What Canadian Businesses Should Know About Europe’s New Data Protection Laws

Presented by Dr. Wolfgang Spoerr, Hengeler Mueller Berlin

Moderated by Bill Hearn, Fogler Rubinoff LLP Toronto

January 24, 2018

OVERVIEW

Part 1: Where do we stand?: GDPR – Evolution or Revolution?

Part 2: The GDPR within the Digital Economy

Part 3: New Concepts and Controversial Issues

Part 4: Transatlantic Topics

Part 5: Enforcement

Part 6: Obligations of Data Controllers and Data Processors

Part 7: Data Protection and Beyond

2 Part 1: Where do we stand?: GDPR – Evolution or Revolution?

3 PART 1: WHERE DO WE STAND? GDPR – Evolution or Revolution?

Data Protection Directive 95/46/EC (DPD) → General Data Protection Regulation EU 2016/679 (GDPR)

• Entered into force on 24 May 2016 and will apply from 25 May 2018
• Directive vs. Regulation → direct application
• Applies to non-EU-based organizations whenever an EU resident’s personal data is processed in connection with goods or services offered to him/her (even if for free) or the behavior of individuals within the EU is “monitored”

Directive 2002/58/EC on Privacy and Electronic Communications (ePD) → ePrivacy Regulation (ePR)

• Proposal text published in January 2017
• Still in the law-making procedure, won‘t enter into force until 2019
• Directive vs. Regulation → direct application
• Complements the GDPR, addresses specifically electronic communication matters (secrecy of telecommunication)

4 PART 1: WHERE DO WE STAND? ECJ Case Law and National Implementation

Case Law – European Court of Justice (ECJ)

• Case-by-case approach
• Cases come from all over Europe: challenge to consistency between EU Member States
• General tendency: broad interpretation of the scope of data protection laws (broad definition of personal data) and narrow interpretation of exceptions for lawful processing
• Landmark cases:
  – Google Spain (C-131/12)
  – Digital Rights Ireland (C-293/12, C-594/12)
  – Schrems (C-362/14)

National Legislation and Case Law

• GDPR allows Member States to legislate in many areas → uncertainty about the application of the DPD and the connected legislation
• Main legal source: Federal Data Protection Act (BDSG), implements the DPD
• The GDPR will completely replace the BDSG/DPD
• Landmark cases:
  – Fundamental right to the guarantee of the confidentiality and integrity of information technology systems (1 BvR 370/07, 1 BvR 595/07)
  – KG Berlin: “WhatsApp” and “Facebook”

5 Part 2: The GDPR within the Digital Economy: EU Political Agenda – Single Market or Fortress Europe?

6 PART 2: THE GDPR WITHIN THE DIGITAL ECONOMY A Digital Single Market Strategy for Europe

7 PART 2: THE GDPR WITHIN THE DIGITAL ECONOMY Building a “Fortress Europe” for the digital economy?

• Digital Single Market Strategy provides only a cursory mention of the wider, non-EU international environment
• While the Commission's proposals for a unified on-line EU could provide benefits across the EU, both for consumers and businesses, there would be dangers if this were to develop inconsistently with wider world-wide standards
• EU might become a “fortress” or “walled garden” with a different legal framework to much of the rest of the world
• GDPR rules / revision of the Safe Harbour Framework clearly designed with North American/US firms (Google, Facebook, WhatsApp) in mind
• However, the strategy was deliberately called “single market” and not “internal market” to underline that building a “fortress Europe” is not the Commission’s intention

8 PART 2: THE GDPR WITHIN THE DIGITAL ECONOMY Rights in Data – General Challenges

Ascertainability of data as subject of transactions
• Connecting factor: Content or embodiment?
• Pre-existing rights
• Assignment of authority to use (exploitation and exclusivity)
• Authority to dispose and control

Diverging interests
• Data subjects (regarding personal data): …, public data protection
• Intermediaries such as platform operators: Control, usage („right to monetize“), licensing, disposability
• Service suppliers and product providers: Control, usage („right to monetize“), licensing, disposability

Macroeconomic aspects
• Legal certainty
• Incentives regarding technical advance
• No hold-ups (prohibitive licensing effort)

9 Part 3: New Concepts and Controversial Issues

10 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES GDPR Central Concepts and Key Changes – Overview

• Data protection by design and increased accountability
• Transparency and consent as central requirements
• Enhanced rights of data subjects
• Expanded definitions of personal and sensitive data
• Data breach notifications
• Prohibition as the principle – lawful processing as the exception (“Verbot mit Erlaubnisvorbehalt”)
• Drastic sanctions

11 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Data Protection Principles

12 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Lawfulness of Processing and Further Processing

Prohibition as the principle – lawful processing as the exception

The use of personal data is subject to a preventive ban with permit reservation! The grounds for processing personal data under the GDPR broadly replicate those under the DPD; processing shall be lawful only if and to the extent that at least one of the following applies:
• Consent of the data subject
• Necessary for the purposes of legitimate interests
• Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract
• Necessary for compliance with a legal obligation
• Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent
• Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

13 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Consent – not an easy option!

Consent – GDPR’s high requirements

• Freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or by a clear affirmative action (Art. 4 no. 11 GDPR)
• Obligation on data controller to demonstrate that data subject has consented, Art. 7 GDPR
• Implied consent possible except for processing of sensitive data which requires explicit consent, Art. 9 (2) GDPR
• Data subject must have genuine, free choice and be able to withdraw consent without detriment

Crisis of the digital consent

• Too much consent: Data subjects click on consent requests without examination
• Too digital: In many cases, a simple yes/no option is not enough
• Specification/transparency/flexibility: Pick any two! (Future) uses must be described in detail but still in a clear, easily accessible form

14 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Consent – not an easy option!

How to design consent under the GDPR

• Granular consent: In browser interfaces and on websites, consent can be broken down into various topics (e.g. use of location, third party advertising)
• Design interfaces that implement granular and intelligible consent options
• Privacy by default: Pre-tick the "right" boxes – flip the sliders to privacy

Prohibition of Coupling of Consent – Art. 7(4) GDPR
• Such consent to the processing of personal data which is not necessary for the fulfillment of the contract is considered as not freely given and therefore ineffective
• Not limited to companies with significant market power or essential services (however, such consent might still be considered as freely given; assessed on a case-by-case basis)
• Best Practice: Specific and transparent design of contracts and consent required – especially given the high fines introduced by the GDPR!

15 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Prohibition of Coupling of Consent – Potential Loop Holes from Art. 7(4) GDPR

Establishing data as consideration
• Personal data could be categorized as an equivalent consideration for the service provided
• In line with a current EU draft establishing personal data as payment method (Art. 3(1) DIR COM(2015) 634 on digital content)
• Service providers could no longer claim that their service is “free of charge“; requires a transparent, unambiguous communication towards the customer in order for the data subject to freely consent

Characterizing data exchange as essential part of the contract itself
• Service in exchange for data could be included as an essential part of the contract itself
• Art. 6(1) lit. b GDPR (processing necessary for the performance of a contract) could be the basis for data processing (and not consent!)
• Requires the data subject to be informed in a transparent, unambiguous way that data processing is an essential part of the contract

16 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Information obligations when collecting consent

Art. 13 GDPR: If personal data are obtained from the data subject, information about:
• identity and contact details of the controller and contact details of the data protection officer,
• purpose of processing, legal basis, legitimate interests (if applicable), recipients or categories of recipients,
• data transfer to third countries, change of purpose, further required information (e.g. storing period)

Data subject must give informed consent

• Recital 42: For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended
• Legal literature: Consent likely to be invalid if information under Art. 13 GDPR not provided beforehand
• Best Practice: In case of new consent solicitation, provide information under Art. 13 GDPR
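The consent-design rules above (granular options, privacy by default, consent the controller can demonstrate under Art. 7, the Art. 7(4) coupling prohibition) and the Art. 13 notice requirement can be turned into a small consent register. The following Python is an added illustration, not code from the presentation or from Hengeler Mueller; the class and function names, the purpose keys and the sample shop purposes are assumptions made for the example.

```python
"""Consent register: added illustration of the consent-design rules and the
Art. 13 information duties discussed above. Not code from the original deck;
every class, function and sample value here is an assumption for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Purpose:
    key: str
    description: str
    # Processing necessary to perform the contract rests on Art. 6(1)(b) GDPR;
    # it must not be pushed through a consent checkbox.
    necessary_for_contract: bool = False


@dataclass
class ConsentRecord:
    subject_id: str
    purpose_key: str
    given_at: datetime
    notice_version: str   # version of the Art. 13 notice shown when consenting
    method: str           # the affirmative act, e.g. "checkbox" or "slider"
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """Stores granular, withdrawable consents so the controller can demonstrate
    them (Art. 7(1)) and can find consents that need renewal."""

    def __init__(self, purposes: List[Purpose], notice_version: str):
        self.purposes: Dict[str, Purpose] = {p.key: p for p in purposes}
        self.notice_version = notice_version
        self.records: List[ConsentRecord] = []

    def default_choices(self) -> Dict[str, bool]:
        """Privacy by default: every optional purpose starts switched off;
        the subject has to make a clear affirmative action to switch it on."""
        return {k: False for k, p in self.purposes.items()
                if not p.necessary_for_contract}

    def coupling_violations(self, required_purposes: List[str]) -> List[str]:
        """Art. 7(4): a contract may only make purposes mandatory that are
        necessary for it; forced consent for anything else is not freely given.
        Returns the offending purpose keys."""
        return [k for k in required_purposes
                if not self.purposes[k].necessary_for_contract]

    def record_consent(self, subject_id: str, purpose_key: str, method: str,
                       now: Optional[datetime] = None) -> ConsentRecord:
        purpose = self.purposes[purpose_key]
        if purpose.necessary_for_contract:
            raise ValueError(f"{purpose_key} relies on Art. 6(1)(b), not on consent")
        rec = ConsentRecord(subject_id, purpose_key,
                            now or datetime.now(timezone.utc),
                            self.notice_version, method)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose_key: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal without detriment: it only closes the consent record;
        contract-necessary processing is unaffected."""
        for rec in self.records:
            if (rec.subject_id == subject_id and rec.purpose_key == purpose_key
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = now or datetime.now(timezone.utc)

    def may_process(self, subject_id: str, purpose_key: str) -> bool:
        if self.purposes[purpose_key].necessary_for_contract:
            return True  # lawful under Art. 6(1)(b) without consent
        return any(r.subject_id == subject_id and r.purpose_key == purpose_key
                   and r.withdrawn_at is None for r in self.records)

    def needing_renewal(self) -> List[ConsentRecord]:
        """Active consents collected under an older Art. 13 notice: candidates
        for the 'renew and adjust' best practice where processing has evolved."""
        return [r for r in self.records
                if r.withdrawn_at is None and r.notice_version != self.notice_version]


# Constructed sample purposes for an online shop (assumption, not from the deck).
SAMPLE_PURPOSES = [
    Purpose("order_fulfilment", "Process address and payment to deliver the order", True),
    Purpose("location_ads", "Use device location for localised advertising"),
    Purpose("third_party_ads", "Share browsing data with advertising partners"),
]


def demo() -> Dict[str, object]:
    """Walk one subject through opt-in, withdrawal and a notice change."""
    reg = ConsentRegister(SAMPLE_PURPOSES, notice_version="v2")
    out: Dict[str, object] = {"defaults": reg.default_choices()}
    out["before"] = reg.may_process("user-1", "location_ads")
    reg.record_consent("user-1", "location_ads", "checkbox")
    out["after"] = reg.may_process("user-1", "location_ads")
    reg.withdraw("user-1", "location_ads")
    out["after_withdrawal"] = reg.may_process("user-1", "location_ads")
    out["contract_ok"] = reg.may_process("user-1", "order_fulfilment")
    out["coupling"] = reg.coupling_violations(["order_fulfilment", "third_party_ads"])
    reg.record_consent("user-1", "third_party_ads", "slider")
    reg.notice_version = "v3"  # notice re-issued, e.g. because processing evolved
    out["renewal_needed"] = [r.purpose_key for r in reg.needing_renewal()]
    return out
```

Each record keeps who consented, when, by which affirmative act and under which notice version, which is what a supervisory authority will ask for under Art. 7(1); the coupling check is the piece to run at contract-design time, before any checkbox is shown.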

17 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Revision of existing consent declarations necessary in certain cases

Existing consent declarations and the GDPR
• GDPR: no express provision → legal uncertainty
• Recital (171): Where processing is based on consent […], it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation […]
• Recital (42): [T]he controller [should] be able to demonstrate that the data subject has given consent to the processing operation
• Düsseldorfer Kreis (conference of federal and state data protection authorities): Not necessary to comply with information requirements of Art. 13 GDPR if consent had been validly provided

Best Practice: Renew and adjust consent declarations at least
• where processing has evolved;
• where consent had arguably not been provided validly;
• where a company uses a variety of different consent declarations or has not properly documented consent.

18 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Legitimate Interests as a way to circumvent consent requirements

Legitimate interests as legal grounds for lawful processing
• Data processing is often based on consent – but there is no hierarchy between legal grounds
• The recitals give examples for the legitimate interest of a data controller; these include:
  – Recital 47: processing for direct marketing purposes or preventing fraud
  – Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data
  – Recital 49: processing for ensuring network and information security

GDPR – stricter requirements

• Where legitimate interests are relied on in relation to specific processing operations, this will now need to be set out in relevant information notices (Art. 13 GDPR)
• Individuals are able to object to processing based on legitimate interests → the burden now lies on data controllers to prove they have compelling grounds to continue processing data (Art. 21 GDPR)

19 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Sensitive Data and Children

Lawful processing of sensitive data

• The grounds for processing sensitive data under the GDPR broadly replicate those under the DPD, although there are wider grounds in the area of health and healthcare management
• Special categories of personal data (sensitive data) now expressly include “genetic data” and “biometric data” where processed “to uniquely identify a person”

Children

• The GDPR identifies children as “vulnerable individuals” deserving of “specific protection”, but in practice there is little new harmonization offered
• Where online services are provided to a child and consent is relied on as the basis for the lawful processing of his or her data, consent must be given or authorized by a person with parental responsibility for the child
• The GDPR does not prescribe the age at which a person is considered to be a child
• Substantive restrictions will likely come from either existing or new national laws or codes of conduct

20 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Individual Rights

21 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Data Protection Right – Data Ownership

No establishment of “data ownership“ through data protection right

• German data protection right only recognizes personal data
• Not recognized: “machine data“ generated by Industry 4.0
• German data protection right should not establish exclusive exploitation rights
• German Federal Constitutional Court: „Individuals have no right in the sense of absolute, unrestricted control over ‚their‘ data […]“

Data protection right as a potential limitation to usage

• Informational “self-determination“ of data subjects is protected („Schutz der informationellen Selbstbestimmung“)
• Comparison with physical property in German law: Entitlement „to the extent that a statute or third-party rights do not conflict with this“ (Sec. 903, first sentence German Civil Code)
• Comparison with limits and exceptions in Copyright Law
• Establishment of „data ownership“ probably would change none of the above

22 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Outlook: Regulation Proposals on Data Ownership

European Commission – building a data economy
• Establishment of a “data producer right“
• Exclusive right regarding anonymised personal data or machine data possible
• Criterion of allocation: Investment
• Challenge: Clear distinction

Federal Ministry of Transport and Digital Infrastructure – Strategy Paper „Digital Sovereignty“ („Strategiepapier Digitale Souveränität“)
• Limited to mobility sector
• Data sovereignty (“Datensouveränität“): Equality of data and physical objects regarding allocation of ownership by a “data law“ (“Datengesetz“)
• “Public data is open data“

Federal Ministry for Economic Affairs and Energy – Whitepaper Digital Platforms („Weißbuch Digitale Plattformen“)
• Legal certainty: Focus on accessibility of data instead of exclusivity in terms of usage
• Avoidance of obstructive restrictions on competition, strengthening limits and exceptions against rights in data

23 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Draft ePrivacy Regulation (ePR) – Fundamental questions remain open

Objectives

• Updating rules on secrecy of telecommunication and application to OTT services
• Replacing annoying and senseless "cookie banners“ of the ePD ("Cookie Directive“)

Important Rules

• Applies to pseudonymous and anonymous data
• For use of personal online communication related data, consent under GDPR is required: Opt-in only
• Exceptions: Session cookies (e.g. for log-in), web analytics, measuring coverage of a website
• No exceptions: Tracking for retargeting, targeted advertising, machine-to-machine communication

24 PART 3: NEW CONCEPTS AND CONTROVERSIAL ISSUES Draft ePrivacy Regulation (ePR) – Controversial Issues

Specific Discussion Points
• Tracking (e.g. cookies): Enforcement of "Do Not Track" – no tracking allowed
• Prohibition of coupling, e.g. tracking walls: Consent to the use of data in exchange for a service
• Privacy by default: "Do Not Track" as default
• Offline tracking only with consent
• Encrypted communication to be decrypted by receiver only
• Commercial use of metadata by communication platforms

Possible Effects and Market Player Reactions
• Advantage of log-in based services (e.g. Facebook, Google) → will they gain even more market share?
• Solution: Log-in alliances of media houses and service providers? Verimi (Axel Springer, Daimler, Deutsche Bank) and RTL/Pro7/UI
• Log-in necessary for multi-device tracking but also avoids cookie / tracking consent rules

25 Part 4: Transatlantic Topics

26 PART 4: TRANSATLANTIC TOPICS Regulators and Supervisory Authorities in the EU – No clear cut competences

One‐Stop‐Shop / Lead Authority
• National data protection authorities (supervisory authorities) monitor the application of the GDPR on their own territory if processing is carried out in a single Member State or only data subjects in a single Member State are concerned
• In case of multiple establishments or cross-border processing in the EU the competence lies with a lead authority (at the company’s main establishment); local supervisory authorities can be involved
• Establishment of a European Data Protection Board (EDPB) to replace the Art. 29 Working Party

[Diagram: lead supervisory authority at the main establishment (or single establishment); cross-border processing through further establishments]

27 PART 4: TRANSATLANTIC TOPICS Regulators and Supervisory Authorities in the EU – Relevant Definitions

According to Art. 4 (23) GDPR, “cross‐border processing” means either:
• Processing activities in more than one Member State + controller or processor is established in more than one Member State; or
• Processing activities of a single establishment of a controller or processor in the Union which substantially affects or is likely to substantially affect data subjects in more than one Member State.
• GDPR does not define “substantially affect” → Decision on a case-by-case basis. This decision shall take into account:
  – context and purpose of the processing
  – type of data
  – the likely effects of the processing

According to Art. 4 (16) GDPR, “main establishment” is:
• In general the place of the central administration of the organisation
• Exception: another establishment has the power to take the decisions about the purposes and means of the processing

28 PART 4: TRANSATLANTIC TOPICS Limitations on International Transfers of Personal Data

• The GDPR’s obligations are broadly similar to those imposed by the DPD → Transfers of personal data to recipients in countries outside the European Economic Area (“EEA” / “third countries”) continue to be regulated and restricted (also intra-group!)
• Data can be transferred only under: (1) Commission Adequacy Decisions like the one used to give effect to the EU-US Privacy Shield (Art. 45 GDPR) or (2) Existence of appropriate safeguards such as EU Model Clauses or Binding Corporate Rules (“BCRs”) for intra-group transfers (Art. 46 GDPR)
• The existing list of countries which have previously been approved by the Commission as ensuring an adequate level of protection will remain in force, namely: Canada (where PIPEDA applies)
• Data transfer compliance will remain a significant issue for multinational organizations and also for anyone using supply chains which process personal data outside the EEA
• Breach of the GDPR’s data transfer provisions is identified in the band of non-compliance issues for which the maximum level of fines can be imposed (up to € 20 million / 4% of worldwide annual turnover)

29 PART 4: TRANSATLANTIC TOPICS Limitations on International Transfers of Personal Data

No data transfers outside EEA unless specific conditions are met

30 PART 4: TRANSATLANTIC TOPICS Free Trade and Data Protection – Not an easy fit

GDPR and CETA
• CETA provides a number of broad and specific provisions to protect personal information; but Canadian and EU law on protecting personal data are different
• Canada-US link: significant transit of Canadian internet traffic through the US

GDPR and PIPEDA → adequacy for international data transfers
• Canada currently enjoys a partial “adequacy” designation to facilitate data transfers from the EU to Canada, if the organizations are subject to PIPEDA
• However, GDPR goes much further than just data transfers and has a different conceptual approach to many topics (i.e. consent, data portability, right to erasure)

Fundamental Rights and EU-Canada PNR agreement
• PNR Agreement permits the systematic and continuous transfer of PNR data of all airplane passengers flying between the EU and Canada
• ECJ: provisions of the agreement “do not meet requirements stemming from the fundamental rights of the European Union”

31 PART 4: TRANSATLANTIC TOPICS Free Trade and Data Protection – Not an easy fit

GDPR and TTIP
• In theory there should be no crossover since data protection is not central to TTIP
• Still, GDPR has been opposed at every stage by US tech giants like Microsoft and Google
• Question remains: Who will win the data protection wars?

GDPR and EU-US Privacy Shield
• Replacement of “Safe Harbour”
• Data Protection Principles, similar to European data protection law
• Written assurance of US security offices that data of EU citizens can only be accessed within limitations, not for
• Individual redress possibility through Ombudsperson
• Closer monitoring of compliance by FTC
• Enhanced legal remedies

32 Part 5: Enforcement

33 PART 5: ENFORCEMENT Drastic fines

Powers of Supervisory Authorities
• Supervisory authorities are given an extensive list of specific tasks and powers, especially: issuing warnings and reprimands and imposing drastic fines on both data controllers and data processors
• Fines are discretionary rather than mandatory and they may be imposed instead of, or in addition to, other measures ordered by the supervisory authorities
• Two tiers of administrative fines (tier 1: up to EUR 10 million or 2% of global turnover; tier 2: EUR 20 million or 4% of global turnover)

Relevant criteria for the decision on the amount of the fine
• the nature, gravity and duration of the infringement,
• the intentional or negligent nature of the infringement,
• actions taken by the controller/processor to mitigate the damages,
• the degree of responsibility of the controller/processor,
• the categories of personal data,
• whether the controller/processor notified the infringement.

34 PART 5: ENFORCEMENT Remedies and Liabilities

Remedies and liabilities under the GDPR

• Individuals have the following rights against controllers and processors:
  (1) Lodge a complaint with the supervisory authorities / the right to an effective judicial remedy where a competent supervisory authority fails to deal properly with a complaint
  (2) The right to an effective judicial remedy against a relevant controller or processor, including the right to compensation for material or immaterial damage from the controller or the processor
  (3) The potential for group actions to be brought is facilitated

Consumer and contractor litigation

• KG Berlin: WhatsApp Case → WhatsApp must provide terms and conditions in German
• Unfair Competition Act (UWG)
• Act on Cease and Desist Actions (UKlaG)

35 Part 6: Obligations of Data Controllers and Data Processors

36 PART 6: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS Data Protection as a Management Priority

37 PART 6: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS Data Governance Obligations

Privacy by design
• GDPR requires all organizations to implement a wide range of measures to reduce the risk of their breaching the GDPR and to prove that they have considered and integrated data compliance measures into their data processing activities
• These include accountability measures such as: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a Data Protection Officer (DPO)

Privacy Impact Assessments (PIAs)
• A PIA is an assessment to identify and minimize non-compliance risks; the concept is not new but the GDPR formalizes a requirement for PIAs to be run
• Specifically, controllers must ensure that a PIA has been run on any “high risk” processing activity before it is commenced – measured by the risk of infringing a data subject’s rights

Using service providers (data processors)
• GDPR imposes a high duty of care upon controllers in selecting their personal data processing service providers
• Requires procurement processes and requests for tender documents to be regularly assessed

38 PART 6: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS Information Obligations – Transparency matters!

If personal data are obtained from the data subject (Art. 13 GDPR), information about:
• Name and contact details of the controller
• Contact details of the data protection officer
• Purpose of processing
• Legal basis
• Legitimate interests (if applicable)
• Recipients or categories of recipients
• Data transfer to third countries (if applicable)
• Change of purpose (if applicable)
• Further required information, e.g. storing period or criteria

If personal data are not obtained from the data subject (Art. 14 GDPR):
• Content of information similar to Art. 13 GDPR
• Time frame:
  – Within a reasonable period (max. one month)
  – At time of first communication (if applicable)
  – When first disclosed to another recipient
• Four exceptions:
  – Prior information
  – Disproportionate effort
  – Provision by law
  – Confidentiality

Time‐independent right of access by the data subject (Art. 15 GDPR):
• Confirmation whether or not personal data are being processed
• Purpose of processing
• Categories of personal data
• Recipients or categories of recipients (if applicable)
• Period of storing or criteria
• Source (if data not obtained from the data subject)
• Existence of automated decision-making
• Appropriate safeguards for data transfers to third countries
• Copy of personal data undergoing processing

39 PART 6: OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS Personal Data Breaches and Notification

Incidents which trigger notification

Definition: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Notification to competent authorities: within 72 hours unless the breach is “unlikely to result in a risk for the rights and freedoms of natural persons”.

Notification to affected individuals: only where the breach is “likely to result in a high risk for the rights and freedoms of natural persons”.

Documentation requirements
• Data controllers must maintain an internal breach register
• Failure to meet the above requirements can lead to tier one fines (up to € 10 million or 2% of global turnover)
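As an added illustration of the breach-notification rule above (not code from the presentation or the firm): a breach register that documents every incident, derives the notification duties from the assessed risk and tracks the 72-hour deadline for the authority notification. The class and function names, the Risk categories and the two sample entries are assumptions made for the example; the deck gives no fixed deadline for notifying individuals, so none is computed for that duty.

```python
"""Breach register: added illustration of the notification rule above.
Not code from the deck; all names and the sample entries are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    """Risk assessment wording taken from the rule: the two quoted thresholds
    plus the middle case (a risk, but not a high one)."""
    UNLIKELY = "unlikely to result in a risk"
    RISK = "risk"
    HIGH = "high risk"


AUTHORITY_DEADLINE = timedelta(hours=72)


@dataclass
class BreachEntry:
    ref: str
    aware_at: datetime          # the 72-hour clock starts on becoming aware
    description: str
    risk: Risk
    authority_notified_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None


def duties(entry: BreachEntry) -> Dict[str, object]:
    """Map the risk assessment onto the two notification duties."""
    return {
        "notify_authority": entry.risk is not Risk.UNLIKELY,
        "notify_individuals": entry.risk is Risk.HIGH,
        "authority_deadline": entry.aware_at + AUTHORITY_DEADLINE,
    }


class BreachRegister:
    def __init__(self) -> None:
        self.entries: List[BreachEntry] = []

    def log(self, entry: BreachEntry) -> Dict[str, object]:
        # Every breach is documented, whether or not anyone must be notified.
        self.entries.append(entry)
        return duties(entry)

    def open_duties(self, now: datetime) -> List[Dict[str, object]]:
        """Notifications still outstanding, with the authority deadline flagged."""
        out: List[Dict[str, object]] = []
        for e in self.entries:
            d = duties(e)
            if d["notify_authority"] and e.authority_notified_at is None:
                deadline = d["authority_deadline"]
                out.append({"ref": e.ref, "duty": "authority",
                            "deadline": deadline, "overdue": now > deadline})
            if d["notify_individuals"] and e.individuals_notified_at is None:
                out.append({"ref": e.ref, "duty": "individuals",
                            "deadline": None, "overdue": False})
        return out


def utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


def sample_register() -> BreachRegister:
    """Two constructed entries (assumption): one low-risk, one high-risk."""
    reg = BreachRegister()
    reg.log(BreachEntry("BR-001", utc(2018, 5, 25, 10, 0),
                        "Lost laptop, disk encrypted, key not compromised", Risk.UNLIKELY))
    reg.log(BreachEntry("BR-002", utc(2018, 5, 25, 10, 0),
                        "Customer database exposed on a public file share", Risk.HIGH))
    return reg
```

Run `sample_register().open_duties(now)` from the incident-response checklist: the low-risk entry stays in the register with no duties, the high-risk one carries both duties and its authority notification turns overdue 72 hours after the time of awareness.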

40 Part 7: Data Protection and Beyond

41 PART 7: DATA PROTECTION AND BEYOND Industry 4.0 and Data – Technological Driving Forces

42 PART 7: DATA PROTECTION AND BEYOND Industry 4.0 and Data – Legal Challenges

• Fully automated conclusion of contracts via M2M?
• Liability and insurance for automated production? (E.g. German Road Transport Law: outdated concept of liability as owner („Halterhaftung“))
• Product liability for smart products?
• IT security?
• Big Data
• Protecting copyrights
• Standard-setting process and standard essential patents (especially for technical M2M communication)
• Difficulties when „bypassing“ established standards („design around“ and compulsory licenses?)

43 PART 7: DATA PROTECTION AND BEYOND GDPR within the legal landscape of the Digital Ecosystem

[Diagram: the Digital Ecosystem at the centre, surrounded by E-Health Regulation, E-Commerce Directive, Act against Unfair Competition, Trademark & Copyright Laws, Data Protection (GDPR, ePR), Contract Law & Consumer Protection, and Competition & Antitrust]

44 PART 7: DATA PROTECTION AND BEYOND IP / Database Rights

Pre‐existing rights

Sui generis database right (Sec. 87a et seqq. German Copyright Act)
• Collection of independent and individually accessible elements, arranged in a systematic or methodical way
• Substantial investment regarding obtaining, verification or presentation (not: generation) required

Copyright regarding database work („Datenbankwerk“)
• Possible to the extent that the database is the author‘s own intellectual creation („persönliche geistige Schöpfung“)

Challenges

• Individual data not included
• Existence of database as well as database right questionable regarding „Big Data“
• Extensive interpretation of database concept?
• Act takes outdated state of the art (early nineties) as a basis
  – Allocation problem (ownership) considering cross-linked value-added chains
  – Duration of protection: 15 years – adequacy?
  – Database whose content has been changed in a substantial manner is deemed to be a „new“ database (Sec. 87a para 1, second sentence German Copyright Act)

Effective legal protection against illicit usage of data collection

45 PART 7: DATA PROTECTION AND BEYOND German Legislator Pioneers Adjusting Competition Law to Data/Platform Economics

• Recent update of the German Competition Law (9. GWB-Novelle in 2017)
• A number of amendments are specifically tailored to regulatory challenges in connection with online platforms and similar issues in the digital age

• Updated market definition: a market does not require that a service is only provided for remuneration (aims at data economy, i.e. provision of services in return for personal data)
• Introduction of criteria for assessment of a dominant position specifically on multi-sided (i.e. platform) markets, such as: network effects, parallel-use/switching costs, access to data, innovation-driven competition
• Introduction of a merger-control threshold (> 400 Mio. EUR) that takes the purchase price into consideration (reaction to Facebook’s WhatsApp acquisition)
• Federal Cartel Office is currently investigating Facebook for abusing its dominant position on the market for social networks by requiring users to broadly consent to data collecting activities

46 PART 7: DATA PROTECTION AND BEYOND EU Commission – 2nd Copyright Package

• Sept. 2016 – Reviewed EU copyright rules

• Central elements of the proposal:
  – Regulation (online transmissions of broadcasting organizations & retransmissions of television/radio programs)
  – Directive (Copyright in the Digital Single Market; COM(2016) 593 final)

• Objectives of EU copyright proposal:
  – More cross-border access to content online
  – Wider opportunities to use copyrighted materials in education, research and cultural heritage
  – A better functioning copyright marketplace

47 PART 7: DATA PROTECTION AND BEYOND EU Copyright Package (Digital Single Market Directive) ‐ Art.11 Protection of News Publishers

• Commission draft includes ancillary copyright for press publishers
  – Press publishers receive exclusive rights for reproduction and making available to the public under the InfoSoc Directive with regard to “digital use of their press publications”
  – Rights expire after 20 years
  – Highly controversial within EU institutions mainly because of its detrimental effects on communication and information on the internet and lack of (economic) justification
  – Alternative to new neighboring right: Rebuttable presumption to allow publisher to be regarded as the person entitled to conclude licenses & enforce the rights of reproduction / making available to the public concerning the digital use of works

• Role model for EU approach is Germany’s ancillary right for press publishers
  – Introduced in 2013 and only applicable to making available of press publications by search engines and news aggregators (“Lex Google”)
  – Has so far proven futile for both economic and legal reasons; its validity is currently challenged before the CJEU

• Similar legislative approach in Spain
  – Spanish Copyright Code provides for an exception for news aggregators who in turn have to pay equitable and non-waivable remuneration
  – As a reaction Google shut down the Spanish version of Google News

48 PART 7: DATA PROTECTION AND BEYOND EU Copyright Package (Digital Single Market Directive) ‐ Art. 13 Platform duties

• Liability / duties (e.g. upload filter) for information society service providers that store and provide to the public access to large amounts of works or other subject-matter uploaded by their users
• Statements regarding the liability exemption of Art. 14 E-Commerce Directive “hidden” in recitals

• Open questions:
  – What happens if the parties cannot conclude contractual agreements?
  – No statement regarding the liability of the user uploading the content

• Problems:
  – Primary liability of platform if it goes beyond the mere provision of physical facilities? Liability exemption of Art. 14 E-Commerce Directive (-)? → Disastrous consequences (end of many business models)
  – Introduction of upload filters very problematic: very expansive; overblocking; so far only for music contents
  – Labels etc. may benefit, not authors
  – Prohibitive transaction costs – if platform has to negotiate with every single right holder

49 PART 7: DATA PROTECTION AND BEYOND Contractual Practice and Know‐how Protection

Contractual constructions

Inter partes effect
• Non-disclosure agreements
• Prohibition against passing on
• Restrictions on use
• Perpetuation within value-added chain through passing on the obligations mentioned above

Protection under the German Unfair Competition Act

Data (incorporated information) as „trade and industrial secrets“
• Every not in general and publicly known information related to business, if there is a will or interest in keeping it confidential
• Machine data is included
• (Narrow) protection against unauthorized disclosure as well as unauthorized acquisition and exploitation
• Widening through European Know-how Directive EU 2016/943

50 HENGELER MUELLER Intellectual Property / Information Technology Team (Berlin)

Dr. Albrecht Conrad, Partner, [email protected]
Prof. Dr. Wolfgang Spoerr, Partner, [email protected]
Dr. Matthias Berberich, Counsel, [email protected]
Fabian Seip, Counsel, [email protected]
Dr. Tobias Schubert, Senior Associate, [email protected]
Dr. Amit Datta, Associate, [email protected]
Cornelia Gersch, Associate, [email protected]
Jan Krusche, Associate, [email protected]

51 Berlin · Düsseldorf · Frankfurt · Munich · Brussels · London · Shanghai

Berlin: Behrenstraße 42, 10117 Berlin, Germany – Telephone +49 30 20374‐0, Telefax +49 30 20374‐333
Düsseldorf: Benrather Straße 18–20, 40213 Düsseldorf, Germany – Telephone +49 211 8304‐0, Telefax +49 211 8304‐170
Frankfurt: Bockenheimer Landstraße 24, 60323 Frankfurt am Main, Germany – Telephone +49 69 17095‐0, Telefax +49 69 17095‐099
Munich: Leopoldstraße 8–10, 80802 München, Germany – Telephone +49 89 383388‐0, Telefax +49 89 383388‐333
Brussels: Square de Meeûs 40, 1000 Bruxelles, Belgium – Telephone +32 2 7885‐500, Telefax +32 2 7885‐599
London: 30 Cannon Street, London EC4M 6XH, United Kingdom – Telephone +44 20 7429‐0660, Telefax +44 20 7429‐0666
Shanghai: Unit 3201, Wheelock Square, 1717 Nanjing West Road, Jing An, Shanghai 200040, China – Telephone +86 21 5203‐0800, Telefax +86 21 5203‐0810

www.hengeler.com