. It is wrong to underestimate perennial risks and consumer vulnerabilities and to ignore the possibility that these risks and vulnerabilities will be exacerbated by the new conditions. The risks are at least as high as before, and consumer vulnerabilities are at least as significant. We consider the threats to innovation of a law reflecting this need ethic should not be overstated. The law can respond to the issues raised by 3D printing in a way that addresses the novel elements and continue to reflect the need ethic through clarifications and modest extensions, but on occasion it will need to deviate from doctrinal tradition, e.g., by imposing liability for quality or safety problems on supply network members who would not be liable for this, or anything analogous to this, under traditional doctrine.

4 Legal Issues There are five particular issues to consider: (i) the use of 3D printing in the commercial production of goods, (ii) the basis for liability for problems related to designs in CAD files, (iii) the potential liability of commercial operators that produce a printed item based on a CAD file, (iii) the blurred boundary between commercial and non-commercial (hobbyist) operators and (iv) whether some of the potential liability gaps created by the very significant role played by hobbyists in this market merit the introduction of some form of network liability. Of these, the first issue is relatively unproblematic. If 3D printing is used as part of the production process, it is

9

Willett (2018) above note 5. I.e. contract, tort and product safety rules applicable to the goods, services or digital content that may play a role in the 3D-printing market. 10

21

3D Printing: Clarifying Legal Principles and Concepts

513

the same as the use of any other equipment in the production process, and liability for the final product will follow traditional liability rules. We will not address this further. The second issue concerns the liability regime to be applied to CD files— the software debate. The third issue refers to when a commercial outfit offers its 3D printing service to produce goods from a third-party-designed CAD file. It raises the question of whether the printing is merely a service or if the printer operator should take more responsibility for the final product. The fourth issue relates to where the boundary is fixed for imposing consumer protection rules on operators based on their business status. The final issue is the most provocative as it questions whether this new environment actually needs new forms of liability to ensure that consumer protection can be enforced in this fluid environment.

5 Software/Digital Content Liability We are concerned here with liability originating from a CAD file when a consumer buys, or acquires, the CAD file in a separate transaction and then either creates the physical product on their own 3D printer or has someone else, such as a professional 3D printing service, print the product for them. The CAD file might be problematic because of a flaw in the design recorded in the CAD file or due to a problem with the CAD file becoming corrupted. Arguably, it would properly reflect the need ethic for there to be strict liability in both contract and tort in such circumstances. When a defective file causes the printed product to be defective, consumers have the same limited abilities to bear losses as with any defective product, meaning the same limited ability to be protected against such losses through self-reliance (e.g. by negotiating express guarantees pre-contractually), and the risks of CAD files leading to defective end products are just as high as with any technology, perhaps higher given the new nature of the technology. There do not seem to be any special reasons for not imposing such liability. The market does not provide reputational signalling, there is no strong evidence of regulatory chilling that would result from liability being imposed and there would appear to be no reasons why commercial digital content writers could not make the same assessments of risk as producers of goods. It is likely that some industry interests will argue that strict liability for code may threaten the development of an innovative industry. There have indeed already been moves to create a new form of liability reflecting traditional sales law but adapted to the needs of digital products such as CAD files. The UK led the way with the Consumer Right Act 2015, which has a specific chapter on the supply of digital content.11 This imposes strict liability obligations analogous to those for goods, i.e. supplying digital content of satisfactory quality and fit for any

11

See Part 1, ch. 3 Consumer Rights Act 2015 (ss. 33–47).

514

G. Howells et al.

particular purpose made known.12 The EU has also now adopted Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services.13 This follows the model of the recently revised Consumer Sales Directive14 in specifying both subjective and objective aspects of conformity that are adapted to the digital environment; also, the concept of incorrect integration is used instead of installation.15 Similar remedies of cure, price reduction and termination are available as for consumer goods, with the preference being for cure in the first instance.16 The Digital Content Directive makes it clear that the rules cover ‘any tangible medium which serves exclusively as a carrier of digital content’.17 The issue of CAD files is directly addressed in recital 26, which makes it clear that the Directive should also apply to the supply of electronic files required in the context of 3D printing of goods, to the extent that such files fall under the definition of digital content or digital services within the meaning of this Directive. However, it is also made clear that the Directive should not regulate any rights or obligations related to goods produced with the use of 3D printing technology. These developments in the law involve a relatively modest doctrinal extension: in that contractual suppliers are made strictly liable not only (as previously) for qualitatively defective goods but also (by analogy) for qualitatively defective digital content. So while the approach taken can be said to be a value-driven approach in that the changes manage to ensure that the law responds to innovation by retaining an underpinning ethic of need, this is achievable here without a radical deviation from doctrinal tradition. The practical result is that consumers have recourse where a CAD file to be used for 3D printing has shortcomings with regard to the quality and fitness for the purpose of the design or the integrity of the file itself. However, this leaves unresolved at least some instances where, for example, a CAD file supplied to a consumer leads to the consumer producing (on a home printer) a product that causes injury. Now, of course, in many cases consumers will be able to claim for the injury based on there being a breach of the (above-discussed) strict liability contractual conformity obligations owed by the supplier: if the condition of digital content is such that it makes the finally produced goods unsafe, this will normally mean that this digital content (the CAD file) is of unsatisfactory quality. However, this form of recourse will not be available to the consumer injured by the finally produced goods where the supplier of the CAD file has since become insolvent, and it will not be available where the party injured by the defect did not actually buy the goods under a contract with the supplier but, for instance, received it as a gift. Equally, bystanders

12

Sections 34 and 35 Consumer Rights Act 2015. OJ 2019 L136/1. 14 Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of goods, OJ L136/ 28. 15 Arts. 8–10. See Twigg-Flesner (2020). 16 Arts. 14–18. 17 Art. 3(3). They are likewise excluded from the Consumer Sales Directive: art. 3(4)(a). 13

21

3D Printing: Clarifying Legal Principles and Concepts

515

injured by the goods will not have contractual rights. In such cases, it will be important to know whether there is strict (tort-based) product liability on the producer. In this connection, in particular, there is the question of whether a CAD file (or indeed any form of digital content) is a ‘product’ for the purpose of strict (tort) product liability law. There is no clear answer to this.18 Indeed, product liability law has long remained unreformed, but the need to address issues relating to the digital age may be a spur for it to be seriously reviewed.19 It would therefore be desirable to clarify/extend the current product liability regime such that it clearly applies to digital content,20 which would mean that a CAD file would be treated in the same way as a product. So there would be strict tort product liability, for instance, in cases where a consumer acquires a CAD file that causes a home-printed item to be defective and leads to injury. This is a position advocated by many scholars21 and indeed implemented by some product liability regimes.22 However, this is not a radical change but merely clarifies that the software falls under the same rules as products generally. As with introducing strict contract liability, the introduction of a strict tort liability for digital content (including CAD files) would be value driven (responding to innovation by retaining an underpinning ethic of need). Yet, also, as in the case of contract law reform, this would be achievable without radically departing from doctrinal tradition: producers are already strictly liable in tort for tangible products, and all that is proposed is to make them liable by analogical extension (or perhaps even clarification) for digital content.

6 Status of 3D Printing Services 3D printing services are likely to develop to allow a consumer to have the physical item printed from a CAD file, which they have created themselves or obtained from a third party. Under the Consumer Sales Directive, ‘Contracts between a consumer and a seller for the supply of goods to be manufactured or produced shall also be deemed sales contracts for the purpose of this Directive’.23 The previous Consumer

18

See Whittaker (2005), p. 477. There is an indication that this issue will be addressed by the European Commission in due course: see European Commission, Artificial Intelligence for Europe COM (2018) 237 final, p. 15. But no reform seems imminent. 20 Cf. European Parliament Resolution of 3 July 2018, Three-dimensional printing: intellectual property rights and civil liability, paras 11–12. 21 For a discussion see inert alia, Whittaker (1989), p. 125; Alheit (2001), p. 188; Howells et al. (2017), pp. 183–195. 22 Under the Australian Consumer Law goods includes software, Sched. 2 S.2. 23 Art.3(2). 19

516

G. Howells et al.

Sales Directive (99/44/EC)24 had absolved a seller from liability for non-conformity where ‘the lack of conformity has its origin in materials supplied by the consumer’.25 This might have allowed the 3D printing service to avoid liability where the file had been supplied by the consumer. However, the 2019 Directive instead merely gives Member States the freedom to require consumers to be warned about the suitability of materials supplied by the consumer. This does not seem to affect the substantive obligations, although as we note, suppliers may be able to fashion the expectations of the consumer by appropriate warnings. It might seem unfair to impose strict liability for what is essentially a service provided by a 3D printing site where reasonable care is the normal standard. However, there should be fewer objections in this context as the only task is to properly follow the instructions on the CAD file and use correct materials and processing procedures. This may be particularly true when the final product can be checked. It might nevertheless be considered harsh (and potentially to chill innovation by discouraging businesses from offering this sort of service) to impose liability on a printing service for defects that have their origin in a CAD file acquired elsewhere by the consumer, or even written personally by them. This is, of course, not dissimilar to the plight of sellers generally, which may not have knowledge of the design and no ability to quality control products but are nevertheless strictly liable for their defects.26 Nevertheless, the problem is probably manageable under the strict liability standards in such a way as to protect the trader through the modification of consumer expectations. The core strict liability standards27 can be modified by the supplier noting that any particular characteristic was deviating from the normal standards. This might allow the 3D printing service to put forward a defence where they had agreed to produce in accordance with the CAD file but were not vouching for the quality of the final product. However, reference in the Consumer Sales Directive to a defence related to a specific deviation from the objective requirements for conformity may prevent such a general disclaimer. In any event, the consumer must agree to this.28 What of strict (tort) liability for a product that is defective in the sense of actually being unsafe? In such cases, the 3D printing service would also be a producer for the purposes of the Consumer Protection Act 1987 (as someone who ‘makes’ goods using the code and the printer) and, therefore, liable under the strict tort product liability regime to

24 Directive 1999/44/EC on certain aspects of the sale of consumer goods and associated guarantees: OJ 1999 L 171/12. 25 Art. 2(3) Consumer Sales Directive (99/44/EC). 26 Sellers have recourse against manufacturers in a way printing services may not if the CAD file is produced by the consumer, though they may also have redress against a third party CAD-file supplier. 27 Arts. 6 and 7. 28 Art.7(5).

21

3D Printing: Clarifying Legal Principles and Concepts

517

the injured (non-contracting) consumer.29 The service supplier/producer may again try to warn the consumer that all that can be expected in terms of safety is what is written in the CAD file—with whatever flaws this may contain. Although producers can modify consumer expectations of safety in the product liability context, given that the right to physical safety deserves higher protection than the right to quality, it seems likely that the courts would insist upon a basic threshold of safety in such cases and hold the supplier/producer liable for failure to meet this notwithstanding any warnings given based on the CAD file. Need-based strict liability solutions appear entirely appropriate in this context. From the consumer’s perspective, the situation does not differ a great deal from the purchase of an already manufactured item. Consumer vulnerabilities to defective outcomes remain the same for these as for any other products, and there appears to be no greater prospects for consumer self-reliant protection than in other contexts. Furthermore, there is no evidence that in this situation the market solves problems via especially fierce competition between businesses offering this sort of service or through novel techniques such as especially strong reputational signalling. It is true that 3D printing service providers may not engage in mass production so that there is less scope to internalise costs, and this might have a chilling effect. However, though each product is made individually to order, there can be many orders for some particular products, and the 3D printing process itself will be a regular activity for the business. Moreover, small-scale production should not be a reason for accepting a lower level of consumer protection. There is no evidence that liability is having a chilling effect on the development of the 3D printing industry. Such arguments are easily made but hard to prove and run counter to the rationales for protection.

7 Threshold for Business Liability Strict liability rules are normally only imposed on professional sellers where there is typically a considerable imbalance of power and resources between consumer and professional, justifying a need-oriented consumer protection regime. In contrast, individuals not acting commercially are normally only liable for express commitments or where negligent. The digital revolution and sharing economy are disruptive as they allow individuals to compete with traditional forms of commerce. While 3D printing services are mainly commercial operations, the 3D printing economy does give individuals more options to become CAD-file designers and, eventually, producers of finished items (especially once more sophisticated 3D home printers become available).30

It goes without saying that the regulatory consumer safety laws should apply to the final products produced, especially the powers to take remedial action. 30 Anderson (2013). 29

518

G. Howells et al.

The question then is what is to become of the need ethic in these circumstances. The risks of defects are possibly even higher with hobby designers, producers and sellers involved. The consumer customer is as vulnerable as ever in terms of having limited resources to absorb losses. However, another key justification for the need ethic is power imbalance. Professional producers and suppliers are better placed to protect their interests by quality control, by bargaining and perhaps by issuing warnings to consumers that may restrict their responsibilities. They typically have the resources to absorb the losses they suffer when required to provide remedies to consumers. In the 3D printing economy, there are more opportunities for individuals to come closer (than hobbyists in the ‘old’ economy) to looking like professionals: e.g. in terms of level of profit, capacity to bear losses etc. This poses a challenge for the law. The Consumer Sales Directive imposes strict contractual liability on a ‘seller’, defined as ‘any natural person or any legal person, irrespective of whether privately or publicly owned, that is acting, including through any other person acting in that natural or legal person's name or on that person's behalf, for purposes relating to that person's trade, business, craft or profession, in relation to contracts covered by this Directive’.31 Whether a person is carrying on a trade is often assessed by the regularity or volume of transactions entered into by an individual with a view to gaining profit—the greater the regularity and volume are, the more likely the activities are to be considered to be related to trade, business etc.32 Yet the effect of digital technology is such that an individual who has designed a CAD file for an item and offers this for purchase via a website for a few pounds might suddenly ‘sell’ that file many times over.33 If demand for a CAD file goes viral, someone might be converted into a trader (by events outside their control) after they had completed their act of supply. A more nuanced approach to regularity might be required, whereby the questions would be how often the ‘hobbyist’ in question actually takes steps to supply designs (e.g. how regularly they post files), what evidence there is of marketing or advertising to promote sales and whether the hobbyist posts and promotes different designs. These indicatively business patterns of behaviour might justify the imposition of strict liability, not least because regular engagement is likely to bring greater experience and therefore perhaps more awareness of the need to self-protect, e.g., by insuring against liability to consumers. Also, of course, larger

31

Art.2(3) Directive 2019/771/EU. There has been recent CJEU guidance for determining in the context of EU law whether activities are of a business nature. These do not mention explicitly the factors suggested here in the text but are certainly broad enough to encapsulate them: in particular whether transactions are carried out in an organised manner; whether they are intended to generate profit; whether the seller has relevant expertise that the buyer lacks; the legal status of the seller; whether the seller received remuneration or another incentive for conducting transactions; whether the seller purchased new or second hand goods to re-sell them; and whether the goods were al of the same type (C-105/17 Komisia za zashtita na potrebitelite v Evelina Kamenova ECLI:EU:C:2018:808 (judgment of 4 October 2018), paras [38]–[40]. 33 Osborn (2014), pp. 553, 573. 32

21

3D Printing: Clarifying Legal Principles and Concepts

519

profits are likely to be generated enabling the suppliers to absorb the costs of providing remedies to consumers if things go wrong. So there is a case for providing some form of clarification that elaborates on the statutory test to include these sorts of criteria. This might be achieved by guidance that would involve not doctrinal disruption, but rather a simple clarification to adapt the legal standard to the new conditions of this particular aspect of the digital economy. Under strict product liability, a producer has a defence only where they are not acting in the course of a business or with a view for profit.34 So the defence is unavailable where a product is distributed with a view to gaining profit even if the producer does not act like a business in any of the other ways discussed above (e.g. no regularity of production and supply, no advertising and promotion etc.). This might be considered a harsh outcome for a hobbyist who designs a file or makes a product only once for profit and is unlucky enough for there to be a defect and for someone to be injured. However, this has always been the case for products in general under this regime. If the current approach is maintained, there may be a case for an education campaign to inform hobbyists of the risks involved.

8 Network Liability There may still be some suppliers in the 3D economy to whom strict liability rules do not attach. So what can be done to fill the potential strict liability gap and retain a strong need ethic? A solution might be a type of ‘network’ liability, fixing parties in the production and supply network with liabilities they would not traditionally have, to plug gaps caused by the presence of non-professional hobbyist sellers and producers. One form of network liability could involve extending the liability of the printing service/producer: to include liability for pure quality defects. Beyond this, the role of platforms should be considered. Platforms also play an important role in the 3D printing economy. Could the platform be made strictly liable for the safety and/or quality of the goods? It would certainly be a somewhat radical deviation from doctrinal tradition; as such, selling intermediaries do not traditionally bear any sort of responsibility for the quality or safety of goods. However, this doctrinal innovation may be required in order to help ensure that the law continues to reflect the need ethic by filling the gap caused by the lack of liability of hobbyist sellers/producers. In particular, it would also channel liability towards a party with better resources and the ability to obtain insurance cover in respect of such liability. The platform party may ‘only’ be an intermediary, but they clearly benefit from their position in the network. Network liability would not be a complete leap into the unknown, of course. There is, of course, the well-known example of connected lender liability in consumer credit law. This imposes liability on some creditors, such as a credit card

34

S. 4(1)(c) Consumer Protection Act 1987.

520

G. Howells et al.

company, which is concurrent to that of a seller of goods or supplier of services to consumers, and allows consumers to have recourse against the credit card company on the same terms as against the seller/supplier.35 Likewise, tour operators have been made liable for the acts of the parties providing services under the contract.36 However, it is more likely that the platforms will simply have to follow increased information rules. For instance, the Consumer Rights Directive37 has had a new art. 6a inserted by the Consumer Law Better Enforcement and Modernisation Directive,38 which requires a platform on the basis of a third-party declaration to state if a supplier is a trader or not and, if not a trader, to explain that European consumer law rights might not apply. Unfortunately, the new Directive does not provide for any guidance as to how that distinction should be applied beyond the general definitions of ‘trader’ and ‘consumer’.

9 Conclusions 3D printing has the potential to disrupt traditional manufacturing and distribution practices. However, the consumer protection needs of consumers remain constant, and some aspects of 3D printing may even increase risks as more non-professionals or parties with limited experience of 3D printing become involved in the production process. Therefore, the case for strict liability remains valid, and consumer protection may even call for some new forms of liability to capture the significance of the supply network and the crucial role of platforms. In addition, the new developments may make it more urgent for the law to determine the liability regimes for software and the correct dividing line to distinguish between a mere hobbyist and a trader. These are issues that are long overdue for review. The law can be updated without discarding its core values. Acknowledgment This chapter draws upon and updates the authors earlier work (Howells et al. 2019).

35

Directive 2008/48/EC on credit agreements for consumers and repealing Council Directive 87/102/EEC: OJ 2008 L133/66. 36 Directive (EU) 2015/2302 on package travel and linked travel arrangements, amending Regulation (EC) No 2006/2004 and Directive 2011/83/EU of the European Parliament and of the Council and repealing Council Directive 90/314/EEC: OJ 2015 L 171/12. 37 Directive 2011/83/EU on consumer rights: OJ 2011 L304/64. 38 Directive (EU) 2019/2161 as regards the better enforcement and modernisation of Union consumer protection rules: OJ 2019 L328/7.

21

3D Printing: Clarifying Legal Principles and Concepts

521

References Alheit K (2001) The applicability of the EC product liability directive to software. Comp Int Law J South Afr 34:188 Anderson C (2013) Makers – the new industrial revolution. Random House Barnatt C (2014) 3D printing, explaining the Future.Com, 2nd edn., ch. 2 Brownsword R (2006) Contract law: themes for the twenty first century, 2nd edn. Oxford University Press, Oxford European Commission (2018) Artificial Intelligence for Europe, COM 237 final, p 15 European Parliament Resolution of 3 July 2018, Three-dimensional printing: intellectual property rights and civil liability, paras 11–12 Howells G et al (2017) Product liability and digital products. In: Synodinou T et al (eds) EU internet law: regulation and enforcement. Springer Nature, pp 183–195 Howells G et al (2019) Protecting the values of consumer law in the digital economy: the case of 3D-printing. In: Franceschi De A, Schulze R (eds) Digital revolution – new challenges for law. Beck, Nomos, pp 214–243 Osborn LS (2014) Regulating three-dimensional printing: the converging world of bits and atoms. San Diego Law Rev 51:553, 573 Sculpteo (2017) The state of 3D printing, p 19 Twigg-Flesner C (2020) Conformity of goods and digital content/digital services. In: Arroyo Amayuelas E, Cámara Lapuente S (eds) El Derecho privado en el nuevo paradigma digital. Marcial Pons Whittaker S (1989) European product liability and intellectual products. LQR 105:125 Whittaker S (2005) Liability for products. Oxford University Press, p 477 Willett C (2007) Fairness in consumer contracts. Ashgate, Aldershot Willett C (2018) Re-theorising consumer law. Camb Law J 77:179

Chapter 22

Private Law Considerations in the Context of Apps’ Distribution via App Stores Ioannis Iglezakis, Vasiliki Samartzi, Ria Papadimitriou, and Evgenia Smyrnaki

Abstract Mobile applications (mobile apps or apps) underpin the use of mobile devices as phones, tablets, or watches and enable users to take advantage of the benefits of mobile technology. The ubiquitous nature of apps makes their commercial exploitation immensely important for their owners. The commercial exploitation of apps is dictated by private law, which is traditionally informed by notions of autonomy and freedom of contract. Accordingly, this chapter identifies the role of the various stakeholders involved in the distribution of apps and examines the legal relations formed among them. The focus for the legal interpretation of the relations formed between the stakeholders and for the contract typology classification is both on app stores as online platforms—marketplaces—and on the end user (consumer). The terms and conditions used by app stores, their organizational structure, the types of apps “sold” or “licensed” and the payment methods applied are examined. In terms of exploitation of intellectual property rights (IPRs), this chapter discusses copyright in apps that can be exploited by means of licensing or assignment, while technological protection measures (TPMs) and Creative Commons licenses are also considered. Restrictive license terms used in the context of app distribution are also discussed. The chapter concludes that the existing legal framework is inadequate to deal with the triangular relationships formed and restrictive license terms, and thus there is a need for a proper legal regulation of app distribution via app stores.

This chapter is based on the research project “Legal Issues related to the development, making available and use of mobile applications” (MIS 5004703) of Operational Program ‘Human Resources, Development, Education and Lifelong Learning’ – NSRF 2014-2020, which is co-financed by the ESF and national funds. I. Iglezakis (*) · V. Samartzi · R. Papadimitriou · E. Smyrnaki Faculty of Law, The Aristotle University, Thessaloniki, Greece © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_22

523

524

I. Iglezakis et al.

1 Introduction Mobile applications (hereinafter “mobile apps” or “apps”) are for the information industry what oil was for the industrial revolution. Apps are computer programs specifically designed for mobile devices such as mobile phones, tablets, or watches. Since they were first launched in 2008, they have found widespread application and are now used not only for general productivity, information retrieval, email, and other auxiliary services but also for purposes normally handled by desktop application software packages.1 These include also many popular uses of mobile devices such as social networks, gaming, listening to radio and/or music, and watching videos. Mobile devices are equipped with apps that come as preinstalled software, e.g., web browsers, email client, calendar, maps, music player, etc. Apps that are not preinstalled are available through particular distribution platforms, i.e. app stores. These are managed by the proprietor of the operating system, such as Apple App Store,2 Google Play Store,3 Microsoft Store,4 Amazon Appstore5 and BlackBerry World,6 but there are also independent app stores, such as Cydia,7 F-Droid,8 Opera Mobile Store,9 etc. However, the most important app stores are the first two. The existence of app stores has contributed greatly to the development of the mobile app market since an app store has greater capacity to connect users to apps compared to independent software providers, whereas it provides security of transactions, allowing users to trust a platform from a renowned company such as Google or Apple. There are different types of mobile apps, depending on the platform on which they run; in particular, apps that are used on a particular operating system, such as Android or iOS operating systems, are called native, while hybrid apps are those developed to be used across multiple platforms, and web-based apps are hosted on the web and do not require installation, that is, they do not need to be downloaded from Apple App Store or Google Play Store. Apps offered on different platforms are either free or sold at a price lower than ordinary software. Apps, however, may cost a different price when sold on different mobile platforms. Consumers are divided as to the purchasing of apps as many only download free apps, whereas others pay for quality apps with more features than

1

https://en.wikipedia.org/wiki/Mobile_app. https://www.apple.com/ios/app-store/. 3 https://play.google.com/store. 4 https://www.microsoft.com/en-gb/store/apps/windows?source¼lp. 5 https://www.amazon.com/gp/mas/get/android/ref¼get_appstore?ie¼UTF8&ref_¼mas_rw_ldg. 6 https://appworld.blackberry.com/webstore/?countrycode¼GR&lang¼en. 7 https://cydia-app.com. 8 https://www.f-droid.org. 9 http://html5.oms.apps.bemobi.com/en_gr/. 2

22

Private Law Considerations in the Context of Apps’ Distribution via App. . .

525

those offered for free. App developers that offer free mobile apps gain revenue from in-app advertising or from in-app purchases. The mobile app ecosystem is considered today as one of the biggest industries.10 The number of mobile app downloads amounted to 197 billion in 2017 and is predicted to rise up to 352.2 billion in 2021.11 The number of apps available is also rising exponentially. The iOS App Store had only 500 apps on its launch, while in January 2017 it offered 2.2 million apps. The Android App Store, i.e., Google Play, experienced more growth than the iOS App Store and reached three million apps by June 2017. The revenue from end users was forecast to increase from 10.3 billion dollars in 2013 to 25.2 billion dollars in 2017.12 As a new information technology (IT) product, mobile apps raise various legal issues related to their commercial exploitation, which are similar to some extent to those related to computer software, but also present certain peculiarities. In this chapter, some of the main legal issues related to the commercialization of mobile apps, found in the private law sphere, will be scrutinized, mainly from an end-user perspective. In particular, in Sect. 2 attention will be ascribed to important contract-law related issues, whereas in Sect. 3 copyright-law related matters will be furthermore discussed. Finally, in Sect. 4 the authors will bring forward their concluding remarks.

2 Mobile Apps and Contract Law Considerations: Distribution of Apps Through App Stores Apps are classified as a type of digital content.13 They are mainly sold online crossborder, a parameter that creates legal uncertainty both for traders and consumers. In order to harmonize basic legal rules and strengthen certainty and trust in cross-border transactions, the European Union (EU) has already enacted directives, such as the Digital Content Directive,14 the E-commerce Directive,15 and the Consumer Rights

10

http://www.businessofapps.com/data/app-statistics/. https://www.statista.com/statistics/271644/worldwide-free-and-paid-mobile-app-store-down loads/. 12 Ghose and Han (2014). 13 Recital 19 Consumer Rights Directive 2011/83/EC: “Digital content means data which are produced and supplied in digital form, such as computer programs, applications, games, music, videos or texts, irrespective of whether they are accessed through downloading or streaming, from a tangible medium or through any other means. . .”. 14 Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services, OJ L 136. (‘Digital Content Directive’). 15 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ L 178. 11

526

I. Iglezakis et al.

Directive.16 More specifically, the recently adopted Digital Content Directive aims to mitigate risks arising from the complexity of the legal framework. These directives provide for specific obligations for the traders and respectively for specific rights for the consumers. Member States are the ones that need to implement these legal instruments in their national laws. It shall be noted, though, that the EU legislator does not intend to interfere with national contract law and determine whether a contract is to be considered as a sale of goods contract, service contract, rental contract, or sui generis contract.17 This part of the chapter focuses on the contractual relationships formed when apps are sold, distributed, or accessed.

2.1

Key Actors in the Distribution of Apps

The distribution of an app involves the contribution of various actors,18 including but not limited to (a) network providers, providing access to the Internet and web platforms; (b) hosting providers (where applications, platforms are hosted); (c) platform providers (i.e., app stores), which include either (i) platforms used by programmers to develop apps locally on their devices or in the cloud or (ii) mobile app distributors/stores (e.g., Apple App Store, Google Play Store, Microsoft Store, BlackBerry World, etc.); (d) app provider-intellectual property owners (who may be the developer himself/herself or a person/entity having outsourced the services of a developer); (e) app developers-designers (in case the app provider-intellectual property owners have outsourced the services of a developer); (f) end users (consumers) (who interact directly with the app store and download/are granted access to the app that has been uploaded or made available by the app provider). For the purposes of this chapter and due to space limitation, the authors will examine the contractual relationship of the two main actors, that is, the app store (i.e., platform provider as per the categorization of the stakeholders above) and the app provider (i.e., intellectual property owner as per the aforementioned categorization), both between them and between each one of them and the consumer/end user of the app.

16 Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council, OJ L 304. 17 See Digital Content Directive, Recital 12: “This Directive should also not determine the legal nature of contracts for the supply of digital content or a digital service, and the question of whether such contracts constitute, for instance, a sales, service, rental or sui generis contract, should be left to national law.” 18 Baumgartner and Ewald (2016), pp. 31–32. See also Solmecke et al. (2013), p. 25 et seq., Niemann and Paul (2014), p. 160 et seq.

22

2.2

Private Law Considerations in the Context of Apps’ Distribution via App. . .

527

Counterparty of the End User

As already explained, the promotion and sale of apps is conducted via online app stores, such as Apple App Store, Galaxy Store, Microsoft Store, Amazon App Store and Google Play Store, etc., or through web pages (with the app stores being the most popular way, though). App stores are online platforms operating as marketplaces19 (therefore, the terms “app stores,” “app markets,” and “online platform”/ “platform provider” are used interchangeably in this chapter) where each app has its own page. The European Commission has defined a platform as “an undertaking operating in two (or multi)-sided markets, which uses the Internet to enable interactions between two or more distinct but interdependent groups of users so as to generate value for at least one of the groups.”20 The app is uploaded by the app provider, and the user can use the search engine of the app store to find apps of his/her choice. On each app page, the user is informed mainly about the app provider, the general and special characteristics and the price of the apps, and reviews from other users of the apps. The whole process of purchase (order, payment, downloading) is concluded via the app store. First, in order to download an app, the user has to register with the app store without any charge (as is the case in most app stores) and be granted access to its technical infrastructure and content. The app store provides the user with a service by offering access to its online environment, hosted on its own servers. Therefore, it has been argued that the legal relation between the app store and app provider and the consumer/end user of the app falls under the concept of services contracts.21 In terms of German private contract law, it has been suggested in particular that this is a mandate contract22 rather than a donation contract.23 The reason is that the app store provides access to a service, which cannot be qualified as ‘goods’ whose ownership is transferred to another party gratuitously.24 The question arising pertains to who the app provider is and who has the burden to comply with relevant consumer laws and can therefore be held liable in case of contract violation or defective performance. In many cases, the app store makes available its own apps, so contractual relations between the two parties (app store and end user) are not difficult to be defined and respectively regulated. However, the existing legal framework has been criticized as inadequate to deal with the triangular relationships created on an online platform environment.25 In between the traditional seller (e.g., app provider) and buyer (e.g., app user) 19

OECD (2019). Jacques Delors Institut (2018). 21 Vorndran (2018), p. 236. 22 Ibid. 23 Ibid. 24 Part H Donation – 1: 101: Contracts Covered, in Principles, Definitions and Model Rules of European Private Law—Draft Common Frame of Reference (DCFR). 25 Busch et al. (2016), p. 4. 20

528

I. Iglezakis et al.

intervenes the online platform provider (e.g., Apple App Store), holding—at least— the role of a mere facilitator of the transaction. App stores have a dominant position in the marketplace, leaving the impression to the end users that they are their actual counterparts and suppliers of the applications or relevant services. After all, app stores do determine the standard terms and other key elements of the contractual relations with app providers and end users and even act as payment service providers.26 However, in their terms and conditions (T&Cs), app stores tend to restrict their roles to mere intermediaries or “agents,” which do not sell or supply services directly to end users. For instance, Apple clearly states in its T&Cs that it does not sell apps directly to the users as it merely holds the role of an agent and that it is “not a party to the sales contract or user agreement” between the consumer/user and the app provider.27 Such or similar written declarations are not the ultimate factor that shall be considered to determine the app store’s legal role, and such terms can be declared invalid for several reasons.28 Indicative is the Uber case, where the T&Cs indicated that “Uber UK is not a party to the Transportation Contract and acts as a disclosed agent for the Transportation Provider in communicating the Transportation Provider’s agreement to enter into the Transportation Contract.”29 However, the Court indicated that Uber is not a mere platform with the purpose to connect, by means of a smart phone app, non-professional drivers with persons who wish to make urban journeys but was instead regarded as being inherently linked to a transport service.30

26

Ibid. Apple Media Services Terms and Conditions: “Apple acts as an agent for App Providers in providing the App Store and is not a party to the sales contract or user agreement between you and the App Provider”. “You acquire Apple Books Content from the third-party provider of such Content (the “Publisher”), not Apple. Apple acts as an agent for the Publisher in providing Apple Books Content to you, and therefore Apple is not a party to the Transaction between you and the Publisher”. 28 An interesting approach has already been made by the respondents in the Apple Inc. (petitioner) v. Robbert Pepper (respondents) even though the case relates to violation of antitrust laws. The respondents indicate that Apple cannot use ‘the agency label to avoid remedy for anticompetitive conduct’. They argue that Apple has control in the relationship between App developers and app users. The prominent role of Apple is supported by the nature of the T&Cs as ‘take it or leave it’, by imposing the policy that all prices ‘end in 99 cents’ and by reserving the right to amend contractual terms any time and at will. See Apple Inc. (petitioner) v. Robbert Pepper et al. (respondents), In the Supreme Court of the United States, Brief for Respondents. 29 Uber Terms and Conditions, Last updated: 14/03/2018, available online at https://www.uber.com/ legal/terms/gb/. 30 CJEU, Asociación Profesional Elite Taxi v Uber Systems Spain, SL, Case C-434/2015, Judgment of 20 December 2017, where it is stated “In addition, Uber exercises decisive influence over the conditions under which that service is provided by those drivers. On the latter point, it appears, inter alia, that Uber determines at least the maximum fare by means of the eponymous application, that the company receives that amount from the client before paying part of it to the non-professional driver of the vehicle, and that it exercises a certain control over the quality of the vehicles, the drivers and their conduct, which can, in some circumstances, result in their exclusion. (40) That 27

22

Private Law Considerations in the Context of Apps’ Distribution via App. . .

529

According to basic principles of contract law, the type of the contract and the relevant duties of the parties are the result of contract interpretation and the assessment of multiple parameters and factors. There is a need to define and interpret the intentions of the parties involved and their statements or conduct.31 In addition, the design of the app store and the technical way of distribution of apps shall also be considered.32 In most cases, the end user qualifies as a consumer, and their legal relationship is therefore subject to consumer law, where it is clearly stated that the consumer shall be informed in clear and comprehensible manner about the identity of the trader.33 So it would be helpful toward role classification to identify who is named as a trader in the relevant section of the official app web page available on the Apple App Store. It shall be noted that academics have suggested that the app store may well be acting as a representative of the app supplier/provider.34 In common law, the principal authorizes the agent to act on his behalf, and the agent agrees to do so. The agent has the authority to legally bind the principal by concluding contracts with third parties.35 In civil law countries, agency is commonly referred to as “representation.”36 Such intent to act on behalf of another shall be evident. Otherwise, the lack of intent on the part of the agent (app store) to act on his/her own behalf is not taken into consideration,37 and as a result the app store could be considered as the trader/direct counterparty to the consumer.

2.3

Trader–End User

The contractual type of the relationship formed between the trader (either app provider or app store) and the end user cannot be predefined but constitutes, instead, the result of a careful analysis of multiple parameters, such as the type of the app, the technical way to acquire the app, the business/payment model, and the offered services.

intermediation service must thus be regarded as forming an integral part of an overall service whose main component is a transport service. . .”. 31 Article 2: 102 “The intention of a party to be legally bound by contract is to be determined from the party's statements or conduct as they were reasonably understood by the other party”. Principles of European Contract Law. 32 Baumgartner and Ewald (2016), p. 49. 33 Article 6, Par. 1b, Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights. 34 Baumgartner and Ewald (2016). 35 Hugh Beale et al. (2010). 36 Acquis Group (2009), p. 205. 37 Ibid. DCFR Chapter 6:106: Representative acting in own name. See also Artikel 164: Wirkung der Erklärung des Vertreters, Bürgerliches Gesetzbuch (BGB), Article 212 of the Greek Civil Code.

530

I. Iglezakis et al.

Both the types of apps available and the payment models vary. Apps may be distributed free of charge where the user downloads them without being charged. If the user can add additional functionalities to the free app under a fee, then the trader has adopted the so-called freemium payment policy. In case of apps offered under a once fully paid fee, the user can download and permanently use the app on his/her device (tablet, PC, cell phone, etc.). In order to acquire additional functionalities inside the paid apps (in-app purchases), the provider may charge extra fees. In case of free apps, the relationship between the trader and the end user could be legally characterized as donation.38 If additional functionalities can be purchased (freemium model), the contract type, as far as the additional functionalities are concerned, is that of sale. Where the user is entitled to use the app by paying a one-time (fully paid-up) fee (remuneration), the contractual relation falls within the framework of the purchase/ sales law.39 The user downloads the app on his/her device permanently and enjoys functionalities he/she has paid for. In case an app offers the possibility of in-app purchases, these shall be treated as different contracts40 and will qualify as either sales or lease, depending on the type of service offered. The approach in the case of cloud or online apps is somehow different. The user simply accesses the app online via his/her browser or downloads an app on his/her device. The downloaded app does not function autonomously. Rather, it serves as a tool to gain access to the online service.41 The use of the app is provided against a periodically or fully paid-up fee (either monthly, yearly, etc.) for a period of time, and thus such a contract may be classified as lease.42 Should access to the service be terminated, the downloaded application loses its functionality. In cases of online and cloud apps, it is advisable to firstly identify the main services offered. It is common that the trader may offer additional services, such as software maintenance, updates, backups, technical support, and helpline,43 which leads to the formation of a mixed contract. While analyzing mixed contracts, it is important to identify the main/ principal contract element that outweighs the others (ancillary services). If the services are of equal value, then the legal provisions pertaining to each separate service shall be applied.44

38

Baumgartner and Ewald (2016), pp. 44–45. Bundesgerichtshof Urt. v. 04.11.1987, Az.: VIII ZR 314/86. 40 Vorndran (2018), p. 114. 41 Baumgartner and Ewald (2016), p. 43. See also, Vorndran (2018), p. 232. 42 Bundesgerichtshof Urt. v. 15.11.2006, Az.: XII ZR 120/04. 43 Solmecke et al. (2013), p. 111. See also Bundesgerichtshof Urt. v. 15.11.2006, ibid. 44 Solmecke et al. (2013), p. 31. 39

22

Private Law Considerations in the Context of Apps’ Distribution via App. . .

531

3 Mobile Apps and Copyright Law Considerations: Commercializing Copyright in Apps Apps are essentially software, graphical user interfaces (GUIs) and application program interfaces (APIs) that are protected by intellectual property rights (IPRs) and, most importantly, copyright, to which the discussion in this chapter shall focus. In their capacity as software, apps are protected under the Software Directive.45 As far as GUIs and APIs are concerned, they are considered copyright content instead.46 As a result, they are protected under the InfoSoc Directive by means of the communication to the public right and, in particular, the making available to the public right of works in such a way that members of the public may access them from a place and at a time individually chosen by them (Article 3(1)).47 App owners, namely both app providers and app stores, want to make the most out of IPRs in apps in terms of IPR exploitation/commercialization. The most important ways of exploiting copyright in apps are by means of licensing or assignment. Other ways of exploiting copyright in works like apps distributed digitally is by means of technological protection measures (TPMs), Creative Commons licenses, and compulsory licenses. As far as app stores are concerned, they are TPM protected, that is, they use technology to prevent users from installing paid apps without paying for them and in general dictate how many devices an app can be installed on, how many copies of an app can be installed at a particular time, etc. With regard to Creative Commons licensed content, it can be generally used within apps on app stores, while compulsory licensing is generally not applicable to the issue under discussion. Via an app store can be distributed the app store’s own apps (native apps) and also third-party apps. A native app is developed by a developer that is at the same time the manufacturer of the device the app runs on or the owner of the website that offers it, while third-party apps are created by parties not affiliated with the device or operating system manufacturer or owner of the website offering the app, such as apps created for the official app stores of Apple and Google by vendors other than Apple or Google. In the case of native apps, the app store itself is the IPR holder, while in the case of third-party apps, the rightholder is the third party developing the app usually in the context of an agreement for the development of software (“developer agreement”). The question of sale versus license is relevant only to the extent that a transfer of a copy of software to the licensee, in either physical or digital form, to the licensee is concerned. In the case of services offered in cloud environments, since the copies of

45

Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs, OJ L 111 (Software Directive). 46 CJEU, BSA v. Ministerstvokulturi, Case C-393/09, Judgment of 22 December 2010; Oracle Am., Inc. v. Google, Inc. (2014) 750 F. 3d 1339, 1364 (Fed. Cir). 47 Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, OJ L 167 (InfoSoc Directive).

532

I. Iglezakis et al.

software remain within the cloud service provider, the cloud contract is neither a sale of goods/service contract nor a software license (see Sect. 2.3 above). Establishing copyright infringement, as opposed to breach of contract, has clear advantages for the rightholder in terms of both available remedies and the regulation of actions of third parties, that is, parties that do not have a contractual relationship with the rightholder. On the contrary, sales or service contracts are effective and might be enforceable only against a party to the contract. The reason is that contracts have an in personam character since they are enforceable only against the parties involved in the contract,48 whereas copyright is a “right against the world” (i.e., in rem),49 granting exclusive rights. The agreements concluded between the app user and the app provider and app market, respectively, explicitly provide that they constitute a license rather than a sale; app markets act as intermediaries, and no assignment of copyright takes place. Although the terms and conditions of several app stores provide that the apps are licensed and not sold,50 the Court in the UsedSoft case, which involved software downloads, held otherwise and stipulated that the term “sale” with the meaning of Article 4(2) of Directive 2009/24 must be given a broad interpretation as encompassing all forms of product marketing characterized by the grant of a right to use a copy of a computer program, for an unlimited period, in return for payment of a fee designed to enable the copyright holder to obtain a remuneration corresponding to the economic value of the copy of the work of which he is the proprietor in order not to enable suppliers to undermine the effectiveness of that provision by simply calling the contract a “license” rather than a “sale,” thus circumventing the exhaustion doctrine.51

3.1

Licensing Arrangements Between Stakeholders

As far as the relationship between the Android app developer and the Google Play Store is concerned, by means of the Google Play Developer Distribution Agreement,52 the developer grants to Google a non-exclusive, worldwide, and royalty-free license to reproduce, perform, display, analyze, and use his/her apps in connection with (a) the operation and marketing of Google Play; (b) the marketing of devices and services that support the use of the apps; (c) the provision of hosting services to 48

Griffin (2011). ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996). 50 “Apps made available through the App Store are licensed, not sold, to you”, Apple Media Services Terms and Conditions, LICENSED APPLICATION END USER LICENSE AGREEMENT “Software and other digital content made available through the Stores are licensed, not sold, to you”, MICROSOFT TERMS OF SALE. 51 CJEU, UsedSoft GmbH v. Oracle International Corp, Case C-128/11, Judgment of 3 July 2012, par. 49. 52 Google Play Developer Distribution Agreement (Effective as of 12 June 2020). 49

22

Private Law Considerations in the Context of Apps’ Distribution via App. . .

533

the developer and on his/her behalf to allow for the storage of and user access to the apps and to enable third-party hosting of such apps; (d) the making of improvements to Google Play, Play Console, and Android platforms; and (e) the checking of compliance with the Google Play Developer Distribution Agreement and the Developer Programme Policies53 (s. 5.1 of the Agreement). Moreover, the developer grants Google a non-exclusive and royalty-free license to distribute his/her app in the manner indicated in the Play Console.54 Google is appointed as the developer’s agent or marketplace service provider to make his/her apps available in Google Play. As far as the relationship between the Apple app developer and Apple App Store is concerned, Apple by means of the Apple Developer Agreement grants the developer a limited, non-exclusive, personal, revocable, non-sublicensable and non-transferrable license to use Apple software for developing and testing apps, while Apple retains the right to limit the number of devices this software may be installed on.55 The Developer grants to Apple a non-exclusive and royalty-free intellectual property license to allow for the distribution of the app to end users, including hosting and displaying the app, making copies thereof, and allowing end-user downloads and also allowing Apple to use excerpts of an app in its promotional materials (unless the developer notifies Apple that the developer itself does not possess these rights due to incorporated third-party intellectual property).56 As far as the relationship between the user of the app and the Google Play Store is concerned, the developer grants to the user a non-exclusive, worldwide, and perpetual license to perform, display, and use the app, and if he/she chooses, he/she may include a separate end-user license agreement (EULA) in his/her app that will govern the user’s rights to the app and shall operate only between the developer and the user, but, to the extent that EULA conflicts with the Google Play Developer Distribution Agreement, the latter will supersede EULA (s. 5.3 of the Google Play Developer Distribution Agreement).57 As far as the relationship between the user of the app and the Apple App Store is concerned, the use by users of Apple’s apps available on the Apple App Store is regulated by the Apple Media Services Agreement (hereinafter “AMS ToU”), which provides that such apps are licensed to users either by Apple or 3rd-Party App Providers under either (a) the “Standard End User License Agreement” (“Standard EULA”) or (b) a “Custom End User License Agreement” (“Custom EULA”).58 Apple grants to the user a non-transferable license to use the Licensed Application on any Apple-branded products that he owns or controls and as permitted by the Usage Rules that are part of the AMS ToU. Contrary to what is provided in Google Play Store, Apple is a third-party beneficiary of the Standard

53

Google Play Developer Program Policies. The Play Console terms. 55 Apple Developer Agreement, p. 7. 56 Apple Developer Program License Agreement. 57 Google Play Developer Distribution Agreement. 58 Apple Media Services Terms and Conditions. 54

534

I. Iglezakis et al.

EULA or Custom EULA applicable to each 3rd-Party App and may therefore enforce such agreement (s. G of AMS ToU).

3.2

Impact of Commercializing Copyright in Apps on Traditional European and American Copyright Doctrines

Both at EU and national level, restrictive license terms are regulated by copyright and related rights legislation only in so far as they relate to copyright exceptions; i.e., the Software Directive,59 the InfoSoc Directive, and the Database Directive60 forbid the contractual overridability of certain exceptions and limitations to copyright.61 Moreover, mandatory provisions, from which parties cannot deviate irrespective of the content of their T&Cs, relating to contract interpretation and inapplicability/ nullity of contractual clauses are available regarding, in particular, contracts of adhesion/standard form contracts.62 By way of contrast, both at EU and national levels, there is no regulation of restrictive license terms as far as they relate to the exhaustion of rights doctrine. The exhaustion of rights doctrine in copyright law provides that once a product protected by an IPR has been marketed (in the EU/US) with the rightholder’s consent, then the IPRs of commercial exploitation over this product can no longer be exercised by the rightholder as they are exhausted.63 According to the said doctrine, end users to whom ownership of a copy has been transferred are allowed to engage in certain acts that are, in principle, not allowed under the copyright exclusive rights reserved to rightholders.64 Contracting around the doctrine of exhaustion of rights is desirable by app providers and app stores that

59

Software Directive, supra n.45. InfoSoc Directive, supra n.47; Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, OJ L 77, Article 15. 61 Software Directive, supra n.45; InfoSoc Directive, supra n.47. 62 See LG Frankfurt, Urteil v. 06.06.2013, Az. 2-24 O. 246/12, where it is stated: “In Ziffer 7.1 heißt es, dass die Applikationen nur lizenziert, aber nicht verkauft werden. . . . Der Vertrag ist nach dem Leitbild eines Kaufvertrages zu beurteilen. Ein durchschnittlicher Verbraucher, der allgemeine Geschäftsbedingungen sorgfältig liest, geht davon aus, dass er einen Kaufvertrag schließt, wenn die Bedingungen als solche für ‘Käufer’ bezeichnet werden, es in Ziffer 6 heißt, dass er Applikationen in einem ‘Store’ bestellen kann und an vielen Stellen die'Art und Weise der Bezahlung geregelt ist” (translation in English by the author: “In Section 7.1 it is mentioned that the applications are only licensed and not sold. . . . The contract is considered to fall under the type of contract of sale. The average consumer who carefully reads the terms and conditions, assumes that he/she has concluded a contract of sale, where the terms refer to him as ‘buyer’; and as In paragraph 6 is mentioned that he can place orders for applications in a ‘Store’, and in many places the way of payment is regulated.”). 63 See the WIPO official website on “International Exhaustion and Parallel Importation”. 64 Nimmer (2011), pp. 1311–1312. 60

22

Private Law Considerations in the Context of Apps’ Distribution via App. . .

535

want to eliminate the resale of apps in the context of a business model of unconditional app exploitation. The Licensed Application End User License Agreement (EULA) included in the AMS ToU provides that the user “may not transfer, redistribute or sublicense the Licensed Application and, if [he] sell [s his] Apple Device to a third party, [he] must remove the Licensed Application from the Apple Device before doing so.”65 Given that an app incorporates both software and copyright content protected under the InfoSoc Directive, the exhaustion of rights doctrine applies to both software and copyright content at the same time but with different “outcomes,” as will be shown below. App providers and/or app stores could argue that they exercise the making available to the public right in Article 3(1) InfoSoc Directive66 when offering apps for download from end users/consumers. Therefore, the question is raised whether the contractual relationship at issue is covered by the concept “communication to the public” within the meaning of Article 3(1) of the InfoSoc Directive67 or by the Software Directive,68 which does not recognize such a right, and, if yes, to what extent. Depending of the viewpoint, several outcomes arise indicating the evolution of traditional copyright concepts in the particular area of apps. Depending on whether a particular feature of an app is protected under the Software Directive or under the InfoSoc Directive, different outcomes can be reached; in particular, to the extent apps are considered as software, the EU exhaustion of rights doctrine can be considered applicable, while to the extent apps are considered digital content to which the making available to the public right applies, there is no applicability of the EU exhaustion of rights doctrine. In the US, with regard to software, there is limited guidance in relation to the application of the so-called first sale doctrine in the area of software, while in relation to digital works the Capitol Records, LLC v. ReDigi, Inc. judgement, examining whether consumers of digital works have the right “to sell or otherwise dispose of” the digital files they possess in the same way they do physical media, is of importance.69 In that instance, the Court held that it was impossible to digitally transfer the “particular” copy purchased and that any digital transfer creates a new copy of the work, even if the original file is deleted during the transfer. The Second Circuit, where the Capital Records case was on appeal, held that plaintiffs’ exclusive rights under 17 United States Code 106(1) were infringed by the defendants, who reproduced their copyrighted works, and such reproduction did not constitute fair use under section 106(1).70

65

Apple Media Services Terms and Conditions (2019). Supra n.47. 67 Ibid. 68 Supra n.45. 69 Capitol Records, LLC v. ReDigi, Inc., 934 F.Supp.2d 640 (S.D.N.Y. 2013). 70 Capitol Records, LLC v. ReDigi Inc., No. 16-2321 (2d Cir. 2018). 66

536

I. Iglezakis et al.

According to the Court of Justice of the European Union’s (CJEU’s) decision in UsedSoft,71 digital exhaustion applies in the case of software. Under Article 4(2) of the Software Directive, the first sale in the EU of a copy of a computer program by the rightholder or with his/her consent exhausts the distribution right within the EU of that copy.72 In UsedSoft, the Court held that a person who does not hold a user right in the computer program granted by the rightholder but relies on the exhaustion of the right to distribute a copy of the computer program is a “lawful acquirer” of that copy within the meaning of Article (5)1 of the Software Directive and, thus, benefits from the right of reproduction provided for in that provision. However, for digital exhaustion to apply in software and for secondhand software to be permitted, several conditions must have been cumulatively met: (1) the copyright holder must have authorized, even free of charge, the downloading of the copy of the computer program from the Internet onto a data carrier in the EU; (2) the copyright holder must have conferred, in return for payment of a fee intended to enable him to obtain a remuneration corresponding to the economic value of the copy of the work of which he is the proprietor, a right to use that copy for an unlimited period; and (3) the first lawful acquirer of the computer program must have erased his computer program copy or must no longer use it. The Court also rejected the argument put forward by Oracle and the Commission that the making available of a computer program on the copyright holder’s website constitutes a “making available to the public” within the meaning of Article 3(1) of InfoSoc Directive,73 which cannot give rise to the exhaustion of the right of distribution of the copy, as provided for in Article 3(3) of the same Directive, which has been recently amended by the Directive on Copyright in the Digital Single Market.74 The reason lies in the relationship between the InfoSoc Directive and the Software Directive and, in particular, in Article 1(2)(a) of the InfoSoc Directive, which provides that the Directive “leave[s] intact and [. . .] in no way affect[s] existing [. . .] [European] provisions relating to [. . .] the legal protection of computer programs,” a provision that has been preserved in the recent Directive on Copyright in the Digital Single Market (Article 1(2) of the new Directive). The provisions of the Software Directive and, in particular, Article 4(2), thus, “constitute a lex specialis in relation to the provisions of Directive 2001/29, so that even if the contractual relationship at issue in the main proceedings or an aspect of it might also be covered by the concept of ‘communication to the public’ within the meaning of Article 3(1) of the latter directive, the ‘first sale . . . of a copy of a program’ within the meaning of Article 4(2) of Directive 2009/24 would still give rise, in accordance

71

Supra n.51. Supra n.45. 73 Supra n.47. 74 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC, OJ L 130. 72

22

Private Law Considerations in the Context of Apps’ Distribution via App. . .

537

with that provision, to exhaustion of the right of distribution of that copy.”75 Based on the above, given the capacity of apps as software, even if the distribution of apps via app markets fall under the “making available to the public right,” the exhaustion of rights doctrine might still apply. The CJEU in UsedSoft held that allowing customers to download software from the Internet for remuneration, which they can use for an unlimited period, constitutes a sale. In that case, Oracle submitted that its practice does not constitute a sale but, rather, licensing, since it submitted that it makes available to its customers, free of charge, on its website a copy of the program concerned, which they can download. The copy downloaded can only be used by the customers if they have concluded a non-exclusive and non-transferable license agreement with Oracle for use of the computer program for an unlimited period. The Court did not accept Oracle’s submissions that “neither the making available of a copy free of charge nor the conclusion of the user license agreement involves a transfer of the right of ownership of that copy”76 and, on the contrary, held that this situation “[. . .] examined as a whole, involves the transfer of the right of ownership of the copy of the computer program in question.”77 Interestingly, the Court said that “[i]t makes no difference [. . .] whether the copy of the computer program was made available to the customer by the rightholder concerned by means of a download from the rightholder’s website or by means of a material medium such as a CD-ROM or DVD.”78 The Court held that both the operation of downloading a computer program from a material medium such as CD-ROM or DVD and the operation of downloading a computer program from the rightholder’s website when combined with the conclusion of a license agreement providing the right to use a copy for an unlimited period in return for payment of a fee involve the transfer of the right of ownership of that computer program copy.79 The CJEU in the Aleksandrs Ranks and Jurijs Vasilevics case80 confirmed the application of the digital exhaustion principle to software and also clarified that the exhaustion of right applies to the original copy of the software, not to the backup copy. Regarding the United States and in relation to the application of the US first sale doctrine, equivalent to the EU exhaustion of rights doctrine, an analysis similar to the one made for the EU exhaustion of rights doctrine can be made. In that context, as far as digital goods are concerned (in case one accepts that apps are digital goods rather than software), in the case of ReDigi Inc.,81 the Second Circuit held that an online “reseller” of preowned digital music files, i.e. enabling the resale of lawfully

75

Supra n.51, par. 51. Ibid, par. 43. 77 Ibid, par. 46. 78 Ibid, para 47. 79 Ibid, para 47. 80 CJEU, Aleksandrs Ranks and Jurijs Vasiļevičs v Finanšu un ekonomisko noziegumu izmeklēšanas prokoratūra and Microsoft Corp, Case C-166/15, Judgment of 12 October 2016. 81 Capitol Records, LLC v. ReDigi Inc., No. 16-2321 (2d Cir. 2018). 76

538

I. Iglezakis et al.

purchased digital music files by hosting such resales on its platforms, was infringing rightholder’s exclusive rights under 17 U.S.C. 106(1) to reproduce their works and that the first sale doctrine did not apply. Moreover, in the Disney Enterprises, Inc. v. Redbox, Automated Retail, LLC case,82 the California Central District Court granted a preliminary injunction barring the defendant from reselling Disney movie download codes from “Combo Packs” since it held that it was likely to be established that the defendant’s actions constituted contributory copyright infringement under Disney’s revised terms of use. As far as the application of the US first sale doctrine in software is concerned, there is no clear approach (as is the case in the EU). In Vernon v. Autodesk, the Court stated that a transaction will be classified as a license where the copyright owner (1) specifies that the user is granted a license; (2) significantly restricts the user’s ability to transfer the software; and (3) imposes notable use restrictions.83 In an earlier case, Softman v. Adobe, in which the plaintiff argued that the defendant was selling through its website unbundled versions of the plaintiff’s products, the Court considered whether the first sale doctrine applied and stated that in order to characterize a given transaction as a “license” or a “sale,” one has to first assess the economic realities of the specific transaction.84 In that particular case, the Court was of the opinion that the transaction in question was looking more like a sale rather than a license since the purchaser obtained a copy of the software and paid at the time of the transaction a lump sum and the software could be used for an indefinite period without a need for renewal. In an old case, Microsoft v. Harmony, the defendant was selling Microsoft products in a stand-alone basis, which were not installed on PCs.85 In deciding whether an unauthorized party could legitimately sell Microsoft products, the Court held that the first sale doctrine was not applicable in the particular case since the defendants did not establish a chain of title going back to Microsoft and since Microsoft presented evidence according to which it never seeks to sell its products but rather to license them.

4 Concluding Remarks Apps are widely used every day, and their adoption is increasing, making the app market one of the biggest and most popular industries. Successful commercialization of apps is a demanding task from various aspects, especially considering the crossborder and multijurisdictional nature of the online environment. Proper regulation of the formed relationships is imperative, though difficult to successfully accomplish,

82 Disney Enters. v. Redbox Automated Retail, LLC, No. CV 17-08655 DDP (AGRx), 2018 U.S. Dist. LEXIS 148489 (C.D. Cal. August 29, 2018). 83 Vernor v. Autodesk, Inc. 621 F.3d 1102 (9th Cir. 2010), 1111. 84 Softman Products Company v. Adobe Systems Inc. 171 F. Supp.2d 1075 (C.D. Cal 2001). 85 Microsoft Corp. v. Harmony Computers & Electronics, Inc. 846 F. Supp.208 (E.D.N.Y 1994).

22

Private Law Considerations in the Context of Apps’ Distribution via App. . .

539

for the successful commercialization of apps. For the time being, questions that arise do not have predefined answers with rare ad hoc cases to follow. Rather, the solution must be sought on a case-by-case basis. Multiple factors must be carefully considered and weighed upon, such as the role of the engaged actors, the type of apps, and the payment model adopted in relation to the applicable legal framework. Contract formation is concluded online among parties residing at different (or even unknown at the time of conclusion) locations. The apps are made available to an undefined number of people, who have rights but at the same time obligations to comply with. In case of disputes, the consumer/end user is important to be certain about the contractual relations that have been created, its counterparty, and the provisions that apply in terms of contract typology on a national law level. Proper legal approach requires good knowledge on the technical and organizational operations of online platforms, such as app stores, and interpretation of the contracts formed by considering multiple parameters interrelated with the online environment. Application providers have proprietary rights to protect and specific standards to meet (for instance, quality, consumer protection, etc.). The existing legal framework has been criticized as inadequate to deal with the triangular relationships created on an online platform as well as with the contractual relationship formed between the trader (either app provider or app store) and the end user, and the legal characterization of these contractual relationships requires, instead, a careful analysis of multiple parameters, such as the type of the app, the technical way to acquire the app, the business/payment model, and the offered services. In terms of rights afforded by copyright to the parties to a transaction concerning apps, the preceding analysis illustrates that commercializing copyright to the realm of apps is far from easy and predictable and can affect traditional legal concepts/doctrines such as the ones of “exhaustion of rights” and “first sale.” It is suggested that there is a need for the proper regulation of restrictive license terms in so far as they relate to the exhaustion of rights doctrine as far as app distribution is concerned, and this requires taking into consideration their technical characteristics, the contractual provisions, and the terms of use provided by app providers and/or app stores and also the court interpretations of existing legislation.

References Apple Developer Agreement, Available at: https://developer.apple.com/terms/apple developeragreement/. Accessed 20 July 2020 Apple Developer Program License Agreement, Available at: https://developer.apple.com/terms/. Accessed 20 July 2020 Apple Media Services Terms and Conditions (Last Updated: May 13, 2019). Available at: https:// www.apple.com/legal/internet-services/itunes/us/terms.html. Accessed 20 July 2020 Apple Media Services Terms and Conditions, LICENSED APPLICATION END USER LICENSE AGREEMENT, Available online at https://www.apple.com/legal/internet-services/itunes/us/ terms.html. Accessed 20 July 2020

540

I. Iglezakis et al.

Artikel 164: Wirkung der Erklärung des Vertreters, Bürgerliches Gesetzbuch (BGB) Available online at http://www.gesetze-im-internet.de/bgb/__164.html. Accessed 20 July 2020 Baumgartner M, Ewald U (2016) Apps und Recht. C.H. Beck, München Beale H et al (2010) Cases, materials and text on contract law, Ius Commune casebooks for the common law of Europe, 2nd edn. Hart Bundesgerichtshof Urt. v. 04.11.1987, Az.: VIII ZR 314/86, Available online at https://www.jurion. de/urteile/bgh/1987-11-04/viii-zr-314_86/. Accessed 20 July 2020 Busch C, Schulte-Nölke H, Wiewiórowska-Domagalska A, Zoll F (2016) The rise of the platform economy: a new challenge for EU consumer law? J Eur Consum Mark Law 5:1 Capitol Records, LLC v. ReDigi, Inc., 934 F.Supp.2d 640 (S.D.N.Y. 2013) Capitol Records, LLC v. ReDigi Inc., No. 16-2321 (2d Cir. 2018) Disney Enters. v. Redbox Automated Retail, LLC, No. CV 17-08655 DDP (AGRx), 2018 U.S. Dist. LEXIS 148489 (C.D. Cal. August 29, 2018) Ghose A, Han SP (2014) Estimating demand for mobile applications in the new economy. Management Science, Available via SSRN: https://ssrn.com/abstract¼2378007. Accessed 20 July 2020 Google Play Developer Distribution Agreement (Effective as of 12 June 2020). Available at https:// play.google.com/about/developer-distribution-agreement.html. Accessed 20 July 2020 Google Play Developer Program Policies. Available at: https://support.google.com/googleplay/ android-developer/answer/9904549. Accessed 20 July 2020 Griffin JGH (2011) The interface between copyright and contract: suggestions for the future. Eur J Law Technol 2(1) Jacques Delors Institut, Berlin (2018) Policy paper No.227, Online Platforms and how to regulate them: an EU overview. European Commission, Regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy, Survey document in preparation of a Communication LG Frankfurt, Urteil v. 06.06.2013, Az. 2-24 O Microsoft Corp. v. Harmony Computers & Electronics, Inc. 846 F. Supp.208 (E.D.N.Y 1994) Niemann F, Paul J-A (Hrsg) (2014) Rechtsfragen des Cloud Computing. Herausforderungen für die unternehmerische Praxis. De Gruyter Praxishandbuch Nimmer RT (2011) Copyright first sale and the overriding role of contract. Santa Clara Law Rev 51:1311 OECD, An Introduction to Online Platforms and Their Role in the Digital Transformation, 13 May 2019, Available online at https://www.oecd.org/innovation/an-introduction-to-online-plat forms-and-their-role-in-the-digital-transformation-53e5f593-en.htm. Accessed 20 July 2020 Oracle Am., Inc. v. Google, Inc. (2014) 750 F. 3d 1339, 1364 (Fed. Cir) Pepper R et al (respondents), In the Supreme Court of the United States, Brief for Respondents, Available online at https://www.supremecourt.gov/DocketPDF/17/17-204/64643/ 20180924150810273_17-204bs.pdf. Accessed 20 July 2020 ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996) Softman Products Company v. Adobe Systems Inc. 171 F. Supp.2d 1075 (C.D. Cal 2001) Solmecke C, Taeger J, Feldmann T (2013) Mobile Apps, Rechtsfragen und rechtliche Rahmenbedingungen, De Gruyter Praxishandbuch Study Group on the European Civil Code and Research Group on EC Private Law (Acquis Group) (2009) Principles, definitions and model rules of European private law - draft common frame of reference (DCFR), Outline Edition. European Law Publishers GmbH The Play Console terms (Effective as of April 29, 2020) Available online at: https://play.google. com/about/console/terms-of-service/. Accessed 20 July 2020 Vernor v. Autodesk, Inc. 621 F.3d 1102 (9th Cir. 2010), 1111 Vorndran A (2018) Die Verwendung Allgemeiner Geschäftsbedingungen beim Vertrieb von Apps. Duncker & Humblot, Berlin

Part VI

Consumer and Corporate Protection in the Digital Environment

Chapter 23

The Notion of “Online Intermediation Services” Found in the New EU Platform Regulation: Who Is Caught After All? Thalia Prastitou-Merdi

Abstract As part of the European Union’s (EU) Digital Single Market (DSM) Strategy, on 11 July 2019, Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services, otherwise known as the Platform to Business Regulation entered into force. In practice, this Regulation introduces new transparency obligations for providers of online intermediation services. What is really interesting to note is that this Regulation does not offer a definition of online platforms but rather uses the notion of providers of “online intermediation services.” Looking in detail at this notion, it seems that the first out of the three cumulative requirements that must be met for a service to be considered as such is that it must constitute an “information society service” within the meaning of the Information Society Services Directive. After providing a brief account of the preparatory steps that led to the adoption of this Regulation, by way of background as well as of the Regulation’s most important provisions, this chapter proceeds with presenting in detail the notion of “online intermediation services” as provided by the EU legislator. It then moves on to examine in detail the Uber Spain, Uber France, and Airbnb Ireland rulings of the Court of Justice of the European Union that interpret and apply the notion of “information society service” attempting to provide a response as to who is caught after all by this Regulation and what are, if any, the problems and questions remaining.

T. Prastitou-Merdi (*) School of Law, European University Cyprus, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_23

543

544

T. Prastitou-Merdi

1 Introduction As part of the European Union’s (EU) Digital Single Market (DSM) Strategy,1 on 11 July 2019, Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services, otherwise known as the Platform to Business Regulation (P2B Regulation or Regulation) entered into force. The “P2B Regulation finds its origin in the increasing importance of online intermediary platforms.”2 In recent years, online platforms “have become key gatekeepers of the Internet, intermediating access to information, content and online trading. Online platforms organize the Internet ‘ecosystem’ and this is a profound transformation of the World Wide Web.”3 In practice, although until the adoption of the P2B Regulation online platforms were subject to various legal provisions, no substantive rules existed at the EU, or in most cases, at national level to regulate, at least, the most important aspects, of this new business model. More importantly, a question mark existed as to whether this new business model fits into the existing legal framework and whether there is a need to adjust the EU regulatory framework to the new platform economy.4 The P2B Regulation attempts, under its Preamble, to fill in this gap by bringing forward “a targeted set of mandatory rules. . . .at Union level to ensure a fair, predictable, sustainable and trusted online business environment within the internal market”.5 More specifically the Regulation introduces new obligations for providers of online intermediation services (or OIS) including, inter alia, the clarity and content of their terms and conditions, the possible restriction, suspension and termination of their online intermediation services, transparency over ranking, differentiated treatment and data as well as dispute resolution and complaint handling. What is really interesting to note is that the Regulation does not offer a definition of online platforms, as one would expect, considering the terminology used in the European Commission’s (Commission) Mid Term Review on the implementation of the Digital Single Market Strategy.6 Instead, it employs the notion of “online intermediation services.” More specifically, it applies to providers, meaning natural or legal persons, of OIS to business users. Although at first glance this notion appears to be able to apply, as the Commission aims, “to the entire online platform economy –

1 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Digital Single Market Strategy For Europe, COM (2015) 192 final. 2 Cauffman (2019), p. 474. 3 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on the Mid-Term Review on the implementation of the Digital Single Market Strategy, A Connected Digital Single Market for All, COM(2017) 228 final, p. 7. 4 Busch (2018a), p. 172. 5 Para. 7. 6 Supra n3.

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

545

approximately 7000 online platforms or market places operating in the EU – which include world giants as well as very small start-ups, but having often an important bargaining power vis-a-vis business users”7 in practice this might not be the case. Looking in detail at this notion, it seems that one of the three cumulative requirements that must be met for a service to be considered as such is that it must constitute an “information society service” within the meaning of Article 1(1) (b) of Directive (EU) 2015/1535 (Information Society Services Directive).8 Although one would claim that this latter notion covers clearly “the activities of platforms doing nothing more than bringing in touch (professional) services providers with clients”9 such as Booking.com, in other cases this notion has proven to be much more complex to be applied in practice. Specifically, the Court of the Justice of the European Union (CJEU or Court) has had the chance, at least, in three different cases, namely Uber Spain,10 Uber France,11 and Airbnb Ireland12 to look in detail at this notion, regarding online platforms, and attempted to fill in this complex legislative notion introduced by the EU legislator. Based on the CJEU rulings it is now clear that Uber does not fall under the scope of the P2B Regulation although Airbnb does. Yet, is the reasoning provided by the CJEU in distinguishing between these two platforms convincing enough? What will happen in the future in case of other platforms that fall somewhere in the middle of the CJEU test? And more importantly is this what the Commission aspired when it suggested the introduction of such a legislative instrument? After providing a brief account of the preparatory steps that led to the adoption of this Regulation, by way of background as well as of the Regulation’s most important provisions, this chapter proceeds in presenting in detail the notion of “online intermediation services” as provided by the EU legislator. It then proceeds to examine in detail the three cases of the CJEU regarding this notion attempting to answer the aforementioned questions, providing a response as to who is caught after all by this Regulation and what are, if any, the problems and question remaining.

7

European Commission (2019). Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society service (codification), OJ L 241/1 (Information Society Services Directive). 9 Van Cleynenbreugel (2019). 10 CJEU, Asociación Profesional Élite Taxi v Uber Systems Spain SL, Case C-434/15, Judgment of 20 December 2017. 11 CJEU, Criminal proceedings against Uber France, Case C-320/16, Judgment of 10 April 2018. 12 CJEU, Criminal proceedings against X, Case C-390/18, Judgment of 19 December 2019. 8

546

T. Prastitou-Merdi

2 Background: How Did We Get Here? The P2B Regulation adoption does not come as a surprise. Quite the opposite could be said. In a theoretical context, the importance of online platforms for the expansion of the digital single market is constantly growing. There is no doubt that more and more online platforms offer unrivaled access to cross border markets for the provision of different services, activities and goods. “They play an important role in the development of the online world and create new market opportunities, notably for SMEs.”13 In practice, such online platforms operate as two-sided markets: the more suppliers use a particular platform, the more attractive it becomes for consumers; the more consumers use a particular platform, the more attractive it becomes for suppliers. This results to the concentration of supply and demand on specific platforms that businesses want to have access to, thus leading to new dependencies and imbalances of market power between businesses and platforms.14 While the Commission fully acknowledged the importance of online platforms for entrepreneurship, trade and innovation it was concerned with the dependence of businesses on those platforms. Furthermore, apart from Article 102 of the Treaty on the Functioning of the European Union (TFEU), that only targets platforms in a dominant position as well as specific consumer protection law directives,15 that are limited to business to consumer (B2C) transactions, no substantive rules existed at the EU, or in most cases, at national level to regulate, at least, the most important aspects, of this new business model. Based on the above, the Commission, in its Communication on a DSM Strategy for Europe, which was released in May 2015,16 committed to undertake a comprehensive assessment of the role of platforms. Based on this commitment, a public consultation on the Regulatory environment for Platforms, Online Intermediaries and the Collaborative Economy took place between September 2015 and January 2016.17 After its results were released it became clear that although many respondents acknowledged that online platforms bring forward significant benefits, they additionally raise particular problems. Specifically, the absence of a level playing field, lack of transparency, concerns around personal data collection and imbalanced bargaining power between online platforms and suppliers which could lead to unfair

13

Supra n3, p. 7. Evans and Schmalensee (2008). 15 Directive 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules, OJ L 328/7 (Omnibus Directive). 16 Supra n1. 17 https://ec.europa.eu/digital-single-market/en/news/public-consultation-regulatory-environmentplatforms-online-intermediaries-data-and-cloud. Accessed 20 August 2020. 14

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

547

practices vis-à-vis consumers and businesses were mentioned.18 Furthermore a “key cross cutting issue” referred to in all the responses related to the responsibility and liability of platforms. In its Communication on Online Platforms, which followed in May 2016,19 the Commission identified two main areas for further actions: first, ensuring a fair and innovation—friendly platform economy, and second, fighting illegal content online. In this context, in its Mid Term Review on the implementation of the DSM Strategy, the Commission committed itself in preparing actions “to address the issues of unfair contractual clauses and trading practices identified in platform-tobusiness relationships. . .These actions could. . .take the form of a legislative instrument.”20 Delivering on its promise the Commission brought forward in April 2018 a Proposal for a Regulation on promoting fairness and transparency for business users of online intermediation services.21 In February 2019, the European Parliament, the Council of the EU and the Commission reached a political agreement on the legislative proposal. On July 11, 2019, the P2B Regulation was published in the Official Journal of the EU. The Regulation came into full effect on July 12, 2020.

3 Content: What Is This Regulation About? Having a general overview of the Regulation, the EU legislator applies some of the principles found in the consumer acquis communautaire, yet now to the contractual relationship between businesses and platforms, rather than businesses and consumers, stepping in this way upon a new legal battlefield. More specifically the Regulation lays down specific obligations for platforms, formally titled as providers of “online intermediation services”22 vis-à-vis their business users. These obligations can be divided in seven main categories which are explained immediately below. Terms and conditions:23 These must be drafted in plain and intelligible language and must be easily available to business users. Furthermore they must set out the objective grounds for decisions to suspend or terminate or impose any other kind of restriction upon the provision of their OIS to the business user. Changes to these terms and conditions must be communicated on a durable medium subject to a 18

https://ec.europa.eu/digital-single-market/en/news/full-report-results-public-consultation-regula tory-environment-platforms-online-intermediaries. Accessed 20 August 2020. 19 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Online Platforms and the Digital Single Market Opportunities and Challenges for Europe, COM(2016) 288 final. 20 Supra n3, p. 9. 21 Proposal for a Regulation of the European Parliament and of the Council on promoting fairness and transparency for business users of online intermediation services, COM(2018) 238 final. 22 Please see Sect. 4 of this Chapter for further guidance on this notion. 23 Article 3.

548

T. Prastitou-Merdi

15-day notice period. Failure to provide sufficient notice renders the changes null and void. Restriction, suspension and termination of online intermediation services:24 Providers of OIS shall provide business users concerned with a statement of reasons for that decision on a durable medium. In case of termination that statement must be given at least 30 days prior to the termination taking effect. Furthermore the statement must include the applicable ground or grounds for that decision, initially included in the terms and conditions. Transparency over ranking:25 Providers of OIS must set out in their terms and conditions the main parameters determining ranking and the reasons for the relative importance of those main parameters as opposed to other parameters. “Given that search engines lack a contractual relationship with the websites they rank, they must make their parameters available publicly. Importantly, it must be clear to what extent and how any remuneration can influence the ranking.”26 Examining closely this obligation, it seems that this is complementary to a similar obligation found in the Omnibus Directive,27 which amends, inter alia, Directive 2005/29 and Directive 2011/83, and requires traders to inform consumers using online marketplaces about the main parameters determining the ranking of offers. Differentiated treatment:28 Providers of OIS have to disclose any advantage they give to their own goods or services, in case they operate for example as app stores, in competition with those of their business users. Access to data:29 Providers of OIS must include in their terms and conditions a description informing their business users what personal and/or other data are received through the use of the OIS as well as whether these data are afterwards shared with its business users. As explained in the Preamble of the Regulation “such data could include ratings and reviews accumulated by business users on the OIS. Altogether, the description should enable business users to understand whether they can use the data to enhance value creation, including by possibly retaining thirdparty data services.”30 Restrictions on using other platforms:31 In case providers of OIS restrict the ability of business users to offer the same goods and services under different conditions through other means than through those services, they shall include the grounds for that restriction in their terms and conditions and make those grounds

24

Article 4. Article 5. 26 Bostoen (2018). 27 Supra n15. 28 Article 7. 29 Article 9. 30 Para. 33. 31 Article 10. 25

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

549

easily available to the public. “This is, in effect, another attack on ‘most favoured nation clauses’ in that it attempts to bring their existence into the public domain.”32 Effective redress:33 Unless they constitute small enterprises,34 providers of online intermediation services shall provide for an internal system for handling the complaints of business users. Such an obligation is an important addition regarding claims of infringements in intellectual property rights. Furthermore they shall identify in their terms and conditions two or more mediators with which they are willing to engage to attempt to reach an agreement with business users on the settlement, out of court, of any disputes between the provider and the business user arising in relation to the provision of the OIS concerned. Having a general overview35 of these seven categories of obligations, it seems that these are generally, and at certain points ambiguously,36 drafted and, more importantly, are mostly concerned as to how transparent these terms and conditions must be rather than what they may or may not cover. The Regulation therefore does not prohibit any unfair practices as such. Yet, it offers business users effective redress options when these unfair practices arise. One may therefore ask, inter alia, why is the P2B Regulation limited to transparency issues and is not moving one step further in providing, for example, a general unfairness test as the one given in Directive 93/13/EC37 or a black list of unfair commercial practices as the one found in Directive 2005/29/EC?38 First, this relates to the innovation potential of platforms that is recognized by the Regulation itself as a priority.39 Second, as it has been suggested40 in cases of platforms in a dominant position, competition law rules already exist at the EU level, such as Article 102 TFEU, that may be applied in such cases, although procedures of this kind are most of the times delayed. Therefore, it could be claimed that the extent to which this limitation of provisions to specific transparency obligations would be regarded as sufficient, for regulating platform to business relationships in the future, and specifically whether this would be regarded as enough for providing businesses the desired protection, is an issue left to be practically assessed.

32

Dunleavy (2019). Articles 11 and 12. 34 Within the meaning of the Annex to Recommendation 2003/361/EC. 35 A closer assessment of these provisions falls outside the scope of this chapter. For a closer examination and analysis of the proposal for a P2B corresponding provisions, see Twigg Flesner (2018). 36 For example what do these “objective grounds” cover? Who assesses their objectivity? 37 Council Directive 93/13/EC of 5 April 1993 on unfair terms in consumer contracts, OJ L 95/29. 38 Directive 2005/29/EC of the European Parliament and Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market, OJ L 149/22. 39 Paragraph 8 of the P2B Regulation Preamble reads “those rules should recognise and safeguard the important innovation potential of the wider online platform economy and allow for healthy competition leading to increased consumer choice.” 40 Bostoen (2018). 33

550

T. Prastitou-Merdi

4 Scope: To Whom Does the P2B Regulation Apply To? 4.1

The Target Group Under the P2B Regulation Provisions

Under Article 1(2) of the Regulation, this legislative instrument “shall apply to online intermediation services and online search engines provided, or offered to be provided, to business users and corporate website users, respectively, that have their place of establishment or residence in the Union and that, through those online intermediation services or online search engines, offer goods or services to consumers located in the Union, irrespective of the place of establishment or residence of the providers of those services and irrespective of the law otherwise applicable.” Reading this provision one main point, becomes, at first glance, clear; this Regulation covers business to business relationships (B2B) solely. More specifically, on one side of this relationship spectrum lies the “business user.” Under Article 2(1) of the Regulation, “business user” means any private individual acting in a commercial or professional capacity who, or any legal person which, through online intermediation services offers goods or services to consumers for purposes relating to its trade, business, craft, or profession. This notion which resembles almost per se the notion of “trader” or “business” found in the consumer law acquis does not bring forward any new or unknown problems. Yet, on the other side, instead of providing a definition of online platforms as one would expect, the new and quite challenging notion of provider of “online intermediation services”41 can be traced. Under Article 2(3) of the P2B, “provider of online intermediation services” means any natural or legal person which provides, or which offers to provide, online intermediation services to business users. More importantly, under Article 2(2) of the Regulation, “‘online intermediation services’ means services which meet all of the following requirements: (a) they constitute information society services within the meaning of point (b) of Article 1 (1) of the Information Society Services Directive; (b) they allow business users to offer goods or services to consumers, with a view to facilitating the initiating of direct transactions between those business users and consumers, irrespective of where those transactions are ultimately concluded; (c) they are provided to business users on the basis of contractual relationships between the provider of those services and business users which offer goods or services to consumers.” At first glance, this notion appears to be quite a broad one. This was indeed, as it has been mentioned, the Commission’s initial aim when bringing forward the Proposal for a P2B Regulation targeting to cover “the entire online platform economy.”42 And this was additionally one of the comments initially received by academics. As Twigg Flesner noted, when looking specifically at the wording of this notion’s second requirement, this legislative instrument would be able to “cover not only the market-place type of platforms or hotel-booking platforms (on which 41 42

Along the notion of “online search engines.” European Commission (2019).

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

551

contracts are actually concluded), but also other platforms which simply allow business users to advertise their products and to provide hyperlinks to their websites.”43 Yet, in practice, this might not turn out to be the case. Looking in detail at this notion, it seems that the first out of three cumulative requirements that must be met for a service to be considered as such is that it must constitute an “information society service” within the meaning of Article 1(1) (b) of the Information Society Services Directive. Under this Article “information society service” means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Although it could be claimed that this notion covers clearly “the activities of platforms doing nothing more than bringing in touch (professional) services providers with clients”44 such as Booking.com, in other cases, examined by the CJEU, this notion has proven to be much more complex to be applied in practice in cases of other platforms offering composite services. More specifically, the CJEU has had the chance, three times, at least up to now, in cases Uber Spain, Uber France, and Airbnb Ireland, to discuss in detail this legislative notion, regarding online platforms, yet arriving to different conclusions.45 This chapter will now proceed to examine in detail these rulings aiming to understand who is caught in practice after all in practice by this vague and complex notion and consequently by the P2B Regulation.

4.2 4.2.1

The Notion of “Information Society Services” as Interpreted by the CJEU Uber Spain and Uber France

In both cases an intermediation service, the purpose of which is to connect, by means of a smartphone application provided by Uber Technologies Inc, well known as UberPOP, non-professional drivers, using their own vehicle, in contact with persons who wished to make urban journeys, was at issue. In Uber Spain, the case referred to the civil proceedings brought against Uber by Elite Taxi, a taxi drivers’ association, based on general rules on unfair competition. By contrast, Uber France dealt within proceedings before a criminal court in a private prosecution and a civil action brought against Uber by Mr Nabil Bensalem, a taxi driver, based on a newly, at

43

Twigg Flesner (2018), p. 225. See additionally Busch (2018b). Van Cleynenbreugel (2019). 45 One must not yet forget that the notion of “information society service” was discussed by the CJEU in the Ker-Optika case (CJEU - Ker-Optika bt v ÀNTSZ Dél-dunántúli Regionális Intézete, Case C-108/09, Judgment of 2 December 2010). In this case, the Court addressed for the first time the concept of “mixed services” and concluded that the sale of contact lenses—forming the online service—could be regarded as an information society service. Yet, the delivery of contact lenses— forming the offline service—could not. 44

552

T. Prastitou-Merdi

the time, introduced provision of French criminal law. More specifically, under this law providing a service such as the one provided by Uber was considered as a crime in case drivers were not licensed to provide transport services under French national law. Fundamentally, in both cases the CJEU was asked to clarify if, under the EU law, services provided by Uber were regarded as “transport services,” “information society services,” or a combination of both. In both cases, Uber sought to rely on the EU law to protect its freedom to provide information society services across the EU. “Indeed, under EU law, if Uber provided merely an information society service, no authorization could be required and no (relevant) barriers to freedom of services could be imposed by Member States. But if they were ‘transport services’, they would not benefit from the freedom to provide services, but would instead be under the common transport policy.”46 In the latter scenario, national authorities would then be allowed to impose upon them specific licensing requirements. The Court held initially that an intermediation service, such as the one provided through the UberPoP application, meets in principle the criteria for classification as an “information society service” within the meaning of Article 1(2) of Directive 98/3447 meaning any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Yet, irrespective of the above finding, the Court held that in practice the intermediation service at issue “was more than an intermediation service consisting of putting, by means of a smartphone application, non-professional drivers using their own vehicles in contact with persons who wish to make an urban journey.”48 The Court then explained that such an intermediation service, was inherently linked to the offer by that company of non-public urban transport services based on a two-element test. First, the Court claimed that Uber was a market maker explaining that it “provided an application without which those drivers would not have been led to provide transport services, and the persons who wished to make an urban journey would not have used the services provided by those drivers.”49 Second, it stated that Uber exercised decisive influence “over the conditions under which services were provided by those drivers, inter alia by determining the maximum fare, by collecting that fare from the customer before paying part of it to the non-professional driver of the vehicle, and by exercising a certain control over the quality of the vehicles, the drivers and their conduct, which could, in some circumstances, result in their exclusion.”50 Based on the above reasoning, the Court concluded that, the intermediation service at issue in both cases, “had to be regarded as forming an integral part of an overall service the main component of which was a transport service and,

46

Ferro (2019). That has been now repealed and replaced by the Information Society Services Directive. 48 Uber Spain, para. 37; Uber France, para. 20. 49 Uber Spain, paras. 38–39; Uber France, para. 21. 50 Ibid. 47

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

553

accordingly, had to be classified, not as an ‘information society service’ within the meaning of Article 1(2) of Directive 98/34, but as a ‘service in the field of transport’ within the meaning of Article 2(2)(d) of Directive 2006/123.”51 It must not be forgotten that the Court arrived to this conclusion irrespective of the fact that the intermediation service in question fulfilled the four cumulative conditions laid down in Article 1(2) of Directive 98/34.52 The Uber judgments divided the academic world to two opposite sides. While some agreed with the Court’s position,53 others have heavily criticized its approach. Schaub argued: “the decision of the CJEU to exclude the booking application from the scope of the e-Commerce Directive is incorrect and unnecessary. Possibly, this decision was prompted by the desire to ensure that Member States can apply and enforce national rules relating to transport services. Yet, classification of Uber as an information society service would not have precluded this.”54 On the practical application of the P2B Regulation when examined in conjunction with this CJEU double ruling, it becomes clear that services such as the ones provided by Uber do not meet the requirement of an information society service and consequently do not qualify as a provider of an OIS. Therefore, in such a case, they are automatically excluded from the scope of the said Regulation, despite the Commission’s original idea and intended scope of application on this new and modern legislative instrument. This can be argued to be disappointing from an EU law perspective. In a more general perspective, after this double ruling, a question was raised as to the extent of this exclusion to other online platforms. The CJEU had the chance to set the boundaries, at least in theory, for this exclusion in the Airbnb Ireland case. 4.2.2

Airbnb Ireland

In AirBnB Ireland the French Tourism Association (AHTOP) lodged a complaint, inter alia, for the practice of activities concerning the mediation and management of buildings and businesses without a professional licence, under the Hoguet Law. In support of its complaint, AHTOP claimed that Airbnb Ireland did not merely connect two parties through its platform, yet it offered additional services which amount to an intermediary activity in property transactions. After the complaint had been lodged, the Public Prosecutor, attached to the Regional Court of Paris, brought charges for handling monies for activities concerning the mediation and management of 51

Uber Spain, para. 40; Uber France, para. 22. Moreover what must be additionally highlighted at this point is that another preliminary reference concerning Uber’s transport services in Germany, and more specifically, the UberBlack app was lodged by the German Bundesgerichtshof in June 2017. However, following the Uber Spain judgment, the German court decided to withdraw its request. See CJEU, Uber BV v Richard Leipold, Case C-371/17. 53 See Geradin (2017). 54 See Schaub (2018), p. 109. 52

554

T. Prastitou-Merdi

buildings and businesses by a person not in possession of a professional licence. Airbnb Ireland denied acting as a real estate agent arguing that Hogeut Law was inapplicable in its case. The investigating judge of the Paris Regional Court, being uncertain, inter alia, as to whether the services provided by Airbnb formed “an information society service” referred the case to the CJEU. The Court, following the Uber approach, after examining the four cumulative conditions laid down in the Information Society Services Directive explained that the Airbnb service in question met the said four conditions55 and therefore, in principle, constitutes an “information society service” within the meaning of Directive 2000/31. Second, following once again the Uber reasoning, highlighted that an intermediation service which satisfies in principle all four conditions, cannot yet be classified as an “information society service,” if it appears that it forms an integral part of an overall service whose main component is a service coming under another legal classification. Yet, at this point the Court explained why, in contrast to Uber, Airbnb did not fall in this exception. First, the Court, using a new criterion, held that the essential feature of the electronic platform managed by Airbnb Ireland is the creation of a structured list of places of accommodation corresponding to the criteria selected by the persons looking for short-term accommodation, that facilitates the conclusion of contracts concerning future interactions.56 Because of its importance the Court explained that such a service cannot be regarded as merely ancillary to an overall service coming under a different legal classification, namely provision of an accommodation service.57 Second, the Court applying the market maker criterion employed in Uber claimed that, in contrast to the previous cases, Airbnb was in “no way indispensable to the provision of accommodation services, both from the point of view of the guests and the hosts who use it, since both have a number of other, sometimes long-standing, channels at their disposal, such as estate agents, classified advertisements, whether in paper or electronic format, or even property lettings websites.”58 Finally, the Court applying the decisive influence criterion, employed again in Uber stated that Airbnb does not set or cap the amount of the rents charged by the hosts using its electronic platform. As the Court claimed, “at most, it provides them with an optional tool for estimating their rental price having regard to the market averages taken from that platform, leaving responsibility for setting the rent to the host alone.”59 With this argument, the Court highlighted the importance attached to the fact that Airbnb enjoys a reduced level of control over the conditions under which its services are provided vis-à-vis that of Uber.

55

Paras. 44–49. Para. 53. 57 Para. 54. 58 Para. 55. 59 Para. 56. 56

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

555

Based on the above, the CJEU concluded that such an intermediation service cannot be regarded, in contrast to Uber, as forming an integral part of an overall service, the main component of which is the provision of accommodation.60 Examining the above judgment, it becomes clear that in this recent ruling the Court did not “distance itself”61 from the Uber judgment. It employed the two criteria developed therein, along that of essential feature, yet their application in the facts of the latter case let it arrive to the opposite conclusion. On one side, the Airbnb Ireland judgment should be welcomed as it puts an end to the uncertainty created after the Uber double judgment as to the extent of this exclusion to services other than urban passenger transport. Through its judgment, the Court aims, at least in theory, to draw a line between particular platform operators. It therefore becomes clear, with great relief, that services such as the one provided by Airbnb form part of the OIS notion, and therefore fall within the ambit of the P2B Regulation. Yet, it cannot be doubted that various questions still exist. 4.2.3

Questions Remaining

First, although no one doubts that Airbnb is actually an information society service one could comment on how convincing or satisfactory were the arguments put forward by the CJEU to distinguish this platform from Uber. Especially on the market maker element, many commentators have claimed that the distinction made between the two type of platforms “doesn’t make much sense. Uber, after all, doesn’t provide an indispensable way for drivers to pick up passengers, either. Many of them receive orders through several platforms or in old-fashioned ways, by phone and through arrangements with hotels.”62 Therefore, this element appears to be “a problematic requisite, since it’s never met in absolute terms. The decision as to whether a platform creates or merely expands/optimizes the market will always be a matter of degree.”63 As it has been additionally stated “while it is true that several tools were already available to let accommodation short-term, Airbnb opened up the market for normal house owners and renters to (sub)let their property.”64 It therefore remains unclear whether “the CJEU [after all] applied the theory or whether it rather reverse engineered the facts to make them fit within the theory.”65 Furthermore, in a more general perspective, it could be claimed that this judicial test ignores the fact that “the value to suppliers lies in the platform itself – the usability and market reach of Airbnb and Uber. Both enjoy a position of influence over their end-service

60

Para. 57. Jabłonowska (2019). 62 Bershidsky (2019). 63 Ferro (2019). 64 Van Acker (2020), p. 79. 65 Ibid. 61

556

T. Prastitou-Merdi

suppliers because without them, success would diminish considerably.”66 Furthermore, examining this judgment in detail, it seems that the Court arrives to the conclusion that Airbnb is an information society service as it follows, in contrast to Uber, a more “hands off approach”67 therefore not being able to influence the persons using its platform, to the extent Uber is able to influence its platform corresponding visitors. It could be claimed that this is an unsatisfactory finding as it renders the regulation of the DSM much more difficult. It further casts doubts on the practical importance of introducing legislative initiatives in this area of law and more specifically on that of the P2B Regulation. Second, the practical applicability of the Court’s test in future cases can be additionally debated. In practice, it becomes clear from the judicial approach taken by the CJEU that decisions shall be taken on a case-by-case basis. Although this is the best way forward, two points must not be forgotten. Initially, consistency over results as to which platforms would be caught, after all, by the P2B Regulation, thus being regarded as providers of OIS, fulfilling, inter alia, the four criteria of the “information society services” notion as well as the CJEU relevant test would therefore become a matter of application and interpretation at national level. This approach opens up the possibility of the creation of national asymmetries taking additionally into consideration that the relative importance of the criteria employed has not been explained by the Court, although this has been the suggestion of Advocate General Szpunar.68 Furthermore, as Savin rightly notes, “there is no doubt that a variety of cases would arise in the future where it would be difficult to apply the Court’s criteria. This would be a result of the complexities that the reality presents. Different parts of composite services are often intermingled to an extent that calls legal simplifications into question. National courts would then have to look into the level of control that platforms exercise over non-electronic parts and that exercise is not necessarily a simple one.”69 Here, examples may be easily given, i.e., food delivery platforms, such as Deliveroo or Uber Eats, or luxury goods delivery platforms, such as Farfetch. On the one hand, it must be noted that such platforms do not exert control over food or clothes preparation.70 Furthermore, the restaurants and boutiques found in such platforms exist and function additionally independently from these platforms.71 Yet, these platforms bring in touch restaurant and boutique owners with potential clients based on structured list of places selling food/luxury goods corresponding to the criteria selected by those potential clients. More importantly such online platforms additionally enjoy partial control over the transaction process as they set the delivery price for the transportation of food/luxury

66

Poyton (2019). Ibid. 68 CJEU, Criminal proceedings against X, Case C-390/18, Opinion of Advocate General Szpunar of 30 April 2019, paras 61–68; See on this point Chapuis-Doppler and Delhomme (2020). 69 Savin (2019). 70 Becchis (2020). 71 Ibid. 67

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

557

goods to the customer’s address. Can it therefore be claimed that such online platforms are found somewhere in between Uber and Airbnb based on the CJEU judicial criteria?72 In practice, it remains to be seen whether such online platforms would be, after all, regarded as providing services in the field of transport, similarly as in Uber or whether they would be regarded as information society services, similarly as in Airbnb. Depending on the approach taken by national authorities and national courts on this matter, the practical importance and effectiveness of the P2B Regulation in real life remains questionable. It must not be forgotten that the Commission undertook this legislative initiative aiming to regulate the activities of all type of online platforms vis-à-vis their business users. Therefore excluding a number of such platforms would be once again a disappointing outcome from an EU law perspective.

5 Conclusion: Who Is Caught After All? This chapter has attempted to look in detail at the scope of the new P2B Regulation and answer the question of who is caught after all by the notion of “online intermediation services” found therein. Certain conclusions can therefore be drawn on the matters discussed herein. At first, it can be concluded that the European legislator, and especially the Commission, must, in theory, be overall applauded for their first attempt to work in this new and innovative area of law. The P2B Regulation forms a first step in building an EU regulatory framework for online platforms, which constitute in practice a modern business model, and their relationship with business users, or even consumers, that now, more than ever, use their services endlessly. The above analysis has more interestingly shown that having a closer look at the P2B Regulation and more specifically at the notion of “online intermediation services,” the European legislator has selected a composite notion, encompassing three different criteria, to capture online platforms in its provisions. More importantly, the above analysis has revealed that this notion appears to be a, practically, quite complex one, involving, after all, a four-level assessment encompassing both legislative and judicial elements. In detail, by employing, as its first element, the notion of “information society service” the European legislator obliges interested parties to examine, first, whether the additional legislative requirements found in the Information Society Service Directive, on this latter notion, are fulfilled or not. Yet, even if it can be concluded that these legislative requirements are actually fulfilled as the CJEU has exemplified, through its rulings in the Uber Spain, Uber France, and Airbnb Ireland cases, a second test must be additionally attempted as to whether the specific “intermediation service forms an integral part of an overall service whose main component is a

72

Ibid. See additionally Van Cleynenbreugel (2019).

558

T. Prastitou-Merdi

service coming under another legal classification.” In detail, for passing this judicial test the specific service must meet, another three requirements, namely that of “essential element,” “market maker,” and “decisive influence,” as they have been explained and applied by the CJEU in the aforementioned cases. Provided that the first two levels of assessment, on the “information society service” criterion, are successfully completed, the specific service must be additionally examined as to whether it fulfills, the remaining legislative criteria of this notion. In detail, whether it fulfills, third, the criterion of facilitating the initiating of direct transactions in B2C relationships, and fourth, the criterion of the existence of a contractual relationship between its provider and its business users, found in Article 2(2)(b) and (c) of the P2B Regulation accordingly. It therefore becomes clear that who is caught after all by this Regulation becomes a question that cannot readily be answered with certainty in advance. It is a question that will be answered in practice on a case-by-case basis. And it is a difficult question to be answered especially when considering, first, the CJEU ambiguous judicial criteria and second, the complexities that reality presents, having in mind the different composite online services existing. “The conclusion must be that modern services simply do not lend themselves to “legacy” solutions designed for a different world.”73 The application of the P2B Regulation in practice will guide the EU legislator as to whether this notion as it currently stands is able to be actually applied to different service providers found in the entire online platform economy and therefore whether Uber was just an exception, or whether it appears to form after all, in practice, the general rule. Depending on the results, it may be considered necessary to modify this notion or even agree on new rules specific to different platforms. At this time, as Savin concludes, no one knows if this is a case “but is, at best, a warning that a time may come where the patching up of the present regime will no longer be sufficient.”74

References Becchis F (2020) Uber and Airbnb: the decisions of the European Court of Justice on digital platforms, Turin School of Regulation https://turinschool.eu/files/turinschool/Uber_%26_ Airbnb_European_Court_Justice.pdf. Accessed 20 Aug 2020 Bershidsky L (2019) Airbnb Is a Tech Company, But Uber Is a Taxi Company, Blooberg Opinion, https://www.bloomberg.com/opinion/articles/2019-12-20/airbnb-isn-t-uber-says-europeancourt-of-justice. Accessed 20 Aug 2020 Bostoen F (2018) The Commission proposes a Regulation on platform-to-business trading practices. https://www.lexxion.eu/en/coreblogpost/the-commission-proposes-a-regulation-on-plat form-to-business-trading-practices/. Accessed 20 Aug 2020 Busch C (2018a) The sharing economy at the CJEU: does Airbnb pass the ‘Uber test’? Some observations on the pending case C-390/18 – Airbnb Ireland. EuCML 7(4):172–174

73 74

Savin (2019). Ibid.

23

The Notion of “Online Intermediation Services” Found in the New EU. . .

559

Busch C (2018b) Fairness und Transparenz in der Plattformökonomie: Der Vorschlag für eine EU-Verordnung über Online-Plattformen IWRZ 147–152 Cauffman C (2019) New EU rules on business-to-consumer and platform-to-business relationships. Maastricht J Eur Comp Law 26(4):469–474 Chapuis-Doppler A, Delhomme V (2020) A regulatory conundrum in the platform economy, case C-390/18 Airbnb Ireland. https://europeanlawblog.eu/2020/02/12/a-regulatory-conundrum-inthe-platform-economy-case-c-390-18-airbnb-ireland/. Accessed 20 Aug 2020 Dunleavy R (2019) The regulators are coming: new EU online Platforms Regulation. https://www. lexology.com/library/detail.aspx?g¼90d37e9c-6e44-4a92-a735-ee83c598fa2c. Accessed 20 Aug 2020 European Commission (2019) Digital Single Market: EU negotiators agree to set up new European rules to improve fairness of online platforms' trading practices, Press Release https://ec.europa. eu/commission/presscorner/detail/en/IP_19_1168. Accessed 20 Aug 2020 Evans DS, Schmalensee R (2008) Markets with two-sided platforms. Issues in Competition Law and Policy (ABA Section of Antitrust Law), vol 1, Ch:28 Ferro MS (2019) Uber Court: a look at recent sharing economy cases before the CJEU. UNIO EU Law J 5(1):68–75 Geradin D (2017) For a facts-based analysis of Uber’s activities in the EU: addressing some misconceptions. Competition Policy International (CPI). Jabłonowska A (2019) Airbnb scores a victory before the Court of Justice. http://recent-ecl. blogspot.com/2019/12/airbnb-scores-clear-victory-before.html. Accessed 20 Aug 2020 Poyton D (2019) What makes Uber and Airbnb different in the eyes of the EU – and why it matters. https://theconversation.com/what-makes-uber-and-airbnb-different-in-the-eyes-of-the-eu-andwhy-it-matters-121708. Accessed 20 Aug 2020 Savin A (2019) The CJEU AirBnB Judgment: another look at composite services in the EU. Available via EU Internet Law & Policy Blog - Understanding EU Cyberlaw https:// euinternetpolicy.wordpress.com/2019/12/19/the-cjeu-airbnb-judgment/. Accessed 20 Aug 2020 Schaub MY (2018) Why Uber is an information society service. EuCML 7(3):109–115 Twigg Flesner C (2018) The EU’s proposals for regulating B2B relationships on online platforms – transparency, fairness and beyond. EuCML 7(6):222–233 Van Acker L (2020) C-390/18 – the CJEU finally clears the Air(bnb) regarding information society services. EuCML 9(2):77–80 Van Cleynenbreugel P (2019) Will Deliveroo and Uber be captured by the proposed EU platform Regulation? You’d better watch out. . . https://europeanlawblog.eu/2019/03/12/will-deliverooand-uber-be-captured-by-the-proposed-eu-platform-regulation-youd-better-watch-out/. Accessed 20 Aug 2020

Chapter 24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance Purchases in Videogames Juan Salmerón

Abstract Videogames are one of the most common pastimes in the developed world, and represent one of the largest sectors of the entertainment industry. Collectively, they generate annual revenues that dwarf those of professional sports and cinema. Game publishers have developed new strategies to monetize their games, particularly through so-called microtransactions. A particularly controversial type of microtransactions are loot boxes, random chance purchases in which a player pays for the chance to receive a random in-game item. Due to their functional similarities with gambling, some have argued that loot boxes should fall under gambling rules, and therefore be banned from mass-market videogames. This is the approach taken by The Netherlands, whose gambling authority largely banned loot boxes in 2018. Gambling authorities in the United Kingdom, on the other hand, have used a stricter reading of their gambling laws, reaching the conclusion that loot boxes are not a form of gambling. Nonetheless, a recent report by the House of Lords suggests that the United Kingdom’s apparent tolerance of loot boxes might soon be over.

Here is a fact: 80% of alcohol sales are paid for by alcoholics. Using slot machine tactics, freemium games are able to make millions off of an even smaller percentage of mobile gamers.—South Park’s Canadian Minister of Mobile Gaming1

Special thanks to Jon Burkan for his assistance. 1

“Freemium Isn’t Free,” South Park, Season 18, Episode 6.

J. Salmerón (*) Hague University of Applied Sciences, The Hague, Netherlands e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_24

561

562

J. Salmerón

1 Introduction Videogames are one of the most common pastimes in industrialized nations, with 65% of American homes including at least one gamer. Although, historically, because of technical limitations, videogames were mostly an offline experience, modern games are anything but. Reliant on broadband Internet access, new games are largely dependent on interconnectivity, making it possible for users to play with others from around the world, and allowing them to alter their playing experience by buying additional content.2 The increasing reliance of videogame companies on the sale of additional content has not been free of controversy. It has been argued, for example, that some games, particularly some of the so-called “freemium” or “free to play” games, have become little more than just delivery systems for the sale of additional content (through microtransactions), structured in a way that constantly nudges players to buy more, exploiting their psychological weaknesses and triggers.3 Increased scrutiny has been devoted to loot boxes, a type of microtransaction where a player buys a chance to receive a random in-game item. The argument has been made that loot boxes, at least some of them, should be considered a form of gambling.4 Due to the fact that a significant part of the audience for videogames is made up of minors, some have argued that there is an urgent need to regulate this type of transaction.5 In Sect. 2 of this Chapter, the changes in the videogame market that have led to the current landscape are reviewed, with special attention paid to the monetization strategies that videogame publishers have developed to extend the profitability of their games. In Sect. 3, the analysis moves to loot boxes, a controversial type of microtransaction in which players pay real money for a chance at winning virtual prizes. An analysis is then made on whether loot boxes, due to their characteristics and mechanics, can be understood as a type of gambling. Finally, in Sect. 4, the regulatory approaches taken by the Netherlands and the United Kingdom are analyzed and compared.

2 The Perpetual Monetization of Videogames 2.1

The Current Videogame Market

No longer limited by the constraints of physical media, the videogame industry has shifted its business model from one that predominantly relied on the sale of the games themselves, to one that largely relies on the additional sale of virtual goods to 2

Evers et al. (2015), pp. 20–21. Neely (2019), p. 3. 4 Brooks and Clark (2019), p. 26. 5 Castillo (2019), p. 177. 3

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

563

players.6 Activision Blizzard, for example, one of the largest videogame companies in the world, reported in 2017 that microtransactions alone were responsible for 4 billion USD in revenue (more than half of their annual income).7 Since 2007, sales of this type of virtual goods have gone from 2 billion USD to over 20 billion USD.8 Within this new reality, publishers are able to continue extracting value from a game well after it was first acquired by the player, in a cycle of continuous commodification.9 Some have argued that this change in the industry has negatively affected game design. They argue that, for some publishers, this has created a race to the bottom, as they try to find ways in which to nudge the player into making additional purchases.10

2.2

The Rise of Microtransactions

When videogames were still an offline experience, videogame publishers would often release so-called expansion “packs” or “sets.” These were bundles of additional content that a user could buy to modify the way they played the game, and to patch bugs in the game’s code. Since, at the time, automatic updates and online sales were not possible, publishers had to add enough content to motivate players to not only spend their money on an expansion for a game they already owned, but also to physically go to a store and buy it.11 As Internet access became more widespread, however, and broadband Internet made online delivery of games a real possibility, expansion packs were replaced by paid downloadable content (hereafter “DLC”).12 At first, DLC largely fulfilled the same role as expansion packs, only replacing the physical delivery with digital delivery. Eventually, however, the industry became less focused on creating the kind of content that used to be included in expansion packs, and which significantly altered the game (v.gr. by adding whole new stories or areas to explore), offering instead small alterations to the games, for a much smaller price.13 Although DLCs akin to “traditional” expansion packs are not altogether extinct (some games continue to use them) the industry has largely moved away from them, opting instead to deliver content in the form of so-called microtransactions.14 This move by the

6

Lizardi (2012), p. 34. King and Delfabbro (2018), p. 1967. 8 On the rise in revenue, see Evers et al. (2015), p. 21 and Castillo (2019), p. 168 (noting the 22 billion USD revenue). 9 Lizardi (2012), p. 36. See also MacPhee (2020), p. 138; Lee et al. (2015), p. 238. 10 Ball and Fordham (2018), p. 3. See also Hamari (2015), p. 299. 11 MacPhee (2020), pp. 145–146. 12 Tyni and Sotamaa (2011), p. 311. 13 Castillo (2019), p. 168. 14 MacPhee (2020), pp. 145–146. 7

564

J. Salmerón

industry is not surprising, since it is much more profitable for a company to constantly release small pieces of content, charging a small amount for each (ensuring a wider appeal), than it is to release large and expensive bundles (which would cost much more to produce, and would only be purchased by a tiny fraction of players).15 It is worth pointing out that, despite their frequent use in the specialized press, neither “DLC” nor “microtransaction” have standard and widely-accepted definitions.16 Since “microtransactions” have a rather negative reputation among gamers, who perceive them as predatory, publishers have often tried to distance themselves from the term, labeling their downloadable products as “DLC.”17 This suggests that the term “microtransaction” is often used not so much as term of art, but as a moral statement, with the real difference between a microtransaction and a DLC being just about how it was received by the fans and the specialized press. Instead of focusing on all-encompassing definitions, a better approach to distinguish between “microtransactions” and “DLC” is to focus on what the player actually obtains, and what are the effects of the purchase. From that perspective, microtransactions should only be understood as those electronic purchases (regardless of the price), usable only after a game has been acquired (freemium or paid), whether the purchase was made in-game or not, that fall into any of the following four categories: (1) In-Game Currencies; (2) Expiration; (3) In-Game items; and (4) Random chance purchases. In-game currencies are units of value that are purchased by gamers to use within the game to “buy” items. Expiration microtransactions are those that allow the player to continue playing after they are “killed” within the game (akin to the “insert coin” mechanism on arcade games). In-game items are virtual goods that a player buys to use within the game (e.g., a weapon or a powerup). Finally, random chance purchases are “boxes,” “bags,” “crates,” or “packs” that give the player a random chance of obtaining certain in-game items.18

2.3

The Controversy Surrounding Microtransactions

The increasing reliance on microtransactions by videogame publishers has raised some concerns on whether their mechanics, which can be predatory, put players at risk.19 Indeed, it has been argued that certain industry practices represent such a high risk for players (many of whom are minors) that they should be banned altogether.20

15

Ball and Fordham (2018), p. 2. For some examples of this lack of consistency, see O’Connell (2015) and Crecente (2017). 17 Martin (2017). 18 Wood (2020), p. 279. 19 Neely (2019), p. 5. 20 King and Delfabbro (2018), p. 1967. 16

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

565

As the argument goes, some publishers engage in predatory monetization, i.e. they structure their games in a way that exploits the human psyche as a way to extract revenue. They achieve this by devising a system that disguises or withholds the longterm costs of the purchases, constantly prodding the player to purchase more, and attempting to secure their psychological commitment to the game and its marketplace.21 In fact, some industry whistleblowers have confirmed that, in their specific companies, the monetization mechanics are designed to adapt to individual players, tailoring prompts and in-game content in a constant cycle of revenue-extraction.22 As publishers gather more data from players, and are even able to purchase additional data from third-party aggregators, they can devise extremely effective methods of revenue-extraction, exploiting all of a player’s individual behavioral and psychological weaknesses.23 As an example of this, it has been reported that Facebook data has been used by publishers to identify and target players who already struggle with gambling issues, and who are therefore much more vulnerable to such prompts, both in-game as well as in their social media environments.24 Predatory monetization can create a perpetual cycle of commodification within a game, with users constantly making small purchases (albeit large when put together) that, in turn, create the need for further purchases.25 As the individual price of a microtransaction tends to be quite low (although exceptions apply), and digital platforms (such as Xbox Live, Steam, Google Play, or the PlayStation Store) often maintain the player’s credit card information on record, the system is built around making these purchases as seamless as possible.26 Combined with the fact that the video game audience is largely made up of minors, who are less likely to be able to control their impulses, lack a sense of financial responsibility, and are more likely to engage in risky behavior, this gives publishers a clear opportunity to use microtransactions in a predatory manner.27 Nowhere is the risk of predatory monetization more evident than in the case of random chance purchases (hereafter “loot boxes”), and which not only create ethical issues, but also legal ones.28 Since loot boxes exhibit concerning similarities with gambling, a highly regulated activity, gamers, commentators, and even some regulators, have become more vocal about the risks that they represent.29

21

Ibid. King et al. (2019), p. 132. 23 King and Delfabbro (2018), pp. 1967–1968. 24 Halverson (2019). 25 Lizardi (2012), p. 37. 26 MacPhee (2020), p. 140. 27 See Cermak (2020), p. 320; King and Delfabbro (2018), pp. 1967–1968; MacPhee (2020), p. 140. 28 Castillo (2019), p. 166. See also Neely (2019), p. 2. 29 Lui et al. (2020), p. 18. 22

566

J. Salmerón

3 Loot Boxes and Gambling 3.1

Background

Loot boxes are a type of microtransaction consisting of purchases made in a videogame, where the player receives a randomized reward. In practice, they are virtual crates, packs, or boxes, that a player can buy using real-world money, and which give the player a random chance of receiving valuable items to use within the game.30 Unlike what happens with other types microtransactions, where the player is fully aware and cognizant of what will be received, loot boxes offer no such certainty. Instead, the player purchases the box (or, alternatively, a key to open a box that was obtained while playing the game), not knowing what items are contained inside.31 While the player might receive a rare and valuable item, the odds are against such an outcome, as common items of low value are much more frequent.32 After becoming popular in several Asian multiplayer games, and proving to be highly lucrative for their publishers, loot boxes made their way to Western markets, often as part of freemium games.33 They have since become a very common feature of videogames, including mainstream titles such as Overwatch, CS:GO, Star Wars Battlefront II, and FIFA 18. As of 2020, around a third of computer games, and most mobile games, feature loot boxes.34 It is estimated that by the year 2022, loot boxes alone will generate an annual revenue of around 50 billion USD.35

3.2

The Controversy

Unlike previous videogame controversies, and which came from outside the videogame community (often from scandalized parents or politicians), the controversy around loot boxes first arose within the community itself.36 The topic only reached mainstream attention in the west in 2017, when the game Star Wars Battle Front II was released by Electronic Arts (hereafter “EA”), packed with

30

Wood (2020), p. 271. For the sake of simplicity, this chapter will refer to the purchase of loot boxes, although strictly speaking, some games do indeed only sell keys that can then be used to open such boxes. Any argument made in purchasing loot boxes directly should also be understood to apply, mutatis mutandis, to the purchase of such keys. 32 MacPhee (2020), p. 139. 33 Castillo (2019), p. 169. See also MacPhee (2020), pp. 157–158. 34 Zendle et al. (2020), p. 3. 35 Level (2019), pp. 201–202. 36 Castillo (2019), p. 175. 31

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

567

microtransactions and loot boxes.37 EA’s use microtransactions was particularly egregious, since the game appeared to be structured around forcing players to buy loot boxes to unlock the content of the game they had already bought.38 Indeed, any player who wanted to unlock all of the game’s content, would only have two choices: spending about 2100 USD (35 times the price they had already paid for the game) in microtransactions, or dedicating about 4500 h of playtime.39 The controversy was such that Chris Lee, a Democratic member of the Hawaii House of Representatives, referred to the game as a “Star Wars-themed online casino designed to lure kids into spending money.”40 Although, under increasing public pressure, EA finally opted to remove loot boxes from the game, the damage was already done: By the time loot boxes were removed, EA’s stock had lost 3.1 billion USD in value, the company had lost significant goodwill from consumers and investors, and it had shined a spotlight on the real need for regulating (or banning) loot boxes.41 Beyond the general dislike for the apparently excessive monetization that was present in games like Star Wars Battlefront II, there was a concern that, using loot boxes, videogame companies were ostensibly running an illegal gambling venture.42 Of special concern was the fact that, beyond their already questionable mechanics based on chance, loot boxes seemed to be designed to simulate the same kind of experience that people encountered in a casino. Indeed, the opening of a loot box in a videogame generates the kind of audiovisual feedback that seems more appropriate for a slot machine than a videogame, seeking to trigger very specific emotional responses from players, and inspire them to continue participating.43 Since videogames are not supposed to be the same as gambling, the fear was that, by design, the main participants in these activities would be minors and other vulnerable populations, and who are precisely the audience that gambling regulation seeks to protect. A further source of controversy came from the underground economy that developed around the virtual items obtained through loot boxes. Nowhere is this more visible than in first-person-shooters like Overwatch, or CS:GO, where some companies and individuals have amassed large fortunes through the trading and selling of so-called “skins.” These are cosmetic items that alter the appearance of the player’s character or their weapons, and which, although offer no competitive advantage, are traded and sold by players, both in official as well as unofficial marketplaces.44 Such is the popularity of these trades and sales, that indexes have been developed to keep track of the fluctuation in prices. Skins have also been used 37

Wood (2020), p. 282. Tomić (2018), p. 19. 39 McDonough (2019), p. 62. 40 Quoted in Lui et al. (2020), p. 8. 41 Schwiddessen and Karius (2018), p. 17. See also Wood (2020), p. 283. 42 Castillo (2019), p. 176. 43 Brooks and Clark (2019), p. 26. 44 Holden and Ehrlich (2017), p. 566. 38

568

J. Salmerón

in so-called “skin betting,” where players gamble over eSports matches by betting skins, which then become a kind of fiat currency for the parties involved.45 Although players are not supposed to be able to convert these skins into hard currency, unofficial marketplaces have developed, where players are able to “cash out” their skins for actual money.46

3.3

The Psychology of Loot Boxes

Research shows that players who spend large amounts on loot boxes appear to be much more likely to develop and/or exhibit the kind of psychological issues associated with gambling addiction and problem gambling.47 Furthermore, it has been shown that game developers build their loot boxes around operant conditioning to induce players to engage in gambling-like behavior.48 Operating in a similar fashion to Skinner boxes, loot boxes condition players to expect rewards, and to spend more money in an attempt to finally obtain the dopamine hit that comes from finding a desirable item.49 The variable-ratio reinforcement created by these loot boxes, and which essentially means that players will be rewarded for their actions at irregular rates, is at the very core of gambling, as these randomized rewards are responsible for the rush experienced by players (and gamblers) once they receive the prize they wanted.50 With loot boxes, publishers then rely on players engaging in sunk-cost fallacies and loss aversion to continue buying more loot boxes, in search of a reward.51 While some have argued that the fact that the mechanics of loot boxes trigger emotional responses like those of gambling is an unintended effect, the design of loot boxes themselves makes this hard to believe.52 Several games deploy sensory inputs that are deliberately made to make the player more susceptible. In the game Overwatch, for example, the prizes from the loot boxes glow in different colors, depending on the rarity of the obtained item, while they also produce sounds of crashing coins (like a slot machine) and triumphant music.53 This is not an anomaly, as other games also deploy the same kind of sensory stimulation, down to roulettelike graphics presenting the items in loot boxes.54

45

See, generally, Holden and Ehrlich (2017). Coutu (2015). 47 Brooks and Clark (2019), p. 31. 48 Liu (2019), p. 773. 49 Lui et al. (2020), pp. 16–17. 50 MacPhee (2020), p. 158. 51 Azin (2020), p. 1589. 52 Ibid., p. 1588. 53 Lui et al. (2020), pp. 19–20. 54 MacPhee (2020), p. 146. 46

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

3.4

569

Loot Boxes and Gambling

In general terms, gambling is an activity in which a person uses money to take an uncertain risk, in the hopes of gaining something of value in the future, based completely or largely on chance.55 Although legal definitions differ between jurisdictions, some common elements seem to be generally accepted as identifying gambling: (1) Chance; (2) Consideration; and (3) A thing of value as prize.56 While there is no dispute that consideration exists in loot boxes (a player must make a purchase to use or open the loot box), some dispute exists in the remaining two elements. 3.4.1

Game of Chance

Some have argued that loot boxes are not really games of chance, since players always know that they will receive something.57 This was the argument put forward by the Electronic Software Rating Board (hereafter “ESRB”) an industry group tasked with rating videogames, stating that “[w]hile there’s an element of chance in these mechanics [of loot boxes], the player is always guaranteed to receive in-game content (even if the player unfortunately receives something they don’t want). We think of it as a similar principle to collectible card games: Sometimes you’ll open a pack and get a brand-new holographic card you’ve had your eye on for a while. But other times you’ll end up with a pack of cards you already have.”58 The argument put forward by the ESRB is neither logical nor accurate. Indeed, following such approach, a slot machine that always pays the player one dollar (even if they paid ten dollars to play), would not be considered a form of gambling, since the player receives “something” in return. Furthermore, while there are indeed similarities between trading cards and loot boxes, they are not the same, nor they function in the same way. First, and as was already mentioned, loot boxes are designed to trigger psychological responses that are akin to those resulting from gambling and, as such, put vulnerable users at a much higher risk.59 This phenomenon is not present in trading card games. Second, while a secondary market for trading cards does exist, its size, value, and demographics are vastly different from that of loot boxes.

55

Lam (2007), p. 815. Cermak (2020), p. 278. For other forms in which these elements can be presented, see Drummond and Sauer (2018), p. 531; Griffiths (2018), pp. 52–53. 57 Wood (2020), pp. 287–288. 58 Quoted in Level (2019), p. 209. See also Castillo (2019), p. 176. 59 Lui et al. (2020), p. 16. 56

570

3.4.2

J. Salmerón

In-Game Items as Things of Value

While, for the players themselves, the item obtained from a loot box has a subjective value, that value is not always financial. For example, if the prize items cannot be transferred to a third party (a “closed-loop” loot box), nor can they be redeemed into money, then it is not so clear that they can be considered “valuable.” The difficulty of attaching value to in-game items is one of the arguments that has been put forward by publishers, arguing that loot boxes should not be considered gambling, even those where the items are transferrable.60 Since publishers do not offer a method to cash-out the items, and they nominally forbid such transactions, their argument has been that these items are actually worthless.61 The problem with this logic, however, is that transferrable items do have a financial value, determined by the laws of supply and demand. While it is true that mainstream videogame publishers do not offer means to exchange in-game items for currency, the fact remains that there exists an underground economy that has been built around these items, which easily allows players to redeem their winnings for hard currency.62 The question of value is perhaps the most important obstacle towards adequately addressing the loot box phenomenon. While gambling laws can certainly be used to address loot boxes with transferrable prizes, the same cannot be said with certainty about closed-loop loot boxes, since the value of the prizes is so subjective that it is virtually impossible to assess. At the same time, however, loot boxes often feature mechanics designed to make players spend as much money as possible, and have been linked with problem gambling.63 The question then becomes whether closed-loop loot boxes are so dangerous that they should be treated as a form of gambling, although the “value” of the prize cannot be quantified. Supporters of this idea argue that closed-loop loot boxes represent an “emergent form of gambling” that regulators have simply failed to keep up with.64 They suggest that reading the “value” requirement of the prize as excluding closed-loop loot boxes is unnecessarily strict, since all the other relevant elements of gambling (including the prize itself, even if its value cannot be asserted) are present there.65 Furthermore, they argue that “real” closed-loop loot boxes are rare, since, as was mentioned above, even when a game nominally forbids the sale of in-game items to third parties, there is a plethora of online marketplaces where such transactions are made possible.66

60

King and Delfabbro (2018), p. 1967. Brooks and Clark (2019), pp. 26–27. See also Lui et al. (2020), p. 13. 62 Lui et al. (2020), pp. 14–15. 63 Brooks and Clark (2019), p. 33. 64 Lui et al. (2020), p. 34. 65 Ibid., pp. 11–12. 66 Ibid., p. 15. 61

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

571

4 Regulatory Responses to Loot Boxes As shown in Sect. 3, loot boxes exhibit several significant similarities with gambling. This created a growing concern on the part of parents, who feared their children could become problem gamblers.67 At the same time, videogame players have expressed their concern about what they perceive to be the growing use of predatory monetization techniques in videogames.68 Within that context, authorities in different nations have sought to examine the manner in which loot boxes function to determine how (and if) they should be regulated. Since, despite their similarities, loot boxes do exhibit some differences with traditional gambling, various approaches have been observed. In this Part, the approach taken by the Netherlands is contrasted with the one taken by the United Kingdom, highlighting the way in which these States were able to reach (apparently) opposing decisions.

4.1 4.1.1

The Netherlands The Dutch Gambling Framework

In the Netherlands, gambling is regulated by the Betting and Gambling Act (“Wet op de kansspelen,” hereafter “Dutch Gambling Act”). Since 2012, enforcement and regulation of gambling-related activities is in charge of the Netherlands Gambling Authority (“De Kansspelautoriteit,” hereafter NGA), an organization established with the goal of ensuring consumer protection and addiction prevention, as well as to combat illegal and criminal activities.69 Although the Dutch Gambling Act does not expressly define what “games of chance” are, a definition can be inferred from Article 1.1.a, which makes it illegal “to provide an opportunity to compete for prizes or premiums if the winners are designated by means of any random process over which the participants are generally unable to exercise a predominant influence,” unless a license has been obtained. From this norm, “a game of chance” would then be one in which players compete for a prize, with the outcome depending largely or exclusively on chance. Since the above definition is rather broad, and would ban activities that the legislator certainly did not seek to eradicate, the NGA applies a 4-prong test to determine whether a given activity or game falls within its purview.70

67

Azin (2020), p. 1584. King and Delfabbro (2018), p. 1967. 69 Netherlands Gambling Authority (March 2018), p. 4. 70 Ibid., p. 5. 68

572

J. Salmerón

a. Risk and Relevance: The activity must meet a certain threshold of risk and relevance considering the principles and goals of the NGA.71 Games where gambling is rare, and which do not represent a risk to society, or are not commercially open to the public would not warrant the attention of the NGA, as per Art. 2 of the Dutch Gambling Act. b. Competence and jurisdiction: If the activity is already regulated by a special rule or regulation, and which places it under the purview of a different authority, then the special law will take precedence.72 c. Prize: Players must compete for a prize or premium, in exchange for payment. For the outcome of a game to be considered a prize, it must represent, or be able to represent, economic value, in accordance with Art. 3.2 and Art. 3.3 of the Dutch Betting and Gaming Tax Act (“Wet op de Kansspelbelasting).73 Art. 3.2 of this Act defines prizes as “all goods to which economic value can be assigned,” while Art. 3.3 adds that “where they do not exist in cash, prizes shall be taken into consideration at their economic value.”74 If participation in the game does not require the players to pay a stake, and/or does not offer the possibility of winning a prize, then the activity would fall outside of the purview of the NGA. d. Skill and Randomness: In accordance with the above quoted Art. 1.1.a of the Dutch Gambling Act, the activity or game must determine the winners “by means of any random process over which the participants are generally unable to exercise a predominant influence.” Based on this norm, and to determine whether a game will be understood as “of chance,” the NGA makes a distinction between jeux de contrapartie (games played “against the house”), and jeux de cercle (games played against other participants). While games in the first category (those played against commercial operators) are usually considered as games of chance by the NGA, the second category requires an ad hoc analysis of the role that a player’s skill has in the outcome of the game and the determination of the winners. 4.1.2

Loot Boxes and Dutch Gambling Law

In 2018, in response to increasing concerns raised by parents, gamers, and addiction specialists, the NGA conducted a study on loot boxes. This was less than a year after the release of Star Wars Battlefront II, a game that amplified the controversy surrounding loot boxes and brought it to mainstream attention. It was therefore unavoidable for the NGA to decide whether loot boxes should be understood as a

71

Ibid., p. 7. Ibid., p. 8. 73 Ibid., p. 10. 74 For the special guidelines established for intangible prizes, see Sect. 4.1.2 below. 72

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

573

form of gambling, as concerns had been raised that they represented a “great damage to people, family and society.”75 As the NGA made this determination by applying the 4-prong test outlined above, the same approach will be taken here. a. Risk and Relevance: The NGA found that loot boxes met the relevance threshold, acknowledging the concerns raised by addiction specialists on how loot boxes could pose a risk to vulnerable populations.76 While stating that, so far, there were no indications that loots boxes were being disproportionately affecting addicted or problematic players, it noted that “major problems could arise.”77 Employing the same assessment tool that it uses to analyze other forms of gambling, the NGA determined that loot boxes have, on average, between moderate and high risk potential, particularly due to their design (e.g. the graphics, sounds, and other elements that are present when loot boxes are opened), as well as the seamless way in which players move from a game of skill (the videogame itself) to a game of chance (the loot box), blurring the lines separating the two.78 b. Competence and Jurisdiction: Since there are no special rules or regulations applicable to loot boxes, they would fall under the supervision of the NGA. c. Prize: When it comes to intangible prizes (such as the ones awarded by loot boxes), whether or not they have an economic value will depend on the laws of supply and demand. In general, the NGA will determine the value based on the amount that “a well informed buyer and seller would have agreed.”79 In the case of loot boxes, the NGA looked at the transferability of the prizes themselves to determine whether they have a market value. The NGA determined that if the in-game item awarded by the loot box was transferrable, then the market value threshold had been met.80 The NGA also expressly addressed the question of whether loot boxes could be considered a form gambling if every participant gets a prize.81 Citing a 2002 decision of the Amsterdam District Court, the NGA stated that although, on the surface, a player will always get a prize, this does not prevent a loot boxes to be considered a form of gambling.82 To make this determination, the NGA argued that, in fact, there is no question that “the real winner is the person who wins the major, valuable prize with a high market value.”83

75

Quoted in Castillo (2019), pp. 178–179. Netherlands Gambling Authority (April, 2018), p. 5. 77 Ibid., p. 7. 78 Ibid., pp. 9–10. 79 Ibid., p. 13. 80 Ibid., p. 14. 81 On how this argument has been put forward, see Level (2019), p. 209; Castillo (2019), p. 176. 82 Amsterdam District Court, 17 April 2002, KG02/617 OdC, ECLI:NL:RBAMS:2002:AE2131. 83 Ibid., p. 14. 76

574

J. Salmerón

d. Skill and Randomness: While videogames themselves are games of skill, the NGA confirmed that the loot boxes contained therein are actually games of chance, as players have no impact on the outcome of the loot box itself.84 From its analysis, the NGA determined that loot boxes that result in transferrable prizes, contravened Article 1 of the Dutch Gambling Act, as they would be a form of gambling operating without a license. Since no license for loot boxes exists in the Netherlands, the NGA decision effectively banned (some) loot boxes in the country. Although the NGA expressly excluded closed-loop loot-boxes from its purview, ostensibly due to the impossibility of determining the value of an item that cannot be traded, it did express some concern about them. Indeed, echoing the growing scientific data on the topic, the NGA noted that, although closed-loop loot boxes were not illegal, they could “nevertheless foster the development of addiction.”85

4.2 4.2.1

The United Kingdom The UK’s Gambling Framework

In the United Kingdom (hereafter “UK”), gambling is regulated through the Gambling Act of 2005. This act also established the Gambling Commission as the public body in charge of regulating and supervising gambling in the UK, with the express goal (under Section 24 of the UK Gambling Act) of ensuring fairness in gambling, protecting vulnerable populations, and preventing and combatting crime. Under Section 3 of the UK Gambling Act, gambling is understood as meaning; (1) gaming; (2) betting; and/or (3) participating in a lottery. As bets and lotteries are outside the scope of this chapter, the focus will be on “gaming,” as this is the category that better fits loot boxes.86 Section 6 of the Act defines gaming as “playing a game of chance for a prize,” and which must consist of “money or money’s worth.” 4.2.2

Gambling and Loot Boxes in the UK

In response to the growing concern expressed by the public, in August of 2016 the Gambling Commission issued a discussion paper on emergent forms of gambling, seeking to promote debate on some apparent intersections of gambling and videogames.87 This was followed by a position paper issued in March 2017,

84

Ibid., p. 15. Ibid., p. 15. 86 Lui et al. (2020), p. 10. 87 Gambling Commission (2016), p. 1. 85

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

575

containing the conclusions that the Gambling Commission had reached based on the discussion started by its previous paper.88 In its conclusion, the Gambling Commission reached what is basically the same decision as the one reached by the NGA: Loot boxes where the items can be transferred to third parties, are in contravention of the Gambling Act, since they can be considered “money or money’s worth.”89 Closed-loop loot boxes, on the other hand, since the items cannot be transferred, and therefore have no value, fall outside of the Gambling Act.90 Despite this superficial similarity with the decision of the NGA, however, the way in which the Gambling Commission understood the mechanics of closed-loop loot boxes, meant that its decision had drastically different consequences. For the Gambling Commission, a closed-loop loot box is one in which the items obtained via the box “are confined for use within the game and cannot be cashed out.”91 What matters here, however, is not whether the items can be cashed out at all, but rather whether the game itself offers such possibility. As the Gambling Commission’s executive director stated in an interview, as long as a game does not “contain a facility to be able to cash-out within the game itself,” then it would not be “crossing that line into becoming gambling.”92 In other words, if the game itself does not offer a way to cash-out those items, even if third-party services to that end do exist, then the loot box would not be a form of gambling. From the moment it was issued, the Gambling Commission’s report was met with significant criticism, as different stakeholders argued that such interpretation left gamers unprotected.93 As one commentator noted, “having established that the closed-loop loot box is in essence a legal form of underage gambling, the sole reliance on the technicality of its definition under the 2005 Act is effectively allowing unimpeded, unrestricted, and unregulated access to potentially harmful activities for children and young people. To put it bluntly, both the [Gaming Commission] and the 2005 Act have failed to uphold a crucial component of the tripartite licensing objectives. Regardless of how effective it may have been in regulating traditional forms of gambling while generating revenue for the state, they have failed to adapt to emergent forms of gambling.”94 It is worth noting that although the Gambling Commission did not find that loot boxes are a form gambling (unless the game itself allows for cashing out the winnings), it stated that it did seek to take steps towards mitigating their potential impact.95 In fact, together with delegates from 15 other countries, Commission

88

Gambling Commission (2017), p. 1. Ibid., p. 1. 90 Ibid., p. 5. 91 Schwiddessen and Karius (2018), p. 24. 92 Ibid., p. 24. 93 Ibid., p. 24. 94 Lui et al. (2020), p. 21. 95 Liu (2019), p. 780. 89

576

J. Salmerón

announced in 2018 that it would investigate the “blurring of lines” between gambling and loot boxes, paving the way for what might be a widespread future regulation.96 Recently, in July 2020, and perhaps marking the beginning of a new stage for loot boxes in the United Kingdom, the House of Lords issued a report by its Select Committee on Social and Economic Impact of the Gambling Industry (hereafter “the Committee”), entitled “Gambling Harm – Time For Action.”97 In this report, the Lords acknowledged the limitations established by the Gambling Act on a prize being “money or money’s worth,” while also reviewing the growing evidence about the risks created by loot boxes.98 In light of this analysis, the Committee proposed amending the Gambling Act in a way that would expressly include loot boxes as games of chance, even closed-loop loot boxes.99 Although in the report the UK Government expressed some concern about the risks of extending gambling regulation too much, the Lords argued that the evidence showed “the urgency of taking action, and has not drawn attention to any unintended consequences.”100 Although the Committee’s report is merely a series of non-binding recommendations, the difference with the Gambling Commission’s report is striking. Departing from the literalism of the Gambling Commission, the House of Lords expressly sought to avoid any future situation in which mere technicalities would allow gambling-like activities to avoid regulation or scrutiny, increasing the discretion that the competent authority could use when facing “any activity which in their view has the characteristics of gambling.”101

5 Conclusion The current videogame market is shaped by the presence of microtransactions. This has created several challenges for regulators, as a commercial activity that used to be limited to a single purchase, has turned into one where constant and continuous purchases have become the rule. While, in and of itself, the appearance of this new market should not be a cause for concern, the way microtransactions have been implemented, represents a serious risk for a large segment of the intended audience of videogames. Due the enormous financial rewards that publishers have been able to extract from microtransactions, especially loot boxes, the industry has dragged its feet in

96

Cermak (2020), p. 295. Select Committee on Social and Economic Impact of the Gambling Industry (2020). 98 Ibid., pp. 112–115. 99 Ibid., p. 115. 100 Ibid., p. 114. 101 Ibid., p. 116. 97

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

577

developing any kind of usable self-regulation.102 Although the industry has established labeling requirements for games that contain random-chance purchases, it is debatable whether such measures actually have any effect on player’s behavior.103 The same can be said about disclosure requirements established by some countries, where players are entitled to know the odds of obtaining a certain item through a loot box.104 There does not seem to be any evidence showing that telling their odds to gamblers actually decreases their likelihood of gambling, and it is therefore unlikely that such a measure would achieve such result when it comes to loot boxes. The way both the Netherlands and the UK have approached the issue of loot boxes is illuminating, as it highlights some of the challenges of regulating novel activities that are similar (bot not equal) to gambling. In principle, both the Dutch as well as the UK Gambling authorities are correct in arguing that closed-loop loot boxes should fall outside of gambling regulations, as financial value does seem to be an essential part of any “prize.” Nevertheless, it would be illogical if such a strict understanding of value were to get in the way of the goals of gambling regulation, and which seeks precisely to prevent the exploitation of players. As the evidence for the danger posed by loot boxes continues to grow, particularly its role in turning gamers into gamblers, and considering the absence of specific regulation, authorities should take a cautious approach towards loot boxes. To this end, it would be wise to follow the approach of the NGA on the value of the prize itself, using the transferability of the item to determine whether or not it is a thing of value. It would be ill-advised to require that in-game items should only be redeemable for cash within the same game itself to apply gambling standards, as this would create an artificial and unnecessary limitation for the role of gambling authorities. Once closed-loop loot boxes are understood as being those in which the items cannot be transferred at all, however, the question remains as to whether they should be understood as a form of gambling. As was mentioned above, that seems to be the position put forward by the House of Lords, and which defended the idea of empowering authorities to label as gambling activities that have “the characteristics of gambling” even if they do not strictly meet the legal definition.105 If the aim of gambling regulation is to prevent addiction, and if someone’s likelihood of gambling addiction can significantly increase by regularly using loot boxes, then applying gambling laws would be the right approach. Before such measures are taken, however, and considering the financial impact that such regulation would have, it is important that adequate studies are conducted on the precise risk and danger of loot boxes, even in the absence of financial prizes. After all, if the exploitation of human psychological weaknesses to make someone purchase something was to be considered illegal, the entire field of marketing would have to go underground. 102

Lui et al. (2020), pp. 12–13. On the labeling requirements, see MacPhee (2020), pp. 149–150. 104 Cermak (2020), p. 296. 105 Select Committee on Social and Economic Impact of the Gambling Industry (2020), p. 116. 103

578

J. Salmerón

References Azin K (2020) How pay-to-win makes us lose: introducing minors to gambling through loot boxes. Boston Coll Law Rev 61:1577–1612 Ball C, Fordham J (2018) Monetization is the message: a historical examination of video game microtransactions. In: DiGRA ’18 – Abstract Proceedings of the 2018 DiGRA International Conference: The Game is the Message, pp 25–28 Brooks G, Clark L (2019) Associations between loot box use, problematic gaming and gambling, and gambling-related cognitions. Addict Behav 96:26–34. https://doi.org/10.1016/j.addbeh. 2019.04.009 Castillo D (2019) Unpacking the loot box: how gaming’s latest monetization system flirts with traditional gambling methods. Santa Clara Law Rev 59:165 Cermak D (2020) Micro-transactions, massive headaches: international regulation of video game loot boxes. Mich State Int Law Rev 28:273 Coutu S (2015) Here’s how you make $12,000 in profit a day selling virtual guns, Available via Motherboard. https://www.vice.com/en_us/article/wnj935/heres-how-you-make-12000-inprofit-a-day-selling-virtual-guns. Accessed 1 Aug 2020 Crecente B (2017) What are DLC, loot boxes and microtransactions? An explainer. Available via Variety. https://perma.cc/CNF5-QJ6E. Accessed 20 July 2020 Drummond A, Sauer J (2018) Video game loot boxes are psychologically akin to gambling. Nat Hum Behav 2:530–532. https://doi.org/10.1038/s41562-018-0360-1 Evers E et al (2015) The hidden cost of microtransactions: buying in-game advantages in online games decreases a player’s status. Int J Internet Sci 10:20–36 Gambling Commission (2016) Virtual currencies, eSports and Social Casino Gaming – Discussion Paper. Available via the Gambling Commission. https://perma.cc/NEF2-JZBT. Accessed 2 Aug 2020 Gambling Commission (2017) Virtual currencies, eSports and Social Casino Gaming – Position Paper. Available via the Gambling Commission. https://perma.cc/9BBX-HEEK. Accessed 1 Aug 2020 Griffiths M (2018) Is the buying of loot boxes in video games a form of gambling or gaming? Gaming Law Rev 22:52–54. https://doi.org/10.1089/glr2.2018.2216 Halverson N (2019) How social casinos leverage Facebook user data to target vulnerable gamblers. Available via PBS. https://www.pbs.org/newshour/show/how-social-casinos-leveragefacebook-user-data-to-target-vulnerable-gamblers. Accessed 2 Aug 2020 Hamari J (2015) Why do people buy virtual goods? Attitude toward virtual good purchases versus game enjoyment. Int J Inf Manag 35:299–308. https://doi.org/10.1016/j.ijinfomgt.2015.01.007 Holden J, Ehrlich S (2017) Esports, skins betting, and wire fraud vulnerability. Gaming Law Rev 21:566–574. https://doi.org/10.1089/glr2.2017.2183 King D, Delfabbro P (2018) Predatory monetization schemes in video games (e.g. ‘loot boxes’) and internet gaming disorder. Addiction 113:1967–1969. https://doi.org/10.1111/add.14286 King D et al (2019) Unfair play? Video games as exploitative monetized services: an examination of game patents from a consumer protection perspective. Comput Hum Behav 101:131–143. https://doi.org/10.1016/j.chb.2019.07.017 Lam D (2007) An exploratory study of gambling motivations and their impact on the purchase frequencies of various gambling products. Psychol Market 24:815–827 Lee J et al (2015) The problem of additional content in video games. JCDL ‘15 Proceedings of the 15th ACM/IEEE-CS Joint Conference on Digital Libraries, pp 237–240. https://doi.org/10. 1145/2756406.2756949 Level M (2019) Unboxing the issue: the future of video game loot boxes in the US. Univ Kans Law Rev 68:201 Liu K (2019) A global analysis into loot boxes: is it virtually gambling. Pac Rim Law Policy J 28:763–800

24

Loot Boxes, Gambling, and the Challenge of Regulating Random Chance. . .

579

Lizardi R (2012) DLC: perpetual commodification of the video game. Democratic Communiqué 25:33–45 Lui D et al (2020) Blurring lines: loot boxes and gambling in the video game industry. York Law Rev 1:7–35 MacPhee M (2020) A new form of addiction: a practical regulatory approach towards randomized reward systems in video games to protect consumers from gambling-like practices. Washburn Law J 59:137 Martin M (2017) For a game that promised no microtransactions, the division sure does have a lot of microtransactions (last visited 15 Feb 2019) McDonough R (2019) Loot boxes: it’s a trap. North Ky Law Rev 46:62–86 Neely E (2019) Come for the game, stay for the cash grab: the ethics of loot boxes, microtransactions, and freemium games. Games Cult 155541201988765. https://doi.org/10. 1177/1555412019887658 Netherlands Gambling Authority (March 2017) Guide on assessing games of chance. Available via the NGA. https://www.kansspelautoriteit.nl/publish/library/6/guide_on_assessing_games_of_ chance.pdf. Accessed Aug 2020 Netherlands Gambling Authority (April 2017) Study into loot boxes: a treasure or a burden? Available via the NGA. https://kansspelautoriteit.nl/publish/library/6/study_into_loot_boxes__a_treasure_or_a_burden_-_eng.pdf. Accessed 2 Aug 2020 O’Connell J (2015) The difference between microtransactions and DLC. Available via Hardcore Gamer. https://perma.cc/APA8-XNCY. Accessed 27 July 2020 Schwiddessen S, Karius P (2018) Watch your loot boxes! – Recent developments and legal assessment in selected key jurisdictions from a gambling law perspective. Interactive Entertain Law Rev 1:17–43. https://doi.org/10.4337/ielr.2018.01.02 Select Committee on Social and Economic Impact of the Gambling Industry (2020) Gambling Harm – Time For Action Tomić N (2018) Economic model of microtransactions in video games. J Econ Sci Res 1:17–23 Tyni H, Sotamaa O (2011) Extended or exhausted: how console DLC keeps the player on the rail. In: Lugmayr A, Franssila H, Safran C, Hammouda I (eds) Proceedings of the 15th International Academic MindTrek Conference Envisioning Future Media Environments. ACM, New York, NY, pp 311–313 Wood T (2020) Rigging the game: the legality of random chance purchases (loot boxes) under current Massachusetts gambling law. J High Technol Law XX:270–303 Zendle D et al (2020) The prevalence of loot boxes in mobile and desktop games. Addiction:1–5

Chapter 25

Third-Party Liability of Manufacturers of Automated Vehicles for Over-the-Air Updates Michael Chatzipanagiotis

Abstract Automated vehicles combine software and hardware components in an integrated system. Over-the-air (OTA) updates are a practical method for manufacturers to rapidly deliver system updates. However, such updates may create legal implications, because they may not function properly or create malfunctions or not be delivered in time to solve critical problems. This chapter examines such implications from the perspective of manufacturer third-party liability, under the Product Liability Directive (Directive 85/374/EEC) and the tort of negligence, as applied by English courts. The special statutory rules enacted in the UK and Germany are also considered. It is concluded that claimants will face significant challenges in establishing liability for OTA updates, especially from an evidentiary perspective, and that the most appropriate solutions should be insurance based.

1 Automated Vehicles and Over-the-Air Updates Automated vehicles (AV), commonly known as self-driving cars, are most probably the future of the car industry and driving. They are expected to dramatically decrease accidents and make roads safer, given that 94% of grave accidents are due to human error, while at the same time reduce significantly traffic congestion, driving down costs and CO2 emissions.1 AV are the result of combining and integrating multiple sensors into a single system that help the vehicle adjust its road behaviour to the environment in which it is moving.2 AV combine sensors and software to control, navigate, and drive the

1 See, e.g. Automated vehicles for safety, https://www.nhtsa.gov/technology-innovation/automatedvehicles-safety (last visited 5 May 2020); Goldin (2018). 2 See, e.g. Gilbertsen (2017).

M. Chatzipanagiotis (*) Law Department, University of Cyprus, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_25

581

582

M. Chatzipanagiotis

vehicle.3 Some of these sensors are already in use, e.g. satellite-navigation sensors and ultra-sonic sensors used to detect obstacles in the immediate vicinity of the vehicle. However, they are currently being used either isolated from each other or combined in low-level automation mode, just assisting the human driver, e.g. lane centring assist systems or adaptive cruise-control systems. New sensors are also expected to be widely introduced, such as Lidar, which use light beams to exactly identify obstacles around the car. Over-the-air (OTA) updates are software enhancements transmitted wirelessly to software embedded in a device. They are used to improve system functionality and/or remedy vulnerabilities. This paper will examine the potential applicability of the Product Liability Directive (PLD) and the law of negligence, as applied mainly by English courts, to third-party liability of AV manufacturers, i.e. non-contractual liability of the manufacturer towards persons other than the owner or the driver of the vehicle, for OTA updates on death and bodily injury claims. Property damage and pure mental injury will not be examined. Moreover, the potential role of Event Data Recorders will be briefly presented, alongside the statutory regulation of AV in the UK and Germany.

1.1

Levels of Automation

There are different levels of automation, which vary from simple driver assistance to driverless operation. SAE International, a worldwide association of engineers and technical experts in the aerospace, automotive and commercial-vehicle industries,4 has developed a widely-recognised taxonomy of AV in six classes:5 The human driver performs all or part of the Dynamic Driving Task (DDT)6 Level 0—No Automation: The human driver performs the entire DDT. Level 1—Driver Assistance: The driving automation system executes, in a sustained manner and as specified in the vehicle’s Operational Design Domain (ODD),7

3 Self-Driving Cars Explained https://www.ucsusa.org/clean-vehicles/how-self-driving-cars-work#. W2xOmSQzapo (last visited 5 May 2020). 4 http://www.sae.org/about/ (last visited 5 May 2020). 5 Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles, at 19 (16 Jan. 2014, latest revised 15 June 2018). See general info thereon https://www. sae.org/standards/content/j3016_201806/ (last visited 5 May 2020). 6 The Dynamic Driving Task (DDT) comprises all real-time operational and tactical functions required to operate a vehicle in on-road traffic, e.g. steering, acceleration/deceleration, monitoring the driving environment etc. Strategic functions, such as trip scheduling and selection of destinations and waypoints, are not included in the DDT. See definition in SAE Standard J3016_201806, supra note 5, par.3.13. 7 The Operational Design Domain (ODD) are the operating conditions under which a given driving automation system or feature thereof is specifically designed to function—see definition in SAE Standard J3016_201806, Supra n5, par.3.22.

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

583

either the lateral (steering) or the longitudinal (acceleration/deceleration) vehicle motion, while the driver performs the remainder of the DDT. Level 2—Partial Automation: The driving automation system executes, in a sustained and ODD-specific manner, both the lateral and longitudinal vehicle motion, while the driver completes the subtask of the Object and Event Detection Response8 and supervises the driving automation system. The Automated Driving System (ADS),9 while engaged, performs the entire DDT Level 3—Conditional Automation: The ADS performs, in a sustained and ODD-specific way, the entire DDT, while the human driver has the role of the fallback-ready user, i.e. she is receptive to intervene and respond appropriately following ADS-issued requests or DDT performance-relevant system failures. Level 4—High Automation: The ADS performs, in a sustained and ODD-specific way, the entire DDT and DDT fallback. Level 5—Full Automation: The ADS performs, in a sustained and unconditional way the entire DDT and DDT fallback. AV are complex systems comprised of sophisticated hardware and software components.10 Moreover, AV employing high levels of automation demonstrate non-deterministic behaviour, in the sense that such behaviour depends not only on the user input, but also on the input they receive from their sensors, combined with learning algorithms that enable modification of the current behaviour. As a result, AV can act upon their environment without being fully controlled by a human being, while their actions and the potential consequences are not fully defined and predictable when they are used.11 The above-mentioned issues play a role in apportioning liability between the driver and the manufacturer: The higher the automation level, the more likely it is for

8

The Object and Event Detection Response (OEDR) is comprised by the subtasks of the Dynamic Driving Task (DDT) that include monitoring the driving environment (detecting, recognising, and classifying objects and events and preparing to respond as needed) and responding appropriately to such objects and events, i.e. as needed to complete the DDT and/or DDT fallback—see definition in SAE Standard J3016_201806, Supra n5, par.3.20. The DDT fallback is the response by the user to either perform the DDT or achieve a minimal risk condition after a malfunction has occurred in the performance of the DDT or if the vehicle has exited Operational Design Domain (ODD), or the response by an Automated Driving System to achieve minimal risk condition, given the same circumstances—see definition in SAE Standard J3016_201806, Supra n5, par.3.14. 9 Automated Driving System (ADS) means the hardware and software that are collectively capable of performing the entire DDT on a sustained basis, regardless of whether it is limited to a specific operational design domain (ODD); this term is used specifically to describe a level 3, 4, or 5 driving automation system—see definition in SAE Standard J3016_201806, Supra n5, par.3.2. 10 Barbero et al. (2018), p. 105. 11 Ibid., pp. 104–105.

584

M. Chatzipanagiotis

the manufacturer to be held liable. Furthermore, some pieces of legislation may not be applicable to all levels of automation.12

1.2

Over-the-Air Updates and Product Liability

Generally speaking, liability for OTA updates can have two main forms: (1) Installation of defective updates, which can relate not only to the failure to appropriately improve software performance, but also to the creation of an additional vulnerability. The defect may refer either to the update itself or to the interaction of the update with other software components of the system. (2) Failure to issue updates for known/ discovered defects, e.g. security vulnerabilities. Liability in such cases will relate mainly to the delay in issuing appropriate updates. We shall begin with the examination of the Product Liability Directive (PLD) and then proceed with negligence under the UK law.

2 Liability of Manufacturers Under the Product Liability Directive The Product Liability Directive (PLD)13 aims at striking a balance between protection of consumers and manufacturers through a fair apportionment of the risks of technological production.14 It is a full harmonisation Directive, which means that EU Member States (MS) are not allowed to lay down, in their harmonisation legislation, more stringent rules to protect victims. However, Art. 13 PLD clarifies that the Directive does not affect contractual or non-contractual liability or special product-liability regimes that were in force at the date when the PLD was notified (7 August 1985). The Court of Justice of the EU (CJEU) has underlined that the PLD seeks to exhaustively harmonise only the liability aspects for defective products regulated by it.15

12

See infra, Sect. 5 on the special legislation enacted in the UK and Germany. Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, OJ L 210/33. 14 Recitals (2) and (7). 15 CJEU W and Others v Sanofi Pasteur MSD SNC and Others, Case C-621/15, Judgment of 21 June 2017, par. 20–21; CJEU Novo Nordisk Pharma GmbH v S, Case C-310/13, Judgment of 20 November 2014, par. 23–24. 13

25

2.1

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

585

Elements of Liability

The Directive imposes strict liability on the ‘producer’ for ‘damages’ caused by a ‘defect’ in its ‘product’ (Art. 1). A ‘product’ is any movable, despite being incorporated into another movable or into an immovable, including electricity (Art. 2). A ‘producer’ can be the manufacturer of the end product, the component manufacturer, the producer of any raw material, as well as persons who, by putting their name, trade mark or other distinguishing feature on the product, present themselves as its producer [Art. 3(1)]. The importer of the product in the EU is also deemed a ‘producer’ [Art. 3(2)], while suppliers may also be treated as producers in specific circumstances, which would be rather rare in the motor vehicle sector [Art. 3(3)]. All these persons are liable jointly and severally, without prejudice to the provisions of national law concerning the rights of contribution or recourse (Art. 5). ‘Damage’ means damage caused by death or personal injuries, and damage to property items other that the defective product, which were intended for private use and were indeed used by the claimant for such use, provided that it exceeds € 500 (Art. 9). A ‘defect’ exists when the product does not provide the safety which a person is entitled to expect, considering all circumstances of the case (Art. 6). Producers are not liable, if they prove, among others, that it is probable that the defect which caused the damage did not exist at the time when the product was put into circulation or that this defect arose after that time, or that the state of scientific and technical knowledge at the time the product was put into circulation did not enable the discovery of the defect (Art. 7). Thus, under the PLD crucial is the time at which the particular product was placed in the market. Defects that arose after that point or that could not have been detected at that point do not trigger the producer’s liability. Claims against the producer must be brought before the court within three years from the date when the claimant became aware, or should reasonably have become aware, of the damage, the defect and the identity of the producer (Art. 10). No action can be initiated upon the expiry of a 10-year period from the date on which the producer put into circulation the actual product which caused the damage (Art. 11).

2.2

‘Product’

The notion of product, i.e. all movables including electricity, is one of most disputed elements of the PLD.

586

2.2.1

M. Chatzipanagiotis

Software as a ‘Product’

It is disputed whether the PLD covers software. As long as software is embedded in movables, software can be seen as a ‘product’.16 For non-embedded software, the prevailing view in some EU MS17 seems to consider it a ‘product’: on the one hand, there is no distinction in the PLD between material substance and information; on the other hand, the objective of the PLD to protect end users would be undermined if the claimant had to prove that the damage came from a hardware defect and not from a software defect, because the damaging effect is the same for claimants in both cases.18 It has also been suggested that the crucial element should be whether the software undertakes action in itself, in which case it would be a ‘product’, or merely produces information and is then acted upon a person, in which case it would not be a ‘product’.19 An extensive interpretation of ‘product’ to cover software could be supported by the fact that electricity, which is also intangible, is a ‘product’.20 Since electricity is included in the definition of ‘product’, the general definition includes incorporeal products and the addition of other intangibles is permissible.21 Besides, at the time of the drafting and negotiation of the Directive such technological advances could hardly have been foreseen. Therefore, it can be argued that an evolutive, wide interpretation of ‘product’ is necessary, to align the PLD with modern needs. The counter-argument would be that electricity is mentioned as an exception to the rule; therefore, and given that exceptions should be interpreted strictly, other exceptions are not permissible.22 Moreover, introducing new exceptions could undermine legal certainty and disturb the balance of interests stricken by the PLD. English courts have held that software can be classified as a tangible ‘good’, only if it is incorporated into a physical medium, which means that downloaded software is not a ‘good’.23 In addition, English courts have been reluctant to accept wider policy arguments, such as that the practically accidental fact of software incorporation may lead to different legal treatment of essentially similar cases or the need to interpret legal terms in the light of modern technological development: such issues

16

Barbero et al. (2018), p. 119; Rott (2018), p. 15; Howells et al. (2017), p. 188. See Rott (2018), p. 16. See also Alheit (2001), pp. 194–195. 18 Rott (2018), p. 16. 19 Howells et al. (2017), pp. 191 and 193, albeit making suggestions rather de lege ferenda; Markou (2019), pp. 93 and 202. 20 Whittaker (1989), p. 129. 21 Ibid. 22 Whittaker (1989), p. 129. 23 St Albans D.C. v. International Computers Ltd [1996] 4 All ER 481; Your Response Ltd. v. Datateam Business Media Ltd. [2014] EWCA Civ 281; Computer Associates UK Ltd v Software Incubator Ltd [2018] EWCA Civ 518. 17

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

587

are for the legislator, not the courts to solve.24 As a result, only software incorporated in an AV would be ‘product’. In any case, the issue is unclear and is being currently debated in the framework of the Directive’s evaluation and possible amendment.25 2.2.2

Consequences for AV and Software Updates

AV as such are tangible movables and are undoubtedly ‘products’. However, the situation on software used in AV is less certain. Such uncertainty is increased in cases of software updates and functionality revisions, especially when these are conducted by third parties.26 To the extent that software or software updates can be seen as a service, they will not be covered by the PLD, which regulates only ‘products’.27 In that case, software producers would be subject to liability for service provisions under national law, which EU MS are free to determine, in principle.28 The situation as to software updates is more complicated. The unchallenging scenario is that the producer, before putting newly produced vehicles into circulation, either fails to install software updates or installs defective updates. In that case the updates would be treated as any other incorporated piece, i.e. there would be no distinction between basic software and software updates of software, and the whole product (vehicle) would be defective. Nevertheless, since updates most often regard products already into circulation, in which the software update is distinct from the basic software, the most important scenario in practice regards such cases. One option would be to accept that software updates are also a ‘product’. This would extend victim protection. Nevertheless, software producers would still not be liable under the PLD for failure to release software updates after the product has been put into circulation, since the Directive does not impose a product-monitoring duty. Hence, software producers would be liable for defects in software updates, but not for failure to release the updates. This could create a counterincentive to promptly release software updates to avoid strict liability. Another option would be to deem software updates as a ‘service’, which is not covered by the PLD scope. This would not risk altering the behaviour of producers as to the time of the update release. It would also be better aligned with current practice of maintenance service of motor vehicles: just like traditional motor vehicles 24

See Your Response Ltd. v. Datateam Business Media Ltd. [2014] EWCA Civ 281, at [27]; Computer Associates UK Ltd v Software Incubator Ltd [2018] EWCA Civ 518, at [55]. 25 See European Commission (2016). 26 Barbero et al. (2018), p. 122. 27 Id. 28 I.e. provided that such national rules do not impair the effectiveness of the PLD, especially by excluding the redress rights against producers of ‘products’ for eventual liability under the PLD— see CJEU, Centre hospitalier universitaire de Besançon v Thomas Dutrueux and Caisse primaire d’ assurance maladie du Jura, Case C-495/10, Judgment of 21 December 2011, par. 29–30.

588

M. Chatzipanagiotis

are checked for defects in their mechanical components and are repaired, software components are checked for faults that are repaired via an update. Under this option, EU MS would be free to determine the liability regime for software updates, as already mentioned. Therefore, it is submitted that software updates are not and should not be covered by the PLD. However, even if software updates are deemed a ‘product’, there are additional challenges in applying the PLD to software updates.

2.3

Additional Challenges

The notion of ‘product’ is central in the liability system of the PLD. All other elements of liability are affected therefrom. A major challenge is calculation of the liability time limits. If a software update is a separate ‘product’, then the 10-year period for bringing an action against the producer (Art. 11 PLD), will be calculated with reference to the time the particular update was released. This could extend the producer’s liability way beyond the 10 years from the time the AV was put into circulation. Moreover, there are software updates that bring about minor fixes in the system and major (or critical) updates that solve important issues. It is unclear whether all updates would be seen as ‘products’. It can be argued that only major updates are separate products, but then we should define which updates are ‘major’. Given that motor vehicles and their components are subject to safety approvals,29 and the same goes for any important alterations to their original form, an idea would be to consider ‘products’ only updates that render necessary a regulatory safety re-assessment of the whole vehicle. Yet, again definitional problems arise. Such definitional deficiencies might tempt some manufacturers to avoid characterising updates as ‘major’ or ‘critical’. Then, given (a) the complexity of software systems and updates, (b) the evolving behaviour of AV thanks to their ‘self-learning’ abilities, (c) that users often ignore that OTA updates are installed in their AV and (d) that no absolute safety can be expected by any system, it may be very challenging in some instances to determine the reasonable expectations of users on each software update—and hence the existence of a ‘defect’. Similar issues arise also in other aspects of the producer liability, e.g. the state-ofthe-art defence, and causation between the defect and the damage. Consequently, it is submitted that the strict liability system established in the PLD is inappropriate for software updates.

29

See infra, Sect. 3.2.3.

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

589

3 Liability of Manufacturers for Negligence Beside the PLD, manufacturers of software updates may be liable for negligence.

3.1

Duty of Care

The landmark case Donoghue v Stevenson established the duty of care of manufacturers towards end users/consumers.30 Such duty applies to products that are intended to reach end users in the form that these left the manufacturer’s premises, when there is no reasonable possibility of intermediate examination of the product and the manufacturer knows that the absence of reasonable care in the manufacturing process could result in an injury to the end user or property damage. The duty of care is owned not only to end users, but also to persons in their proximity.31 Liable persons can be end manufacturers,32 component manufacturers,33 suppliers whose functions exceed simple distribution,34 repairers35 etc. 3.1.1

Goods and Services

Contrary to the PLD, in negligence the distinction between goods and services has limited importance, because there is a general duty to exercise reasonable care to avoid causing injury to end users and to people in their vicinity. Besides, issuing OTA updates for AV systems could be seen as a form of vehicle service and repair, since software is an integral component of the whole system. Therefore, the case law on negligence for repairs and maintenance can also be applied on OTA updates.36

30

[1932] AC 562, 599 (Lord Atkins) (HL). E.g. Abouzaid v Mothercare (UK) Ltd [2000] EWCA Civ 348—underage son of buyer of baby pushchair component; Carroll v Fearon [1998] P.I.Q.R. P416 passengers in the car and other road users; Stennett v Hancock [1939] 2 All E.R. 578—pedestrian hit by flange of lorry wheel; Brown v Cotterill [1934] 51 T.L.R. 21—child injured by falling tombstone. 32 E.g. Donoghue v Stevenson [1932] AC 562 (HL). 33 E.g. Divya v Toyo Tire and Rubber Co Ltd (t/a Toyo Tires of Japan) [2011] EWHC 1993; Evans v Triplex Ltd [1936] 2 All ER 283. 34 E.g. Fisher v Harrods [1966] 1 Lloyd’s Rep 500—chemist wholesaler failed to make inquiries to the manufacturers and to warn end users; Herschtal v Stewart and Ardern Ltd [1939] 4 All ER 123—car dealer providing vehicles that he had reconditioned. 35 Donoghue v Stevenson [1932] AC 562, 577 (per Lord Buckmaster); Haseldine v CA Daw & Son Ltd, [1941] 2 KB 343 (CA)—repairer of an elevator that caused injury. 36 See Supra n35. 31

590

3.1.2

M. Chatzipanagiotis

Intermediate Examination

The duty of care arises specifically in the context of latent defects, where there is no opportunity for intermediate examination that would have revealed the defect.37 Intermediate examination is unlikely in the case of OTA updates, which are installed directly to the end user’s vehicle. However, such examination might play a role in case of updates to software components that are developed by suppliers but are examined by the end manufacturer, before being released for installation. 3.1.3

Continuous Duty

The manufacturers’ duty is continuous. This means that manufacturers must monitor their products even after they have been placed in the market for dangers that may arise from their use, issue adequate post-marketing warnings where necessary, and, in extreme cases, recall defective products.38 The post-sale monitoring duty does not necessarily entail that a manufacturer is under a duty to issue software updates—that should be examined mainly in the examination of a potential breach of duty. The point here is that software updates may form part of the post-marketing duty of care. 3.1.4

Foreseeability

The risks posed by the product must have been known or at least reasonably foreseeable by the manufacturer.39 Reasonable foreseeability may be a challenging requirement in case of software updates of highly complex systems, such as AV, in which different software components interact not only with each other but also with other systems (V2X connectivity). Such foreseeability will probably exist, where customer complaints, reports from its distribution network, scientific publications etc. suggest that certain software components may pose safety or security risks under specific circumstances. Nonetheless, the foreseeability requirement would be more important in establishing breach of duty and causation.

37

Grant v Australian Knitting Mills Ltd [1935] All ER Rep 209, 218 (Lord Wright) (PC); Carroll v Fearon, Bent and Dunlop Ltd [1998] PIQR P416, 421. 38 Wright v Dunlop Rubber Co (1972) 13 KIR 255; Carroll v Fearon [1999] E.C.C. 73; Hobbs (Farms) v Baxenden Chemicals [1992] 1 Lloyd’s Rep 54. 39 M/S Aswan Engineering Establishment Co v Lupdine Ltd [1987] 1 W.L.R. 1; Muirhead v Industrial Tank Specialities Ltd, [1986] QB 507 (CA).

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

3.2

591

Breach of Duty

A breach of duty occurs when the defendant omits to do something which a reasonable person, guided upon those considerations which ordinarily regulate the conduct of human affairs, would do, or doing something which a prudent and reasonable person would not do.40 On negligence for OTA updates, the following factors are important when establishing the appropriate standard of care. 3.2.1

No Absolute Safety

Manufacturers owe a duty to exercise reasonable care, which means that they do not have to ensure absolute safety of their products.41 However, in some circumstances the ‘highest level’ of care will be required by the manufacturer.42 In the context of AV, software failures cannot be excluded, especially in view of the complexity and interaction among different software components. However, it is very likely that AV manufacturers will be required to exercise the ‘highest level’ of care towards third parties, as has been the case in accidents involving conventional vehicles.43 3.2.2

Foreseeability of Harm and Circumstances of the Case

The risk of the damage must have been foreseeable at the time that the damage occurred.44 Thus, there will be no liability where the scientific and technical knowledge at that time did not enable the discovery of the defect.45 Moreover, in establishing the appropriate standard of care in negligence, courts consider all circumstances of the case, including the degree of the risk involved,46 the gravity of the harm47 and the cost of precautions as compared to the potential risk.48 It is generally foreseeable that any complex software will have shortcomings (‘bugs’). The problem is that it is not foreseeable exactly what those shortcomings

40

Blyth v Birmingham Waterworks Co. (1856) 11 Ex. 781, 784 (per Alderson B). Holmes v Ashford [1950] 2 All Eng 76 (CA). 42 Divya v. Toyo Tire and Rubber Co. Ltd (t/a Toyo Tires of Japan) [2011] EWHC 1993 (QB), which regarded defective car tyre. 43 Ibid. 44 M/S Aswan Engineering Establishment Co v Lupdine Ltd [1987] 1 W.L.R. 1, 22. 45 A v National Blood Authority [2001] EWHC 446 (QB); Abouzaid v Mothercare (UK) Ltd [2000] WL 1918530. 46 Northwestern Utilities Ltd v London Guarantee and Accident Co Ltd [1936] AC 108; Bolton v Stone [1951] AC 850. 47 Paris v Stepney Borough Council [1951] 1 KB 320. 48 Latimer v AEC Ltd [1953] AC 643. 41

592

M. Chatzipanagiotis

will be, or what their exact impact will be.49 Nonetheless, the reasonable manufacturer of a vehicle, whether automated or not, is expected to collect evidence on the function of the software components, evaluate them and attempt to remedy them as promptly and efficiently as possible. Prior incidents of hacked software that enabled remote control of the vehicle50 should have alerted all manufacturers. Besides, newer models of AV often collect data on the vehicle function and use, and transmit them to the manufacturer.51 At the same time, a variety of factors on software updates should be considered when determining the appropriate standard of care.52 Among them are technical issues of software updates, such as: – Specific software shortcomings need to be identified. Software codes used in automated vehicles have millions of lines,53 while a fully autonomous vehicle is estimated to require around 1 billion lines of code,54 which need to be checked one-by-one to identify the problem. In this regard, it is likely that a software flaw remains undiscovered by the manufacturer and other persons interested in fixing it and is first revealed at the time of a cyberattack (zero day vulnerabilities). Whether such flaw could have actually been discovered earlier may be hard to tell in practice.55 – The discovery of software shortcomings is different than their ability to repair them. Repairing a software problem means that the existing code should be altered. Any alterations need to be appropriate in the sense that they fix the problem, without creating new ones. Thus testing is required, which requires time and money. It is also likely that the creation of new problems is unavoidable, in which case these problems require remedial action as well.56 – An update may solve one problem, e.g. remedy a security vulnerability, but affect the system in other terms, e.g. speed or stability. These parameters require testing too, which may be quite extensive. However, rigorous testing is not always practicable because it may take too long.57 – There is often a trade-off between functionality and security. The more secure a system the more resources it needs, which may affect its functionality.58

49

Scott (2008), pp. 443–444. Solon (2016) and Greenberg (2015). 51 See, e.g. Miller (2019). 52 For a brief overview of the pertinent issues see Automotive security: 10 biggest challenges https:// argus-sec.com/automotive-security-10-biggest-challenges-facing-oem-cisos/ (last visited 5 May 2020). 53 Busnelli (2014). 54 Accelerating Autonomous Vehicle Technology, https://spectrum.ieee.org/transportation/selfdriving/accelerating-autonomous-vehicle-technology (last visited 5 May 2020). 55 See Schneier (2018). 56 See Kurkal (2019), Emma (2019) and Radichel (2017). 57 Ibid. 58 See, e.g. Wolter and Reinecke (2010). 50

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

593

The above-mentioned parameters show that establishing the appropriate standard of care can be quite complicated, despite the abstract foreseeability of injury caused by software deficiencies. 3.2.3

Certification, Standards and Best Practices

The role of standards, to the extent that they exist, will also be very important.59 There are different categories of standards, which may play a role in establishing the appropriate standard of care. There are mandatory regulatory standards to be met for a whole vehicle, a vehicle system or a vehicle component to be certified as safe (type approval). These are established on the one hand in special EU regulations relating to motor vehicles in the EU MS,60 on the other hand in UN regulation developed in the framework of the World Forum for the harmonisation of vehicle regulations (WP.29).61 However, currently there are no such standards as to software updates of automated vehicles. The UN WP.29 has established a special Working Party on Automated/ Autonomous and Connected Vehicles (GRVA), whose priorities include cyber-security and software updates, and is currently working on the development of related regulatory standards.62 A challenging aspect is the effect that one or more OTA updates may have on the certification of the vehicle. An AV may have been certified as roadworthy, yet software updates could influence the overall system functionality and require additional certification. The problem is worsened by the evolving behaviour of AV in the context of their ‘self-learning’ abilities, which may interact with software updates. Compliance with regulatory standards will be a strong indication, but not conclusive proof, of reasonable care, while failure to comply with governmental standards will most likely constitute a breach of duty of care.63 Apart from regulatory standards, industry standards and professional best practices may also provide indications on the applicable standard of care. English courts

59

See for the situation under US law, Hubbard (2014), pp. 1836–1837. Directive 2007/46/EC of the European Parliament and of the Council of 5 September 2007 establishing a framework for the approval of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, OJ L 263/1. With effect from 1 Sept. 2020, this Directive will be repealed by Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, OJ L 151/1. For an overview of the EU technical regulations see https://ec.europa.eu/ growth/sectors/automotive/legislation/motor-vehicles-trailers_en. Accessed 5 May 2020. 61 For an overview of the current system in the UK see https://www.vehicle-certification-agency. gov.uk/vehicletype/type-approval-for-ca.asp. Accessed 5 May 2020. 62 http://www.unece.org/trans/main/wp29/meeting_docs_grva.html. 63 Lambson Aviation v Embraer Empresa Brasiliera de Aeronautica [2001] All ER (D) 152; Cuninghame (1991), para. 55. 60

594

M. Chatzipanagiotis

have held that abiding by professional practice is a factor to be considered,64 provided that such practice is reasonable.65 It has been correctly suggested that implementing best practices in secure software development and testing should be the minimum requirement to avoid a negligence claim.66 There are also instances of practices being recommended by regulatory bodies, which would be an intermediate category between industry practice and regulatory standards. On software security of AV, good practices have been published by the EU Agency for Cybersecurity (ENISA).67 Such practices are not legally binding, but failure of defendants to conform therewith will weigh significantly against them. 3.2.4

Duration of the Duty to Update

Another issue is for how long a manufacturer should be required to issue updates. On the one hand, software technology is progressing very rapidly, on the other hand the expected life expectancy of cars is more than ten years.68 In this regard, we should also consider the high cost of obtaining a vehicle with sophisticated automation technologies, which makes it unlikely that users will replace it in relatively shorter periods. Nonetheless, the cost of replacement of AV will diminish in importance as technology progresses. It is generally accepted that those involved with AV and their components must keep systems secure over their lifetime, which includes timely providing software updates when new threats or vulnerabilities are discovered.69Automotive businesses must consider cybersecurity over the entire product life cycle, because new technical vulnerabilities can emerge at any time and have a direct impact on customers and vehicles already on the road.70 Although such approach is correct in principle, its implementation may not be easy in practice. Software updates need to be accompanied by hardware updates after a certain point—state-of-the-art software cannot run on outdated hardware.71 Therefore, it is likely that a general overhaul of the AV-system is necessary, instead of

64

See Bolam v Friern Hospital [1957] 1 WLR 582—doctor not negligent if he proves that his practice accorded with a substantial body of professional opinion in the field; Lloyd’s Bank v Savory [1933] AC 201—general banking practice followed by the defendant in handling cheques was no defence. 65 Bolitho v City and Hackney Health Authority [1998] AC 232. 66 Scott (2008), p. 446. 67 ENISA (2019). 68 Budd (2018). 69 See Report of the Task Force on Ethical Aspects of Connected and Automated Driving established by the 2nd High Level Structural Dialogue in Frankfurt/M. on 14 and 15 September 2017, June 2018, p. 15, available at https://www.bmvi.de/SharedDocs/EN/publications/reportethics-task-force-automated-driving.pdf?__blob¼publicationFile. 70 Dechman et al. (2019). 71 Schneier (2018).

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

595

mere software updates. In this case, the manufacturer will have to notify users in time that their hardware needs upgrade for their system to remain operational. 3.2.5

Proof of Breach

As to proof of breach of duty, English courts are hesitant to accept the application of res ipsa loquitur in product liability cases, because the defendant has no exclusive control of the product.72 Nevertheless, in some instances they accept the use of inferences from known facts for the establishment of the defendant’s negligence.73 The claimant does not have to indicate the particular individual responsible for the defect in the product nor the particular act of negligence.74 Proving breach of duty of care will be challenging in some cases, considering also the self-learning abilities of AV. The reluctance of English courts to accept application of the res ipsa loquitur in product liability cases75 is expected to increase in highly complex products like AV, which are nevertheless under the control of their owners and drivers. Yet, this does not preclude that English courts will accept inferences to establish the manufacturer’s negligence.

3.3 3.3.1

Causation General Rules

Recoverable are only damages for which the claimant establishes, on the balance of probabilities (but for test), that they are a reasonably foreseeable consequence of the breach of duty.76 No causation is proven, if other probable causes have not been eliminated.77 Where the defendant failed to take preventive measures to avoid the claimant’s injury and such failure is only one among several possible causes, then no causation is established.78

72

See Carroll v Fearon, Bent and Dunlop Ltd [1998] PIQR P416, 421. Grant v Australian Knitting Mills Ltd [1935] All ER Rep 209, 216 (Lord Wright) (PC); Carroll v Dunlop Ltd [1998] PIQR P416, 421; Mason v. Williams & Williams Ld. and Another [1955] 1 W.L.R. 549, 551–552. 74 Grant v Australian Knitting Mills Ltd [1935] All ER Rep 209, 216 (Lord Wright) (PC); Carroll v Dunlop Ltd [1998] PIQR P416, 421. 75 Carroll v. Fearon, Bent & Dunlop Ltd. [1998] EWCA (Civ) 3833. 76 See McTear v Imperial Tobacco Ltd, [2005] Scots CSOH 69; Carroll v Fearon, Bent and Dunlop Ltd [1998] PIQR P416, 426–427. 77 Evans v Triplex Safety Glass Co Ltd [1936] 1 All ER 283, 286. 78 Wilsher v Essex Area Health Authority [1988] AC 1074. 73

596

M. Chatzipanagiotis

Proving causation becomes increasingly difficult as the software in question becomes longer and more complex.79 Besides, reasonable foreseeability is a dynamic concept, because it is based on policy and perception, which change over time. What is ‘reasonably’ foreseeable depends on custom and what people generally believe. In a technological context, foreseeability depends on the perception of people about what technology can do.80 AV will combine a variety of software from different vendors, integrated in the whole system. Part of this software may be pre-installed, yet other pieces of software (apps) may have been installed by the user. A vulnerability in one software component may affect the whole system. Furthermore, vehicles may be connected to public infrastructure and to communicate with each other (V2X connectivity), all of which could cause a software component to malfunction. These factors raise serious challenges as to proof of causation. 3.3.2

Material Contribution to the Risk

An alternative to the ‘but for test’ has been accepted to English courts in a series of cases, related mainly to asbestos litigation on employer liability.81 Under certain circumstances, a court may accept proof of causation, if claimants prove that the defendant’s behaviour significantly increased their risk of harm. The common element of these cases was the existence of a single causative agent, yet the link to the behaviour of the specific defendant could not be sufficiently established.82 Moreover, policy factors were significant.83 Although some judges have underlined that these exceptions are limited to very specific cases,84 other judges have not excluded a potential wider application.85 Legal doctrine seems to also favour a wider approach.86

79

Scott (2008), p. 449. Karnow (1996), pp. 180–181. 81 McGee v National Coal Board [1973] 1 WLR 1; Fairchild v Glenhaven Funeral Services Ltd [2003] 1 AC 32; Barker v Corus [2006] UKHL 20; Sienkiewicz v Greif (UK) Ltd [2011] UKSC 10; Zurich Insurance plc UK Branch v International Energy Group Ltd [2015] UKSC 33. 82 Barker v Corus [2006] UKHL 20, at [24] (Lord Hoffmann); Zurich Insurance plc UK Branch v International Energy Group Ltd [2015] UKSC 33 at [127] (Lord Sumption). 83 Fairchild v Glenhaven Funeral Services Ltd [2003] 1 AC 32 at [34] (Lord Bingham); Deakin and Adams (2019), p. 214. 84 See, e.g. Sienkiewicz v Greif (UK) Ltd [2011] UKSC 10, at [113] (Lord Rodger) and [187] (Lord Brown); Zurich Insurance plc UK Branch v International Energy Group Ltd [2015] UKSC 33 at [1] (Lord Mance, with whom Lord Clarke, Lord Carnwath and Lord Hodge agreed). 85 Fairchild v Glenhaven Funeral Services Ltd [2003] 1 AC 32 at [34] and [74] (Lord Bingham); Zurich Insurance plc UK Branch v International Energy Group Ltd [2015] UKSC 33 at [98] (Lord Hodge) and [127] (Lord Sumption). 86 Deakin and Adams (2019), p. 216; Mulheron (2016), p. 430. 80

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

597

In the case of an accident involving an AV, it might be possible to implement the approach of material contribution to risk, provided that a specific software malfunction has been identified as the cause of the accident, but the exact person or entity responsible for the malfunction cannot be specified. However, where multiple causes had the potential to bring about the accident, then proof of causation is unlikely to be established.

4 Event Data Recorders Event Data Recorders (EDRs), are devices that record basic vehicle data and user input to the system right before, during and right after the accident, such as the vehicle’s speed, braking, position and tilt of the vehicle on the road, the state and rate of activation of all its safety systems etc. They are a useful tool to establish some basic facts surrounding an AV accident. Motor vehicle manufacturers use widely EDRs on a voluntary basis.87 In the EU, Regulation 2019/214488 will make their deployment mandatory for granting type approval and for placing them on the market.89 Although the data recorded by an EDR may not always be able to give answers as to the role of any software updates in the accident, it is likely that certain elements could be at least inferred by the recorded data. From a legal standpoint, important is also access to the data, which under Art. 6(4) Reg. 2019/2144 is restricted to national authorities solely for the purpose of accident research and analysis. Nonetheless, motor vehicle insurers already use such data for claim settlement, while requesting from governments to include their involvement in AV regulations.90

87 According to the US National Highway Traffic Safety Administration 99.6% of manufacturers use some form of EDR in their vehicles. Therefore, the US decided to refrain from prescribing their mandatory use—see 84 FR 2804 (8 February 2019). 88 Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, OJ L 325/1. 89 Art. 6(1), (4) and (5). 90 See, e.g. Association of British Insurers and Thatcham Research (2019), paras 80–82.

598

M. Chatzipanagiotis

5 Statutory Responses in Europe 5.1

UK

In the UK, the Automated and Electric Vehicles Act 2018 (AEVA) has been enacted, which establishes strict liability of insurers of AV. This is a remarkable feature under the UK law, in which strict liability is treated as anomalous.91 5.1.1

The Provisions of the AEVA

The Act applies to ‘automated vehicles’, i.e. vehicles that the Secretary of State has included in a list, and (a) are capable to safely drive themselves, at least in certain situations and (b) may lawfully be used when driving themselves, in at least some circumstances or situations, on roads or other public places in Great Britain.92 A vehicle is ‘driving itself’, if it is operating in a mode in which it is not being controlled, and does not need to be monitored, by an individual.93 Thus, the scope AEVA seems to cover mainly SAE automation levels 4–5.94 Without prejudice to any other person’s liability in respect of an accident, insurers of AV are liable for damage caused to an insured person or any other person by an AV when driving itself on the road, provided that the vehicle is insured at the time of the accident.95 Insurers may not contractually limit their liability, unless the accident was due to unauthorised software alterations or failure to update the software.96 On the latter, s. 4 AEVA contains extensive provisions. Insurance policies may exclude or limit the insurer’s liability towards the insured person, if (a) software alterations were made by the insured persons or with their knowledge and such alterations were prohibited or (b) there was a failure of the insured persons to install safety-critical updates that the they know or ought to reasonably know of being safety critical. The Act clarifies that software updates are ‘safety-critical’, if it would be unsafe to use the vehicle in question without the updates being installed.97 However, if the insured is other than the policyholder, then liability limitations and exclusions are only permitted, if the insured knew of ought to have known that such alterations are prohibited under the policy.98 These provisions do not affect

91

Oliphant (2019), p. 196. AEVA s. 1(1) and (4). 93 AEVA s. 8(1)(a). 94 See in detail Chatzipanagiotis and Leloudas (2020), pp. 169–170. 95 AEVA s. 2(1) and (7). 96 AEVA s. 2(6). 97 AEVA s. 4(6)(b). 98 AEVA s. 4(2). 92

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

599

liability of the insurers towards third parties, yet insurers have a right of redress against the insured in such cases.99 In addition, the Act clarifies that the Law Reform (Contributory Negligence) Act 1945 is applicable.100 The insurer or owner of an automated vehicle is not liable to the person in charge of the vehicle where the accident was wholly due to that person’s negligence in allowing the vehicle to begin driving itself when it was not appropriate to do so.101 5.1.2

Discussion as to Software Updates

Under the AEVA software updates play a significant role in insurer’s liability towards policyholders or insured persons.

5.1.2.1

Safety Critical Updates

Under s. 4 AEVA, an insurer may limit or exclude its liability towards policyholders or insured persons, if they have failed to install software updates, which they know or ought to know that they are ‘safety critical’. The AEVA’s definition of ‘safety critical’, i.e. that it would be unsafe to use the vehicle in question without having installed such updates, is not very helpful. However, we can deduce that without such updates there is a significantly increased risk of the AV being involved in an accident. Safety must be interpreted as comprising (cyber) security, i.e. protection from acts of unlawful interference with the AV. In any case, positive knowledge or at least constructive knowledge of the users is required. In practice, such knowledge will depend on the information that the manufacturer or software developer makes available to the users. Hence, ‘safety critical’ will be the updates that the manufacturer or software developer labels as such, when prompting the user to install them. Such labelling must be clear and conspicuous. Therefore, negligence liability of the manufacturer could be triggered for failure to (adequately) warn on the need to install specific critical updates. Moreover, given that installation of updates may be unsafe while the vehicle is in motion, there will also be grey areas, in which the user is aware of the need to install safety critical updates, but has not been able yet to install them.102 In such cases, it may not always be fair for the insurer to be able to totally exclude its liability.

99

AEVA s. 4(4) and (5). AEVA, s. 3(1). 101 AEVA, s. 3(2). 102 Marson et al. (2019), p. 17. 100

600

M. Chatzipanagiotis

5.1.2.2

Prohibited Alterations

Another instance in which software updates may play a role on the insurer’s liability are alterations to AV prohibited under the policy. The provisions and construction of the policy will be crucial in such instances. The most usual cases are expected to be installation of third-party updates that enhance the automation capabilities of their AV. To the extent that such updates have not been approved by the manufacturer of the AV, they could interfere with the normal operation of the vehicle and create serious safety risks. Besides, such updates are likely to require certification/ approval from the UK Vehicle Certification Authority. In all these cases, the insurance policy may provide for limitation or exclusion of liability towards the policyholder or the insured.

5.2

Germany

In Germany, liability issues for AV have been regulated in the Road Traffic Act (StVG), which provides for third-party liability of the vehicle keeper and driver. Under the Act, the keeper, who is not always the owner of the vehicle, bears strict limited liability,103 while the driver bears limited liability for presumed negligence.104 The Act applies to vehicles of SAE automation levels 2–4.105 When the vehicle is operated in automated mode, the driver is the person who activates and employs the automated mode.106 Under the Act, the keepers and drivers of AV are liable for up to twice as much as the keepers of conventional vehicles.107 Furthermore, the Act contains on provisions on EDR.108 The vehicle keeper must grant access to the recorded data that are necessary for legal claims.109 Although the Act mentions nothing on manufacturer liability, in effect it channels liability for AV accidents to motor vehicle insurers, since motor vehicle insurance is mandatory under the EU law and victims are entitled to turn directly against the insurer.110 Thus, at least concerning third-party claims, Germany has adopted a solution, not radically different than the UK.

§ 7 and 12 StVG. § 17(1) StVG. 105 See §1a (2) StVG. 106 § 1a (4) StVG. 107 § 12(1) StVG. 108 § 63a StVG. 109 § 63a (3) StVG. 110 See Arts 3 and 18 Directive 2009/103/EC of the European Parliament and of the Council of 16 September 2009 relating to insurance against civil liability in respect of the use of motor vehicles, and the enforcement of the obligation to insure against such liability, OJ L 103 104

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

601

6 Conclusion In conclusion, liability for OTA updates can have the form of either releasing defective updates or failure to timely release updates for known vulnerabilities. Under the strict product liability regime of the PLD, software as such is probably not a ‘product’. Furthermore, the frequent release of software updates raises questions as to when the product was ‘put into circulation’, which is interwoven with questions of time limits and defences. Failure to timely issue software updates is not covered. In any case, there will also be significant challenges in establishing causation. Under negligence, the distinction between ‘products’ and ‘services’ diminishes in importance. The challenge lies in proving breach of duty, in view of the inherent complexity of software components, the need to balance safety with functionality, and of the particularities of cybersecurity in which malicious third parties are involved. Technical standards, once established, are expected to significantly affect the establishment of the appropriate standard of care. Duration of the duty to monitor the product and release updates is also a factor, given i.a. that software updates may not be supported by outdated hardware. Proving causation between the breach and the injury will be perhaps the most significant hurdle to be overcome by claimants. Establishing a significant increase in the risk of injury due to the software update, or failure to timely release, would be a helpful alternative to the but-for test, although English courts seem to accept it in very limited circumstances. From an evidentiary perspective, the use of Event Data Recorders will help clarify some critical events and perhaps determine whether a software defect caused or contributed to the accident. The statutory responses of the UK and Germany focus on the insurance aspects of AV and their components. In the UK, direct liability of the insurer of AV is established, but tampering with software or failure to install critical updates may result in limitation or exclusion of the insurer’s contractual liability. In Germany, similar results are achieved by channelling third-party liability for AV to the vehicle’s keeper, who bears strict limited liability, or its driver, who is limitedly liable for presumed negligence. Given the mandatory nature of the motor vehicle insurance, in effect the vehicle insurers are called to clarify the complex liability relations among keepers, drivers and manufacturers. Consequently, claimants are likely to face significant challenges in pursuing claims related to software updates. Insurers will play a crucial role in compensating third parties, but problems related to recourse claims will remain. This is likely to bring about a paradigm shift in insurance products, which AV manufacturers are likely to offer as part of their product.111 At the same time, regulatory standards on 263, 7.10.2009, pp. 11–31. The respective provisions under German law are § 1 of the Act on mandatory motor vehicle insurance (Gesetz über die Pflichtversicherung für Kraftfahrzeughalter) and § 115 of the Insurance Contract Act (Versicherungsvertragsgesetz). 111 Chatzipanagiotis and Leloudas (2020), pp. 167–168.

602

M. Chatzipanagiotis

AV and software updates may contribute to a change in the current model of vehicle ownership: ownership of an AV may become a less attractive option owing to the rapid development of software technology, which could make maintenance more complicated and necessitate more frequent replacement by modernised or newer versions.112 Liability, regulation and insurance can have also economic repercussions. As a result, liability for software updates poses multifaceted challenges, especially from an evidentiary perspective. Regulatory standards on OTA updates and EDR, combined with mandatory insurance will alleviate some practical difficulties for injured persons, but further problems will remain. Potential solutions to such problems might lie in business models, outside the legal field.

References Alheit K (2001) The applicability of the EU Product Liability Directive to software. CILSA 34:188–209 Association of British Insurers and Thatcham Research (2019) Joint Response to the Law Commission and Scottish Law Commission’s Joint Preliminary Consultation Paper on Automated Vehicles. https://s3-eu-west-2.amazonaws.com/lawcom-prod-storage-11jsxou24uy7q/uploads/ 2019/06/AV001-ABI-and-Thatcham-Research-joint-response.pdf. Accessed 5 May 2020 Barbero M et al (2018) Study on emerging issues of data ownership, interoperability, (re-) usability and access to data, and liability, Final Report prepared for the European Commission. https://ec. europa.eu/digital-single-market/en/news/study-emerging-issues-data-ownership-interoperabil ity-re-usability-and-access-data-and. Accessed 5 May 2020 Budd K (2018) How today’s cars are built to last. https://www.aarp.org/auto/trends-lifestyle/info2018/how-long-do-cars-last.html. Accessed 5 May 2020 Busnelli A (2014) Car software: 100M lines of code and counting. https://www.linkedin.com/pulse/ 20140626152045-3625632-car-software-100m-lines-of-code-and-counting/. Accessed 5 May 2020 Caminska I (2020) Why Uber won’t own its autonomous cars. https://ftalphaville.ft.com/2020/02/ 04/1580812662000/Why-Uber-won-t-own-its-autonomous-cars/. Accessed 5 May 2020 Chatzipanagiotis M, Leloudas G (2020) Automated vehicles and third-party liability: a European perspective. Univ Ill J Law Technol Policy 2020:109–199 Cuninghame J (1991) Liability in tort. In: Medvinkaia A et al (eds) Miller: product liability and safety encyclopaedia. LexisNexis, London Deakin S, Adams Z (2019) Markesinis and Deakins’ tort law, 8th edn. OUP, Oxford Dechman J et al (2019) The race for cybersecurity: protecting the connected car in the era of new regulation. https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/therace-for-cybersecurity-protecting-the-connected-car-in-the-era-of-new-regulation#. Accessed 5 May 2020 Deloitte (2019) Urban Mobility and Autonomous Driving in 2035. https://www2.deloitte.com/ content/dam/Deloitte/de/Documents/Innovation/Datenland%20Deutschland%20_Autonomes %20Fahren_EN_Safe.pdf. Accessed 5 May 2020 Emma W (2019) The problems with patching. https://www.ncsc.gov.uk/blog-post/the-problemswith-patching. Accessed 5 May 2020

112

Cf. Caminska (2020), Stocker and Shaheen (2017) and Deloitte (2019).

25

Third-Party Liability of Manufacturers of Automated Vehicles for. . .

603

ENISA (2019) Good practices for security of smart cars. https://www.enisa.europa.eu/publications/ smart-cars. Accessed 5 May 2020 European Commission (2016) Evaluation of the Directive 85/374/EEC concerning liability for defective products – Roadmap. http://ec.europa.eu/DocsRoom/documents/18842/. Accessed 5 May 2020 Gilbertsen C (2017) Here’s how the sensors in autonomous cars work. http://www.thedrive.com/ tech/8657/heres-how-the-sensors-in-autonomous-cars-work. Accessed 5 May 2020 Goldin P (2018) 10 advantages of autonomous vehicles. http://www.itsdigest.com/10-advantagesautonomous-vehicles. Accessed 5 May 2020 Greenberg A (2015) Hackers remotely kill a jeep on the highway—with me in it. https://www. wired.com/2015/07/hackers-remotely-kill-jeep-highway/. 5 May 2020 Howells G et al (2017) Product liability and digital products. In: Synodinou T et al (eds) EU Internet law. Springer International Publishing, pp 183–195 Hubbard P (2014) Sophisticated robots: balancing liability, regulation, and innovation. Fla Law Rev 66:1803–1872 Karnow C (1996) Liability for distributed artificial intelligence. Berkeley Technol Law J 11:147–204 Kurkal V (2019) Want to overcome patching challenges once and for all? Automation is the key. https://www.helpnetsecurity.com/2019/10/30/overcome-patching-challenges/. Accessed 5 May 2020 Markou C (2019) Consumer protection on shopping agent and automated marketplace platforms under EU law. Routledge Marson J et al (2019) The Automated and Electric Vehicles Act 2018 Part 1 and Beyond: a critical review. Stat Law Rev XX:1–22 Miller J (2019) What Tesla knows about you. https://www.axios.com/what-tesla-knows-about-you1f21d287-a204-4a6e-8b4a-0786b0afac45.html. Accessed 5 May 2020 Mulheron R (2016) Principles of tort law. CUP, Cambridge Oliphant K (2019) Liability for road accidents caused by driverless cars. Sing Comp Law Rev:190–196 Radichel T (2017) Why patching software is hard: technical challenges. https://www.darkreading. com/vulnerabilities-and-threats/why-patching-software-is-hard-technical-challenges-/a/d-id/ 1330181. Accessed 5 May 2020 Rott P (2018) Rechtspolitischer Handlungsbedarf im Haftungsrecht, insbesondere für digitale Anwendungen. https://www.vzbv.de/sites/default/files/downloads/2018/05/04/gutachten_ handlungsbedarf_im_haftungsrecht.pdf. Accessed 5 May 2020 Schneier B (2018) Patching is failing as a security paradigm. https://www.vice.com/en_us/article/ 439wbw/patching-is-failing-as-a-security-paradigm. Accessed 5 April 2020 Scott M (2008) Tort liability for vendors of insecure software: has the time finally come? Md Law Rev 67:425–484 Solon O (2016) Team of hackers take remote control of Tesla Model S from 12 miles away. https:// www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-hack-remote-controlbrakes. 5 May 2020 Stocker A, Shaheen S (2017) Shared automated vehicles: review of business models, International Transport Forum Discussion Paper No 2017-09, https://www.itf-oecd.org/sites/default/files/ docs/shared-automated-vehicles-business-models.pdf. Accessed 5 May 2020 Whittaker S (1989) European product liability and intellectual products. LQR 105:125–139 Wolter K, Reinecke P (2010) Performance and security tradeoff. In: Aldini A et al (eds) Formal methods for quantitative aspects of programming languages. Springer, Berlin, Heidelberg, pp 135–167

Chapter 26

The Nature of Rights Upon Cryptocurrencies Evripidis Rizos

Abstract The chapter deals with the issue of the legal nature of the cryptocurrency ownership, from a European and comparative law perspective. After some technical remarks, it is examined first whether a legally recognised right on cryptocurrencies can indeed be established. Second, the exact legal nature of the said right is researched with respect to common and civil law jurisdictions and it is pointed out that the nature of cryptocurrency ownership seems much clearer in common law jurisdictions. As far as the civil law jurisdictions are concerned, the chapter proposes that in a lot of them the cryptocurrency ownership should be perceived as a sui generis absolute right, similar (but not identical) to the traditional ownership on tangible objects, while it is also proposed that, for the sake of clarity, such a right should be explicitly statutorily established in all of the said jurisdictions on the occasion of the transposition of the Directive 2019/713/EU.

1 Introductory Remarks The recent EU Directives 2018/843 (5th Anti-Money Laundering Directive)1 and 2019/7132 have adopted the same definition for virtual currency, as ‘a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal

1

Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU [2018] OJ L 156/43. 2 Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA [2019] OJ L 123/18. E. Rizos (*) Law Faculty, Aristotle University Thessaloniki, Thessaloniki, Greece e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_26

605

606

E. Rizos

persons as a means of exchange and which can be transferred, stored and traded electronically’.3 A lot of virtual currencies, as above defined, are ‘cryptocurrencies’, i.e. virtual currencies whose function relies, more or less, on cryptography. The aim of this paper is to examine whether a legally recognised right or interest upon virtual currencies is indeed established and if so, what is the legal nature of such a right or interest.4 The answers to these questions depend on the legislation of each jurisdiction, since there is no uniform European regulation on the specific matter of cryptocurrency ownership and its legal nature. However, specific legal regulation on virtual currencies in general or on these issues in specific seems not to exist in the domestic legislations as well, since virtual currencies are scarcely regulated. Therefore, the answers to the questions depend more on the relevant domestic general principles and rules, which differ from jurisdiction to jurisdiction. This paper distinguishes between common and civil law jurisdictions, aims to research how these issues are or could be dealt with, in each of these two legal systems in general and in some certain jurisdictions in specific, attempts to discover any common ground or common principles with respect to these particular issues and, finally, proposes a solution concerning certain civil law jurisdictions with respect both the de lege lata and the de lege ferenda understanding of these issues. The question of whether there is at all a legally recognised interest or right on cryptocurrencies is addressed mainly from an EU law perspective, while the question of the exact nature and kind of such a right or interest is addressed from a comparative perspective with respect to common and civil law jurisdictions. This paper focuses mainly on cryptocurrencies for two reasons. First, the cryptocurrencies (such as the Bitcoin) are the virtual currencies of greater economic importance and, most likely, the majority of virtual currencies are cryptocurrencies. Second, the nature of the right or interest on a virtual currency issued by a specific natural or legal person and functioning in a non-decentralised manner is usually not hard to conceive, since it shall most likely represent a claim of the currency owner against the issuer of this currency, depending on the specific function of this currency.5 On the contrary, these issues arise in a much more different manner with respect to the cryptocurrencies, due to their decentralised structure.

2 Technical Remarks Cryptocurrencies typically function on a peer-to-peer blockchain basis that relies on cryptography. A basic understanding of the blockchain function is essential for the understanding of the legal issues that concern the nature of cryptocurrencies and of

3

Article 1(1) d of the Directive 2018/843/EU and Art. 2d of the Directive 2018/843/EU. See however also Lehmann (2019), pp. 93, 123 who argues that it is not ‘necessary to enquire into the ownership of bitcoin or other cryptocurrencies’. Compare also Reyes (2017), pp. 384, 412–413. 5 See Bacon et al. (2018), pp. 1, 92; Piller (2017), pp. 1426, 1428. 4

26

The Nature of Rights Upon Cryptocurrencies

607

the potential rights upon them. Thus, some critical, for the purposes of this paper, issues concerning the blockchain function and the issuance and circulation of cryptocurrencies are to be examined. Not all cryptocurrencies use the same blockchain pattern and in the same manner. However, some common principles can be found among the various blockchain variants. The Bitcoin function and blockchain shall be used for the purposes of this paper as an example of the cryptocurrency function, since it was the first cryptocurrency,6 while many other cryptocurrencies used followingly its (decentralised) structure and manner of function as a model.7 Like every currency, decentralised currencies must deal, inter alia, with two problems: How can we be sure that a person who wishes to transact by spending some currency units is indeed their owner and how can we be sure that this person shall not spend the same currency units many times? 8 In tangible forms of money, these problems are solved by the possession of currency tokens. A person who possesses some currency tokens can be deemed as their owner (regardless of the way that these tokens came to his/her possession) and spend them by delivering their possession and in that way he/she cannot spend the same tokens twice. With respect to scriptural money, an entity (most likely a bank) keeps record of the transactions and the accounts of money owners, so that each transaction increases or decreases the amount of money that each account is entitled to. In digital forms of decentralised money, there is something similar to a bank account, i.e. an address,9 but there is no entity to keep record of the transactions in a centralised manner. This task is undertaken by the whole community of users, who are interconnected via a decentralised, peer to peer, network.10 All transactions of a blockchain-based cryptocurrency (such as Bitcoin or Ethereum) are registered in a publicly accessible digital ledger, the ‘blockchain’,11 which operates by means of a peer-to-peer network.12 A transaction is concluded only by means of its registration in the blockchain.13 The real identities of the payer or the payee are not revealed publicly in the blockchain, since the blockchain records only the addresses of the owners, i.e. ‘essentially a string of letters and numbers’,14 which are used to identify ownership of a certain amount of cryptocurrencies.15 Each person can have an address (actually more than one, like bank accounts) and cryptography has a crucial

6

See Nakamoto (2009), https://bitcoin.org/bitcoin.pdf. accessed 18 May 2020. See also Chason (2018), pp. 129, 139. 8 See Kaplanov (2012), pp. 111, 117; Fairfield (2015), pp. 805, 817. 9 See Hari (2019), pp. 185–214, 188. 10 Nakamoto (2009), p. 3. See also Antonopoulos (2017), p. 25; Brito et al. (2014), pp. 144, 147. 11 See Hoegner (2015), pp. 1–16, 5; Dowd (2014), p. 39; Fairfield (2015), p. 821. 12 Kaplanov (2012), p. 113. 13 See Nakamoto (2009), p. 5. 14 Antonopoulos (2017), p. 64; Raskin (2015), pp. 969, 975; Dion (2013), pp. 165, 168. 15 See Kaplanov (2012), p. 117; Turpin (2014), pp. 335, 338. 7

608

E. Rizos

role to play concerning the function of the addresses.16 One must have first a cryptocurrency ‘wallet’17 and a common way is receiving wallet services from a provider.18 The wallet could be owned physically by the owner, i.e. stored in a disc or even (albeit quite rarely) in a piece of paper or stored by some provider. The wallet generates a private cryptographic key,19 by which a public cryptographic key is derived according to some certain mathematical relationship.20 The address is further derived from the public key.21 This procedure cannot be reversed, namely one cannot find out a private key just by knowing the respective address or the public key,22 something that guarantees that other people than the wallet owner cannot use the private key that corresponds to a particular address. Depending on the transactions registered in the blockchain, each address is entitled to a certain amount of cryptocurrency units. A person who wants to proceed to a transaction, i.e. who wishes to send a certain cryptocurrency amount (e.g. some bitcoins) from one address to another broadcasts a message to the peer-to-peer network23 along with the encrypted digital signature.24 This procedure requires the use of the private key by which the message is signed. Then the decentralised network must decrypt the signature and verify that the message comes indeed from the rightful owner, i.e. the address that wishes to send the amount of the cryptocurrency and that the amount to be spent is indeed owned by this address. Apart from the digital signature and the transaction message, the public key is also necessary for the decryption and the verification of the authenticity of the transaction.25 Thus, while the private key used for the encryption and the signature remains secret, the signature itself and the public key are known to the network. As far as the verification is concerned, individuals who participate in this decentralised network verify that the cryptocurrency amount to be spent is indeed entitled to the address of the payer. With the use of the public cryptographic key the signature is decrypted and it is certified that the message was indeed signed by the same private key that corresponds to this public key and, respectively, to the address of the payer.26 This means that the message was not falsified by a non-authorised person. However, the transaction is not yet concluded. Certain users with the proper software (the ‘miners’) compete using computers’ processing power to solve a very

16

See Fairfield (2015), p. 820. See Chason (2018), p. 141. 18 See Tu (2018), pp. 505, 548. 19 See Antonopoulos (2017), p. 55. 20 See Chason (2018), p. 142. 21 See Antonopoulos (2017), p. 65; Chason (2018), p. 142. 22 See Antonopoulos (2017), p. 57; Chason (2018), p. 149. 23 Badev and Chen (7 October 2014) Finance and Economic Discussion Series 2014-104, 12 https:// doi.org/10.2139/ssrn.2544331 accessed 18 May 2020; Chason (2018), p. 148. 24 Badev and Chen (2014), p. 14; Brito et al. (2014), p. 149. 25 Antonopoulos (2017), p. 57; Chason (2018), p. 150. 26 See Antonopoulos (2017), p. 57. 17

26

The Nature of Rights Upon Cryptocurrencies

609

hard algorithmic test (‘proof of work’).27 This test is produced by the protocol on which the operation of the blockchain is based. Its solution is a prerequisite to the conclusion of the transaction, while the quick solution depends actually on luck and processing power (in fact, a huge amount of processing power is usually necessary).28 The first miner to solve this test actually presents the solution to the network of miners, while the verification of the correct solution is very easy, as in a very complicated Sudoku puzzle where its solution is quite hard, but its verification by a third person is very easy.29 The rest of the miners confirm that the test was indeed solved (more precisely, the majority of the total amount of CPUs is needed for this confirmation)30 and then the transaction is registered with a ‘timestamp’ in the decentralised blockchain31 (in fact each network user has a copy of the blockchain)32 as a part of a block (a block consists of more transactions concluded in a short while).33 Then the address of the recipient is entitled to the amount of the bitcoins sent. This verification procedure is known as ‘mining’.34 The miner who solved the puzzle is rewarded with a certain amount of newly produced cryptocurrency units,35 as a motive to participate in the mining procedure and a reward for the consumption of the amount of energy and computational power required for the solution of the test.36 All of the above are being conducted in an automated way by computers. The human mind just takes the necessary decisions, i.e. to conclude a transaction, to participate in mining etc. The encryption, decryption etc. are highly sophisticated procedures that require a lot of energy and computational power. So, what is practically a cryptocurrency unit and what is factually its ownership? Cryptocurrencies are essentially information registered in this decentralised digital ledger (the blockchain)37 and their circulation depends, on the one hand, on the use of the private keys by which any alteration of the information registered in the blockchain is initiated and, on the other hand, on the function of the peer-to-peer protocol by which this alteration is concluded. An address is entitled to a certain amount of cryptocurrency units, if this is verified by the registrations in the blockchain, and a person can spend this amount by using the respective private key. Thus, ownership of an amount of cryptocurrency units means essentially ‘the ability to transfer it to others’.38 Therefore, a person who holds in fact a private key

27

See Nakamoto (2009), p. 3. Fairfield (2015), p. 822; Chason 2018 p. 151. 29 Antonopoulos (2017), p. 26. 30 Nakamoto (2009), p. 3. 31 Nakamoto (2009), p. 2; Kaplanov (2012), p. 118. 32 Kaplanov (2012), p. 118. 33 See Kaplanov (2012), p. 118; Halaburda and Sarvary (2016), p. 107. 34 See e.g. Böhme et al. (2015), pp. 213, 217; Doguet (2013), pp. 1119, 1128. 35 See Kaplanov (2012), p. 121. 36 Nakamoto (2009), p. 4. 37 See Engelhardt and Klein (2014), pp. 355, 356. 38 Pflaum and Hateley (2014), pp. 1169, 1176. 28

610

E. Rizos

to an address is the person who can initiate transactions concerning the respective address and the person who can benefit from the value of the cryptocurrency units to which this address is entitled.39 However, cryptocurrency units are not identical to private keys. A private key is useless without the blockchain. The ability to transfer cryptocurrency units to others does not consist only of the ability to use the private key.40 It also requires the protocol, i.e. the software that organises the operation of the blockchain and the mining. Hence, holding a private key to an address indicates indeed the factual ownership of the respective cryptocurrency units,41 provided there is a functional blockchain.

3 Legal Recognition of Cryptocurrency Ownership After having described the technical function of cryptocurrencies, the first question to be answered is whether ownership of cryptocurrencies is legally recognised and protected. Only in case of a positive answer to this question, the discussion could be then expanded on the legal meaning of this ownership, namely on the kind of right or interest that the cryptocurrency owner has on a certain amount of cryptocurrencies, according to the registrations in the respective blockchain. If this ownership is not at all legally protected, then there can be no right upon a cryptocurrency at all.42 As already noted, this question shall be addressed from a European perspective. Cryptocurrencies are scarcely regulated, as such, in the jurisdictions of EU Member States, while the CJEU case law indicates rather indirectly that cryptocurrency ownership is indeed legally protected.43 However, there is a recent breakthrough, with respect to this very issue, at an EU law level. Considering the recent EU Directive 2019/713, it could be argued that the ownership of virtual currencies is undoubtedly legally recognised as some form of legally protected property, and that there is a legally protected right on this property—more specifically under Article 6 of the Directive 2019/713/EU. Member States shall take the necessary measures to ensure that performing or causing a transfer of money, monetary value or virtual currency44 and thereby

39

Lehmann (2019), p. 108; The LawTech Delivery Panel - UK Jurisdiction Taskforce (2019), para 43 https://35z8e83m1ih83drye280o9d1-wpengine.netdna-ssl.com/wp-content/uploads/2019/11/6. 6056_JO_Cryptocurrencies_Statement_FINAL_WEB_111119-1.pdf accessed 26 April 2020; Völkel (2017), pp. 385, 387. 40 Bischoping (2018), pp. 239, 255; UK Jurisdiction Taskforce (n 39), para 60. See however also Kütük and Sorge (2014), pp. 643, 644. 41 See Straus and Cleary (2015), pp. 178–216, 186. 42 See e.g. Weiss (2019), pp. 1050, 1054–1055 who rejects the existence of a right on cryptocurrencies. See also Omlor (2017), pp. 754, 760. 43 Judgment of the Court of Justice of the European Union (CJEU), Case C-264/14, ECLI:EU: C:2015:718, Skatteverket v David Hedqvist [2015]. 44 Emphasis added.

26

The Nature of Rights Upon Cryptocurrencies

611

causing an unlawful loss of property45 to another person in order to make an unlawful gain for the perpetrator or a third party is punishable as a criminal offence when committed intentionally by: (a) without right, hindering or interfering with the functioning of an information system; (b) without right, introducing, altering, deleting, transmitting or suppressing computer data. Despite the fact that this is a rule whose primary purpose is the criminalisation of offences, inter alia, against the property on virtual currencies, it is clear that the ownership on virtual currencies (cryptocurrencies consist the most common type of virtual currencies) is treated as some form of legally protected property. While it is true that cryptocurrency ownership was treated by the prevailing opinion as some form of legally protected property even before the Directive46 and even from a constitutional perspective as well,47 the aforementioned provision is a clear proof of the legal recognition of the cryptocurrency ownership.

4 Potential Kinds of Rights on Cryptocurrencies 4.1

Cryptocurrency Ownership As Some Form of Claim?

Unlike the property of scriptural money, i.e. money that has the form of balances in certain bank accounts (checking and savings), which stands for a claim against a bank,48 the property of cryptocurrencies does not represent a contractual (or any other) claim against a person who has an obligation or a duty to perform or omit something.49 The miners are by no means obliged to keep performing the mining procedure, which, as above-mentioned, is necessary in general for a functional blockchain and each cryptocurrency transaction. Nor is the producer of the blockchain, on which each cryptocurrency is based, obliged against the owners of cryptocurrencies to perform payments of any kind. 45

Emphasis added. See AA v Persons Unknown & Ors, Re Bitcoin [2019] EWHC 3556 (Comm); Vorotyntseva v MONEY-4 Ltd (t/a nebeus.com) & Ors [2018] EWHC 2596 (Ch); McGrath (25 April 2016), TLI Think! Paper 22/2016, 18 https://doi.org/10.2139/ssrn.2786206 accessed 28 April 2020; Bacon et al. (2018), p. 87; Bilal (2019), pp. 32–34. For similar judgements outside the EU, see the judgement of the Singapore International Commercial Court B2C2 Ltd v Quoine Pte Ltd [2019] SGHC(I) 03 and the judgement of the US District Court of Southern District of Florida Kleiman v. Wright 9:18-cv-80176-BB https://casetext.com/case/kleiman-v-wright accessed 28 April 2020. Compare however also Lehmann (2019), p. 119; Weiss (2019); Kütük and Sorge (2014), p. 644; Piller (2017), p. 1429. 47 Hillemann (2019), p. 830; Schroeder (2014), paras 33–40 https://doi.org/10.7328/ jurpcb2014296103 accessed 28 June 2017. 48 Low and Teo (2017), pp. 235, 242. 49 Bayern (2014), pp. 22, 32; Boehm and Pesch (2014), pp. 43–54, 49; McGrath (2016), p. 27; Bacon et al. (2018), p. 92; Low and Teo (2017), p. 246; Omlor (2017), p. 758; Ammann (2018), pp. 379, 380; Walter (2019), pp. 3609, 3611. 46

612

E. Rizos

On the other hand, the cryptocurrency owners may have claims against wallet service providers for the delivery of services such as the storage of the private key, but these claims are not identical to a cryptocurrency unit itself (for example, a claim against a wallet service provider for the storage of bitcoins is not itself a bitcoin). First, as already indicated, the private key is crucial for the ownership of a cryptocurrency, but a cryptocurrency unit does not comprise only a private key, since the cryptocurrency itself cannot practically exist without an operating blockchain. Second, the wallet provider undertakes only the duty of storage50 and does not become owner of the private key.51 Unlike the cash that one deposits in a bank (the bank has the right to use it and is obliged to pay back the same monetary value, not the exact same banknotes), the wallet provider has no right to use the private key and conduct payments using the stored key, which is absolutely unique and non-replaceable (unlike cash).52 Thus, a property right in the form of a claim, in a similar form of a monetary claim against a bank on the grounds of savings or checking account, should be excluded.53

4.2

Cryptocurrency Ownership As Some Form of Intellectual Property or Personal Data Protection?

Moreover, the possibility of some form of intellectual property rights on cryptocurrency units should be examined. The blockchain protocol is a software, i.e. an original product of human intelligence and could be an object of intellectual property right, although the concept of software is rather narrowly interpreted (for instance, a graphic user interface is not protected as a computer program).54 Notwithstanding, the blockchain protocol is not to be identified with any single cryptocurrency unit produced by means of the blockchain function and meant to be used to convey purchasing power.55 Each single cryptocurrency unit is neither a product of human intelligence,56 nor original per se;57 they are meant to circulate freely without restrictions or permissions by the software creator. The owner of a

50

See Kaplanov (2012), p. 124. See however also Bayern (2014), p. 26. 52 See Raskin (2015), p. 994. See also Schroeder (2016), pp. 1, 23. 53 Raskin (2015), pp. 993–995; Tu (2018), p. 549; Weiss (2019), p. 1054; Hillemann (2019), p. 831; Engelhardt and Klein (2014), p. 356. 54 Judgment of the Court of Justice of the European Union (CJEU), Case C-393/09, ECLI:EU: C:2010:816, Bezpečnostní softwarová asociace – Svaz softwarové ochrany v Ministerstvo kultury, [2010]. 55 Omlor (2017), p. 758. See also Hillemann (2019), p. 833. 56 Shmatenko and Möllencamp (2018), pp. 495, 497; Walter (2019), p. 3610; Hillemann (2019), p. 832. 57 See Boehm and Pesch (2014), p. 49. 51

26

The Nature of Rights Upon Cryptocurrencies

613

certain amount of any cryptocurrency units does not hold intellectual property rights upon them.58 Besides, it would be accurate to say that intellectual property is ‘enormously inefficient for those who prefer to own rather than license’,59 as in the case of cryptocurrency ownership. Furthermore, an amount of any cryptocurrency is not a database to be protected as such. The blockchain is indeed a database60 (albeit not a typical one),61 since it contains all transactions in a certain cryptocurrency.62 However, a cryptocurrency unit is not identical to the blockchain, as each separate piece of information that a database contains is not identical to the database as a whole. Besides, the private key, which is crucial for the control of the amount of cryptocurrency units that each address is entitled to, is not an element of the registrations in the blockchain and therefore not a part of the database. Nor the ownership of cryptocurrencies is similar to the right of a database user to retrieve and use information that the database contains. The right to retrieve information from the blockchain is not a privilege of the cryptocurrency ownership and, usually, cryptocurrency blockchains are publicly accessible.63 Furthermore, the value of some specific cryptocurrency units lies not only in the information registered in the blockchain but also (and mainly) in the combination of the private key (which is not a part of the database) with the protocol that dictates the way that this key can be used for conveying cryptocurrency units from one address to another.64 A potential interest or right to apply for a certain registration in a database (as a cryptocurrency owner practically does so that a transaction could be concluded) is not identical to the right to retrieve and use information from the database (as the database users have the right to do). Finally, the sui generis right of the maker of a database requires ‘a substantial investment in either the obtaining, verification or presentation of the contents’65 of the database. It is highly doubtful that the owner of a certain amount cryptocurrency amount has invested substantially in this sense, namely for the database development, just by obtaining some cryptocurrencies (the amount of money spent for the acquirement of cryptocurrencies is irrelevant).66 The ledger is maintained not by the cryptocurrency owners, but by the miners; hence, substantial investment, if any, would be provided by them and not by the owners of each cryptocurrency unit.

58 Engelhardt and Klein (2014), p. 356; Kütük and Sorge (2014), p. 644; Omlor (2017), p. 758; Weiss (2019), p. 1054; Shmatenko and Möllencamp (2018), p. 497. See however also Bischoping (2018), p. 253. 59 Fairfield (2015), p. 839. See also Schroeder (2014), para 30. 60 Walter (2019), p. 3610; Möllenkamp and Shmatenko (2019), para 26. 61 See Paulus (2019), p. 1049. 62 See however also Weiss (2019), p. 1053. 63 Compare also Bacon et al. (2018), pp. 97–98. 64 UK Jurisdiction Taskforce (n 39), para 61. 65 Article 7 of Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases [1996] OJ L 77/20. 66 Walter (2019), p. 3611. See also Möllenkamp and Shmatenko (2019), para 27.

614

E. Rizos

As far as the private key itself is concerned, it was already stated above that the possession and use of the private key is necessary for the possession of cryptocurrencies. This private key could be described as data,67 but not as a database, as it could not possibly be understood as a ‘a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means’.68 Therefore, the private key could not be protected as a database. Furthermore, despite being data, the private key is most certainly not personal data.69 Cryptocurrency ownership cannot thus fall under the scope of any legally recognised intellectual property right.

4.3

Cryptocurrency Ownership As Some Form of Personal Property? (Common Law)

In general, property in common law jurisdictions (not necessarily in all of them) is traditionally distinguished in real property (property on immovable things, such as land and buildings) and personal property (property on non—immovable things).70 Personal property rights are to be further distinguished in choses (or things) in possession and choses (or things) in action.71 A chose in possession requires possession on tangible objects. It is clear, thus, that cryptocurrency ownership cannot be neither real property nor a chose (or thing) in possession.72 With respect to choses (or things) in action, according to a very commonly used definition choses in action are ‘all personal rights of property which can only be claimed or enforced by action and not by taking physical possession’.73 The conceptual core of this term seems to be clear and it contains claims, whether

67

Meisser et al. (2018), p. 6 https://www.zora.uzh.ch/id/eprint/153360/1/Jusletter-IT_ VerfuegungsmachtundVerfuegungsrechtanBitcoins-Froriep-Mai2018.pdf accessed 17 May 2020. 68 Article 1 of Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases [1996] OJ L 77/20. 69 See also Schrey and Thalhofer (2017), pp. 1431, 1433. 70 See Clairke (2020), p. 266; Bacon et al. (2018), p. 88. 71 Colonial Bank v Whinney [1886] 11 App. Cas. 426. See also Waterlow & Sons Ltd v Banco de Portugal [1932] UKHL 1; Perry & Ors v Serious Organised Crime Agency [2012] UKSC 35. 72 Bacon et al. (2018), p. 89; UK Jurisdiction Taskforce (n 39), para 67. See however also Raskin (2015); Bilal (2019), p. 35. Compare also Schroeder (2016), p. 28. 73 Torkington v Magee [1902] 2 KB 427.

26

The Nature of Rights Upon Cryptocurrencies

615

contractual or not,74 while it seems to include also non-monetary claims.75 It can contain also other forms of intangible property which in turn contain also some form of an enforceable right or claim76 (such as shares77 or intellectual property rights78), while sometimes a broader understanding of the choses in action can also be found including any intangible form of property.79 As already stated, cryptocurrency ownership stands not for a claim or an enforceable right of action against anyone. However, if the broadest possible concept of choses in action is to be adopted, then there seems to exist no barrier to the classification of cryptocurrency ownership as a chose in action. In fact, it has been argued that cryptocurrency is a chose in action.80 On the other hand, according to another opinion,81 cryptocurrency ownership should not fall under the category of choses in action, since it does not represent a claim. Notwithstanding, the distinction between choses in possession and choses in action does not preclude, according to the same opinion, a third kind of property rights on other intangibles.82 Consequently, if a third kind of property rights can be recognised, including other forms of intangible property,83 cryptocurrency ownership could be classified as such, i.e. this third personal property type.84 Recent case law seems to accord with that very opinion.85 Briefly, there seems to be a consensus in common law jurisdictions that cryptocurrency ownership is some form of legally protected property and, more precisely, it is some form of personal property,86 whether chose in action or another separate kind of personal property. This means that the cryptocurrency owner can, for instance, legally convey this ownership to other persons. It means also that the 74 Lipkin Gorman v Karpnale [1988] UKHL 12; Simpson v Norfolk & Norwich University Hospital NHS Trust [2011] EWCA Civ 1149 (2012) 124 BLMR 1; Williams (1894), p. 143; Holdsworth (1920), pp. 997, 998. See however also Elphinstone (1893), pp. 311, 315. 75 See John Smith & Son v. Inland Revenue [1921] UKHL 313; Clairke (2020), p. 272; Holdsworth (1920), p. 998. See however also Elphinstone (1893); Investors Compensation Scheme v. West Bromwich Building Society [1997] UKHL 28. 76 Clairke (2020), p. 272. 77 Colonial Bank v Whinney [1886] 11 App. Cas. 426; Singer v. Williams [1920] UKHL 386; Inland Revenue v. Laird Group Plc [2003] UKHL 54. See however also Colonial Bank v Whinney [1885] 30 ChD 261. 78 Williams (1895), p. 223; Hackett (2020), p. 13. See however also Brodhurst (1895), p. 64. 79 See also Tolhurst (2016), p. 15. 80 McGrath (2016), pp. 23–27. 81 Bayern (2014), p. 33; UK Jurisdiction Taskforce (n 39), para 86a. Compare also Bilal (2019), p. 35. 82 See Armstrong v Winnington [2012] EWHC 10, [2013] Ch 156; Green and Randall (2009), p. 131. 83 See however also Your Response v Datateam Business Media [2014] EWCA Civ 281, [2015] QB 41. 84 UK Jurisdiction Taskforce (n 39), paras 69–86. See also Bayern (2014), pp. 33–34. See however also Bacon et al. (2018), p. 94. 85 AA v Persons Unknown & Ors, Re Bitcoin [2019] EWHC 3556 (Comm). 86 See also Tu (2018), p. 550.

616

E. Rizos

cryptocurrency owner has tortious claims against tortfeasors who unlawfully manage to take control of this property (e.g. by depriving the private key from its owner)87 or unlawfully cause harm to the owner with respect to this property, in a way that tort liability could be established, even if the inflicted harm regarded also other forms of property (e.g. by extortion/blackmail).88

4.4

Cryptocurrency Ownership As Some Form of Jus In Re? (Civil Law)

In civil law systems, there is typically a distinction between absolute ( jura in rem) and relative ( jura in personam) rights.89 A right is absolute if anyone could technically interfere with it (such as the right on someone’s own physical integrity) and, thus, should be respected (at least principally) by anyone. A relative right is a right aimed only against a specific person and only this person is obliged to comply with the content of the right (e.g. a contractual claim). Property rights on things ( jura in re), such as ownership on things and mortgage, are a typical example of absolute rights. There is usually a numerus clausus of absolute rights,90 although there is some discussion on the matter of the existence and the potential meaning of this numerus clausus of absolute rights in general,91 while there is no doubt concerning the existence of a numerus clausus of jura in re.92 This means that there can be no other jura in re (or eventually even absolute rights in general), other than those legally provided. Furthermore, the object of jura in re is typically a ‘thing’. What consists a thing from a legal perspective is usually a matter of a statutory definition and various civil law jurisdictions have adopted different definitions. While there is no dispute that tangible objects, movable or immovable, fall under the concept of thing, some legal definitions are so narrow as to exclude all intangibles from the definition. For instance, according to the German definition ‘only corporeal objects are things as

87

See Lehmann (2019), p. 121. See also Zaytoun (2019), pp. 395, 419. See AA v Persons Unknown & Ors, Re Bitcoin [2019] EWHC 3556 (Comm). 89 See e.g. Tuhr (von) A (1923), p. 13; Medicus (2006), p. 31. See for a similar distinction in common law Langdell (1900), pp. 537, 538. 90 Larenz and Wolf (2004), p. 252; Engelhardt and Klein (2014), p. 356. 91 See Heinze (2018), para 96; Karibali-Tsiptsiou (2003), pp. 48–50. 92 Gaier (2020), para 11; Heinze (2018), paras 94–109; Shmatenko and Möllencamp (2018), p. 497. 88

26

The Nature of Rights Upon Cryptocurrencies

617

defined by law’.93 In other jurisdictions (e.g. Italy,94 Switzerland95 and Greece96), the definition of the thing is broader, as it includes also intangible forms of energy that human beings can limit within some certain space and control, such as electricity. There are also legal definitions, such as the Austrian, which are much more flexible (‘everything, that is separate from a person, and can be of use for human beings, is a thing from a legal perspective’),97 although it is argued that it is not perfectly clear, even by these broad definitions, whether intangible objects fall under their scope.98 With respect to cryptocurrency ownership, in jurisdictions (as in Germany) that adopt a narrow legal definition of a thing, excluding all intangibles, it is rather clear that there can be no jura in re on cryptocurrencies, since they are not tangible,99 although a different opinion was expressed quite recently.100 In jurisdictions with a very broad legal definition of things (e.g. Austria), it could be argued that cryptocurrency ownership is indeed in re ownership on things.101 The situation seems more complicated in jurisdictions (as in Switzerland and Greece) where an intermediate definition is adopted, according to which even confineable energy could be legally a thing. The reason is that digital data could be perceived (and from a pure physics point of view, this could be true)102 as some form of energy that is controlled and confined by human beings. Therefore, it could be argued that a jus in re in the form of ownership is possible on cryptocurrencies as well, since they are substantially digital data,103 although the prevailing view seems to reject this classification due to the lack of tangibility.104 Anyway, the categorisation of the 93

Article 90 of the German Civil Code (translation author’s own). ‘Natural forms of energy which have some economic value are considered mobile things’ (translation author’s own). 95 ‘Movable corporeal objects and forces of nature that may be subjects of legal rights and which do not form part of immovable property are the objects of chattel ownership’. Article 713 of the Swiss Civil Code (translation author’s own). 96 ‘Forces of nature and forms of energy, especially electricity and heat, are considered things, provided that they can be subject to control, when they are confined in some certain space’. Article 947 para 2 of the Greek Civil Code (translation author’s own). 97 Article 285 of the Austrian Civil Code (translation author’s own). 98 See Pittl and Steiner (2020), pp. 81, 85. 99 Engelhardt and Klein (2014), p. 356; Kütük and Sorge (2014), p. 644; Boehm and Pesch (2014), p. 49; Ammann (2018), p. 380; Omlor (2019), pp. 289, 290; Beck and König (2015), pp. 130,133; Kirschbaum and Stepanova (2019), pp. 286, 288; Weiss (2019), p. 1054; Schroen (2019), pp. 1369, 1371; Omlor (2017), p. 758; Shmatenko and Möllencamp (2018), p. 497. 100 John (2020), p. 76; Walter (2019), p. 3613. 101 See Piska and Völkel (2017), pp. 97, 98; Völkel (2017), pp. 387–388; Vonkilch and Knoll (2019), p. 139. 102 On the contrary Meisser et al. (2018), pp. 5–6. 103 Eckert (2016), p. 245. See also Meisser et al. (2018), p. 8 (in favor of an analogous implementation of jura in re principles). Compare Raskin (2015), p. 991; Bilal (2019), p. 35. 104 See e.g. Bericht des Bundesrates (14 December 2018), pp. 46–49 https://www.admin.ch/gov/de/ start/dokumentation/medienmitteilungen.msg-id-73398.html accessed 17 May 2020; Piller 2017 94

618

E. Rizos

ownership on cryptocurrencies as a jus in re meets a rather insuperable hindrance, with the possible exception of jurisdictions, such as the Austrian, where a broad definition of the objects of a jus in re could be much helpful.105 The concept of a thing, as an object of jura in re, requires the capacity to control it106 and a cryptocurrency owner has control only over the private key that relates to an address. Only the private key could be perceived as digital data subject to the control of a certain person.107 A cryptocurrency amount credited to an address is not identical to the private key to the address, in the same manner that a key to a house is not the house itself (it is necessary for the possession of the house but not the house itself). The private key is necessary for the use of the address, i.e. the conclusion of transactions with the cryptocurrency amount credited to this address, but this use is impossible without a blockchain protocol and a functional blockchain. The cryptocurrency owner has practically no control over the protocol or the decentralised blockchain, nor a claim against the miners to keep mining, i.e. helping him/her concluding the transactions. Unlike, for example a land register,108 which keeps record of rights on tangible objects that may be of practical use irrespective of the rights on them and of their registration (property rights are not to be mixed with their object),109 cryptocurrencies have no other practical existence than being a registration in a ledger.110 They can be of no other use than being transferred by means of a registration in this ledger.111 Unlike the objects of jura in re, which exist irrespective of a property information system about them,112 the objects of cryptocurrency ownership, i.e. the cryptocurrencies, for all practical purposes do not exist without a blockchain113— i.e. the property information system about them—while the cryptocurrency owner has virtually no control over the existence and function of the blockchain, even in the form of an enforceable right against the person who keeps record of the transactions.114 This is a plausible hindrance for the recognition of a jus in re ownership on a cryptocurrency as a whole entity.115

p. 1429; Fröhlich and Bleuler (2017) https://datenrecht.ch/gianni-froehlich-bleuler-eigentum-andaten-in-jusletter-6-maerz-2017/ accessed 16 May 2020. 105 See Völkel (2017), p. 387. 106 See Stieper (2017), para 1. 107 See Hillemann (2019), p. 833. 108 For a thorough comparison between Bitcoin and real property information and transaction systems see Chason (n 7). Compare also Wilsch (2017), p. 761; Ammann (2018), p. 381. 109 Fairfield (2015), p. 811. 110 See Low and Teo (2017), p. 252; Shmatenko and Möllencamp (2018), p. 497. 111 See UK Jurisdiction Taskforce (n 39), para 60. 112 Compare also Fairfield (2015) for a very interesting argument that property is actually information. 113 See Weiss (2019), p. 1052. 114 See also Möllenkamp and Shmatenko (2019), para 36. 115 See also McGrath (2016), p. 20.

26

The Nature of Rights Upon Cryptocurrencies

619

With respect to the private key itself, it is true that it would be hard to conceive a jus in re ownership on the private key itself,116 since it is not to be identified with the material that contains it, may that be a hard disk, a USB stick, a server or even a piece of paper.117 Even if one sees digitalised information as energy contained and controlled by human beings, the energy is only the material that contains the information, but not the information per se.118 From an exclusivity perspective, a cryptocurrency owner could (or even should) have several copies of a private key in several material forms and/or in several digital archives. The multiplication of the copies of the private key does not mean multiplication of the private key itself, as its function remain the same and even one copy is enough to initiate a transaction. Moreover, a ‘thief’ could deprive one’s cryptocurrencies not just by removing the possession of the material which contains the private key, but even by making a copy of it. In that case, both the legal owner and the ‘thief’ have control over the private key and potential control over the respective address. Whoever uses the private key first to initiate a transaction shall be the person who will actually reap the benefits of the factual ownership on the cryptocurrency.119 This may seem essentially different to the ownership on things. Nonetheless, the private key is in fact what the term declares: a key. All of the above could happen even in physical forms of keys to a house, a car, a safe etc. One could have multiple copies of the same key, yet the multiplication of keys does not lead to the multiplication of the thing to be unlocked. Furthermore, a thief could steal a car not just by depriving the owner from the key to the car but also by making a copy of it. However, the thief has not concluded the car theft just by having the key to the car. The car’s owner may drive it first beyond the thief’s reach, as the cryptocurrency owner may use the private key first. There is no essential functional difference between the private key and a tangible key. If the key to lock/unlock a thing is a serious indication that this thing is rivalrous, then there is no difference from that perspective (despite the mentioned differences) between a cryptocurrency and, e.g. a house or a car.120 It might be noticed that each copy of the tangible key is a different thing, as it has a separate physical existence from the other copies. However, there seems to be no reason why there cannot be an analogy to the various copies of private keys. While there is no doubt that information is not to be perceived as identical with its material carriers,121 nevertheless there is some material ‘imprint’ of the information. An empty hard disk differs from the same hard disk if there is some data in it even from a pure material/physical perspective;122 the information has its own physical imprint even in the form of intangible energy. Therefore, although this categorisation is far from being perfect, in jurisdictions

116

See Low and Teo (2017), p. 247. See Antonopoulos (2017), p. 88. 118 See also Fairfield (2015), p. 841. 119 See Zaytoun (2019), p. 414. 120 Compare Zaytoun (2019), p. 413; Fairfield (2015), p. 864. 121 See Hillemann (2019), p. 833. 122 Compare Engelhardt and Klein (2014), p. 357. 117

620

E. Rizos

where energy could be classified as a thing, the private key itself could be perceived as a thing and, thus, object of a jus in re ownership. From a functional and teleological perspective, this might be the most plausible analogy available up to now.123 There remain two final remarks considering this issue. First, the private key is actually a random number.124 There can be no property right on the number as such;125 the property right can be acknowledged on the private key only from a functional perspective.126 It is the potential function and use that makes a private key an object of legal property and legal protection.127 This functional perspective is no novelty even in civil law systems. In fact, the question of whether an object, even a tangible one, is a thing often requires some further consideration with respect to the functions of this object128 or its trading use.129 Second, the recognition of a right on the private key does not solve the problem of the legal categorisation of cryptocurrency ownership at all. The private key is no more than a key and what is to be unlocked by it—i.e. the address that holds some cryptocurrency units— differs essentially from all things (houses, safes, cars etc.) that are typically unlocked by keys.

4.5

Cryptocurrency Ownership Protection by Means of Tort Law Mechanisms

With respect to common law, it was pointed out above that since cryptocurrency ownership is indeed deemed as some form of personal property, there is no doubt that unlawful intrusions to this property (such as the unlawful detachment of the private key) establish tort liability. In civil law jurisdictions, where, as above indicated, the exact legal nature of cryptocurrency ownership appears less clear, it is however argued (in fact there seems to be no doubt about it) that the cryptocurrency owner can be protected by means of tort law mechanisms, in cases that someone inflicts her/him damages in an unlawful manner. More specifically, in civil law systems, tort liability is not regulated based on a list with some specifically provided torts, but by means of few general clauses, which, in a highly general and abstract manner, provide usually that tort liability is established in cases of unlawful infliction of damage, whether willfully or negligently. Apart from the few general clauses, there are also a few special provisions considering 123

See also John (2020), p. 80; Walter (2019), p. 3613; Meisser et al. (2018), p. 8. Antonopoulos (2017), p. 58. 125 See also Low and Teo (2017), p. 247; Meisser et al. (2018), p. 7. 126 See Meisser et al. (2018), p. 8. Compare also Bayern (2014), p. 34. 127 Compare Low and Teo (2017), p. 248. 128 See John (2020) p. 78; Piller (2017), p. 1429. See also Walter (2019), p. 3611. 129 Karibali-Tsiptsiou (2003), p. 92. 124

26

The Nature of Rights Upon Cryptocurrencies

621

special tort liability in cases such as the animal keeper’s liability where a stricter or even purely strict liability is established.130 Concerning ‘unlawfulness’, in some jurisdictions (e.g. France131 and Spain132) this is not an explicit prerequisite to the tort liability in the respective general clauses, although it is widely accepted that unlawfulness, even in a broad sense of the term, is implied by the term ‘fault’ and, thus, an unlawful act or omission is required for the establishment of tort liability.133 In other jurisdictions (e.g. Switzerland,134 Italy,135 Greece136), the unlawfulness is provided as a tort prerequisite in a most abstract manner, and terms such ‘unlawfully’ or ‘in an unjustified manner’ are used to indicate this separate prerequisite. Finally, in other jurisdictions (e.g. Germany), unlawfulness, as a tort condition, is further detailed in the form of some specific rights that must have been infringed by a generally unlawful conduct137 and/or it is also defined as the violation of some statute, that aims to protect rights or interests of another person.138 Concerning the infringement of cryptocurrency ownership, it is not disputed that, as a principle, the infliction of harm to the owner is a tort. However, until the recent Directive 2019/713/EU and its imminent transposition, it was not a given why this harm infliction is unlawful (even in the form of a criminal offence),139 since not every harm infliction is unlawful per se. The Directive 2019/713/EU provides explicitly the criminalisation of unauthorised infringements of cryptocurrency ownership. When transposed, there shall be specific criminal law rules in each Member State, upon which the said unlawfulness would easily be established, as even the breach of some criminal law rule suffices for this prerequisite. Up to now, it has been argued that the tort liability could be justified on the grounds of a legally protected,

130

See e.g. Article 833 of the German Civil Code. ‘Any human action whatsoever which causes harm to another creates an obligation in the person by whose fault it occurred to make reparation for it’. Article 1240 of the French Civil Code (translation at https://www.trans-lex.org/601101/_/french-civil-code-2016/ accessed 16 May 2020). 132 ‘The person, who as a result of an action or omission, causes damage to another by his fault or negligence shall be obliged to repair the damage caused’. Article 1902 of the Spanish Civil Code (translation at http://derechocivil-ugr.es/attachments/article/45/spanish-civil-code.pdf accessed 16 May 2020). 133 See van Dam (2013), p. 57. 134 ‘Any person who unlawfully causes damage to somebody else, whether willfully or negligently, is obliged to compensation‘. Article 41 of the Swiss Code of Obligations (translation author’s own). 135 ‘Any act, willful or negligent, that causes unlawful damage to somebody else establishes an obligation of the person who has committed this act to compensate for the damage’. Article 2043 of the Italian Civil Code (translation author’s own). 136 ‘Any person who causes damage to somebody else, unlawfully and at fault, is obliged to compensation’. Article 914 of the Greek Civil Code (translation author’s own). 137 ‘Any person who, willfully or negligently, injures unlawfully the life, body, health, freedom, property or some other right of another person is obliged to compensate the injured person for the arising damages‘. Article 823 para 1 of the German Civil Code (translation author’s own). 138 ‘The same obligation is held by any person who breaches a statute intending to protect somebody else’. Article 823 para 2a of the German Civil Code (translation author’s own). 139 See e.g. Boehm and Pesch (2014), pp. 49–50. 131

622

E. Rizos

against foreign intrusion, interest on a person’s data, based on the provision of the unauthorised intrusion into foreign digitalised data as a criminal offence. For example, in Germany, these criminal rules serve for the classification of cryptocurrency ownership as ‘another property right’, whose infringement establish tort liability under Article 823 of the German Civil Code.140 According to a similar perspective, this tort liability is similar to the liability of a person that infringes another person’s de facto possession on a thing, since in both cases there is legal protection of a mere de facto possession, which nevertheless is not recognised as a right.141 Notwithstanding, the specific provisions of the Directive about cryptocurrency ownership, when transposed, shall clearly solve the issue of tort law protection.

4.6

A New Sui Generis Right? (Civil Law)

Setting the tort law mechanisms in action may solve a lot of practical issues of the cryptocurrency ownership protection, but it still does not answer to the main question on the legal nature of the cryptocurrency ownership, albeit a question of rather theoretical value since at least protection by means of tort law is a given. From the brief analysis above, we can conclude that ownership on the cryptocurrency as a whole, and not just on the private key, cannot fit in any of the existing civil law figures, since it is neither a claim, nor some kind of the already established absolute rights (e.g. intellectual property rights, jura in re etc.). Accepting a new kind of absolute right on cryptocurrencies is not as simple as it may appear, due to the numerus clausus of absolute rights.142 Contrary to rights in personam (e.g. contractual rights), an absolute right (right in rem) should be statutorily established due to its capacity to be enforceable against any person interfering with that. The Directive 2019/713/EU itself or the relevant future criminal law provisions in the national jurisdictions shall not establish a private law property right on cryptocurrencies,143 since in the traditional civil law understanding of rights (at least private law rights), a right consists not only of a legally protected interest but also of some specific power that serves this interest (normally enforceable).144 Therefore, criminal law protection does not mean recognition of some concrete

140

Engelhardt and Klein (2014), p. 358; Weiss (2019), p. 1054; Shmatenko and Möllencamp (2018), p. 498; Martiny (2018), pp. 553, 557. See also Meisser et al. (2018), p. 7. 141 See Möllenkamp and Shmatenko (2019), para 37; Lehmann (2019), p. 128; Walter (2019), p. 3612. 142 See however also Ammann (2018), p. 382. 143 Compare Engelhardt and Klein (2014), p. 356. 144 Larenz and Wolf (2004), pp. 242–243; Below (1960), p. 15; Raiser (1961), p. 465; Gschnitzer (1966), p. 61.

26

The Nature of Rights Upon Cryptocurrencies

623

private law right. Notwithstanding, the protection of a certain private interest even by means of a specific criminal law rule means that this interest is not a mere factual interest, but at least a legally recognised interest. However, even the recognition of a stricto sensu private law right with respect to a certain cryptocurrency should not be totally excluded, at least in jurisdictions with a broad legal understanding of ‘things’. As indicated above, a jus in re on the private key could be justified in the said jurisdictions. This right could contain the power to use this key or even transfer it (positive aspect of the right) and the power to prevent interference by other persons (negative aspect of the right). Furthermore, there is a legally protected interest concerning the proper function of the blockchain,145 albeit not a right since the cryptocurrency owner has no claim against the miners or the software developer or an absolute right on the blockchain records whatsoever.146 However, the cryptocurrency owner should be protected against any malicious interference in the blockchain, such as attempts to falsify the transaction records or disrupt the continuity of the blocks. Combining the above remarks, it could be argued that, from a civil law perspective, the cryptocurrency ownership could be considered as a sui generis right147 that consists of two sub-components, i.e. an absolute right on the private key and a legal interest concerning the proper blockchain function, the infringement of which may establish tortious and/or restoration claims. These two sub-components form the absolute (in the sense of jus in rem) right of cryptocurrency ownership as a whole. Its positive aspect relates to the conduction of cryptocurrency transactions with the use of the private key, while its negative aspect relates to the protection of the private key from unauthorised interference and to the functionality of the blockchain concerning any malicious or irregular tampering. As a whole, however, this right is not a mere sum of its components. It is a sui generis, new kind of right, since it fits in none of the existing property rights forms or classifications,148 although it could be pointed out that it is akin, from a functional and teleological perspective, to the traditional jus in re ownership.149 Its recognition does not oppose the numerus clausus of the absolute rights ( jura in rem), since both its components have a sufficient legal foundation. For the sake of clarity, cryptocurrency ownership should be explicitly established as a private law right,150 in a similar way to the jura in re property rights, during the Directive 2019/713/EU transposition. This seems more necessary in the civil law jurisdictions where the legal definition of things is the narrowest possible (as in Germany) and the recognition of a right might be hindered by the numerus clausus of absolute rights.

145

Compare also Shmatenko and Möllencamp (2018), p. 498. Compare Low and Teo (2017), pp. 252–254. 147 See also Meisser et al. (2018), p. 5. 148 See also Bayern (2014), p. 33. 149 Compare Walter (2019), pp. 3613–3614; Piller (2017), p. 1429; Meisser et al. (2018), p. 8. 150 See Engelhardt and Klein (2014), p. 360. 146

624

E. Rizos

5 Conclusion The cryptocurrency ownership shall be, beyond any reasonable doubt, legally protected and recognised as such with the transposition of the Directive 2019/713. Despite the fact that even before this Directive there could be little doubt on the legality of cryptocurrency ownership (at least in the absence of a rule that forbids it), the specific criminal law provision protecting the cryptocurrency ownership leaves no room for dispute on this issue. With respect to the nature of cryptocurrency ownership from a private law perspective, there seems to be a consensus in common law jurisdictions that this is some form of personal property, although there is no unanimity if this is a chose in action or a third type of personal property. With respect to civil law jurisdictions, things seem more complicated. There is consensus that the cryptocurrency owner may have damage claims on a tort law basis in case of unlawful interference and harm infliction concerning this ownership, but the classification of this ownership into the existing forms appears not easy at all, if not impossible. In the light of the Directive 2019/713 the establishment and the recognition of a new, sui generis right with two components (a right on the private key and an interest on the proper blockchain function) might seem as a way out of the problems related to the cryptocurrency ownership phenomenon.

References Ammann T (2018) Bitcoin als Zahlungsmittel im Internet. Rechtliche Fragestellungen und Lösungsansätze. Computer und Recht 34(6):379–380 Antonopoulos A (2017) Mastering Bitcoin, 2nd edn. O’ Reilly Media, Massachusetts, p 25 Bacon J, Michels JD, Millard C, Singh J (2018) Blockchain demystified: a technical and legal introduction to distributed and centralized ledgers. Richmond J Law Technol 25(1):92 Badev A, Chen M (2014) Bitcoin: technical background and data analysis. Finance and Economic Discussion Series, (7 October 2014), 104, 12 available at https://doi.org/10.2139/ssrn.2544331. Accessed 18 May 2020 Bayern S (2014) Dynamic common law and technological change: the classification of Bitcoin. Washington Lee Law Rev Online 71(2):22–32 Beck B, König D (2015) Bitcoin: Der Versuch einer vertragstypologischen Einordnung von kryptographischem Geld. Juristenzeitung 70(3):130–133 Below K-H (1960) Bürgerliches Recht. Allgemeiner Teil. Springer Fachmedien, Wiesbaden, p 15 Bericht des Bundesrates (2018) Rechtliche Grundlagen für Distributed Ledger-Technologie und Blockchain in der Schweiz. Eine Auslegeordnung mit Fokus auf dem Finanzsektor. 14 December 2018, pp 46–49, available at https://www.admin.ch/gov/de/start/dokumentation/ medienmitteilungen.msg-id-73398.html, Accessed 17 May 2020 Bilal M (2019) What would be the consequences in private law of treating cyber-currencies as money. De Lege Ferenda 2(27):32–34 Bischoping (2018) Prosecuting cryptocurrency theft with the defend trade secrets act of 2016. Univ Pa Law Rev 167(1):239–255 Boehm F, Pesch P (2014) Bitcoin: a first legal analysis with reference to German and US-American Law. In: Böhme R, Brenner M, Moore T, Smith M (eds) Financial cryptography and data

26

The Nature of Rights Upon Cryptocurrencies

625

security: FC 2014 Workshops, BITCOIN and WAHC 2014, Christ church, Barbados, March 7, 2014. Revised Selected Papers. Springer, Berlin, pp 43–54 Böhme R, Christin N, Edelman B, Moore T (2015) Bitcoin: economics, technology, and governance. J Econ Perspect 29(2):213–217 Brito J, Shadab H, Castillo A (2014) Bitcoin financial regulation: securities, derivatives, prediction markets and gambling. Columb Sci Technol Law Rev 16(Autumn issue):144–147 Brodhurst S (1895) Is copyright a chose in action. Law Q Rev 11(1):64 Chason E (2018) How Bitcoin functions as property law. Seton Hall Law Rev 129, 49(1):139 Clairke A (2020) Principles of property law. Cambridge University Press, Cambridge, p 266 Dion D (2013) I’ll gladly trade you two bits on tuesday for a byte today: Bitcoin, regulating fraud in the E-conomy of hacker-cash. Univ Illinois J Law Technol Policy 2013:165–168 Doguet J (2013) The nature of the form: legal and regulatory issues surrounding the Bitcoin digital currency system. Louisiana Law Rev 73(4):1119–1128 Dowd (2014) New private monies: a bit-part player? The Institute of Economic Affairs, London, p 39 Eckert M (2016) Digitale Daten als Wirtschaftsgut: digitale Daten als Sache. Schweizerische Juristen-Zeitung 112(10):245 Elphinstone H-W (1893) What is a chose in action? Law Q Rev 9(4):311–315 Engelhardt C, Klein S (2014) Bitcoins — Geschäfte mit Geld, das keines ist: Technische Grundlagen und zivilrechtliche Betrachtung. Multimedia und Recht 17(6):355–356 Fairfield J (2015) Bitproperty. Southern California Law Rev 88(4):805–817 Fröhlich, Bleuler G (2017) Eigentum an Daten? in: Jusletter 6. März 2017 available at https:// datenrecht.ch/gianni-froehlich-bleuler-eigentum-an-daten-in-jusletter-6-maerz-2017/. Accessed 16 May 2020 Gaier R (2020) Einleitung zum Sachenrecht. In: Gaier R (ed) Münchener Kommentar zum Bürgerlichen Gesetzbuch, Band 8, 8th edn. Verlag C.H.Beck, Munich, para 11 Green S, Randall J (2009) The Tort of Convrcersion. Hart Publishing, Oxford, p 131 Gschnitzer F (1966) Allgemeiner Teil des Bürgerlichen Rechts. Springer, Berlin, p 61 Hackett S (2020) The ownership of goods and chattels. Hart Publishing, Oxford, p 13 Halaburda H, Sarvary M (2016) Beyond Bitcoin: the economics of digital currencies. Palgrave Macmillan, London, p 107 Hari O (2019) The protection of the owners of cryptocurrencies, in particular bitcoin: selected aspects of Swiss financial market and insolvency law. In: Kraus D, Obrist T, Hari O (eds) Blockchains, smart contracts, decentralised autonomous organisations and the law. Edward Elgar Publishing, Cheltenham, pp 185–214, 188 Heinze C (2018) Einleitung BGB. In: Herrler S (ed) J. von Staudingers Kommentar zum Bürgerlichen Gesetzbuch mit Einfühurungsgesetz und Nebengesetzen, Buch 3 : Sachenrecht, Einleitung zum Sachenrecht, §§ 854 – 882, Neubarbeitung. Sellier – de Gruyter, Berlin Hillemann D (2019) Bitcoin und andere Kryptowährungen – Eigentum i.S.d. Art. 14 GG? Computer und Recht 35(12):830 Hoegner S (2015) What is Bitcoin? In: Hoegner S (ed) The law of Bitcoin. iUniverse, Indiana, pp 1–16, 5 Holdsworth WS (1920) The history of the treatment of choses in action by the common law. Harv Law Rev 33(8):997–998 John D (2020) Zur Sachqualität und Eigentumsfähigkeit von Kryptotoken - eine dogmatische (Neu)Betrachtung. Zeitschrift für Bank- und Kapitalmarktrecht 20(2):76 Kaplanov N (2012) Nerdy money: Bitcoin, the private digital currency, and the case against its regulation. Loyola Consumer Law Rev 111, 25(1):117 Karibali-Tsiptsiou Y (2003) Property and trust law in Hellas. Ant. N. Sakkoulas Publishers, Athens, pp 48–50 Kirschbaum B, Stepanova O (2019) Widerrufsrecht beim Handel mit Kryptowährungen. Zeitschrift für Bank- und Kapitalmarktrecht 19(6):286–288

626

E. Rizos

Kütük M, Sorge C (2014) Bitcoin im deutschen Vollstreckungsrecht: Von der “Tulpenmanie” zur “Bitcoinmanie”. Multimedia und Recht 17(10):643–644 Langdell CC (1900) Classification of rights and wrongs. Harv Law Rev 13(7):537, 538 Larenz K, Wolf M (2004) Allgemeiner Teil des Bürgerlichen Recht, 9th edn. Verlag C.H.Beck, Munich, p 252 Lehmann G (2019) Who owns Bitcoin? Private law facing the blockchain. Minnesota J Law Sci Technol 93, 21(1):123 Low K, Teo E (2017) Bitcoins and other cryptocurrencies as property? Law Innov Technol 9 (2):235–242 Martiny D (2018) Virtuelle Währungen, insbesondere Bitcoins, im Internationalen Privat- und Zivilverfahrensrecht. Praxis der Internationalen Privat- und Verfahrensrechts 38(6):553–557 McGrath (2016) Transacting in a vacuum of property law. TLI Think! Paper 22/2016, 18 available at https://doi.org/10.2139/ssrn.2786206. Accessed 28 Apr 2020 Medicus D (2006) Allgemeiner Teil des BGB, 9th edn. C.F.Müller, Heidelberg, p 31 Meisser C, Meisser L, Kogens R (2018) Verfügungsmacht und Verfügungsrecht an Bitcoins im Konkurs. Eine auf den Eigenschaften der neuartigen Technologie aufgebaute rechtliche Einordnung unter geltendem Schweizer Recht. in: Jusletter IT 24. Mai 2018, 6 available at https://www.zora.uzh.ch/id/eprint/153360/1/Jusletter-IT_ VerfuegungsmachtundVerfuegungsrechtanBitcoins-Froriep-Mai2018.pdf, Accessed 17 May 2020 Möllenkamp S, Shmatenko L (2019) Teil 13.6. Blockchain und Kryptowährungen. In: Hoeren T, Sieber U, Holznagel B (eds) Handbuch Multimedia-Recht. Rechtsfragen des elektronischen Geschäftsverkehrs, 50. Ergänzungslieferung. Verlag C.H.Beck, Munich. Oktober 2019 Nakamoto S (2009) Bitcoin: a peer-to-peer electronic cash system. Bitcoin Project, 24 May 2009, Available at https://bitcoin.org/bitcoin.pdf. Accessed 18 May 2020 Omlor S (2017) Geld und Währung als Digitalisate. Normative Kraft des Faktischen und Geldrechtsordnung. Juristenzeitung 72(15–16):754–760 Omlor S (2019) Digitaler Zahlungsverkehr Sonderheft FinTech. Juristische Schulung 59:289–290 Paulus D (2019) Was ist eigentlich . . . eine Blockchain? Juristische Schulung 59(11):1049 Pflaum I, Hateley E (2014) A bit of a problem: national and extraterritorial regulation of virtual currency in the age of financial disintermediation. Georgetown J Int Law 45(4):1169–1176 Piller F (2017) Virtuelle Währungen – Reale Rechtsprobleme? Aktuelle Juristische Praxis 26 (12):1426–1428 Piska C, Völkel O (2017) Blockchain und Kryptorecht. Regulierungs-Chancen de lege lata und de lege ferenda. Zeitschrift für Energie- und Technikrecht 7(3):97–98 Pittl R, Steiner C (2020) Blockchain-based financial services and virtual currencies in Austria. J Consumer Market Law 9(2):81–85 Raiser L (1961) Der Stand der Lehre vom subjektiven Recht im Deutschen Zivilrecht. Juristenzeitung 16(15/16):465 Raskin M (2015) Realm of the coin: bitcoin and civil procedure. Fordham J Corp Financ Law 20 (4):969–975 Reyes C (2017) Conceptualizing cryptolaw. Nebraska Law Rev 384, 96(2):412–413 Schrey J, Thalhofer T (2017) Rechtliche Aspekte der Blockchain. Neue Juristische Wochenschrift 70(20):1431–1433 Schroeder M (2014) Bitcoin: Virtuelle Währung — reelle Problemstellungen. 104/2014 Internet — Zeitschrift für Rechtsinformatik und Informationsrecht paras 33–40, available at https://doi.org/ 10.7328/jurpcb2014296103, Accessed 28 June 2017 Schroeder J (2016) Bitcoin and the uniform commercial code. Miami Bus Law Rev 1, 24(1):23 Schroen OC (2019) Sind Bitcoin und Co. Wirtschaftsgüter gemäß der gefestigten BFH Rechtsprechung? Deutsches Steuerrecht 57(26):1369–1371 Shmatenko L, Möllencamp S (2018) Digitale Zahlungsmittel in einer analog geprägten Rechtsordnung. A bit(coin) out of control – Rechtsnatur und schuldrechtliche Behandlung von Kryptowährungen. Multimedia und Recht 21(8):495–497

26

The Nature of Rights Upon Cryptocurrencies

627

Stieper M (2017) Artikel 90. In: Herrler S (ed) J. von Staudingers Kommentar zum Bürgerlichen Gesetzbuch mit Einfühurungsgesetz und Nebengesetzen, Buch 1: Allgemeiner Teil: §§ 90-124; §§ 130-133, Neubarbeitung. Sellier – de Gruyter, Berlin Straus R, Cleary M (2015) The United States. In: Hoegner S (ed) The law of Bitcoin. iUniverse, Indiana, pp 178–216, 186 The LawTech Delivery Panel - UK Jurisdiction Taskforce (2019) Legal statement on cryptoassets and smart contract. Available at https://35z8e83m1ih83drye280o9d1-wpengine.netdna-ssl.com/ wp-content/uploads/2019/11/6.6056_JO_Cryptocurrencies_Statement_FINAL_WEB_1111191.pdf, Accessed 26 Apr 2020 Tolhurst G (2016) The assignment of contractual rights, 2nd edn. Hart Publishing, Oxford, p 15 Tu K (2018) Perfecting Bitcoin. Georgia Law Rev 52(2):505–548 Tuhr (von) A (1923) Bürgerliches Recht, Allgemeiner Teil, Verlag von Julius. Springer, Berlin, p 13 Turpin J (2014) Bitcoin: the economic case for a global, virtual currency operating in an unexplored legal framework. Indiana J Global Legal Stud 21(1):335–338 van Dam C (2013) European tort law, 2nd edn. Oxford University Press, Oxford, p 57 Völkel O (2017) Privatrechtliche Einordnung virtueller Währungen. BankArchiv - Zeitschrift für das gesamte Bank- und Börsenwesen (ÖBA) 65(6):385–387 Vonkilch A, Knoll M (2019) Bitcoins und das Sachenrecht des ABGB. Juristische Blätter 141 (3):139 Walter A (2019) Bitcoin, Libra und sonstige Kryptowährungen aus zivilrechtlicher Sicht. Neue Juristische Wochenschrift 72(50):3609, 3611 Weiss A (2019) Zivilrechtliche Grundlagenprobleme von Blockchain und Kryptowährungen. Juristische Schulung 1050, 59(11):1054–1055 Williams C (1894) Is a right of action in tort a chose in action? Law Q Rev 10(2):143 Williams TC (1895) Property things in action and copyright’ law. Q Rev 11(3):223 Wilsch H (2017) Die Blockchain-Technologie aus der Sicht des deutschen Grundbuchrechts. Deutsche Notar-Zeitschrift 116(10):761 Zaytoun H (2019) Cyber Pickpockets: blockchain, cryptocurrency, and the law of theft. North Carolina Law Rev 97(2):395–419

Chapter 27

Consumer Protection and Digital Currencies in the EU: A Comparative Analysis Between Fiat Currencies and Blockchain Payment Methods Anna Plevri

Abstract Despite the fact that “bitcoin” as a digital currency is not a new term anymore, its actual legal nature remains unclear and unregulated. Bitcoin could be defined as a decentralized, peer-to-peer version of electronic cash that facilitates the purchase of online goods and services without an intermediate financial institution”. Bitcoins and other digital currencies are used online and in practice payments via these “currencies” for selling of goods and services are made through a blockchain network. Users of digital currencies are not only people with a high level of expertise in online technology but additionally consumers. The use of digital currencies and blockchain technology raises many legal questions and has implications that are yet unknown to in consumers The main research question of this chapter regards the “ecosystem” of digital currencies, and the legal risks and implications of blockchain payment methods for consumers. More specifically it attempts to define the notion of “digital currencies,” as well as other related terms, to identify key differences between digital and traditional currencies and commonly used forms of online payment, such as credit and debit cards, to analyze the legal nature of digital currencies and to discuss relevant regulation with a focus on Europe. Lastly, it explores the legal issues, risks, and implications of the use of digital currencies by consumers mostly in terms of consumer protection and legal recourse.

1 Introduction Despite the fact that “bitcoin” as a digital currency is not a new term anymore, its actual legal nature remains unclear and unregulated. In general, bitcoin could be defined as a decentralized, peer-to-peer version of electronic cash that facilitates the purchase of online goods and services without an intermediate financial institution.

A. Plevri (*) School of Law, University of Nicosia, Nicosia, Cyprus e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 T.-E. Synodinou et al. (eds.), EU Internet Law in the Digital Single Market, https://doi.org/10.1007/978-3-030-69583-5_27

629

630

A. Plevri

Bitcoins and other digital currencies are used online and in practice payments via these “currencies” for selling of goods and services are made through a blockchain network. Users of digital currencies are not only people with a high level of expertise in online technology but additionally consumers. The use of digital currencies and blockchain technology raises many legal questions and has implications that are yet unknown to in consumers The main research question of this chapter regards the “ecosystem” of digital currencies, and the legal risks and implications of blockchain payment methods for consumers. More specifically, this chapter attempts to define the notion of “digital currencies” as well as other related terms, to identify key differences between digital and traditional currencies and commonly used forms of online payment, such as credit and debit cards, to analyze the legal nature of digital currencies and to discuss relevant regulation with a focus on Europe. Lastly, it explores the legal issues, risks, and implications of the use of digital currencies by consumers mostly in terms of consumer protection and legal recourse. The “digital age”, also referred to as the “information age”, is defined as the time period starting in the 1970s spurred by the introduction of personal computers and subsequent technological developments resulting in the ability to transfer information freely and quickly. This new capability led to revolutionary developments in many aspects of the economy, the financial system, the media and the law.1 The rapid application of machine learning technology and distributed computing has massively affected, among other areas, financial transactions, the banking sector as well as investments. The first area to systematically apply of the blockchain technology was the financial sector2 and digital finance, where virtual currencies have emerged. While blockchain systems predicate themselves on creating “order without law”,3 it is clear that new developments in the realm of digital currencies have raised new possibilities, if not need, for regulation. Over the past 3 years, regulators and policy – makers have turned their attention to blockchain technology, and, in particular, cryptocurrencies.4 The EU aims to facilitate a healthy competitive marketplace, innovation and to further develop the European financial sector. In this 1

See https://www.yourdictionary.com/digital-age and https://dictionary.cambridge.org/dictionary/ english/digital-age, Accessed May 24, 2020. 2 Hacker et al. (2019), p. 3. 3 De Filippi and Wright (2018). 4 See European Parliament (2016) Virtual Currencies, Resolution of 26 May 2016, 2016/2007 (INI), where it is noted, among others: “2. Notes that VCs and DLT schemes entail risks which need to be addressed appropriately so as to enhance their trustworthiness, including in the present circumstances, namely: (a) the absence of flexible, but resilient and reliable, governance structures or indeed a definition of such structures, especially in some DLT applications such as Bitcoin, which creates uncertainty and consumer or—more broadly—user protection problems, especially in the event of challenges unforeseen by the original software designers; (b) the high volatility of VCs and potential for speculative bubbles, and the absence of traditional forms of regulatory supervision, safeguards and protection, issues which are especially challenging for consumers; (c) the sometimes limited capacity of regulators in the area of new technology, which may make it difficult to define appropriate safeguards in a timely manner in order to ensure the proper and reliable functioning of DLT applications when or even before they grow so large as to become systemically relevant;

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

631

way, blockchain technology is a pivotal element in the European Commission’s “FinTech Action Plan.”5 At this point, blockchain is referred to as the most important type of a distributed ledger technology (DLT), i.e., a decentralized form of record keeping that can store many kinds of information ranging from monetary transactions to land titles, or digital identities.6 Blockchain technology has also been applied to smart contracts7 and blockchain based organizations that are funded by Initial Coin Offering (ICOs).8,9 Smart contracts are software programs embedded in a blockchain that can receive and send assets as well as information.10 In the framework of a smart contract, the distribution of information and assets is entirely predefined in code and triggered by the fulfilment of certain conditions. Moreover, blockchain technology has been used to develop digital financial marketplaces, particularly in conjunction with the “Internet of Things,” bypassing financial middlemen and allowing almost any asset to be digitalized and traded over a decentralized computer network, e.g., Bitshares.11 Consumer markets are also very much affected by “utility tokens” providing access to platform services of any kind.12 The revolutionary element of new technologies, such as blockchain, is the fact that they can mathematically provide trust in a network rather than in a person or an authority. The technology of blockchain could be viewed as the object of trust. Trust has been shifted away from humans in favor of a cryptographic system, where one must simply trust the cryptographic algorithm. The technology of blockchain has been described as a chain or string of blocks in the framework of a technology designed to maintain continuity. In this context, an “object,” e.g., a right, may be tokenized and registered in the blockchain. The tokens may belong to certain categories, such payment tokens like bitcoin, bitcoin cash, litecoin, utility tokens, non-fungible tokens, etc.

(d) the legal uncertainty surrounding new applications of DLT”; European Commission (2017) Consumer Financial Services Action Plan: Better Products, More Choice, COM/2017/013 final. 5 Communication from the Commission to the European Parliament, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions, FinTech Action Plan: For a More Competitive and Innovative European Financial Sector, COM (2018) 109 final. 6 See Hacker et al. (2019), p. 3. 7 See Christidis and Devetsikiotis (2016). 8 Also called “token sales.” 9 The so-called “blockchain 2.0.” 10 See Brown (2015) and Grundmann and Hacker (2017). 11 Hacker et al. (2019), p. 5. 12 The Brooklyn Project (2018).

632

A. Plevri

2 Crypto Assets: Crypto Currencies—Digital Currencies— Virtual Currencies Crypto assets represent one of the most high-profile financial products in the world, and fastest growing financial products in history. The term “cryptocurrency” is often used by the industry and technology sector, whereas the “legal literature” generally utilizes the terms “virtual currency” (VC) and “digital currency.”13 Τhe term “virtual currencies,” which is synonymous with the term “digital money,” refers to digital representations of value, issued by private developers and not by a central bank, credit institution or e-money institution, denominated in their own units of account14 which in some circumstances can be used as an alternative to money.15 According to the International Monetary Fund (IMF), virtual currencies “can be obtained, stored, accessed, and transacted electronically, and can be used for a variety of purposes, as long as the transaction parties agree.”16 Virtual currencies are nowadays invariably accepted by many companies, like Amazon, eBay, etc.17 The possibility of state issued fiat money as the predominant means of payment for retail goods being replaced by virtual currencies which are not restricted to national borders and flow freely across international borders, has attracted attention and has been addressed by central bankers, the media and legal (and other) scholars. Whether or not virtual currencies are considered to be “money” can be address from both an an economic and legal perspective.18 From an economic perspective, money refers to as everything that is generally accepted as payment for goods and services and/or repayment of debts.19 In the framework of this economic concept, money has three essential functions. These are: (1) unit of account, (2) medium of exchange and (3) store of value. On the other hand, in a legal sense, money is identified as official currency to which national monetary law has conferred the status of legal tender.20 The legal perspective of money, contains three different theories of what constitutes money. More specifically, the dominant theory is that of “state theory of money” which asserts that money is whatever the state as a sovereign declares it to be. Furthermore, the “societary theory of money” suggests that money is whatever society accepts as money and the “institutional theory of money” deals with money

13

See Dimitropoulos in Hacker et al. (2019), pp. 112–113. See Zimmermann in Hacker et al. (2019), p. 99. 15 See Janczuk-Gorywoda in Hacker et al. (2019), p. 260. 16 IMF Staff Discussion Note (2016). 17 For example the University of Nicosia accepts bitcoins for payments of fees, see https://www. unic.ac.cy/el/kritiria-eisdochis/oikonomikes-plirofories/tropoi-pliromis/, Accessed Jun 20, 2020. 18 See in detail, Zimmermann in Hacker et al. (2019), pp. 100–103; Janczuk-Gorywoda in Hacker et al. (2019), p. 262. 19 See among others on the economic concept of money, Smithin (2000); For further citations see Zimmermann in Hacker et al. (2019), p. 100, footnote no 4. 20 See Vardi (2016), p. 59. 14

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

633

as an institution.21 The legal theory of virtual currencies discusses and analyses the mentioned theories to determine whether virtual currencies qualify as “money,” which has further legal implications. No national law has yet conferred the status of legal tender to Bitcoin or any other virtual currency. Crypto assets are a type of private financial asset that depend primarily on cryptography and distributed ledger technology as part of their perceived or inherent value. A wide range of crypto assets exist, including payment/exchange tokens, e.g., the so-called virtual currencies (VCs), investment tokens, tokens to access a good or service (utility tokens). In 2012, the European Central Bank stated that virtual currency schemes did not pose a risk to price stability; the money creation continued to stay at a low level. The European Central Bank defines “virtual currency” as: “a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community.”22 Therefore, a virtual currency is a form of unregulated digital money that is not issued or guaranteed by a central bank and that can act as means of payment. Virtual currencies begun as currencies within online computer gaming environments and social networks and developed into means of payment accepted “offline” or in “real life.” Today, there are many forms of virtual currencies and it is possible to use virtual currencies to pay for goods and services with retailers, restaurants, and entertainment venues. These transactions often do not incur any fees or charges, and do not involve a bank, which is very important in the field of e-commerce.23 An assessment of the applicability and suitability of the EU law to crypto assets is at this point worth mentioning. A relatively low level of crypto asset activity is currently observed in the EU, and does not appear to give rise to implications for financial stability. However, typically activities involving crypto assets do not constitute regulated services within the scope of the EU and therefore fall outside the scope of EU banking, payments, and electronic money regulation. Therefore, clear risks exist for consumers that are not addressed at the EU level. In light of these issues and risks (including money laundering), the European Banking Authority (EBA) recommended that the European Commission carry out further analysis to determine the appropriate EU-level response. The EBA also identified several actions to be taken in 2019 to enhance the monitoring of financial institutions crypto asset activities and consumer-facing disclosure practices. As a result of the development of national regulatory responses, divergences between Member States have started to emerge, presenting risks to the level playing field. Market developments also point to the need for a further review of EU anti-money laundering legislation. For the above reasons, the EBA set out, in its recent report on crypto assets,24 its

21 See in detail Zimmermann in Hacker et al. (2019), pp. 101–103, Janczuk-Gorywoda in Hacker et al. (2019), p. 263. 22 European Central Bank (2012). 23 See European Banking Authority (2013, 2014). 24 European Banking Authority (2019).

634

A. Plevri

advice to the European Commission on the need for a comprehensive cost/benefit analysis, considering the issues inside and outside the financial sector, to determine what action, if any, is required at the EU level at this stage. Moreover, EBA's Executive Director, Adam Farkas stated that: “The EBA’s warnings to consumers and institutions on virtual currencies remain valid. The EBA calls on the European Commission to assess whether regulatory action is needed to achieve a common EU approach to crypto assets. The EBA continues to monitor market developments from a prudential and consumer perspective.”25 Crypto assets are a type of private financial asset that depend primarily on cryptography and distributed ledger technology as part of their perceived or inherent value. A wide range of crypto assets exist, including payment/exchange tokens (for example, so-called virtual currencies (VCs)), investment tokens and tokens to access a good or service (so-called “utility” tokens). Recognizing the rapid evolution in the use of crypto assets, the EBA examined in its report of 9 January 2019:26 (1) the application of current EU banking, payments, e-money and anti-money laundering laws to crypto assets, (2) crypto asset custodian wallet providers and crypto asset trading platforms, building on the EBA’s July 2014 Opinion on virtual currencies and (3) credit institutions, investment firms, payment institutions and electronic money institutions’ activities involving crypto assets and regulatory and supervisory issues.

3 Virtual Currencies in the Framework of the Anti-Money Laundering Directive (AMLD) On July 2016, the European Commission presented a legislative proposal to amend the Fourth Anti-Money Laundering Directive (AMLD) Directive (EU) 2015/849. This proposal brought custodian wallet providers and virtual currency exchange platforms within the scope of the AMLD which means that there is an obligation to fulfil due diligence requirements and have in place policies and procedures to detect, prevent, and report money laundering and terrorist financing. The above-mentioned proposal contained a definition of virtual currencies, which are described as: “a digital representation of value that is neither issued by a central bank or a public authority, nor necessarily attached to a fiat currency, but is accepted by natural or legal persons as a means of payment and can be transferred, stored or traded electronically.”27 In addition, in March 2018, the European Commission presented an Action Plan on how to take advantage of the opportunities presented by technology-enabled innovation in financial services (FinTech), like blockchain, artificial intelligence, 25

Ibid. Ibid. 27 European Banking Authority (2014), pp. 10–11. 26

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

635

and cloud services. The FinTech Action Plan28 included the recently launched EU Blockchain Observatory and Forum, which will report on the challenges and opportunities of crypto assets and is working on a comprehensive strategy on distributed ledger technology and blockchain addressing all sectors of the economy. Furthermore, the 5th Anti-Money Laundering Directive (AMLD) (EU) 2018/ 84329 (entered into force on 9 July 2018) has extended anti-money laundering and counter terrorism financing rules to virtual currencies, tax related services, and traders in works of art. The 5th AMLD became applicable across the EU on 10 January 2020. Briefly, the 5th AMLD extended the scope to cryptocurrency exchanges and wallet provider. More specifically, the 5th AMLD Directive, submits wallet providers and cryptocurrency exchange operators to anti money laundering provisions30 and contains the first legal definition of virtual currencies: “virtual currencies means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons, as a means of exchange, and which can be transferred, stored an traded electronically”31 The 5th AMLD also lowered the thresholds for electronic money and prepaid instruments like anonymous payment cards and further improved the transparency on beneficial owners. In any case, virtual currencies should not to be confused with electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC,32 with the concept of “funds” as defined in point (25) of Article 4 of Directive (EU) 2015/2366,33 with monetary value stored on instruments exempted as specified in points (k) and (l) of Article 3 of the same Directive,34 and lastly, with in-games currencies, that can be used exclusively within a specific game environment. Moreover, although virtual currencies can frequently be used as a means of payment, they could also be used for other purposes and find broader applications such as means of exchange, investment, store-of-value products or use in online casinos.35 In this framework, the objective of

28

See https://ec.europa.eu/info/publications/180308-action-plan-fintech_en, Accessed Jun 15, 2020. 29 The 5th Directive to address the threat of money laundering amending Directive (EU) 2015/849, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri¼uriserv:OJ.L_.2018.156.01. 0043.01.ENG, Accessed Jun 20, 2020. 30 In the USA, cryptocurrency exchange operators and wallet providers has been submitted to anti money laundering requirements in 2013. 31 See Article 1 (2) (d) (18) of the 5th AMLD. 32 Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC, OJ L 267. 33 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, OJ L 337. 34 Ibid. 35 See the preamble of the 5th AMLD, no 10).

636

A. Plevri

the 5th AMLD is to cover all the potential uses of virtual currencies. Furthermore, there is already lined up Directive 2018/1673,36 a 6th EU Money Laundering Directive (6th AMDL) that was published on 23 October 2018. The EU’s Member States have until 3 December 2020 to transpose it into national law; therefore, the clock is ticking. One key aspect of the 6th AMLD is the focus on criminal activity and criminal offences. The minimum term is set for more than 6 months with graver cases calling for a punishment of a maximum term of imprisonment of at least 4 years.

4 Regulation of Cryptocurrencies in Europe The issue of the regulation of cryptocurrencies has concerned policy and law makers in and outside Europe. Although a broad analysis of all related issues is not possible in this chapter, a comparative summary of an important report titled: “Regulation of Cryptocurrency Around the World” of June 2018, conducted by the Law Library of Congress, (Global Legal Research Center 2018),37 contributes significantly to this point. The report surveys the legal and policy landscape surrounding cryptocurrencies around the world and it covers 130 countries as well as some regional organizations that have issued laws or policies on cryptocurrency. Over the past years cryptocurrencies have become ubiquitous prompting more national and regional authorities to grapple with their regulation. Various jurisdictions are handling the fast-growing cryptocurrency market and it is already possible to identify emerging patterns. One interesting aspect of the fast-growing cryptocurrency market is the fluidity of the terms used to describe the different products that fall within its ambit. Some of the various terms used by countries or jurisdictions to reference cryptocurrency include: (1) “digital currency,”38 (2) “virtual commodity,”39 (3) “crypto token,”40 (4) “payment token,”41 (5) “cyber currency,”42 (6) “electronic currency,”43 and (7) “virtual asset.”44 One of the most common actions identified across the surveyed jurisdictions is government-issued notices about the pitfalls of investing in the cryptocurrency

36 Directive 2018/1673 of the European Parliament and of the Council of 23 October 2018 on combating money laundering by criminal law, OJ L 284. 37 Report prepared by the Staff of Global Legal Research Directorate. 38 Argentina, Thailand, and Australia. 39 Canada, China, and Taiwan. 40 Germany. 41 Switzerland 42 Italy and Lebanon. 43 Colombia and Lebanon. 44 Honduras and Mexico.

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

637

markets. Warnings, mostly issued by central banks, are largely designed to educate the citizenry and consumers about the difference between actual currencies, which are issued and guaranteed by the state, and cryptocurrencies, which are not. Most government warnings note the added risk resulting from the high volatility associated with cryptocurrencies and the fact that many of the organizations that facilitate such transactions are unregulated. Most also note that citizens who invest in cryptocurrencies do so at their own personal risk and that no legal recourse is available to them in the event of loss. Furthermore, many of the warnings issued by various countries also note the opportunities that cryptocurrencies create for illegal activities, such as money laundering and terrorism. Some of the countries surveyed go beyond simply warning the public and have expanded their laws on money laundering, counterterrorism, and organized crimes to include cryptocurrency markets, and require banks and other financial institutions that facilitate such markets to conduct all the due diligence requirements imposed under such laws, e.g. Australia, Canada, and the Isle of Man. Some jurisdictions have gone even further and imposed restrictions on investments in cryptocurrencies while others such as Algeria, Bolivia, Morocco, Nepal, Pakistan, and Vietnam ban any and all activities involving cryptocurrencies, something that is not really actually achievable. There are also countries that, while not banning their citizens from investing in cryptocurrencies, impose indirect restrictions by barring financial institutions within their borders from facilitating transactions involving cryptocurrencies.45 In addition, some countries that have issued warnings to the public about the pitfalls of investments in cryptocurrencies have also determined that the size of the cryptocurrency market is too small to be cause for sufficient concern to warrant regulation and/or a ban at this juncture, e.g., Belgium, South Africa, and the United Kingdom. In any case, not all countries see the advent of blockchain technology and cryptocurrencies as a threat, albeit for different reasons. Some of the jurisdictions, while not recognizing cryptocurrencies as legal tender, see a potential in the technology behind it and are developing a cryptocurrency-friendly regulatory regime as a means to attract investment in technology companies that excel in this sector. In this class are countries like Spain, Belarus, Luxemburg and the Cayman Islands. This potential is something that Greece and Cyprus could focus on. Some others jurisdictions are seeking to go even further and develop their own system of cryptocurrencies. This category includes a diverse list of countries, such as the Marshall Islands, Venezuela, the Eastern Caribbean Central Bank (ECCB) member states and Lithuania (an EU Member State). One of the many questions that arise from allowing investments in and the use of cryptocurrencies is the issue of taxation. In this regard, the challenge appears to be how to categorize cryptocurrencies and the specific activities involving them for taxation. Whether gains made from mining or selling cryptocurrencies are categorized as income or capital gains invariably determines the applicable tax bracket. For

45

E.g., Bangladesh, Iran, Thailand, Lithuania, China, and Colombia.

638

A. Plevri

example, in Israel, cryptocurrencies are taxed as assets in Bulgaria as financial asset, in Switzerland as foreign currency, in Argentina and Spain, there are subject to income tax, in Denmark they are subject to income tax and losses are deductible, in the United Kingdom, corporations pay corporate tax, unincorporated businesses pay income tax and, individuals pay capital gains tax and in Russia mining that exceeds a certain energy consumption threshold is taxable.46 Although one could argue that whether cryptocurrencies are considered an asset or foreign currency for tax purposes does not determine whether they are considered income or capital; an asset can be either income or capital depending on whose hands it is in. On 22 October, 2015, the Court of Justice of the European Union (CJEU) (Fifth Chamber) held in its judgment Skatteverket v David Hedqvist,47 that transactions to exchange a traditional currency for bitcoin or other virtual currencies and vice versa constitute the supply of services for consideration, but fall under the exemption from value-added tax (VAT), therefore buying or selling bitcoin is exempt from VAT in all EU Member States. The UK Jurisdiction Taskforce (UKJT), which is part of the LawTech Delivery Panel, recently issued a legal statement on the status of crypto assets and smart contracts under the law of England and Wales, providing legal certainty for the first time.48 This legal statement provides confirmation that, under English law: (a) crypto assets are capable of being owned and (b) smart contracts can be, or be part of, binding legal contracts. Thus, if a crypto asset can be owned, what exactly is the asset? The answer is that “the asset is the set of arrangements that gives rise to the ability to update or spend (i.e., render inert or retire) certain data, to the exclusion of another party.”49 Additionally, the above legal statement notes that the asset is not any of the public or private keys of the digital wallet or the distributed ledger data itself. None of those constitute property but rather they are mere information, according to the legal statement. Instead, the asset is something that arises from their combination with the relevant system rules (including the embedded cryptography), which is the exclusive ability to update or spend transaction data. Having said that, the control of a private key sometimes confers ownership of a crypto asset, but not always.

46

See the report prepared by the Staff of Global Legal Research Directorate. See the CJEU Skatteverket v David Hedqvist, Case C 264/14, Judgment of 22 October 2015. 48 See Linklaters (2019) the UK confirms legal status of crypto assets and smart contracts. 49 Ibid. 47

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

639

5 Legal Nature of Cryptocurrencies The pivotal question whether crypto assets are property is not easy to address. The nature of crypto assets is peculiar given that, under the traditional view enunciated in the case Colonial Bank v Whinney50 property can have only two forms, either (a) as a “thing in possession” (i.e., tangible assets) or (b) as (2) “thing in action” (e.g., debt or contractual rights). Crypto assets are neither a “thing in possession,” because they are virtual and cannot be possessed or a “thing in action,” because they do not embody any right capable of being enforced. However, after considering the detail analysis of the legal statement of the UK jurisdictional Task Force on “CryptoAssets and Smart Contracts” dated 11 November 2019 (“UKJT Legal Statement”) a UK judgement (AA v Persons Unknown) concluded that while a crypto asset might not be a “thing in action” on the narrow definition of that term, this does not preclude its treatment as property.51 So the important legal issue arising from the emergence and use of cryptocurrencies is their legal nature. The question relates to whether cryptocurrencies are, from a legal point of view, considered to be money, assets, property, commodities, etc. The answer is connected with the specific law which will apply in each different case and how this is determined by private international law. For example, where a consumer chooses to make a payment with bitcoin will this hinder their consumer protection rights, under EU consumer protection law? In some jurisdictions, cryptocurrencies are considered as a means of payment, e.g., in the Swiss Cantons of Zug cryptocurrencies are accepted as a means of payment even by government agencies, and in the Isle of Man and Mexico the use of cryptocurrencies as a means of payment along with their national currency is also permitted.52 Some interesting classifications of cryptocurrencies in European countries on the various ways countries and jurisdictions deal with cryptocurrencies,53 are highlighted below, all coming out of a report prepared by the Staff of Global Legal Research Directorate. The following classifications are very interesting since they demonstrate certain legal views and policies in different legal orders. In addition, these classifications show the regulation of cryptocurrencies, if any, in each country: • In the UK, an English High Court judgment paved the way for crypto litigation. In case of AA v Persons Unknown,54 the English High Court concluded that crypto assets, in this case Bitcoin, can be treated as “property” and can therefore be the subject of a proprietary injunction. • In Austria, the Austrian Ministry of Finance (Bundesministerium der Finanzen, BMF) does not qualify cryptocurrencies as legal tender or as financial

50

[1885] 30 Ch.D 261. See Lytras (2020). 52 See the report prepared by the Staff of Global Legal Research Directorate. 53 Ibid. 54 [2019] EWHC 3556 (Comm). 51

640

• • •

•

• • • • •

A. Plevri

instruments. Instead, it classifies them as other (intangible) commodities and has stated that cryptocurrencies are treated like other business assets for income tax purposes. In Belgium cryptocurrencies remain unregulated, and they appear to have been very few official pronouncements on the subject. In Cyprus, the Central Bank of Cyprus has issued a warning stating that virtual currencies are not legal tender, there are no specific regulatory protection measures to cover losses from their use, and that their prices are subject to volatility. In France cryptocurrencies remain largely unregulated, with two ordinances on blockchain technology being the only legislative action taken so far. However, the French government is actively moving towards establishing a regulatory regime. In Germany, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) qualifies virtual currencies/ cryptocurrencies as units of account and therefore financial instruments. Online trading platforms, among others, are generally required to obtain authorization from BaFin in advance. Ireland does not appear to have any laws that specifically regulate cryptocurrencies. In Lithuania, on 6 March 2018, the Bank of Lithuania announced that it plans to issue the world’s first digital collector coin using blockchain or other equivalent technologies. In Luxembourg cryptocurrencies remain largely unregulated, although the Duchy’s government appears to display a more welcoming attitude towards the phenomenon than some of its European counterparts. In Greece, the Bank of Greece has issued announcements on two occasions adopting the views of European supervisory authorities warning consumers of the risks of virtual currencies. In Spain, the Spain’s National Securities Commission, and the Bank of Spain issued a joint statement on the use of bitcoin in February 2018 noting that cryptocurrencies are not issued, registered, authorized, or verified by any regulatory agency in Spain.

6 Bitcoin Bitcoin is the most important and well known form of digital or virtual currency. Bitcoin has set the scene for a new generation of decentralized, peer-to-peer virtual currencies (crypto currencies). Today, there is a strong view that bitcoin has become store of value. Virtual currencies can be bought at an exchange platform using conventional (fiat) currency. Virtual currencies are then transferred to a personalized bitcoin account known as a “digital wallet.” Using this wallet, consumers can send bitcoins online to anyone else willing to accept them, or convert them back into a conventional (fiat) currency (e.g., euro, pound, or dollar). New bitcoins are created

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

641

online using computer-intensive software known as “bitcoin miners.” This software allows consumers to “mine” small amounts of the currency through solving deliberately complex algorithms. However, the increase in the money supply is fixed so only small amounts are released over time. This “production” takes place in a decentralized manner and its value derives only from the fact that there is a growing community that attributes value to it and chooses to transact using this innovative mean of payment/payment token at least at the beginning of bitcoin.

7 Use of Virtual Currencies and Consumer Adoption It is argued that virtual currencies offer many advantages in comparison to traditional payments. The main argument of this view is that virtual currencies offer anonymity to their users and are safer, cheaper, and quicker than traditional payments. According to another view, virtual currencies are only safer, cheaper, and quicker in comparison to international payments services, not when compared to domestic payments.55 In addition, virtual currencies do not “offer” many of the advantages of traditional domestic payments, such as stability of value, legal certainty, consumer protection, and the ability to be employed within and by well-known business models. In this framework, a displacement of existing payment services providers for domestic transactions by decentralized virtual currencies is not likely to take place in the near future. Bitcoin has achieved some notoriety as a financial asset, low-cost payment instrument and potential alternative monetary policy instrument. However, relatively little is known about actual consumer adoption and use of bitcoin—the main purpose for which it was created. According to a 2014–2015 survey of the Consumer Payment Choice (SCPC), about half of U.S. consumers have heard of bitcoin or any of the hundreds of other so-called virtual currencies. Most consumers who are aware of virtual currencies are unfamiliar with them and struggle to answer survey questions accurately. Awareness, adoption, and use of virtual currencies are correlated with various demographic and economic characteristics of consumers. Moreover, a recent survey shows consumers and investors remain bullish on the future of “cryptos.”56 According to the survey, consumers and investors are still positive about the long-term value of leading cryptocurrencies. Researchers from the Financial Industry Regulatory Authority (FINRA)57 emphasize that people have recently become more optimistic about digital assets and plan to increase their holdings.

55

Janczuk-Gorywoda in Hacker et al. (2019), pp. 267, 269. See Redman (2019). 57 The Financial Industry Regulatory Authority (FINRA) is an independent, nongovernmental organization that writes and enforces the rules governing registered brokers and broker-dealer firms in the United States. 56

642

A. Plevri

On 5 March 2019, researchers from Sharepost disclosed data they have recorded from a survey that involved 1,018 consumers and 96 accredited and institutional investors. More than 30% of investors surveyed revealed, that they owned at least $25,000 in bitcoin (BTC), and 20% polled owned a similar amount of ethereum (ETH). Individuals surveyed also revealed the most popular coins they own mimic the current cryptocurrency market cap, with BTC, ETH, and XRP58 dominating respectively. Most surveyed participants asserted there was a great likelihood of crypto prices rebounding. Another interesting discovery was that 39% of the investors and 46% of the consumers surveyed believe that one day their employers will use blockchain technology to some degree. Other key findings are that “money transfer and payments” are the top categories for blockchain’s ultimate disruption. Surveyed investors believe widespread crypto and blockchain adoption will take place in 2025. A good majority of folks polled said they want governments to give better clarity on industry regulations as well. In addition, 43% of investors expect regulations governing cryptocurrencies to improve looking ahead and nearly 75% of those surveyed expect greater clarity from regulators about cryptocurrency, states the report. The survey concludes that investors are willing to bet big on BTC and consumers are diversifying. 80% or more of investors see Coinbase as the most successful exchange,” while Binance held second place for both groups of participants surveyed.

8 Consumer Risks Associated With Cryptocurrencies The EBA has identified several risks that consumer should be aware of when buying, holding, or trading virtual currencies: These are the following: • Consumers may lose their money on the exchange platform. To purchase virtual currencies, one may buy virtual currencies directly from someone who owns them or through an exchange platform which tend to be unregulated and may go out of business or even failed - in some instances due to hacking. This way, there is a high risk for consumers to lose money held on these platforms.59 • Exchange platforms are not banks that hold their virtual currency as a deposit, which means that if an exchange platform loses any money or fails, there is no specific legal protection (e.g., through a deposit guarantee scheme) that covers losses arising from any funds consumers may have held on the exchange platform, even when the exchange is registered with a national authority.

58 XRP is an independent digital currency that is used to facilitate transactions on the Ripple Network. The technology behind the cryptocurrency is called XRP Ledger and acts as the blockchain in which the XRP token reside. The ledger is community-based which means only users can decide whether it succeeds or fails. 59 See European Banking Authority (2013) p. 2.

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

643

• Virtual currencies which a consumer has bought are stored in a “digital wallet,” on a computer, laptop, or smart phone. Digital wallets have a public key and a private key or password that allows access. Those digital wallets however are not impervious to hackers, so similar to conventional wallets, money may be stolen from “digital wallets” too. According to an EBA warning, cases have been reported of consumers losing virtual currency of more than US $1 million, with little prospect of having it returned.60 More over the loss of the key or password of a “digital wallet,” means that the virtual currency may be lost forever since there are no central agencies that record passwords or issue replacement ones. • When using virtual currencies as a means of payment for goods and services there is no protection by any refund rights under the EU law, for example, for transfers from a conventional bank or other payment account. Having said, that unauthorized or incorrect debits from a “digital wallet” cannot usually be reversed. Acceptance of virtual currencies by retailers is also not permanently guaranteed and is based on their discretion and/or contractual agreements, which may cease at any point and with no notice period.61 • There is no doubt that the value of virtual currencies can change quickly and could even drop to zero. It is well known that the price of bitcoins and other virtual currencies has risen sharply. This has prompted some consumers to choose to invest in them. However, the value of virtual currencies is subject to extreme price volatility and have shown clear signs of a pricing bubble; it can easily go down as well as up. Should the popularity of a particular virtual currency go down, e.g., if another virtual currency becomes more popular), then it is quite possible for the value of virtual currencies to drop sharply and may be permanently. The currencies’ price volatility affects consumers who buy virtual currencies as a means of payment, so consumers should be aware that there is a high risk that they will lose a large amount, or even all, of the money invested. Unlike money paid into a traditional bank or payment account denominated in a fiat currency, consumers cannot be assured that the value of the virtual currency funds remains largely stable.62 • Another important risk consumers should be aware of is that transactions in a virtual currency may be misused for criminal activities, including money laundering. Transactions in virtual currencies are actually public but this is not the case for the owners and recipients of these transactions. Moreover, transactions in a virtual currency are largely untraceable, and provide virtual currencies consumers with a high degree of anonymity, so it is possible that the virtual currency network will be used for transactions associated with criminal activities, including money laundering. For the above misuse, law enforcement agencies may decide to close exchange platforms and prevent consumers from accessing or using any funds that the platforms may be holding for them.

60

Ibid. Ibid pp. 2–3. 62 Ibid, p. 3. 61

644

A. Plevri

• The fact that decentralized digital transactions are anonymous and irreversible means that an erroneous transaction, e.g., if the payment sent to the wrong payee, can never be reimbursed.63 • Lastly, consumers should be aware that holding virtual currencies may have tax implications, such as value added tax or capital gains tax. Another consideration relates to whether tax liabilities are incurred in the country where the consumer uses virtual currencies64 as opposed to their country of residence. More recently, on 12 February 2018, the European Supervisory Authorities (ESAs) for securities (ESMA), banking (EBA), insurance and pensions (EIOPA) have warned consumers of risks in buying virtual currencies via a pan-EU warning.65 More specifically, ESAs have noted that “VCs currently available are a digital representation of value that is neither issued nor guaranteed by a central bank or public authority and does not have the legal status of currency or money” and warned consumers that virtual currencies are highly risky and unregulated products and are unsuitable as investment, savings or retirement planning products. As already noted, virtual currencies and exchanges where consumers can trade are not regulated under the EU law. On the contrary they are extreme volatile, entail a “bubble risk” and are absence of protection. Consequently, consumers buying virtual currencies do not benefit from any protection associated with regulated financial services. For example, if a virtual currency exchange goes out of business or consumers have their money stolen because their virtual currency account is subject to a cyber-attack, there is no EU law that would cover their losses. Moreover, virtual currency exchanges have been subject to severe operational problems in the past. During these disruptions, consumers have been unable to buy and sell their virtual currencies when they wanted to (lack of exit options) and have suffered losses due to price fluctuations during the period of disruptions (lack of price transparency, misleading information, etc.). Considering the above, the ESAs are concerned that an increasing number of consumers are buying virtual currencies while unaware of the risks involved.

9 Conclusion The goal of establishing a monetary payment system free of intermediaries, in particular free of the involvement of established financial institutions and independent of governments, “gave birth” to blockchain technology which has developed faster than the law. As of yet, there are no EU-specific regulations targeting cryptocurrencies, resulting in legal uncertainty and facilitating unlawful actions.

63

Janczuk-Gorywoda in Hacker et al. (2019), p. 268. European Banking Authority (2013), p. 3. 65 European Banking Authority (2018). 64

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

645

Legal certainty on the status of crypto assets, their ownership, their “transportation” as well as on the nature of smart contracts is crucial. When determined this certainty will be a critical step in the future application of private law to transactions involving cryptocurrencies. Legal certainty is yet to achieved on jurisdictional issues of crypto assets. Some jurisdictional issues on crypto assets in litigation have been established so far and there are others still need to be addressed. As already mentioned, in November 2019, the UKJT published its legal statement, identifying key questions that needed to be answered about English law’s approach to crypto assets and smart contracts. The report was described by Sir Geoffrey Vos, the Chancellor of the High Court, as something that no other jurisdiction had attempted.66 While the document is not a legal precedent, the aim of the legal statement was to afford a degree of “legal certainty.” Furthermore, in December 2019, the landmark cryptocurrency case of AA v Persons Unknown & Ors67 [endorsed and approved the UKJT’s analysis of crypto assets and recognized it as “property.” As such, a proprietary injunction was granted over the crypto assets. This was a multijurisdictional matter including—but not limited to—regions such as Canada, BVI, and the UK. Litigation and crypto assets are obviously a complex matter, on which many issues need to be addressed. These include for example, the extent to which courts will be asked to grant innovative legal arguments to secure crypto assets in the future. Another issue is that of establishing identities of those holding the bitcoin in question. A competent court needs to hear applications made by lawyers to direct relevant exchanges to produce information. This will prompt exchanges to assess whether they have a duty to comply, depending on the jurisdiction they are based and the governing law. Another problem is tracing crypto assets. This can be a challenging task for courts, given the fact that crypto assets are held on a blockchain where there is no intermediary (such as a bank) to apply freezing injunctions and to secure those assets once they are frozen. Another important jurisdictional issue is how to establish the grounds for a certain jurisdiction under Civil Procedure Rules. All these issues and problems are included in the context of “Crypto asset litigation”68 which is a new area in which tailor-made solutions, suitable remedies and to an extent certain regulatory measures are needed. Moreover, the adoption of bitcoin and other virtual currencies is quite low even among consumers who are aware of them. Virtual currencies are not yet appealing enough to encourage many consumers to obtain, hold, and use them. Lastly, as already noted, consumers can not actually be fully protected when using virtual currencies as a means of payment but there are certain “protection levels” that may be attained These “layers of protection” include: (1) consumers who buy virtual currencies should be fully aware and understand their specific characteristics, (2) consumers should not use “real” money (in fiat currency) that they cannot 66

See Ravelli (2020). [2019] EWHC. 68 See Ravelli (2020). 67

646

A. Plevri

afford to lose, (3) a consumer should exercise the same caution with the digital wallet as he/she would do with the conventional wallet or purse, (4) consumers should not keep large amounts of money in the digital wallet for an extended period of time, and ensure that they keep it safe and secure and (5) consumers should familiarize themselves with the ownership, the business model, the transparency and the public perception of the exchange platforms that they are considering using.69

References Brown R (2015) A simple model for smart contracts, https://gendal.me/2015/02/10/a-simplemodel-for-smart-contracts/; 20 Accessed June 2020 Christidis K, Devetsikiotis M (2016) Blockchains and smart contracts for the internet of things, 4 IEEE Access, 2295 Communication from the Commission to the European Parliament, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions, FinTech Action Plan: For a More Competitive and Innovative European Financial Sector, COM (2018) 109 final, available at: https://ec.europa.eu/transparency/regdoc/rep/1/ 2018/EN/COM-2018-109-F1-EN-MAIN-PART-1.PDF, Accessed 15 June 2020 De Filippi P, Wright A (2018) Blockchain and the Law: Τhe Rule of Code. Harvard University Press, Cambridge European Banking Authority (2013) Warning to consumers on virtual currencies, 12 December 2013, Available at: https://eba.europa.eu/sites/default/documents/files/documents/10180/ 598344/b99b0dd0-f253-47ee-82a5-c547e408948c/EBA%20Warning%20on%20Virtual% 20Currencies.pdf?retry¼1, Accessed 20 June 2020 European Banking Authority (2014) Opinion on “virtual currencies”, Available at: https://eba. europa.eu/sites/default/documents/files/documents/10180/657547/81409b94-4222-45d7-ba3b7deb5863ab57/EBA-Op-2014-08%20Opinion%20on%20Virtual%20Currencies.pdf?retry¼1, Accessed 20 June 2020 European Banking Authority (2018) ESAs warn consumers of risks in buying virtual currencies, Available at: https://eba.europa.eu/esas-warn-consumers-of-risks-in-buying-virtual-currencies, Accessed 20 June 2020 European Banking Authority (2019) Report on crypto-assets, Available at: https://eba.europa.eu/ sites/default/documents/files/documents/10180/2545547/67493daa-85a8-4429-aa91e9a5ed880684/EBA%20Report%20on%20crypto%20assets.pdf, Accessed 20 June 2020 European Central Bank (2012) Virtual currency schemes. Available at: https://www.ecb.europa.eu/ pub/pdf/other/virtualcurrencyschemes201210en.pdf, Accessed 15 June 2020 European Commission (2017) Consumer Financial Services Action Plan: Better Products, More Choice, COM/2017/013 final, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/? uri¼COM:2017:139:FIN, Accessed 20 June 2020 European Parliament (2016) Virtual Currencies, Resolution of 26 May 2016, 2016/2007 (INI), Available at: https://www.europarl.europa.eu/doceo/document/TA-8-2016-0228_EN.html, Accessed 20 June 2020 Grundmann ST, Hacker PH (2017) Digital technology as a challenge to European contract law. Eur Rev Contract Law 13:280 et.seq Hacker PH, Lianos I, Dimitropoulos G, Eich S (2019) Regulating blockchain, techno-social and legal challenges, 1st edn. Oxford University Press, Oxford. https://www.linklaters.com/en/

69

(EBA) (2013) Warning to consumers on virtual currencies, 12 December 2013, p. 3.

27

Consumer Protection and Digital Currencies in the EU: A Comparative. . .

647

insights/blogs/fintechlinks/2019/november/uk-confirms-legal-status-of-crypto-assets-andsmart-contracts, Accessed 20 June 2020 IMF Staff Discussion Note (2016) Virtual currencies and beyond: initial considerations, Available at: https://www.imf.org/external/pubs/ft/sdn/2016/sdn1603.pdf, Accessed 20 June 2020 Law Library of Congress, Global Legal Research Center (June 2018) Regulation of cryptocurrency around the World, Available at: https://www.loc.gov/law/help/cryptocurrency/world-survey. php, Accessed 20 June 2020 Linklaters (2019) UK confirms legal status of cryptoassets and smart contracts, Available at Lytras CH (2020) English High Court judgment paved the way for crypto-litigation, LegalTech, Available at: http://www.legaltechcy.com/english-high-court-judgment-paved-the-way-forcrypto-litigation/?fbclid¼IwAR3bhwMKFRdTychTx9GGCcRUmYSlXKEpfB_ 5fajipZiI4aHrN4TimKsYuz8#_ftn1, Accessed 20 June 2020 Ravelli R (2020) Cryptoassets and litigation, Available at: https://www.lexology.com/library/detail. aspx?g¼a87f74b6-c192-41af-8468-b596665b19e6, Accessed 20 June 2020 Redman J (2019) Survey shows consumers and investors remain bullish on the future of cryptos, Available at: https://news.bitcoin.com/survey-shows-consumers-and-investors-remain-bullishon-the-future-of-cryptos/, Accessed 20 June 2020 Smithin J (2000) What is money? Routledge, London The Brooklyn Project (2018) Framework for the establishment of consumer tokens, Working Paper, Available at: https://static1.squarespace.com/static/5a329be3d7bdce9ea2f3a738/t/ 5b9a09b50ebbe8e9409e291a/1536821696423/The+Brooklyn+Project%E2%80%94Frame work+Version+1+09_06_18.pdf , Accessed 20 June 2020 UK Jurisdiction Taskforce (UKJT), Legal statement on the status of cryptoassets and smart contracts under the law of England and Wales, Available at: https://www.linklaters.com/en/ insights/blogs/fintechlinks/2019/november/uk-confirms-legal-status-of-crypto-assets-andsmart-contracts, Accessed 20 June 2020 Vardi N (2016) Bit by bit: accessing the legal nature of virtual currencies in Bitcoin and mobile payments: constructing a European Union framework edited by Gabriella Gimigliano. Palgrave, Macmillan