ICT Law Newsletter Number 43 – April 2012

Contents

EUROPE
• EU - European Commission issues its proposal for the revision of the Data Protection Directive 95/46/EC
• EU - European Court of Justice rules that a general monitoring obligation is not compatible with EU law
• EU - Court of Justice pronounces a judgment on the grounds for processing personal data
• EU - Article 29 Working Party finds the Online Behavioural Advertising Self-Regulatory Framework non-compliant with the e-Privacy Directive

BELGIUM
• BE - Labour Court of Brussels finds that the Data Protection Act does not prevent employers from making available employee-related information
• BE – Labour Court of Namur rules that electronic messages exchanged on Facebook do not have a confidential character that is protected by law
• BE – Privacy Commission gives guidance on the processing of personal data for mobile phones used by employees
• BE − Privacy Commission issues recommendation on the use of surveillance cameras in cells and detention rooms

THE NETHERLANDS
• NL – Supreme Court rules that a notice of default in an IT dispute is not always required prior to termination and claim for damages
• NL – Court of Appeal of Amsterdam rejects moderation of contractually agreed penalty
• NL – Court of Arnhem issues interim judgment that underlines the importance of being specific as regards fees and cost for IT development and consultancy agreements
• NL – Dutch government presents legislative proposal for changes to the Dutch Data Protection Act
• NL – Dutch Data Protection Authority upholds penalty decision for non-compliance of travel data processing
• NL – New E-mail Advertising Code

• LUX – VAT Authority reduces VAT on eBooks

IT, IP & TMT Law Firm of the Year 2007, 2010 and 2011

EUROPE

EU - European Commission issues its proposal for the revision of the Data Protection Directive 95/46/EC

On 25 January 2012, the European Commission published its draft Regulation for a reform of the European data protection regulatory framework. According to the European Commission, such a reform is needed to strengthen online privacy rights and boost Europe’s digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law, in the form of a Regulation, should do away with the current fragmentation and costly administrative burdens, and is expected to lead to substantial savings for businesses.

Key changes of the new draft Regulation are:

• Single set of rules: by proposing a Regulation, the European Commission opted for one set of directly applicable rules throughout Europe, which should eliminate any current issues resulting from the alleged lack of harmonisation under the Data Protection Directive.
• One single data protection authority for a data controller: under the draft Regulation, a data controller will no longer have to seek regulatory approval from all relevant national data protection authorities, but will have to deal with only one EU data protection authority, based in the controller’s main establishment. In addition, data subjects can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
• Empowerment of data protection authorities: independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
• Consent: wherever consent is required for data to be processed, the European Commission clarifies that it has to be given explicitly, rather than assumed. In addition, doubt is cast over a controller’s ability to obtain an “omnibus consent” (for example, collecting a consent to data processing which is part of the same statement obtaining consent to terms and conditions of sale).
• Access to data: data subjects will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability).
• Right to be forgotten: data subjects will be able to delete their data if there are no legitimate grounds for retaining it.
• Reporting of data security breaches: the draft Regulation requires data controllers across all sectors to notify their supervisory authority of data security breaches involving personal data. The supervisory authority must be notified without undue delay - and within 24 hours, if feasible - after the organisation becomes aware of any data breach. There are also measures requiring organisations to notify the individuals affected by the breach where it is likely adversely to affect the protection of their privacy.
• International data transfer: the draft Regulation does not change the existing possibilities to transfer personal data outside of the EEA. However, it does indicate from now on that binding corporate rules will be the transfer mechanism of choice.

Before entering into force, the draft Regulation will have to be approved by the Council and the European Parliament. (LL)

The draft Regulation can be found at http://ec.europa.eu

EU - European Court of Justice rules that a general monitoring obligation is not compatible with EU law

On 24 November 2011, the European Court of Justice (“ECJ”) ruled that European law precludes the imposition of an injunction against internet service providers requiring them to install a general filtering system for the purpose of preventing illegal downloading activities.

In 2004, the underlying case was brought before the Court of First Instance of Brussels by SABAM, the Belgian collecting society for authors, composers and editors of musical works. SABAM initiated interlocutory proceedings against Scarlet, an internet service provider which provides its customers with internet access, and sought an injunction to be issued against the latter, ordering it to take measures by installing a filtering system to end copyright infringements committed by its customers. Such filtering system would have to filter preventively all electronic communications of all customers of Scarlet at its own expense for an unlimited period in time and would have to identify and block electronic files that infringe copyrights which SABAM represents. After having established that the copyrights represented by SABAM were in this case infringed, per judgment of 29 June 2007, the Court of First Instance ordered Scarlet to make it impossible for its customers to send or receive illegal copies of musical works which were copyright protected.

Scarlet appealed to the Court of Appeal of Brussels, arguing, among other things, that such injunction was contrary to a number of European Directives, including Directive 2000/31 on certain legal aspects of information society services, in particular electronic commerce and Directives 2001/29, 2004/48, 95/46 and 2002/58. Consequently, the Court of Appeal referred the question on interpretation of these Directives to the ECJ for a preliminary ruling.

In its judgment, the ECJ first underlined the fact that holders of intellectual property rights are entitled to apply for injunctions against intermediaries if the services of these intermediaries are used to infringe on their intellectual property rights. The Court pointed out that there are a number of restrictions that these injunctions must take into account, such as the restriction provided in Directive 2000/31 which forbids national authorities from adopting measures which allow internet service providers to monitor all information that is transmitted over their network. In light of this prohibition, the ECJ found that an injunction such as that demanded by SABAM would qualify as this kind of obligation to monitor and is thus incompatible with Directive 2000/31. The Court also added that the right to an intellectual property may not be regarded as legally absolute and inviolable. (LL)

The case can be found on http://curia.europa.eu.

EU - Court of Justice pronounces a judgment on the grounds for processing personal data

On 24 November 2011, the European Court of Justice (the “ECJ”) replied to a prejudicial question relating to the list of processing grounds contained in Directive 95/46 of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and regarding the free movement of such data (the “Privacy Directive”).

This prejudicial question was submitted by the Spanish Supreme Court, the Tribunal Supremo, following a case in which the question as to whether the Ley Organico 15/1999 on the protection of personal data (the “Spanish Privacy Act”) conforms with the Privacy Directive was raised. Article 10 of the Spanish Privacy Act states that a processing of personal data without consent of the person concerned is permitted only if (1) the processing serves the representation of a legitimate interest of the controller, (2) the processing is necessary to perform an obligation of the responsible, and (3) the data are included in one of the publicly available sources listed in the law. This Article is the Spanish transposition of Article 7, sub f of the Privacy Directive, which permits processing if (1) the processing is necessary for the protection of a legitimate interest of the controller, and (2) the processing does not prevail over the importance of fundamental rights and freedoms of the person concerned.

The parties to the case before the Tribunal Supremo argued that the additional requirement of Article 10 of the Spanish Privacy Act was incompatible with the principles of EU law and the Privacy Directive because imposing additional conditions should not be allowed and would hinder the free movement. In its judgment, the ECJ first emphasised that Member States can only further detail one of the two principles of the article when transposing Article 7 of the Privacy Directive, but are not allowed to change the scope of that article by adding additional conditions. Subsequently, the ECJ confirmed that the third condition of Article 10 of the Spanish Privacy Act relates to the severity of the processing and the balancing of the interests at stake. To that extent, the Spanish Article does further detail one of the existing requirements because processing personal data that are publicly accessible is less severe than the processing of personal data which are not known (accessible) by the public. The ECJ then, however, states that the Spanish Privacy Act firmly defines the outcome of the interests under Article 10 and therefore, does not allow for any margin when it comes to the balancing of conflicting rights and interests in a particular case. Consequently, the ECJ held that the addition of this third condition by the Spanish legislator violates Article 7, sub f of the Privacy Directive, and that, since this Article of the Privacy Directive has direct effect, the parties to the dispute before the Tribunal Supremo can rely on its provisions. (LL)

The case can be found on http://curia.europa.eu.

EU - Article 29 Working Party finds the Online Behavioural Advertising Self-Regulatory Framework non-compliant with the e-Privacy Directive

European Directive 2009/136/EC, which revises the e-Privacy Directive (2002/58/EC), was adopted in November 2009. One of the major changes to this Directive was that the processing of information via terminal equipment, such as cookies, can no longer be based on an “opt-out” regime (where the user can reset the default settings of his/her computer in order to ensure that no cookies will remain on his/her computer), but rather an informed consent of the user should be obtained.

Since the online behavioural advertising companies rely heavily on the use of cookies, the members of the European Advertising Standards Alliance (EASA) and the Internet Advertising Bureau Europe (IAB) have adopted a self-regulatory Best Practice Recommendation on online behavioural advertising, the EASA/IAB Code. Furthermore, the website: www.youronlinechoices.eu (“the Website”) has been set up in which users can participate.

The Article 29 Working Party has voiced a number of concerns with regard to data protection compliance as laid down in the Code. EASA and IAB have stated that the Code is intended to create a level playing field and was not aimed to achieve compliance with the revised e-Privacy Directive. Consequently, the Article 29 Working Party has decided to adopt an opinion containing a specific analysis of the extent to which the Code complies with the e-Privacy Directive.

The Working Party’s main concern is that data subjects are given the wrong impression that it will be possible to choose not to be tracked when visiting websites. Furthermore, an information icon referring to information on the Website is used when cookies are placed on a website. Both the icon and the Website do not provide accurate and easily understandable information about the different advertising networks that are involved in the processing of the personal data, nor the purposes for the data processing.


More importantly, the fact that a user of a website needs to go to the Website in order to choose that he will not be tracked boils down to an opt-out regime, whereas the e-Privacy Directive requires the user’s informed consent. At the same time, the “opt-out” cookie used on the Website does not make it possible to delete previously installed cookies and, at the same time, the “opt-out” choice is being tracked by the website itself.

Finally, the Article 29 Working Party comments in its opinion on the use of sensitive data, the lack of provisions regarding the retention periods of the personal data of the users as well as the compliance procedures mentioned in the opinion.

The Opinion also clarifies the relationship between the use of different cookies and the need to seek consent. Consent for the use of cookies is not always necessary. For instance, where secure login session cookies or shopping basket cookies are concerned, these cookies are necessary to carry out the transmission over an electronic communications network, or these can be seen as strictly necessary in order to provide a service which is explicitly requested by the user. Furthermore, the Working Party explains that a pop-up window is not the only way to obtain a user’s consent. Consent can also be obtained via, e.g., default settings in a browser or a static information banner on top of a website in which consent is asked for certain cookies to be used, and a hyperlink to a privacy statement containing more information is also made available. Therefore, it is not always necessary for a user to click through multiple pop-up windows.

The Working Party concludes that it does not question the economic benefits of behavioural advertising, but that the user’s rights to privacy and data protection must be respected. The Code, in combination with the Website, do not result in compliance with the current e-Privacy Directive. (FVDJ)

The Opinion can be found at http://ec.europa.eu, Opinion 16/2011

BELGIUM

BE - Labour Court of Brussels finds that the Data Protection Act does not prevent employers from making available employee-related information

On 1 April 2011, the Labour Court of Brussels issued a judgment whereby it held that the Data Protection Act of 8 December 1992 (the “DPA”) does not prevent an employer from making available employee-related information to customers.

On 12 June 2006, the Belgian Social Inspectorate carried out a routine inspection on the premises of the garage N.V. M. and found a cleaning lady working there. Yet, contrary to Article 157 of the Program Act of 22 December 1989 (the “Program Act”), there was no copy of the cleaning lady’s employment agreement on the premises.

The cleaning lady, during a subsequent questioning with the inspector, stated that she was an employee of N.V. Multiple Immo and that, as part of her employment with this company, she was required to work part-time as a cleaning lady at the garage of N.V. M. Since the employer, N.V. Multiple Immo, was obliged to have a copy of the part-time employment agreement stored on the location where the employee is working, the Social Inspectorate imposed an administrative fine of 400 EUR on N.V. Multiple Immo.

N.V. Multiple Immo argued that the requirement set forth in Article 157 of the Program Act would oblige an employer to disclose all information set forth in that employment agreement (which includes a large amount of the employee’s personal data) to a third-party (i.e., N.V. M). Since N.V. Multiple Immo believed that this would violate the DPA, it refused to pay the fine. N.V. Multiple Immo’s failure to pay the fine led the Social Inspectorate to initiate proceedings against it before the Labour Tribunal. The Tribunal stated that although N.V. Multiple Immo has breached Article 157 of the Program Act of 22 December 1989, it cannot be held liable for the act in question because Article 157 of the Program Act constitutes a violation of the DPA.

The Social Inspectorate appealed against this decision before the Labour Court of Brussels, which held that Article 157 of the Program Act does not as such violate the DPA. In its view, this Article does not prevent an employer from making the employment agreement available in a manner which would not violate the DPA. According to the court, N.V. Multiple Immo could have complied with Article 157 of the Program Act by making the employment agreement, among other things, available to N.V. M by enclosing it in a sealed envelope. By doing so, N.V. Multiple Immo would have complied with both Article 157 of the Program Act and the DPA. (LDA)

The case is available at http://www.juridat.be


BE – Labour Court of Namur rules that electronic messages exchanged on Facebook do not have a confidential character that is protected by law

In a judgment of 10 November 2011, the Labour Court of Namur found that electronic messages exchanged via the website “Facebook” do not have a confidential character that is protected by law.

The case before the Court was about a kitchen maid of a nursing home who was dismissed for urgent cause by her employer. She had made racist and other insulting remarks towards a colleague who was also employed at the same nursing home, and published them on her Facebook page. The kitchen maid sued her former employer and claimed the dismissal to be unlawful by arguing that electronic messages on Facebook would have been collected in breach of both the Belgian Electronic Communications Act and the Belgian Privacy Act.

The Court, however, did not agree with the claimant’s arguments and held that the contents of the electronic messages were lawful evidence. According to the judge, the electronic messages at stake did not have a private or confidential character of the type that is protected by law. The electronic exchange of the messages did indeed take place on a website that is accessible by the public and in particular accessible by staff members of the nursing home.

The Court found that the nursing home’s staff member’s communication to its employer of the contents of an electronic message that was addressed to him or her via the Facebook webpage is not unlawful. All the more because the contents of these messages did not concern the private life of these persons, but rather their professional relationship. The Court has therefore ruled that the Facebook messages are admissible as evidence. (SCO)

The case is available at http://www.juridat.be

BE – Privacy Commission gives guidance on the processing of personal data for mobile phones used by employees

On 30 November 2011, the Belgian Privacy Commission (“the Commission”) opined that an employer violated the data protection legislation when it transmitted employees’ data to the telecom operator for invoicing purposes without being duly authorized to do so.

An employee received a company mobile phone from his employer to use during his employment. In order to distinguish between the employee’s private and professional usage of that phone, the employee was instructed to first enter a user code before making any private calls. With this “user code” system, two separate bills are issued: one for the employer and the other for the employee. This is the so-called “split billing” method. Also, the employee was requested to authorize, in writing, the employer to transmit his postal address as well as to enter into a direct agreement with the telecom operator. The employee, however, did not proceed accordingly since he claimed that no private calls could ever be made. Nevertheless, he received an invoice from the telecom operator. As a consequence thereof, he submitted a complaint to the Commission, arguing that his personal data were not properly transferred to the mobile operator. Since no amicable settlement was reached between the parties, the Commission issued an opinion on the legitimacy of that complaint.

Apart from the split billing described above, there are usually two other billing methods: the employee may choose a usage contract for a lump sum amount or make a written declaration that he will only use the mobile phone for business purposes, and not for any private calls. The Commission itself acknowledges that the employer may verify whether these rules are observed by the employee. For instance, in the event of overspending, the employer may ask for explanations and more details from the employee. On the other hand, by applying the split billing, the employer has no detailed view on the calls made by the employee which are private.

Under Belgian law, every processing of personal data, such as the disclosure of the employee’s postal address to the telecom operator, must have a specific and legitimate purpose and may only take place in certain circumstances. For instance, processing of personal data is allowed when the data subject has given his/her unambiguous consent, which is not the case here. A processing of personal data is also possible if it is necessary to safeguard a legitimate interest of the data controller or of a third party, provided that it is not overridden by the data subject’s interest or rights. In other words, the processing is authorized if the controller’s interest in processing the data is greater than the data subject’s interest in not having the data processed. However, in the current case, the employer’s interest was not greater than the employee’s right to privacy. (NRO)

The opinion can be found on http://www.privacycommission.be

BE − Privacy Commission issues recommendation on the use of surveillance cameras in cells and detention rooms

On 6 July 2011 the Privacy Commission issued a recommendation on the installation and use of surveillance cameras in cells and detention rooms inside police stations. With this recommendation, the Commission seeks to protect those individuals who have been filmed after their having been arrested and detained.

The Royal Decree of 14 September 2007 provides a legal framework for the location, organization, and use of detention rooms by the police. The fact that a specific rule of law exists with regard to the organization of detention rooms implies that camera surveillance in such detention rooms is excluded from the scope of application of the Belgian Camera Surveillance Act, yet falls within the scope of the general rules of the Belgian Privacy Act.


The Commission confirms that video surveillance contributes to the protecting and safeguarding of the well-being of detained individuals. However, video surveillance should always be an element within the context of additional measures such as regular physical examinations of detained persons, a suicide prevention program, and an efficient reporting mechanism for individuals who have been victims of improper practices during the period of their detention.

From a practical point of view, all detained individuals should be properly informed about the following: a video surveillance system is in use in the detention rooms; the images can only be retained for a reasonable period; the police should take the necessary technical and organizational measures to secure the access to the images captured.

Finally, video surveillance during body searches cannot be made available in real time for surveillance purposes according to the Commission, and those images can only be accessed by a magistrate in the event of a complaint. (SCO)

The recommendation can be found on www.privacycommission.be, No. 06/2011

THE NETHERLANDS

NL – Supreme Court rules that a notice of default in an IT dispute is not always required prior to termination and claim for damages

In its judgment of 13 January 2012, the Dutch Supreme Court ruled that a professional party (“A-Line”) that ordered the development and implementation of computer software, which has not been implemented by the supplier (“Cubeware”) on the agreed delivery date, is not—under certain circumstances—obliged to send the supplier a notice of default.

A-Line was a distributor of ICT products. After Cubeware had failed to meet the initially agreed delivery date of 1 January 1999, the parties negotiated for a fairly long delivery period extension. The outcome was that they instructed an EDP auditor by June 2000 to investigate the implementation process of the software. The outcome of the audit was negative for Cubeware. Subsequently, A-Line initiated legal proceedings to reclaim approx. €900,000 from Cubeware plus contractual damages and legal interest. One of the principal defences of Cubeware was that A-Line should have sent a notice of default to the former in light of the further discussions.

The Dutch Civil Code (“DCC”) stipulates that there are three instances where a notice of default is not required. One is where the non-defaulting party can clearly infer from the other party’s statement that it can or will not perform its contractual obligations (Article 6:83 at c, DCC). According to the Supreme Court, the overview of instances where a notice of default is not required is not limitative; the Court found other instances where a notice of default is not required. Additionally, there may be instances where, based on usage or custom, a notice of default is not necessary; thirdly, the Supreme Court referred to other decisions where it had determined that based upon the principles of reasonableness and fairness, in specific instances, a notice of default was not or no longer required. Finally and conversely, the Supreme Court considered that under certain circumstances, a plea that a notice of default would be required could be against the principle of reasonableness and fairness under specific circumstances.

The lower appellate court had ruled that – under the specific circumstances – A-Line could have reached the conclusion, in all reasonableness, that Cubeware would not perform the delivery, implementation, and installation of the agreed computer software. This court reached this conclusion based on, inter alia, the facts that: (a) Cubeware had failed to meet the initially agreed delivery date; (b) the parties had agreed to appoint an independent expert. The prospective continuation of their further cooperation was thus put in the hands of the expert; (c) the report of the expert contained clear statements that any continued involvement of Cubeware would be useless, and that there was no reasonable expectation that Cubeware would be able to complete the delivery in time; (d) even if Cubeware had opposed the expert’s findings, it remained clear that Cubeware had proven to be unable to produce any type of result during the different phases of cooperation with A-Line.


Consequently, according to the Supreme Court, the motivation of the Appellate Court was based on reasoning that Cubeware—under these circumstances—could not claim in reasonableness and fairness that A-Line should still have sent it a notice of default. The Supreme Court then moved to confirm the findings of the Appellate Court of Den Bosch.

This case can be found on http://zoeken.rechtspraak.nl, LJN=BU4911

NL – Court of Appeal of Amsterdam rejects moderation of contractually agreed penalty

In its judgment of 11 October 2011, the Court of Appeal of Amsterdam quashed a judgment of the Court of First Instance of Amsterdam in which the lower court had moderated a contractually agreed penalty which was due as a result of early termination of a fixed term agreement for the provision of internet collection services.

The appellant, Global Collect, had opposed the moderation of a penalty due by the respondent, Internet Leasing & Factoring, from an amount of €15,500 to €3,000.

The termination clause in the Agreement between the parties read as follows: “This agreement will be effective as of the Effective Date and will remain in effect for three (3) years thereafter unless earlier terminated in accordance with the provisions herein. (...) Merchant (Internet Leasing) may terminate this Agreement at any time at Merchant’s sole option upon one hundred eighty (180) days advance written notice to GCS (Global Collect). Parties agree that, based on economic assumptions material to each Party, Merchant shall make compensatory payment in the event of termination pursuant this paragraph. Compensatory payment shall equal the sum of the monthly minimum invoice amount which otherwise should have been due (...) for the remainder of the initial term of this Agreement or extension term.”

Internet Leasing had invoked the termination for convenience clause, but to claim a moderation of the agreed penalty, it had argued that Global Collect had not lived up to its promise to mention Internet Leasing on Global Collect’s invoices to its customers – which, according to Internet Leasing, would justify moderating the amount of the penalty.

The Court of Appeal first considered that the contractual penalty had been devised: (i) to compensate Global Collect for the fact that it could no longer provide its services to Internet Leasing—and thus could not generate revenues in the event of an early termination; and (ii) that the parties had determined the scope of the compensation along the lines of the minimum amount due by Internet Leasing to Global Collect under its monthly invoice times the notice period. Thus, the practical effect of the penalty clause was that it would decrease gradually in time.

In view of the absence of any evidence that Internet Leasing would have had a reason to terminate the agreement at the beginning of the term, the Court of Appeal did not find any grounds for the moderation of the contractually agreed (formula to determine the) penalty.

This case can be found on http://zoeken.rechtspraak.nl, LJN=BU7585

NL – Court of Arnhem issues interim judgment that underlines the importance of being specific as regards fees and cost for IT development and consultancy agreements

The plaintiff, CTA Consulting, is a company specialising in the development of databases and the offering of links between such databases and websites. The defendant, Sound Sight, is a music producer that had filed in a “Filemaker” database over 10,000 unpublished musical numbers from one composer. The composer wanted to sell these numbers through a web shop. For this purpose, he required a website with a back office, a new database, an online payment system, and hosting services. On behalf of the composer, Sound Sight ordered these services from CTA at fairly unsubstantial fees. A year after the project kicked off, Sound Sight expressed concerns regarding the progress of CTA’s activities. Eight days later, Sound Sight terminated CTA’s assignment. Subsequently, Sound Sight argued that it terminated a “preliminary agreement”.

CTA then sued Sound Sight, claiming around €50,000. Sound Sight filed a counterclaim for damages which CTA would allegedly be liable as a result of delays in the project. Sound Sight also argued there would have been no need to send CTA a notice of default since it would have become clear that CTA did not have the required expertise to successfully perform and complete the project. According to CTA, any delays were fully attributable to Sound Sight, as it did not deliver the required website that needed to be linked, and as it kept requesting modifications to the database design from CTA.

In the absence of any written agreement between the parties, the Court first analyzed the email correspondence between the parties to see if it could find what they would have agreed on. The Court held that the offer made by CTA at the start of the project was indicative of the parties’ agreed contractual obligations. According to the Court, Sound Sight had not explicitly accepted all items offered by CTA, in particular the fixed fee offered by CTA for a three-year database hosting service. Conversely, the Court held that Sound Sight had not made a credible argument that it would have been entitled to terminate the assignment it had given to CTA for cause.

The Court then held that Sound Sight was liable to compensate CTA, and that the amount due consisted of payment of: (i) the outstanding contractually agreed compensation, (ii) an amount of compensatory damages. These damages included an additional compensation that was agreed as a result of the offer minus cost savings of CTA which was due to the fact that it could no longer have to perform any services for CTA, and (iii) an amount for lost profits because of CTA’s missing out on hosting services fees for a period of three years. The Court then offered some delineation as to how the parties would have to estimate the compensation. It made it clear that it did not find any indication as to how to determine the financial compensation due in the file, thus leaving it largely to the parties and their advisers to provide for a costly determination of such compensation.

The interim decision underlines the importance for parties to an IT project to agree on the cost and fees in writing before a project kicks off. (SG)

This case can be found on http://zoeken.rechtspraak.nl, LJN=BU9785

NL – Dutch government presents legislative proposal for changes to the Dutch Data Protection Act

On 20 December 2011, the Dutch government started its consultations concerning changes to the Dutch Data Protection Act (“DDPA”). These consultations concern an extension of the possibilities for private persons and companies to use camera footage for the investigation of criminal acts as well as to impose a duty to notify data security breaches.

Although a similar duty will probably be implemented in the new Data Protection Regulation, the government already wants to introduce this duty of notification since the implementation of this legislative proposal is expected to take effect earlier than the new European legislation.

As such, a security breach will have to be notified to the DPA without delay. Such notification is only mandatory when the assessment of that security breach indicates that the breach will lead to a significant risk of loss or unlawful processing of data which will have negative consequences on the personal data and privacy of the data subject involved. The data controller must also inform the data subject, unless the DPA is of the opinion that the data controller has taken adequate technical safety measures to encrypt or make the data unintelligible for all persons that should not be able to become aware of the data. The contents of the information to be presented to the data subjects needs to be filed with the DPA.

When the data controller uses a data processor for the
processing of personal data, the processor is obliged to Recently, there have been several discussions in the notify the data controller of any security breaches in Netherlands on camera footage of, for example, a order to enable the data controller to fulfil its notification burglary being placed on the internet in order to catch duties. perpetrators. This use of the camera footage is currently In the explanatory memorandum, the government stated not allowed under the DDPA. The government would like that the notification to the DPA will in most instances not the DDPA to provide for more possibilities to use camera lead to the Authority’s reaction. The DPA will, however, footage, but at the same time, it wants to strike a be able to impose an administrative fine of a maximum balance between the interests of the private persons of EUR 200,000 when data controllers do not fulfil their and companies whose images are being used, on the notification duty. This penalty can also be imposed when one hand, and the persons of whom images are the data controller does not follow the DPA’s instructions published, on the other hand. to inform the data subjects involved. Finally, the proposal suggests that the Telecommunications Act is changed in order to harmonize the notification duty which has been proposed for providers of public electronic communications networks with that of the DDPA. The consultations for the legislative proposal ended on 29 February 2012. (FVDJ) This decision can be found at http://www.cbpweb.nl

NL – Dutch Data Protection Authority upholds penalty decision for non- compliance of travel data processing In December 2010, the Dutch Data Protection Authority (DPA) presented the results of its investigation into the According to the proposal, which has been drafted as a data processing of travel data, such as the card number result of the consultations that took place, the use of and actual travel data (destination, location, time) by camera footage will be allowed when strict rules – which several Dutch transport companies. The DPA started the are to be laid down in a governmental decree – are investigation subsequent to complaints made by Dutch complied with. Additionally, the Dutch Data Protection students who use a designated chip card when travelling Authority (“DPA”) must have approved the use of the on public transport. This personal chip card which was footage. The rules in the governmental decree will used by the students enables them to use public probably stipulate the ways in which the footags should transport for free or with reduction during certain hours be released, the duration of the release as well as the of the week. guidelines concerning the removal of the footages from the internet. The underlying rationale of the provisions is The DPA concluded that the transport companies that criminal investigation remains the primacy of the retained the travel data of the students longer than government. necessary, as the data were stored for a period of seven years. All transport companies were obliged to reduce The second part of the proposal deals with the the data retention periods otherwise they would risk an introduction of a duty to notify data security breaches. administrative penalty being imposed on them. These

ICT Law Newsletter - Number 43 – April 2012 9 companies decided to reduce the data retention period the personal data within the file and needs to enable that to two years. the addressed persons can unsubscribe from the mailing. The advertiser needs to ensure that the file Furthermore, the transport company responsible for the owner complies with the provisions of the Code. It is public transport by train obliged students to check in important to note that the addressee has given his and out with their chip card also during periods where consent for the provision of its personal data to a third they were entitled to travel for free, while this was actually party. If the advertiser uses its own files to send direct not mandatory. This train company, however, did not marketing e-mails, it will qualify not only as advertiser but inform the students that this was in fact not obligatory also as file owner; as a consequence, the provisions in and could therefore process the travel data of those the Code applying to both roles will kick in automatically. students who travelled during the free travel hours. The DPA held that this specific processing of travel data of The Code introduces several other obligations. A file students violates the law because there is no need for owner should add a label in the sender field within an such processing. e-mail. The label should be the brand or company name used to obtain consent from the addressee. The Subsequently, all but one transport company complied addressee should always be able to unsubscribe at the with the decision of the DPA. That transport company label or brand under which the consent has been lodged a notice of objection with the DPA; it was of the obtained. 
This form of transparency should enable the opinion that the unique card number in combination with addressee to establish in which files his personal data the travel data of the students (the transaction data) are processed and enable him to unsubscribe at the could not qualify as personal data because the data did same level as where he has given consent. not contain the name of the student so the transport company did not have the names at its disposal and could therefore not link the aforementioned data to a specific student. It argued that only the organization issuing the public transport cards to the students and the chip card data processor have access to the names of the students. Therefore, the Dutch Data Protection Act should not be applicable. The DPA rejected the objection. It stated that it is in fact possible for the transport company to link the transaction data to the student who possessed the chip card. This could be done via retrieving data from the database stored in the chip card data processor as well as when a student contacts the transport company by himself or herself. Therefore, the DPA qualified the transaction data as personal data. The DPA also pointed out that it has Furthermore, the Code clarifies that it is not allowed to ruled equally in similar cases such as the one concerning ask a an addressee for consent or to inform him/her on the discussion on the qualification of IP-addresses and the use of his/her e-mail address for direct marketing license plate numbers. purposes or the fact that his/her data will be provided to The transport company said that it will appeal against a third party, via a provision in a privacy statement or in the DPA’s decision. (FVDJ) general terms and conditions. Since most of the times, This decision can be found at http://www.cbpweb.nl these documents are not read by the addressee, the advertiser should inform the addressee at the exact “spot” where its e-mail address is collected. 
Of course, it is acceptable to provide further explanation via the NL – New E-mail Advertising Code privacy statement or general terms and conditions. On 1 January 2012, the new E-mail Advertising Code The Code attaches further requirements to the use of has come into force. The Code is applicable next to rules “Tell a friend”-systems. For an addressee, it should be embodied in the Dutch Telecommunications Act. The clear which friend is using the system and (s)he should Code was drafted by the Dutch Dialogue Marketing be able to reply directly to this friend. This enables the Association and the Dutch Distance Selling Association, addressee to inform his/her friend directly on whether or in cooperation with the largest entrepreneur organisation not (s)he wishes to receive such e-mails. Furthermore, in the Netherlands and the Confederation of The the joint opinion on “Tell a friend”-systems of the Dutch Netherlands Industry and Employers. The Code is part Data Protection Authority and the Independent Post and of the Dutch Advertising Code which has been set up by Telecommunications Authority should be taken into several market players. Consumers and companies can account. file a complaint at the Advertising Code Committee when a company violates the Code. Finally, the Code states that advertisers should limit attachments in their e-mails to a maximum of 150 kb. The Code introduces several separate roles. A party can The Code advises to use hyperlinks instead. be qualified as an advertiser, as well as a file owner or a data distributor. A party can have more than one role. The Code applies for a period of five years. For example, if e-mail is used for direct marketing A Dutch version of the Code can be found on: purposes this is often done via a data file of a third party. http://www.nuv.nl In most instances, the advertiser will not receive the e-mail addresses of persons who he wishes to address. The third party will then be responsible for the security of

LUXEMBOURG

LUX – VAT Authority reduces VAT on eBooks

On 12 December 2011, the Luxembourg VAT authority issued circular no. 756 in which it clarifies the definition of “books” for VAT purposes. The VAT authority emphasised that the term “books” has not yet been given a clear interpretation by EU Member States and thus, in accordance with the principle of neutrality, it decided to give this term the broadest interpretation possible. In order to achieve such a broad interpretation, it chose not to distinguish between traditional books and eBooks as both of these media have the same function. Consequently, the VAT authority concluded that the current VAT-rate for physical books is to be applied to eBooks as well, meaning that the VAT-rate applied to eBooks is reduced from 15% to 3%.

The super-reduced VAT rate of 3% will give a competitive advantage to eBook sellers in Luxembourg and will further make Luxembourg more attractive for eBook sellers since EU regulations provide that consumers pay the VAT-rate in the country of the vendor’s establishment. This competitive advantage will be limited in time though as, from 1 January 2015¹, the place of supply of intra-EU business-to-consumer electronically supplied services and broadcasting will be the place where the consumer is located or usually resides. Currently the VAT-rate for eBooks is 20% in the UK, 21% in Belgium and 7% in France (which was recently cut from 19.6% to 7%).

The super-reduced VAT rate of 3% is applicable as from 1 January 2012. (NVH)

The circular can be found at http://www.aed.public.lu

1 Article 58 of the VAT Directive 2008/8/EC amending Directive 2006/112/EC has been modified so as to read as follows “The place of supply of the following services to a non-taxable person shall be the place where that person is established, has his permanent address or usually resides (…)”


Contributors to this issue of the ICT Law Newsletter: Sofie Costermans, Nicolas Roland, Laurens Dauwe, Lore Leitner, Erik Valgaeren, Serge Gijrath, Friederike van der Jagt and Nicolas van Heule.

For more information

If you require further copies of this newsletter, or advice on any of the matters raised in it, please contact:
Erik Valgaeren, T +32 2 533 53 51, F +32 2 533 51 15
Serge Gijrath, T +31 20 546 02 12, F +31 20 546 08 11


The ICT Law Newsletter is also available on our website www.stibbe.com

All rights reserved. Care has been taken to ensure that the content of this newsletter is as accurate as possible. However, the accuracy and completeness of the information in this newsletter, largely based upon third party sources, cannot be guaranteed. The materials contained in this newsletter have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this newsletter without consulting legal counsel. Consultation of this newsletter will not create an attorney-client relationship between Stibbe and the reader. The newsletter may be used only for personal use and all other uses are prohibited.

© Stibbe 2011 Publisher: Erik Valgaeren, Stibbe, Central Plaza, Loksumstraat 25 rue de Loxum - BE-1000 Brussels
