ICT Law Newsletter Number 51 – April 2015

FOCUS: EUROPE 2

• WP 29 defines the scope of Health Data collected by mobile apps and devices 2 • National legislations may extend broadcasting organizations’ exclusive right provided in the EU Copyright Directive 3 • Courts of a Member State where a work is accessible online have jurisdiction to hear case 4 • WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten” 5 • WP 29 document on a new co-operation procedure regarding contractual clauses 6

FOCUS: BELGIUM 7

• Belgian collecting society SABAM may not levy royalties on ISPs 7 • Bhaalu case: Flemish Media Regulator rules in favor of broadcasters Medialaan, SBS Belgium, and VRT in their suit against Right Brain Interface 8 • The UsedSoft decision of the European Court of Justice on the resale of software has been successfully alleged by the second acquirer 9

FOCUS: THE NETHERLANDS 10

• Google wins appeal in first Dutch ‘Right to be Forgotten’ case 10 • Bill submitted to increase penalty powers of the Dutch Data Protection Authority to EUR 810,000 or 10% of the annual turnover of certain legal entities 11 • Dutch DPA: Employment agencies violate the privacy of the temporary workers 12 • The Dutch House of Representatives requests Privacy Impact Assessment for new legislation 14

FOCUS: LUXEMBOURG 15

• A new bill on data retention 15

Judica Krikke Gérald Origer Erik Valgaeren

Partner Partner Partner T • +31 20 546 02 12 T • +352 26 61 81 11 T • +32 2 533 53 43 [email protected] [email protected] [email protected]

FOCUS: EUROPE

WP 29 defines the scope of Health Data collected by mobile apps and devices

In light of the Internet of Things, mobile apps that are enough information to draw conclusions on the health status installed in smartphones, other portable electronic devices, of the user, the opinion of the WP 29 warns of the and smartwear devices collect and process increasingly processing of data that are in the “grey zone”, i.e., where it large quantities of data – especially personal data. Among is not directly obvious in determining if the data collected these mobile apps, an increasing number of lifestyle apps can be considered health data. The WP 29 emphasizes are currently available. They collect a variety of data about accordingly that not only the type of data but especially the the user’s day-to-day activities (e.g., one’s health and intended use of data must be considered when assessing physical conditions, eating, sleeping, and workout habits). whether personal data qualifies as health data. In that way, These mobile app users are often not aware of the kinds of even low impact data can be considered health data when data that are being processed and the adverse effects the used (especially in combination with other data) to determine processing could have on their private life and reputation. the health status of the user. For example, an app for Therefore, the category health data is considered a special runners (e.g., Nike +) might only collect limited information category of sensitive data to which a higher level of about a user (i.e., the blood pressure level and speed), but protection applies. such information collected over a long period of time, combined with data on the user’s age and gender can be As a response to the request of the European Commission used to draw conclusions on the user’s health status. in the light of its mobile Health or mHealth initiative, the Article 29 Working Party (“WP 29”) gave its clarification on Because of the prohibition of processing health data under the scope of health data, as set out in Article 8 of the Data Article 8 of the Data Protection Directive, a data controller Protection Directive (Directive 95/46/EC). The WP 29 who intends to process health data needs to rely on one of clarifies that personal data is qualified as health data if it falls the derogations laid down in the same provision. According within the broad scope of one of the following categories or to the WP 29, the derogation that would most likely apply to description: this scenario would be when there is explicit consent of the data subject for such processing, provided that the data 1. The data is inherently/clearly medical data; subject is clearly informed about the intended use of his or her data. In addition, the opinion focuses on additional 2. The data are raw sensor data that can be used in itself or obligations (e.g., principle of purpose limitation and security in combination with other data to draw a conclusion obligations) that will need to be taken into account by data about the actual health status or health risk of a person; controllers (i.e., lifestyle app developers) when processing health data. 3. Conclusions are drawn about a person’s health status or health risk (irrespectively of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate). Michiel Van Roey

Although not all information collected through lifestyle apps Junior associate constitutes health data within the meaning of Article 8 of the T • +32 2 533 52 07 Data Protection Directive, e.g., an app that registers the number of steps one takes during a walk does not collect [email protected]

ICT Law Newsletter – Number 51 – April 2015 2 FOCUS: EUROPE

National legislations may extend broadcasting organizations’ exclusive right provided in the EU Copyright Directive

On 26 March 2015 the Court of Justice of the European The CJEU states firstly that the objective of the EU Union (“CJEU”) held that the EU Copyright Directive ( Copyright Directive was not to remove any differences Directive 2001/29/EC of the European Parliament and of the between national legislations that do not adversely affect the Council of 22 May 2001 on the harmonization of certain functioning of the internal market. Therefore, the EU aspects of copyright and related right in the information Copyright Directive has only partially harmonized the society) must be interpreted as not precluding national copyright legal framework. Then, the Court, relying on legislations to extend the exclusive rights of broadcasting Directive 2006/115 on rental and lending rights and certain organizations beyond the legal protection as set forth in rights related to copyright, affirms that MS should be able to Article 3(2)(d) of the EU Copyright Directive, provided that provide, on a national level, for wider protection than the such protection does not undermine that of copyright. protection afforded under the EU Copyright Directive.

The issue before the Swedish Supreme Court concerned The Court concludes that Article 3(2) of the EU Copyright the alleged infringement of the rights of C More Directive does not preclude an MS to grant broadcasting Entertainment AB. C More Entertainment is a pay-TV station organizations the exclusive right to authorize or prohibit acts that offers live streaming of ice hockey matches on its of communication to the public (with no consideration about website. Mr Sandberg places links on his website that whether this act also represents an act of making available allows Internet users to access C More Entertainment’s to the public) of their transmissions, but provided that such website and watch the live streaming of two hockey protection does not undermine that of copyright. This ruling matches for free. In this context, the Swedish Supreme is in line with Recital 7 of the EU Copyright Directive Court submitted five questions to the CJEU, but whereby “the directive does not have the objective of subsequently decided to withdraw four of them (which were removing or preventing differences that do not adversely already answered by the recent Svensson case C-466/12). affect the functioning of the internal market”. In substance, the remaining question was: “May the Member State (MS) give wider protection to the exclusive This case is particularly interesting in the way that it moves right of authors by enabling ‘communication to the public’ to away from the precedent CJUE ruling in the Svensson case. cover greater range of acts than those provided for in Article In the latter case, the CJUE was asked whether an MS 3(2) of the EU Copyright Directive?” could extend the protection afforded to the copyright holders through an extension, on a domestic basis, of the As an introductory point, the CJEU restates Article 3(2)(d) of notion of “communication to the public” under Article 3(1) of the EU Copyright Directive whereby “MS are to provide for the EU Copyright Directive. The CJUE answered in the the exclusive right for broadcasting organizations to negative, stating that if it had held otherwise, the objective authorize or prohibit the making available of fixations of their pursued by the EU Copyright Directive would have been broadcasts to the public, in such a way that members of the undermined. The CJUE held that allowing the MS to widen public may access them from a place and at a time the concept of “communication to the public” would individually chosen by them.” The CJEU clarifies that the necessarily affect the functioning of the internal market. “making available to the public” was actually included within Conversely, in the present case, the CJUE, presumably the concept of “communication to the public” referred to in because it reads the EU Copyright Directive in conjunction Article 3(1) of the Directive. In any event, in order for an act with Directive 2001/29, allows MS to extend the rights set to fall under the category “making available to the public” forth in Article 3(2) of the EU Copyright Directive. and thus to benefit from the protection of Article 3(2)(d), this act must (i) make it possible for the public to access the The case (C-279/13) can be found on http://curia.europa.eu protected work from a place chosen by them and (ii) at a time chosen by them. However, the transmissions made available by Mr Sandberg cannot be considered as amounting to “interactive on-demand transmissions”. Carol Evrard Nevertheless, the Swedish legislation affords a wider protection as it is not limited to acts that make works Junior associate available “on demand”. T • +32 2 533 57 42 [email protected]

ICT Law Newsletter – Number 51 – April 2015 3 FOCUS: EUROPE

Courts of a Member State where a work is accessible online have jurisdiction to hear case

On 22 January 2015 the European Court of Justice (ECJ), in The ECJ confirmed, however, that in accordance with Article its judgment C-441/13, held that a court of a Member State 5(3) of Regulation 44/2001, the Austrian courts could be where a work is accessible online does have jurisdiction to seized on the basis of the place where the alleged damage hear the case if the damage has occurred or might occur in occurred. As a matter of fact, the likelihood of damage that Member State. occurring in a particular Member State is subject to the condition that the right whose infringement is alleged is Article 2 of Regulation 44/2001 of 22 December 2000 on protected in that Member State. jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (“Regulation The ECJ further confirms that unlike Article 15(1) of 44/2001”) stipulates that persons domiciled in a Member Regulation 44/2001, Article 5(3) does not require that the State shall be sued in the courts of that Member State. By activity concerned be directed to the Member State in which way of exception, and hence to be interpreted restrictively, the court seized is situated. In the case at issue, the Article 5(3) of this Regulation states that the courts of the occurrence of damage and/or the likelihood of its place where the harmful event occurred or might occur can occurrence arise from the accessibility in the Member State be seized in matters relating to tort, delict, or quasi-delict. of the photographs to which the rights relied on retain.

In the case at stake, a German-based company had This case can be found on: http://curia.europa.eu published on its website pictures that were taken by an Austrian photographer and had done so without this photographer’s consent and without any recognition of authorship. The photographer subsequently sued the Cédric Lindenmann company before the Austrian courts. The company (defendant) argued that the Austrian courts lacked Junior associate jurisdiction because the website was not directed at Austria T • +32 2 533 54 56 and that the mere fact that the website can be accessed from Austria is insufficient to confer jurisdiction on the [email protected] Austrian courts.

ICT Law Newsletter – Number 51 – April 2015 4 FOCUS: EUROPE

WP 29 guidelines on the implementation of the Google Spain Case and Google’s Advisory Council Report on “the Right to be Forgotten”

On 13 May 2014 the European Court of Justice (“ECJ”) not contradict freedom of expression, nor does it allow for delivered a landmark ruling, the so-called “Google Spain censorship. Indeed, it is emphasized that the Ruling does Case” (“the Ruling”). Because this decision has generated not enable people to have the contested search results several concerns and could have potentially led to Member removed in all cases, but only if the interest to privacy States’ diverging application of this case-law, the European overrides the respect for other fundamental rights. No less Commission (“the Commission”), followed by the Article 29 importantly, the EU Commission clarifies the scope of the Working Party (“WP 29”), issued guidelines (“Guidelines”) on Ruling, stating that it only concerns the right to be forgotten the matter. “regarding search engine results involving a person’s name”. The resulting consequences to this clarification are twofold: In February 2015 Google’s Advisory Council published its (i) only the link to the disputed content can be deleted, the report on “the Right to be Forgotten” to advise Google on content itself remains unaffected in its original location on how to implement the Ruling properly. Notwithstanding the the internet; (ii) the content can still be found via the same broad scope given by some in their interpretation of the search engine when using a different query. Ruling, it seems that the ECJ did not intend its judgment to be one of principle. Finally, the most recent developments regarding the appropriate implementation of the Ruling are contained in In the first part of the Guidelines, the WP 29 specifies the the report published by Google’s Advisory Council most important elements of the Ruling. It confirms that, (“Report”). This panel of independent experts has been according to the ECJ, search engines operators process asked to advise Google in this regard. The panel has based data are considered data controllers. The legal basis lies in its advice on, inter alia, the opinion on experts from all over the legitimate interest of the controller or of third parties to Europe, the European Court of Human Rights case-law, which the processed data are disclosed. This legal basis is policy guidelines of new organizations, and also the WP 29 different from the one justifying the publishing of content by Guidelines discussed above. Remarkably, the Report the original publisher. That is why, in some instances, emphasizes that the Ruling does not establish a general although the publishing of some information by the original right to be forgotten. Indeed, the balancing test that has to publisher might be lawful, the accessibility to those be used by Google might lead to the conclusion that information by means of a search engine might, however, in overriding interests justify a de-listing refusal. The Report turn be unlawful. In any event, search engine operators are states that “the Ruling, while reinforcing European citizen’s supposed to assess the legitimacy of the data processing data protection rights, should not be interpreted as a only at the data subjects’ request. Moreover, those data legitimation for practices of censorship of past information subjects, when they are refused its request to be de-listed, and limiting the right to access information.” should be allowed to turn to the competent data protection authority (“DPA”) to contest that decision of refusal. Further, and in line with the WP 29 approach, the Report Regarding transparency, the search engines could only lists the main criteria to be used for assessing delisting inform their users that some results have been removed if it requests: (i) the data subject’s role in public life; (ii) the nature was not, on this sole basis, possible for them to conclude of the information; (iii) the source of the information; and (iv) that a specific individual has asked for this de-listing. Lastly, the time that has elapsed since the original publication. the WP 29 considers that an effective de-listing decision Then, the Report explains key procedural elements in this should have a global territorial reach and affect all domain respect. Two of them are worth emphasizing. Firstly, the names, including those ending with .com. Panel advises, as a good practice, that the search engine should notify the publishers of the delisting to the extent In the second part of its Guidelines, the WP, through its allowed by law. That is to say, in compliance with each creating a list of “common criteria for the handling of Member State’s domestic data protection law, among other complaints by EU DPAs”, has undertaken to harmonize the regulations. Secondly, contrary to the WP 29 Guidelines, the way these DPAs should deal with de-listing-related Report states that the de-listing should not operate globally. complaints. The WP 29 makes it clear, however, that the The rights of the data subjects are, according to the Panel, assessment of the data subjects’ complaints must be made adequately protected if de-listings apply only to the on a case-by-case basis. The criteria are indeed merely European versions of the search. This is based on the “flexible working tool”, none of which being determinative. finding that 95% of all European search queries are They will always have to be applied in accordance with conducted on local versions of Google. The Report applicable domestic legislation. concludes that “removal from nationally directed versions of Google’s search services within Europe is the appropriate These Guidelines complement the report published on 19 means to implement the Ruling at this stage.” September by the EU Commission and aim to rebut the “myths” surrounding the Ruling. This report refutes some The Ruling allows for a major enhancement to the data ideas that have erroneously emerged, e.g.: the Ruling does subjects’ right online. However, it seems that this has been

ICT Law Newsletter – Number 51 – April 2015 5 FOCUS: EUROPE

widely misinterpreted. To increase clarity regarding its protection, and on the other hand, the rights to freedom of implications, the WP 29, the EU Commission, and later, a expression and access to information. panel of experts, have published reports and guidelines on how to implement the Ruling correctly. Although those Carol Evrard reports differ in some aspects (e.g., the geographical scope of the de-listing obligation), there seems to be a growing Junior associate consensus towards the inexistence of the so-called right to T • +32 2 533 57 42 be forgotten. The Ruling is a mere application of the balancing test that must be made, on a case-by-case basis, [email protected] between, on the one hand, the rights to privacy and data

WP 29 document on a new co-operation procedure regarding contractual clauses

On 26 November 2014 the Article 29 Data Protection decision-making process. The chosen lead DPA has the Working Party (“WP 29”) issued Working Document WP226. possibility to transfer the application to another DPA if it This document sets forth a co-operation procedure for issuing believes this other DPA is more suitable as the lead DPA. common opinions on contractual clauses that are considered Such transfer needs to be conducted under supervision of compliant with the EC Model Clauses. Through this the Presidency of the WP 29. Additional to the lead DPA and document the WP 29 wants to establish a more harmonized depending on the number of Member States from where the approach among the national data protection authorities data is transferred, one co-reviewer (if less than 10 Member (“DPAs”) throughout the multiple jurisdictions of Europe in States) or 2 co-reviewers (if more than 10 Member States) will approving EU Model Clauses. be appointed.

The Model Clauses were adopted by the European The review should be done in the context of a Mutual Commission to enable companies to put in place sufficient Recognition, and DPAs can freely decide on whether it wants safeguards for legally framing international data transfers to participate. The lead DPA will conduct the review and, outside the EEA. In principle, companies choosing to use once it is decided that the proposed contract conforms to the such clauses may not change them unless they seek prior Model Clauses, it will send its conclusion in the form of a draft approval from the DPA of the Member State from where the letter to the co-reviewer(s). The latter must submit their transfer is taking place (“competent DPA”). Nevertheless, it is comments (if any) within a one-month deadline. If no possible for companies to draft a contract that contains comments are made within this timeframe, the draft letter, the additional (commercial) clauses alongside these Model analysis, and the draft contract will be sent to the other Clauses as long as there is no direct or indirect contradiction competent DPAs. Only those not participating in the Mutual between them. Recognition procedure are allowed to make comments those documents. At a final stage, the lead DPA will sign the letter In many Member States, a company must obtain an on behalf of all competent DPAs and will send it to the authorization from the DPA—before the data transfer—for company. both the use of an ad hoc contract and the use of Model Clauses. In a situation where the company wants to transfer Through this Working Document, the WP 29 is clearly data from different EU/EEA countries, this obligation entails choosing the path of harmonization, which is desirable to the risk that the DPAs in the different Member States would create uniformity and legal certainty within the EU. not reach the same conclusion regarding the same draft Nevertheless, this procedure only relates to conformity to the contract. EC Model Clauses. But when permits or authorizations are legally required, national DPAs may still analyze the annexes Through this Working Document, the WP 29 launches a and descriptions of data transfers to assess their legality procedure that will enable companies to obtain a coordinated under national law. Moreover, in a situation where a company, position of the different DPAs regarding their proposed after initially having intended to transfer data from a few contract. DPAs are free to decide, based on the Member States, decides to extend the geographical scope circumstances, whether such co-operation procedure is after the co-operation procedure, the additional competent opportune or not. DPAs are not bound by the decision made in the co-operation procedure. They are free to conduct their own analysis of the As a first step in the co-operation procedure, the company draft contract, but the company will have to bear the risk needs to choose a lead DPA out of the several competent should the DPAs decide otherwise on the contract. DPAs. In the Working Document, the WP 29 sets out different possible decisive factors that can guide the company in the This article was written by student trainee Dorien Taeymans.

ICT Law Newsletter – Number 51 – April 2015 6 FOCUS: BELGIUM

Belgian collecting society SABAM may not levy royalties on ISPs

On 13 March 2015 the Brussels Court of First Instance communication originated from the Internet user/content issued a judgment in the cease-and-desist case the Belgian supplier to its ISP, or there is no “new public” when the ISP state brought against the collecting society SABAM, which makes the content available to its customers because this is was suing Internet service providers (ISPs). According to precisely the intended purpose of the initial communication SABAM, the ISPs themselves—besides the Internet of the Internet user/content supplier. users—“communicate” works to the public, and such communication would require authors’ consent under As a result thereof, there is no valid ground for claiming copyright law and, therefore, payment of specific royalties. royalties on such activities. When doing so, SABAM does violate Belgian copyright law, and therefore, the Belgian However, the supervising authority of collecting societies state is right to have intervened. within the Ministry of Economy did not agree with SABAM’s argument, and, through a specific administrative procedure, Finally, it is worth mentioning that the Court found that there it had SABAM summoned so that its claim against the ISPs was no need to refer to the ECJ for a preliminary ruling would stop. Since SABAM did not accede to this demand, because the existing case-law provided sufficient guidance. the Ministry of Economy sought eventually the Court to In this regard, the Court stressed the differences between order a cease-and-desist injunction. The main Belgian ISPs the disputed case and some landmark decisions previously joined the proceedings in support of that request. rendered by the ECJ, such as the decisions in Airfield (C-431/09) and SGAE/Rafael Hoteles (C-306/05). Also, the After a detailed examination of all the ISP’s activities, the Court recalled that ISPs are intermediaries that are essential Court recalled the applicable legal provisions, including for the functioning of the Internet, in the light of the decision Directive 2001/29/EC of 22 May 2001 on the harmonisation UPC Telekabel (C-314/12). Without them, the “initial” of certain aspects of copyright in the information society, the communication cannot take place. case-law of the European Court of Justice (ECJ), and more particularly the recent Svensson (C-466/12) and Bestwater By the end of March, SABAM has decided to lodge an International cases (C-348/13). Then, the Court formulated appeal against the Court of First Instance’s decision. two hypotheses: either the ISP’s activities are a mere provision of physical facilities for enabling or making a The case can be found on http://www.ie-forum.be communication (and in this scenario, it does not in itself amount to a communication, pursuant, notably, to Recital 27 of the Directive 2001/29/EC), or they do more than that. Nicolas Roland In the latter scenario, even if one were to consider that the ISPs make any additional communication to the “initial” Counsel communication of their customers or the content suppliers, T • +32 2 533 51 51 this would not satisfy the public requirement: either there is no large indefinite number of persons when looking at the [email protected]

ICT Law Newsletter – Number 51 – April 2015 7 FOCUS: BELGIUM

Bhaalu case: Flemish Media Regulator rules in favor of broadcasters Medialaan, SBS Belgium, and VRT in their suit against Right Brain Interface

Right Brain Interface NV is a young technology company broadcasters’ prior consent so that they could offer its that has created a remote DVR (digital video recording) customers the said option for delayed, shortened, or altered storage service called Bhaalu. In essence, this service allows viewing of linear television shows. its subscribers to record the television shows, which they can watch according to their TV channels’ subscription and The Media Decree defines “service providers” as any entity store them on servers owned by the unincorporated providing one or more broadcasting services to the public association of Bhaalu users (“in the cloud”). This way, by means of electronic communication networks, with the Bhaalu users can watch TV shows on demand up to 3 exception of broadcasting organizations that only make their months after they have been aired. own broadcasting services to available to the public. This third category of market players (which fall between a The Bhaalu system is also called a Collaborative Video broadcaster and a network operator) was added to the Recorder (or CVR) because the users are basically sharing Media Decree to cope with future technical evolutions in the the cost of certain common components of the CVR media sector. The Flemish Media Regulator held that Bhaalu hardware, without it being technically possible for them to was indeed the result of such technical evolutions and share content with or transfer the content to other users. needed to be considered a service provider under the Media Decree. Naturally, Bhaalu’s entry on the Belgian market has led to a great deal of opposition by Belgian broadcasters, provoking In reaching this decision, the Flemish Media Regulator first Medialaan, VRT, and SBS Belgium to sue Right Brain considered that it was not required for service providers to Interface before the Antwerp Commercial Court on grounds provide the broadcasting services to the public via their own of their right to exclusive reproduction and communication network. The Flemish Media Regulator also considered that enshrined in the Belgian Copyright Act. The broadcasters it was irrelevant whether these services were broadcast on also filed a complaint with the Flemish Media Regulator on individual request or whichever technique was used to grounds of Right Brain Interface’s violation of the Flemish broadcast them (including point-to-point technique or, as in Government Decree of 27 March 2009 (the “Media the present case, unicast technique). The fact that the Decree”). Bhaalu user must indeed have made a recording instruction so that the signal via unicast would be forwarded to him On November 4, 2014 the Antwerp Commercial Court ruled does not, according to the Flemish Media Regulator, imply that Right Brain Interface could not lawfully rely upon the that Bhaalu did not provide broadcasting services. “private copy” exception enshrined in the Belgian Copyright Act. Even though Right Brain Interface has since Therefore, the Flemish Media Regulator declared that Right suspended its activities, it did apply for an appeal against Brain Interface has violated Article 180 of the Media Decree this decision. On January 12, 2015 the Flemish Media by: (i) not transmitting the linear television shows—that are Regulator also decided in favor of the Belgian broadcasters. part of their range of television services in the Flemish Community—unabridged, unaltered, and in their entirety, at The broadcasters asserted that Right Brain Interface should the exact time these television shows are aired, and (ii) not be considered a “service provider” in the meaning of Article obtaining prior consent of the broadcasters so that they 2, 7° of the Media Decree. As a service provider, Right Brain could offer its customers an option allowing for a delayed, Interface would be obliged, according to Article 180 of the shortened, or altered viewing of linear television shows. Media Decree, to: However, given that Right Brain Interface had already • transmit linear television shows—that are included in the ceased its Bhaalu-related activities after the Antwerp range of television services in the Flemish Community— Commercial Court rendered its decision on November 4, unabridged, unaltered, and in their entirety, at the actual 2014, the Flemish Media Regulator only issued Right Brain time these television shows are aired. Interface a warning and ordered it to stop committing further violations. • seek prior consent of the broadcasters so that these broadcasters may offer its customers an option to have a delayed, shortened, or altered viewing of the linear television shows. Valerie Vanryckeghem

However, Right Brain Interface does not transmit linear Associate television shows in an unabridged, unaltered way and in T • +32 2 533 51 72 their entirety at the actual time these television shows are aired. In addition, Right Brain Interface did not obtain the [email protected]

ICT Law Newsletter – Number 51 – April 2015 8 FOCUS: BELGIUM

The UsedSoft decision of the European Court of Justice on the resale of software has been successfully alleged by the second acquirer

On 26 January 2015, the Court of Appeal of Gent dismissed Therefore, the Court found that the defendant may benefit the claim of a software company for copyright infringement from the exception of Article 5(1) of the Directive, pursuant against another company that integrated its computer to which the authorization of the right holder is not required program into an ERP solution for dentists. for some acts (such as the permanent or temporary reproduction by any means and in any form, in part of in This computer program and the accompanying license key whole) where they are necessary for the use of the computer were ordered by and delivered electronically to an authorized program in accordance with its intended purpose. In the reseller for the explicit purpose of resale. On many current case, the disputed software development kit aims to occasions, the Court stressed the fact that, apparently, the integrate third party applications. Furthermore, the Court software company did not impose any restriction in this ruled that the software company contractually agreed with respect. Also, it appears that the defendant that acquired such resale for commercial use, at least implicitly. such computer program from the reseller did not know that it was the property of the plaintiff since the reseller never Finally, the Court decided that the right of distribution is mentioned it and the software company failed to exhausted towards the defendant and that such exhaustion demonstrate that its licensing scheme should normally have does not relate solely to one physical copy of the program. been passed on to the defendant via the reseller. The latter Should the license key be used only-once for resale, then went bankrupt two years later. the software company should have expressly stipulated so, said the Court. The software company then initiated a lawsuit against the second acquirer, asking for monetary damages and a The case can be found on http://www.ie-forum.be cease-and-desist injunction.

However, pursuant to the Court that made several references to the landmark decision of the European Court Nicolas Roland of Justice dated 3 July 2012 UsedSoft v. Oracle (C-128/11), the defendant is a “lawful acquirer” within the meaning of Counsel Article 4(1) of the Council Directive 91/250/EEC of 14 May T • +32 2 533 51 51 1991 on the legal protection of computer programs (the Directive) since it validly acquired the disputed component [email protected] from an authorized reseller.

ICT Law Newsletter – Number 51 – April 2015 9 FOCUS: THE NETHERLANDS

Google wins appeal in first Dutch ‘Right to be Forgotten’ case

In May 2014, the European Court of Justice made a does not aim to protect a person from all negative groundbreaking decision regarding the Costeja-case, often information published on the internet, but that a person referred to as the Google Spain case. This case briefly should be protected from being haunted by irrelevant or stated that Google is bound to remove certain search results unnecessary defamatory posts. The Court also believes that should a person request Google to do so. A person can file the search results relating to X’s criminal offences cannot be such a request when he is of the opinion that these results considered irrelevant and that the connection via auto- can no longer be considered adequate or relevant, or when complete with Peter R. de Vries is logical. The right of the processing of such search results is excessive and freedom of information outweighs the right of privacy of X. subsequently infringes the privacy of the respective person. This European case has had great consequences for The ruling of the District Court is confirmed in appeal. The Google; the search engine has since received almost Court of Appeal states that although X is still awaiting the 240,000 requests and has evaluated more than 865,000 appeal in his criminal procedure, he has submitted no URLs. If Google refuses to remove certain search results, information which detracts from the existence of this one can start legal proceedings on a national level. conviction. The online publications are therefore the result of his own conduct. It is in the public interest that information In the Netherlands, one of the first cases dealt with by the about serious crimes, and consequently about the national courts regarding the “Right to be Forgotten” was prosecution and conviction of X, can be accessed. X has the case of a Dutch escort boss, X. X was sentenced to six not been able to prove that Google manipulates the search years in prison in 2012 following a failed attempt to procure results. Furthermore, X has not contested the fact that the the murder of a competing escort boss. He gave very search results generated via the auto-complete feature are detailed instructions to an assassin, who, unbeknownst to based on the number of times users have entered certain X, was secretly filming the entire conversation. The hit-man search results. There is no evidence that Google has proceeded to give the footage to Peter R. de Vries, a crime deliberately caused damage to X and X has not argued that journalist, who aired the tape during an episode of his very the auto-complete feature generates additional search popular true-crime TV show. Due to the mass media results that would harm him. The general ground of appeal attention, an author also decided to write a criminal novel that Google should refrain from infringing X’s privacy is too about the case, proclaiming it “faction”, a combination of broad and has been rejected. The Court’s lesson for X is fact and fiction. X is currently awaiting the appeal of his clear: if you play with fire, you are going to get burned. criminal procedure and claims that he is unable to pick up his day-to-day life, due to the fact that if you Google him, Source: Court of Appeal Amsterdam, 31 March 2015, search results about the criminal case, the TV show and the ECLI:NL:AMS:2015:1223 book pop-up. He has filed a request for Google to remove certain search results and that Google’s auto-complete feature abstains from automatically connecting him to the TV show and the novel. X believes that Google actively Friederike van der Jagt manipulates the search results with no other aim than to harm him. Google should generally refrain from any Senior associate infringement on X’s privacy. In first instance, the District T • +31 20 546 01 44 Court rejected X’s requests. The Court is of the opinion that X has committed a serious crime which has led to a huge [email protected] amount of publicity. The Court states that the Costeja-case

ICT Law Newsletter – Number 51 – April 2015 10 FOCUS: THE NETHERLANDS

Bill submitted to increase penalty powers of the Dutch Data Protection Authority to EUR 810,000 or 10% of the annual turnover of certain legal entities

On 24 November 2014 State Secretary Teeven (from the If the legislative proposal is accepted, the DPA shall be VVD, a conservative-liberal party) submitted a second referred to as ‘Personal Data Authority’. This reflects the memorandum of amendment concerning the legislative terminology of the European proposal for the new General proposal adjusting the Dutch Data Protection Act (“DDPA”). Data Protection Regulation and to prevent any existing The amendment, to be introduced through an adjustment of confusion with the Dutch Bureau for Economic Policy article 66 DDPA, is intended to give the Dutch Data Analyses (in Dutch “CPB”, DPA in Dutch “Cbp”). In addition Protection Authority (“DPA”) the authority to impose higher the DPA will in the future need approval from the Minister of administrative fines and to be able to do so in more cases. Security and Justice for the guidelines which serve to explain and interpret the material standards of the DDPA, At the moment this authority is limited to a number of under which an administrative penalty can be imposed for specific administrative provisions such as failure to register a violations. data processing with the DPA. Furthermore, the maximum possible fine is EUR 4,500 which is relatively low and is in The proposal derives from the coalition agreement, which practice not imposed. The legislative proposal extends this contained an increase of penalty powers. This reinforces authority to a large number of general obligations under the supervision and shifts the focus from remedy sanctions such DDPA and introduces penalty categories which range from as incremental payments, often imposed by the DPA under EUR 20,250 for relatively minor violations, to EUR 810,000 the present system, towards administrative fines. The for intentional and repeated violations, which can have question is, however, whether this will make a difference in significant social repercussions. An even higher flexible practice, especially considering the fact that the DPA is financial penalty is proposed in relation to legal entities: if the obligated to first issue a binding instruction. This obligation maximum fine level of EUR 810,000 is not sufficiently arises from the advice of the Council of State that, given the punitive, the DPA can impose a fine equal to a maximum of ‘vague’ standards of the DDPA, it is undesirable to impose a 10% of the annual turnover of the respective legal entity. It is penalty without a previous warning. The DPA does not agree remarkable (and good news in practice) that the fine for not with this part of the proposal: it feels like a ‘paper tiger’ and registering a data processing with the DPA, which until now believes it will not be able to act promptly and efficiently. A was one of the only provisions from the DDPA that was fear exists that companies and organisations will not feel the fineable, will cease to exist. urge to comply with the law. Paper tiger or not, one thing is certain: the creation of a wider penalty authority The legislative proposal is consistent with the penalty demonstrates that, after years of talking and lobbying, categories included in article 23 of the Dutch Criminal Code. compliance with the privacy rules is being taken seriously. However, the DPA can only impose such an administrative Privacy compliance has become a boardroom issue and is fine after it has issued a binding instruction to the offender. A expected to be on the agenda of a number of companies in time limit in which the offender has to follow the instruction 2015. can be imposed. The offender may file a notice of objection against this decision – although this will not suspend the Friederike van der Jagt proceedings. This can be problematic since this could in practice lead to two parallel procedures. In situations Senior associate involving an intentional breach of the material standards of T • +31 20 546 01 44 the DDPA, there is no obligation to give a binding instruction and the DPA can impose a fine directly. [email protected]

ICT Law Newsletter – Number 51 – April 2015 11 FOCUS: THE NETHERLANDS

Dutch DPA: Employment agencies violate the privacy of the temporary workers

Each year the Dutch Data Protection Authority [“DPA”], Security Number [“SSN”] of the temp is also being taking its limited capacity into account, sets out a number of processed without any legal basis. As long as an individual key objectives on which it will focus. The protection of has not actually started working for the agency, the privacy in the employment relationship has been one of the aforementioned exceptions cannot be invoked. The legal priority areas over the last two years. Having regard to the obligations to process a copy of an ID or SSN only exist financial dependence between employee and employer and when someone actually starts working for the agency. As a the increasing pressure on the employees as a result of the result, it will only be necessary to process the information at economic crisis, the employee is in a vulnerable position in that stage in order to be able to perform the temporary terms of protecting its privacy. The DPA received various employment contract with the temp. signals that employment agencies appeared to be violating the privacy of temporary workers. In a temporary The necessary monitoring of a person’s identity by the employment relationship the agency acts as the employer of agencies during the selection process can be effected in a the temporary worker [“temp”]. For these reasons, the DPA lawful manner by letting the temp show its ID and allowing decided to carry out an investigation in respect of two large the intermediary to check it without making a copy. The employment agencies regarding their compliance with the employment agencies do not agree with this point of view of Dutch Data Protection Act [“DDPA”]. the DPA: they find the method impractical and are afraid of mistaken identities or mix-ups, particularly because temps Processing of copies of ID cards often speak to multiple agencies.

According to the DPA, the investigations confirmed that the Absence registration employment agencies are violating data protection laws on various points. For example, copies of ID cards are made as The DPA also noted that both employment agencies soon as the temp signs up at an employment agency and process too much data on temps who are ill. The agencies these copies are being shared with potential clients. Making list the nature and cause of the illness, which is not allowed. a copy of an ID is only permitted if there is a legal basis, for In line with the previous investigations into processing data example under the Wages and Salaries Tax Act or the of ill employers by absenteeism agencies and occupational Foreign National Employment Act, or when it is necessary in health and safety services, the DPA holds that the agencies connection with the performance of the contract with the are only allowed to record that someone is ill and to what data subject. The reason behind this is that the copies of ID extent he/she is incapacitated. Furthermore, this is only cards left lying around can easily lead to identity fraud. ‘ID permitted when it is necessary for the re-integration or the copies’ also contain information about race and nationality, guidance for the employee as a result of illness or incapacity and the sharing of this information [at an early stage] can or to meet legal objectives. lead to discrimination. In addition, this means that the Social

ICT Law Newsletter – Number 51 – April 2015 12 FOCUS: THE NETHERLANDS

Criminal antecedents Retention period and follow up

Employment agencies want to be able to screen people for Personal data cannot be held for longer than necessary in their criminal past for certain positions. The processing of order to fulfil the purposes for which they were collected, criminal information is, however, prohibited under the DDPA, unless the retention is necessary to meet legal retention unless one of the legal exceptions can be invoked. In obligations. However, in some cases the data were retained practice, use of the certificate of good conduct is often longer: one agency even retained the data for 24 [!] years. made. This does not contain information about a person’s previous convictions or on-going criminal proceedings. The practical implementation of the obligations of the DDPA Because an application for a certificate can take some time, which companies and business must comply with still the agencies usually ask a temp to fill out a statement, in remains an obstacle. In early 2014, therefore, the DPA which they indicate if they have or have not committed any published various do’s and don’ts in which a straightforward criminal offences. If the temps report criminal facts through explanation was given on how to handle the privacy of the the statement, processing of criminal information takes employee in the workplace. Useful guidelines regarding the place. Furthermore, this statement is also shared with clients processing of copies of IDs have also been published. of the employment agency. The agencies are of the opinion that this is allowed because they have received consent for The investigated employment agencies have promised to the processing thereof from the temps. However, according improve and have adapted or started to adapt their way of to the DPA, this consent cannot be relied on: a successful working. The DPA will keep a close eye on the matter: the appeal to base the processing of personal data on the DPA can order enforcement measures, for example justification ground of ‘consent’ can only exist if the consent imposing an order subject to a penalty, if the violations is given freely. In this case consent is not given freely continue. because of the imbalance in the relationship between the temp and the employment agency. Source: http://www.cbpweb.nl/Pages/pb_20141120_ uitzendbureaus.aspx Religious symbols Friederike van der Jagt One of the employment agencies occasionally recorded that a temp was wearing a headscarf. In principle, processing Senior associate such information is forbidden precisely because this can T • +31 20 546 01 44 lead to discrimination based on religion or belief. There is no legal exception in place that allows the employment [email protected] agencies to process such data.

ICT Law Newsletter – Number 51 – April 2015 13 FOCUS: THE NETHERLANDS

The Dutch House of Representatives requests Privacy Impact Assessment for new legislation

On 11 November 2014, the motion Segers/Oosenbrug on The call for a PIA by the government is in line with the Privacy Impact Assessments was adopted by the House of proposed European privacy regulation. The new Regulation Representatives [“the House”]. The motion was proposed in in article 33, expected to be agreed on at European level in connection with a legislative proposal, namely 34000 VII the course of 2015, imposes an obligation to perform a PIA Budget Memorandum of Interior and Kingdom Relations by companies and governments if the intended data 2015. The House expects a so-called Privacy Impact processing “present[s] specific risks to the rights and Assessment [“PIA”] to be performed by the government freedoms of data subjects by virtue of their nature, their when proposed legislation may have an impact on the scope or their purposes.” processing of personal data. If the PIA is not performed, it will be up to the government to explain why the PIA is Currently, there are already some prior tests in place. In missing. addition to the opinion of the Council of State, the government is required to ask the Data Protection Authority A PIA is a tool designed to help with setting out privacy risks [“DPA”] for advice on proposed legislation that is fully or in the development of new policies and relevant legislation. largely related to data processing under article 51(2) Dutch Questionnaires and test models are examples which can be Data Protection Act. used. The purpose behind performing a PIA is to put measures in place to reduce or eliminate privacy risks at an The added value of a PIA lies in the fact that the privacy early stage. impact of new legislation is critically evaluated at an early stage of the legislative process. The broadly defined motion A “Key Model Privacy Impact Assessment Civil Service” has means, however, that more proposals may be subject to a been in place within the government since 2013. This model PIA, when compared with the amount of times the DPA is requires the government to perform a PIA while developing requested to advise at present. new legislation or policy related to the installation of large data files or the construction of new IT systems. The wording of the motion is not clear on whether “new legislation” only applies to laws, orders of Councils or even The model has to be taken into account and considered in ministerial regulations. One thing is obvious: the privacy the Explanatory Memorandum of the legislation concerned. aspects of laws and regulations may look forward to The House wants to introduce an obligatory PIA for all new increasing scrutiny and developments in the near future. legislation likely to have an impact on the processing of personal data. In practice, the broadly defined motion will Source: https://zoek.officielebekendmakingen.nl/ lead to PIAs being undertaken on a regular basis. Minister dossier/33727/kst-34000-VII-21.html Plasterk of Interior and Kingdom Relations indicated that the motion supports government policy. He did point out that Friederike van der Jagt the application of the current key model will be evaluated in the summer of 2015. Senior associate T • +31 20 546 01 44 The minister is not required to actually implement the adopted motion. Nevertheless, he will have to inform the [email protected] House via the annual budget whether or not he has taken action in respect of the motion.

ICT Law Newsletter – Number 51 – April 2015 14 FOCUS: LUXEMBOURG

A new bill on data retention

On January 7, 2015, the Luxembourg Ministry of Justice refer to Article 67 -1 (4) of the Criminal Code where an filed with the Chamber of Deputies bill n° 6763 (the Bill) exhaustive list of offences has been inserted. modifying Article 67-1 of the Luxembourg Criminal Procedure Code (the Criminal Code) and Articles 5, 5-1 Furthermore, the Bill proposes to amend Articles 5 (1) (b) and 9 of the Act of May 30, 2005 laying down specific and 9 (1) (b) by stating that service providers and operators provisions for the protection of persons with regard to the must delete irrevocably and without any delay the retained processing of personal data in the electronic data at the end of the 6 months retention period. Service communications sector, as amended from time to time (the providers and operators cannot keep anonymous data at 2005 Privacy Act). the end of the retention data anymore.

By so doing, the Luxembourg government aims to comply The Bill also amends Articles 5 (6)- and 9 (6) of the 2005 with the Court of Justice of the European Union (the ECJ) Privacy Act by modifying the penalties to be imposed in ruling of April 8, 2014, the so-called “Digital Rights”, in joint case of breach of Article 5 (1) to 5 (5) and Article 9 (1) to 9 cases C-293/12 - Digital Rights Ireland and C-594/12 - (5) o the 2005 Privacy Act. The penalty incurred will be now Seitlinger and Others, whereby the ECJ has declared the a sentence of six months to two years of imprisonment and/ Data Retention Directive 2006/24/EC to be invalid. or a fine of between EUR 251 and EUR 125 000.

The Bill focuses on traffic data (Article 5 of the 2005 Privacy Finally, the Bill will oblige service providers and operators, Act) and location data other than traffic data (Article 9 of the through the amended Article 5-1, to store data on the 2005 Privacy Act). territory of the European Union.

Firstly the Bill intends to amend the current access by the Johanne Mersch judicial authorities to retained data for the purposes of the investigation, detection and prosecution of criminal offences Associate subject to a criminal or correctional penalty of at least one T • +352 26 61 81 20 year of imprisonment. Now Articles 5 (1) (a) and 9 (1) (a) will [email protected]

ICT Law Newsletter – Number 51 – April 2015 15 For more information

If you require further copies of this newsletter, or advice on any of the matters raised in it, please contact: Erik Valgaeren, T +32 2 533 53 51, F +32 2 533 51 15, [email protected]

Brussels Amsterdam Luxembourg

Central Plaza Stibbetoren Rue Jean Monnet 6 The ICT Law Newsletter Loksumstraat Strawinskylaan 2001 2180 Luxembourg is also available on Rue de Loxum 25 P.O. Box 75640 Luxembourg our website 1000 Brussels 1070 AP Amsterdam T • +352 26 61 81 Belgium The Netherlands F • +352 26 61 82 www.stibbe.com T • +32 2 533 52 11 T • +31 20 546 06 06 F • +32 2 533 52 12 F • +31 20 546 01 23

Dubai Hong Kong London New York

Dubai International Financial Centre Suite 1008-1009 Exchange House 489 Fifth Avenue, 32nd floor Gate Village 10 Level 3 Unit 12 10/F, Hutchison House Primrose Street New York, NY 10017 P.O. Box 506912 10 Harcourt Road London EC2A 2ST USA Dubai Central, Hong Kong United Kingdom T • +1 212 972 4000 United Arab Emirates T • +852 2537 0931 T • +44 20 7466 6300 F • +1 212 972 4929 T • +971 4 401 92 45 F • +852 2537 0939 F • +44 20 7466 6311 F • +971 4 401 99 91

All rights reserved. Care has been taken to ensure that the content of this newsletter is as accurate as possible. However the accuracy and completeness of the information in this newsletter, largely based upon third party sources, cannot be guaranteed. The materials contained in this newsletter have been prepared and provided by Stibbe for information pruposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this newsletter without consulting legal counsel. Consultation of this newsletter will not create an attorney-client relationship between Stibbe and the reader. The newsletter may be used only for personal use and all other uses are prohibited.

© Stibbe 2015 Publisher: Erik Valgaeren, Stibbe, Central Plaza, Loksumstraat 25 rue de Loxum - BE-1000 Brussels